ipn/localapi: basic LocalAPI endpoints for profiles

Signed-off-by: Mihai Parparita <mihai@tailscale.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,12 +1,12 @@
 name: Bug report
-description: File a bug report
+description: File a bug report. If you need help, contact support instead
 labels: [needs-triage, bug]
 body:
   - type: markdown
     attributes:
       value: |
-        Please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues).
-        Have an urgent issue? Let us know by emailing us at <support@tailscale.com>.
+        Need help with your tailnet? [Contact support](https://tailscale.com/contact/support) instead.
+        Otherwise, please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues) before filing a new one.
   - type: textarea
     id: what-happened
     attributes:

.github/ISSUE_TEMPLATE/config.yml

@@ -5,4 +5,4 @@ contact_links:
     about: Contact us for support
   - name: Troubleshooting
     url: https://tailscale.com/kb/1023/troubleshooting
-    about: Troubleshoot common issues
+    about: See the troubleshooting guide for help addressing common issues

.github/workflows/cifuzz.yml

@@ -2,7 +2,7 @@ name: CIFuzz
 on: [pull_request]
 
 concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:

.github/workflows/cross-android.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/cross-darwin.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/cross-freebsd.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/cross-openbsd.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/cross-wasm.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
@@ -39,7 +40,7 @@ jobs:
       # that depend on it.
       run: |
         ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect build-pkg
+        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
 
     - uses: k0kubun/action-slack@v2.0.0
       with:

.github/workflows/cross-windows.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/depaware.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/go-licenses.yml

@@ -50,7 +50,7 @@ jobs:
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@18f90432bedd2afd6a825469ffd38aa24712a91d #v4.1.1
+        uses: peter-evans/create-pull-request@ad43dccb4d726ca8514126628bec209b8354b6dd #v4.1.4
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: License Updater <noreply@tailscale.com>

.github/workflows/license.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/linux-race.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/linux.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/linux32.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/static-analysis.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

.github/workflows/vm.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
@@ -13,7 +14,7 @@ jobs:
   ubuntu2004-LTS-cloud-base:
     runs-on: [ self-hosted, linux, vm ]
 
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+    if: "(github.repository == 'tailscale/tailscale') && !contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
       - name: Set GOPATH

.github/workflows/windows.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - '*'
+      - 'release-branch/*'
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

Dockerfile

@@ -66,10 +66,12 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
       -X tailscale.com/version.Long=$VERSION_LONG \
       -X tailscale.com/version.Short=$VERSION_SHORT \
       -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
-      -v ./cmd/tailscale ./cmd/tailscaled
+      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
 
 FROM alpine:3.16
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
-COPY --from=build-env /go/src/tailscale/docs/k8s/run.sh /usr/local/bin/
+# For compat with the previous run.sh, although ideally you should be
+# using build_docker.sh which sets an entrypoint for the image.
+RUN ln -s /usr/local/bin/containerboot /tailscale/run.sh

Makefile

@@ -54,3 +54,9 @@ pushspk: spk
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
 	scp tailscale.spk root@${SYNO_HOST}:
 	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk
+
+publishdevimage:
+	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
+	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
+	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
+	TAGS=latest REPOS=${REPO} PUSH=true ./build_docker.sh

VERSION.txt

@@ -1 +1 @@
-1.31.0
+1.33.0

api.md

@@ -335,11 +335,12 @@ The response is 2xx on success. The response body is currently an empty JSON
 object.
 
 ## Tailnet
-A tailnet is the name of your Tailscale network.
-You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
 
+A tailnet is your private network, composed of all the devices on it and their configuration. For more information on tailnets, see [our user-facing documentation](https://tailscale.com/kb/1136/tailnet/).
 
-`alice@example.com` belongs to the `example.com` tailnet and would use the following format for API calls:
+When making API requests, your tailnet is identified by the organization name. You can find it on the [Settings page](https://login.tailscale.com/admin/settings) of the admin console.
+
+For example, if `alice@example.com` belongs to the `example.com` tailnet, they would use the following format for API calls:
 
 ```
 GET /api/v2/tailnet/example.com/...
@@ -355,9 +356,14 @@ GET /api/v2/tailnet/alice@gmail.com/...
 curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
 ```
 
-Tailnets are a top-level resource. ACL is an example of a resource that is tied to a top-level tailnet.
+Alternatively, you can specify the value "-" to refer to the default tailnet of
+the authenticated user making the API call.  For example:
+```
+GET /api/v2/tailnet/-/...
+curl https://api.tailscale.com/api/v2/tailnet/-/...
+```
 
-For more information on Tailscale networks/tailnets, click [here](https://tailscale.com/kb/1064/invite-team-members).
+Tailnets are a top-level resource. ACL is an example of a resource that is tied to a top-level tailnet.
 
 ### ACL
 
@@ -813,6 +819,10 @@ Supply the tailnet in the path.
 
 ###### POST Body
 `capabilities` - A mapping of resources to permissible actions.
+
+`expirySeconds` - (Optional) How long the key is valid for in seconds.
+                  Defaults to 90d.
+
 ```
 {
   "capabilities": {
@@ -826,7 +836,8 @@ Supply the tailnet in the path.
         ]
       }
     }
-  }
+  },
+  "expirySeconds": 1440
 }
 ```
 

build_dist.sh

@@ -54,7 +54,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap"
 		;;
 	--box)
 		shift

build_docker.sh

@@ -35,14 +35,14 @@ BASE="${BASE:-${DEFAULT_BASE}}"
 go run github.com/tailscale/mkctr \
   --gopaths="\
     tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
-    tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled" \
+    tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
+    tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
   --ldflags="\
     -X tailscale.com/version.Long=${VERSION_LONG} \
     -X tailscale.com/version.Short=${VERSION_SHORT} \
     -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
-  --files="docs/k8s/run.sh:/tailscale/run.sh" \
   --base="${BASE}" \
   --tags="${TAGS}" \
   --repos="${REPOS}" \
   --push="${PUSH}" \
-  /bin/sh /tailscale/run.sh
+  /usr/local/bin/containerboot

chirp/chirp.go

@@ -24,11 +24,17 @@ func New(socket string) (*BIRDClient, error) {
 	return newWithTimeout(socket, responseTimeout)
 }
 
-func newWithTimeout(socket string, timeout time.Duration) (*BIRDClient, error) {
+func newWithTimeout(socket string, timeout time.Duration) (_ *BIRDClient, err error) {
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
+	defer func() {
+		if err != nil {
+			conn.Close()
+		}
+	}()
+
 	b := &BIRDClient{
 		socket:  socket,
 		conn:    conn,

chirp/chirp_test.go

@@ -106,10 +106,10 @@ func TestChirp(t *testing.T) {
 		t.Fatal(err)
 	}
 	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeded", "rando")
+		t.Fatalf("enabling %q succeeded", "rando")
 	}
 	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeded", "rando")
+		t.Fatalf("disabling %q succeeded", "rando")
 	}
 }
 

client/tailscale/acl.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package tailscale
 
@@ -459,7 +458,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
+		return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
 	}
 
 	// The test ran without fail

client/tailscale/apitype/controltype.go

@@ -11,7 +11,6 @@ type DNSConfig struct {
 	Domains           []string                 `json:"domains"`
 	Nameservers       []string                 `json:"nameservers"`
 	Proxied           bool                     `json:"proxied"`
-	PerDomain         bool                     `json:",omitempty"`
 }
 
 type DNSResolver struct {

client/tailscale/devices.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package tailscale
 

client/tailscale/dns.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package tailscale
 

client/tailscale/localclient.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package tailscale
 
@@ -36,6 +35,7 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
+	"tailscale.com/types/key"
 )
 
 // defaultLocalClient is the default LocalClient when using the legacy
@@ -267,15 +267,77 @@ func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) (
 	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
 }
 
-// BugReport logs and returns a log marker that can be shared by the user with support.
-func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
+// BugReportOpts contains options to pass to the Tailscale daemon when
+// generating a bug report.
+type BugReportOpts struct {
+	// Note contains an optional user-provided note to add to the logs.
+	Note string
+
+	// Diagnose specifies whether to print additional diagnostic information to
+	// the logs when generating this bugreport.
+	Diagnose bool
+
+	// Record specifies, if non-nil, whether to perform a bugreport
+	// "recording"–generating an initial log marker, then waiting for
+	// this channel to be closed before finishing the request, which
+	// generates another log marker.
+	Record <-chan struct{}
+}
+
+// BugReportWithOpts logs and returns a log marker that can be shared by the
+// user with support.
+//
+// The opts type specifies options to pass to the Tailscale daemon when
+// generating this bug report.
+func (lc *LocalClient) BugReportWithOpts(ctx context.Context, opts BugReportOpts) (string, error) {
+	qparams := make(url.Values)
+	if opts.Note != "" {
+		qparams.Set("note", opts.Note)
+	}
+	if opts.Diagnose {
+		qparams.Set("diagnose", "true")
+	}
+	if opts.Record != nil {
+		qparams.Set("record", "true")
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	var requestBody io.Reader
+	if opts.Record != nil {
+		pr, pw := io.Pipe()
+		requestBody = pr
+
+		// This goroutine waits for the 'Record' channel to be closed,
+		// and then closes the write end of our pipe to unblock the
+		// reader.
+		go func() {
+			defer pw.Close()
+			select {
+			case <-opts.Record:
+			case <-ctx.Done():
+			}
+		}()
+	}
+
+	// lc.send might block if opts.Record != nil; see above.
+	uri := fmt.Sprintf("/localapi/v0/bugreport?%s", qparams.Encode())
+	body, err := lc.send(ctx, "POST", uri, 200, requestBody)
 	if err != nil {
 		return "", err
 	}
 	return strings.TrimSpace(string(body)), nil
 }
 
+// BugReport logs and returns a log marker that can be shared by the user with support.
+//
+// This is the same as calling BugReportWithOpts and only specifying the Note
+// field.
+func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
+	return lc.BugReportWithOpts(ctx, BugReportOpts{Note: note})
+}
+
 // DebugAction invokes a debug action, such as "rebind" or "restun".
 // These are development tools and subject to change or removal over time.
 func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
@@ -286,6 +348,41 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }
 
+// SetDevStoreKeyValue set a statestore key/value. It's only meant for development.
+// The schema (including when keys are re-read) is not a stable interface.
+func (lc *LocalClient) SetDevStoreKeyValue(ctx context.Context, key, value string) error {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/dev-set-state-store?"+(url.Values{
+		"key":   {key},
+		"value": {value},
+	}).Encode(), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	return nil
+}
+
+// SetComponentDebugLogging sets component's debug logging enabled for
+// the provided duration. If the duration is in the past, the debug logging
+// is disabled.
+func (lc *LocalClient) SetComponentDebugLogging(ctx context.Context, component string, d time.Duration) error {
+	body, err := lc.send(ctx, "POST",
+		fmt.Sprintf("/localapi/v0/component-debug-logging?component=%s&secs=%d",
+			url.QueryEscape(component), int64(d.Seconds())), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	var res struct {
+		Error string
+	}
+	if err := json.Unmarshal(body, &res); err != nil {
+		return err
+	}
+	if res.Error != "" {
+		return errors.New(res.Error)
+	}
+	return nil
+}
+
 // Status returns the Tailscale daemon's status.
 func Status(ctx context.Context) (*ipnstate.Status, error) {
 	return defaultLocalClient.Status(ctx)
@@ -642,14 +739,14 @@ func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate
 	return &cert, nil
 }
 
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 //
 // Deprecated: use LocalClient.ExpandSNIName.
 func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	return defaultLocalClient.ExpandSNIName(ctx, name)
 }
 
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	st, err := lc.StatusWithoutPeers(ctx)
 	if err != nil {
@@ -694,13 +791,16 @@ func (lc *LocalClient) NetworkLockStatus(ctx context.Context) (*ipnstate.Network
 }
 
 // NetworkLockInit initializes the tailnet key authority.
-func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
+//
+// TODO(tom): Plumb through disablement secrets.
+func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key, disablementValues [][]byte) (*ipnstate.NetworkLockStatus, error) {
 	var b bytes.Buffer
 	type initRequest struct {
-		Keys []tka.Key
+		Keys              []tka.Key
+		DisablementValues [][]byte
 	}
 
-	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys}); err != nil {
+	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys, DisablementValues: disablementValues}); err != nil {
 		return nil, err
 	}
 
@@ -716,6 +816,49 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ip
 	return pr, nil
 }
 
+// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
+func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
+	var b bytes.Buffer
+	type modifyRequest struct {
+		AddKeys    []tka.Key
+		RemoveKeys []tka.Key
+	}
+
+	if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
+		return nil, err
+	}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
+// NetworkLockSign signs the specified node-key and transmits that signature to the control plane.
+// rotationPublic, if specified, must be an ed25519 public key.
+func (lc *LocalClient) NetworkLockSign(ctx context.Context, nodeKey key.NodePublic, rotationPublic []byte) error {
+	var b bytes.Buffer
+	type signRequest struct {
+		NodeKey        key.NodePublic
+		RotationPublic []byte
+	}
+
+	if err := json.NewEncoder(&b).Encode(signRequest{NodeKey: nodeKey, RotationPublic: rotationPublic}); err != nil {
+		return err
+	}
+
+	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/sign", 200, &b); err != nil {
+		return fmt.Errorf("error: %w", err)
+	}
+	return nil
+}
+
 // tailscaledConnectHint gives a little thing about why tailscaled (or
 // platform equivalent) is not answering localapi connections.
 //

client/tailscale/required_version.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build !go1.19
-// +build !go1.19
 
 package tailscale
 

client/tailscale/routes.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package tailscale
 

client/tailscale/tailnet.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package tailscale
 

client/tailscale/tailscale.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 // Package tailscale contains Go clients for the Tailscale Local API and
 // Tailscale control plane API.
@@ -115,7 +114,7 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
 	return c.httpClient().Do(req)
 }
 
-// sendRequest add the authenication key to the request and sends it. It
+// sendRequest add the authentication key to the request and sends it. It
 // receives the response and reads up to 10MB of it.
 func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
 	if !I_Acknowledge_This_API_Is_Unstable {

cmd/containerboot/kube.go

@@ -0,0 +1,206 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+
+package main
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+	"sync"
+	"time"
+)
+
+// findKeyInKubeSecret inspects the kube secret secretName for a data
+// field called "authkey", and returns its value if present.
+func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error) {
+	kubeOnce.Do(initKube)
+	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
+	if err != nil {
+		return "", err
+	}
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		if resp != nil && resp.StatusCode == http.StatusNotFound {
+			// Kube secret doesn't exist yet, can't have an authkey.
+			return "", nil
+		}
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	bs, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	// We use a map[string]any here rather than import corev1.Secret,
+	// because we only do very limited things to the secret, and
+	// importing corev1 adds 12MiB to the compiled binary.
+	var s map[string]any
+	if err := json.Unmarshal(bs, &s); err != nil {
+		return "", err
+	}
+	if d, ok := s["data"].(map[string]any); ok {
+		if v, ok := d["authkey"].(string); ok {
+			bs, err := base64.StdEncoding.DecodeString(v)
+			if err != nil {
+				return "", err
+			}
+			return string(bs), nil
+		}
+	}
+	return "", nil
+}
+
+// storeDeviceID writes deviceID into the "device_id" data field of
+// the kube secret secretName.
+func storeDeviceID(ctx context.Context, secretName, deviceID string) error {
+	kubeOnce.Do(initKube)
+
+	// First check if the secret exists at all. Even if running on
+	// kubernetes, we do not necessarily store state in a k8s secret.
+	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
+	if err != nil {
+		return err
+	}
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		if resp != nil && resp.StatusCode >= 400 && resp.StatusCode <= 499 {
+			// Assume the secret doesn't exist, or we don't have
+			// permission to access it.
+			return nil
+		}
+		return err
+	}
+
+	m := map[string]map[string]string{
+		"stringData": map[string]string{
+			"device_id": deviceID,
+		},
+	}
+	var b bytes.Buffer
+	if err := json.NewEncoder(&b).Encode(m); err != nil {
+		return err
+	}
+	req, err = http.NewRequest("PATCH", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s?fieldManager=tailscale-container", kubeNamespace, secretName), &b)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/strategic-merge-patch+json")
+	if _, err := doKubeRequest(ctx, req); err != nil {
+		return err
+	}
+	return nil
+}
+
+// deleteAuthKey deletes the 'authkey' field of the given kube
+// secret. No-op if there is no authkey in the secret.
+func deleteAuthKey(ctx context.Context, secretName string) error {
+	kubeOnce.Do(initKube)
+	// m is a JSON Patch data structure, see https://jsonpatch.com/ or RFC 6902.
+	m := []struct {
+		Op   string `json:"op"`
+		Path string `json:"path"`
+	}{
+		{
+			Op:   "remove",
+			Path: "/data/authkey",
+		},
+	}
+	var b bytes.Buffer
+	if err := json.NewEncoder(&b).Encode(m); err != nil {
+		return err
+	}
+	req, err := http.NewRequest("PATCH", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s?fieldManager=tailscale-container", kubeNamespace, secretName), &b)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json-patch+json")
+	if resp, err := doKubeRequest(ctx, req); err != nil {
+		if resp != nil && resp.StatusCode == http.StatusUnprocessableEntity {
+			// This is kubernetes-ese for "the field you asked to
+			// delete already doesn't exist", aka no-op.
+			return nil
+		}
+		return err
+	}
+	return nil
+}
+
+var (
+	kubeOnce      sync.Once
+	kubeHost      string
+	kubeNamespace string
+	kubeToken     string
+	kubeHTTP      *http.Transport
+)
+
+func initKube() {
+	// If running in Kubernetes, set things up so that doKubeRequest
+	// can talk successfully to the kube apiserver.
+	if os.Getenv("KUBERNETES_SERVICE_HOST") == "" {
+		return
+	}
+
+	kubeHost = os.Getenv("KUBERNETES_SERVICE_HOST") + ":" + os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")
+
+	bs, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	if err != nil {
+		log.Fatalf("Error reading kube namespace: %v", err)
+	}
+	kubeNamespace = strings.TrimSpace(string(bs))
+
+	bs, err = os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+	if err != nil {
+		log.Fatalf("Error reading kube token: %v", err)
+	}
+	kubeToken = strings.TrimSpace(string(bs))
+
+	bs, err = os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
+	if err != nil {
+		log.Fatalf("Error reading kube CA cert: %v", err)
+	}
+	cp := x509.NewCertPool()
+	cp.AppendCertsFromPEM(bs)
+	kubeHTTP = &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs: cp,
+		},
+		IdleConnTimeout: time.Second,
+	}
+}
+
+// doKubeRequest sends r to the kube apiserver.
+func doKubeRequest(ctx context.Context, r *http.Request) (*http.Response, error) {
+	kubeOnce.Do(initKube)
+	if kubeHTTP == nil {
+		panic("not in kubernetes")
+	}
+
+	r.URL.Scheme = "https"
+	r.URL.Host = kubeHost
+	r.Header.Set("Authorization", "Bearer "+kubeToken)
+	r.Header.Set("Accept", "application/json")
+
+	resp, err := kubeHTTP.RoundTrip(r)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return resp, fmt.Errorf("got non-200 status code %d", resp.StatusCode)
+	}
+	return resp, nil
+}

