.github/workflows: add cross-android

Fixes 4482 Signed-off-by: James Tucker <james@tailscale.com>
2022-04-21 10:26:40 -07:00 · 2022-04-21 10:13:27 -07:00 · 2022-04-21 10:00:02 -07:00
557 changed files with 9315 additions and 37912 deletions
--- a/.github/licenses.tmpl
+++ b/.github/licenses.tmpl
@@ -1,17 +0,0 @@
-# Tailscale CLI and daemon dependencies
-
-The following open source dependencies are used to build the [tailscale][] and
-[tailscaled][] commands. These are primarily used on Linux and BSD variants as
-well as an [option for macOS][].
-
-[tailscale]: https://pkg.go.dev/tailscale.com/cmd/tailscale
-[tailscaled]: https://pkg.go.dev/tailscale.com/cmd/tailscaled
-[option for macOS]: https://tailscale.com/kb/1065/macos-variants/
-
-## Go Packages
-
-Some packages may only be included on certain architectures or operating systems.
-
-{{ range . }}
- - [{{.Name}}](https://pkg.go.dev/{{.Name}}) ([{{.LicenseName}}]({{.LicenseURL}}))
-{{- end }}
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,15 +1,8 @@
 name: CIFuzz
-on:
-  push:
-    branches: [ main, release-branch/* ]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
+on: [pull_request]
 jobs:
  Fuzzing:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
    steps:
    - name: Build Fuzzers
      id: build
@@ -22,7 +15,7 @@ jobs:
      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
      with:
        oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 900
+        fuzz-seconds: 300
        dry-run: false
        language: go
    - name: Upload Crash
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,14 +20,10 @@ on:
  schedule:
    - cron: '31 14 * * 5'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  analyze:
    name: Analyze
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
--- a/.github/workflows/cross-android.yml
+++ b/.github/workflows/cross-android.yml
@@ -8,35 +8,34 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

-    - name: Android smoke build
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Android build cmd
      env:
        GOOS: android
-        GOARCH: arm64
-      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: Android build tests (does not run tests)
+      env:
+        GOOS: android
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -run '^$' -c ); done

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -8,26 +8,23 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: macOS build cmd
      env:
        GOOS: darwin
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -8,26 +8,23 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: FreeBSD build cmd
      env:
        GOOS: freebsd
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -8,26 +8,23 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: OpenBSD build cmd
      env:
        GOOS: openbsd
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -8,26 +8,23 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Windows build cmd
      env:
        GOOS: windows
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -8,25 +8,21 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18

-    - name: depaware
-      run: go run github.com/tailscale/depaware --check
-        tailscale.com/cmd/tailscaled
-        tailscale.com/cmd/tailscale
-        tailscale.com/cmd/derper
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: depaware tailscaled
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+
+    - name: depaware tailscale
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -1,64 +0,0 @@
-name: go-licenses
-
-on:
-  # run action when a change lands in the main branch which updates go.mod or
-  # our license template file. Also allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/licenses.tmpl
-      - .github/workflows/go-licenses.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  tailscale:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: Install go-licenses
-        run: |
-          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
-
-      - name: Run go-licenses
-        env:
-          # include all build tags to include platform-specific dependencies
-          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
-        run: |
-          [ -d licenses ] || mkdir licenses
-          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
-
-      - name: Get access token
-        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@18f90432bedd2afd6a825469ffd38aa24712a91d #v4.1.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: License Updater <noreply@tailscale.com>
-          committer: License Updater <noreply@tailscale.com>
-          branch: licenses/cli
-          commit-message: "licenses: update tailscale{,d} licenses"
-          title: "licenses: update tailscale{,d} licenses"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          team-reviewers: opensource-license-reviewers
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -9,25 +9,21 @@ on:
    branches:
      - "*"

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  check:
    runs-on: ubuntu-latest

    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18
+
      - name: Check out code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
      - name: check 'go generate' is clean
        run: |
          if [[ "${{github.ref}}" == release-branch/* ]]
--- a/.github/workflows/go_mod_tidy.yml
+++ b/.github/workflows/go_mod_tidy.yml
@@ -1,35 +0,0 @@
-name: go mod tidy
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - "*"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: check 'go mod tidy' is clean
-        run: |
-          go mod tidy
-          echo
-          echo
-          git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -8,22 +8,18 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
+
+    - name: Check out code
+      uses: actions/checkout@v3

    - name: Run license checker
      run: ./scripts/check_license_headers.sh .
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -8,26 +8,23 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Basic build
      run: go build ./cmd/...

--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -8,36 +8,32 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Basic build
      run: go build ./cmd/...

-    - name: Build variants
-      run: |
-        go install --tags=ts_include_cli ./cmd/tailscaled
-        go install --tags=ts_omit_aws ./cmd/tailscaled
-
    - name: Get QEMU
      run: |
+        # The qemu in Ubuntu 20.04 (Focal) is too old; we need 5.x something
+        # to run Go binaries. 5.2.0 (Debian bullseye) empirically works, and
+        # use this PPA which brings in a modern qemu.
+        sudo add-apt-repository -y ppa:jacob/virtualisation
        sudo apt-get -y update
        sudo apt-get -y install qemu-user

--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -8,26 +8,23 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Basic build
      run: GOARCH=386 go build ./cmd/...

--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -1,112 +0,0 @@
-name: static-analysis
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  gofmt:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-    - name: Run gofmt (goimports)
-      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
-  vet:
-    runs-on: github-4vcpu-ubuntu-2204
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-    - name: Check out code
-      uses: actions/checkout@v3
-    - name: Run go vet
-      run: go vet ./...
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
-  staticcheck:
-    runs-on: github-4vcpu-ubuntu-2204
-    strategy:
-      matrix:
-        goos: [linux, windows, darwin]
-        goarch: [amd64]
-        include:
-          - goos: windows
-            goarch: 386
-
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Install staticcheck
-      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
-
-    - name: Print staticcheck version
-      run: "staticcheck -version"
-
-    - name: "Run staticcheck (${{ matrix.goos }}/${{ matrix.goarch }})"
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -1,4 +1,4 @@
-name: Wasm-Cross
+name: staticcheck

 on:
  push:
@@ -8,38 +8,51 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
-    runs-on: github-4vcpu-ubuntu-2204
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+    runs-on: ubuntu-latest

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
-      id: go
+        go-version: 1.18

-    - name: Wasm client build
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Run go vet
+      run: go vet ./...
+
+    - name: Install staticcheck
+      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
+
+    - name: Print staticcheck version
+      run: "staticcheck -version"
+
+    - name: Run staticcheck (linux/amd64)
      env:
-        GOOS: js
-        GOARCH: wasm
-      run: go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
+        GOOS: linux
+        GOARCH: amd64
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"

-    - name: tsconnect static build
-      # Use our custom Go toolchain, we set build tags (to control binary size)
-      # that depend on it.
-      run: |
-        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect build-pkg
+    - name: Run staticcheck (darwin/amd64)
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - name: Run staticcheck (windows/amd64)
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - name: Run staticcheck (windows/386)
+      env:
+        GOOS: windows
+        GOARCH: "386"
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/tsconnect-pkg-publish.yml
+++ b/.github/workflows/tsconnect-pkg-publish.yml
@@ -1,30 +0,0 @@
-name: "@tailscale/connect npm publish"
-
-on: workflow_dispatch
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up node
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
-
-      - name: Build package
-        # Build with build_dist.sh to ensure that version information is embedded.
-        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
-        # also picks up our custom Go toolchain.
-        run: |
-          ./build_dist.sh tailscale.com/cmd/tsconnect
-          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg
-
-      - name: Publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.TSCONNECT_NPM_PUBLISH_AUTH_TOKEN }}
-        run: ./tool/yarn --cwd ./cmd/tsconnect/pkg publish --access public
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -5,10 +5,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  ubuntu2004-LTS-cloud-base:
    runs-on: [ self-hosted, linux, vm ]
@@ -19,13 +15,13 @@ jobs:
      - name: Set GOPATH
        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV

-      - name: Checkout Code
-        uses: actions/checkout@v3
-
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version-file: go.mod
+          go-version: 1.18
+
+      - name: Checkout Code
+        uses: actions/checkout@v3

      - name: Run VM tests
        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -0,0 +1,66 @@
+name: Windows race
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    runs-on: windows-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Install Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18.x
+
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike some other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        # The -race- here ensures that non-race builds and race builds do not
+        # overwrite each others cache, as while they share some files, they
+        # differ in most by volume (build cache).
+        # TODO(raggi): add a go version here.
+        key: ${{ runner.os }}-go-2-race-${{ hashFiles('**/go.sum') }}
+
+    - name: Test with -race flag
+      # Don't use -bench=. -benchtime=1x.
+      # Somewhere in the layers (powershell?)
+      # the equals signs cause great confusion.
+      run: go test -race -bench . -benchtime 1x ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -8,24 +8,21 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
-    runs-on: windows-8vcpu
+    runs-on: windows-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3

    - name: Install Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18.x
+
+    - name: Checkout code
+      uses: actions/checkout@v3

    - name: Restore Cache
      uses: actions/cache@v3
--- a/ALPINE.txt
+++ b/ALPINE.txt
@@ -1 +0,0 @@
-3.16
--- a/19
+++ b/19
@@ -32,25 +32,13 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.19-alpine AS build-env
+FROM golang:1.18-alpine AS build-env

 WORKDIR /go/src/tailscale

 COPY go.mod go.sum ./
 RUN go mod download

-# Pre-build some stuff before the following COPY line invalidates the Docker cache.
-RUN go install \
-    github.com/aws/aws-sdk-go-v2/aws \
-    github.com/aws/aws-sdk-go-v2/config \
-    gvisor.dev/gvisor/pkg/tcpip/adapters/gonet \
-    gvisor.dev/gvisor/pkg/tcpip/stack \
-    golang.org/x/crypto/ssh \
-    golang.org/x/crypto/acme \
-    nhooyr.io/websocket \
-    github.com/mdlayher/netlink \
-    golang.zx2c4.com/wireguard/device
-
 COPY . .

 # see build_docker.sh
@@ -68,8 +56,5 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
      -v ./cmd/tailscale ./cmd/tailscaled

-FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
-
+FROM ghcr.io/tailscale/alpine-base:3.14
 COPY --from=build-env /go/bin/* /usr/local/bin/
-COPY --from=build-env /go/src/tailscale/docs/k8s/run.sh /usr/local/bin/
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -2,5 +2,5 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.

-FROM alpine:3.16
+FROM alpine:3.15
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
--- a/19
+++ b/19
@@ -9,19 +9,15 @@ vet:
 	./tool/go vet ./...

 tidy:
-	./tool/go mod tidy
+	./tool/go mod tidy -compat=1.17

 updatedeps:
-	./tool/go run github.com/tailscale/depaware --update \
-		tailscale.com/cmd/tailscaled \
-		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
+	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
+	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale

 depaware:
-	./tool/go run github.com/tailscale/depaware --check \
-		tailscale.com/cmd/tailscaled \
-		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
+	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale

 buildwindows:
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
@@ -32,13 +28,10 @@ build386:
 buildlinuxarm:
 	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildwasm:
-	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-
 buildmultiarchimage:
 	./build_docker.sh

-check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm
+check: staticcheck vet depaware buildwindows build386 buildlinuxarm

 staticcheck:
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
--- a/README.md
+++ b/README.md
@@ -43,7 +43,10 @@ If your distro has conventions that preclude the use of
 `build_dist.sh`, please do the equivalent of what it does in your
 distro's way, so that bug reports contain useful version information.

-We require the latest Go release, currently Go 1.19.
+We only guarantee to support the latest Go release and any Go beta or
+release candidate builds (currently Go 1.18) in module mode. It might
+work in earlier Go versions or in GOPATH mode, but we're making no
+effort to keep those working.

 ## Bugs

--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.31.0
+1.23.0
--- a/api.md
+++ b/api.md
@@ -22,9 +22,9 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 * **[Tailnets](#tailnet)**
  - ACLs
    - [GET tailnet ACL](#tailnet-acl-get)
-    - [POST tailnet ACL](#tailnet-acl-post)
-    - [POST tailnet ACL preview](#tailnet-acl-preview-post)
-	- [POST tailnet ACL validate](#tailnet-acl-validate-post)
+    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
+    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
+	- [POST tailnet ACL validate](#tailnet-acl-validate-post): run validation tests against the tailnet's existing ACL
  - [Devices](#tailnet-devices)
    - [GET tailnet devices](#tailnet-devices-get)
  - [Keys](#tailnet-keys)
@@ -42,12 +42,12 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/

 ## Device
 <!-- TODO: description about what devices are -->
-Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id".
+Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id". 
 You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.

-To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network.
+To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network. 
 Find the device you're looking for and get the "id" field.
-This is your deviceID.
+This is your deviceID. 

 <a name=device-get></a>

@@ -60,7 +60,7 @@ Use the `fields` query parameter to explicitly indicate which fields are returne
 ##### Parameters
 ##### Query Parameters
 `fields` - Controls which fields will be included in the returned response.
-Currently, supported options are:
+Currently, supported options are: 
 * `all`: returns all fields in the response.
 * `default`: return all fields except:
  * `enabledRoutes`
@@ -72,7 +72,7 @@ If more than one option is indicated, then the union is used.
 For example, for `fields=default,all`, all fields are returned.
 If the `fields` parameter is not provided, then the default option is used.

-##### Example
+##### Example 
 ```
 GET /api/v2/device/12345
 curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
@@ -102,10 +102,10 @@ Response
  "nodeKey":"nodekey:user1-node-key",
  "blocksIncomingConnections":false,
  "enabledRoutes":[
-
+    
  ],
  "advertisedRoutes":[
-
+    
  ],
  "clientConnectivity": {
    "endpoints":[
@@ -141,7 +141,7 @@ Response
 <a name=device-delete></a>

 #### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
-Deletes the provided device from its tailnet.
+Deletes the provided device from its tailnet. 
 The device must belong to the user's tailnet.
 Deleting shared/external devices is not supported.
 Supply the device of interest in the path using its ID.
@@ -159,7 +159,7 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \

 Response

-If successful, the response should be empty:
+If successful, the response should be empty: 
 ```
 < HTTP/1.1 200 OK
 ...
@@ -167,7 +167,7 @@ If successful, the response should be empty:
 * Closing connection 0
 ```

-If the device is not owned by your tailnet:
+If the device is not owned by your tailnet: 
 ```
 < HTTP/1.1 501 Not Implemented
 ...
@@ -317,9 +317,14 @@ Allows for updating properties on the device key.
 - Provide `false` to enable the device's key expiry. Sets the key to expire at the original expiry time prior to disabling. The key may already have expired. In that case, the device must be re-authenticated.
 - Empty value will not change the key expiry.

+`preauthorized`
+
+- If `true`, don't require machine authorization (if enabled on the tailnet)
+
 ```
 {
-  "keyExpiryDisabled": true
+  "keyExpiryDisabled": true,
+  "preauthorized": true
 }
 ```

@@ -334,8 +339,8 @@ curl 'https://api.tailscale.com/api/v2/device/11055/key' \
 The response is 2xx on success. The response body is currently an empty JSON
 object.

-## Tailnet
-A tailnet is the name of your Tailscale network.
+## Tailnet 
+A tailnet is the name of your Tailscale network. 
 You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.


@@ -615,12 +620,7 @@ Response:

 #### `POST /api/v2/tailnet/:tailnet/acl/validate` - run validation tests against the tailnet's active ACL

-This endpoint works in one of two modes:
-
-1. with a request body that's a JSON array, the body is interpreted as ACL tests to run against the domain's current ACLs.
-2. with a request body that's a JSON object, the body is interpreted as a hypothetical new JSON (HuJSON) body with new ACLs, including any tests.
-
-In either case, this endpoint does not modify the ACL in any way.
+Runs the provided ACL tests against the tailnet's existing ACL. This endpoint does not modify the ACL in any way.

 ##### Parameters

@@ -630,7 +630,7 @@ The POST body should be a JSON formatted array of ACL Tests.

 See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.

-##### Example with tests
+##### Example
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -641,28 +641,11 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
  ]'
 ```

-##### Example with an ACL body
-```
-POST /api/v2/tailnet/example.com/acl/validate
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '
-  {
-    "ACLs": [
-     { "Action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] },
-    ],
-    "Tests", [
-      {"src": "100.105.106.107", "allow": ["1.2.3.4:80"]}
-    ],
-  }'
-```
-
 Response:
+If all the tests pass, the response will be empty, with an http status code of 200.

-The HTTP status code will be 200 if the request was well formed and there were no server errors, even in the case of failing tests or an invalid ACL. Look at the response body to determine whether there was a problem within your ACL or tests.
-
-If there's a problem, the response body will be a JSON object with a non-empty `message` property and optionally additional details in `data`:
-
+Failed test error response:
+A 400 http status code and the errors in the response body.  
 ```
 {
  "message":"test(s) failed",
@@ -675,8 +658,6 @@ If there's a problem, the response body will be a JSON object with a non-empty `
 }
 ```

-An empty body or a JSON object with no `message` is returned on success.
-
 <a name=tailnet-devices></a>

 ### Devices
@@ -684,7 +665,7 @@ An empty body or a JSON object with no `message` is returned on success.
 <a name=tailnet-devices-get></a>

 #### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
-Lists the devices in a tailnet.
+Lists the devices in a tailnet. 
 Supply the tailnet of interest in the path.
 Use the `fields` query parameter to explicitly indicate which fields are returned.

@@ -693,7 +674,7 @@ Use the `fields` query parameter to explicitly indicate which fields are returne

 ###### Query Parameters
 `fields` - Controls which fields will be included in the returned response.
-Currently, supported options are:
+Currently, supported options are: 
 * `all`: Returns all fields in the response.
 * `default`: return all fields except:
  * `enabledRoutes`
@@ -713,7 +694,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
  -u "tskey-yourapikey123:"
 ```

-Response
+Response 
 ```
 {
  "devices":[
@@ -815,15 +796,11 @@ Supply the tailnet in the path.
 `capabilities` - A mapping of resources to permissible actions.
 ```
 {
-  "capabilities": {
+	"capabilities": {
    "devices": {
      "create": {
        "reusable": false,
-        "ephemeral": false,
-        "preauthorized": false,
-        "tags": [
-          "tag:example"
-        ]
+        "ephemeral": false
      }
    }
  }
@@ -843,13 +820,11 @@ The full key can no longer be retrieved by the server.

 ```
 echo '{
-  "capabilities": {
+	"capabilities": {
    "devices": {
      "create": {
        "reusable": false,
-        "ephemeral": false,
-        "preauthorized": false,
-        "tags": [ "tag:example" ]
+        "ephemeral": false
      }
    }
  }
@@ -865,7 +840,7 @@ Response:
 	"key":          "tskey-k123456CNTRL-abcdefghijklmnopqrstuvwxyz",
 	"created":      "2021-12-09T23:22:39Z",
 	"expires":      "2022-03-09T23:22:39Z",
-	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false, "preauthorized": false, "tags": [ "tag:example" ]}}}
+	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
 }
 ```

@@ -895,22 +870,10 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
 Response:
 ```
 {
-  "id": "k123456CNTRL",
-  "created": "2022-05-05T18:55:44Z",
-  "expires": "2022-08-03T18:55:44Z",
-  "capabilities": {
-    "devices": {
-      "create": {
-        "reusable": false,
-        "ephemeral": true,
-        "preauthorized": false,
-        "tags": [
-          "tag:bar",
-          "tag:foo"
-        ]
-      }
-    }
-  }
+	"id":           "k123456CNTRL",
+	"created":      "2021-12-09T22:13:53Z",
+	"expires":      "2022-03-09T22:13:53Z",
+	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
 }
 ```

@@ -941,13 +904,13 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k12345
 <a name=tailnet-dns-nameservers-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
-Lists the DNS nameservers for a tailnet.
+Lists the DNS nameservers for a tailnet. 
 Supply the tailnet of interest in the path.

 ##### Parameters
 No parameters.

-##### Example
+##### Example 

 ```
 GET /api/v2/tailnet/example.com/dns/nameservers
@@ -955,7 +918,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
  -u "tskey-yourapikey123:"
 ```

-Response
+Response 
 ```
 {
  "dns": ["8.8.8.8"],
@@ -965,7 +928,7 @@ Response
 <a name=tailnet-dns-nameservers-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
-Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user.
+Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user. 
 Supply the tailnet of interest in the path.
 Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).

@@ -979,7 +942,7 @@ Note that changing the list of DNS nameservers may also affect the status of Mag
 ```

 ##### Returns
-Returns the new list of nameservers and the status of MagicDNS.
+Returns the new list of nameservers and the status of MagicDNS. 

 If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).

@@ -1023,31 +986,31 @@ Retrieves the DNS preferences that are currently set for the given tailnet.
 Supply the tailnet of interest in the path.

 ##### Parameters
-No parameters.
+No parameters. 

 ##### Example
 ```
 GET /api/v2/tailnet/example.com/dns/preferences
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
-  -u "tskey-yourapikey123:"
+  -u "tskey-yourapikey123:" 
 ```

 Response:
 ```
 {
-  "magicDNS":false,
+  "magicDNS":false, 
 }
 ```

 <a name=tailnet-dns-preferences-post></a>

-#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet
+#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet 
 Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
-Note that MagicDNS is dependent on DNS servers.
+Note that MagicDNS is dependent on DNS servers. 

-If there is at least one DNS server, then MagicDNS can be enabled.
+If there is at least one DNS server, then MagicDNS can be enabled. 
 Otherwise, it returns an error.
-Note that removing all nameservers will turn off MagicDNS.
+Note that removing all nameservers will turn off MagicDNS. 
 To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.

 ##### Parameters
@@ -1078,7 +1041,7 @@ If there are no DNS servers, it returns an error message:
 }
 ```

-If there are DNS servers:
+If there are DNS servers: 
 ```
 {
  "magicDNS":true,
@@ -1087,8 +1050,8 @@ If there are DNS servers:

 <a name=tailnet-dns-searchpaths-get></a>

-#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet
-Retrieves the list of search paths that is currently set for the given tailnet.
+#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet 
+Retrieves the list of search paths that is currently set for the given tailnet. 
 Supply the tailnet of interest in the path.