cmd/containerboot/main.go

@@ -0,0 +1,455 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+
+// The containerboot binary is a wrapper for starting tailscaled in a
+// container. It handles reading the desired mode of operation out of
+// environment variables, bringing up and authenticating Tailscale,
+// and any other kubernetes-specific side jobs.
+//
+// As with most container things, configuration is passed through
+// environment variables. All configuration is optional.
+//
+//  - TS_AUTH_KEY: the authkey to use for login.
+//  - TS_ROUTES: subnet routes to advertise.
+//  - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
+//                destination.
+//  - TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
+//  - TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
+//  - TS_USERSPACE: run with userspace networking (the default)
+//                  instead of kernel networking.
+//  - TS_STATE_DIR: the directory in which to store tailscaled
+//                  state. The data should persist across container
+//                  restarts.
+//  - TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
+//  - TS_KUBE_SECRET: the name of the Kubernetes secret in which to
+//                    store tailscaled state.
+//  - TS_SOCKS5_SERVER: the address on which to listen for SOCKS5
+//                      proxying into the tailnet.
+//  - TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen
+//                                   for HTTP proxying into the tailnet.
+//  - TS_SOCKET: the path where the tailscaled local API socket should
+//               be created.
+//  - TS_AUTH_ONCE: if true, only attempt to log in if not already
+//                  logged in. If false (the default, for backwards
+//                  compatibility), forcibly log in every time the
+//                  container starts.
+//
+// When running on Kubernetes, TS_KUBE_SECRET takes precedence over
+// TS_STATE_DIR. Additionally, if TS_AUTH_KEY is not provided and the
+// TS_KUBE_SECRET contains an "authkey" field, that key is used.
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/fs"
+	"log"
+	"net/netip"
+	"os"
+	"os/exec"
+	"os/signal"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"golang.org/x/sys/unix"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn/ipnstate"
+)
+
+func main() {
+	log.SetPrefix("boot: ")
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
+
+	cfg := &settings{
+		AuthKey:         defaultEnv("TS_AUTH_KEY", ""),
+		Routes:          defaultEnv("TS_ROUTES", ""),
+		ProxyTo:         defaultEnv("TS_DEST_IP", ""),
+		DaemonExtraArgs: defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
+		ExtraArgs:       defaultEnv("TS_EXTRA_ARGS", ""),
+		InKubernetes:    os.Getenv("KUBERNETES_SERVICE_HOST") != "",
+		UserspaceMode:   defaultBool("TS_USERSPACE", true),
+		StateDir:        defaultEnv("TS_STATE_DIR", ""),
+		AcceptDNS:       defaultBool("TS_ACCEPT_DNS", false),
+		KubeSecret:      defaultEnv("TS_KUBE_SECRET", "tailscale"),
+		SOCKSProxyAddr:  defaultEnv("TS_SOCKS5_SERVER", ""),
+		HTTPProxyAddr:   defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
+		Socket:          defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
+		AuthOnce:        defaultBool("TS_AUTH_ONCE", false),
+	}
+
+	if cfg.ProxyTo != "" && cfg.UserspaceMode {
+		log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
+	}
+
+	if !cfg.UserspaceMode {
+		if err := ensureTunFile(); err != nil {
+			log.Fatalf("Unable to create tuntap device file: %v", err)
+		}
+		if cfg.ProxyTo != "" || cfg.Routes != "" {
+			if err := ensureIPForwarding(cfg.ProxyTo, strings.Split(cfg.Routes, ",")); err != nil {
+				log.Printf("Failed to enable IP forwarding: %v", err)
+				log.Printf("To run tailscale as a proxy or router container, IP forwarding must be enabled.")
+				if cfg.InKubernetes {
+					log.Fatalf("You can either set the sysctls as a privileged initContainer, or run the tailscale container with privileged=true.")
+				} else {
+					log.Fatalf("You can fix this by running the container with privileged=true, or the equivalent in your container runtime that permits access to sysctls.")
+				}
+			}
+		}
+	}
+
+	// Context is used for all setup stuff until we're in steady
+	// state, so that if something is hanging we eventually time out
+	// and crashloop the container.
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
+	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.AuthKey == "" {
+		key, err := findKeyInKubeSecret(ctx, cfg.KubeSecret)
+		if err != nil {
+			log.Fatalf("Getting authkey from kube secret: %v", err)
+		}
+		if key != "" {
+			log.Print("Using authkey found in kube secret")
+			cfg.AuthKey = key
+		} else {
+			log.Print("No authkey found in kube secret and TS_AUTHKEY not provided, login will be interactive if needed.")
+		}
+	}
+
+	st, daemonPid, err := startAndAuthTailscaled(ctx, cfg)
+	if err != nil {
+		log.Fatalf("failed to bring up tailscale: %v", err)
+	}
+
+	if cfg.ProxyTo != "" {
+		if err := installIPTablesRule(ctx, cfg.ProxyTo, st.TailscaleIPs); err != nil {
+			log.Fatalf("installing proxy rules: %v", err)
+		}
+	}
+	if cfg.InKubernetes && cfg.KubeSecret != "" {
+		if err := storeDeviceID(ctx, cfg.KubeSecret, string(st.Self.ID)); err != nil {
+			log.Fatalf("storing device ID in kube secret: %v", err)
+		}
+		if cfg.AuthOnce {
+			// We were told to only auth once, so any secret-bound
+			// authkey is no longer needed. We don't strictly need to
+			// wipe it, but it's good hygiene.
+			log.Printf("Deleting authkey from kube secret")
+			if err := deleteAuthKey(ctx, cfg.KubeSecret); err != nil {
+				log.Fatalf("deleting authkey from kube secret: %v", err)
+			}
+		}
+	}
+
+	log.Println("Startup complete, waiting for shutdown signal")
+	// Reap all processes, since we are PID1 and need to collect
+	// zombies.
+	for {
+		var status unix.WaitStatus
+		pid, err := unix.Wait4(-1, &status, 0, nil)
+		if errors.Is(err, unix.EINTR) {
+			continue
+		}
+		if err != nil {
+			log.Fatalf("Waiting for exited processes: %v", err)
+		}
+		if pid == daemonPid {
+			log.Printf("Tailscaled exited")
+			os.Exit(0)
+		}
+	}
+}
+
+// startAndAuthTailscaled starts the tailscale daemon and attempts to
+// auth it, according to the settings in cfg. If successful, returns
+// tailscaled's Status and pid.
+func startAndAuthTailscaled(ctx context.Context, cfg *settings) (*ipnstate.Status, int, error) {
+	args := tailscaledArgs(cfg)
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, unix.SIGTERM, unix.SIGINT)
+	// tailscaled runs without context, since it needs to persist
+	// beyond the startup timeout in ctx.
+	cmd := exec.Command("tailscaled", args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+	log.Printf("Starting tailscaled")
+	if err := cmd.Start(); err != nil {
+		return nil, 0, fmt.Errorf("starting tailscaled failed: %v", err)
+	}
+	go func() {
+		<-sigCh
+		log.Printf("Received SIGTERM from container runtime, shutting down tailscaled")
+		cmd.Process.Signal(unix.SIGTERM)
+	}()
+
+	// Wait for the socket file to appear, otherwise 'tailscale up'
+	// can fail.
+	log.Printf("Waiting for tailscaled socket")
+	for {
+		if ctx.Err() != nil {
+			log.Fatalf("Timed out waiting for tailscaled socket")
+		}
+		_, err := os.Stat(cfg.Socket)
+		if errors.Is(err, fs.ErrNotExist) {
+			time.Sleep(100 * time.Millisecond)
+			continue
+		} else if err != nil {
+			log.Fatalf("Waiting for tailscaled socket: %v", err)
+		}
+		break
+	}
+
+	if !cfg.AuthOnce {
+		if err := tailscaleUp(ctx, cfg); err != nil {
+			return nil, 0, fmt.Errorf("couldn't log in: %v", err)
+		}
+	}
+
+	tsClient := tailscale.LocalClient{
+		Socket:        cfg.Socket,
+		UseSocketOnly: true,
+	}
+
+	// Poll for daemon state until it goes to either Running or
+	// NeedsLogin. The latter only happens if cfg.AuthOnce is true,
+	// because in that case we only try to auth when it's necessary to
+	// reach the running state.
+	for {
+		if ctx.Err() != nil {
+			return nil, 0, ctx.Err()
+		}
+
+		loopCtx, cancel := context.WithTimeout(ctx, time.Second)
+		st, err := tsClient.Status(loopCtx)
+		cancel()
+		if err != nil {
+			return nil, 0, fmt.Errorf("Getting tailscaled state: %w", err)
+		}
+
+		switch st.BackendState {
+		case "Running":
+			if len(st.TailscaleIPs) > 0 {
+				return st, cmd.Process.Pid, nil
+			}
+			log.Printf("No Tailscale IPs assigned yet")
+		case "NeedsLogin":
+			// Alas, we cannot currently trigger an authkey login from
+			// LocalAPI, so we still have to shell out to the
+			// tailscale CLI for this bit.
+			if err := tailscaleUp(ctx, cfg); err != nil {
+				return nil, 0, fmt.Errorf("couldn't log in: %v", err)
+			}
+		default:
+			log.Printf("tailscaled in state %q, waiting", st.BackendState)
+		}
+
+		time.Sleep(500 * time.Millisecond)
+	}
+}
+
+// tailscaledArgs uses cfg to construct the argv for tailscaled.
+func tailscaledArgs(cfg *settings) []string {
+	args := []string{"--socket=" + cfg.Socket}
+	switch {
+	case cfg.InKubernetes && cfg.KubeSecret != "":
+		args = append(args, "--state=kube:"+cfg.KubeSecret, "--statedir=/tmp")
+	case cfg.StateDir != "":
+		args = append(args, "--state="+cfg.StateDir)
+	default:
+		args = append(args, "--state=mem:", "--statedir=/tmp")
+	}
+
+	if cfg.UserspaceMode {
+		args = append(args, "--tun=userspace-networking")
+	} else if err := ensureTunFile(); err != nil {
+		log.Fatalf("ensuring that /dev/net/tun exists: %v", err)
+	}
+
+	if cfg.SOCKSProxyAddr != "" {
+		args = append(args, "--socks5-server="+cfg.SOCKSProxyAddr)
+	}
+	if cfg.HTTPProxyAddr != "" {
+		args = append(args, "--outbound-http-proxy-listen="+cfg.HTTPProxyAddr)
+	}
+	if cfg.DaemonExtraArgs != "" {
+		args = append(args, strings.Fields(cfg.DaemonExtraArgs)...)
+	}
+	return args
+}
+
+// tailscaleUp uses cfg to run 'tailscale up'.
+func tailscaleUp(ctx context.Context, cfg *settings) error {
+	args := []string{"--socket=" + cfg.Socket, "up"}
+	if cfg.AcceptDNS {
+		args = append(args, "--accept-dns=true")
+	} else {
+		args = append(args, "--accept-dns=false")
+	}
+	if cfg.AuthKey != "" {
+		args = append(args, "--authkey="+cfg.AuthKey)
+	}
+	if cfg.Routes != "" {
+		args = append(args, "--advertise-routes="+cfg.Routes)
+	}
+	if cfg.ExtraArgs != "" {
+		args = append(args, strings.Fields(cfg.ExtraArgs)...)
+	}
+	log.Printf("Running 'tailscale up'")
+	cmd := exec.CommandContext(ctx, "tailscale", args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("tailscale up failed: %v", err)
+	}
+	return nil
+}
+
+// ensureTunFile checks that /dev/net/tun exists, creating it if
+// missing.
+func ensureTunFile() error {
+	// Verify that /dev/net/tun exists, in some container envs it
+	// needs to be mknod-ed.
+	if _, err := os.Stat("/dev/net"); errors.Is(err, fs.ErrNotExist) {
+		if err := os.MkdirAll("/dev/net", 0755); err != nil {
+			return err
+		}
+	}
+	if _, err := os.Stat("/dev/net/tun"); errors.Is(err, fs.ErrNotExist) {
+		dev := unix.Mkdev(10, 200) // tuntap major and minor
+		if err := unix.Mknod("/dev/net/tun", 0600|unix.S_IFCHR, int(dev)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// ensureIPForwarding enables IPv4/IPv6 forwarding for the container.
+func ensureIPForwarding(proxyTo string, routes []string) error {
+	var (
+		v4Forwarding, v6Forwarding bool
+	)
+	proxyIP, err := netip.ParseAddr(proxyTo)
+	if err != nil {
+		return fmt.Errorf("invalid proxy destination IP: %v", err)
+	}
+	if proxyIP.Is4() {
+		v4Forwarding = true
+	} else {
+		v6Forwarding = true
+	}
+	for _, route := range routes {
+		cidr, err := netip.ParsePrefix(route)
+		if err != nil {
+			return fmt.Errorf("invalid subnet route: %v", err)
+		}
+		if cidr.Addr().Is4() {
+			v4Forwarding = true
+		} else {
+			v6Forwarding = true
+		}
+	}
+
+	var paths []string
+	if v4Forwarding {
+		paths = append(paths, "/proc/sys/net/ipv4/ip_forward")
+	}
+	if v6Forwarding {
+		paths = append(paths, "/proc/sys/net/ipv6/conf/all/forwarding")
+	}
+
+	// In some common configurations (e.g. default docker,
+	// kubernetes), the container environment denies write access to
+	// most sysctls, including IP forwarding controls. Check the
+	// sysctl values before trying to change them, so that we
+	// gracefully do nothing if the container's already been set up
+	// properly by e.g. a k8s initContainer.
+	for _, path := range paths {
+		bs, err := os.ReadFile(path)
+		if err != nil {
+			return fmt.Errorf("reading %q: %w", path, err)
+		}
+		if v := strings.TrimSpace(string(bs)); v != "1" {
+			if err := os.WriteFile(path, []byte("1"), 0644); err != nil {
+				return fmt.Errorf("enabling %q: %w", path, err)
+			}
+		}
+	}
+	return nil
+}
+
+func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Addr) error {
+	dst, err := netip.ParseAddr(dstStr)
+	if err != nil {
+		return err
+	}
+	argv0 := "iptables"
+	if dst.Is6() {
+		argv0 = "ip6tables"
+	}
+	var local string
+	for _, ip := range tsIPs {
+		if ip.Is4() != dst.Is4() {
+			continue
+		}
+		local = ip.String()
+		break
+	}
+	if local == "" {
+		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
+	}
+	cmd := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "PREROUTING", "1", "-d", local, "-j", "DNAT", "--to-destination", dstStr)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("executing iptables failed: %w", err)
+	}
+	return nil
+}
+
+// settings is all the configuration for containerboot.
+type settings struct {
+	AuthKey         string
+	Routes          string
+	ProxyTo         string
+	DaemonExtraArgs string
+	ExtraArgs       string
+	InKubernetes    bool
+	UserspaceMode   bool
+	StateDir        string
+	AcceptDNS       bool
+	KubeSecret      string
+	SOCKSProxyAddr  string
+	HTTPProxyAddr   string
+	Socket          string
+	AuthOnce        bool
+}
+
+// defaultEnv returns the value of the given envvar name, or defVal if
+// unset.
+func defaultEnv(name, defVal string) string {
+	if v := os.Getenv(name); v != "" {
+		return v
+	}
+	return defVal
+}
+
+// defaultBool returns the boolean value of the given envvar name, or
+// defVal if unset or not a bool.
+func defaultBool(name string, defVal bool) bool {
+	v := os.Getenv(name)
+	ret, err := strconv.ParseBool(v)
+	if err != nil {
+		return defVal
+	}
+	return ret
+}

cmd/derper/depaware.txt

@@ -34,7 +34,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
         tailscale.com/ipn                                            from tailscale.com/client/tailscale
         tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-     💣 tailscale.com/metrics                                        from tailscale.com/cmd/derper+
+        tailscale.com/metrics                                        from tailscale.com/cmd/derper+
         tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
         tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
      💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
@@ -47,6 +47,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
+        tailscale.com/net/wsconn                                     from tailscale.com/cmd/derper+
         tailscale.com/paths                                          from tailscale.com/client/tailscale
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale
         tailscale.com/syncs                                          from tailscale.com/cmd/derper+
@@ -63,14 +64,15 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
         tailscale.com/types/netmap                                   from tailscale.com/ipn
         tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
-        tailscale.com/types/pad32                                    from tailscale.com/derp
         tailscale.com/types/persist                                  from tailscale.com/ipn
         tailscale.com/types/preftype                                 from tailscale.com/ipn
         tailscale.com/types/structs                                  from tailscale.com/ipn+
         tailscale.com/types/tkatype                                  from tailscale.com/types/key+
         tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
+   W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
         tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
    W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
+   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
    W    tailscale.com/util/endian                                    from tailscale.com/net/netns
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
@@ -107,6 +109,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
    W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
    W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
         golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
         golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+

cmd/derper/derper.go

@@ -325,11 +325,31 @@ func main() {
 	}
 }
 
+const (
+	noContentChallengeHeader = "X-Tailscale-Challenge"
+	noContentResponseHeader  = "X-Tailscale-Response"
+)
+
 // For captive portal detection
 func serveNoContent(w http.ResponseWriter, r *http.Request) {
+	if challenge := r.Header.Get(noContentChallengeHeader); challenge != "" {
+		badChar := strings.IndexFunc(challenge, func(r rune) bool {
+			return !isChallengeChar(r)
+		}) != -1
+		if len(challenge) <= 64 && !badChar {
+			w.Header().Set(noContentResponseHeader, "response "+challenge)
+		}
+	}
 	w.WriteHeader(http.StatusNoContent)
 }
 
+func isChallengeChar(c rune) bool {
+	// Semi-randomly chosen as a limited set of valid characters
+	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') ||
+		('0' <= c && c <= '9') ||
+		c == '.' || c == '-' || c == '_'
+}
+
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {

cmd/derper/derper_test.go

@@ -7,6 +7,9 @@ package main
 import (
 	"context"
 	"net"
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"tailscale.com/net/stun"
@@ -67,3 +70,62 @@ func BenchmarkServerSTUN(b *testing.B) {
 	}
 
 }
+
+func TestNoContent(t *testing.T) {
+	testCases := []struct {
+		name  string
+		input string
+		want  string
+	}{
+		{
+			name: "no challenge",
+		},
+		{
+			name:  "valid challenge",
+			input: "input",
+			want:  "response input",
+		},
+		{
+			name:  "valid challenge hostname",
+			input: "ts_derp99b.tailscale.com",
+			want:  "response ts_derp99b.tailscale.com",
+		},
+		{
+			name:  "invalid challenge",
+			input: "foo\x00bar",
+			want:  "",
+		},
+		{
+			name:  "whitespace invalid challenge",
+			input: "foo bar",
+			want:  "",
+		},
+		{
+			name:  "long challenge",
+			input: strings.Repeat("x", 65),
+			want:  "",
+		},
+	}
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			req, _ := http.NewRequest("GET", "https://localhost/generate_204", nil)
+			if tt.input != "" {
+				req.Header.Set(noContentChallengeHeader, tt.input)
+			}
+			w := httptest.NewRecorder()
+			serveNoContent(w, req)
+			resp := w.Result()
+
+			if tt.want == "" {
+				if h, found := resp.Header[noContentResponseHeader]; found {
+					t.Errorf("got %+v; expected no response header", h)
+				}
+				return
+			}
+
+			if got := resp.Header.Get(noContentResponseHeader); got != tt.want {
+				t.Errorf("got %q; want %q", got, tt.want)
+			}
+		})
+	}
+}

cmd/derper/websocket.go

@@ -13,6 +13,7 @@ import (
 
 	"nhooyr.io/websocket"
 	"tailscale.com/derp"
+	"tailscale.com/net/wsconn"
 )
 
 var counterWebSocketAccepts = expvar.NewInt("derp_websocket_accepts")
@@ -23,7 +24,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		up := strings.ToLower(r.Header.Get("Upgrade"))
 
 		// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
-		// speak WebSockets (they still assumed DERP's binary framining). So to distinguish
+		// speak WebSockets (they still assumed DERP's binary framing). So to distinguish
 		// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
 		if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
 			base.ServeHTTP(w, r)
@@ -50,7 +51,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 			return
 		}
 		counterWebSocketAccepts.Add(1)
-		wc := websocket.NetConn(r.Context(), c, websocket.MessageBinary)
+		wc := wsconn.NetConn(r.Context(), c, websocket.MessageBinary)
 		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
 		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
 	})

cmd/netlogfmt/main.go

@@ -0,0 +1,387 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// netlogfmt parses a stream of JSON log messages from stdin and
+// formats the network traffic logs produced by "tailscale.com/wgengine/netlog"
+// according to the schema in "tailscale.com/types/netlogtype.Message"
+// in a more humanly readable format.
+//
+// Example usage:
+//
+//	$ cat netlog.json | go run tailscale.com/cmd/netlogfmt
+//	=========================================================================================
+//	NodeID: n123456CNTRL
+//	Logged: 2022-10-13T20:23:10.165Z
+//	Window: 2022-10-13T20:23:09.644Z (5s)
+//	---------------------------------------------------  Tx[P/s]  Tx[B/s]  Rx[P/s]    Rx[B/s]
+//	VirtualTraffic:                                       16.80    1.64Ki   11.20      1.03Ki
+//	    TCP:    100.109.51.95:22 -> 100.85.80.41:42912    16.00    1.59Ki   10.40   1008.84
+//	    TCP: 100.109.51.95:21291 -> 100.107.177.2:53133    0.40   27.60      0.40     24.20
+//	    TCP: 100.109.51.95:21291 -> 100.107.177.2:53134    0.40   23.40      0.40     24.20
+//	PhysicalTraffic:                                      16.80    2.32Ki   11.20      1.48Ki
+//	                100.85.80.41 -> 192.168.0.101:41641   16.00    2.23Ki   10.40      1.40Ki
+//	               100.107.177.2 -> 192.168.0.100:41641    0.80   83.20      0.80     83.20
+//	=========================================================================================
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"math"
+	"net/http"
+	"net/netip"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/dsnet/try"
+	jsonv2 "github.com/go-json-experiment/json"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
+	"tailscale.com/logtail"
+	"tailscale.com/types/netlogtype"
+	"tailscale.com/util/must"
+)
+
+var (
+	resolveNames = flag.Bool("resolve-names", false, "convert tailscale IP addresses to hostnames; must also specify --api-key and --tailnet-id")
+	apiKey       = flag.String("api-key", "", "API key to query the Tailscale API with; see https://login.tailscale.com/admin/settings/keys")
+	tailnetName  = flag.String("tailnet-name", "", "tailnet domain name to lookup devices in; see https://login.tailscale.com/admin/settings/general")
+)
+
+var namesByAddr map[netip.Addr]string
+
+func main() {
+	flag.Parse()
+	if *resolveNames {
+		namesByAddr = mustMakeNamesByAddr()
+	}
+
+	// The logic handles a stream of arbitrary JSON.
+	// So long as a JSON object seems like a network log message,
+	// then this will unmarshal and print it.
+	if err := processStream(os.Stdin); err != nil {
+		if err == io.EOF {
+			return
+		}
+		log.Fatalf("processStream: %v", err)
+	}
+}
+
+func processStream(r io.Reader) (err error) {
+	defer try.Handle(&err)
+	dec := jsonv2.NewDecoder(os.Stdin)
+	for {
+		processValue(dec)
+	}
+}
+
+func processValue(dec *jsonv2.Decoder) {
+	switch dec.PeekKind() {
+	case '[':
+		processArray(dec)
+	case '{':
+		processObject(dec)
+	default:
+		try.E(dec.SkipValue())
+	}
+}
+
+func processArray(dec *jsonv2.Decoder) {
+	try.E1(dec.ReadToken()) // parse '['
+	for dec.PeekKind() != ']' {
+		processValue(dec)
+	}
+	try.E1(dec.ReadToken()) // parse ']'
+}
+
+func processObject(dec *jsonv2.Decoder) {
+	var hasTraffic bool
+	var rawMsg []byte
+	try.E1(dec.ReadToken()) // parse '{'
+	for dec.PeekKind() != '}' {
+		// Capture any members that could belong to a network log message.
+		switch name := try.E1(dec.ReadToken()); name.String() {
+		case "virtualTraffic", "subnetTraffic", "exitTraffic", "physicalTraffic":
+			hasTraffic = true
+			fallthrough
+		case "logtail", "nodeId", "logged", "start", "end":
+			if len(rawMsg) == 0 {
+				rawMsg = append(rawMsg, '{')
+			} else {
+				rawMsg = append(rawMsg[:len(rawMsg)-1], ',')
+			}
+			rawMsg = append(append(append(rawMsg, '"'), name.String()...), '"')
+			rawMsg = append(rawMsg, ':')
+			rawMsg = append(rawMsg, try.E1(dec.ReadValue())...)
+			rawMsg = append(rawMsg, '}')
+		default:
+			processValue(dec)
+		}
+	}
+	try.E1(dec.ReadToken()) // parse '}'
+
+	// If this appears to be a network log message, then unmarshal and print it.
+	if hasTraffic {
+		var msg message
+		try.E(jsonv2.Unmarshal(rawMsg, &msg))
+		printMessage(msg)
+	}
+}
+
+type message struct {
+	Logtail struct {
+		ID     logtail.PublicID `json:"id"`
+		Logged time.Time        `json:"server_time"`
+	} `json:"logtail"`
+	Logged time.Time `json:"logged"`
+	netlogtype.Message
+}
+
+func printMessage(msg message) {
+	// Construct a table of network traffic per connection.
+	rows := [][7]string{{3: "Tx[P/s]", 4: "Tx[B/s]", 5: "Rx[P/s]", 6: "Rx[B/s]"}}
+	duration := msg.End.Sub(msg.Start)
+	addRows := func(heading string, traffic []netlogtype.ConnectionCounts) {
+		if len(traffic) == 0 {
+			return
+		}
+		slices.SortFunc(traffic, func(x, y netlogtype.ConnectionCounts) bool {
+			nx := x.TxPackets + x.TxBytes + x.RxPackets + x.RxBytes
+			ny := y.TxPackets + y.TxBytes + y.RxPackets + y.RxBytes
+			return nx > ny
+		})
+		var sum netlogtype.Counts
+		for _, cc := range traffic {
+			sum = sum.Add(cc.Counts)
+		}
+		rows = append(rows, [7]string{
+			0: heading + ":",
+			3: formatSI(float64(sum.TxPackets) / duration.Seconds()),
+			4: formatIEC(float64(sum.TxBytes) / duration.Seconds()),
+			5: formatSI(float64(sum.RxPackets) / duration.Seconds()),
+			6: formatIEC(float64(sum.RxBytes) / duration.Seconds()),
+		})
+		if len(traffic) == 1 && traffic[0].Connection.IsZero() {
+			return // this is already a summary counts
+		}
+		formatAddrPort := func(a netip.AddrPort) string {
+			if !a.IsValid() {
+				return ""
+			}
+			if name, ok := namesByAddr[a.Addr()]; ok {
+				if a.Port() == 0 {
+					return name
+				}
+				return name + ":" + strconv.Itoa(int(a.Port()))
+			}
+			if a.Port() == 0 {
+				return a.Addr().String()
+			}
+			return a.String()
+		}
+		for _, cc := range traffic {
+			row := [7]string{
+				0: "    ",
+				1: formatAddrPort(cc.Src),
+				2: formatAddrPort(cc.Dst),
+				3: formatSI(float64(cc.TxPackets) / duration.Seconds()),
+				4: formatIEC(float64(cc.TxBytes) / duration.Seconds()),
+				5: formatSI(float64(cc.RxPackets) / duration.Seconds()),
+				6: formatIEC(float64(cc.RxBytes) / duration.Seconds()),
+			}
+			if cc.Proto > 0 {
+				row[0] += cc.Proto.String() + ":"
+			}
+			rows = append(rows, row)
+		}
+	}
+	addRows("VirtualTraffic", msg.VirtualTraffic)
+	addRows("SubnetTraffic", msg.SubnetTraffic)
+	addRows("ExitTraffic", msg.ExitTraffic)
+	addRows("PhysicalTraffic", msg.PhysicalTraffic)
+
+	// Compute the maximum width of each field.
+	var maxWidths [7]int
+	for _, row := range rows {
+		for i, col := range row {
+			if maxWidths[i] < len(col) && !(i == 0 && !strings.HasPrefix(col, " ")) {
+				maxWidths[i] = len(col)
+			}
+		}
+	}
+	var maxSum int
+	for _, n := range maxWidths {
+		maxSum += n
+	}
+
+	// Output a table of network traffic per connection.
+	line := make([]byte, 0, maxSum+len(" ")+len(" -> ")+4*len("  "))
+	line = appendRepeatByte(line, '=', cap(line))
+	fmt.Println(string(line))
+	if !msg.Logtail.ID.IsZero() {
+		fmt.Printf("LogID:  %s\n", msg.Logtail.ID)
+	}
+	if msg.NodeID != "" {
+		fmt.Printf("NodeID: %s\n", msg.NodeID)
+	}
+	formatTime := func(t time.Time) string {
+		return t.In(time.Local).Format("2006-01-02 15:04:05.000")
+	}
+	switch {
+	case !msg.Logged.IsZero():
+		fmt.Printf("Logged: %s\n", formatTime(msg.Logged))
+	case !msg.Logtail.Logged.IsZero():
+		fmt.Printf("Logged: %s\n", formatTime(msg.Logtail.Logged))
+	}
+	fmt.Printf("Window: %s (%0.3fs)\n", formatTime(msg.Start), duration.Seconds())
+	for i, row := range rows {
+		line = line[:0]
+		isHeading := !strings.HasPrefix(row[0], " ")
+		for j, col := range row {
+			if isHeading && j == 0 {
+				col = "" // headings will be printed later
+			}
+			switch j {
+			case 0, 2: // left justified
+				line = append(line, col...)
+				line = appendRepeatByte(line, ' ', maxWidths[j]-len(col))
+			case 1, 3, 4, 5, 6: // right justified
+				line = appendRepeatByte(line, ' ', maxWidths[j]-len(col))
+				line = append(line, col...)
+			}
+			switch j {
+			case 0:
+				line = append(line, " "...)
+			case 1:
+				if row[1] == "" && row[2] == "" {
+					line = append(line, "    "...)
+				} else {
+					line = append(line, " -> "...)
+				}
+			case 2, 3, 4, 5:
+				line = append(line, "  "...)
+			}
+		}
+		switch {
+		case i == 0: // print dashed-line table heading
+			line = appendRepeatByte(line[:0], '-', maxWidths[0]+len(" ")+maxWidths[1]+len(" -> ")+maxWidths[2])[:cap(line)]
+		case isHeading:
+			copy(line[:], row[0])
+		}
+		fmt.Println(string(line))
+	}
+}
+
+func mustMakeNamesByAddr() map[netip.Addr]string {
+	switch {
+	case *apiKey == "":
+		log.Fatalf("--api-key must be specified with --resolve-names")
+	case *tailnetName == "":
+		log.Fatalf("--tailnet must be specified with --resolve-names")
+	}
+
+	// Query the Tailscale API for a list of devices in the tailnet.
+	const apiURL = "https://api.tailscale.com/api/v2"
+	req := must.Get(http.NewRequest("GET", apiURL+"/tailnet/"+*tailnetName+"/devices", nil))
+	req.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(*apiKey+":")))
+	resp := must.Get(http.DefaultClient.Do(req))
+	defer resp.Body.Close()
+	b := must.Get(io.ReadAll(resp.Body))
+	if resp.StatusCode != 200 {
+		log.Fatalf("http: %v: %s", http.StatusText(resp.StatusCode), b)
+	}
+
+	// Unmarshal the API response.
+	var m struct {
+		Devices []struct {
+			Name  string       `json:"name"`
+			Addrs []netip.Addr `json:"addresses"`
+		} `json:"devices"`
+	}
+	must.Do(json.Unmarshal(b, &m))
+
+	// Construct a unique mapping of Tailscale IP addresses to hostnames.
+	// For brevity, we start with the first segment of the name and
+	// use more segments until we find the shortest prefix that is unique
+	// for all names in the tailnet.
+	seen := make(map[string]bool)
+	namesByAddr := make(map[netip.Addr]string)
+retry:
+	for i := 0; i < 10; i++ {
+		maps.Clear(seen)
+		maps.Clear(namesByAddr)
+		for _, d := range m.Devices {
+			name := fieldPrefix(d.Name, i)
+			if seen[name] {
+				continue retry
+			}
+			seen[name] = true
+			for _, a := range d.Addrs {
+				namesByAddr[a] = name
+			}
+		}
+		return namesByAddr
+	}
+	panic("unable to produce unique mapping of address to names")
+}
+
+// fieldPrefix returns the first n number of dot-separated segments.
+//
+// Example:
+//
+//	fieldPrefix("foo.bar.baz", 0) returns ""
+//	fieldPrefix("foo.bar.baz", 1) returns "foo"
+//	fieldPrefix("foo.bar.baz", 2) returns "foo.bar"
+//	fieldPrefix("foo.bar.baz", 3) returns "foo.bar.baz"
+//	fieldPrefix("foo.bar.baz", 4) returns "foo.bar.baz"
+func fieldPrefix(s string, n int) string {
+	s0 := s
+	for i := 0; i < n && len(s) > 0; i++ {
+		if j := strings.IndexByte(s, '.'); j >= 0 {
+			s = s[j+1:]
+		} else {
+			s = ""
+		}
+	}
+	return strings.TrimSuffix(s0[:len(s0)-len(s)], ".")
+}
+
+func appendRepeatByte(b []byte, c byte, n int) []byte {
+	for i := 0; i < n; i++ {
+		b = append(b, c)
+	}
+	return b
+}
+
+func formatSI(n float64) string {
+	switch n := math.Abs(n); {
+	case n < 1e3:
+		return fmt.Sprintf("%0.2f ", n/(1e0))
+	case n < 1e6:
+		return fmt.Sprintf("%0.2fk", n/(1e3))
+	case n < 1e9:
+		return fmt.Sprintf("%0.2fM", n/(1e6))
+	default:
+		return fmt.Sprintf("%0.2fG", n/(1e9))
+	}
+}
+
+func formatIEC(n float64) string {
+	switch n := math.Abs(n); {
+	case n < 1<<10:
+		return fmt.Sprintf("%0.2f  ", n/(1<<0))
+	case n < 1<<20:
+		return fmt.Sprintf("%0.2fKi", n/(1<<10))
+	case n < 1<<30:
+		return fmt.Sprintf("%0.2fMi", n/(1<<20))
+	default:
+		return fmt.Sprintf("%0.2fGi", n/(1<<30))
+	}
+}

cmd/nginx-auth/README.md

@@ -1,5 +1,7 @@
 # nginx-auth
 
+[![status: experimental](https://img.shields.io/badge/status-experimental-blue)](https://tailscale.com/kb/1167/release-stages/#experimental)
+
 This is a tool that allows users to use Tailscale Whois authentication with
 NGINX as a reverse proxy. This allows users that already have a bunch of
 services hosted on an internal NGINX server to point those domains to the

cmd/nginx-auth/mkdeb.sh

@@ -4,7 +4,7 @@ set -e
 
 CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .
 
-VERSION=0.1.1
+VERSION=0.1.2
 
 mkpkg \
     --out=tailscale-nginx-auth-${VERSION}-amd64.deb \

cmd/pgproxy/README.md

@@ -0,0 +1,42 @@
+# pgproxy
+
+The pgproxy server is a proxy for the Postgres wire protocol. [Read
+more in our blog
+post](https://tailscale.com/blog/introducing-pgproxy/) about it!
+
+The proxy runs an in-process Tailscale instance, accepts postgres
+client connections over Tailscale only, and proxies them to the
+configured upstream postgres server.
+
+This proxy exists because postgres clients default to very insecure
+connection settings: either they "prefer" but do not require TLS; or
+they set sslmode=require, which merely requires that a TLS handshake
+took place, but don't verify the server's TLS certificate or the
+presented TLS hostname.  In other words, sslmode=require enforces that
+a TLS session is created, but that session can trivially be
+machine-in-the-middled to steal credentials, data, inject malicious
+queries, and so forth.
+
+Because this flaw is in the client's validation of the TLS session,
+you have no way of reliably detecting the misconfiguration
+server-side. You could fix the configuration of all the clients you
+know of, but the default makes it very easy to accidentally regress.
+
+Instead of trying to verify client configuration over time, this proxy
+removes the need for postgres clients to be configured correctly: the
+upstream database is configured to only accept connections from the
+proxy, and the proxy is only available to clients over Tailscale.
+
+Therefore, clients must use the proxy to connect to the database. The
+client<>proxy connection is secured end-to-end by Tailscale, which the
+proxy enforces by verifying that the connecting client is a known
+current Tailscale peer. The proxy<>server connection is established by
+the proxy itself, using strict TLS verification settings, and the
+client is only allowed to communicate with the server once we've
+established that the upstream connection is safe to use.
+
+A couple side benefits: because clients can only connect via
+Tailscale, you can use Tailscale ACLs as an extra layer of defense on
+top of the postgres user/password authentication. And, the proxy can
+maintain an audit log of who connected to the database, complete with
+the strongly authenticated Tailscale identity of the client.

cmd/pgproxy/pgproxy.go

@@ -0,0 +1,366 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The pgproxy server is a proxy for the Postgres wire protocol.
+package main
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	crand "crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"expvar"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"math/big"
+	"net"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"tailscale.com/client/tailscale"
+	"tailscale.com/metrics"
+	"tailscale.com/tsnet"
+	"tailscale.com/tsweb"
+	"tailscale.com/types/logger"
+)
+
+var (
+	hostname     = flag.String("hostname", "", "Tailscale hostname to serve on")
+	port         = flag.Int("port", 5432, "Listening port for client connections")
+	debugPort    = flag.Int("debug-port", 80, "Listening port for debug/metrics endpoint")
+	upstreamAddr = flag.String("upstream-addr", "", "Address of the upstream Postgres server, in host:port format")
+	upstreamCA   = flag.String("upstream-ca-file", "", "File containing the PEM-encoded CA certificate for the upstream server")
+	tailscaleDir = flag.String("state-dir", "", "Directory in which to store the Tailscale auth state")
+)
+
+func main() {
+	flag.Parse()
+	if *hostname == "" {
+		log.Fatal("missing --hostname")
+	}
+	if *upstreamAddr == "" {
+		log.Fatal("missing --upstream-addr")
+	}
+	if *upstreamCA == "" {
+		log.Fatal("missing --upstream-ca-file")
+	}
+	if *tailscaleDir == "" {
+		log.Fatal("missing --state-dir")
+	}
+
+	ts := &tsnet.Server{
+		Dir:      *tailscaleDir,
+		Hostname: *hostname,
+		// Make the stdout logs a clean audit log of connections.
+		Logf: logger.Discard,
+	}
+
+	if os.Getenv("TS_AUTHKEY") == "" {
+		log.Print("Note: you need to run this with TS_AUTHKEY=... the first time, to join your tailnet of choice.")
+	}
+
+	tsclient, err := ts.LocalClient()
+	if err != nil {
+		log.Fatalf("getting tsnet API client: %v", err)
+	}
+
+	p, err := newProxy(*upstreamAddr, *upstreamCA, tsclient)
+	if err != nil {
+		log.Fatal(err)
+	}
+	expvar.Publish("pgproxy", p.Expvar())
+
+	if *debugPort != 0 {
+		mux := http.NewServeMux()
+		tsweb.Debugger(mux)
+		srv := &http.Server{
+			Handler: mux,
+		}
+		dln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *debugPort))
+		if err != nil {
+			log.Fatal(err)
+		}
+		go func() {
+			log.Fatal(srv.Serve(dln))
+		}()
+	}
+
+	ln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *port))
+	if err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("serving access to %s on port %d", *upstreamAddr, *port)
+	log.Fatal(p.Serve(ln))
+}
+
+// proxy is a postgres wire protocol proxy, which strictly enforces
+// the security of the TLS connection to its upstream regardless of
+// what the client's TLS configuration is.
+type proxy struct {
+	upstreamAddr     string // "my.database.com:5432"
+	upstreamHost     string // "my.database.com"
+	upstreamCertPool *x509.CertPool
+	downstreamCert   []tls.Certificate
+	client           *tailscale.LocalClient
+
+	activeSessions  expvar.Int
+	startedSessions expvar.Int
+	errors          metrics.LabelMap
+}
+
+// newProxy returns a proxy that forwards connections to
+// upstreamAddr. The upstream's TLS session is verified using the CA
+// cert(s) in upstreamCAPath.
+func newProxy(upstreamAddr, upstreamCAPath string, client *tailscale.LocalClient) (*proxy, error) {
+	bs, err := os.ReadFile(upstreamCAPath)
+	if err != nil {
+		return nil, err
+	}
+	upstreamCertPool := x509.NewCertPool()
+	if !upstreamCertPool.AppendCertsFromPEM(bs) {
+		return nil, fmt.Errorf("invalid CA cert in %q", upstreamCAPath)
+	}
+
+	h, _, err := net.SplitHostPort(upstreamAddr)
+	if err != nil {
+		return nil, err
+	}
+	downstreamCert, err := mkSelfSigned(h)
+	if err != nil {
+		return nil, err
+	}
+
+	return &proxy{
+		upstreamAddr:     upstreamAddr,
+		upstreamHost:     h,
+		upstreamCertPool: upstreamCertPool,
+		downstreamCert:   []tls.Certificate{downstreamCert},
+		client:           client,
+		errors:           metrics.LabelMap{Label: "kind"},
+	}, nil
+}
+
+// Expvar returns p's monitoring metrics.
+func (p *proxy) Expvar() expvar.Var {
+	ret := &metrics.Set{}
+	ret.Set("sessions_active", &p.activeSessions)
+	ret.Set("sessions_started", &p.startedSessions)
+	ret.Set("session_errors", &p.errors)
+	return ret
+}
+
+// Serve accepts postgres client connections on ln and proxies them to
+// the configured upstream. ln can be any net.Listener, but all client
+// connections must originate from tailscale IPs that can be verified
+// with WhoIs.
+func (p *proxy) Serve(ln net.Listener) error {
+	var lastSessionID int64
+	for {
+		c, err := ln.Accept()
+		if err != nil {
+			return err
+		}
+		id := time.Now().UnixNano()
+		if id == lastSessionID {
+			// Bluntly enforce SID uniqueness, even if collisions are
+			// fantastically unlikely (but OSes vary in how much timer
+			// precision they expose to the OS, so id might be rounded
+			// e.g. to the same millisecond)
+			id++
+		}
+		lastSessionID = id
+		go func(sessionID int64) {
+			if err := p.serve(sessionID, c); err != nil {
+				log.Printf("%d: session ended with error: %v", sessionID, err)
+			}
+		}(id)
+	}
+}
+
+var (
+	// sslStart is the magic bytes that postgres clients use to indicate
+	// that they want to do a TLS handshake. Servers should respond with
+	// the single byte "S" before starting a normal TLS handshake.
+	sslStart = [8]byte{0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f}
+	// plaintextStart is the magic bytes that postgres clients use to
+	// indicate that they're starting a plaintext authentication
+	// handshake.
+	plaintextStart = [8]byte{0, 0, 0, 86, 0, 3, 0, 0}
+)
+
+// serve proxies the postgres client on c to the proxy's upstream,
+// enforcing strict TLS to the upstream.
+func (p *proxy) serve(sessionID int64, c net.Conn) error {
+	defer c.Close()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	whois, err := p.client.WhoIs(ctx, c.RemoteAddr().String())
+	if err != nil {
+		p.errors.Add("whois-failed", 1)
+		return fmt.Errorf("getting client identity: %v", err)
+	}
+
+	// Before anything else, log the connection attempt.
+	user, machine := "", ""
+	if whois.Node != nil {
+		if whois.Node.Hostinfo.ShareeNode() {
+			machine = "external-device"
+		} else {
+			machine = strings.TrimSuffix(whois.Node.Name, ".")
+		}
+	}
+	if whois.UserProfile != nil {
+		user = whois.UserProfile.LoginName
+		if user == "tagged-devices" && whois.Node != nil {
+			user = strings.Join(whois.Node.Tags, ",")
+		}
+	}
+	if user == "" || machine == "" {
+		p.errors.Add("no-ts-identity", 1)
+		return fmt.Errorf("couldn't identify source user and machine (user %q, machine %q)", user, machine)
+	}
+	log.Printf("%d: session start, from %s (machine %s, user %s)", sessionID, c.RemoteAddr(), machine, user)
+	start := time.Now()
+	defer func() {
+		elapsed := time.Since(start)
+		log.Printf("%d: session end, from %s (machine %s, user %s), lasted %s", sessionID, c.RemoteAddr(), machine, user, elapsed.Round(time.Millisecond))
+	}()
+
+	// Read the client's opening message, to figure out if it's trying
+	// to TLS or not.
+	var buf [8]byte
+	if _, err := io.ReadFull(c, buf[:len(sslStart)]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("initial magic read: %v", err)
+	}
+	var clientIsTLS bool
+	switch {
+	case buf == sslStart:
+		clientIsTLS = true
+	case buf == plaintextStart:
+		clientIsTLS = false
+	default:
+		p.errors.Add("client-bad-protocol", 1)
+		return fmt.Errorf("unrecognized initial packet = % 02x", buf)
+	}
+
+	// Dial & verify upstream connection.
+	var d net.Dialer
+	d.Timeout = 10 * time.Second
+	upc, err := d.Dial("tcp", p.upstreamAddr)
+	if err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("upstream dial: %v", err)
+	}
+	defer upc.Close()
+	if _, err := upc.Write(sslStart[:]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("upstream write of start-ssl magic: %v", err)
+	}
+	if _, err := io.ReadFull(upc, buf[:1]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("reading upstream start-ssl response: %v", err)
+	}
+	if buf[0] != 'S' {
+		p.errors.Add("upstream-bad-protocol", 1)
+		return fmt.Errorf("upstream didn't acknowldge start-ssl, said %q", buf[0])
+	}
+	tlsConf := &tls.Config{
+		ServerName: p.upstreamHost,
+		RootCAs:    p.upstreamCertPool,
+		MinVersion: tls.VersionTLS12,
+	}
+	uptc := tls.Client(upc, tlsConf)
+	if err = uptc.HandshakeContext(ctx); err != nil {
+		p.errors.Add("upstream-tls", 1)
+		return fmt.Errorf("upstream TLS handshake: %v", err)
+	}
+
+	// Accept the client conn and set it up the way the client wants.
+	var clientConn net.Conn
+	if clientIsTLS {
+		io.WriteString(c, "S") // yeah, we're good to speak TLS
+		s := tls.Server(c, &tls.Config{
+			ServerName:   p.upstreamHost,
+			Certificates: p.downstreamCert,
+			MinVersion:   tls.VersionTLS12,
+		})
+		if err = uptc.HandshakeContext(ctx); err != nil {
+			p.errors.Add("client-tls", 1)
+			return fmt.Errorf("client TLS handshake: %v", err)
+		}
+		clientConn = s
+	} else {
+		// Repeat the header we read earlier up to the server.
+		if _, err := uptc.Write(plaintextStart[:]); err != nil {
+			p.errors.Add("network-error", 1)
+			return fmt.Errorf("sending initial client bytes to upstream: %v", err)
+		}
+		clientConn = c
+	}
+
+	// Finally, proxy the client to the upstream.
+	errc := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(uptc, clientConn)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(clientConn, uptc)
+		errc <- err
+	}()
+	if err := <-errc; err != nil {
+		// Don't increment error counts here, because the most common
+		// cause of termination is client or server closing the
+		// connection normally, and it'll obscure "interesting"
+		// handshake errors.
+		return fmt.Errorf("session terminated with error: %v", err)
+	}
+	return nil
+}
+
+// mkSelfSigned creates and returns a self-signed TLS certificate for
+// hostname.
+func mkSelfSigned(hostname string) (tls.Certificate, error) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), crand.Reader)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	pub := priv.Public()
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"pgproxy"},
+		},
+		DNSNames:              []string{hostname},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	derBytes, err := x509.CreateCertificate(crand.Reader, &template, &template, pub, priv)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	cert, err := x509.ParseCertificate(derBytes)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	return tls.Certificate{
+		Certificate: [][]byte{derBytes},
+		PrivateKey:  priv,
+		Leaf:        cert,
+	}, nil
+}