@@ -1099,7 +1062,7 @@ No parameters.
 ```
 GET /api/v2/tailnet/example.com/dns/searchpaths
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
-  -u "tskey-yourapikey123:"
+  -u "tskey-yourapikey123:" 
 ```

 Response:
@@ -1111,7 +1074,7 @@ Response:

 <a name=tailnet-dns-searchpaths-post></a>

-#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet
+#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet 
 Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.

 ##### Parameters
@@ -1120,7 +1083,7 @@ Replaces the list of searchpaths with the list supplied by the user and returns
 `searchPaths` - A list of searchpaths in JSON.
 ```
 {
-  "searchPaths": ["user1.example.com", "user2.example.com"]
+  "searchPaths: ["user1.example.com", "user2.example.com"]
 }
 ```

--- a/atomicfile/atomicfile.go
+++ b/atomicfile/atomicfile.go
@@ -9,15 +9,16 @@
 package atomicfile // import "tailscale.com/atomicfile"

 import (
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
 )

 // WriteFile writes data to filename+some suffix, then renames it
-// into filename. The perm argument is ignored on Windows.
+// into filename.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
 	}
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -45,25 +45,4 @@ EOF
 	exit 0
 fi

-tags=""
-ldflags="-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}"
-
-# build_dist.sh arguments must precede go build arguments.
-while [ "$#" -gt 1 ]; do
-	case "$1" in
-	--extra-small)
-		shift
-		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws"
-		;;
-	--box)
-		shift
-		tags="${tags:+$tags,}ts_include_cli"
-		;;
-	*)
-		break
-		;;
-	esac
-done
-
-exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec ./tool/go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -25,14 +25,14 @@ export PATH=$PWD/tool:$PATH
 eval $(./build_dist.sh shellvars)
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
 DEFAULT_REPOS="tailscale/tailscale,ghcr.io/tailscale/tailscale"
-DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.16"
+DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.14"

 PUSH="${PUSH:-false}"
 REPOS="${REPOS:-${DEFAULT_REPOS}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"

-go run github.com/tailscale/mkctr \
+go run github.com/tailscale/mkctr@latest \
  --gopaths="\
    tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
    tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled" \
@@ -40,9 +40,7 @@ go run github.com/tailscale/mkctr \
    -X tailscale.com/version.Long=${VERSION_LONG} \
    -X tailscale.com/version.Short=${VERSION_SHORT} \
    -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
-  --files="docs/k8s/run.sh:/tailscale/run.sh" \
  --base="${BASE}" \
  --tags="${TAGS}" \
  --repos="${REPOS}" \
-  --push="${PUSH}" \
-  /bin/sh /tailscale/run.sh
+  --push="${PUSH}"
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -11,31 +11,15 @@ import (
 	"fmt"
 	"net"
 	"strings"
-	"time"
-)
-
-const (
-	// Maximum amount of time we should wait when reading a response from BIRD.
-	responseTimeout = 10 * time.Second
 )

 // New creates a BIRDClient.
 func New(socket string) (*BIRDClient, error) {
-	return newWithTimeout(socket, responseTimeout)
-}
-
-func newWithTimeout(socket string, timeout time.Duration) (*BIRDClient, error) {
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
-	b := &BIRDClient{
-		socket:  socket,
-		conn:    conn,
-		scanner: bufio.NewScanner(conn),
-		timeNow: time.Now,
-		timeout: timeout,
-	}
+	b := &BIRDClient{socket: socket, conn: conn, scanner: bufio.NewScanner(conn)}
 	// Read and discard the first line as that is the welcome message.
 	if _, err := b.readResponse(); err != nil {
 		return nil, err
@@ -48,8 +32,6 @@ type BIRDClient struct {
 	socket  string
 	conn    net.Conn
 	scanner *bufio.Scanner
-	timeNow func() time.Time
-	timeout time.Duration
 }

 // Close closes the underlying connection to BIRD.
@@ -99,15 +81,10 @@ func (b *BIRDClient) EnableProtocol(protocol string) error {
 // 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.

 func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
-	if err := b.conn.SetWriteDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
 	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
 		return "", err
 	}
-	if _, err := fmt.Fprintln(b.conn); err != nil {
-		return "", err
-	}
+	fmt.Fprintln(b.conn)
 	return b.readResponse()
 }

@@ -128,20 +105,14 @@ func hasResponseCode(s []byte) bool {
 }

 func (b *BIRDClient) readResponse() (string, error) {
-	// Set the read timeout before we start reading anything.
-	if err := b.conn.SetReadDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
-
 	var resp strings.Builder
 	var done bool
 	for !done {
 		if !b.scanner.Scan() {
-			if err := b.scanner.Err(); err != nil {
-				return "", err
-			}
-
-			return "", fmt.Errorf("reading response from bird failed (EOF): %q", resp.String())
+			return "", fmt.Errorf("reading response from bird failed: %q", resp.String())
+		}
+		if err := b.scanner.Err(); err != nil {
+			return "", err
 		}
 		out := b.scanner.Bytes()
 		if _, err := resp.Write(out); err != nil {
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -8,12 +8,9 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"os"
 	"path/filepath"
 	"strings"
-	"sync"
 	"testing"
-	"time"
 )

 type fakeBIRD struct {
@@ -112,82 +109,3 @@ func TestChirp(t *testing.T) {
 		t.Fatalf("disabling %q succeded", "rando")
 	}
 }
-
-type hangingListener struct {
-	net.Listener
-	t    *testing.T
-	done chan struct{}
-	wg   sync.WaitGroup
-	sock string
-}
-
-func newHangingListener(t *testing.T) *hangingListener {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return &hangingListener{
-		Listener: l,
-		t:        t,
-		done:     make(chan struct{}),
-		sock:     sock,
-	}
-}
-
-func (hl *hangingListener) Stop() {
-	hl.Close()
-	close(hl.done)
-	hl.wg.Wait()
-}
-
-func (hl *hangingListener) listen() error {
-	for {
-		c, err := hl.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		hl.wg.Add(1)
-		go hl.handle(c)
-	}
-}
-
-func (hl *hangingListener) handle(c net.Conn) {
-	defer hl.wg.Done()
-
-	// Write our fake first line of response so that we get into the read loop
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-
-	ticker := time.NewTicker(2 * time.Second)
-	defer ticker.Stop()
-	for {
-		select {
-		case <-ticker.C:
-			hl.t.Logf("connection still hanging")
-		case <-hl.done:
-			return
-		}
-	}
-}
-
-func TestChirpTimeout(t *testing.T) {
-	fb := newHangingListener(t)
-	defer fb.Stop()
-	go fb.listen()
-
-	c, err := newWithTimeout(fb.sock, 500*time.Millisecond)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = c.EnableProtocol("tailscale")
-	if err == nil {
-		t.Fatal("got err=nil, want timeout")
-	}
-	if !os.IsTimeout(err) {
-		t.Fatalf("got err=%v, want os.IsTimeout(err)=true", err)
-	}
-}
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -1,477 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-// +build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-)
-
-// ACLRow defines a rule that grants access by a set of users or groups to a set
-// of servers and ports.
-// Only one of Src/Dst or Users/Ports may be specified.
-type ACLRow struct {
-	Action string   `json:"action,omitempty"` // valid values: "accept"
-	Users  []string `json:"users,omitempty"`  // old name for src
-	Ports  []string `json:"ports,omitempty"`  // old name for dst
-	Src    []string `json:"src,omitempty"`
-	Dst    []string `json:"dst,omitempty"`
-}
-
-// ACLTest defines a test for your ACLs to prevent accidental exposure or
-// revoking of access to key servers and ports. Only one of Src or User may be
-// specified, and only one of Allow/Accept may be specified.
-type ACLTest struct {
-	Src    string   `json:"src,omitempty"`    // source
-	User   string   `json:"user,omitempty"`   // old name for source
-	Accept []string `json:"accept,omitempty"` // expected destination ip:port that user can access
-	Deny   []string `json:"deny,omitempty"`   // expected destination ip:port that user cannot access
-
-	Allow []string `json:"allow,omitempty"` // old name for accept
-}
-
-// ACLDetails contains all the details for an ACL.
-type ACLDetails struct {
-	Tests     []ACLTest           `json:"tests,omitempty"`
-	ACLs      []ACLRow            `json:"acls,omitempty"`
-	Groups    map[string][]string `json:"groups,omitempty"`
-	TagOwners map[string][]string `json:"tagowners,omitempty"`
-	Hosts     map[string]string   `json:"hosts,omitempty"`
-}
-
-// ACL contains an ACLDetails and metadata.
-type ACL struct {
-	ACL  ACLDetails
-	ETag string // to check with version on server
-}
-
-// ACLHuJSON contains the HuJSON string of the ACL and metadata.
-type ACLHuJSON struct {
-	ACL      string
-	Warnings []string
-	ETag     string // to check with version on server
-}
-
-// ACL makes a call to the Tailscale server to get a JSON-parsed version of the ACL.
-// The JSON-parsed version of the ACL contains no comments as proper JSON does not support
-// comments.
-func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACL: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/json")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	acl = &ACL{
-		ACL:  aclDetails,
-		ETag: resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLHuJSON makes a call to the Tailscale server to get the ACL HuJSON and returns
-// it as a string.
-// HuJSON is JSON with a few modifications to make it more human-friendly. The primary
-// changes are allowing comments and trailing comments. See the following links for more info:
-// https://tailscale.com/kb/1018/acls?q=acl#tailscale-acl-policy-format
-// https://github.com/tailscale/hujson
-func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACLHuJSON: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	data := struct {
-		ACL      []byte   `json:"acl"`
-		Warnings []string `json:"warnings"`
-	}{}
-	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, err
-	}
-
-	acl = &ACLHuJSON{
-		ACL:      string(data.ACL),
-		Warnings: data.Warnings,
-		ETag:     resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLTestFailureSummary specifies a user for which ACL tests
-// failed and the related user-friendly error messages.
-//
-// ACLTestFailureSummary specifies the JSON format sent to the
-// JavaScript client to be rendered in the HTML.
-type ACLTestFailureSummary struct {
-	User   string   `json:"user"`
-	Errors []string `json:"errors"`
-}
-
-// ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
-type ACLTestError struct {
-	ErrResponse
-	Data []ACLTestFailureSummary `json:"data"`
-}
-
-func (e ACLTestError) Error() string {
-	return fmt.Sprintf("%s, Data: %+v", e.ErrResponse.Error(), e.Data)
-}
-
-func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, "", err
-	}
-
-	if avoidCollisions {
-		req.Header.Set("If-Match", etag)
-	}
-	req.Header.Set("Accept", acceptHeader)
-	req.Header.Set("Content-Type", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		// check if test error
-		var ate ACLTestError
-		if err := json.Unmarshal(b, &ate); err != nil {
-			return nil, "", err
-		}
-		ate.Status = resp.StatusCode
-		return nil, "", ate
-	}
-	return b, resp.Header.Get("ETag"), nil
-}
-
-// SetACL sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACL(ctx context.Context, acl ACL, avoidCollisions bool) (res *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACL: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	res = &ACL{
-		ACL:  aclDetails,
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// SetACLHuJSON sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if the HuJSON is invalid.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACLHuJSON(ctx context.Context, acl ACLHuJSON, avoidCollisions bool) (res *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACLHuJSON: %w", err)
-		}
-	}()
-
-	postData := []byte(acl.ACL)
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/hujson")
-	if err != nil {
-		return nil, err
-	}
-
-	res = &ACLHuJSON{
-		ACL:  string(b),
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// UserRuleMatch specifies the source users/groups/hosts that a rule targets
-// and the destination ports that they can access.
-// LineNumber is only useful for requests provided in HuJSON form.
-// While JSON requests will have LineNumber, the value is not useful.
-type UserRuleMatch struct {
-	Users      []string `json:"users"`
-	Ports      []string `json:"ports"`
-	LineNumber int      `json:"lineNumber"`
-}
-
-// ACLPreviewResponse is the response type of previewACLPostRequest
-type ACLPreviewResponse struct {
-	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
-	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
-	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
-}
-
-// ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
-type ACLPreview struct {
-	Matches []UserRuleMatch `json:"matches"`
-	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
-	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
-}
-
-func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, err
-	}
-
-	q := req.URL.Query()
-	q.Add("type", previewType)
-	q.Add("previewFor", previewFor)
-	req.URL.RawQuery = q.Encode()
-
-	req.Header.Set("Content-Type", "application/hujson")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-	if err = json.Unmarshal(b, &res); err != nil {
-		return nil, err
-	}
-
-	return res, nil
-}
-
-// PreviewACLForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForUser: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.AddrPort) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForIPPort: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport.String())
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLHuJSONForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForUser: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLHuJSONForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, ipport string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForIPPort: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
-	}, nil
-}
-
-// ValidateACLJSON takes in the given source and destination (in this situation,
-// it is assumed that you are checking whether the source can connect to destination)
-// and creates an ACLTest from that. It then sends the ACLTest to the control api acl
-// validate endpoint, where the test is run. It returns a nil ACLTestError pointer if
-// no test errors occur.
-func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (testErr *ACLTestError, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ValidateACLJSON: %w", err)
-		}
-	}()
-
-	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
-	postData, err := json.Marshal(tests)
-	if err != nil {
-		return nil, err
-	}
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("Content-Type", "application/json")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
-	}
-
-	// The test ran without fail
-	if len(b) == 0 {
-		return nil, nil
-	}
-
-	var res ACLTestError
-	// The test returned errors.
-	if err = json.Unmarshal(b, &res); err != nil {
-		// failed to unmarshal
-		return nil, err
-	}
-	return &res, nil
-}
--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Package apitype contains types for the Tailscale local API and control plane API.
+// Package apitype contains types for the Tailscale local API.
 package apitype