cmd/ssh-auth-none-demo/ssh-auth-none-demo.go

@@ -0,0 +1,189 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// ssh-auth-none-demo is a demo SSH server that's meant to run on the
+// public internet (at 188.166.70.128 port 2222) and
+// highlight the unique parts of the Tailscale SSH server so SSH
+// client authors can hit it easily and fix their SSH clients without
+// needing to set up Tailscale and Tailscale SSH.
+package main
+
+import (
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"time"
+
+	gossh "github.com/tailscale/golang-x-crypto/ssh"
+	"tailscale.com/tempfork/gliderlabs/ssh"
+)
+
+// keyTypes are the SSH key types that we either try to read from the
+// system's OpenSSH keys.
+var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
+
+var (
+	addr = flag.String("addr", ":2222", "address to listen on")
+)
+
+func main() {
+	flag.Parse()
+
+	cacheDir, err := os.UserCacheDir()
+	if err != nil {
+		log.Fatal(err)
+	}
+	dir := filepath.Join(cacheDir, "ssh-auth-none-demo")
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		log.Fatal(err)
+	}
+
+	keys, err := getHostKeys(dir)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if len(keys) == 0 {
+		log.Fatal("no host keys")
+	}
+
+	srv := &ssh.Server{
+		Addr:    *addr,
+		Version: "Tailscale",
+		Handler: handleSessionPostSSHAuth,
+		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
+			start := time.Now()
+			return &gossh.ServerConfig{
+				NextAuthMethodCallback: func(conn gossh.ConnMetadata, prevErrors []error) []string {
+					return []string{"tailscale"}
+				},
+				NoClientAuth: true, // required for the NoClientAuthCallback to run
+				NoClientAuthCallback: func(cm gossh.ConnMetadata) (*gossh.Permissions, error) {
+					cm.SendAuthBanner(fmt.Sprintf("# Banner: doing none auth at %v\r\n", time.Since(start)))
+
+					totalBanners := 2
+					if cm.User() == "banners" {
+						totalBanners = 5
+					}
+					for banner := 2; banner <= totalBanners; banner++ {
+						time.Sleep(time.Second)
+						if banner == totalBanners {
+							cm.SendAuthBanner(fmt.Sprintf("# Banner%d: access granted at %v\r\n", banner, time.Since(start)))
+						} else {
+							cm.SendAuthBanner(fmt.Sprintf("# Banner%d at %v\r\n", banner, time.Since(start)))
+						}
+					}
+					return nil, nil
+				},
+				BannerCallback: func(cm gossh.ConnMetadata) string {
+					log.Printf("Got connection from user %q, %q from %v", cm.User(), cm.ClientVersion(), cm.RemoteAddr())
+					return fmt.Sprintf("# Banner for user %q, %q\n", cm.User(), cm.ClientVersion())
+				},
+			}
+		},
+	}
+
+	for _, signer := range keys {
+		srv.AddHostKey(signer)
+	}
+
+	log.Printf("Running on %s ...", srv.Addr)
+	if err := srv.ListenAndServe(); err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("done")
+}
+
+func handleSessionPostSSHAuth(s ssh.Session) {
+	log.Printf("Started session from user %q", s.User())
+	fmt.Fprintf(s, "Hello user %q, it worked.\n", s.User())
+
+	// Abort the session on Control-C or Control-D.
+	go func() {
+		buf := make([]byte, 1024)
+		for {
+			n, err := s.Read(buf)
+			for _, b := range buf[:n] {
+				if b <= 4 { // abort on Control-C (3) or Control-D (4)
+					io.WriteString(s, "bye\n")
+					s.Exit(1)
+				}
+			}
+			if err != nil {
+				return
+			}
+		}
+	}()
+
+	for i := 10; i > 0; i-- {
+		fmt.Fprintf(s, "%v ...\n", i)
+		time.Sleep(time.Second)
+	}
+	s.Exit(0)
+}
+
+func getHostKeys(dir string) (ret []ssh.Signer, err error) {
+	for _, typ := range keyTypes {
+		hostKey, err := hostKeyFileOrCreate(dir, typ)
+		if err != nil {
+			return nil, err
+		}
+		signer, err := gossh.ParsePrivateKey(hostKey)
+		if err != nil {
+			return nil, err
+		}
+		ret = append(ret, signer)
+	}
+	return ret, nil
+}
+
+func hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
+	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
+	v, err := ioutil.ReadFile(path)
+	if err == nil {
+		return v, nil
+	}
+	if !os.IsNotExist(err) {
+		return nil, err
+	}
+	var priv any
+	switch typ {
+	default:
+		return nil, fmt.Errorf("unsupported key type %q", typ)
+	case "ed25519":
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
+	case "ecdsa":
+		// curve is arbitrary. We pick whatever will at
+		// least pacify clients as the actual encryption
+		// doesn't matter: it's all over WireGuard anyway.
+		curve := elliptic.P256()
+		priv, err = ecdsa.GenerateKey(curve, rand.Reader)
+	case "rsa":
+		// keySize is arbitrary. We pick whatever will at
+		// least pacify clients as the actual encryption
+		// doesn't matter: it's all over WireGuard anyway.
+		const keySize = 2048
+		priv, err = rsa.GenerateKey(rand.Reader, keySize)
+	}
+	if err != nil {
+		return nil, err
+	}
+	mk, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, err
+	}
+	pemGen := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: mk})
+	err = os.WriteFile(path, pemGen, 0700)
+	return pemGen, err
+}

cmd/tailscale/cli/bugreport.go

@@ -7,8 +7,11 @@ package cli
 import (
 	"context"
 	"errors"
+	"flag"
+	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )
 
 var bugReportCmd = &ffcli.Command{
@@ -16,6 +19,17 @@ var bugReportCmd = &ffcli.Command{
 	Exec:       runBugReport,
 	ShortHelp:  "Print a shareable identifier to help diagnose issues",
 	ShortUsage: "bugreport [note]",
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("bugreport")
+		fs.BoolVar(&bugReportArgs.diagnose, "diagnose", false, "run additional in-depth checks")
+		fs.BoolVar(&bugReportArgs.record, "record", false, "if true, pause and then write another bugreport")
+		return fs
+	})(),
+}
+
+var bugReportArgs struct {
+	diagnose bool
+	record   bool
 }
 
 func runBugReport(ctx context.Context, args []string) error {
@@ -25,12 +39,46 @@ func runBugReport(ctx context.Context, args []string) error {
 	case 1:
 		note = args[0]
 	default:
-		return errors.New("unknown argumets")
+		return errors.New("unknown arguments")
 	}
-	logMarker, err := localClient.BugReport(ctx, note)
-	if err != nil {
-		return err
+	opts := tailscale.BugReportOpts{
+		Note:     note,
+		Diagnose: bugReportArgs.diagnose,
 	}
-	outln(logMarker)
+	if !bugReportArgs.record {
+		// Simple, non-record case
+		logMarker, err := localClient.BugReportWithOpts(ctx, opts)
+		if err != nil {
+			return err
+		}
+		outln(logMarker)
+		return nil
+	}
+
+	// Recording; run the request in the background
+	done := make(chan struct{})
+	opts.Record = done
+
+	type bugReportResp struct {
+		marker string
+		err    error
+	}
+	resCh := make(chan bugReportResp, 1)
+	go func() {
+		m, err := localClient.BugReportWithOpts(ctx, opts)
+		resCh <- bugReportResp{m, err}
+	}()
+
+	outln("Recording started; please reproduce your issue and then press Enter...")
+	fmt.Scanln()
+	close(done)
+	res := <-resCh
+
+	if res.err != nil {
+		return res.err
+	}
+
+	outln(res.marker)
+	outln("Please provide both bugreport markers above to the support team or GitHub issue.")
 	return nil
 }

cmd/tailscale/cli/cert.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"errors"
 	"flag"
 	"fmt"
 	"log"
@@ -44,6 +45,7 @@ var certArgs struct {
 func runCert(ctx context.Context, args []string) error {
 	if certArgs.serve {
 		s := &http.Server{
+			Addr: ":443",
 			TLSConfig: &tls.Config{
 				GetCertificate: localClient.GetCertificate,
 			},
@@ -57,7 +59,16 @@ func runCert(ctx context.Context, args []string) error {
 				fmt.Fprintf(w, "<h1>Hello from Tailscale</h1>It works.")
 			}),
 		}
-		log.Printf("running TLS server on :443 ...")
+		switch len(args) {
+		case 0:
+			// Nothing.
+		case 1:
+			s.Addr = args[0]
+		default:
+			return errors.New("too many arguments; max 1 allowed with --serve-demo (the listen address)")
+		}
+
+		log.Printf("running TLS server on %s ...", s.Addr)
 		return s.ListenAndServeTLS("", "")
 	}
 

cmd/tailscale/cli/cli.go

@@ -157,6 +157,7 @@ change in the future.
 		Subcommands: []*ffcli.Command{
 			upCmd,
 			downCmd,
+			setCmd,
 			logoutCmd,
 			netcheckCmd,
 			ipCmd,
@@ -177,7 +178,9 @@ change in the future.
 		UsageFunc: usageFunc,
 	}
 	for _, c := range rootCmd.Subcommands {
-		c.UsageFunc = usageFunc
+		if c.UsageFunc == nil {
+			c.UsageFunc = usageFunc
+		}
 	}
 	if envknob.UseWIPCode() {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, idTokenCmd)
@@ -292,7 +295,16 @@ func strSliceContains(ss []string, s string) bool {
 	return false
 }
 
+// usageFuncNoDefaultValues is like usageFunc but doesn't print default values.
+func usageFuncNoDefaultValues(c *ffcli.Command) string {
+	return usageFuncOpt(c, false)
+}
+
 func usageFunc(c *ffcli.Command) string {
+	return usageFuncOpt(c, true)
+}
+
+func usageFuncOpt(c *ffcli.Command, withDefaults bool) string {
 	var b strings.Builder
 
 	fmt.Fprintf(&b, "USAGE\n")
@@ -323,6 +335,9 @@ func usageFunc(c *ffcli.Command) string {
 		c.FlagSet.VisitAll(func(f *flag.Flag) {
 			var s string
 			name, usage := flag.UnquoteUsage(f)
+			if strings.HasPrefix(usage, "HIDDEN: ") {
+				return
+			}
 			if isBoolFlag(f) {
 				s = fmt.Sprintf("  --%s, --%s=false", f.Name, f.Name)
 			} else {
@@ -336,7 +351,7 @@ func usageFunc(c *ffcli.Command) string {
 			s += "\n    \t"
 			s += strings.ReplaceAll(usage, "\n", "\n    \t")
 
-			if f.DefValue != "" {
+			if f.DefValue != "" && withDefaults {
 				s += fmt.Sprintf(" (default %s)", f.DefValue)
 			}
 

cmd/tailscale/cli/cli_test.go

@@ -39,7 +39,7 @@ func TestUpdateMaskedPrefsFromUpFlag(t *testing.T) {
 		fs := newUpFlagSet(goos, &upArgs)
 		fs.VisitAll(func(f *flag.Flag) {
 			mp := new(ipn.MaskedPrefs)
-			updateMaskedPrefsFromUpFlag(mp, f.Name)
+			updateMaskedPrefsFromUpOrSetFlag(mp, f.Name)
 			got := mp.Pretty()
 			wantEmpty := preflessFlag(f.Name)
 			isEmpty := got == "MaskedPrefs{}"
@@ -410,7 +410,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
 		},
 		{
-			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
+			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Issue 3480
 			flags:         []string{"--hostname=foo"},
 			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
@@ -448,7 +448,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		},
 		{
 			// Issue 3176: on Synology, don't require --accept-routes=false because user
-			// migth've had old an install, and we don't support --accept-routes anyway.
+			// might've had an old install, and we don't support --accept-routes anyway.
 			name:  "synology_permit_omit_accept_routes",
 			flags: []string{"--hostname=foo"},
 			curPrefs: &ipn.Prefs{

cmd/tailscale/cli/configure-host.go

@@ -48,7 +48,7 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if uid := os.Getuid(); uid != 0 {
 		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
 	}
-	hi:= hostinfo.New()
+	hi := hostinfo.New()
 	isDSM6 := strings.HasPrefix(hi.DistroVersion, "6.")
 	isDSM7 := strings.HasPrefix(hi.DistroVersion, "7.")
 	if !isDSM6 && !isDSM7 {

cmd/tailscale/cli/debug.go

@@ -42,7 +42,7 @@ var debugCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("debug")
 		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
-		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-sec seconds and write it to this file; - for stdout")
+		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-seconds seconds and write it to this file; - for stdout")
 		fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
 		fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
 		return fs
@@ -53,6 +53,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDERPMap,
 			ShortHelp: "print DERP map",
 		},
+		{
+			Name:      "component-logs",
+			Exec:      runDebugComponentLogs,
+			ShortHelp: "enable/disable debug logs for a component",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("component-logs")
+				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
+				return fs
+			})(),
+		},
 		{
 			Name:      "daemon-goroutines",
 			Exec:      runDaemonGoroutines,
@@ -134,6 +144,16 @@ var debugCmd = &ffcli.Command{
 				return fs
 			})(),
 		},
+		{
+			Name:      "dev-store-set",
+			Exec:      runDevStoreSet,
+			ShortHelp: "set a key/value pair during development",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("store-set")
+				fs.BoolVar(&devStoreSetArgs.danger, "danger", false, "accept danger")
+				return fs
+			})(),
+		},
 	},
 }
 
@@ -513,3 +533,64 @@ func runTS2021(ctx context.Context, args []string) error {
 	log.Printf("final underlying conn: %v / %v", conn.LocalAddr(), conn.RemoteAddr())
 	return nil
 }
+
+var debugComponentLogsArgs struct {
+	forDur time.Duration
+}
+
+func runDebugComponentLogs(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return errors.New("usage: debug component-logs <component>")
+	}
+	component := args[0]
+	dur := debugComponentLogsArgs.forDur
+
+	err := localClient.SetComponentDebugLogging(ctx, component, dur)
+	if err != nil {
+		return err
+	}
+	if debugComponentLogsArgs.forDur <= 0 {
+		fmt.Printf("Disabled debug logs for component %q\n", component)
+	} else {
+		fmt.Printf("Enabled debug logs for component %q for %v\n", component, dur)
+	}
+	return nil
+}
+
+var devStoreSetArgs struct {
+	danger bool
+}
+
+func runDevStoreSet(ctx context.Context, args []string) error {
+	// TODO(bradfitz): remove this temporary (2022-11-09) hack once
+	// profile stuff and serving CLI commands are more fleshed out.
+	isServe := len(args) >= 1 && strings.HasPrefix(args[0], "_serve/")
+	if isServe {
+		st, err := localClient.StatusWithoutPeers(ctx)
+		if err != nil {
+			return err
+		}
+		args[0] = "_serve/node-" + string(st.Self.ID)
+		log.Printf("Using key %q instead.", args[0])
+	}
+	if len(args) != 2 {
+		return errors.New("usage: dev-store-set --danger <key> <value>")
+	}
+	if !devStoreSetArgs.danger {
+		return errors.New("this command is dangerous; use --danger to proceed")
+	}
+	key, val := args[0], args[1]
+	if val == "-" {
+		valb, err := io.ReadAll(os.Stdin)
+		if err != nil {
+			return err
+		}
+		if isServe {
+			if err := json.Unmarshal(valb, new(ipn.ServeConfig)); err != nil {
+				return fmt.Errorf("invalid JSON: %w", err)
+			}
+		}
+		val = string(valb)
+	}
+	return localClient.SetDevStoreKeyValue(ctx, key, val)
+}

cmd/tailscale/cli/diag.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build linux || windows || darwin
-// +build linux windows darwin
 
 package cli
 

cmd/tailscale/cli/diag_other.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build !linux && !windows && !darwin
-// +build !linux,!windows,!darwin
 
 package cli
 

cmd/tailscale/cli/network-lock.go

@@ -5,6 +5,7 @@
 package cli
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -17,11 +18,17 @@ import (
 )
 
 var netlockCmd = &ffcli.Command{
-	Name:        "lock",
-	ShortUsage:  "lock <sub-command> <arguments>",
-	ShortHelp:   "Manipulate the tailnet key authority",
-	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
-	Exec:        runNetworkLockStatus,
+	Name:       "lock",
+	ShortUsage: "lock <sub-command> <arguments>",
+	ShortHelp:  "Manipulate the tailnet key authority",
+	Subcommands: []*ffcli.Command{
+		nlInitCmd,
+		nlStatusCmd,
+		nlAddCmd,
+		nlRemoveCmd,
+		nlSignCmd,
+	},
+	Exec: runNetworkLockStatus,
 }
 
 var nlInitCmd = &ffcli.Command{
@@ -41,32 +48,15 @@ func runNetworkLockInit(ctx context.Context, args []string) error {
 	}
 
 	// Parse the set of initially-trusted keys.
-	// Keys are specified using their key.NLPublic.MarshalText representation,
-	// with an optional '?<votes>' suffix.
-	var keys []tka.Key
-	for i, a := range args {
-		var key key.NLPublic
-		spl := strings.SplitN(a, "?", 2)
-		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
-			return fmt.Errorf("parsing key %d: %v", i+1, err)
-		}
-
-		k := tka.Key{
-			Kind:   tka.Key25519,
-			Public: key.Verifier(),
-			Votes:  1,
-		}
-		if len(spl) > 1 {
-			votes, err := strconv.Atoi(spl[1])
-			if err != nil {
-				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
-			}
-			k.Votes = uint(votes)
-		}
-		keys = append(keys, k)
+	keys, err := parseNLKeyArgs(args)
+	if err != nil {
+		return err
 	}
 
-	status, err := localClient.NetworkLockInit(ctx, keys)
+	// TODO(tom): Implement specification of disablement values from the command line.
+	disablementValues := [][]byte{bytes.Repeat([]byte{0xa5}, 32)}
+
+	status, err := localClient.NetworkLockInit(ctx, keys, disablementValues)
 	if err != nil {
 		return err
 	}
@@ -99,3 +89,102 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 	fmt.Printf("our public-key: %s\n", p)
 	return nil
 }
+
+var nlAddCmd = &ffcli.Command{
+	Name:       "add",
+	ShortUsage: "add <public-key>...",
+	ShortHelp:  "Adds one or more signing keys to the tailnet key authority",
+	Exec: func(ctx context.Context, args []string) error {
+		return runNetworkLockModify(ctx, args, nil)
+	},
+}
+
+var nlRemoveCmd = &ffcli.Command{
+	Name:       "remove",
+	ShortUsage: "remove <public-key>...",
+	ShortHelp:  "Removes one or more signing keys to the tailnet key authority",
+	Exec: func(ctx context.Context, args []string) error {
+		return runNetworkLockModify(ctx, nil, args)
+	},
+}
+
+// parseNLKeyArgs converts a slice of strings into a slice of tka.Key. The keys
+// should be specified using their key.NLPublic.MarshalText representation with
+// an optional '?<votes>' suffix. If any of the keys encounters an error, a nil
+// slice is returned along with an appropriate error.
+func parseNLKeyArgs(args []string) ([]tka.Key, error) {
+	var keys []tka.Key
+	for i, a := range args {
+		var nlpk key.NLPublic
+		spl := strings.SplitN(a, "?", 2)
+		if err := nlpk.UnmarshalText([]byte(spl[0])); err != nil {
+			return nil, fmt.Errorf("parsing key %d: %v", i+1, err)
+		}
+
+		k := tka.Key{
+			Kind:   tka.Key25519,
+			Public: nlpk.Verifier(),
+			Votes:  1,
+		}
+		if len(spl) > 1 {
+			votes, err := strconv.Atoi(spl[1])
+			if err != nil {
+				return nil, fmt.Errorf("parsing key %d votes: %v", i+1, err)
+			}
+			k.Votes = uint(votes)
+		}
+		keys = append(keys, k)
+	}
+	return keys, nil
+}
+
+func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) error {
+	st, err := localClient.NetworkLockStatus(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	if st.Enabled {
+		return errors.New("network-lock is already enabled")
+	}
+
+	addKeys, err := parseNLKeyArgs(addArgs)
+	if err != nil {
+		return err
+	}
+	removeKeys, err := parseNLKeyArgs(removeArgs)
+	if err != nil {
+		return err
+	}
+
+	status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Status: %+v\n\n", status)
+	return nil
+}
+
+var nlSignCmd = &ffcli.Command{
+	Name:       "sign",
+	ShortUsage: "sign <node-key>",
+	ShortHelp:  "Signs a node-key and transmits that signature to the control plane",
+	Exec:       runNetworkLockSign,
+}
+
+// TODO(tom): Implement specifying the rotation key for the signature.
+func runNetworkLockSign(ctx context.Context, args []string) error {
+	switch len(args) {
+	case 0:
+		return errors.New("expected node-key as second argument")
+	case 1:
+		var nodeKey key.NodePublic
+		if err := nodeKey.UnmarshalText([]byte(args[0])); err != nil {
+			return fmt.Errorf("decoding node-key: %w", err)
+		}
+
+		return localClient.NetworkLockSign(ctx, nodeKey, nil)
+	default:
+		return errors.New("expected a single node-key as only argument")
+	}
+}

cmd/tailscale/cli/set.go

@@ -0,0 +1,130 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/ipn"
+	"tailscale.com/safesocket"
+)
+
+var setCmd = &ffcli.Command{
+	Name:       "set",
+	ShortUsage: "set [flags]",
+	ShortHelp:  "Change specified preferences",
+	LongHelp: `"tailscale set" allows changing specific preferences.
+
+Unlike "tailscale up", this command does not require the complete set of desired settings.
+
+Only settings explicitly mentioned will be set. There are no default values.`,
+	FlagSet:   setFlagSet,
+	Exec:      runSet,
+	UsageFunc: usageFuncNoDefaultValues,
+}
+
+type setArgsT struct {
+	acceptRoutes           bool
+	acceptDNS              bool
+	exitNodeIP             string
+	exitNodeAllowLANAccess bool
+	shieldsUp              bool
+	runSSH                 bool
+	hostname               string
+	advertiseRoutes        string
+	advertiseDefaultRoute  bool
+	opUser                 string
+	acceptedRisks          string
+}
+
+func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
+	setf := newFlagSet("set")
+
+	setf.BoolVar(&setArgs.acceptRoutes, "accept-routes", false, "accept routes advertised by other Tailscale nodes")
+	setf.BoolVar(&setArgs.acceptDNS, "accept-dns", false, "accept DNS configuration from the admin panel")
+	setf.StringVar(&setArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
+	setf.BoolVar(&setArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
+	setf.BoolVar(&setArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
+	setf.BoolVar(&setArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
+	setf.StringVar(&setArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
+	setf.StringVar(&setArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\") or empty string to not advertise routes")
+	setf.BoolVar(&setArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
+	if safesocket.GOOSUsesPeerCreds(goos) {
+		setf.StringVar(&setArgs.opUser, "operator", "", "Unix username to allow to operate on tailscaled without sudo")
+	}
+	registerAcceptRiskFlag(setf, &setArgs.acceptedRisks)
+	return setf
+}
+
+var (
+	setArgs    setArgsT
+	setFlagSet = newSetFlagSet(effectiveGOOS(), &setArgs)
+)
+
+func runSet(ctx context.Context, args []string) (retErr error) {
+	if len(args) > 0 {
+		fatalf("too many non-flag arguments: %q", args)
+	}
+
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return err
+	}
+
+	routes, err := calcAdvertiseRoutes(setArgs.advertiseRoutes, setArgs.advertiseDefaultRoute)
+	if err != nil {
+		return err
+	}
+
+	maskedPrefs := &ipn.MaskedPrefs{
+		Prefs: ipn.Prefs{
+			RouteAll:               setArgs.acceptRoutes,
+			CorpDNS:                setArgs.acceptDNS,
+			ExitNodeAllowLANAccess: setArgs.exitNodeAllowLANAccess,
+			ShieldsUp:              setArgs.shieldsUp,
+			RunSSH:                 setArgs.runSSH,
+			Hostname:               setArgs.hostname,
+			AdvertiseRoutes:        routes,
+			OperatorUser:           setArgs.opUser,
+		},
+	}
+
+	if setArgs.exitNodeIP != "" {
+		if err := maskedPrefs.Prefs.SetExitNodeIP(setArgs.exitNodeIP, st); err != nil {
+			var e ipn.ExitNodeLocalIPError
+			if errors.As(err, &e) {
+				return fmt.Errorf("%w; did you mean --advertise-exit-node?", err)
+			}
+			return err
+		}
+	}
+
+	setFlagSet.Visit(func(f *flag.Flag) {
+		updateMaskedPrefsFromUpOrSetFlag(maskedPrefs, f.Name)
+	})
+
+	if maskedPrefs.IsEmpty() {
+		return flag.ErrHelp
+	}
+
+	if maskedPrefs.RunSSHSet {
+		curPrefs, err := localClient.GetPrefs(ctx)
+		if err != nil {
+			return err
+		}
+
+		wantSSH, haveSSH := maskedPrefs.RunSSH, curPrefs.RunSSH
+		if err := presentSSHToggleRisk(wantSSH, haveSSH, setArgs.acceptedRisks); err != nil {
+			return err
+		}
+	}
+
+	_, err = localClient.EditPrefs(ctx, maskedPrefs)
+	return err
+}

cmd/tailscale/cli/ssh.go

@@ -28,7 +28,23 @@ var sshCmd = &ffcli.Command{
 	Name:       "ssh",
 	ShortUsage: "ssh [user@]<host> [args...]",
 	ShortHelp:  "SSH to a Tailscale machine",
-	Exec:       runSSH,
+	LongHelp: strings.TrimSpace(`
+
+The 'tailscale ssh' command is an optional wrapper around the system 'ssh'
+command that's useful in some cases. Tailscale SSH does not require its use;
+most users running the Tailscale SSH server will prefer to just use the normal
+'ssh' command or their normal SSH client.
+
+The 'tailscale ssh' wrapper adds a few things:
+
+* It resolves the destination server name in its arugments using MagicDNS,
+  even if --accept-dns=false.
+* It works in userspace-networking mode, by supplying a ProxyCommand to the
+  system 'ssh' command that connects via a pipe through tailscaled.
+* It automatically checks the destination server's SSH host key against the
+  node's SSH host key as advertised via the Tailscale coordination server.
+`),
+	Exec: runSSH,
 }
 
 func runSSH(ctx context.Context, args []string) error {

cmd/tailscale/cli/ssh_exec.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build !js && !windows
-// +build !js,!windows
 
 package cli
 

cmd/tailscale/cli/ssh_exec_windows.go

@@ -13,7 +13,7 @@ import (
 
 func findSSH() (string, error) {
 	// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
-	// occured with ssh.exe provided by msys2/cygwin and other environments.
+	// occurred with ssh.exe provided by msys2/cygwin and other environments.
 	if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
 		exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
 		if st, err := os.Stat(exe); err == nil && !st.IsDir() {

cmd/tailscale/cli/ssh_unix.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build !js && !windows
-// +build !js,!windows
 
 package cli
 

cmd/tailscale/cli/up.go

@@ -95,7 +95,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf.StringVar(&upArgs.server, "login-server", ipn.DefaultControlURL, "base URL of control server")
 	upf.BoolVar(&upArgs.acceptRoutes, "accept-routes", acceptRouteDefault(goos), "accept routes advertised by other Tailscale nodes")
 	upf.BoolVar(&upArgs.acceptDNS, "accept-dns", true, "accept DNS configuration from the admin panel")
-	upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "install host routes to other Tailscale nodes")
+	upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "HIDDEN: install host routes to other Tailscale nodes")
 	upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
 	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
 	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
@@ -380,15 +380,8 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 	// Do this after validations to avoid the 5s delay if we're going to error
 	// out anyway.
 	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
-	if wantSSH != haveSSH && isSSHOverTailscale() {
-		if wantSSH {
-			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		} else {
-			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		}
-		if err != nil {
-			return false, nil, err
-		}
+	if err := presentSSHToggleRisk(wantSSH, haveSSH, env.upArgs.acceptedRisks); err != nil {
+		return false, nil, err
 	}
 
 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)
@@ -413,13 +406,23 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 			visitFlags = env.flagSet.VisitAll
 		}
 		visitFlags(func(f *flag.Flag) {
-			updateMaskedPrefsFromUpFlag(justEditMP, f.Name)
+			updateMaskedPrefsFromUpOrSetFlag(justEditMP, f.Name)
 		})
 	}
 
 	return simpleUp, justEditMP, nil
 }
 
+func presentSSHToggleRisk(wantSSH, haveSSH bool, acceptedRisks string) error {
+	if !isSSHOverTailscale() || wantSSH == haveSSH {
+		return nil
+	}
+	if wantSSH {
+		return presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, acceptedRisks)
+	}
+	return presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, acceptedRisks)
+}
+
 func runUp(ctx context.Context, args []string) (retErr error) {
 	var egg bool
 	if len(args) > 0 {
@@ -501,7 +504,7 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		justEditMP.EggSet = true
+		justEditMP.EggSet = egg
 		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}
@@ -632,7 +635,6 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 			return err
 		}
 		opts := ipn.Options{
-			StateKey:    ipn.GlobalDaemonStateKey,
 			AuthKey:     authKey,
 			UpdatePrefs: prefs,
 		}
@@ -645,9 +647,6 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		// StateKey based on the connection identity. So for now, just
 		// do as the Windows GUI's always done:
 		if effectiveGOOS() == "windows" {
-			// The Windows service will set this as needed based
-			// on our connection's identity.
-			opts.StateKey = ""
 			opts.Prefs = prefs
 		}
 
@@ -773,7 +772,7 @@ func preflessFlag(flagName string) bool {
 	return false
 }
 
-func updateMaskedPrefsFromUpFlag(mp *ipn.MaskedPrefs, flagName string) {
+func updateMaskedPrefsFromUpOrSetFlag(mp *ipn.MaskedPrefs, flagName string) {
 	if preflessFlag(flagName) {
 		return
 	}

cmd/tailscale/cli/web.go

@@ -474,8 +474,8 @@ func tailscaleUp(ctx context.Context, prefs *ipn.Prefs, forceReauth bool) (authU
 			authURL = *url
 			cancel()
 		}
-		if !forceReauth && n.Prefs != nil {
-			p1, p2 := *n.Prefs, *prefs
+		if !forceReauth && n.Prefs != nil && n.Prefs.Valid() {
+			p1, p2 := n.Prefs.AsStruct(), *prefs
 			p1.Persist = nil
 			p2.Persist = nil
 			if p1.Equals(&p2) {
@@ -496,9 +496,7 @@ func tailscaleUp(ctx context.Context, prefs *ipn.Prefs, forceReauth bool) (authU
 
 	bc.SetPrefs(prefs)
 
-	bc.Start(ipn.Options{
-		StateKey: ipn.GlobalDaemonStateKey,
-	})
+	bc.Start(ipn.Options{})
 	if forceReauth {
 		bc.StartLoginInteractive()
 	}

cmd/tailscale/depaware.txt

@@ -52,7 +52,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
         tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
         tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
-     💣 tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/metrics                                        from tailscale.com/derp
         tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp+
         tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
         tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
@@ -70,6 +70,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
         tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
+        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
         tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
         tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
         tailscale.com/syncs                                          from tailscale.com/net/netcheck+
@@ -86,7 +87,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/types/netmap                                   from tailscale.com/ipn
         tailscale.com/types/nettype                                  from tailscale.com/net/netcheck+
         tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
-        tailscale.com/types/pad32                                    from tailscale.com/derp
         tailscale.com/types/persist                                  from tailscale.com/ipn
         tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/types/structs                                  from tailscale.com/ipn+
@@ -95,6 +95,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
    W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
+   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
    W    tailscale.com/util/endian                                    from tailscale.com/net/netns
         tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
@@ -135,6 +136,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
    W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
    W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
         golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
         golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+

cmd/tailscaled/debug.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package main
 
@@ -88,6 +87,8 @@ func runMonitor(ctx context.Context, loop bool) error {
 	if err != nil {
 		return err
 	}
+	defer mon.Close()
+
 	mon.RegisterChangeCallback(func(changed bool, st *interfaces.State) {
 		if !changed {
 			log.Printf("Link monitor fired; no change")
@@ -162,7 +163,7 @@ func getURL(ctx context.Context, urlStr string) error {
 	return res.Write(os.Stdout)
 }
 
-func checkDerp(ctx context.Context, derpRegion string) error {
+func checkDerp(ctx context.Context, derpRegion string) (err error) {
 	req, err := http.NewRequestWithContext(ctx, "GET", ipn.DefaultControlURL+"/derpmap/default", nil)
 	if err != nil {
 		return fmt.Errorf("create derp map request: %w", err)
@@ -201,6 +202,12 @@ func checkDerp(ctx context.Context, derpRegion string) error {
 
 	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
 	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
+	defer func() {
+		if err != nil {
+			c1.Close()
+			c2.Close()
+		}
+	}()
 
 	c2.NotePreferred(true) // just to open it
 

cmd/tailscaled/depaware.txt

@@ -109,7 +109,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
         github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
         github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router
+   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router+
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
   LD    github.com/u-root/u-root/pkg/termios                         from tailscale.com/ssh/tailssh
    L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
@@ -190,6 +190,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/derp                                           from tailscale.com/derp/derphttp+
         tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
         tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
+        tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
         tailscale.com/envknob                                        from tailscale.com/control/controlclient+
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
@@ -210,7 +212,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/logtail                                        from tailscale.com/control/controlclient+
         tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
         tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
-     💣 tailscale.com/metrics                                        from tailscale.com/derp+
+        tailscale.com/metrics                                        from tailscale.com/derp+
         tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
         tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
@@ -224,12 +226,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns+
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
-     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
+     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver+
         tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/packet                                     from tailscale.com/net/tstun+
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
+        tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
         tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
         tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
@@ -237,8 +240,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
         tailscale.com/net/tstun                                      from tailscale.com/net/dns+
+        tailscale.com/net/tunstats                                   from tailscale.com/net/tstun
+        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
         tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
-        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
+     💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
         tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
   LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
@@ -257,10 +262,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
         tailscale.com/types/key                                      from tailscale.com/control/controlbase+
         tailscale.com/types/logger                                   from tailscale.com/control/controlclient+
+        tailscale.com/types/netlogtype                               from tailscale.com/net/tstun+
         tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
         tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock+
         tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
-        tailscale.com/types/pad32                                    from tailscale.com/derp
         tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
         tailscale.com/types/preftype                                 from tailscale.com/ipn+
         tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
@@ -270,8 +275,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
   LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
      💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
+   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
   LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
+        tailscale.com/util/goroutines                                from tailscale.com/control/controlclient+
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
@@ -283,7 +290,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
         tailscale.com/util/strs                                      from tailscale.com/hostinfo+
         tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
-        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
+        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
      💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
         tailscale.com/version                                        from tailscale.com/derp+
         tailscale.com/version/distro                                 from tailscale.com/hostinfo+
@@ -292,6 +299,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
      💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
         tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
         tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
@@ -299,7 +307,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine
         tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
    W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
-        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
+        golang.org/x/crypto/acme                                     from tailscale.com/ipn/ipnlocal
         golang.org/x/crypto/argon2                                   from tailscale.com/tka
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
         golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
@@ -317,6 +325,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
         golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/maps                                        from tailscale.com/wgengine
         golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
@@ -338,7 +347,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W    golang.org/x/sys/windows/registry                            from golang.org/x/sys/windows/svc/eventlog+
    W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
    W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled+
         golang.org/x/term                                            from tailscale.com/logpolicy
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
         golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+

cmd/tailscaled/install_darwin.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package main
 
@@ -11,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -83,6 +83,13 @@ func uninstallSystemDaemonDarwin(args []string) (ret error) {
 			ret = err
 		}
 	}
+
+	// Do not delete targetBin if it's a symlink, which happens if it was installed via
+	// Homebrew.
+	if isSymlink(targetBin) {
+		return ret
+	}
+
 	if err := os.Remove(targetBin); err != nil {
 		if os.IsNotExist(err) {
 			err = nil
@@ -107,40 +114,24 @@ func installSystemDaemonDarwin(args []string) (err error) {
 	// Best effort:
 	uninstallSystemDaemonDarwin(nil)
 
-	// Copy ourselves to /usr/local/bin/tailscaled.
-	if err := os.MkdirAll(filepath.Dir(targetBin), 0755); err != nil {
-		return err
-	}
 	exe, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("failed to find our own executable path: %w", err)
 	}
-	tmpBin := targetBin + ".tmp"
-	f, err := os.Create(tmpBin)
+
+	same, err := sameFile(exe, targetBin)
 	if err != nil {
 		return err
 	}
-	self, err := os.Open(exe)
-	if err != nil {
-		f.Close()
-		return err
-	}
-	_, err = io.Copy(f, self)
-	self.Close()
-	if err != nil {
-		f.Close()
-		return err
-	}
-	if err := f.Close(); err != nil {
-		return err
-	}
-	if err := os.Chmod(tmpBin, 0755); err != nil {
-		return err
-	}
-	if err := os.Rename(tmpBin, targetBin); err != nil {
-		return err
-	}
 
+	// Do not overwrite targetBin with the binary file if it it's already
+	// pointing to it. This is primarily to handle Homebrew that writes
+	// /usr/local/bin/tailscaled is a symlink to the actual binary.
+	if !same {
+		if err := copyBinary(exe, targetBin); err != nil {
+			return err
+		}
+	}
 	if err := os.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}
@@ -155,3 +146,55 @@ func installSystemDaemonDarwin(args []string) (err error) {
 
 	return nil
 }
+
+// copyBinary copies binary file `src` into `dst`.
+func copyBinary(src, dst string) error {
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
+		return err
+	}
+	tmpBin := dst + ".tmp"
+	f, err := os.Create(tmpBin)
+	if err != nil {
+		return err
+	}
+	srcf, err := os.Open(src)
+	if err != nil {
+		f.Close()
+		return err
+	}
+	_, err = io.Copy(f, srcf)
+	srcf.Close()
+	if err != nil {
+		f.Close()
+		return err
+	}
+	if err := f.Close(); err != nil {
+		return err
+	}
+	if err := os.Chmod(tmpBin, 0755); err != nil {
+		return err
+	}
+	if err := os.Rename(tmpBin, dst); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func isSymlink(path string) bool {
+	fi, err := os.Lstat(path)
+	return err == nil && (fi.Mode()&os.ModeSymlink == os.ModeSymlink)
+}
+
+// sameFile returns true if both file paths exist and resolve to the same file.
+func sameFile(path1, path2 string) (bool, error) {
+	dst1, err := filepath.EvalSymlinks(path1)
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		return false, fmt.Errorf("EvalSymlinks(%s): %w", path1, err)
+	}
+	dst2, err := filepath.EvalSymlinks(path2)
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		return false, fmt.Errorf("EvalSymlinks(%s): %w", path2, err)
+	}
+	return dst1 == dst2, nil
+}

cmd/tailscaled/install_windows.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package main
 

cmd/tailscaled/proxy.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 // HTTP proxy code
 

cmd/tailscaled/required_version.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build !go1.19
-// +build !go1.19
 
 package main
 

cmd/tailscaled/ssh.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build linux || darwin
-// +build linux darwin
 
 package main
 

cmd/tailscaled/tailscaled.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 // The tailscaled program is the Tailscale client daemon. It's configured
 // and controlled via the tailscale CLI program.
@@ -34,7 +33,7 @@ import (
 	"tailscale.com/cmd/tailscaled/childproc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
-	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/ipn/store"
 	"tailscale.com/logpolicy"
@@ -88,7 +87,7 @@ func defaultTunName() string {
 			// see https://github.com/tailscale/tailscale/issues/391
 			//
 			// But Gokrazy does have the tun module built-in, so users
-			// can stil run --tun=tailscale0 if they wish, if they
+			// can still run --tun=tailscale0 if they wish, if they
 			// arrange for iptables to be present or run in "tailscale
 			// up --netfilter-mode=off" mode, perhaps. Untested.
 			return "userspace-networking"
@@ -158,7 +157,7 @@ func main() {
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
+	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an ephemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
@@ -307,7 +306,6 @@ func ipnServerOpts() (o ipnserver.Options) {
 		fallthrough
 	default:
 		o.SurviveDisconnects = true
-		o.AutostartStateKey = ipn.GlobalDaemonStateKey
 	case "windows":
 		// Not those.
 	}
@@ -375,8 +373,7 @@ func run() error {
 
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)
 