 import "tailscale.com/tailcfg"
--- a/client/tailscale/apitype/controltype.go
+++ b/client/tailscale/apitype/controltype.go
@@ -1,20 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package apitype
-
-type DNSConfig struct {
-	Resolvers         []DNSResolver            `json:"resolvers"`
-	FallbackResolvers []DNSResolver            `json:"fallbackResolvers"`
-	Routes            map[string][]DNSResolver `json:"routes"`
-	Domains           []string                 `json:"domains"`
-	Nameservers       []string                 `json:"nameservers"`
-	Proxied           bool                     `json:"proxied"`
-	PerDomain         bool                     `json:",omitempty"`
-}
-
-type DNSResolver struct {
-	Addr                string   `json:"addr"`
-	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
-}
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -1,262 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-// +build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/url"
-	"strings"
-
-	"tailscale.com/types/opt"
-)
-
-type GetDevicesResponse struct {
-	Devices []*Device `json:"devices"`
-}
-
-type DerpRegion struct {
-	Preferred           bool    `json:"preferred,omitempty"`
-	LatencyMilliseconds float64 `json:"latencyMs"`
-}
-
-type ClientConnectivity struct {
-	Endpoints             []string `json:"endpoints"`
-	DERP                  string   `json:"derp"`
-	MappingVariesByDestIP opt.Bool `json:"mappingVariesByDestIP"`
-	// DERPLatency is mapped by region name (e.g. "New York City", "Seattle").
-	DERPLatency    map[string]DerpRegion `json:"latency"`
-	ClientSupports map[string]opt.Bool   `json:"clientSupports"`
-}
-
-type Device struct {
-	// Addresses is a list of the devices's Tailscale IP addresses.
-	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
-	Addresses []string `json:"addresses"`
-	DeviceID  string   `json:"id"`
-	User      string   `json:"user"`
-	Name      string   `json:"name"`
-	Hostname  string   `json:"hostname"`
-
-	ClientVersion     string `json:"clientVersion"`   // Empty for external devices.
-	UpdateAvailable   bool   `json:"updateAvailable"` // Empty for external devices.
-	OS                string `json:"os"`
-	Created           string `json:"created"` // Empty for external devices.
-	LastSeen          string `json:"lastSeen"`
-	KeyExpiryDisabled bool   `json:"keyExpiryDisabled"`
-	Expires           string `json:"expires"`
-	Authorized        bool   `json:"authorized"`
-	IsExternal        bool   `json:"isExternal"`
-	MachineKey        string `json:"machineKey"` // Empty for external devices.
-	NodeKey           string `json:"nodeKey"`
-
-	// BlocksIncomingConnections is configured via the device's
-	// Tailscale client preferences. This field is only reported
-	// to the API starting with Tailscale 1.3.x clients.
-	BlocksIncomingConnections bool `json:"blocksIncomingConnections"`
-
-	// The following fields are not included by default:
-
-	// EnabledRoutes are the previously-approved subnet routes
-	// (e.g. "192.168.4.16/24", "10.5.2.4/32").
-	EnabledRoutes []string `json:"enabledRoutes"` // Empty for external devices.
-	// AdvertisedRoutes are the subnets (both enabled and not enabled)
-	// being requested from the node.
-	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
-
-	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
-}
-
-// DeviceFieldsOpts determines which fields should be returned in the response.
-//
-// Please only use DeviceAllFields and DeviceDefaultFields.
-// Other DeviceFieldsOpts are not supported.
-//
-// TODO: Support other DeviceFieldsOpts.
-// In the future, users should be able to create their own DeviceFieldsOpts
-// as valid arguments by setting the fields they want returned to a "non-nil"
-// value. For example, DeviceFieldsOpts{NodeID: "true"} should only return NodeIDs.
-type DeviceFieldsOpts Device
-
-func (d *DeviceFieldsOpts) addFieldsToQueryParameter() string {
-	if d == DeviceDefaultFields || d == nil {
-		return "default"
-	}
-	if d == DeviceAllFields {
-		return "all"
-	}
-
-	return ""
-}
-
-var (
-	DeviceAllFields = &DeviceFieldsOpts{}
-
-	// DeviceDefaultFields specifies that the following fields are returned:
-	//   Addresses, NodeID, User, Name, Hostname, ClientVersion, UpdateAvailable,
-	//   OS, Created, LastSeen, KeyExpiryDisabled, Expires, Authorized, IsExternal
-	//   MachineKey, NodeKey, BlocksIncomingConnections.
-	DeviceDefaultFields = &DeviceFieldsOpts{}
-)
-
-// Devices retrieves the list of devices for a tailnet.
-//
-// See the Device structure for the list of fields hidden for external devices.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceList []*Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Devices: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var devices GetDevicesResponse
-	err = json.Unmarshal(b, &devices)
-	return devices.Devices, err
-}
-
-// Device retrieved the details for a specific device.
-//
-// See the Device structure for the list of fields hidden for an external device.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFieldsOpts) (device *Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Device: %w", err)
-		}
-	}()
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	err = json.Unmarshal(b, &device)
-	return device, err
-}
-
-// DeleteDevice deletes the specified device from the Client's tailnet.
-// NOTE: Only devices that belong to the Client's tailnet can be deleted.
-// Deleting external devices is not supported.
-func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteDevice: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}
-
-// AuthorizeDevice marks a device as authorized.
-func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
-	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
-
-// SetTags updates the ACL tags on a device.
-func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) error {
-	params := &struct {
-		Tags []string `json:"tags"`
-	}{Tags: tags}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/tags", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
--- a/client/tailscale/dns.go
+++ b/client/tailscale/dns.go
@@ -1,235 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-// +build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"tailscale.com/client/tailscale/apitype"
-)
-
-// DNSNameServers is returned when retrieving the list of nameservers.
-// It is also the structure provided when setting nameservers.
-type DNSNameServers struct {
-	DNS []string `json:"dns"` // DNS name servers
-}
-
-// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
-//
-// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
-type DNSNameServersPostResponse struct {
-	DNS      []string `json:"dns"`      // DNS name servers
-	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-// DNSSearchpaths is the list of search paths for a given domain.
-type DNSSearchPaths struct {
-	SearchPaths []string `json:"searchPaths"` // DNS search paths
-}
-
-// DNSPreferences is the preferences set for a given tailnet.
-//
-// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
-// there must be at least one nameserver. When all nameservers are removed,
-// MagicDNS is disabled.
-type DNSPreferences struct {
-	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	data, err := json.Marshal(&postData)
-	if err != nil {
-		return nil, err
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	req.Header.Set("Content-Type", "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-// DNSConfig retrieves the DNSConfig settings for a domain.
-func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "config")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp apitype.DNSConfig
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
-		}
-	}()
-	var dnsResp apitype.DNSConfig
-	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-// NameServers retrieves the list of nameservers set for a domain.
-func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.NameServers: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "nameservers")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSNameServers
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.DNS, err
-}
-
-// SetNameServers sets the list of nameservers for a tailnet to the list provided
-// by the user.
-//
-// It returns the new list of nameservers and the MagicDNS status in case it was
-// affected by the change. For example, removing all nameservers will turn off
-// MagicDNS.
-func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
-		}
-	}()
-	dnsReq := DNSNameServers{DNS: nameservers}
-	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// DNSPreferences retrieves the DNS preferences set for a tailnet.
-//
-// It returns the status of MagicDNS.
-func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "preferences")
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SetDNSPreferences sets the DNS preferences for a tailnet.
-//
-// MagicDNS can only be enabled when there is at least one nameserver provided.
-// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
-// unless explicitly enabled by a user again.
-func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
-		}
-	}()
-	dnsReq := DNSPreferences{MagicDNS: magicDNS}
-	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
-	if err != nil {
-		return
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SearchPaths retrieves the list of searchpaths set for a tailnet.
-func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "searchpaths")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp *DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
-
-// SetSearchPaths sets the list of searchpaths for a tailnet.
-func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
-		}
-	}()
-	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
-	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -1,747 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-// +build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/http/httptrace"
-	"net/netip"
-	"net/url"
-	"os/exec"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"go4.org/mem"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/netutil"
-	"tailscale.com/paths"
-	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tka"
-)
-
-// defaultLocalClient is the default LocalClient when using the legacy
-// package-level functions.
-var defaultLocalClient LocalClient
-
-// LocalClient is a client to Tailscale's "local API", communicating with the
-// Tailscale daemon on the local machine. Its API is not necessarily stable and
-// subject to changes between releases. Some API calls have stricter
-// compatibility guarantees, once they've been widely adopted. See method docs
-// for details.
-//
-// Its zero value is valid to use.
-//
-// Any exported fields should be set before using methods on the type
-// and not changed thereafter.
-type LocalClient struct {
-	// Dial optionally specifies an alternate func that connects to the local
-	// machine's tailscaled or equivalent. If nil, a default is used.
-	Dial func(ctx context.Context, network, addr string) (net.Conn, error)
-
-	// Socket specifies an alternate path to the local Tailscale socket.
-	// If empty, a platform-specific default is used.
-	Socket string
-
-	// UseSocketOnly, if true, tries to only connect to tailscaled via the
-	// Unix socket and not via fallback mechanisms as done on macOS when
-	// connecting to the GUI client variants.
-	UseSocketOnly bool
-
-	// tsClient does HTTP requests to the local Tailscale daemon.
-	// It's lazily initialized on first use.
-	tsClient     *http.Client
-	tsClientOnce sync.Once
-}
-
-func (lc *LocalClient) socket() string {
-	if lc.Socket != "" {
-		return lc.Socket
-	}
-	return paths.DefaultTailscaledSocket()
-}
-
-func (lc *LocalClient) dialer() func(ctx context.Context, network, addr string) (net.Conn, error) {
-	if lc.Dial != nil {
-		return lc.Dial
-	}
-	return lc.defaultDialer
-}
-
-func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
-	if addr != "local-tailscaled.sock:80" {
-		return nil, fmt.Errorf("unexpected URL address %q", addr)
-	}
-	if !lc.UseSocketOnly {
-		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
-		// a TCP server on a random port, find the random port. For HTTP connections,
-		// we don't send the token. It gets added in an HTTP Basic-Auth header.
-		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
-			var d net.Dialer
-			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
-		}
-	}
-	s := safesocket.DefaultConnectionStrategy(lc.socket())
-	// The user provided a non-default tailscaled socket address.
-	// Connect only to exactly what they provided.
-	s.UseFallback(false)
-	return safesocket.Connect(s)
-}
-
-// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
-//
-// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
-//
-// The hostname must be "local-tailscaled.sock", even though it
-// doesn't actually do any DNS lookup. The actual means of connecting to and
-// authenticating to the local Tailscale daemon vary by platform.
-//
-// DoLocalRequest may mutate the request to add Authorization headers.
-func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error) {
-	lc.tsClientOnce.Do(func() {
-		lc.tsClient = &http.Client{
-			Transport: &http.Transport{
-				DialContext: lc.dialer(),
-			},
-		}
-	})
-	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
-		req.SetBasicAuth("", token)
-	}
-	return lc.tsClient.Do(req)
-}
-
-func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
-	res, err := lc.DoLocalRequest(req)
-	if err == nil {
-		if server := res.Header.Get("Tailscale-Version"); server != "" && server != ipn.IPCVersion() && onVersionMismatch != nil {
-			onVersionMismatch(ipn.IPCVersion(), server)
-		}
-		if res.StatusCode == 403 {
-			all, _ := io.ReadAll(res.Body)
-			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
-		}
-		return res, nil
-	}
-	if ue, ok := err.(*url.Error); ok {
-		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
-			path := req.URL.Path
-			pathPrefix, _, _ := strings.Cut(path, "?")
-			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
-		}
-	}
-	return nil, err
-}
-
-type errorJSON struct {
-	Error string
-}
-
-// AccessDeniedError is an error due to permissions.
-type AccessDeniedError struct {
-	err error
-}
-
-func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
-func (e *AccessDeniedError) Unwrap() error { return e.err }
-
-// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
-func IsAccessDeniedError(err error) bool {
-	var ae *AccessDeniedError
-	return errors.As(err, &ae)
-}
-
-// bestError returns either err, or if body contains a valid JSON
-// object of type errorJSON, its non-empty error body.
-func bestError(err error, body []byte) error {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return errors.New(j.Error)
-	}
-	return err
-}
-
-func errorMessageFromBody(body []byte) string {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return j.Error
-	}
-	return strings.TrimSpace(string(body))
-}
-
-var onVersionMismatch func(clientVer, serverVer string)
-
-// SetVersionMismatchHandler sets f as the version mismatch handler
-// to be called when the client (the current process) has a version
-// number that doesn't match the server's declared version.
-func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
-	onVersionMismatch = f
-}
-
-func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
-	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	slurp, err := io.ReadAll(res.Body)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != wantStatus {
-		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
-		return nil, bestError(err, slurp)
-	}
-	return slurp, nil
-}
-
-func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
-	return lc.send(ctx, "GET", path, 200, nil)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-//
-// Deprecated: use LocalClient.WhoIs.
-func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	return defaultLocalClient.WhoIs(ctx, remoteAddr)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
-	if err != nil {
-		return nil, err
-	}
-	r := new(apitype.WhoIsResponse)
-	if err := json.Unmarshal(body, r); err != nil {
-		if max := 200; len(body) > max {
-			body = append(body[:max], "..."...)
-		}
-		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
-	}
-	return r, nil
-}
-
-// Goroutines returns a dump of the Tailscale daemon's current goroutines.
-func (lc *LocalClient) Goroutines(ctx context.Context) ([]byte, error) {
-	return lc.get200(ctx, "/localapi/v0/goroutines")
-}
-
-// DaemonMetrics returns the Tailscale daemon's metrics in
-// the Prometheus text exposition format.
-func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
-	return lc.get200(ctx, "/localapi/v0/metrics")
-}
-
-// Profile returns a pprof profile of the Tailscale daemon.
-func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
-	var secArg string
-	if sec < 0 || sec > 300 {
-		return nil, errors.New("duration out of range")
-	}
-	if sec != 0 || pprofType == "profile" {
-		secArg = fmt.Sprint(sec)
-	}
-	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
-}
-
-// BugReport logs and returns a log marker that can be shared by the user with support.
-func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
-	if err != nil {
-		return "", err
-	}
-	return strings.TrimSpace(string(body)), nil
-}
-
-// DebugAction invokes a debug action, such as "rebind" or "restun".
-// These are development tools and subject to change or removal over time.
-func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	return nil
-}
-
-// Status returns the Tailscale daemon's status.
-func Status(ctx context.Context) (*ipnstate.Status, error) {
-	return defaultLocalClient.Status(ctx)
-}
-
-// Status returns the Tailscale daemon's status.
-func (lc *LocalClient) Status(ctx context.Context) (*ipnstate.Status, error) {
-	return lc.status(ctx, "")
-}
-
-// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
-func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return defaultLocalClient.StatusWithoutPeers(ctx)
-}
-
-// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
-func (lc *LocalClient) StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return lc.status(ctx, "?peers=false")
-}
-
-func (lc *LocalClient) status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/status"+queryString)
-	if err != nil {
-		return nil, err
-	}
-	st := new(ipnstate.Status)
-	if err := json.Unmarshal(body, st); err != nil {
-		return nil, err
-	}
-	return st, nil
-}
-
-// IDToken is a request to get an OIDC ID token for an audience.
-// The token can be presented to any resource provider which offers OIDC
-// Federation.
-func (lc *LocalClient) IDToken(ctx context.Context, aud string) (*tailcfg.TokenResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/id-token?aud="+url.QueryEscape(aud))
-	if err != nil {
-		return nil, err
-	}
-	tr := new(tailcfg.TokenResponse)
-	if err := json.Unmarshal(body, tr); err != nil {
-		return nil, err
-	}
-	return tr, nil
-}
-
-func (lc *LocalClient) WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/files/")
-	if err != nil {
-		return nil, err
-	}
-	var wfs []apitype.WaitingFile
-	if err := json.Unmarshal(body, &wfs); err != nil {
-		return nil, err
-	}
-	return wfs, nil
-}
-
-func (lc *LocalClient) DeleteWaitingFile(ctx context.Context, baseName string) error {
-	_, err := lc.send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
-	return err
-}
-
-func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
-	if err != nil {
-		return nil, 0, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, 0, err
-	}
-	if res.ContentLength == -1 {
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("unexpected chunking")
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
-	}
-	return res.Body, res.ContentLength, nil
-}
-
-func (lc *LocalClient) FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/file-targets")
-	if err != nil {
-		return nil, err
-	}
-	var fts []apitype.FileTarget
-	if err := json.Unmarshal(body, &fts); err != nil {
-		return nil, fmt.Errorf("invalid JSON: %w", err)
-	}
-	return fts, nil
-}
-
-// PushFile sends Taildrop file r to target.
-//
-// A size of -1 means unknown.
-// The name parameter is the original filename, not escaped.
-func (lc *LocalClient) PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
-	if err != nil {
-		return err
-	}
-	if size != -1 {
-		req.ContentLength = size
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return err
-	}
-	if res.StatusCode == 200 {
-		io.Copy(io.Discard, res.Body)
-		return nil
-	}
-	all, _ := io.ReadAll(res.Body)
-	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
-}
-
-// CheckIPForwarding asks the local Tailscale daemon whether it looks like the
-// machine is properly configured to forward IP packets as a subnet router
-// or exit node.
-func (lc *LocalClient) CheckIPForwarding(ctx context.Context) error {
-	body, err := lc.get200(ctx, "/localapi/v0/check-ip-forwarding")
-	if err != nil {
-		return err
-	}
-	var jres struct {
-		Warning string
-	}
-	if err := json.Unmarshal(body, &jres); err != nil {
-		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
-	}
-	if jres.Warning != "" {
-		return errors.New(jres.Warning)
-	}
-	return nil
-}
-
-// CheckPrefs validates the provided preferences, without making any changes.
-//
-// The CLI uses this before a Start call to fail fast if the preferences won't
-// work. Currently (2022-04-18) this only checks for SSH server compatibility.
-// Note that EditPrefs does the same validation as this, so call CheckPrefs before
-// EditPrefs is not necessary.
-func (lc *LocalClient) CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
-	pj, err := json.Marshal(p)
-	if err != nil {
-		return err
-	}
-	_, err = lc.send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
-	return err
-}
-
-func (lc *LocalClient) GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/prefs")
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func (lc *LocalClient) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
-	mpj, err := json.Marshal(mp)
-	if err != nil {
-		return nil, err
-	}
-	body, err := lc.send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func (lc *LocalClient) Logout(ctx context.Context) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
-	return err
-}
-
-// SetDNS adds a DNS TXT record for the given domain name, containing
-// the provided TXT value. The intended use case is answering
-// LetsEncrypt/ACME dns-01 challenges.
-//
-// The control plane will only permit SetDNS requests with very
-// specific names and values. The name should be
-// "_acme-challenge." + your node's MagicDNS name. It's expected that
-// clients cache the certs from LetsEncrypt (or whichever CA is
-// providing them) and only request new ones as needed; the control plane
-// rate limits SetDNS requests.
-//
-// This is a low-level interface; it's expected that most Tailscale
-// users use a higher level interface to getting/using TLS
-// certificates.
-func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
-	v := url.Values{}
-	v.Set("name", name)
-	v.Set("value", value)
-	_, err := lc.send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
-	return err
-}
-
-// DialTCP connects to the host's port via Tailscale.
-//
-// The host may be a base DNS name (resolved from the netmap inside
-// tailscaled), a FQDN, or an IP address.
-//
-// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
-func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
-	connCh := make(chan net.Conn, 1)
-	trace := httptrace.ClientTrace{
-		GotConn: func(info httptrace.GotConnInfo) {
-			connCh <- info.Conn
-		},
-	}
-	ctx = httptrace.WithClientTrace(ctx, &trace)
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header = http.Header{
-		"Upgrade":    []string{"ts-dial"},
-		"Connection": []string{"upgrade"},
-		"Dial-Host":  []string{host},
-		"Dial-Port":  []string{fmt.Sprint(port)},
-	}
-	res, err := lc.DoLocalRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != http.StatusSwitchingProtocols {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
-	}
-	// From here on, the underlying net.Conn is ours to use, but there
-	// is still a read buffer attached to it within resp.Body. So, we
-	// must direct I/O through resp.Body, but we can still use the
-	// underlying net.Conn for stuff like deadlines.
-	var switchedConn net.Conn
-	select {
-	case switchedConn = <-connCh:
-	default:
-	}
-	if switchedConn == nil {
-		res.Body.Close()
-		return nil, fmt.Errorf("httptrace didn't provide a connection")
-	}
-	rwc, ok := res.Body.(io.ReadWriteCloser)
-	if !ok {
-		res.Body.Close()
-		return nil, errors.New("http Transport did not provide a writable body")
-	}
-	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
-}
-
-// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
-// It is intended to be used with netcheck to see availability of DERPs.
-func (lc *LocalClient) CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
-	var derpMap tailcfg.DERPMap
-	res, err := lc.send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(res, &derpMap); err != nil {
-		return nil, fmt.Errorf("invalid derp map json: %w", err)
-	}
-	return &derpMap, nil
-}
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// Deprecated: use LocalClient.CertPair.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return defaultLocalClient.CertPair(ctx, domain)
-}
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// API maturity: this is considered a stable API.
-func (lc *LocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	res, err := lc.send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	// with ?type=pair, the response PEM is first the one private
-	// key PEM block, then the cert PEM blocks.
-	i := mem.Index(mem.B(res), mem.S("--\n--"))
-	if i == -1 {
-		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
-	}
-	i += len("--\n")
-	keyPEM, certPEM = res[:i], res[i:]
-	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
-		return nil, nil, fmt.Errorf("unexpected output: key in cert")
-	}
-	return certPEM, keyPEM, nil
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-//
-// Deprecated: use LocalClient.GetCertificate.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return defaultLocalClient.GetCertificate(hi)
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-//
-// API maturity: this is considered a stable API.
-func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi == nil || hi.ServerName == "" {
-		return nil, errors.New("no SNI ServerName")
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	name := hi.ServerName
-	if !strings.Contains(name, ".") {
-		if v, ok := lc.ExpandSNIName(ctx, name); ok {
-			name = v
-		}
-	}
-	certPEM, keyPEM, err := lc.CertPair(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-	return &cert, nil
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-//
-// Deprecated: use LocalClient.ExpandSNIName.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	return defaultLocalClient.ExpandSNIName(ctx, name)
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	st, err := lc.StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", false
-	}
-	for _, d := range st.CertDomains {
-		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
-			return d, true
-		}
-	}
-	return "", false
-}
-
-// Ping sends a ping of the provided type to the provided IP and waits
-// for its response.
-func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
-	v := url.Values{}
-	v.Set("ip", ip.String())
-	v.Set("type", string(pingtype))
-	body, err := lc.send(ctx, "POST", "/localapi/v0/ping?"+v.Encode(), 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error %w: %s", err, body)
-	}
-	pr := new(ipnstate.PingResult)
-	if err := json.Unmarshal(body, pr); err != nil {
-		return nil, err
-	}
-	return pr, nil
-}
-
-// NetworkLockStatus fetches information about the tailnet key authority, if one is configured.
-func (lc *LocalClient) NetworkLockStatus(ctx context.Context) (*ipnstate.NetworkLockStatus, error) {
-	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/status", 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
-	}
-	pr := new(ipnstate.NetworkLockStatus)
-	if err := json.Unmarshal(body, pr); err != nil {
-		return nil, err
-	}
-	return pr, nil
-}
-
-// NetworkLockInit initializes the tailnet key authority.
-func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
-	var b bytes.Buffer
-	type initRequest struct {
-		Keys []tka.Key
-	}
-
-	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys}); err != nil {
-		return nil, err
-	}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/init", 200, &b)
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
-	}
-
-	pr := new(ipnstate.NetworkLockStatus)
-	if err := json.Unmarshal(body, pr); err != nil {
-		return nil, err
-	}
-	return pr, nil
-}
-
-// tailscaledConnectHint gives a little thing about why tailscaled (or
-// platform equivalent) is not answering localapi connections.
-//
-// It ends in a punctuation. See caller.
-func tailscaledConnectHint() string {
-	if runtime.GOOS != "linux" {
-		// TODO(bradfitz): flesh this out
-		return "not running?"
-	}
-	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
-	if err != nil {
-		return "not running?"
-	}
-	// Parse:
-	// LoadState=loaded
-	// ActiveState=inactive
-	// SubState=dead
-	st := map[string]string{}
-	for _, line := range strings.Split(string(out), "\n") {
-		if k, v, ok := strings.Cut(line, "="); ok {
-			st[k] = strings.TrimSpace(v)
-		}
-	}
-	if st["LoadState"] == "loaded" &&
-		(st["SubState"] != "running" || st["ActiveState"] != "active") {
-		return "systemd tailscaled.service not running."
-	}
-	return "not running?"
-}
--- a/client/tailscale/required_version.go
+++ b/client/tailscale/required_version.go
@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !go1.19
-// +build !go1.19
+//go:build !go1.18
+// +build !go1.18

 package tailscale

 func init() {
-	you_need_Go_1_19_to_compile_Tailscale()
+	you_need_Go_1_18_to_compile_Tailscale()
 }
--- a/client/tailscale/routes.go
+++ b/client/tailscale/routes.go
@@ -1,97 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-// +build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-)
-
-// Routes contains the lists of subnet routes that are currently advertised by a device,
-// as well as the subnets that are enabled to be routed by the device.
-type Routes struct {
-	AdvertisedRoutes []netip.Prefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netip.Prefix `json:"enabledRoutes"`
-}
-
-// Routes retrieves the list of subnet routes that have been enabled for a device.
-// The routes that are returned are not necessarily advertised by the device,
-// they have only been preapproved.
-func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Routes: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var sr Routes
-	err = json.Unmarshal(b, &sr)
-	return &sr, err
-}
-
-type postRoutesParams struct {
-	Routes []netip.Prefix `json:"routes"`
-}
-
-// SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by net/netip.ParsePrefix.
-// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
-// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip.Prefix) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
-		}
-	}()
-	params := &postRoutesParams{Routes: subnets}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return nil, err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var srr *Routes
-	if err := json.Unmarshal(b, &srr); err != nil {
-		return nil, err
-	}
-	return srr, err
-}
--- a/client/tailscale/tailnet.go
+++ b/client/tailscale/tailnet.go
@@ -1,42 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-// +build go1.19
-
-package tailscale
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/url"
-)
-
-// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
-func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
-	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, path, nil)
-	if err != nil {
-		return err
-	}
-
-	c.setAuth(req)
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -1,159 +1,616 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

-// Package tailscale contains Go clients for the Tailscale Local API and
-// Tailscale control plane API.
-//
-// Warning: this package is in development and makes no API compatibility
-// promises as of 2022-04-29. It is subject to change at any time.
+// Package tailscale contains Tailscale client code.
 package tailscale

 import (
+	"bytes"
+	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
+	"net"
 	"net/http"
+	"net/http/httptrace"
+	"net/url"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"go4.org/mem"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/netutil"
+	"tailscale.com/paths"
+	"tailscale.com/safesocket"
+	"tailscale.com/tailcfg"
+	"tailscale.com/version"
 )

-// I_Acknowledge_This_API_Is_Unstable must be set true to use this package
-// for now. It was added 2022-04-29 when it was moved to this git repo
-// and will be removed when the public API has settled.
+var (
+	// TailscaledSocket is the tailscaled Unix socket. It's used by the TailscaledDialer.
+	TailscaledSocket = paths.DefaultTailscaledSocket()
+
+	// TailscaledSocketSetExplicitly reports whether the user explicitly set TailscaledSocket.
+	TailscaledSocketSetExplicitly bool
+
+	// TailscaledDialer is the DialContext func that connects to the local machine's
+	// tailscaled or equivalent.
+	TailscaledDialer = defaultDialer
+)
+
+func defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
+	if addr != "local-tailscaled.sock:80" {
+		return nil, fmt.Errorf("unexpected URL address %q", addr)
+	}
+	// TODO: make this part of a safesocket.ConnectionStrategy
+	if !TailscaledSocketSetExplicitly {
+		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
+		// a TCP server on a random port, find the random port. For HTTP connections,
+		// we don't send the token. It gets added in an HTTP Basic-Auth header.
+		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
+			var d net.Dialer
+			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
+		}
+	}
+	s := safesocket.DefaultConnectionStrategy(TailscaledSocket)
+	// The user provided a non-default tailscaled socket address.
+	// Connect only to exactly what they provided.
+	s.UseFallback(false)
+	return safesocket.Connect(s)
+}
+
+var (
+	// tsClient does HTTP requests to the local Tailscale daemon.
+	// We lazily initialize the client in case the caller wants to
+	// override TailscaledDialer.
+	tsClient     *http.Client
+	tsClientOnce sync.Once
+)
+
+// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
 //
-// TODO(bradfitz): remove this after the we're happy with the public API.
-var I_Acknowledge_This_API_Is_Unstable = false
-
-// TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
-
-const defaultAPIBase = "https://api.tailscale.com"
-
-// maxSize is the maximum read size (10MB) of responses from the server.
-const maxReadSize = 10 << 20
-
-// Client makes API calls to the Tailscale control plane API server.
+// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
 //
-// Use NewClient to instantiate one. Exported fields should be set before
-// the client is used and not changed thereafter.
-type Client struct {
-	// tailnet is the globally unique identifier for a Tailscale network, such
-	// as "example.com" or "user@gmail.com".
-	tailnet string
-	// auth is the authentication method to use for this client.
-	// nil means none, which generally won't work, but won't crash.
-	auth AuthMethod
-
-	// BaseURL optionally specifies an alternate API server to use.
-	// If empty, "https://api.tailscale.com" is used.
-	BaseURL string
-
-	// HTTPClient optionally specifies an alternate HTTP client to use.
-	// If nil, http.DefaultClient is used.
-	HTTPClient *http.Client
-}
-
-func (c *Client) httpClient() *http.Client {
-	if c.HTTPClient != nil {
-		return c.HTTPClient
-	}
-	return http.DefaultClient
-}
-
-func (c *Client) baseURL() string {
-	if c.BaseURL != "" {
-		return c.BaseURL
-	}
-	return defaultAPIBase
-}
-
-// AuthMethod is the interface for API authentication methods.
+// The hostname must be "local-tailscaled.sock", even though it
+// doesn't actually do any DNS lookup. The actual means of connecting to and
+// authenticating to the local Tailscale daemon vary by platform.
 //
-// Most users will use AuthKey.
-type AuthMethod interface {
-	modifyRequest(req *http.Request)
-}
-
-// APIKey is an AuthMethod for NewClient that authenticates requests
-// using an authkey.
-type APIKey string
-
-func (ak APIKey) modifyRequest(req *http.Request) {
-	req.SetBasicAuth(string(ak), "")
-}
-
-func (c *Client) setAuth(r *http.Request) {
-	if c.auth != nil {
-		c.auth.modifyRequest(r)
+// DoLocalRequest may mutate the request to add Authorization headers.
+func DoLocalRequest(req *http.Request) (*http.Response, error) {
+	tsClientOnce.Do(func() {
+		tsClient = &http.Client{
+			Transport: &http.Transport{
+				DialContext: TailscaledDialer,
+			},
+		}
+	})
+	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
+		req.SetBasicAuth("", token)
 	}
+	return tsClient.Do(req)
 }

-// NewClient is a convenience method for instantiating a new Client.
-//
-// tailnet is the globally unique identifier for a Tailscale network, such
-// as "example.com" or "user@gmail.com".
-// If httpClient is nil, then http.DefaultClient is used.
-// "api.tailscale.com" is set as the BaseURL for the returned client
-// and can be changed manually by the user.
-func NewClient(tailnet string, auth AuthMethod) *Client {
-	return &Client{
-		tailnet: tailnet,
-		auth:    auth,
+func doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
+	res, err := DoLocalRequest(req)
+	if err == nil {
+		if server := res.Header.Get("Tailscale-Version"); server != "" && server != version.Long && onVersionMismatch != nil {
+			onVersionMismatch(version.Long, server)
+		}
+		if res.StatusCode == 403 {
+			all, _ := ioutil.ReadAll(res.Body)
+			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
+		}
+		return res, nil
 	}
+	if ue, ok := err.(*url.Error); ok {
+		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
+			path := req.URL.Path
+			pathPrefix, _, _ := strings.Cut(path, "?")
+			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
+		}
+	}
+	return nil, err
 }

-func (c *Client) Tailnet() string { return c.tailnet }
-
-// Do sends a raw HTTP request, after adding any authentication headers.
-func (c *Client) Do(req *http.Request) (*http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
-	}
-	c.setAuth(req)
-	return c.httpClient().Do(req)
+type errorJSON struct {
+	Error string
 }

-// sendRequest add the authenication key to the request and sends it. It
-// receives the response and reads up to 10MB of it.
-func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
+// AccessDeniedError is an error due to permissions.
+type AccessDeniedError struct {
+	err error
+}
+
+func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
+func (e *AccessDeniedError) Unwrap() error { return e.err }
+
+// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
+func IsAccessDeniedError(err error) bool {
+	var ae *AccessDeniedError
+	return errors.As(err, &ae)
+}
+
+// bestError returns either err, or if body contains a valid JSON
+// object of type errorJSON, its non-empty error body.
+func bestError(err error, body []byte) error {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return errors.New(j.Error)
 	}
-	c.setAuth(req)
-	resp, err := c.httpClient().Do(req)
+	return err
+}
+
+func errorMessageFromBody(body []byte) string {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return j.Error
+	}
+	return strings.TrimSpace(string(body))
+}
+
+var onVersionMismatch func(clientVer, serverVer string)
+
+// SetVersionMismatchHandler sets f as the version mismatch handler
+// to be called when the client (the current process) has a version
+// number that doesn't match the server's declared version.
+func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
+	onVersionMismatch = f
+}
+
+func send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
+	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
 	if err != nil {
-		return nil, resp, err
+		return nil, err
 	}
-	defer resp.Body.Close()
-
-	// Read response. Limit the response to 10MB.
-	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := io.ReadAll(body)
-	if len(b) > maxReadSize {
-		err = errors.New("API response too large")
+	res, err := doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, err
 	}
-	return b, resp, err
+	defer res.Body.Close()
+	slurp, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != wantStatus {
+		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
+		return nil, bestError(err, slurp)
+	}
+	return slurp, nil
 }

-// ErrResponse is the HTTP error returned by the Tailscale server.
-type ErrResponse struct {
-	Status  int
-	Message string
+func get200(ctx context.Context, path string) ([]byte, error) {
+	return send(ctx, "GET", path, 200, nil)
 }

-func (e ErrResponse) Error() string {
-	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
+// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
+func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	body, err := get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
+	if err != nil {
+		return nil, err
+	}
+	r := new(apitype.WhoIsResponse)
+	if err := json.Unmarshal(body, r); err != nil {
+		if max := 200; len(body) > max {
+			body = append(body[:max], "..."...)
+		}
+		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
+	}
+	return r, nil
 }

-// handleErrorResponse decodes the error message from the server and returns
-// an ErrResponse from it.
-func handleErrorResponse(b []byte, resp *http.Response) error {
-	var errResp ErrResponse
-	if err := json.Unmarshal(b, &errResp); err != nil {
+// Goroutines returns a dump of the Tailscale daemon's current goroutines.
+func Goroutines(ctx context.Context) ([]byte, error) {
+	return get200(ctx, "/localapi/v0/goroutines")
+}
+
+// DaemonMetrics returns the Tailscale daemon's metrics in
+// the Prometheus text exposition format.
+func DaemonMetrics(ctx context.Context) ([]byte, error) {
+	return get200(ctx, "/localapi/v0/metrics")
+}
+
+// Profile returns a pprof profile of the Tailscale daemon.
+func Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
+	var secArg string
+	if sec < 0 || sec > 300 {
+		return nil, errors.New("duration out of range")
+	}
+	if sec != 0 || pprofType == "profile" {
+		secArg = fmt.Sprint(sec)
+	}
+	return get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
+}
+
+// BugReport logs and returns a log marker that can be shared by the user with support.
+func BugReport(ctx context.Context, note string) (string, error) {
+	body, err := send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(body)), nil
+}
+
+// DebugAction invokes a debug action, such as "rebind" or "restun".
+// These are development tools and subject to change or removal over time.
+func DebugAction(ctx context.Context, action string) error {
+	body, err := send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	return nil
+}
+
+// Status returns the Tailscale daemon's status.
+func Status(ctx context.Context) (*ipnstate.Status, error) {
+	return status(ctx, "")
+}
+
+// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
+func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+	return status(ctx, "?peers=false")
+}
+
+func status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
+	body, err := get200(ctx, "/localapi/v0/status"+queryString)
+	if err != nil {
+		return nil, err
+	}
+	st := new(ipnstate.Status)
+	if err := json.Unmarshal(body, st); err != nil {
+		return nil, err
+	}
+	return st, nil
+}
+
+// IDToken is a request to get an OIDC ID token for an audience.
+// The token can be presented to any resource provider which offers OIDC
+// Federation.
+func IDToken(ctx context.Context, aud string) (*tailcfg.TokenResponse, error) {
+	body, err := get200(ctx, "/localapi/v0/id-token?aud="+url.QueryEscape(aud))
+	if err != nil {
+		return nil, err
+	}
+	tr := new(tailcfg.TokenResponse)
+	if err := json.Unmarshal(body, tr); err != nil {
+		return nil, err
+	}
+	return tr, nil
+}
+
+func WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
+	body, err := get200(ctx, "/localapi/v0/files/")
+	if err != nil {
+		return nil, err
+	}
+	var wfs []apitype.WaitingFile
+	if err := json.Unmarshal(body, &wfs); err != nil {
+		return nil, err
+	}
+	return wfs, nil
+}
+
+func DeleteWaitingFile(ctx context.Context, baseName string) error {
+	_, err := send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
+	return err
+}
+
+func GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	res, err := doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, 0, err
+	}
+	if res.ContentLength == -1 {
+		res.Body.Close()
+		return nil, 0, fmt.Errorf("unexpected chunking")
+	}
+	if res.StatusCode != 200 {
+		body, _ := ioutil.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
+	}
+	return res.Body, res.ContentLength, nil
+}
+
+func FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
+	body, err := get200(ctx, "/localapi/v0/file-targets")
+	if err != nil {
+		return nil, err
+	}
+	var fts []apitype.FileTarget
+	if err := json.Unmarshal(body, &fts); err != nil {
+		return nil, fmt.Errorf("invalid JSON: %w", err)
+	}
+	return fts, nil
+}
+
+// PushFile sends Taildrop file r to target.
+//
+// A size of -1 means unknown.
+// The name parameter is the original filename, not escaped.
+func PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
+	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
+	if err != nil {
 		return err
 	}
-	errResp.Status = resp.StatusCode
-	return errResp
+	if size != -1 {
+		req.ContentLength = size
+	}
+	res, err := doLocalRequestNiceError(req)
+	if err != nil {
+		return err
+	}
+	if res.StatusCode == 200 {
+		io.Copy(io.Discard, res.Body)
+		return nil
+	}
+	all, _ := io.ReadAll(res.Body)
+	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
+}
+
+func CheckIPForwarding(ctx context.Context) error {
+	body, err := get200(ctx, "/localapi/v0/check-ip-forwarding")
+	if err != nil {
+		return err
+	}
+	var jres struct {
+		Warning string
+	}
+	if err := json.Unmarshal(body, &jres); err != nil {
+		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
+	}
+	if jres.Warning != "" {
+		return errors.New(jres.Warning)
+	}
+	return nil
+}
+
+// CheckPrefs validates the provided preferences, without making any changes.
+//
+// The CLI uses this before a Start call to fail fast if the preferences won't
+// work. Currently (2022-04-18) this only checks for SSH server compatibility.
+// Note that EditPrefs does the same validation as this, so call CheckPrefs before
+// EditPrefs is not necessary.
+func CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
+	pj, err := json.Marshal(p)
+	if err != nil {
+		return err
+	}
+	_, err = send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
+	return err
+}
+
+func GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
+	body, err := get200(ctx, "/localapi/v0/prefs")
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
+}
+
+func EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
+	mpj, err := json.Marshal(mp)
+	if err != nil {
+		return nil, err
+	}
+	body, err := send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
+}
+
+func Logout(ctx context.Context) error {
+	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
+	return err
+}
+
+// SetDNS adds a DNS TXT record for the given domain name, containing
+// the provided TXT value. The intended use case is answering
+// LetsEncrypt/ACME dns-01 challenges.
+//
+// The control plane will only permit SetDNS requests with very
+// specific names and values. The name should be
+// "_acme-challenge." + your node's MagicDNS name. It's expected that
+// clients cache the certs from LetsEncrypt (or whichever CA is
+// providing them) and only request new ones as needed; the control plane
+// rate limits SetDNS requests.
+//
+// This is a low-level interface; it's expected that most Tailscale
+// users use a higher level interface to getting/using TLS
+// certificates.
+func SetDNS(ctx context.Context, name, value string) error {
+	v := url.Values{}
+	v.Set("name", name)
+	v.Set("value", value)
+	_, err := send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
+	return err
+}
+
+// DialTCP connects to the host's port via Tailscale.
+//
+// The host may be a base DNS name (resolved from the netmap inside
+// tailscaled), a FQDN, or an IP address.
+//
+// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
+func DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
+	connCh := make(chan net.Conn, 1)
+	trace := httptrace.ClientTrace{
+		GotConn: func(info httptrace.GotConnInfo) {
+			connCh <- info.Conn
+		},
+	}
+	ctx = httptrace.WithClientTrace(ctx, &trace)
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header = http.Header{
+		"Upgrade":    []string{"ts-dial"},
+		"Connection": []string{"upgrade"},
+		"Dial-Host":  []string{host},
+		"Dial-Port":  []string{fmt.Sprint(port)},
+	}
+	res, err := DoLocalRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != http.StatusSwitchingProtocols {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
+	}
+	// From here on, the underlying net.Conn is ours to use, but there
+	// is still a read buffer attached to it within resp.Body. So, we
+	// must direct I/O through resp.Body, but we can still use the
+	// underlying net.Conn for stuff like deadlines.
+	var switchedConn net.Conn
+	select {
+	case switchedConn = <-connCh:
+	default:
+	}
+	if switchedConn == nil {
+		res.Body.Close()
+		return nil, fmt.Errorf("httptrace didn't provide a connection")
+	}
+	rwc, ok := res.Body.(io.ReadWriteCloser)
+	if !ok {
+		res.Body.Close()
+		return nil, errors.New("http Transport did not provide a writable body")
+	}
+	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
+}
+
+// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
+// It is intended to be used with netcheck to see availability of DERPs.
+func CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
+	var derpMap tailcfg.DERPMap
+	res, err := send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(res, &derpMap); err != nil {
+		return nil, fmt.Errorf("invalid derp map json: %w", err)
+	}
+	return &derpMap, nil
+}
+
+// CertPair returns a cert and private key for the provided DNS domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	res, err := send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	// with ?type=pair, the response PEM is first the one private
+	// key PEM block, then the cert PEM blocks.
+	i := mem.Index(mem.B(res), mem.S("--\n--"))
+	if i == -1 {
+		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
+	}
+	i += len("--\n")
+	keyPEM, certPEM = res[:i], res[i:]
+	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
+		return nil, nil, fmt.Errorf("unexpected output: key in cert")
+	}
+	return certPEM, keyPEM, nil
+}
+
+// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// It's the right signature to use as the value of
+// tls.Config.GetCertificate.
+func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if hi == nil || hi.ServerName == "" {
+		return nil, errors.New("no SNI ServerName")
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	name := hi.ServerName
+	if !strings.Contains(name, ".") {
+		if v, ok := ExpandSNIName(ctx, name); ok {
+			name = v
+		}
+	}
+	certPEM, keyPEM, err := CertPair(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, err
+	}
+	return &cert, nil
+}
+
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	st, err := StatusWithoutPeers(ctx)
+	if err != nil {
+		return "", false
+	}
+	for _, d := range st.CertDomains {
+		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
+			return d, true
+		}
+	}
+	return "", false
+}
+
+// tailscaledConnectHint gives a little thing about why tailscaled (or
+// platform equivalent) is not answering localapi connections.
+//
+// It ends in a punctuation. See caller.
+func tailscaledConnectHint() string {
+	if runtime.GOOS != "linux" {
+		// TODO(bradfitz): flesh this out
+		return "not running?"
+	}
+	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
+	if err != nil {
+		return "not running?"
+	}
+	// Parse:
+	// LoadState=loaded
+	// ActiveState=inactive
+	// SubState=dead
+	st := map[string]string{}
+	for _, line := range strings.Split(string(out), "\n") {
+		if k, v, ok := strings.Cut(line, "="); ok {
+			st[k] = strings.TrimSpace(v)
+		}
+	}
+	if st["LoadState"] == "loaded" &&
+		(st["SubState"] != "running" || st["ActiveState"] != "active") {
+		return "systemd tailscaled.service not running."
+	}
+	return "not running?"
 }
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -22,11 +22,13 @@ import (
 	"os"
 	"strings"

+	"golang.org/x/tools/go/packages"
 	"tailscale.com/util/codegen"
 )

 var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
+	flagOutput    = flag.String("output", "", "output file; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
 	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 )
@@ -41,18 +43,30 @@ func main() {
 	}
 	typeNames := strings.Split(*flagTypes, ",")

-	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
+	cfg := &packages.Config{
+		Mode:  packages.NeedTypes | packages.NeedTypesInfo | packages.NeedSyntax | packages.NeedName,
+		Tests: false,
+	}
+	if *flagBuildTags != "" {
+		cfg.BuildFlags = []string{"-tags=" + *flagBuildTags}
+	}
+	pkgs, err := packages.Load(cfg, ".")
 	if err != nil {
 		log.Fatal(err)
 	}
-	it := codegen.NewImportTracker(pkg.Types)
+	if len(pkgs) != 1 {
+		log.Fatalf("wrong number of packages: %d", len(pkgs))
+	}
+	pkg := pkgs[0]
 	buf := new(bytes.Buffer)
+	imports := make(map[string]struct{})
+	namedTypes := codegen.NamedTypes(pkg)
 	for _, typeName := range typeNames {
 		typ, ok := namedTypes[typeName]
 		if !ok {
 			log.Fatalf("could not find type %s", typeName)
 		}
-		gen(buf, it, typ)
+		gen(buf, imports, typ, pkg.Types)
 	}

 	w := func(format string, args ...any) {
@@ -79,13 +93,62 @@ func main() {
 		w("	return false")
 		w("}")
 	}
-	cloneOutput := pkg.Name + "_clone.go"
-	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
+
+	contents := new(bytes.Buffer)
+	var flagArgs []string
+	if *flagTypes != "" {
+		flagArgs = append(flagArgs, "-type="+*flagTypes)
+	}
+	if *flagOutput != "" {
+		flagArgs = append(flagArgs, "-output="+*flagOutput)
+	}
+	if *flagBuildTags != "" {
+		flagArgs = append(flagArgs, "-tags="+*flagBuildTags)
+	}
+	if *flagCloneFunc {
+		flagArgs = append(flagArgs, "-clonefunc")
+	}
+	fmt.Fprintf(contents, header, strings.Join(flagArgs, " "), pkg.Name)
+	fmt.Fprintf(contents, "import (\n")
+	for s := range imports {
+		fmt.Fprintf(contents, "\t%q\n", s)
+	}
+	fmt.Fprintf(contents, ")\n\n")
+	contents.Write(buf.Bytes())
+
+	output := *flagOutput
+	if output == "" {
+		flag.Usage()
+		os.Exit(2)
+	}
+	if err := codegen.WriteFormatted(contents.Bytes(), output); err != nil {
 		log.Fatal(err)
 	}
 }

-func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
+const header = `// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
+//` + `go:generate` + ` go run tailscale.com/cmd/cloner %s
+
+package %s
+
+`
+
+func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisPkg *types.Package) {
+	pkgQual := func(pkg *types.Package) string {
+		if thisPkg == pkg {
+			return ""
+		}
+		imports[pkg.Path()] = struct{}{}
+		return pkg.Name()
+	}
+	importedName := func(t types.Type) string {
+		return types.TypeString(t, pkgQual)
+	}
+
 	t, ok := typ.Underlying().(*types.Struct)
 	if !ok {
 		return
@@ -106,11 +169,11 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	for i := 0; i < t.NumFields(); i++ {
 		fname := t.Field(i).Name()
 		ft := t.Field(i).Type()
-		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
+		if !codegen.ContainsPointers(ft) {
 			continue
 		}
 		if named, _ := ft.(*types.Named); named != nil {
-			if codegen.IsViewType(ft) {
+			if isViewType(ft) {
 				writef("dst.%s = src.%s", fname, fname)
 				continue
 			}
@@ -122,16 +185,11 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 		switch ft := ft.Underlying().(type) {
 		case *types.Slice:
 			if codegen.ContainsPointers(ft.Elem()) {
-				n := it.QualifiedName(ft.Elem())
+				n := importedName(ft.Elem())
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
-				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
-						writef("\tx := *src.%s[i]", fname)
-						writef("\tdst.%s[i] = &x", fname)
-					} else {
-						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
-					}
+				if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
+					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
@@ -144,7 +202,7 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
-			n := it.QualifiedName(ft.Elem())
+			n := importedName(ft.Elem())
 			writef("if dst.%s != nil {", fname)
 			writef("\tdst.%s = new(%s)", fname, n)
 			writef("\t*dst.%s = *src.%s", fname, fname)
@@ -153,25 +211,18 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 			}
 			writef("}")
 		case *types.Map:
-			elem := ft.Elem()
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
-			if sliceType, isSlice := elem.(*types.Slice); isSlice {
-				n := it.QualifiedName(sliceType.Elem())
+			writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
+			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
+				n := importedName(sliceType.Elem())
 				writef("\tfor k := range src.%s {", fname)
 				// use zero-length slice instead of nil to ensure
 				// the key is always copied.
 				writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
 				writef("\t}")
-			} else if codegen.ContainsPointers(elem) {
+			} else if codegen.ContainsPointers(ft.Elem()) {
 				writef("\tfor k, v := range src.%s {", fname)
-				switch elem.(type) {
-				case *types.Pointer:
-					writef("\t\tdst.%s[k] = v.Clone()", fname)
-				default:
-					writef("\t\tv2 := v.Clone()")
-					writef("\t\tdst.%s[k] = *v2", fname)
-				}
+				writef("\t\tdst.%s[k] = v.Clone()", fname)
 				writef("\t}")
 			} else {
 				writef("\tfor k, v := range src.%s {", fname)
@@ -186,10 +237,20 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	writef("return dst")
 	fmt.Fprintf(buf, "}\n\n")

-	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
+	buf.Write(codegen.AssertStructUnchanged(t, thisPkg, name, "Clone", imports))
+}
+
+func isViewType(typ types.Type) bool {
+	t, ok := typ.Underlying().(*types.Struct)
+	if !ok {
+		return false
+	}
+	if t.NumFields() != 1 {
+		return false
+	}
+	return t.Field(0).Name() == "ж"
 }

-// hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
 func hasBasicUnderlying(typ types.Type) bool {
 	switch typ.Underlying().(type) {
 	case *types.Slice, *types.Map:
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -12,36 +12,20 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"sync/atomic"
 	"time"
-
-	"tailscale.com/syncs"
 )