-	dialer := new(tsdial.Dialer) // mutated below (before used)
-	dialer.Logf = logf
+	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)
@@ -454,7 +451,11 @@ func run() error {
 	if err != nil {
 		return fmt.Errorf("store.New: %w", err)
 	}
-	srv, err := ipnserver.New(logf, pol.PublicID.String(), store, e, dialer, nil, opts)
+	pm, err := ipnlocal.NewProfileManager(store, logf, "")
+	if err != nil {
+		return fmt.Errorf("ipnlocal.NewProfileManager: %w", err)
+	}
+	srv, err := ipnserver.New(logf, pol.PublicID.String(), pm, e, dialer, opts)
 	if err != nil {
 		return fmt.Errorf("ipnserver.New: %w", err)
 	}
@@ -565,6 +566,8 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 		}
 		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
+			dev.Close()
+			r.Close()
 			return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 		}
 		conf.DNS = d

cmd/tailscaled/tailscaled_bird.go

@@ -2,9 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.19 && (linux || darwin || freebsd || openbsd)
-// +build go1.19
-// +build linux darwin freebsd openbsd
+//go:build go1.19 && (linux || darwin || freebsd || openbsd) && !ts_omit_bird
 
 package main
 

cmd/tailscaled/tailscaled_notwindows.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build !windows && go1.19
-// +build !windows,go1.19
 
 package main // import "tailscale.com/cmd/tailscaled"
 

cmd/tailscaled/tailscaled_windows.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build go1.19
-// +build go1.19
 
 package main // import "tailscale.com/cmd/tailscaled"
 
@@ -23,6 +22,7 @@ package main // import "tailscale.com/cmd/tailscaled"
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"net/netip"
@@ -192,7 +192,7 @@ func beWindowsSubprocess() bool {
 	}
 	logid := os.Args[2]
 
-	// Remove the date/time prefix; the logtail + file logggers add it.
+	// Remove the date/time prefix; the logtail + file loggers add it.
 	log.SetFlags(0)
 
 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
@@ -265,11 +265,17 @@ func startIPNServer(ctx context.Context, logid string) error {
 	if err != nil {
 		return fmt.Errorf("monitor: %w", err)
 	}
-	dialer := new(tsdial.Dialer)
+	dialer := &tsdial.Dialer{Logf: logf}
 
 	getEngineRaw := func() (wgengine.Engine, *netstack.Impl, error) {
 		dev, devName, err := tstun.New(logf, "Tailscale")
 		if err != nil {
+			if errors.Is(err, windows.ERROR_DEVICE_NOT_AVAILABLE) {
+				// Wintun is not installing correctly. Dump the state of NetSetupSvc
+				// (which is a user-mode service that must be active for network devices
+				// to install) and its dependencies to the log.
+				winutil.LogSvcState(logf, "NetSetupSvc")
+			}
 			return nil, nil, fmt.Errorf("TUN: %w", err)
 		}
 		r, err := router.New(logf, dev, nil)

cmd/tailscaled/with_cli.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build ts_include_cli
-// +build ts_include_cli
 
 package main
 

cmd/tsconnect/README.md

@@ -31,7 +31,7 @@ By default the build output is placed in the `dist/` directory and embedded in t
 