-const refreshTimeout = time.Minute
+var dnsCache atomic.Value // of []byte

-type dnsEntryMap map[string][]net.IP
-
-var (
-	dnsCache            syncs.AtomicValue[dnsEntryMap]
-	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
-	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
-)
-
-var (
-	bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
-	publishedDNSHits     = expvar.NewInt("counter_bootstrap_dns_published_hits")
-	publishedDNSMisses   = expvar.NewInt("counter_bootstrap_dns_published_misses")
-	unpublishedDNSHits   = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
-	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
-)
+var bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")

 func refreshBootstrapDNSLoop() {
-	if *bootstrapDNS == "" && *unpublishedDNS == "" {
+	if *bootstrapDNS == "" {
 		return
 	}
 	for {
 		refreshBootstrapDNS()
-		refreshUnpublishedDNS()
 		time.Sleep(10 * time.Minute)
 	}
 }
@@ -50,34 +34,10 @@ func refreshBootstrapDNS() {
 	if *bootstrapDNS == "" {
 		return
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
+	dnsEntries := make(map[string][]net.IP)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
-	j, err := json.MarshalIndent(dnsEntries, "", "\t")
-	if err != nil {
-		// leave the old values in place
-		return
-	}
-
-	dnsCache.Store(dnsEntries)
-	dnsCacheBytes.Store(j)
-}
-
-func refreshUnpublishedDNS() {
-	if *unpublishedDNS == "" {
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
-	defer cancel()
-
-	dnsEntries := resolveList(ctx, strings.Split(*unpublishedDNS, ","))
-	unpublishedDNSCache.Store(dnsEntries)
-}
-
-func resolveList(ctx context.Context, names []string) dnsEntryMap {
-	dnsEntries := make(dnsEntryMap)
-
+	names := strings.Split(*bootstrapDNS, ",")
 	var r net.Resolver
 	for _, name := range names {
 		addrs, err := r.LookupIP(ctx, "ip", name)
@@ -87,47 +47,21 @@ func resolveList(ctx context.Context, names []string) dnsEntryMap {
 		}
 		dnsEntries[name] = addrs
 	}
-	return dnsEntries
+	j, err := json.MarshalIndent(dnsEntries, "", "\t")
+	if err != nil {
+		// leave the old values in place
+		return
+	}
+	dnsCache.Store(j)
 }

 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	bootstrapDNSRequests.Add(1)
-
 	w.Header().Set("Content-Type", "application/json")
-	// Bootstrap DNS requests occur cross-regions, and are randomized per
-	// request, so keeping a connection open is pointlessly expensive.
+	j, _ := dnsCache.Load().([]byte)
+	// Bootstrap DNS requests occur cross-regions,
+	// and are randomized per request,
+	// so keeping a connection open is pointlessly expensive.
 	w.Header().Set("Connection", "close")
-
-	// Try answering a query from our hidden map first
-	if q := r.URL.Query().Get("q"); q != "" {
-		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
-			unpublishedDNSHits.Add(1)
-
-			// Only return the specific query, not everything.
-			m := dnsEntryMap{q: ips}
-			j, err := json.MarshalIndent(m, "", "\t")
-			if err == nil {
-				w.Write(j)
-				return
-			}
-		}
-
-		// If we have a "q" query for a name in the published cache
-		// list, then track whether that's a hit/miss.
-		if m, ok := dnsCache.Load()[q]; ok {
-			if len(m) > 0 {
-				publishedDNSHits.Add(1)
-			} else {
-				publishedDNSMisses.Add(1)
-			}
-		} else {
-			// If it wasn't in either cache, treat this as a query
-			// for the unpublished cache, and thus a cache miss.
-			unpublishedDNSMisses.Add(1)
-		}
-	}
-
-	// Fall back to returning the public set of cached DNS names
-	j := dnsCacheBytes.Load()
 	w.Write(j)
 }
--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@@ -5,12 +5,7 @@
 package main

 import (
-	"encoding/json"
-	"net"
 	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"reflect"
 	"testing"
 )

@@ -22,12 +17,11 @@ func BenchmarkHandleBootstrapDNS(b *testing.B) {
 	}()
 	refreshBootstrapDNS()
 	w := new(bitbucketResponseWriter)
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)
 	b.ReportAllocs()
 	b.ResetTimer()
 	b.RunParallel(func(b *testing.PB) {
 		for b.Next() {
-			handleBootstrapDNS(w, req)
+			handleBootstrapDNS(w, nil)
 		}
 	})
 }
@@ -39,116 +33,3 @@ func (b *bitbucketResponseWriter) Header() http.Header { return make(http.Header
 func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p), nil }

 func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
-
-func getBootstrapDNS(t *testing.T, q string) dnsEntryMap {
-	t.Helper()
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape(q), nil)
-	w := httptest.NewRecorder()
-	handleBootstrapDNS(w, req)
-
-	res := w.Result()
-	if res.StatusCode != 200 {
-		t.Fatalf("got status=%d; want %d", res.StatusCode, 200)
-	}
-	var ips dnsEntryMap
-	if err := json.NewDecoder(res.Body).Decode(&ips); err != nil {
-		t.Fatalf("error decoding response body: %v", err)
-	}
-	return ips
-}
-
-func TestUnpublishedDNS(t *testing.T) {
-	const published = "login.tailscale.com"
-	const unpublished = "log.tailscale.io"
-
-	prev1, prev2 := *bootstrapDNS, *unpublishedDNS
-	*bootstrapDNS = published
-	*unpublishedDNS = unpublished
-	t.Cleanup(func() {
-		*bootstrapDNS = prev1
-		*unpublishedDNS = prev2
-	})
-
-	refreshBootstrapDNS()
-	refreshUnpublishedDNS()
-
-	hasResponse := func(q string) bool {
-		_, found := getBootstrapDNS(t, q)[q]
-		return found
-	}
-
-	if !hasResponse(published) {
-		t.Errorf("expected response for: %s", published)
-	}
-	if !hasResponse(unpublished) {
-		t.Errorf("expected response for: %s", unpublished)
-	}
-
-	// Verify that querying for a random query or a real query does not
-	// leak our unpublished domain
-	m1 := getBootstrapDNS(t, published)
-	if _, found := m1[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m1)
-	}
-	m2 := getBootstrapDNS(t, "random.example.com")
-	if _, found := m2[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m2)
-	}
-}
-
-func resetMetrics() {
-	publishedDNSHits.Set(0)
-	publishedDNSMisses.Set(0)
-	unpublishedDNSHits.Set(0)
-	unpublishedDNSMisses.Set(0)
-}
-
-// Verify that we don't count an empty list in the unpublishedDNSCache as a
-// cache hit in our metrics.
-func TestUnpublishedDNSEmptyList(t *testing.T) {
-	pub := dnsEntryMap{
-		"tailscale.com": {net.IPv4(10, 10, 10, 10)},
-	}
-	dnsCache.Store(pub)
-	dnsCacheBytes.Store([]byte(`{"tailscale.com":["10.10.10.10"]}`))
-
-	unpublishedDNSCache.Store(dnsEntryMap{
-		"log.tailscale.io":           {},
-		"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
-	})
-
-	t.Run("CacheMiss", func(t *testing.T) {
-		// One domain in map but empty, one not in map at all
-		for _, q := range []string{"log.tailscale.io", "login.tailscale.com"} {
-			resetMetrics()
-			ips := getBootstrapDNS(t, q)
-
-			// Expected our public map to be returned on a cache miss
-			if !reflect.DeepEqual(ips, pub) {
-				t.Errorf("got ips=%+v; want %+v", ips, pub)
-			}
-			if v := unpublishedDNSHits.Value(); v != 0 {
-				t.Errorf("got hits=%d; want 0", v)
-			}
-			if v := unpublishedDNSMisses.Value(); v != 1 {
-				t.Errorf("got misses=%d; want 1", v)
-			}
-		}
-	})
-
-	// Verify that we do get a valid response and metric.
-	t.Run("CacheHit", func(t *testing.T) {
-		resetMetrics()
-		ips := getBootstrapDNS(t, "controlplane.tailscale.com")
-		want := dnsEntryMap{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
-		if !reflect.DeepEqual(ips, want) {
-			t.Errorf("got ips=%+v; want %+v", ips, want)
-		}
-		if v := unpublishedDNSHits.Value(); v != 1 {
-			t.Errorf("got hits=%d; want 1", v)
-		}
-		if v := unpublishedDNSMisses.Value(); v != 0 {
-			t.Errorf("got misses=%d; want 0", v)
-		}
-	})
-}
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -20,11 +20,6 @@ var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)

 type certProvider interface {
 	// TLSConfig creates a new TLS config suitable for net/http.Server servers.
-	//
-	// The returned Config must have a GetCertificate function set and that
-	// function must return a unique *tls.Certificate for each call. The
-	// returned *tls.Certificate will be mutated by the caller to append to the
-	// (*tls.Certificate).Certificate field.
 	TLSConfig() *tls.Config
 	// HTTPHandler handle ACME related request, if any.
 	HTTPHandler(fallback http.Handler) http.Handler
@@ -92,13 +87,7 @@ func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certif
 	if hi.ServerName != m.hostname {
 		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
 	}
-
-	// Return a shallow copy of the cert so the caller can append to its
-	// Certificate field.
-	certCopy := new(tls.Certificate)
-	*certCopy = *m.cert
-	certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
-	return certCopy, nil
+	return m.cert, nil
 }

 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -1,197 +0,0 @@
-tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depaware)
-
-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
-   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
-        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
-   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
-   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter
-   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
-        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
-        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
-        tailscale.com                                                from tailscale.com/version
-        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
-        tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale
-        tailscale.com/derp                                           from tailscale.com/cmd/derper+
-        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
-        tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/envknob                                        from tailscale.com/derp+
-        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
-        tailscale.com/ipn                                            from tailscale.com/client/tailscale
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-     💣 tailscale.com/metrics                                        from tailscale.com/cmd/derper+
-        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
-        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
-     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
-        tailscale.com/net/netknob                                    from tailscale.com/net/netns
-        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
-        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
-        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
-        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
-        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-        tailscale.com/paths                                          from tailscale.com/client/tailscale
-        tailscale.com/safesocket                                     from tailscale.com/client/tailscale
-        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
-        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
-        tailscale.com/tka                                            from tailscale.com/client/tailscale+
-   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
-        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
-        tailscale.com/types/empty                                    from tailscale.com/ipn
-        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
-        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
-        tailscale.com/types/netmap                                   from tailscale.com/ipn
-        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
-        tailscale.com/types/pad32                                    from tailscale.com/derp
-        tailscale.com/types/persist                                  from tailscale.com/ipn
-        tailscale.com/types/preftype                                 from tailscale.com/ipn
-        tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
-        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
-        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
-   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
-        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
-   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
-        tailscale.com/version                                        from tailscale.com/derp+
-        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
-        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
-        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
-        golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/blake2s                                  from tailscale.com/tka
-        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
-        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
-        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
-        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
-        golang.org/x/crypto/curve25519                               from crypto/tls+
-        golang.org/x/crypto/hkdf                                     from crypto/tls
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
-        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
-        golang.org/x/net/dns/dnsmessage                              from net+
-        golang.org/x/net/http/httpguts                               from net/http
-        golang.org/x/net/http/httpproxy                              from net/http
-        golang.org/x/net/http2/hpack                                 from net/http
-        golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
-        golang.org/x/net/proxy                                       from tailscale.com/net/netns
-   D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
-   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
-   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
-        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
-        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
-        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
-        golang.org/x/time/rate                                       from tailscale.com/cmd/derper+
-        bufio                                                        from compress/flate+
-        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from internal/profile+
-        container/list                                               from crypto/tls+
-        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdsa+
-        crypto/aes                                                   from crypto/ecdsa+
-        crypto/cipher                                                from crypto/aes+
-        crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509
-        crypto/ecdsa                                                 from crypto/tls+
-        crypto/ed25519                                               from crypto/tls+
-        crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls+
-        crypto/md5                                                   from crypto/tls+
-        crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls
-        crypto/rsa                                                   from crypto/tls+
-        crypto/sha1                                                  from crypto/tls+
-        crypto/sha256                                                from crypto/tls+
-        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from golang.org/x/crypto/acme+
-        crypto/x509                                                  from crypto/tls+
-        crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from crypto/internal/nistec+
-        encoding                                                     from encoding/json+
-        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
-        encoding/base64                                              from encoding/json+
-        encoding/binary                                              from compress/gzip+
-        encoding/hex                                                 from crypto/x509+
-        encoding/json                                                from expvar+
-        encoding/pem                                                 from crypto/tls+
-        errors                                                       from bufio+
-        expvar                                                       from tailscale.com/cmd/derper+
-        flag                                                         from tailscale.com/cmd/derper
-        fmt                                                          from compress/flate+
-        hash                                                         from crypto+
-        hash/crc32                                                   from compress/gzip+
-        hash/maphash                                                 from go4.org/mem
-        html                                                         from net/http/pprof+
-        io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from github.com/mitchellh/go-ps+
-        log                                                          from expvar+
-        math                                                         from compress/flate+
-        math/big                                                     from crypto/dsa+
-        math/bits                                                    from compress/flate+
-        math/rand                                                    from github.com/mdlayher/netlink+
-        mime                                                         from mime/multipart+
-        mime/multipart                                               from net/http
-        mime/quotedprintable                                         from mime/multipart
-        net                                                          from crypto/tls+
-        net/http                                                     from expvar+
-        net/http/httptrace                                           from net/http+
-        net/http/internal                                            from net/http
-        net/http/pprof                                               from tailscale.com/tsweb
-        net/netip                                                    from go4.org/netipx+
-        net/textproto                                                from golang.org/x/net/http/httpguts+
-        net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
-        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-        path                                                         from golang.org/x/crypto/acme/autocert+
-        path/filepath                                                from crypto/x509+
-        reflect                                                      from crypto/x509+
-        regexp                                                       from internal/profile+
-        regexp/syntax                                                from regexp
-        runtime/debug                                                from golang.org/x/crypto/acme+
-        runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof
-        sort                                                         from compress/flate+
-        strconv                                                      from compress/flate+
-        strings                                                      from bufio+
-        sync                                                         from compress/flate+
-        sync/atomic                                                  from context+
-        syscall                                                      from crypto/rand+
-        text/tabwriter                                               from runtime/pprof
-        time                                                         from compress/gzip+
-        unicode                                                      from bytes+
-        unicode/utf16                                                from crypto/x509+
-        unicode/utf8                                                 from bufio+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -14,22 +14,22 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"math"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"

-	"go4.org/mem"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/logpolicy"
 	"tailscale.com/metrics"
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
@@ -37,22 +37,21 @@ import (
 )

 var (
-	dev        = flag.Bool("dev", false, "run in localhost development mode")
-	addr       = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
-	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	configPath = flag.String("c", "", "config file path")
-	certMode   = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
-	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
-	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
-	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
-	runDERP    = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
+	dev           = flag.Bool("dev", false, "run in localhost development mode")
+	addr          = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
+	httpPort      = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	stunPort      = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	configPath    = flag.String("c", "", "config file path")
+	certMode      = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
+	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
+	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	runSTUN       = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")

-	meshPSKFile    = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith       = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS   = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	unpublishedDNS = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
-	verifyClients  = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
+	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+	bootstrapDNS  = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
+	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")

 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
@@ -98,7 +97,7 @@ func loadConfig() config {
 		}
 		log.Printf("no config path specified; using %s", *configPath)
 	}
-	b, err := os.ReadFile(*configPath)
+	b, err := ioutil.ReadFile(*configPath)
 	switch {
 	case errors.Is(err, os.ErrNotExist):
 		return writeNewConfig()
@@ -136,6 +135,7 @@ func main() {
 	flag.Parse()

 	if *dev {
+		*logCollection = ""
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
 		tsweb.DevMode = true
@@ -146,6 +146,12 @@ func main() {
 		log.Fatalf("invalid server address: %v", err)
 	}

+	var logPol *logpolicy.Policy
+	if *logCollection != "" {
+		logPol = logpolicy.New(*logCollection)
+		log.SetOutput(logPol.Logtail)
+	}
+
 	cfg := loadConfig()

 	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"
@@ -154,7 +160,7 @@ func main() {
 	s.SetVerifyClient(*verifyClients)

 	if *meshPSKFile != "" {
-		b, err := os.ReadFile(*meshPSKFile)
+		b, err := ioutil.ReadFile(*meshPSKFile)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -171,15 +177,9 @@ func main() {
 	expvar.Publish("derp", s.ExpVar())

 	mux := http.NewServeMux()
-	if *runDERP {
-		derpHandler := derphttp.Handler(s)
-		derpHandler = addWebSocketSupport(s, derpHandler)
-		mux.Handle("/derp", derpHandler)
-	} else {
-		mux.Handle("/derp", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			http.Error(w, "derp server disabled", http.StatusNotFound)
-		}))
-	}
+	derpHandler := derphttp.Handler(s)
+	derpHandler = addWebSocketSupport(s, derpHandler)
+	mux.Handle("/derp", derpHandler)
 	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
 	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
@@ -195,17 +195,10 @@ func main() {
  server.
 </p>
 `)
-		if !*runDERP {
-			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
-		}
 		if tsweb.AllowDebugAccess(r) {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
-	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		io.WriteString(w, "User-agent: *\nDisallow: /\n")
-	}))
-	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
 	debug := tsweb.Debugger(mux)
 	debug.KV("TLS hostname", *hostname)
 	debug.KV("Mesh key", s.HasMeshKey())
@@ -223,11 +216,9 @@ func main() {
 		go serveSTUN(listenHost, *stunPort)
 	}

-	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
-		Addr:     *addr,
-		Handler:  mux,
-		ErrorLog: quietLogger,
+		Addr:    *addr,
+		Handler: mux,

 		// Set read/write timeout. For derper, this basically
 		// only affects TLS setup, as read/write deadlines are
@@ -293,13 +284,9 @@ func main() {
 		})
 		if *httpPort > -1 {
 			go func() {
-				port80mux := http.NewServeMux()
-				port80mux.HandleFunc("/generate_204", serveNoContent)
-				port80mux.Handle("/", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 				port80srv := &http.Server{
 					Addr:        net.JoinHostPort(listenHost, fmt.Sprintf("%d", *httpPort)),
-					Handler:     port80mux,
-					ErrorLog:    quietLogger,
+					Handler:     certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}),
 					ReadTimeout: 30 * time.Second,
 					// Crank up WriteTimeout a bit more than usually
 					// necessary just so we can do long CPU profiles
@@ -325,11 +312,6 @@ func main() {
 	}
 }

-// For captive portal detection
-func serveNoContent(w http.ResponseWriter, r *http.Request) {
-	w.WriteHeader(http.StatusNoContent)
-}
-
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {
@@ -383,8 +365,7 @@ func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
 		} else {
 			stunIPv6.Add(1)
 		}
-		addr, _ := netip.AddrFromSlice(ua.IP)
-		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
+		res := stun.Response(txid, ua.IP, uint16(ua.Port))
 		_, err = pc.WriteTo(res, ua)
 		if err != nil {
 			stunWriteError.Add(1)
@@ -475,22 +456,3 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	l.numAccepts.Add(1)
 	return cn, nil
 }
-
-// logFilter is used to filter out useless error logs that are logged to
-// the net/http.Server.ErrorLog logger.
-type logFilter struct{}
-
-func (logFilter) Write(p []byte) (int, error) {
-	b := mem.B(p)
-	if mem.HasSuffix(b, mem.S(": EOF\n")) ||
-		mem.HasSuffix(b, mem.S(": i/o timeout\n")) ||
-		mem.HasSuffix(b, mem.S(": read: connection reset by peer\n")) ||
-		mem.HasSuffix(b, mem.S(": remote error: tls: bad certificate\n")) ||
-		mem.HasSuffix(b, mem.S(": tls: first record does not look like a TLS handshake\n")) {
-		// Skip this log message, but say that we processed it
-		return len(p), nil
-	}
-
-	log.Printf("%s", p)
-	return len(p), nil
-}
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -13,6 +13,7 @@ import (