 # Library / NPM Package
 
-The client is also available as an NPM package. To build it, run:
+The client is also available as [an NPM package](https://www.npmjs.com/package/@tailscale/connect). To build it, run:
 
 ```
 ./tool/go run ./cmd/tsconnect build-pkg

cmd/tsconnect/README.pkg.md

@@ -0,0 +1,3 @@
+# @tailscale/connect
+
+NPM package that contains a WebAssembly-based Tailscale client, see [the `cmd/tsconnect` directory in the tailscale repo](https://github.com/tailscale/tailscale/tree/main/cmd/tsconnect#library--npm-package) for more details.

cmd/tsconnect/build-pkg.go

@@ -12,6 +12,7 @@ import (
 	"path"
 
 	"github.com/tailscale/hujson"
+	"tailscale.com/util/precompress"
 	"tailscale.com/version"
 )
 
@@ -26,7 +27,7 @@ func runBuildPkg() {
 		log.Fatalf("Linting failed: %v", err)
 	}
 
-	if err := cleanDir(*pkgDir, "package.json"); err != nil {
+	if err := cleanDir(*pkgDir); err != nil {
 		log.Fatalf("Cannot clean %s: %v", *pkgDir, err)
 	}
 
@@ -37,6 +38,10 @@ func runBuildPkg() {
 
 	runEsbuild(*buildOptions)
 
+	if err := precompressWasm(); err != nil {
+		log.Fatalf("Could not pre-recompress wasm: %v", err)
+	}
+
 	log.Printf("Generating types...\n")
 	if err := runYarn("pkg-types"); err != nil {
 		log.Fatalf("Type generation failed: %v", err)
@@ -46,9 +51,20 @@ func runBuildPkg() {
 		log.Fatalf("Cannot update version: %v", err)
 	}
 
+	if err := copyReadme(); err != nil {
+		log.Fatalf("Cannot copy readme: %v", err)
+	}
+
 	log.Printf("Built package version %s", version.Long)
 }
 
+func precompressWasm() error {
+	log.Printf("Pre-compressing main.wasm...\n")
+	return precompress.Precompress(path.Join(*pkgDir, "main.wasm"), precompress.Options{
+		FastCompression: *fastCompression,
+	})
+}
+
 func updateVersion() error {
 	packageJSONBytes, err := os.ReadFile("package.json.tmpl")
 	if err != nil {
@@ -72,3 +88,11 @@ func updateVersion() error {
 
 	return os.WriteFile(path.Join(*pkgDir, "package.json"), packageJSONBytes, 0644)
 }
+
+func copyReadme() error {
+	readmeBytes, err := os.ReadFile("README.pkg.md")
+	if err != nil {
+		return fmt.Errorf("Could not read README.pkg.md: %w", err)
+	}
+	return os.WriteFile(path.Join(*pkgDir, "README.md"), readmeBytes, 0644)
+}

cmd/tsconnect/build.go

@@ -57,7 +57,7 @@ func runBuild() {
 
 // fixEsbuildMetadataPaths re-keys the esbuild metadata file to use paths
 // relative to the dist directory (it normally uses paths relative to the cwd,
-// which are akward if we're running with a different cwd at serving time).
+// which are awkward if we're running with a different cwd at serving time).
 func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	var metadata EsbuildMetadata
 	if err := json.Unmarshal([]byte(metadataStr), &metadata); err != nil {

cmd/tsconnect/common.go

@@ -187,7 +187,12 @@ func buildWasm(dev bool) ([]byte, error) {
 		return nil, fmt.Errorf("Cannot create main.wasm output file: %w", err)
 	}
 	outputPath := outputFile.Name()
+
 	defer os.Remove(outputPath)
+	// Running defer (*os.File).Close() in defer order before os.Remove
+	// because on some systems like Windows, it is possible for os.Remove
+	// to fail for unclosed files.
+	defer outputFile.Close()
 
 	args := []string{"build", "-tags", "tailscale_go,osusergo,netgo,nethttpomithttp2,omitidna,omitpemdecrypt"}
 	if !dev {
@@ -211,10 +216,41 @@ func buildWasm(dev bool) ([]byte, error) {
 	if err != nil {
 		return nil, fmt.Errorf("Cannot build main.wasm: %w", err)
 	}
-	log.Printf("Built wasm in %v\n", time.Since(start))
+	log.Printf("Built wasm in %v\n", time.Since(start).Round(time.Millisecond))
+
+	if !dev {
+		err := runWasmOpt(outputPath)
+		if err != nil {
+			return nil, fmt.Errorf("Cannot run wasm-opt: %w", err)
+		}
+	}
+
 	return os.ReadFile(outputPath)
 }
 
+func runWasmOpt(path string) error {
+	start := time.Now()
+	stat, err := os.Stat(path)
+	if err != nil {
+		return fmt.Errorf("Cannot stat %v: %w", path, err)
+	}
+	startSize := stat.Size()
+	cmd := exec.Command("../../tool/wasm-opt", "-Oz", path, "-o", path)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err = cmd.Run()
+	if err != nil {
+		return fmt.Errorf("Cannot run wasm-opt: %w", err)
+	}
+	stat, err = os.Stat(path)
+	if err != nil {
+		return fmt.Errorf("Cannot stat %v: %w", path, err)
+	}
+	endSize := stat.Size()
+	log.Printf("Ran wasm-opt in %v, size dropped by %dK\n", time.Since(start).Round(time.Millisecond), (startSize-endSize)/1024)
+	return nil
+}
+
 // installJSDeps installs the JavaScript dependencies specified by package.json
 func installJSDeps() error {
 	log.Printf("Installing JS deps...\n")
@@ -251,7 +287,7 @@ func setupEsbuildTailwind(build esbuild.PluginBuild, dev bool) {
 		}
 		cmd := exec.Command(*yarnPath, yarnArgs...)
 		tailwindOutput, err := cmd.Output()
-		log.Printf("Ran tailwind in %v\n", time.Since(start))
+		log.Printf("Ran tailwind in %v\n", time.Since(start).Round(time.Millisecond))
 		if err != nil {
 			if exitErr, ok := err.(*exec.ExitError); ok {
 				log.Printf("Tailwind stderr: %s", exitErr.Stderr)

cmd/tsconnect/package.json

@@ -10,9 +10,9 @@
     "qrcode": "^1.5.0",
     "tailwindcss": "^3.1.6",
     "typescript": "^4.7.4",
-    "xterm": "5.0.0-beta.58",
-    "xterm-addon-fit": "^0.5.0",
-    "xterm-addon-web-links": "0.7.0-beta.6"
+    "xterm": "^5.0.0",
+    "xterm-addon-fit": "^0.6.0",
+    "xterm-addon-web-links": "^0.7.0"
   },
   "scripts": {
     "lint": "tsc --noEmit",

cmd/tsconnect/package.json.tmpl

@@ -9,7 +9,7 @@
   "author": "Tailscale Inc.",
   "description": "Tailscale Connect SDK",
   "license": "BSD-3-Clause",
-  "name": "tailscale-connect",
+  "name": "@tailscale/connect",
   "type": "module",
   "main": "./pkg.js",
   "types": "./pkg.d.ts",

cmd/tsconnect/src/app/ssh.tsx

@@ -46,7 +46,12 @@ function SSHSession({
   const ref = useRef<HTMLDivElement>(null)
   useEffect(() => {
     if (ref.current) {
-      runSSHSession(ref.current, def, ipn, onDone, (err) => console.error(err))
+      runSSHSession(ref.current, def, ipn, {
+        onConnectionProgress: (p) => console.log("Connection progress", p),
+        onConnected() {},
+        onError: (err) => console.error(err),
+        onDone,
+      })
     }
   }, [ref])
 

cmd/tsconnect/src/lib/ssh.ts

@@ -9,12 +9,18 @@ export type SSHSessionDef = {
   timeoutSeconds?: number
 }
 
+export type SSHSessionCallbacks = {
+  onConnectionProgress: (messsage: string) => void
+  onConnected: () => void
+  onDone: () => void
+  onError?: (err: string) => void
+}
+
 export function runSSHSession(
   termContainerNode: HTMLDivElement,
   def: SSHSessionDef,
   ipn: IPN,
-  onDone: () => void,
-  onError?: (err: string) => void,
+  callbacks: SSHSessionCallbacks,
   terminalOptions?: ITerminalOptions
 ) {
   const parentWindow = termContainerNode.ownerDocument.defaultView ?? window
@@ -42,14 +48,14 @@ export function runSSHSession(
   term.focus()
 
   let resizeObserver: ResizeObserver | undefined
-  let handleBeforeUnload: ((e: BeforeUnloadEvent) => void) | undefined
+  let handleUnload: ((e: Event) => void) | undefined
 
   const sshSession = ipn.ssh(def.hostname, def.username, {
     writeFn(input) {
       term.write(input)
     },
     writeErrorFn(err) {
-      onError?.(err)
+      callbacks.onError?.(err)
       term.write(err)
     },
     setReadFn(hook) {
@@ -57,13 +63,15 @@ export function runSSHSession(
     },
     rows: term.rows,
     cols: term.cols,
+    onConnectionProgress: callbacks.onConnectionProgress,
+    onConnected: callbacks.onConnected,
     onDone() {
       resizeObserver?.disconnect()
       term.dispose()
-      if (handleBeforeUnload) {
-        parentWindow.removeEventListener("beforeunload", handleBeforeUnload)
+      if (handleUnload) {
+        parentWindow.removeEventListener("unload", handleUnload)
       }
-      onDone()
+      callbacks.onDone()
     },
     timeoutSeconds: def.timeoutSeconds,
   })
@@ -75,6 +83,6 @@ export function runSSHSession(
 
   // Close the session if the user closes the window without an explicit
   // exit.
-  handleBeforeUnload = () => sshSession.close()
-  parentWindow.addEventListener("beforeunload", handleBeforeUnload)
+  handleUnload = () => sshSession.close()
+  parentWindow.addEventListener("unload", handleUnload)
 }

cmd/tsconnect/src/pkg/pkg.ts

@@ -15,12 +15,12 @@ import wasmURL from "./main.wasm"
  * needed for the package to function.
  */
 type IPNPackageConfig = IPNConfig & {
-  // Auth key used to intitialize the Tailscale client (required)
+  // Auth key used to initialize the Tailscale client (required)
   authKey: string
   // URL of the main.wasm file that is included in the page, if it is not
   // accessible via a relative URL.
   wasmURL?: string
-  // Funtion invoked if the Go process panics or unexpectedly exits.
+  // Function invoked if the Go process panics or unexpectedly exits.
   panicHandler: (err: string) => void
 }
 

cmd/tsconnect/src/types/wasm_js.d.ts

@@ -25,6 +25,8 @@ declare global {
         cols: number
         /** Defaults to 5 seconds */
         timeoutSeconds?: number
+        onConnectionProgress: (message: string) => void
+        onConnected: () => void
         onDone: () => void
       }
     ): IPNSSHSession

cmd/tsconnect/wasm/wasm_js.go

@@ -96,7 +96,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 	logtail := logtail.NewLogger(c, log.Printf)
 	logf := logtail.Logf
 
-	dialer := new(tsdial.Dialer)
+	dialer := &tsdial.Dialer{Logf: logf}
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
 		Dialer: dialer,
 	})
@@ -124,7 +124,11 @@ func newIPN(jsConfig js.Value) map[string]any {
 		return ns.DialContextTCP(ctx, dst)
 	}
 
-	srv, err := ipnserver.New(logf, lpc.PublicID.String(), store, eng, dialer, nil, ipnserver.Options{
+	pm, err := ipnlocal.NewProfileManager(store, logf, "wasm")
+	if err != nil {
+		log.Fatalf("ipnlocal.NewProfileManager: %v", err)
+	}
+	srv, err := ipnserver.New(logf, lpc.PublicID.String(), pm, eng, dialer, ipnserver.Options{
 		SurviveDisconnects: true,
 		LoginFlags:         controlclient.LoginEphemeral,
 	})
@@ -284,7 +288,6 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 
 	go func() {
 		err := i.lb.Start(ipn.Options{
-			StateKey: "wasm",
 			UpdatePrefs: &ipn.Prefs{
 				ControlURL:       i.controlURL,
 				RouteAll:         false,
@@ -364,15 +367,21 @@ func (s *jsSSHSession) Run() {
 	if jsTimeoutSeconds := s.termConfig.Get("timeoutSeconds"); jsTimeoutSeconds.Type() == js.TypeNumber {
 		timeoutSeconds = jsTimeoutSeconds.Float()
 	}
+	onConnectionProgress := s.termConfig.Get("onConnectionProgress")
+	onConnected := s.termConfig.Get("onConnected")
 	onDone := s.termConfig.Get("onDone")
 	defer onDone.Invoke()
 
 	writeError := func(label string, err error) {
 		writeErrorFn.Invoke(fmt.Sprintf("%s Error: %v\r\n", label, err))
 	}
+	reportProgress := func(message string) {
+		onConnectionProgress.Invoke(message)
+	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeoutSeconds*float64(time.Second)))
 	defer cancel()
+	reportProgress(fmt.Sprintf("Connecting to %s…", strings.Split(s.host, ".")[0]))
 	c, err := s.jsIPN.dialer.UserDial(ctx, "tcp", net.JoinHostPort(s.host, "22"))
 	if err != nil {
 		writeError("Dial", err)
@@ -381,10 +390,16 @@ func (s *jsSSHSession) Run() {
 	defer c.Close()
 
 	config := &ssh.ClientConfig{
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-		User:            s.username,
+		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+			// Host keys are not used with Tailscale SSH, but we can use this
+			// callback to know that the connection has been established.
+			reportProgress("SSH connection established…")
+			return nil
+		},
+		User: s.username,
 	}
 
+	reportProgress("Starting SSH client…")
 	sshConn, _, _, err := ssh.NewClientConn(c, s.host, config)
 	if err != nil {
 		writeError("SSH Connection", err)
@@ -442,6 +457,7 @@ func (s *jsSSHSession) Run() {
 		return
 	}
 
+	onConnected.Invoke()
 	err = session.Wait()
 	if err != nil {
 		writeError("Wait", err)
@@ -450,6 +466,10 @@ func (s *jsSSHSession) Run() {
 }
 
 func (s *jsSSHSession) Close() error {
+	if s.session == nil {
+		// We never had a chance to open the session, ignore the close request.
+		return nil
+	}
 	return s.session.Close()
 }
 

cmd/tsconnect/yarn.lock

@@ -639,20 +639,20 @@ xtend@^4.0.2:
   resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"
   integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==
 
-xterm-addon-fit@^0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.5.0.tgz#2d51b983b786a97dcd6cde805e700c7f913bc596"
-  integrity sha512-DsS9fqhXHacEmsPxBJZvfj2la30Iz9xk+UKjhQgnYNkrUIN5CYLbw7WEfz117c7+S86S/tpHPfvNxJsF5/G8wQ==
+xterm-addon-fit@^0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.6.0.tgz#142e1ce181da48763668332593fc440349c88c34"
+  integrity sha512-9/7A+1KEjkFam0yxTaHfuk9LEvvTSBi0PZmEkzJqgafXPEXL9pCMAVV7rB09sX6ATRDXAdBpQhZkhKj7CGvYeg==
 
-xterm@5.0.0-beta.58:
-  version "5.0.0-beta.58"
-  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0-beta.58.tgz#e3e96ab9fd24d006ec16cc9351a060cc79e67e80"
-  integrity sha512-gjg39oKdgUKful27+7I1hvSK51lu/LRhdimFhfZyMvdk0iATH0FAfzv1eAvBKWY2UBgYUfxhicTkanYioANdMw==
+xterm-addon-web-links@^0.7.0:
+  version "0.7.0"
+  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0.tgz#dceac36170605f9db10a01d716bd83ee38f65c17"
+  integrity sha512-6PqoqzzPwaeSq22skzbvyboDvSnYk5teUYEoKBwMYvhbkwOQkemZccjWHT5FnNA8o1aInTc4PRYAl4jjPucCKA==
 
-xterm-addon-web-links@0.7.0-beta.6:
-  version "0.7.0-beta.6"
-  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0-beta.6.tgz#ec63b681b4f0f0135fa039f53664f65fe9d9f43a"
-  integrity sha512-nD/r/GchGTN4c9gAIVLWVoxExTzAUV7E9xZnwsvhuwI4CEE6yqO15ns8g2hdcUrsPyCbNEw05mIrkF6W5Yj8qA==
+xterm@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0.tgz#0af50509b33d0dc62fde7a4ec17750b8e453cc5c"
+  integrity sha512-tmVsKzZovAYNDIaUinfz+VDclraQpPUnAME+JawosgWRMphInDded/PuY0xmU5dOhyeYZsI0nz5yd8dPYsdLTA==
 
 y18n@^4.0.0:
   version "4.0.3"

cmd/tsshd/tsshd.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build ignore
-// +build ignore
 
 // The tsshd binary was an experimental SSH server that accepts connections
 // from anybody on the same Tailscale network.

cmd/viewer/viewer.go

@@ -388,7 +388,7 @@ func main() {
 		log.Fatal(err)
 	}
 	if runCloner {
-		// When a new pacakge is added or when existing generated files have
+		// When a new package is added or when existing generated files have
 		// been deleted, we might run into a case where tailscale.com/cmd/cloner
 		// has not run yet. We detect this by verifying that all the structs we
 		// interacted with have had Clone method already generated. If they

control/controlclient/auto.go

@@ -88,11 +88,17 @@ func New(opts Options) (*Auto, error) {
 }
 
 // NewNoStart creates a new Auto, but without calling Start on it.
-func NewNoStart(opts Options) (*Auto, error) {
+func NewNoStart(opts Options) (_ *Auto, err error) {
 	direct, err := NewDirect(opts)
 	if err != nil {
 		return nil, err
 	}
+	defer func() {
+		if err != nil {
+			direct.Close()
+		}
+	}()
+
 	if opts.Status == nil {
 		return nil, errors.New("missing required Options.Status")
 	}
@@ -555,6 +561,11 @@ func (c *Auto) SetNetInfo(ni *tailcfg.NetInfo) {
 	c.sendNewMapRequest()
 }
 
+// SetTKAHead updates the TKA head hash that map-request infrastructure sends.
+func (c *Auto) SetTKAHead(headHash string) {
+	c.direct.SetTKAHead(headHash)
+}
+
 func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkMap) {
 	c.mu.Lock()
 	if c.closed {
@@ -579,7 +590,7 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	}
 	if nm != nil && loggedIn && synced {
 		pp := c.direct.GetPersist()
-		p = &pp
+		p = pp.AsStruct()
 	} else {
 		// don't send netmap status, as it's misleading when we're
 		// not logged in.
@@ -697,7 +708,7 @@ func (c *Auto) Shutdown() {
 // used exclusively in tests.
 func (c *Auto) TestOnlyNodePublicKey() key.NodePublic {
 	priv := c.direct.GetPersist()
-	return priv.PrivateNodeKey.Public()
+	return priv.PrivateNodeKey().Public()
 }
 
 func (c *Auto) TestOnlySetAuthKey(authkey string) {
@@ -719,3 +730,13 @@ func (c *Auto) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
 func (c *Auto) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	return c.direct.DoNoiseRequest(req)
 }
+
+// GetSingleUseNoiseRoundTripper returns a RoundTripper that can be only be used
+// once (and must be used once) to make a single HTTP request over the noise
+// channel to the coordination server.
+//
+// In addition to the RoundTripper, it returns the HTTP/2 channel's early noise
+// payload, if any.
+func (c *Auto) GetSingleUseNoiseRoundTripper(ctx context.Context) (http.RoundTripper, *tailcfg.EarlyNoise, error) {
+	return c.direct.GetSingleUseNoiseRoundTripper(ctx)
+}

control/controlclient/client.go

@@ -65,6 +65,9 @@ type Client interface {
 	// in a separate http request. It has nothing to do with the rest of
 	// the state machine.
 	SetNetInfo(*tailcfg.NetInfo)
+	// SetTKAHead changes the TKA head hash value that will be sent in
+	// subsequent netmap requests.
+	SetTKAHead(headHash string)
 	// UpdateEndpoints changes the Endpoint structure that will be sent
 	// in subsequent node registration requests.
 	// TODO: a server-side change would let us simply upload this

control/controlclient/debug.go

@@ -8,12 +8,11 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
-	"fmt"
 	"log"
 	"net/http"
-	"runtime"
-	"strconv"
 	"time"
+
+	"tailscale.com/util/goroutines"
 )
 
 func dumpGoroutinesToURL(c *http.Client, targetURL string) {
@@ -22,7 +21,7 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {
 
 	zbuf := new(bytes.Buffer)
 	zw := gzip.NewWriter(zbuf)
-	zw.Write(scrubbedGoroutineDump())
+	zw.Write(goroutines.ScrubbedGoroutineDump())
 	zw.Close()
 
 	req, err := http.NewRequestWithContext(ctx, "PUT", targetURL, zbuf)
@@ -40,83 +39,3 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {
 		log.Printf("dumpGoroutinesToURL complete to %v (after %v)", targetURL, d)
 	}
 }
-
-// scrubbedGoroutineDump returns the list of all current goroutines, but with the actual
-// values of arguments scrubbed out, lest it contain some private key material.
-func scrubbedGoroutineDump() []byte {
-	var buf []byte
-	// Grab stacks multiple times into increasingly larger buffer sizes
-	// to minimize the risk that we blow past our iOS memory limit.
-	for size := 1 << 10; size <= 1<<20; size += 1 << 10 {
-		buf = make([]byte, size)
-		buf = buf[:runtime.Stack(buf, true)]
-		if len(buf) < size {
-			// It fit.
-			break
-		}
-	}
-	return scrubHex(buf)
-}
-
-func scrubHex(buf []byte) []byte {
-	saw := map[string][]byte{} // "0x123" => "v1%3" (unique value 1 and its value mod 8)
-
-	foreachHexAddress(buf, func(in []byte) {
-		if string(in) == "0x0" {
-			return
-		}
-		if v, ok := saw[string(in)]; ok {
-			for i := range in {
-				in[i] = '_'
-			}
-			copy(in, v)
-			return
-		}
-		inStr := string(in)
-		u64, err := strconv.ParseUint(string(in[2:]), 16, 64)
-		for i := range in {
-			in[i] = '_'
-		}
-		if err != nil {
-			in[0] = '?'
-			return
-		}
-		v := []byte(fmt.Sprintf("v%d%%%d", len(saw)+1, u64%8))
-		saw[inStr] = v
-		copy(in, v)
-	})
-	return buf
-}
-
-var ohx = []byte("0x")
-
-// foreachHexAddress calls f with each subslice of b that matches
-// regexp `0x[0-9a-f]*`.
-func foreachHexAddress(b []byte, f func([]byte)) {
-	for len(b) > 0 {
-		i := bytes.Index(b, ohx)
-		if i == -1 {
-			return
-		}
-		b = b[i:]
-		hx := hexPrefix(b)
-		f(hx)
-		b = b[len(hx):]
-	}
-}
-
-func hexPrefix(b []byte) []byte {
-	for i, c := range b {
-		if i < 2 {
-			continue
-		}
-		if !isHexByte(c) {
-			return b[:i]
-		}
-	}
-	return b
-}
-
-func isHexByte(b byte) bool {
-	return '0' <= b && b <= '9' || 'a' <= b && b <= 'f' || 'A' <= b && b <= 'F'
-}

control/controlclient/direct.go

@@ -43,11 +43,13 @@ import (
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tka"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
+	"tailscale.com/types/tkatype"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/multierr"
 	"tailscale.com/util/singleflight"
@@ -68,7 +70,7 @@ type Direct struct {
 	linkMon                *monitor.Mon // or nil
 	discoPubKey            key.DiscoPublic
 	getMachinePrivKey      func() (key.MachinePrivate, error)
-	getNLPublicKey         func() (key.NLPublic, error) // or nil
+	getNLPrivateKey        func() (key.NLPrivate, error) // or nil
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
@@ -82,8 +84,8 @@ type Direct struct {
 	serverKey      key.MachinePublic // original ("legacy") nacl crypto_box-based public key
 	serverNoiseKey key.MachinePublic
 
-	sfGroup     singleflight.Group[struct{}, *noiseClient] // protects noiseClient creation.
-	noiseClient *noiseClient
+	sfGroup     singleflight.Group[struct{}, *NoiseClient] // protects noiseClient creation.
+	noiseClient *NoiseClient
 
 	persist       persist.Persist
 	authKey       string
@@ -92,6 +94,7 @@ type Direct struct {
 	hostinfo      *tailcfg.Hostinfo // always non-nil
 	netinfo       *tailcfg.NetInfo
 	endpoints     []tailcfg.Endpoint
+	tkaHead       string
 	everEndpoints bool   // whether we've ever had non-empty endpoints
 	lastPingURL   string // last PingRequest.URL received, for dup suppression
 }
@@ -115,9 +118,9 @@ type Options struct {
 	Dialer               *tsdial.Dialer   // non-nil
 	C2NHandler           http.Handler     // or nil
 
-	// GetNLPublicKey specifies an optional function to use
+	// GetNLPrivateKey specifies an optional function to use
 	// Network Lock. If nil, it's not used.
-	GetNLPublicKey func() (key.NLPublic, error)
+	GetNLPrivateKey func() (key.NLPrivate, error)
 
 	// Status is called when there's a change in status.
 	Status func(Status)
@@ -229,7 +232,7 @@ func NewDirect(opts Options) (*Direct, error) {
 	c := &Direct{
 		httpc:                  httpc,
 		getMachinePrivKey:      opts.GetMachinePrivateKey,
-		getNLPublicKey:         opts.GetNLPublicKey,
+		getNLPrivateKey:        opts.GetNLPrivateKey,
 		serverURL:              opts.ServerURL,
 		timeNow:                opts.TimeNow,
 		logf:                   opts.Logf,
@@ -259,7 +262,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		}
 	}
 	if opts.NoiseTestClient != nil {
-		c.noiseClient = &noiseClient{
+		c.noiseClient = &NoiseClient{
 			Client: opts.NoiseTestClient,
 		}
 		c.serverNoiseKey = key.NewMachine().Public() // prevent early error before hitting test client
@@ -315,16 +318,31 @@ func (c *Direct) SetNetInfo(ni *tailcfg.NetInfo) bool {
 	return true
 }
 
-func (c *Direct) GetPersist() persist.Persist {
+// SetNetInfo stores a new TKA head value for next update.
+// It reports whether the TKA head changed.
+func (c *Direct) SetTKAHead(tkaHead string) bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	return c.persist
+
+	if tkaHead == c.tkaHead {
+		return false
+	}
+
+	c.tkaHead = tkaHead
+	c.logf("tkaHead: %v", tkaHead)
+	return true
+}
+
+func (c *Direct) GetPersist() persist.PersistView {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.persist.View()
 }
 
 func (c *Direct) TryLogout(ctx context.Context) error {
 	c.logf("[v1] direct.TryLogout()")
 
-	mustRegen, newURL, err := c.doLogin(ctx, loginOpt{Logout: true})
+	mustRegen, newURL, _, err := c.doLogin(ctx, loginOpt{Logout: true})
 	c.logf("[v1] TryLogout control response: mustRegen=%v, newURL=%v, err=%v", mustRegen, newURL, err)
 
 	c.mu.Lock()
@@ -348,13 +366,14 @@ func (c *Direct) WaitLoginURL(ctx context.Context, url string) (newURL string, e
 }
 
 func (c *Direct) doLoginOrRegen(ctx context.Context, opt loginOpt) (newURL string, err error) {
-	mustRegen, url, err := c.doLogin(ctx, opt)
+	mustRegen, url, oldNodeKeySignature, err := c.doLogin(ctx, opt)
 	if err != nil {
 		return url, err
 	}
 	if mustRegen {
 		opt.Regen = true
-		_, url, err = c.doLogin(ctx, opt)
+		opt.OldNodeKeySignature = oldNodeKeySignature
+		_, url, _, err = c.doLogin(ctx, opt)
 	}
 	return url, err
 }
@@ -380,6 +399,10 @@ type loginOpt struct {
 	// It is ignored if Logout is set since Logout works by setting a
 	// expiry time in the far past.
 	Expiry *time.Time
+
+	// OldNodeKeySignature indicates the former NodeKeySignature
+	// that must be resigned for the new node-key.
+	OldNodeKeySignature tkatype.MarshaledSignature
 }
 
 // httpClient provides a common interface for the noiseClient and
@@ -396,7 +419,7 @@ func (c *Direct) hostInfoLocked() *tailcfg.Hostinfo {
 	return hi
 }
 
-func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
+func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, nks tkatype.MarshaledSignature, err error) {
 	c.mu.Lock()
 	persist := c.persist
 	tryingNewKey := c.tryingNewKey
@@ -410,10 +433,10 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 
 	machinePrivKey, err := c.getMachinePrivKey()
 	if err != nil {
-		return false, "", fmt.Errorf("getMachinePrivKey: %w", err)
+		return false, "", nil, fmt.Errorf("getMachinePrivKey: %w", err)
 	}
 	if machinePrivKey.IsZero() {
-		return false, "", errors.New("getMachinePrivKey returned zero key")
+		return false, "", nil, errors.New("getMachinePrivKey returned zero key")
 	}
 
 	regen := opt.Regen
@@ -435,7 +458,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	if serverKey.IsZero() {
 		keys, err := loadServerPubKeys(ctx, c.httpc, c.serverURL)
 		if err != nil {
-			return regen, opt.URL, err
+			return regen, opt.URL, nil, err
 		}
 		c.logf("control server key from %s: ts2021=%s, legacy=%v", c.serverURL, keys.PublicKey.ShortString(), keys.LegacyPublicKey.ShortString())
 
@@ -472,43 +495,53 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		oldNodeKey = persist.OldPrivateNodeKey.Public()
 	}
 
-	var nlPub key.NLPublic
-	if c.getNLPublicKey != nil {
-		nlPub, err = c.getNLPublicKey()
-		if err != nil {
-			return false, "", fmt.Errorf("get nl key: %v", err)
-		}
-	}
-
 	if tryingNewKey.IsZero() {
 		if opt.Logout {
-			return false, "", errors.New("no nodekey to log out")
+			return false, "", nil, errors.New("no nodekey to log out")
 		}
 		log.Fatalf("tryingNewKey is empty, give up")
 	}
+
+	var nlPub key.NLPublic
+	var nodeKeySignature tkatype.MarshaledSignature
+	if c.getNLPrivateKey != nil {
+		priv, err := c.getNLPrivateKey()
+		if err != nil {
+			return false, "", nil, fmt.Errorf("get nl key: %v", err)
+		}
+		nlPub = priv.Public()
+
+		if !oldNodeKey.IsZero() && opt.OldNodeKeySignature != nil {
+			if nodeKeySignature, err = resignNKS(priv, tryingNewKey.Public(), opt.OldNodeKeySignature); err != nil {
+				c.logf("Failed re-signing node-key signature: %v", err)
+			}
+		}
+	}
+
 	if backendLogID == "" {
 		err = errors.New("hostinfo: BackendLogID missing")
-		return regen, opt.URL, err
+		return regen, opt.URL, nil, err
 	}
 	now := time.Now().Round(time.Second)
 	request := tailcfg.RegisterRequest{
-		Version:    1,
-		OldNodeKey: oldNodeKey,
-		NodeKey:    tryingNewKey.Public(),
-		NLKey:      nlPub,
-		Hostinfo:   hi,
-		Followup:   opt.URL,
-		Timestamp:  &now,
-		Ephemeral:  (opt.Flags & LoginEphemeral) != 0,
+		Version:          1,
+		OldNodeKey:       oldNodeKey,
+		NodeKey:          tryingNewKey.Public(),
+		NLKey:            nlPub,
+		Hostinfo:         hi,
+		Followup:         opt.URL,
+		Timestamp:        &now,
+		Ephemeral:        (opt.Flags & LoginEphemeral) != 0,
+		NodeKeySignature: nodeKeySignature,
 	}
 	if opt.Logout {
 		request.Expiry = time.Unix(123, 0) // far in the past
 	} else if opt.Expiry != nil {
 		request.Expiry = *opt.Expiry
 	}
-	c.logf("RegisterReq: onode=%v node=%v fup=%v",
+	c.logf("RegisterReq: onode=%v node=%v fup=%v nks=%v",
 		request.OldNodeKey.ShortString(),
-		request.NodeKey.ShortString(), opt.URL != "")
+		request.NodeKey.ShortString(), opt.URL != "", len(nodeKeySignature) > 0)
 	request.Auth.Oauth2Token = opt.Token
 	request.Auth.Provider = persist.Provider
 	request.Auth.LoginName = persist.LoginName
@@ -542,33 +575,33 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		request.Version = tailcfg.CurrentCapabilityVersion
 		httpc, err = c.getNoiseClient()
 		if err != nil {
-			return regen, opt.URL, fmt.Errorf("getNoiseClient: %w", err)
+			return regen, opt.URL, nil, fmt.Errorf("getNoiseClient: %w", err)
 		}
 		url = fmt.Sprintf("%s/machine/register", c.serverURL)
 		url = strings.Replace(url, "http:", "https:", 1)
 	}
 	bodyData, err := encode(request, serverKey, serverNoiseKey, machinePrivKey)
 	if err != nil {
-		return regen, opt.URL, err
+		return regen, opt.URL, nil, err
 	}
 	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyData))
 	if err != nil {
-		return regen, opt.URL, err
+		return regen, opt.URL, nil, err
 	}
 	res, err := httpc.Do(req)
 	if err != nil {
-		return regen, opt.URL, fmt.Errorf("register request: %w", err)
+		return regen, opt.URL, nil, fmt.Errorf("register request: %w", err)
 	}
 	if res.StatusCode != 200 {
 		msg, _ := io.ReadAll(res.Body)
 		res.Body.Close()
-		return regen, opt.URL, fmt.Errorf("register request: http %d: %.200s",
+		return regen, opt.URL, nil, fmt.Errorf("register request: http %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
 	}
 	resp := tailcfg.RegisterResponse{}
 	if err := decode(res, &resp, serverKey, serverNoiseKey, machinePrivKey); err != nil {
 		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
-		return regen, opt.URL, fmt.Errorf("register request: %v", err)
+		return regen, opt.URL, nil, fmt.Errorf("register request: %v", err)
 	}
 	if debugRegister() {
 		j, _ := json.MarshalIndent(resp, "", "\t")
@@ -580,15 +613,19 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		resp.NodeKeyExpired, resp.MachineAuthorized, resp.AuthURL != "")
 
 	if resp.Error != "" {
-		return false, "", UserVisibleError(resp.Error)
+		return false, "", nil, UserVisibleError(resp.Error)
 	}
+	if len(resp.NodeKeySignature) > 0 {
+		return true, "", resp.NodeKeySignature, nil
+	}
+
 	if resp.NodeKeyExpired {
 		if regen {
-			return true, "", fmt.Errorf("weird: regen=true but server says NodeKeyExpired: %v", request.NodeKey)
+			return true, "", nil, fmt.Errorf("weird: regen=true but server says NodeKeyExpired: %v", request.NodeKey)
 		}
 		c.logf("server reports new node key %v has expired",
 			request.NodeKey.ShortString())
-		return true, "", nil
+		return true, "", nil, nil
 	}
 	if resp.Login.Provider != "" {
 		persist.Provider = resp.Login.Provider
@@ -621,12 +658,51 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	c.mu.Unlock()
 
 	if err != nil {
-		return regen, "", err
+		return regen, "", nil, err
 	}
 	if ctx.Err() != nil {
-		return regen, "", ctx.Err()
+		return regen, "", nil, ctx.Err()
 	}
-	return false, resp.AuthURL, nil
+	return false, resp.AuthURL, nil, nil
+}
+
+// resignNKS re-signs a node-key signature for a new node-key.
+//
+// This only matters on network-locked tailnets, because node-key signatures are
+// how other nodes know that a node-key is authentic. When the node-key is
+// rotated then the existing signature becomes invalid, so this function is
+// responsible for generating a new wrapping signature to certify the new node-key.
+//
+// The signature itself is a SigRotation signature, which embeds the old signature
+// and certifies the new node-key as a replacement for the old by signing the new
+// signature with RotationPubkey (which is the node's own network-lock key).
+func resignNKS(priv key.NLPrivate, nodeKey key.NodePublic, oldNKS tkatype.MarshaledSignature) (tkatype.MarshaledSignature, error) {
+	var oldSig tka.NodeKeySignature
+	if err := oldSig.Unserialize(oldNKS); err != nil {
+		return nil, fmt.Errorf("decoding NKS: %w", err)
+	}
+
+	nk, err := nodeKey.MarshalBinary()
+	if err != nil {
+		return nil, fmt.Errorf("marshalling node-key: %w", err)
+	}
+
+	if bytes.Equal(nk, oldSig.Pubkey) {
+		// The old signature is valid for the node-key we are using, so just
+		// use it verbatim.
+		return oldNKS, nil
+	}
+
+	newSig := tka.NodeKeySignature{
+		SigKind: tka.SigRotation,
+		Pubkey:  nk,
+		Nested:  &oldSig,
+	}
+	if newSig.Signature, err = priv.SignNKS(newSig.SigHash()); err != nil {
+		return nil, fmt.Errorf("signing NKS: %w", err)
+	}
+
+	return newSig.Serialize(), nil
 }
 
 func sameEndpoints(a, b []tailcfg.Endpoint) bool {
@@ -761,7 +837,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	request := &tailcfg.MapRequest{
 		Version:       tailcfg.CurrentCapabilityVersion,
 		KeepAlive:     c.keepAlive,
-		NodeKey:       persist.PrivateNodeKey.Public(),
+		NodeKey:       persist.PublicNodeKey(),
 		DiscoKey:      c.discoPubKey,
 		Endpoints:     epStrs,
 		EndpointTypes: epTypes,
@@ -769,6 +845,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		Hostinfo:      hi,
 		DebugFlags:    c.debugFlags,
 		OmitPeers:     cb == nil,
+		TKAHead:       c.tkaHead,
 
 		// On initial startup before we know our endpoints, set the ReadOnly flag
 		// to tell the control server not to distribute out our (empty) endpoints to peers.
@@ -776,7 +853,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		// with useful results. The first POST just gets us the DERP map which we
 		// need to do the STUN queries to discover our endpoints.
 		// TODO(bradfitz): we skip this optimization in tests, though,
-		// because the e2e tests are currently hyperspecific about the
+		// because the e2e tests are currently hyper-specific about the
 		// ordering of things. The e2e tests need love.
 		ReadOnly: readOnly || (len(epStrs) == 0 && !everEndpoints && !inTest()),
 	}
@@ -1393,7 +1470,7 @@ func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<-
 }
 
 // getNoiseClient returns the noise client, creating one if one doesn't exist.
-func (c *Direct) getNoiseClient() (*noiseClient, error) {
+func (c *Direct) getNoiseClient() (*NoiseClient, error) {
 	c.mu.Lock()
 	serverNoiseKey := c.serverNoiseKey
 	nc := c.noiseClient
@@ -1408,13 +1485,13 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 	if c.dialPlan != nil {
 		dp = c.dialPlan.Load
 	}
-	nc, err, _ := c.sfGroup.Do(struct{}{}, func() (*noiseClient, error) {
+	nc, err, _ := c.sfGroup.Do(struct{}{}, func() (*NoiseClient, error) {
 		k, err := c.getMachinePrivKey()
 		if err != nil {
 			return nil, err
 		}
 		c.logf("creating new noise client")
-		nc, err := newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer, dp)
+		nc, err := NewNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer, dp)
 		if err != nil {
 			return nil, err
 		}
@@ -1438,7 +1515,7 @@ func (c *Direct) setDNSNoise(ctx context.Context, req *tailcfg.SetDNSRequest) er
 	if err != nil {
 		return err
 	}
-	res, err := nc.post(ctx, "/machine/set-dns", req)
+	res, err := nc.post(ctx, "/machine/set-dns", &newReq)
 	if err != nil {
 		return err
 	}
@@ -1530,6 +1607,20 @@ func (c *Direct) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	return nc.Do(req)
 }
 
+// GetSingleUseNoiseRoundTripper returns a RoundTripper that can be only be used
+// once (and must be used once) to make a single HTTP request over the noise
+// channel to the coordination server.
+//
+// In addition to the RoundTripper, it returns the HTTP/2 channel's early noise
+// payload, if any.
+func (c *Direct) GetSingleUseNoiseRoundTripper(ctx context.Context) (http.RoundTripper, *tailcfg.EarlyNoise, error) {
+	nc, err := c.getNoiseClient()
+	if err != nil {
+		return nil, nil, err
+	}
+	return nc.GetSingleUseRoundTripper(ctx)
+}
+
 // doPingerPing sends a Ping to pr.IP using pinger, and sends an http request back to
 // pr.URL with ping response data.
 func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger, pingType tailcfg.PingType) {

control/controlclient/map.go

@@ -35,7 +35,7 @@ type mapSession struct {
 	machinePubKey          key.MachinePublic
 	keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit
 
-	// Fields storing state over the the coards of multiple MapResponses.
+	// Fields storing state over the course of multiple MapResponses.
 	lastNode               *tailcfg.Node
 	lastDNSConfig          *tailcfg.DNSConfig
 	lastDERPMap            *tailcfg.DERPMap
@@ -45,6 +45,7 @@ type mapSession struct {
 	collectServices        bool
 	previousPeers          []*tailcfg.Node // for delta-purposes
 	lastDomain             string
+	lastDomainAuditLogID   string
 	lastHealth             []string
 	lastPopBrowserURL      string
 	stickyDebug            tailcfg.Debug // accumulated opt.Bool values
@@ -113,6 +114,9 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	if resp.Domain != "" {
 		ms.lastDomain = resp.Domain
 	}
+	if resp.DomainDataPlaneAuditLogID != "" {
+		ms.lastDomainAuditLogID = resp.DomainDataPlaneAuditLogID
+	}
 	if resp.Health != nil {
 		ms.lastHealth = resp.Health
 	}
@@ -143,20 +147,21 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	}
 
 	nm := &netmap.NetworkMap{
-		NodeKey:         ms.privateNodeKey.Public(),
-		PrivateKey:      ms.privateNodeKey,
-		MachineKey:      ms.machinePubKey,
-		Peers:           resp.Peers,
-		UserProfiles:    make(map[tailcfg.UserID]tailcfg.UserProfile),
-		Domain:          ms.lastDomain,
-		DNS:             *ms.lastDNSConfig,
-		PacketFilter:    ms.lastParsedPacketFilter,
-		SSHPolicy:       ms.lastSSHPolicy,
-		CollectServices: ms.collectServices,
-		DERPMap:         ms.lastDERPMap,
-		Debug:           debug,
-		ControlHealth:   ms.lastHealth,
-		TKAEnabled:      ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
+		NodeKey:          ms.privateNodeKey.Public(),
+		PrivateKey:       ms.privateNodeKey,
+		MachineKey:       ms.machinePubKey,
+		Peers:            resp.Peers,
+		UserProfiles:     make(map[tailcfg.UserID]tailcfg.UserProfile),
+		Domain:           ms.lastDomain,
+		DomainAuditLogID: ms.lastDomainAuditLogID,
+		DNS:              *ms.lastDNSConfig,
+		PacketFilter:     ms.lastParsedPacketFilter,
+		SSHPolicy:        ms.lastSSHPolicy,
+		CollectServices:  ms.collectServices,
+		DERPMap:          ms.lastDERPMap,
+		Debug:            debug,
+		ControlHealth:    ms.lastHealth,
+		TKAEnabled:       ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
 	}
 	ms.netMapBuilding = nm
 

control/controlclient/map_test.go

@@ -466,7 +466,7 @@ func TestNetmapForResponse(t *testing.T) {
 	})
 }
 
-// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResposnes
+// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResponses
 // entirely or have their opt.Bool values unspecified between MapResponses in a
 // session and that should mean no change. (as of capver 37). But two Debug
 // fields existed prior to capver 37 that weren't opt.Bool; we test that we both

control/controlclient/noise.go

@@ -7,10 +7,11 @@ package controlclient
 import (
 	"bytes"
 	"context"
-	"crypto/tls"
+	"encoding/binary"
 	"encoding/json"
+	"errors"
+	"io"
 	"math"
-	"net"
 	"net/http"
 	"net/url"
 	"sync"
@@ -24,6 +25,7 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
+	"tailscale.com/util/singleflight"
 )
 
 // noiseConn is a wrapper around controlbase.Conn.
@@ -33,7 +35,96 @@ import (
 type noiseConn struct {
 	*controlbase.Conn
 	id   int
-	pool *noiseClient
+	pool *NoiseClient
+	h2cc *http2.ClientConn
+
+	readHeaderOnce    sync.Once     // guards init of reader field
+	reader            io.Reader     // (effectively Conn.Reader after header)
+	earlyPayloadReady chan struct{} // closed after earlyPayload is set (including set to nil)
+	earlyPayload      *tailcfg.EarlyNoise
+	earlyPayloadErr   error
+}
+
+func (c *noiseConn) RoundTrip(r *http.Request) (*http.Response, error) {
+	return c.h2cc.RoundTrip(r)
+}
+
+// getEarlyPayload waits for the early noise payload to arrive.
+// It may return (nil, nil) if the server begins HTTP/2 without one.
+func (c *noiseConn) getEarlyPayload(ctx context.Context) (*tailcfg.EarlyNoise, error) {
+	select {
+	case <-c.earlyPayloadReady:
+		return c.earlyPayload, c.earlyPayloadErr
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	}
+}
+
+// The first 9 bytes from the server to client over Noise are either an HTTP/2
+// settings frame (a normal HTTP/2 setup) or, as we added later, an "early payload"
+// header that's also 9 bytes long: 5 bytes (earlyPayloadMagic) followed by 4 bytes
+// of length. Then that many bytes of JSON-encoded tailcfg.EarlyNoise.
+// The early payload is optional. Some servers may not send it.
+const (
+	hdrLen            = 9 // http2 frame header size; also size of our early payload size header
+	earlyPayloadMagic = "\xff\xff\xffTS"
+)
+
+// returnErrReader is an io.Reader that always returns an error.
+type returnErrReader struct {
+	err error // the error to return
+}
+
+func (r returnErrReader) Read([]byte) (int, error) { return 0, r.err }
+
+// Read is basically the same as controlbase.Conn.Read, but it first reads the
+// "early payload" header from the server which may or may not be present,
+// depending on the server.
+func (c *noiseConn) Read(p []byte) (n int, err error) {
+	c.readHeaderOnce.Do(c.readHeader)
+	return c.reader.Read(p)
+}
+
+// readHeader reads the optional "early payload" from the server that arrives
+// after the Noise handshake but before the HTTP/2 session begins.
+//
+// readHeader is responsible for reading the header (if present), initializing
+// c.earlyPayload, closing c.earlyPayloadReady, and initializing c.reader for
+// future reads.
+func (c *noiseConn) readHeader() {
+	defer close(c.earlyPayloadReady)
+
+	setErr := func(err error) {
+		c.reader = returnErrReader{err}
+		c.earlyPayloadErr = err
+	}
+
+	var hdr [hdrLen]byte
+	if _, err := io.ReadFull(c.Conn, hdr[:]); err != nil {
+		setErr(err)
+		return
+	}
+	if string(hdr[:len(earlyPayloadMagic)]) != earlyPayloadMagic {
+		// No early payload. We have to return the 9 bytes read we already
+		// consumed.
+		c.reader = io.MultiReader(bytes.NewReader(hdr[:]), c.Conn)
+		return
+	}
+	epLen := binary.BigEndian.Uint32(hdr[len(earlyPayloadMagic):])
+	if epLen > 10<<20 {
+		setErr(errors.New("invalid early payload length"))
+		return
+	}
+	payBuf := make([]byte, epLen)
+	if _, err := io.ReadFull(c.Conn, payBuf); err != nil {
+		setErr(err)
+		return
+	}
+	if err := json.Unmarshal(payBuf, &c.earlyPayload); err != nil {
+		setErr(err)
+		return
+	}
+	c.reader = c.Conn
 }
 
 func (c *noiseConn) Close() error {
@@ -44,10 +135,27 @@ func (c *noiseConn) Close() error {
 	return nil
 }
 
-// noiseClient provides a http.Client to connect to tailcontrol over
+// NoiseClient provides a http.Client to connect to tailcontrol over
 // the ts2021 protocol.
-type noiseClient struct {
-	*http.Client // HTTP client used to talk to tailcontrol
+type NoiseClient struct {
+	// Client is an HTTP client to talk to the coordination server.
+	// It automatically makes a new Noise connection as needed.
+	// It does not support node key proofs. To do that, call
+	// noiseClient.getConn instead to make a connection.
+	*http.Client
+
+	// h2t is the HTTP/2 transport we use a bit to create new
+	// *http2.ClientConns. We don't use its connection pool and we don't use its
+	// dialing. We use it for exactly one reason: its idle timeout that can only
+	// be configured via the HTTP/1 config. And then we call NewClientConn (with
+	// an existing Noise connection) on the http2.Transport which sets up an
+	// http2.ClientConn using that idle timeout from an http1.Transport.
+	h2t *http2.Transport
+
+	// sfDial ensures that two concurrent requests for a noise connection only
+	// produce one shared one between the two callers.
+	sfDial singleflight.Group[struct{}, *noiseConn]
+
 	dialer       *tsdial.Dialer
 	privKey      key.MachinePrivate
 	serverPubKey key.MachinePublic
@@ -62,15 +170,16 @@ type noiseClient struct {
 
 	// mu only protects the following variables.
 	mu       sync.Mutex
+	last     *noiseConn // or nil
 	nextID   int
 	connPool map[int]*noiseConn // active connections not yet closed; see noiseConn.Close
 }
 
-// newNoiseClient returns a new noiseClient for the provided server and machine key.
+// NewNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
 //
 // dialPlan may be nil
-func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer, dialPlan func() *tailcfg.ControlDialPlan) (*noiseClient, error) {
+func NewNoiseClient(privKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer, dialPlan func() *tailcfg.ControlDialPlan) (*NoiseClient, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, err
@@ -91,9 +200,9 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 		httpPort = "80"
 		httpsPort = "443"
 	}
-	np := &noiseClient{
+	np := &NoiseClient{
 		serverPubKey: serverPubKey,
-		privKey:      priKey,
+		privKey:      privKey,
 		host:         u.Hostname(),
 		httpPort:     httpPort,
 		httpsPort:    httpsPort,
@@ -112,35 +221,76 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 	if err != nil {
 		return nil, err
 	}
+	np.h2t = h2Transport
 
-	// Let the HTTP/2 Transport think it's dialing out using TLS,
-	// but it's actually our Noise dialer:
-	h2Transport.DialTLS = np.dial
-
-	// ConfigureTransports assumes it's being used to wire up an HTTP/1
-	// and HTTP/2 Transport together, so its returned http2.Transport
-	// has a ConnPool already initialized that's configured to not dial
-	// (assuming it's only called from the HTTP/1 Transport). But we
-	// want it to dial, so nil it out before use. On first use it has
-	// a sync.Once that lazily initializes the ConnPool to its default
-	// one that dials.
-	h2Transport.ConnPool = nil
-
-	np.Client = &http.Client{Transport: h2Transport}
+	np.Client = &http.Client{Transport: np}
 	return np, nil
 }
 
+// GetSingleUseRoundTripper returns a RoundTripper that can be only be used once
+// (and must be used once) to make a single HTTP request over the noise channel
+// to the coordination server.
+//
+// In addition to the RoundTripper, it returns the HTTP/2 channel's early noise
+// payload, if any.
+func (nc *NoiseClient) GetSingleUseRoundTripper(ctx context.Context) (http.RoundTripper, *tailcfg.EarlyNoise, error) {
+	for tries := 0; tries < 3; tries++ {
+		conn, err := nc.getConn(ctx)
+		if err != nil {
+			return nil, nil, err
+		}
+		earlyPayloadMaybeNil, err := conn.getEarlyPayload(ctx)
+		if err != nil {
+			return nil, nil, err
+		}
+		if conn.h2cc.ReserveNewRequest() {
+			return conn, earlyPayloadMaybeNil, nil
+		}
+	}
+	return nil, nil, errors.New("[unexpected] failed to reserve a request on a connection")
+}
+
+func (nc *NoiseClient) getConn(ctx context.Context) (*noiseConn, error) {
+	nc.mu.Lock()
+	if last := nc.last; last != nil && last.canTakeNewRequest() {
+		nc.mu.Unlock()
+		return last, nil
+	}
+	nc.mu.Unlock()
+
+	conn, err, _ := nc.sfDial.Do(struct{}{}, nc.dial)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+func (nc *NoiseClient) RoundTrip(req *http.Request) (*http.Response, error) {
+	ctx := req.Context()
+	conn, err := nc.getConn(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return conn.RoundTrip(req)
+}
+
 // connClosed removes the connection with the provided ID from the pool
 // of active connections.
-func (nc *noiseClient) connClosed(id int) {
+func (nc *NoiseClient) connClosed(id int) {
 	nc.mu.Lock()
 	defer nc.mu.Unlock()
-	delete(nc.connPool, id)
+	conn := nc.connPool[id]
+	if conn != nil {
+		delete(nc.connPool, id)
+		if nc.last == conn {
+			nc.last = nil
+		}
+	}
 }
 
 // Close closes all the underlying noise connections.
 // It is a no-op and returns nil if the connection is already closed.
-func (nc *noiseClient) Close() error {
+func (nc *NoiseClient) Close() error {
 	nc.mu.Lock()
 	conns := nc.connPool
 	nc.connPool = nil
@@ -156,10 +306,8 @@ func (nc *noiseClient) Close() error {
 }
 
 // dial opens a new connection to tailcontrol, fetching the server noise key
-// if not cached. It implements the signature needed by http2.Transport.DialTLS
-// but ignores all params as it only dials out to the server the noiseClient was
-// created for.
-func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
+// if not cached.
+func (nc *NoiseClient) dial() (*noiseConn, error) {
 	nc.mu.Lock()
 	connID := nc.nextID
 	nc.nextID++
@@ -210,7 +358,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
-	conn, err := (&controlhttp.Dialer{
+	clientConn, err := (&controlhttp.Dialer{
 		Hostname:        nc.host,
 		HTTPPort:        nc.httpPort,
 		HTTPSPort:       nc.httpsPort,
@@ -224,14 +372,27 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 		return nil, err
 	}
 
+	ncc := &noiseConn{
+		Conn:              clientConn.Conn,
+		id:                connID,
+		pool:              nc,
+		earlyPayloadReady: make(chan struct{}),
+	}
+
+	h2cc, err := nc.h2t.NewClientConn(ncc)
+	if err != nil {
+		return nil, err
+	}
+	ncc.h2cc = h2cc
+
 	nc.mu.Lock()
 	defer nc.mu.Unlock()
-	ncc := &noiseConn{Conn: conn, id: connID, pool: nc}
 	mak.Set(&nc.connPool, ncc.id, ncc)
+	nc.last = ncc
 	return ncc, nil
 }
 
-func (nc *noiseClient) post(ctx context.Context, path string, body any) (*http.Response, error) {
+func (nc *NoiseClient) post(ctx context.Context, path string, body any) (*http.Response, error) {
 	jbody, err := json.Marshal(body)
 	if err != nil {
 		return nil, err
@@ -241,5 +402,14 @@ func (nc *noiseClient) post(ctx context.Context, path string, body any) (*http.R
 		return nil, err
 	}
 	req.Header.Set("Content-Type", "application/json")
-	return nc.Do(req)
+
+	conn, err := nc.getConn(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return conn.h2cc.RoundTrip(req)
+}
+
+func (c *noiseConn) canTakeNewRequest() bool {
+	return c.h2cc.CanTakeNewRequest()
 }

control/controlclient/noise_test.go

@@ -5,10 +5,22 @@
 package controlclient
 
 import (
+	"context"
+	"encoding/binary"
+	"encoding/json"
+	"io"
 	"math"
+	"net/http"
+	"net/http/httptest"
 	"testing"
+	"time"
 
+	"golang.org/x/net/http2"
+	"tailscale.com/control/controlhttp"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
 )
 
 // maxAllowedNoiseVersion is the highest we expect the Tailscale
@@ -26,3 +38,172 @@ func TestNoiseVersion(t *testing.T) {
 		t.Fatalf("tailcfg.CurrentCapabilityVersion is %d, want <=%d", tailcfg.CurrentCapabilityVersion, maxAllowedNoiseVersion)
 	}
 }
+
+type noiseClientTest struct {
+	sendEarlyPayload bool
+}
+
+func TestNoiseClientHTTP2Upgrade(t *testing.T) {
+	noiseClientTest{}.run(t)
+}
+
+func TestNoiseClientHTTP2Upgrade_earlyPayload(t *testing.T) {
+	noiseClientTest{
+		sendEarlyPayload: true,
+	}.run(t)
+}
+
+func (tt noiseClientTest) run(t *testing.T) {
+	serverPrivate := key.NewMachine()
+	clientPrivate := key.NewMachine()
+	chalPrivate := key.NewChallenge()
+
+	const msg = "Hello, client"
+	h2 := &http2.Server{}
+	hs := httptest.NewServer(&Upgrader{
+		h2srv:            h2,
+		noiseKeyPriv:     serverPrivate,
+		sendEarlyPayload: tt.sendEarlyPayload,
+		challenge:        chalPrivate,
+		httpBaseConfig: &http.Server{
+			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "text/plain")
+				io.WriteString(w, msg)
+			}),
+		},
+	})
+	defer hs.Close()
+
+	dialer := new(tsdial.Dialer)
+	nc, err := NewNoiseClient(clientPrivate, serverPrivate.Public(), hs.URL, dialer, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Get a conn and verify it read its early payload before the http/2
+	// handshake.
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	c, err := nc.getConn(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+	select {
+	case <-c.earlyPayloadReady:
+		gotNonNil := c.earlyPayload != nil
+		if gotNonNil != tt.sendEarlyPayload {
+			t.Errorf("sendEarlyPayload = %v but got earlyPayload = %T", tt.sendEarlyPayload, c.earlyPayload)
+		}
+		if c.earlyPayload != nil {
+			if c.earlyPayload.NodeKeyChallenge != chalPrivate.Public() {
+				t.Errorf("earlyPayload.NodeKeyChallenge = %v; want %v", c.earlyPayload.NodeKeyChallenge, chalPrivate.Public())
+			}
+		}
+
+	case <-ctx.Done():
+		t.Fatal("timed out waiting for didReadHeaderCh")
+	}
+
+	checkRes := func(t *testing.T, res *http.Response) {
+		t.Helper()
+		defer res.Body.Close()
+		all, err := io.ReadAll(res.Body)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(all) != msg {
+			t.Errorf("got response %q; want %q", all, msg)
+		}
+	}
+
+	// And verify we can do HTTP/2 against that conn.
+	res, err := (&http.Client{Transport: c}).Get("https://unused.example/")
+	if err != nil {
+		t.Fatal(err)
+	}
+	checkRes(t, res)
+
+	// And try using the high-level nc.post API as well.
+	res, err = nc.post(context.Background(), "/", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	checkRes(t, res)
+}
+
+// Upgrader is an http.Handler that hijacks and upgrades POST-with-Upgrade
+// request to a Tailscale 2021 connection, then hands the resulting
+// controlbase.Conn off to h2srv.
+type Upgrader struct {
+	// h2srv is that will handle requests after the
+	// connection has been upgraded to HTTP/2-over-noise.
+	h2srv *http2.Server
+
+	// httpBaseConfig is the http1 server config that h2srv is
+	// associated with.
+	httpBaseConfig *http.Server
+
+	logf logger.Logf
+
+	noiseKeyPriv key.MachinePrivate
+	challenge    key.ChallengePrivate
+
+	sendEarlyPayload bool
+}
+
+func (up *Upgrader) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if up == nil || up.h2srv == nil {
+		http.Error(w, "invalid server config", http.StatusServiceUnavailable)
+		return
+	}
+	if r.URL.Path != "/ts2021" {
+		http.Error(w, "ts2021 upgrader installed at wrong path", http.StatusBadGateway)
+		return
+	}
+	if up.noiseKeyPriv.IsZero() {
+		http.Error(w, "keys not available", http.StatusServiceUnavailable)
+		return
+	}
+
+	earlyWriteFn := func(protocolVersion int, w io.Writer) error {
+		if !up.sendEarlyPayload {
+			return nil
+		}
+		earlyJSON, err := json.Marshal(&tailcfg.EarlyNoise{
+			NodeKeyChallenge: up.challenge.Public(),
+		})
+		if err != nil {
+			return err
+		}
+		// 5 bytes that won't be mistaken for an HTTP/2 frame:
+		// https://httpwg.org/specs/rfc7540.html#rfc.section.4.1 (Especially not
+		// an HTTP/2 settings frame, which isn't of type 'T')
+		var notH2Frame [5]byte
+		copy(notH2Frame[:], earlyPayloadMagic)
+		var lenBuf [4]byte
+		binary.BigEndian.PutUint32(lenBuf[:], uint32(len(earlyJSON)))
+		// These writes are all buffered by caller, so fine to do them
+		// separately:
+		if _, err := w.Write(notH2Frame[:]); err != nil {
+			return err
+		}
+		if _, err := w.Write(lenBuf[:]); err != nil {
+			return err
+		}
+		if _, err := w.Write(earlyJSON[:]); err != nil {
+			return err
+		}
+		return nil
+	}
+
+	cbConn, err := controlhttp.AcceptHTTP(r.Context(), w, r, up.noiseKeyPriv, earlyWriteFn)
+	if err != nil {
+		up.logf("controlhttp: Accept: %v", err)
+		return
+	}
+	defer cbConn.Close()
+
+	up.h2srv.ServeConn(cbConn, &http2.ServeConnOpts{
+		BaseConfig: up.httpBaseConfig,
+	})
+}

control/controlclient/sign_supported.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build windows && cgo
-// +build windows,cgo
 
 // darwin,cgo is also supported by certstore but machineCertificateSubject will
 // need to be loaded by a different mechanism, so this is not currently enabled