 	"nhooyr.io/websocket"
 	"tailscale.com/derp"
+	"tailscale.com/derp/wsconn"
 )

 var counterWebSocketAccepts = expvar.NewInt("derp_websocket_accepts")
@@ -33,12 +34,6 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 			Subprotocols:   []string{"derp"},
 			OriginPatterns: []string{"*"},
-			// Disable compression because we transmit WireGuard messages that
-			// are not compressible.
-			// Additionally, Safari has a broken implementation of compression
-			// (see https://github.com/nhooyr/websocket/issues/218) that makes
-			// enabling it actively harmful.
-			CompressionMode: websocket.CompressionDisabled,
 		})
 		if err != nil {
 			log.Printf("websocket.Accept: %v", err)
@@ -50,8 +45,8 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 			return
 		}
 		counterWebSocketAccepts.Add(1)
-		wc := websocket.NetConn(r.Context(), c, websocket.MessageBinary)
+		wc := wsconn.New(c)
 		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
-		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
+		s.Accept(wc, brw, r.RemoteAddr)
 	})
 }
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -360,7 +360,7 @@ func probeUDP(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (la
 				time.Sleep(100 * time.Millisecond)
 				continue
 			}
-			txBack, _, err := stun.ParseResponse(buf[:n])
+			txBack, _, _, err := stun.ParseResponse(buf[:n])
 			if err != nil {
 				return 0, fmt.Errorf("parsing STUN response from %v: %v", ip, err)
 			}
--- a/cmd/gitops-pusher/.gitignore
+++ b/cmd/gitops-pusher/.gitignore
@@ -1 +0,0 @@
-version-cache.json
--- a/cmd/gitops-pusher/README.md
+++ b/cmd/gitops-pusher/README.md
@@ -1,48 +0,0 @@
-# gitops-pusher
-
-This is a small tool to help people achieve a
-[GitOps](https://about.gitlab.com/topics/gitops/) workflow with Tailscale ACL
-changes. This tool is intended to be used in a CI flow that looks like this:
-
-```yaml
-name: Tailscale ACL syncing
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-
-jobs:
-  acls:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-      
-      - name: Setup Go environment
-        uses: actions/setup-go@v3.2.0
-        
-      - name: Install gitops-pusher
-        run: go install tailscale.com/cmd/gitops-pusher@latest
-              
-      - name: Deploy ACL
-        if: github.event_name == 'push'
-        env:
-          TS_API_KEY: ${{ secrets.TS_API_KEY }}
-          TS_TAILNET: ${{ secrets.TS_TAILNET }}
-        run: |
-          ~/go/bin/gitops-pusher --policy-file ./policy.hujson apply
-
-      - name: ACL tests
-        if: github.event_name == 'pull_request'
-        env:
-          TS_API_KEY: ${{ secrets.TS_API_KEY }}
-          TS_TAILNET: ${{ secrets.TS_TAILNET }}
-        run: |
-          ~/go/bin/gitops-pusher --policy-file ./policy.hujson test
-```
-
-Change the value of the `--policy-file` flag to point to the policy file on
-disk. Policy files should be in [HuJSON](https://github.com/tailscale/hujson)
-format.
--- a/cmd/gitops-pusher/cache.go
+++ b/cmd/gitops-pusher/cache.go
@@ -1,67 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"encoding/json"
-	"os"
-)
-
-// Cache contains cached information about the last time this tool was run.
-//
-// This is serialized to a JSON file that should NOT be checked into git.
-// It should be managed with either CI cache tools or stored locally somehow. The
-// exact mechanism is irrelevant as long as it is consistent.
-//
-// This allows gitops-pusher to detect external ACL changes. I'm not sure what to
-// call this problem, so I've been calling it the "three version problem" in my
-// notes. The basic problem is that at any given time we only have two versions
-// of the ACL file at any given point. In order to check if there has been
-// tampering of the ACL files in the admin panel, we need to have a _third_ version
-// to compare against.
-//
-// In this case I am not storing the old ACL entirely (though that could be a
-// reasonable thing to add in the future), but only its sha256sum. This allows
-// us to detect if the shasum in control matches the shasum we expect, and if that
-// expectation fails, then we can react accordingly.
-type Cache struct {
-	PrevETag string // Stores the previous ETag of the ACL to allow
-}
-
-// Save persists the cache to a given file.
-func (c *Cache) Save(fname string) error {
-	os.Remove(fname)
-	fout, err := os.Create(fname)
-	if err != nil {
-		return err
-	}
-	defer fout.Close()
-
-	return json.NewEncoder(fout).Encode(c)
-}
-
-// LoadCache loads the cache from a given file.
-func LoadCache(fname string) (*Cache, error) {
-	var result Cache
-
-	fin, err := os.Open(fname)
-	if err != nil {
-		return nil, err
-	}
-	defer fin.Close()
-
-	err = json.NewDecoder(fin).Decode(&result)
-	if err != nil {
-		return nil, err
-	}
-
-	return &result, nil
-}
-
-// Shuck removes the first and last character of a string, analogous to
-// shucking off the husk of an ear of corn.
-func Shuck(s string) string {
-	return s[1 : len(s)-1]
-}
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -1,370 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Command gitops-pusher allows users to use a GitOps flow for managing Tailscale ACLs.
-//
-// See README.md for more details.
-package main
-
-import (
-	"bytes"
-	"context"
-	"crypto/sha256"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"regexp"
-	"strings"
-	"time"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"github.com/tailscale/hujson"
-)
-
-var (
-	rootFlagSet  = flag.NewFlagSet("gitops-pusher", flag.ExitOnError)
-	policyFname  = rootFlagSet.String("policy-file", "./policy.hujson", "filename for policy file")
-	cacheFname   = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash")
-	timeout      = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
-	githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
-)
-
-func modifiedExternallyError() {
-	if *githubSyntax {
-		fmt.Printf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname)
-	} else {
-		fmt.Printf("The policy file was modified externally in the admin console.\n")
-	}
-}
-
-func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming local file is correct and recording that")
-			cache.PrevETag = localEtag
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-		log.Printf("cache:   %s", cache.PrevETag)
-
-		if cache.PrevETag != controlEtag {
-			modifiedExternallyError()
-		}
-
-		if controlEtag == localEtag {
-			cache.PrevETag = localEtag
-			log.Println("no update needed, doing nothing")
-			return nil
-		}
-
-		if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil {
-			return err
-		}
-
-		cache.PrevETag = localEtag
-
-		return nil
-	}
-}
-
-func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming local file is correct and recording that")
-			cache.PrevETag = localEtag
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-		log.Printf("cache:   %s", cache.PrevETag)
-
-		if cache.PrevETag != controlEtag {
-			modifiedExternallyError()
-		}
-
-		if controlEtag == localEtag {
-			log.Println("no updates found, doing nothing")
-			return nil
-		}
-
-		if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-func getChecksums(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming local file is correct and recording that")
-			cache.PrevETag = Shuck(localEtag)
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-		log.Printf("cache:   %s", cache.PrevETag)
-
-		return nil
-	}
-}
-
-func main() {
-	tailnet, ok := os.LookupEnv("TS_TAILNET")
-	if !ok {
-		log.Fatal("set envvar TS_TAILNET to your tailnet's name")
-	}
-	apiKey, ok := os.LookupEnv("TS_API_KEY")
-	if !ok {
-		log.Fatal("set envvar TS_API_KEY to your Tailscale API key")
-	}
-	cache, err := LoadCache(*cacheFname)
-	if err != nil {
-		if os.IsNotExist(err) {
-			cache = &Cache{}
-		} else {
-			log.Fatalf("error loading cache: %v", err)
-		}
-	}
-	defer cache.Save(*cacheFname)
-
-	applyCmd := &ffcli.Command{
-		Name:       "apply",
-		ShortUsage: "gitops-pusher [options] apply",
-		ShortHelp:  "Pushes changes to CONTROL",
-		LongHelp:   `Pushes changes to CONTROL`,
-		Exec:       apply(cache, tailnet, apiKey),
-	}
-
-	testCmd := &ffcli.Command{
-		Name:       "test",
-		ShortUsage: "gitops-pusher [options] test",
-		ShortHelp:  "Tests ACL changes",
-		LongHelp:   "Tests ACL changes",
-		Exec:       test(cache, tailnet, apiKey),
-	}
-
-	cksumCmd := &ffcli.Command{
-		Name:       "checksum",
-		ShortUsage: "Shows checksums of ACL files",
-		ShortHelp:  "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		LongHelp:   "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		Exec:       getChecksums(cache, tailnet, apiKey),
-	}
-
-	root := &ffcli.Command{
-		ShortUsage:  "gitops-pusher [options] <command>",
-		ShortHelp:   "Push Tailscale ACLs to CONTROL using a GitOps workflow",
-		Subcommands: []*ffcli.Command{applyCmd, cksumCmd, testCmd},
-		FlagSet:     rootFlagSet,
-	}
-
-	if err := root.Parse(os.Args[1:]); err != nil {
-		log.Fatal(err)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), *timeout)
-	defer cancel()
-
-	if err := root.Run(ctx); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
-}
-
-func sumFile(fname string) (string, error) {
-	data, err := os.ReadFile(fname)
-	if err != nil {
-		return "", err
-	}
-
-	formatted, err := hujson.Format(data)
-	if err != nil {
-		return "", err
-	}
-
-	h := sha256.New()
-	_, err = h.Write(formatted)
-	if err != nil {
-		return "", err
-	}
-
-	return fmt.Sprintf("%x", h.Sum(nil)), nil
-}
-
-func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error {
-	fin, err := os.Open(policyFname)
-	if err != nil {
-		return err
-	}
-	defer fin.Close()
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl", tailnet), fin)
-	if err != nil {
-		return err
-	}
-
-	req.SetBasicAuth(apiKey, "")
-	req.Header.Set("Content-Type", "application/hujson")
-	req.Header.Set("If-Match", `"`+oldEtag+`"`)
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	got := resp.StatusCode
-	want := http.StatusOK
-	if got != want {
-		var ate ACLTestError
-		err := json.NewDecoder(resp.Body).Decode(&ate)
-		if err != nil {
-			return err
-		}
-
-		return ate
-	}
-
-	return nil
-}
-
-func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error {
-	data, err := os.ReadFile(policyFname)
-	if err != nil {
-		return err
-	}
-	data, err = hujson.Standardize(data)
-	if err != nil {
-		return err
-	}
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), bytes.NewBuffer(data))
-	if err != nil {
-		return err
-	}
-
-	req.SetBasicAuth(apiKey, "")
-	req.Header.Set("Content-Type", "application/hujson")
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	var ate ACLTestError
-	err = json.NewDecoder(resp.Body).Decode(&ate)
-	if err != nil {
-		return err
-	}
-
-	if len(ate.Message) != 0 || len(ate.Data) != 0 {
-		return ate
-	}
-
-	got := resp.StatusCode
-	want := http.StatusOK
-	if got != want {
-		return fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
-	}
-
-	return nil
-}
-
-var lineColMessageSplit = regexp.MustCompile(`line ([0-9]+), column ([0-9]+): (.*)$`)
-
-type ACLTestError struct {
-	Message string               `json:"message"`
-	Data    []ACLTestErrorDetail `json:"data"`
-}
-
-func (ate ACLTestError) Error() string {
-	var sb strings.Builder
-
-	if *githubSyntax && lineColMessageSplit.MatchString(ate.Message) {
-		sp := lineColMessageSplit.FindStringSubmatch(ate.Message)
-
-		line := sp[1]
-		col := sp[2]
-		msg := sp[3]
-
-		fmt.Fprintf(&sb, "::error file=%s,line=%s,col=%s::%s", *policyFname, line, col, msg)
-	} else {
-		fmt.Fprintln(&sb, ate.Message)
-	}
-	fmt.Fprintln(&sb)
-
-	for _, data := range ate.Data {
-		fmt.Fprintf(&sb, "For user %s:\n", data.User)
-		for _, err := range data.Errors {
-			fmt.Fprintf(&sb, "- %s\n", err)
-		}
-	}
-
-	return sb.String()
-}
-
-type ACLTestErrorDetail struct {
-	User   string   `json:"user"`
-	Errors []string `json:"errors"`
-}
-
-func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl", tailnet), nil)
-	if err != nil {
-		return "", err
-	}
-
-	req.SetBasicAuth(apiKey, "")
-	req.Header.Set("Accept", "application/hujson")
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
-
-	got := resp.StatusCode
-	want := http.StatusOK
-	if got != want {
-		return "", fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
-	}
-
-	return Shuck(resp.Header.Get("ETag")), nil
-}
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -13,6 +13,7 @@ import (
 	"errors"
 	"flag"
 	"html/template"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -105,7 +106,7 @@ func devMode() bool { return *httpsAddr == "" && *httpAddr != "" }

 func getTmpl() (*template.Template, error) {
 	if devMode() {
-		tmplData, err := os.ReadFile("hello.tmpl.html")
+		tmplData, err := ioutil.ReadFile("hello.tmpl.html")
 		if os.IsNotExist(err) {
 			log.Printf("using baked-in template in dev mode; can't find hello.tmpl.html in current directory")
 			return tmpl, nil
@@ -134,13 +135,13 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 		return ""
 	}
 	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.Addr().Is4() && nodeIP.IsSingleIP() {
-			return nodeIP.Addr().String()
+		if nodeIP.IP().Is4() && nodeIP.IsSingleIP() {
+			return nodeIP.IP().String()
 		}
 	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.IsSingleIP() {
-			return nodeIP.Addr().String()
+			return nodeIP.IP().String()
 		}
 	}
 	return ""
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@@ -63,19 +63,17 @@ func main() {
 			return
 		}

-		// tailnet of connected node. When accessing shared nodes, this
-		// will be empty because the tailnet of the sharee is not exposed.
-		var tailnet string
-
-		if !info.Node.Hostinfo.ShareeNode() {
-			var ok bool
-			_, tailnet, ok = strings.Cut(info.Node.Name, info.Node.ComputedName+".")
-			if !ok {
-				w.WriteHeader(http.StatusUnauthorized)
-				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-				return
-			}
-			tailnet = strings.TrimSuffix(tailnet, ".beta.tailscale.net")
+		_, tailnet, ok := strings.Cut(info.Node.Name, info.Node.ComputedName+".")
+		if !ok {
+			w.WriteHeader(http.StatusUnauthorized)
+			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+			return
+		}
+		tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
+		if !ok {
+			w.WriteHeader(http.StatusUnauthorized)
+			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+			return
 		}

 		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
--- a/cmd/printdep/printdep.go
+++ b/cmd/printdep/printdep.go
@@ -19,15 +19,10 @@ import (
 var (
 	goToolchain    = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
 	goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
-	alpine         = flag.Bool("alpine", false, "print the tag of alpine docker image")
 )

 func main() {
 	flag.Parse()
-	if *alpine {
-		fmt.Println(strings.TrimSpace(ts.AlpineDockerTag))
-		return
-	}
 	if *goToolchain {
 		fmt.Println(strings.TrimSpace(ts.GoToolchainRev))
 	}
--- a/cmd/proxy-to-grafana/proxy-to-grafana.go
+++ b/cmd/proxy-to-grafana/proxy-to-grafana.go
@@ -14,14 +14,14 @@
 //
 // Use this Grafana configuration to enable the auth proxy:
 //
-//	[auth.proxy]
-//	enabled = true
-//	header_name = X-WEBAUTH-USER
-//	header_property = username
-//	auto_sign_up = true
-//	whitelist = 127.0.0.1
-//	headers = Name:X-WEBAUTH-NAME
-//	enable_login_token = true
+//     [auth.proxy]
+//     enabled = true
+//     header_name = X-WEBAUTH-USER
+//     header_property = username
+//     auto_sign_up = true
+//     whitelist = 127.0.0.1
+//     headers = Name:X-WEBAUTH-NAME
+//     enable_login_token = true
 package main

 import (
@@ -62,12 +62,6 @@ func main() {
 		Hostname: *hostname,
 	}

-	// TODO(bradfitz,maisem): move this to a method on tsnet.Server probably.
-	if err := ts.Start(); err != nil {
-		log.Fatalf("Error starting tsnet.Server: %v", err)
-	}
-	localClient, _ := ts.LocalClient()
-
 	url, err := url.Parse(fmt.Sprintf("http://%s", *backendAddr))
 	if err != nil {
 		log.Fatalf("couldn't parse backend address: %v", err)
@@ -77,20 +71,20 @@ func main() {
 	originalDirector := proxy.Director
 	proxy.Director = func(req *http.Request) {
 		originalDirector(req)
-		modifyRequest(req, localClient)
+		modifyRequest(req)
 	}

 	var ln net.Listener
 	if *useHTTPS {
 		ln, err = ts.Listen("tcp", ":443")
 		ln = tls.NewListener(ln, &tls.Config{
-			GetCertificate: localClient.GetCertificate,
+			GetCertificate: tailscale.GetCertificate,
 		})

 		go func() {
 			// wait for tailscale to start before trying to fetch cert names
 			for i := 0; i < 60; i++ {
-				st, err := localClient.Status(context.Background())
+				st, err := tailscale.Status(context.Background())
 				if err != nil {
 					log.Printf("error retrieving tailscale status; retrying: %v", err)
 				} else {
@@ -106,7 +100,7 @@ func main() {
 			if err != nil {
 				log.Fatal(err)
 			}
-			name, ok := localClient.ExpandSNIName(context.Background(), *hostname)
+			name, ok := tailscale.ExpandSNIName(context.Background(), *hostname)
 			if !ok {
 				log.Fatalf("can't get hostname for https redirect")
 			}
@@ -126,14 +120,14 @@ func main() {
 	log.Fatal(http.Serve(ln, proxy))
 }

-func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
+func modifyRequest(req *http.Request) {
 	// with enable_login_token set to true, we get a cookie that handles
 	// auth for paths that are not /login
 	if req.URL.Path != "/login" {
 		return
 	}

-	user, err := getTailscaleUser(req.Context(), localClient, req.RemoteAddr)
+	user, err := getTailscaleUser(req.Context(), req.RemoteAddr)
 	if err != nil {
 		log.Printf("error getting Tailscale user: %v", err)
 		return
@@ -143,8 +137,8 @@ func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
 	req.Header.Set("X-Webauth-Name", user.DisplayName)
 }

-func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, ipPort string) (*tailcfg.UserProfile, error) {
-	whois, err := localClient.WhoIs(ctx, ipPort)
+func getTailscaleUser(ctx context.Context, ipPort string) (*tailcfg.UserProfile, error) {
+	whois, err := tailscale.WhoIs(ctx, ipPort)
 	if err != nil {
 		return nil, fmt.Errorf("failed to identify remote host: %w", err)
 	}
--- a/cmd/speedtest/speedtest.go
+++ b/cmd/speedtest/speedtest.go
@@ -110,12 +110,11 @@ func runSpeedtest(ctx context.Context, args []string) error {
 	w := tabwriter.NewWriter(os.Stdout, 12, 0, 0, ' ', tabwriter.TabIndent)
 	fmt.Println("Results:")
 	fmt.Fprintln(w, "Interval\t\tTransfer\t\tBandwidth\t\t")
-	startTime := results[0].IntervalStart
 	for _, r := range results {
 		if r.Total {
 			fmt.Fprintln(w, "-------------------------------------------------------------------------")
 		}
-		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Sub(startTime).Seconds(), r.IntervalEnd.Sub(startTime).Seconds(), r.MegaBits(), r.MBitsPerSecond())
+		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Seconds(), r.IntervalEnd.Seconds(), r.MegaBits(), r.MBitsPerSecond())
 	}
 	w.Flush()
 	return nil
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -9,6 +9,7 @@ import (
 	"errors"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )

 var bugReportCmd = &ffcli.Command{
@@ -27,7 +28,7 @@ func runBugReport(ctx context.Context, args []string) error {
 	default:
 		return errors.New("unknown argumets")
 	}
-	logMarker, err := localClient.BugReport(ctx, note)
+	logMarker, err := tailscale.BugReport(ctx, note)
 	if err != nil {
 		return err
 	}
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -17,6 +17,7 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/atomicfile"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/version"
 )
@@ -29,7 +30,7 @@ var certCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
+		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
 		return fs
 	})(),
@@ -45,11 +46,11 @@ func runCert(ctx context.Context, args []string) error {
 	if certArgs.serve {
 		s := &http.Server{
 			TLSConfig: &tls.Config{
-				GetCertificate: localClient.GetCertificate,
+				GetCertificate: tailscale.GetCertificate,
 			},
 			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
-					if v, ok := localClient.ExpandSNIName(r.Context(), r.Host); ok {
+					if v, ok := tailscale.ExpandSNIName(r.Context(), r.Host); ok {
 						http.Redirect(w, r, "https://"+v+r.URL.Path, http.StatusTemporaryRedirect)
 						return
 					}
@@ -63,7 +64,7 @@ func runCert(ctx context.Context, args []string) error {

 	if len(args) != 1 {
 		var hint bytes.Buffer
-		if st, err := localClient.Status(ctx); err == nil {
+		if st, err := tailscale.Status(ctx); err == nil {
 			if st.BackendState != ipn.Running.String() {
 				fmt.Fprintf(&hint, "\nTailscale is not running.\n")
 			} else if len(st.CertDomains) == 0 {
@@ -89,7 +90,7 @@ func runCert(ctx context.Context, args []string) error {
 		certArgs.certFile = domain + ".crt"
 		certArgs.keyFile = domain + ".key"
 	}
-	certPEM, keyPEM, err := localClient.CertPair(ctx, domain)
+	certPEM, keyPEM, err := tailscale.CertPair(ctx, domain)
 	if err != nil {
 		return err
 	}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -29,6 +29,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
+	"tailscale.com/syncs"
 	"tailscale.com/version/distro"
 )

@@ -124,12 +125,8 @@ func CleanUpArgs(args []string) []string {
 	return out
 }

-var localClient tailscale.LocalClient
-
 // Run runs the CLI. The args do not include the binary name.
 func Run(args []string) (err error) {
-	args = CleanUpArgs(args)
-
 	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
 		args = []string{"version"}
 	}
@@ -169,8 +166,6 @@ change in the future.
 			fileCmd,
 			bugReportCmd,
 			certCmd,
-			netlockCmd,
-			licensesCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
@@ -198,10 +193,10 @@ change in the future.
 		return err
 	}

-	localClient.Socket = rootArgs.socket
+	tailscale.TailscaledSocket = rootArgs.socket
 	rootfs.Visit(func(f *flag.Flag) {
 		if f.Name == "socket" {
-			localClient.UseSocketOnly = true
+			tailscale.TailscaledSocketSetExplicitly = true
 		}
 	})

@@ -231,6 +226,8 @@ var rootArgs struct {
 	socket string
 }

+var gotSignal syncs.AtomicBool
+
 func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
 	s := safesocket.DefaultConnectionStrategy(rootArgs.socket)
 	c, err := safesocket.Connect(s)
@@ -256,6 +253,7 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 			signal.Reset(syscall.SIGINT, syscall.SIGTERM)
 			return
 		}
+		gotSignal.Set(true)
 		c.Close()
 		cancel()
 	}()
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -9,13 +9,13 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"net/netip"
 	"reflect"
 	"strings"
 	"testing"

 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tstest"
@@ -56,7 +56,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		flags    []string // argv to be parsed by FlagSet
 		curPrefs *ipn.Prefs

-		curExitNodeIP netip.Addr
+		curExitNodeIP netaddr.IP
 		curUser       string // os.Getenv("USER") on the client side
 		goos          string // empty means "linux"
 		distro        distro.Distro
@@ -152,10 +152,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-routes=10.0.42.0/24 --advertise-exit-node",
@@ -168,10 +168,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: "",
@@ -184,10 +184,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: "",
@@ -212,8 +212,8 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,

-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -226,10 +226,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -255,16 +255,16 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
-				ExitNodeIP:       netip.MustParseAddr("100.64.5.6"),
+				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
 				CorpDNS:          false,
 				ShieldsUp:        true,
 				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
 				Hostname:         "myhostname",
 				ForceDaemon:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.0.0/16"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterNoDivert,
 				OperatorUser:  "alice",
@@ -280,14 +280,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
-				ExitNodeIP:       netip.MustParseAddr("100.64.5.6"),
+				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
 				CorpDNS:          false,
 				ShieldsUp:        true,
 				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
 				Hostname:         "myhostname",
 				ForceDaemon:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
 				},
 				NetfilterMode: preftype.NetfilterNoDivert,
 				OperatorUser:  "alice",
@@ -344,10 +344,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --operator=expbits --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -360,10 +360,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-routes=1.2.0.0/16 --operator=expbits --advertise-exit-node",
@@ -391,14 +391,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,

-				ExitNodeIP: netip.MustParseAddr("100.64.5.4"),
+				ExitNodeIP: netaddr.MustParseIP("100.64.5.4"),
 			},
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.4",
 		},
 		{
 			name:          "error_exit_node_omit_with_id_pref",
 			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netip.MustParseAddr("100.64.5.7"),
+			curExitNodeIP: netaddr.MustParseIP("100.64.5.7"),
 			curPrefs: &ipn.Prefs{
 				ControlURL:       ipn.DefaultControlURL,
 				AllowSingleHosts: true,
@@ -412,7 +412,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		{
 			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
 			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
+			curExitNodeIP: netaddr.MustParseIP("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
 				ControlURL:       ipn.DefaultControlURL,
 				AllowSingleHosts: true,
@@ -493,16 +493,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			upEnv := upCheckEnv{
+			applyImplicitPrefs(newPrefs, tt.curPrefs, tt.curUser)
+			var got string
+			if err := checkForAccidentalSettingReverts(newPrefs, tt.curPrefs, upCheckEnv{
 				goos:          goos,
 				flagSet:       flagSet,
 				curExitNodeIP: tt.curExitNodeIP,
 				distro:        tt.distro,
-				user:          tt.curUser,
-			}
-			applyImplicitPrefs(newPrefs, tt.curPrefs, upEnv)
-			var got string
-			if err := checkForAccidentalSettingReverts(newPrefs, tt.curPrefs, upEnv); err != nil {
+			}); err != nil {
 				got = err.Error()
 			}
 			if strings.TrimSpace(got) != tt.want {
@@ -562,9 +560,9 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				WantRunning:      true,
 				AllowSingleHosts: true,
 				CorpDNS:          true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterOn,
 			},
@@ -631,7 +629,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				exitNodeIP: "100.105.106.107",
 			},
 			st: &ipnstate.Status{
-				TailscaleIPs: []netip.Addr{netip.MustParseAddr("100.105.106.107")},
+				TailscaleIPs: []netaddr.IP{netaddr.MustParseIP("100.105.106.107")},
 			},
 			wantErr: `cannot use 100.105.106.107 as an exit node as it is a local IP address to this machine; did you mean --advertise-exit-node?`,
 		},
@@ -666,13 +664,13 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a::bb:10.0.0.0/112",
-				netfilterMode:   "off",
+				netfilterMode: "off",
 			},
 			want: &ipn.Prefs{
-				WantRunning: true,
-				NoSNAT:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
+				WantRunning:   true,
+				NoSNAT:        true,
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
 				},
 			},
 		},
@@ -681,7 +679,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a::/64",
-				netfilterMode:   "off",
+				netfilterMode: "off",
 			},
 			wantErr: "fd7a:115c:a1e0:b1a::/64 4-in-6 prefix must be at least a /96",
 		},
@@ -690,7 +688,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a:1234:5678::/112",
-				netfilterMode:   "off",
+				netfilterMode: "off",
 			},
 			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xff or less",
 		},
@@ -762,9 +760,6 @@ func TestPrefFlagMapping(t *testing.T) {
 		case "NotepadURLs":
 			// TODO(bradfitz): https://github.com/tailscale/tailscale/issues/1830
 			continue
-		case "Egg":
-			// Not applicable.
-			continue
 		}
 		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
 	}
@@ -789,14 +784,6 @@ func TestUpdatePrefs(t *testing.T) {
 		curPrefs *ipn.Prefs
 		env      upCheckEnv // empty goos means "linux"

-		// sshOverTailscale specifies if the cmd being run over SSH over Tailscale.
-		// It is used to test the --accept-risks flag.
-		sshOverTailscale bool
-
-		// checkUpdatePrefsMutations, if non-nil, is run with the new prefs after
-		// updatePrefs might've mutated them (from applyImplicitPrefs).
-		checkUpdatePrefsMutations func(t *testing.T, newPrefs *ipn.Prefs)
-
 		wantSimpleUp   bool
 		wantJustEditMP *ipn.MaskedPrefs
 		wantErrSubtr   string
@@ -898,181 +885,15 @@ func TestUpdatePrefs(t *testing.T) {
 			},
 			env: upCheckEnv{backendState: "Running"},
 		},
-		{
-			// Issue 3808: explicitly empty --operator= should clear value.
-			name:  "explicit_empty_operator",
-			flags: []string{"--operator="},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				CorpDNS:          true,
-				AllowSingleHosts: true,
-				NetfilterMode:    preftype.NetfilterOn,
-				OperatorUser:     "somebody",
-			},
-			env: upCheckEnv{user: "somebody", backendState: "Running"},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				OperatorUserSet: true,
-				WantRunningSet:  true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, prefs *ipn.Prefs) {
-				if prefs.OperatorUser != "" {
-					t.Errorf("operator sent to backend should be empty; got %q", prefs.OperatorUser)
-				}
-			},
-		},
-		{
-			name:  "enable_ssh",
-			flags: []string{"--ssh"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			name:  "disable_ssh",
-			flags: []string{"--ssh=false"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RunSSH:           true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to false")
-				}
-			},
-			env: upCheckEnv{backendState: "Running", upArgs: upArgsT{
-				runSSH: true,
-			}},
-		},
-		{
-			name:             "disable_ssh_over_ssh_no_risk",
-			flags:            []string{"--ssh=false"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				RunSSH:           true,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "enable_ssh_over_ssh_no_risk",
-			flags:            []string{"--ssh=true"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "enable_ssh_over_ssh",
-			flags:            []string{"--ssh=true", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			name:             "disable_ssh_over_ssh",
-			flags:            []string{"--ssh=false", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RunSSH:           true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to false")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.sshOverTailscale {
-				old := getSSHClientEnvVar
-				getSSHClientEnvVar = func() string { return "100.100.100.100 1 1" }
-				t.Cleanup(func() { getSSHClientEnvVar = old })
-			}
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"
 			}
 			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs)
 			flags := CleanUpArgs(tt.flags)
-			if err := tt.env.flagSet.Parse(flags); err != nil {
-				t.Fatal(err)
-			}
+			tt.env.flagSet.Parse(flags)

 			newPrefs, err := prefsFromUpArgs(tt.env.upArgs, t.Logf, new(ipnstate.Status), tt.env.goos)
 			if err != nil {
@@ -1087,11 +908,6 @@ func TestUpdatePrefs(t *testing.T) {
 					return
 				}
 				t.Fatal(err)
-			} else if tt.wantErrSubtr != "" {
-				t.Fatalf("want error %q, got nil", tt.wantErrSubtr)
-			}
-			if tt.checkUpdatePrefsMutations != nil {
-				tt.checkUpdatePrefsMutations(t, newPrefs)
 			}
 			if simpleUp != tt.wantSimpleUp {
 				t.Fatalf("simpleUp=%v, want %v", simpleUp, tt.wantSimpleUp)
@@ -1102,19 +918,14 @@ func TestUpdatePrefs(t *testing.T) {
 				justEditMP.Prefs = ipn.Prefs{} // uninteresting
 			}
 			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", asJSON(oldEditPrefs))
+				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was %+v", oldEditPrefs)
 				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
 			}
 		})
 	}
 }

-func asJSON(v any) string {
-	b, _ := json.MarshalIndent(v, "", "\t")
-	return string(b)
-}
-
-var cmpIP = cmp.Comparer(func(a, b netip.Addr) bool {
+var cmpIP = cmp.Comparer(func(a, b netaddr.IP) bool {
 	return a == b
 })

--- a/cmd/tailscale/cli/configure-host.go
+++ b/cmd/tailscale/cli/configure-host.go
@@ -48,11 +48,11 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if uid := os.Getuid(); uid != 0 {
 		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
 	}
-	hi:= hostinfo.New()
-	isDSM6 := strings.HasPrefix(hi.DistroVersion, "6.")
-	isDSM7 := strings.HasPrefix(hi.DistroVersion, "7.")
+	osVer := hostinfo.GetOSVersion()
+	isDSM6 := strings.HasPrefix(osVer, "Synology 6")
+	isDSM7 := strings.HasPrefix(osVer, "Synology 7")
 	if !isDSM6 && !isDSM7 {
-		return fmt.Errorf("unsupported DSM version %q", hi.DistroVersion)
+		return fmt.Errorf("unsupported DSM version %q", osVer)
 	}
 	if _, err := os.Stat("/dev/net/tun"); os.IsNotExist(err) {
 		if err := os.MkdirAll("/dev/net", 0755); err != nil {
@@ -62,14 +62,11 @@ func runConfigureHost(ctx context.Context, args []string) error {
 			return fmt.Errorf("creating /dev/net/tun: %v, %s", err, out)
 		}
 	}
-	if err := os.Chmod("/dev/net", 0755); err != nil {
-		return err
-	}
 	if err := os.Chmod("/dev/net/tun", 0666); err != nil {
 		return err
 	}
 	if isDSM6 {
-		printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
+		fmt.Printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
 		return nil
 	}

@@ -83,6 +80,6 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if out, err := exec.Command("/bin/setcap", "cap_net_admin,cap_net_raw+eip", daemonBin).CombinedOutput(); err != nil {
 		return fmt.Errorf("setcap: %v, %s", err, out)
 	}
-	printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
+	fmt.Printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
 	return nil
 }
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -15,9 +15,6 @@ import (
 	"fmt"
 	"io"
 	"log"
-	"net"
-	"net/http"
-	"net/netip"
 	"os"
 	"runtime"
 	"strconv"
@@ -25,14 +22,13 @@ import (
 	"time"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/control/controlhttp"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 )

 var debugCmd = &ffcli.Command{
@@ -73,11 +69,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      runEnv,
 			ShortHelp: "print cmd/tailscale environment",
 		},
-		{
-			Name:      "stat",
-			Exec:      runStat,
-			ShortHelp: "stat a file",
-		},
 		{
 			Name:      "hostinfo",
 			Exec:      runHostinfo,
@@ -123,17 +114,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      runVia,
 			ShortHelp: "convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
 		},
-		{
-			Name:      "ts2021",
-			Exec:      runTS2021,
-			ShortHelp: "debug ts2021 protocol connectivity",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("ts2021")
-				fs.StringVar(&ts2021Args.host, "host", "controlplane.tailscale.com", "hostname of control plane")
-				fs.IntVar(&ts2021Args.version, "version", int(tailcfg.CurrentCapabilityVersion), "protocol version")
-				return fs
-			})(),
-		},
 	},
 }

@@ -170,7 +150,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if out := debugArgs.cpuFile; out != "" {
 		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing CPU profile for %v seconds ...", debugArgs.cpuSec)
-		if v, err := localClient.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
+		if v, err := tailscale.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -182,7 +162,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if out := debugArgs.memFile; out != "" {
 		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing memory profile ...")
-		if v, err := localClient.Profile(ctx, "heap", 0); err != nil {
+		if v, err := tailscale.Profile(ctx, "heap", 0); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -194,7 +174,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if debugArgs.file != "" {
 		usedFlag = true // TODO(bradfitz): add "file" subcommand
 		if debugArgs.file == "get" {
-			wfs, err := localClient.WaitingFiles(ctx)
+			wfs, err := tailscale.WaitingFiles(ctx)
 			if err != nil {
 				fatalf("%v\n", err)
 			}
@@ -205,9 +185,9 @@ func runDebug(ctx context.Context, args []string) error {
 		}
 		delete := strings.HasPrefix(debugArgs.file, "delete:")
 		if delete {
-			return localClient.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
+			return tailscale.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
 		}
-		rc, size, err := localClient.GetWaitingFile(ctx, debugArgs.file)
+		rc, size, err := tailscale.GetWaitingFile(ctx, debugArgs.file)
 		if err != nil {
 			return err
 		}
@@ -242,7 +222,7 @@ var prefsArgs struct {
 }

 func runPrefs(ctx context.Context, args []string) error {
-	prefs, err := localClient.GetPrefs(ctx)
+	prefs, err := tailscale.GetPrefs(ctx)
 	if err != nil {
 		return err
 	}
@@ -276,7 +256,7 @@ func runWatchIPN(ctx context.Context, args []string) error {
 }

 func runDERPMap(ctx context.Context, args []string) error {
-	dm, err := localClient.CurrentDERPMap(ctx)
+	dm, err := tailscale.CurrentDERPMap(ctx)
 	if err != nil {
 		return fmt.Errorf(
 			"failed to get local derp map, instead `curl %s/derpmap/default`: %w", ipn.DefaultControlURL, err,
@@ -293,7 +273,7 @@ func localAPIAction(action string) func(context.Context, []string) error {
 		if len(args) > 0 {
 			return errors.New("unexpected arguments")
 		}
-		return localClient.DebugAction(ctx, action)
+		return tailscale.DebugAction(ctx, action)
 	}
 }

@@ -304,28 +284,6 @@ func runEnv(ctx context.Context, args []string) error {
 	return nil
 }

-func runStat(ctx context.Context, args []string) error {
-	for _, a := range args {
-		fi, err := os.Lstat(a)
-		if err != nil {
-			printf("%s: %v\n", a, err)
-			continue
-		}
-		printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
-		if fi.IsDir() {
-			ents, _ := os.ReadDir(a)
-			for i, ent := range ents {
-				if i == 25 {
-					printf("  ...\n")
-					break
-				}
-				printf("  - %s\n", ent.Name())
-			}
-		}
-	}
-	return nil
-}
-
 func runHostinfo(ctx context.Context, args []string) error {
 	hi := hostinfo.New()
 	j, _ := json.MarshalIndent(hi, "", "  ")
@@ -334,7 +292,7 @@ func runHostinfo(ctx context.Context, args []string) error {
 }

 func runDaemonGoroutines(ctx context.Context, args []string) error {
-	goroutines, err := localClient.Goroutines(ctx)
+	goroutines, err := tailscale.Goroutines(ctx)
 	if err != nil {
 		return err
 	}
@@ -349,7 +307,7 @@ var metricsArgs struct {
 func runDaemonMetrics(ctx context.Context, args []string) error {
 	last := map[string]int64{}
 	for {
-		out, err := localClient.DaemonMetrics(ctx)
+		out, err := tailscale.DaemonMetrics(ctx)
 		if err != nil {
 			return err
 		}
@@ -404,23 +362,23 @@ func runVia(ctx context.Context, args []string) error {
 	default:
 		return errors.New("expect either <site-id> <v4-cidr> or <v6-route>")
 	case 1:
-		ipp, err := netip.ParsePrefix(args[0])
+		ipp, err := netaddr.ParseIPPrefix(args[0])
 		if err != nil {
 			return err
 		}
-		if !ipp.Addr().Is6() {
+		if !ipp.IP().Is6() {
 			return errors.New("with one argument, expect an IPv6 CIDR")
 		}
-		if !tsaddr.TailscaleViaRange().Contains(ipp.Addr()) {
+		if !tsaddr.TailscaleViaRange().Contains(ipp.IP()) {
 			return errors.New("not a via route")
 		}
 		if ipp.Bits() < 96 {
 			return errors.New("short length, want /96 or more")
 		}
-		v4 := tsaddr.UnmapVia(ipp.Addr())
-		a := ipp.Addr().As16()
+		v4 := tsaddr.UnmapVia(ipp.IP())
+		a := ipp.IP().As16()
 		siteID := binary.BigEndian.Uint32(a[8:12])
-		printf("site %v (0x%x), %v\n", siteID, siteID, netip.PrefixFrom(v4, ipp.Bits()-96))
+		fmt.Printf("site %v (0x%x), %v\n", siteID, siteID, netaddr.IPPrefixFrom(v4, ipp.Bits()-96))
 	case 2:
 		siteID, err := strconv.ParseUint(args[0], 0, 32)
 		if err != nil {
@@ -429,7 +387,7 @@ func runVia(ctx context.Context, args []string) error {
 		if siteID > 0xff {
 			return fmt.Errorf("site-id values over 255 are currently reserved")
 		}
-		ipp, err := netip.ParsePrefix(args[1])
+		ipp, err := netaddr.ParseIPPrefix(args[1])
 		if err != nil {
 			return err
 		}
@@ -437,79 +395,7 @@ func runVia(ctx context.Context, args []string) error {
 		if err != nil {
 			return err
 		}
-		outln(via)
+		fmt.Println(via)
 	}
 	return nil
 }
-
-var ts2021Args struct {
-	host    string // "controlplane.tailscale.com"
-	version int    // 27 or whatever
-}
-
-func runTS2021(ctx context.Context, args []string) error {
-	log.SetOutput(os.Stdout)
-	log.SetFlags(log.Ltime | log.Lmicroseconds)
-
-	machinePrivate := key.NewMachine()
-	var dialer net.Dialer
-
-	var keys struct {
-		PublicKey key.MachinePublic
-	}
-	keysURL := "https://" + ts2021Args.host + "/key?v=" + strconv.Itoa(ts2021Args.version)
-	log.Printf("Fetching keys from %s ...", keysURL)
-	req, err := http.NewRequestWithContext(ctx, "GET", keysURL, nil)
-	if err != nil {
-		return err
-	}
-	res, err := http.DefaultClient.Do(req)
-	if err != nil {
-		log.Printf("Do: %v", err)
-		return err
-	}
-	if res.StatusCode != 200 {
-		log.Printf("Status: %v", res.Status)
-		return errors.New(res.Status)
-	}
-	if err := json.NewDecoder(res.Body).Decode(&keys); err != nil {
-		log.Printf("JSON: %v", err)
-		return fmt.Errorf("decoding /keys JSON: %w", err)
-	}
-	res.Body.Close()
-
-	dialFunc := func(ctx context.Context, network, address string) (net.Conn, error) {
-		log.Printf("Dial(%q, %q) ...", network, address)
-		c, err := dialer.DialContext(ctx, network, address)
-		if err != nil {
-			log.Printf("Dial(%q, %q) = %v", network, address, err)
-		} else {
-			log.Printf("Dial(%q, %q) = %v / %v", network, address, c.LocalAddr(), c.RemoteAddr())
-		}
-		return c, err
-	}
-
-	conn, err := (&controlhttp.Dialer{
-		Hostname:        ts2021Args.host,
-		HTTPPort:        "80",
-		HTTPSPort:       "443",
-		MachineKey:      machinePrivate,
-		ControlKey:      keys.PublicKey,
-		ProtocolVersion: uint16(ts2021Args.version),
-		Dialer:          dialFunc,
-	}).Dial(ctx)
-	log.Printf("controlhttp.Dial = %p, %v", conn, err)
-	if err != nil {
-		return err
-	}
-	log.Printf("did noise handshake")
-
-	gotPeer := conn.Peer()
-	if gotPeer != keys.PublicKey {
-		log.Printf("peer = %v, want %v", gotPeer, keys.PublicKey)
-		return errors.New("key mismatch")
-	}
-
-	log.Printf("final underlying conn: %v / %v", conn.LocalAddr(), conn.RemoteAddr())
-	return nil
-}
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -6,10 +6,10 @@ package cli

 import (
 	"context"
-	"flag"
 	"fmt"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 )

@@ -18,18 +18,7 @@ var downCmd = &ffcli.Command{
 	ShortUsage: "down",
 	ShortHelp:  "Disconnect from Tailscale",

-	Exec:    runDown,
-	FlagSet: newDownFlagSet(),
-}
-
-var downArgs struct {
-	acceptedRisks string
-}
-
-func newDownFlagSet() *flag.FlagSet {
-	downf := newFlagSet("down")
-	registerAcceptRiskFlag(downf, &downArgs.acceptedRisks)
-	return downf
+	Exec: runDown,
 }

 func runDown(ctx context.Context, args []string) error {
@@ -37,13 +26,7 @@ func runDown(ctx context.Context, args []string) error {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}

-	if isSSHOverTailscale() {
-		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`, downArgs.acceptedRisks); err != nil {
-			return err
-		}
-	}
-
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return fmt.Errorf("error fetching current status: %w", err)
 	}
@@ -51,7 +34,7 @@ func runDown(ctx context.Context, args []string) error {
 		fmt.Fprintf(Stderr, "Tailscale was already stopped.\n")
 		return nil
 	}
-	_, err = localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
+	_, err = tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
 			WantRunning: false,
 		},
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -14,7 +14,6 @@ import (
 	"log"
 	"mime"
 	"net/http"
-	"net/netip"
 	"os"
 	"path"
 	"path/filepath"
@@ -24,6 +23,8 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -85,7 +86,7 @@ func runCp(ctx context.Context, args []string) error {
 		hadBrackets = true
 		target = strings.TrimSuffix(strings.TrimPrefix(target, "["), "]")
 	}
-	if ip, err := netip.ParseAddr(target); err == nil && ip.Is6() && !hadBrackets {
+	if ip, err := netaddr.ParseIP(target); err == nil && ip.Is6() && !hadBrackets {
 		return fmt.Errorf("an IPv6 literal must be written as [%s]", ip)
 	} else if hadBrackets && (err != nil || !ip.Is6()) {
 		return errors.New("unexpected brackets around target")
@@ -156,7 +157,7 @@ func runCp(ctx context.Context, args []string) error {
 		if cpArgs.verbose {
 			log.Printf("sending %q to %v/%v/%v ...", name, target, ip, stableID)
 		}
-		err := localClient.PushFile(ctx, stableID, contentLength, name, fileContents)
+		err := tailscale.PushFile(ctx, stableID, contentLength, name, fileContents)
 		if err != nil {
 			return err
 		}
@@ -168,18 +169,18 @@ func runCp(ctx context.Context, args []string) error {
 }

 func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNodeID, isOffline bool, err error) {
-	ip, err := netip.ParseAddr(ipStr)
+	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
 		return "", false, err
 	}
-	fts, err := localClient.FileTargets(ctx)
+	fts, err := tailscale.FileTargets(ctx)
 	if err != nil {
 		return "", false, err
 	}
 	for _, ft := range fts {
 		n := ft.Node
 		for _, a := range n.Addresses {
-			if a.Addr() != ip {
+			if a.IP() != ip {
 				continue
 			}
 			isOffline = n.Online != nil && !*n.Online
@@ -191,9 +192,9 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode

 // fileTargetErrorDetail returns a non-nil error saying why ip is an
 // invalid file sharing target.
-func fileTargetErrorDetail(ctx context.Context, ip netip.Addr) error {
+func fileTargetErrorDetail(ctx context.Context, ip netaddr.IP) error {
 	found := false
-	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
+	if st, err := tailscale.Status(ctx); err == nil && st.Self != nil {
 		for _, peer := range st.Peer {
 			for _, pip := range peer.TailscaleIPs {
 				if pip == ip {
@@ -260,7 +261,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("invalid arguments with --targets")
 	}
-	fts, err := localClient.FileTargets(ctx)
+	fts, err := tailscale.FileTargets(ctx)
 	if err != nil {
 		return err
 	}
@@ -281,7 +282,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 		if detail != "" {
 			detail = "\t" + detail
 		}
-		printf("%s\t%s%s\n", n.Addresses[0].Addr(), n.ComputedName, detail)
+		printf("%s\t%s%s\n", n.Addresses[0].IP(), n.ComputedName, detail)
 	}
 	return nil
 }
@@ -384,7 +385,7 @@ func openFileOrSubstitute(dir, base string, action onConflict) (*os.File, error)
 }

 func receiveFile(ctx context.Context, wf apitype.WaitingFile, dir string) (targetFile string, size int64, err error) {
-	rc, size, err := localClient.GetWaitingFile(ctx, wf.Name)
+	rc, size, err := tailscale.GetWaitingFile(ctx, wf.Name)
 	if err != nil {
 		return "", 0, fmt.Errorf("opening inbox file %q: %w", wf.Name, err)
 	}
@@ -406,7 +407,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 	var err error
 	var errs []error
 	for len(errs) == 0 {
-		wfs, err = localClient.WaitingFiles(ctx)
+		wfs, err = tailscale.WaitingFiles(ctx)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("getting WaitingFiles: %w", err))
 			break
@@ -427,7 +428,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 		if len(errs) > 100 {
 			// Likely, everything is broken.
 			// Don't try to receive any more files in this batch.
-			errs = append(errs, fmt.Errorf("too many errors in runFileGetOneBatch(). %d files unexamined", len(wfs)-i))
+			errs = append(errs, fmt.Errorf("too many errors in runFileGetOneBatch(). %d files unexamined", len(wfs) - i))
 			break
 		}
 		writtenFile, size, err := receiveFile(ctx, wf, dir)
@@ -438,7 +439,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 		if getArgs.verbose {
 			printf("wrote %v as %v (%d bytes)\n", wf.Name, writtenFile, size)
 		}
-		if err = localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
+		if err = tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
 			errs = append(errs, fmt.Errorf("deleting %q from inbox: %v", wf.Name, err))
 			continue
 		}
@@ -502,7 +503,7 @@ func wipeInbox(ctx context.Context) error {
 	if getArgs.wait {
 		return errors.New("can't use --wait with /dev/null target")
 	}
-	wfs, err := localClient.WaitingFiles(ctx)
+	wfs, err := tailscale.WaitingFiles(ctx)
 	if err != nil {
 		return fmt.Errorf("getting WaitingFiles: %w", err)
 	}
@@ -511,7 +512,7 @@ func wipeInbox(ctx context.Context) error {
 		if getArgs.verbose {
 			log.Printf("deleting %v ...", wf.Name)
 		}
-		if err := localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
+		if err := tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
 			return fmt.Errorf("deleting %q: %v", wf.Name, err)
 		}
 		deleted++
--- a/cmd/tailscale/cli/id-token.go
+++ b/cmd/tailscale/cli/id-token.go
@@ -7,8 +7,10 @@ package cli
 import (
 	"context"
 	"errors"
+	"fmt"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )

 var idTokenCmd = &ffcli.Command{
@@ -23,11 +25,11 @@ func runIDToken(ctx context.Context, args []string) error {
 		return errors.New("usage: id-token <aud>")
 	}

-	tr, err := localClient.IDToken(ctx, args[0])
+	tr, err := tailscale.IDToken(ctx, args[0])
 	if err != nil {
 		return err
 	}

-	outln(tr.IDToken)
+	fmt.Println(tr.IDToken)
 	return nil
 }
--- a/cmd/tailscale/cli/ip.go
+++ b/cmd/tailscale/cli/ip.go
@@ -9,9 +9,10 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"net/netip"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn/ipnstate"
 )

@@ -58,7 +59,7 @@ func runIP(ctx context.Context, args []string) error {
 	if !v4 && !v6 {
 		v4, v6 = true, true
 	}
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return err
 	}
@@ -100,7 +101,7 @@ func runIP(ctx context.Context, args []string) error {
 }

 func peerMatchingIP(st *ipnstate.Status, ipStr string) (ps *ipnstate.PeerStatus, ok bool) {
-	ip, err := netip.ParseAddr(ipStr)
+	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
 		return
 	}
--- a/cmd/tailscale/cli/licenses.go
+++ b/cmd/tailscale/cli/licenses.go
@@ -1,45 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"runtime"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-)
-
-var licensesCmd = &ffcli.Command{
-	Name:       "licenses",
-	ShortUsage: "licenses",
-	ShortHelp:  "Get open source license information",
-	LongHelp:   "Get open source license information",
-	Exec:       runLicenses,
-}
-
-// licensesURL returns the absolute URL containing open source license information for the current platform.
-func licensesURL() string {
-	switch runtime.GOOS {
-	case "android":
-		return "https://tailscale.com/licenses/android"
-	case "darwin", "ios":
-		return "https://tailscale.com/licenses/apple"
-	case "windows":
-		return "https://tailscale.com/licenses/windows"
-	default:
-		return "https://tailscale.com/licenses/tailscale"
-	}
-}
-
-func runLicenses(ctx context.Context, args []string) error {
-	licenses := licensesURL()
-	outln(`
-Tailscale wouldn't be possible without the contributions of thousands of open
-source developers. To see the open source packages included in Tailscale and
-their respective license information, visit:
-
-    ` + licenses)
-	return nil
-}
--- a/cmd/tailscale/cli/logout.go
+++ b/cmd/tailscale/cli/logout.go
@@ -10,6 +10,7 @@ import (
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )

 var logoutCmd = &ffcli.Command{
@@ -29,5 +30,5 @@ func runLogout(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
-	return localClient.Logout(ctx)
+	return tailscale.Logout(ctx)
 }
--- a/cmd/tailscale/cli/nc.go
+++ b/cmd/tailscale/cli/nc.go
@@ -13,6 +13,7 @@ import (
 	"strconv"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )

 var ncCmd = &ffcli.Command{
@@ -23,7 +24,7 @@ var ncCmd = &ffcli.Command{
 }

 func runNC(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -44,7 +45,7 @@ func runNC(ctx context.Context, args []string) error {
 	}

 	// TODO(bradfitz): also add UDP too, via flag?
-	c, err := localClient.DialTCP(ctx, hostOrIP, uint16(port))
+	c, err := tailscale.DialTCP(ctx, hostOrIP, uint16(port))
 	if err != nil {
 		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, port, err)
 	}
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -10,6 +10,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"sort"
@@ -17,6 +18,7 @@ import (
 	"time"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
@@ -61,7 +63,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		fmt.Fprintln(Stderr, "# Warning: this JSON format is not yet considered a stable interface")
 	}

-	dm, err := localClient.CurrentDERPMap(ctx)
+	dm, err := tailscale.CurrentDERPMap(ctx)
 	noRegions := dm != nil && len(dm.Regions) == 0
 	if noRegions {
 		log.Printf("No DERP map from tailscaled; using default.")
@@ -125,17 +127,12 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 		printf("\t* IPv6: yes, %v\n", report.GlobalV6)
 	} else if report.IPv6 {
 		printf("\t* IPv6: (no addr found)\n")
-	} else if report.OSHasIPv6 {
-		printf("\t* IPv6: no, but OS has support\n")
 	} else {
-		printf("\t* IPv6: no, unavailable in OS\n")
+		printf("\t* IPv6: no\n")
 	}
 	printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
 	printf("\t* HairPinning: %v\n", report.HairPinning)
 	printf("\t* PortMapping: %v\n", portMapping(report))
-	if report.CaptivePortal != "" {
-		printf("\t* CaptivePortal: %v\n", report.CaptivePortal)
-	}

 	// When DERP latency checking failed,
 	// magicsock will try to pick the DERP server that
@@ -204,7 +201,7 @@ func prodDERPMap(ctx context.Context, httpc *http.Client) (*tailcfg.DERPMap, err
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -1,101 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strconv"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/tka"
-	"tailscale.com/types/key"
-)
-
-var netlockCmd = &ffcli.Command{
-	Name:        "lock",
-	ShortUsage:  "lock <sub-command> <arguments>",
-	ShortHelp:   "Manipulate the tailnet key authority",
-	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
-	Exec:        runNetworkLockStatus,
-}
-
-var nlInitCmd = &ffcli.Command{
-	Name:       "init",
-	ShortUsage: "init <public-key>...",
-	ShortHelp:  "Initialize the tailnet key authority",
-	Exec:       runNetworkLockInit,
-}
-
-func runNetworkLockInit(ctx context.Context, args []string) error {
-	st, err := localClient.NetworkLockStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	if st.Enabled {
-		return errors.New("network-lock is already enabled")
-	}
-
-	// Parse the set of initially-trusted keys.
-	// Keys are specified using their key.NLPublic.MarshalText representation,
-	// with an optional '?<votes>' suffix.
-	var keys []tka.Key
-	for i, a := range args {
-		var key key.NLPublic
-		spl := strings.SplitN(a, "?", 2)
-		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
-			return fmt.Errorf("parsing key %d: %v", i+1, err)
-		}
-
-		k := tka.Key{
-			Kind:   tka.Key25519,
-			Public: key.Verifier(),
-			Votes:  1,
-		}
-		if len(spl) > 1 {
-			votes, err := strconv.Atoi(spl[1])
-			if err != nil {
-				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
-			}
-			k.Votes = uint(votes)
-		}
-		keys = append(keys, k)
-	}
-
-	status, err := localClient.NetworkLockInit(ctx, keys)
-	if err != nil {
-		return err
-	}
-
-	fmt.Printf("Status: %+v\n\n", status)
-	return nil
-}
-
-var nlStatusCmd = &ffcli.Command{
-	Name:       "status",
-	ShortUsage: "status",
-	ShortHelp:  "Outputs the state of network lock",
-	Exec:       runNetworkLockStatus,
-}
-
-func runNetworkLockStatus(ctx context.Context, args []string) error {
-	st, err := localClient.NetworkLockStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	if st.Enabled {
-		fmt.Println("Network-lock is ENABLED.")
-	} else {
-		fmt.Println("Network-lock is NOT enabled.")
-	}
-	p, err := st.PublicKey.MarshalText()
-	if err != nil {
-		return err
-	}
-	fmt.Printf("our public-key: %s\n", p)
-	return nil
-}
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -11,14 +11,14 @@ import (
 	"fmt"
 	"log"
 	"net"
-	"net/netip"
 	"os"
 	"strings"
 	"time"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
 )

 var pingCmd = &ffcli.Command{
@@ -27,7 +27,7 @@ var pingCmd = &ffcli.Command{
 	ShortHelp:  "Ping a host at the Tailscale layer, see how it routed",
 	LongHelp: strings.TrimSpace(`

-The 'tailscale ping' command pings a peer node from the Tailscale layer
+The 'tailscale ping' command pings a peer node at the Tailscale layer
 and reports which route it took for each response. The first ping or
 so will likely go over DERP (Tailscale's TCP relay protocol) while NAT
 traversal finds a direct path through.
@@ -49,9 +49,7 @@ relay node.
 		fs := newFlagSet("ping")
 		fs.BoolVar(&pingArgs.verbose, "verbose", false, "verbose output")
 		fs.BoolVar(&pingArgs.untilDirect, "until-direct", true, "stop once a direct path is established")
-		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
-		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
-		fs.BoolVar(&pingArgs.peerAPI, "peerapi", false, "try hitting the peer's peerapi HTTP server")
+		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through IP + wireguard, but not involving host OS stack)")
 		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
 		return fs
@@ -63,26 +61,11 @@ var pingArgs struct {
 	untilDirect bool
 	verbose     bool
 	tsmp        bool
-	icmp        bool
-	peerAPI     bool
 	timeout     time.Duration
 }

-func pingType() tailcfg.PingType {
-	if pingArgs.tsmp {
-		return tailcfg.PingTSMP
-	}
-	if pingArgs.icmp {
-		return tailcfg.PingICMP
-	}
-	if pingArgs.peerAPI {
-		return tailcfg.PingPeerAPI
-	}
-	return tailcfg.PingDisco
-}
-
 func runPing(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -92,10 +75,24 @@ func runPing(ctx context.Context, args []string) error {
 		os.Exit(1)
 	}

+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
 	if len(args) != 1 || args[0] == "" {
 		return errors.New("usage: ping <hostname-or-IP>")
 	}
 	var ip string
+	prc := make(chan *ipnstate.PingResult, 1)
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			fatalf("Notify.ErrMessage: %v", *n.ErrMessage)
+		}
+		if pr := n.PingResult; pr != nil && pr.IP == ip {
+			prc <- pr
+		}
+	})
+	pumpErr := make(chan error, 1)
+	go func() { pumpErr <- pump(ctx, bc, c) }()

 	hostOrIP := args[0]
 	ip, self, err := tailscaleIPFromArg(ctx, hostOrIP)
@@ -115,57 +112,48 @@ func runPing(ctx context.Context, args []string) error {
 	anyPong := false
 	for {
 		n++
-		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.Ping(ctx, netip.MustParseAddr(ip), pingType())
-		cancel()
-		if err != nil {
-			if errors.Is(err, context.DeadlineExceeded) {
-				printf("ping %q timed out\n", ip)
-				if n == pingArgs.num {
-					if !anyPong {
-						return errors.New("no reply")
-					}
+		bc.Ping(ip, pingArgs.tsmp)
+		timer := time.NewTimer(pingArgs.timeout)
+		select {
+		case <-timer.C:
+			printf("timeout waiting for ping reply\n")
+		case err := <-pumpErr:
+			return err
+		case pr := <-prc:
+			timer.Stop()
+			if pr.Err != "" {
+				if pr.IsLocalIP {
+					outln(pr.Err)
 					return nil
 				}
-				continue
+				return errors.New(pr.Err)
 			}
-			return err
-		}
-		if pr.Err != "" {
-			if pr.IsLocalIP {
-				outln(pr.Err)
+			latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
+			via := pr.Endpoint
+			if pr.DERPRegionID != 0 {
+				via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
+			}
+			if pingArgs.tsmp {
+				// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
+				// For now just say it came via TSMP.
+				via = "TSMP"
+			}
+			anyPong = true
+			extra := ""
+			if pr.PeerAPIPort != 0 {
+				extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
+			}
+			printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
+			if pingArgs.tsmp {
 				return nil
 			}
-			return errors.New(pr.Err)
+			if pr.Endpoint != "" && pingArgs.untilDirect {
+				return nil
+			}
+			time.Sleep(time.Second)
+		case <-ctx.Done():
+			return ctx.Err()
 		}
-		latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
-		via := pr.Endpoint
-		if pr.DERPRegionID != 0 {
-			via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
-		}
-		if via == "" {
-			// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
-			// For now just say which protocol it used.
-			via = string(pingType())
-		}
-		if pingArgs.peerAPI {
-			printf("hit peerapi of %s (%s) at %s in %s\n", pr.NodeIP, pr.NodeName, pr.PeerAPIURL, latency)
-			return nil
-		}
-		anyPong = true
-		extra := ""
-		if pr.PeerAPIPort != 0 {
-			extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
-		}
-		printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
-		if pingArgs.tsmp || pingArgs.icmp {
-			return nil
-		}
-		if pr.Endpoint != "" && pingArgs.untilDirect {
-			return nil
-		}
-		time.Sleep(time.Second)
-
 		if n == pingArgs.num {
 			if !anyPong {
 				return errors.New("no reply")
@@ -185,7 +173,7 @@ func tailscaleIPFromArg(ctx context.Context, hostOrIP string) (ip string, self b
 	}

 	// Otherwise, try to resolve it first from the network peer list.
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return "", false, err
 	}
--- a/cmd/tailscale/cli/risks.go
+++ b/cmd/tailscale/cli/risks.go
@@ -1,82 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"errors"
-	"flag"
-	"fmt"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-	"time"
-)
-
-var (
-	riskTypes   []string
-	riskLoseSSH = registerRiskType("lose-ssh")
-)
-
-func registerRiskType(riskType string) string {
-	riskTypes = append(riskTypes, riskType)
-	return riskType
-}
-
-// registerAcceptRiskFlag registers the --accept-risk flag. Accepted risks are accounted for
-// in presentRiskToUser.
-func registerAcceptRiskFlag(f *flag.FlagSet, acceptedRisks *string) {
-	f.StringVar(acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
-}
-
-// isRiskAccepted reports whether riskType is in the comma-separated list of
-// risks in acceptedRisks.
-func isRiskAccepted(riskType, acceptedRisks string) bool {
-	for _, r := range strings.Split(acceptedRisks, ",") {
-		if r == riskType {
-			return true
-		}
-	}
-	return false
-}
-
-var errAborted = errors.New("aborted, no changes made")
-
-// riskAbortTimeSeconds is the number of seconds to wait after displaying the
-// risk message before continuing with the operation.
-// It is used by the presentRiskToUser function below.
-const riskAbortTimeSeconds = 5
-
-// presentRiskToUser displays the risk message and waits for the user to cancel.
-// It returns errorAborted if the user aborts. In tests it returns errAborted
-// immediately unless the risk has been explicitly accepted.
-func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
-	if isRiskAccepted(riskType, acceptedRisks) {
-		return nil
-	}
-	if inTest() {
-		return errAborted
-	}
-	outln(riskMessage)
-	printf("To skip this warning, use --accept-risk=%s\n", riskType)
-
-	interrupt := make(chan os.Signal, 1)
-	signal.Notify(interrupt, syscall.SIGINT)
-	var msgLen int
-	for left := riskAbortTimeSeconds; left > 0; left-- {
-		msg := fmt.Sprintf("\rContinuing in %d seconds...", left)
-		msgLen = len(msg)
-		printf(msg)
-		select {
-		case <-interrupt:
-			printf("\r%s\r", strings.Repeat("x", msgLen+1))
-			return errAborted
-		case <-time.After(time.Second):
-			continue
-		}
-	}
-	printf("\r%s\r", strings.Repeat(" ", msgLen))
-	return errAborted
-}
--- a/cmd/tailscale/cli/ssh.go
+++ b/cmd/tailscale/cli/ssh.go
@@ -10,18 +10,20 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"net/netip"
 	"os"
+	"os/exec"
 	"os/user"
 	"path/filepath"
 	"runtime"
 	"strings"
+	"syscall"

+	"github.com/alessio/shellescape"
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/tsaddr"
-	"tailscale.com/version"
 )

 var sshCmd = &ffcli.Command{
@@ -32,9 +34,6 @@ var sshCmd = &ffcli.Command{
 }

 func runSSH(ctx context.Context, args []string) error {
-	if runtime.GOOS == "darwin" && version.IsSandboxedMacOS() && !envknob.UseWIPCode() {
-		return errors.New("The 'tailscale ssh' subcommand is not available on sandboxed macOS builds.\nUse the regular 'ssh' client instead.")
-	}
 	if len(args) == 0 {
 		return errors.New("usage: ssh [user@]<host>")
 	}
@@ -49,7 +48,7 @@ func runSSH(ctx context.Context, args []string) error {
 		username = lu.Username
 	}

-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return err
 	}
@@ -62,7 +61,7 @@ func runSSH(ctx context.Context, args []string) error {
 		hostForSSH = v
 	}

-	ssh, err := findSSH()
+	ssh, err := exec.LookPath("ssh")
 	if err != nil {
 		// TODO(bradfitz): use Go's crypto/ssh client instead
 		// of failing. But for now:
@@ -77,49 +76,55 @@ func runSSH(ctx context.Context, args []string) error {
 		return err
 	}

-	argv := []string{ssh}
+	argv := append([]string{
+		ssh,

-	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
-		argv = append(argv, "-vvv")
-	}
-	argv = append(argv,
 		// Only trust SSH hosts that we know about.
-		"-o", fmt.Sprintf("UserKnownHostsFile %q", knownHostsFile),
+		"-o", fmt.Sprintf("UserKnownHostsFile %s",
+			shellescape.Quote(knownHostsFile),
+		),
 		"-o", "UpdateHostKeys no",
 		"-o", "StrictHostKeyChecking yes",
-	)

-	// TODO(bradfitz): nc is currently broken on macOS:
-	// https://github.com/tailscale/tailscale/issues/4529
-	// So don't use it for now. MagicDNS is usually working on macOS anyway
-	// and they're not in userspace mode, so 'nc' isn't very useful.
-	if runtime.GOOS != "darwin" {
-		argv = append(argv,
-			"-o", fmt.Sprintf("ProxyCommand %q --socket=%q nc %%h %%p",
-				tailscaleBin,
-				rootArgs.socket,
-			))
+		"-o", fmt.Sprintf("ProxyCommand %s --socket=%s nc %%h %%p",
+			shellescape.Quote(tailscaleBin),
+			shellescape.Quote(rootArgs.socket),
+		),
+
+		// Explicitly rebuild the user@host argument rather than
+		// passing it through.  In general, the use of OpenSSH's ssh
+		// binary is a crutch for now.  We don't want to be
+		// Hyrum-locked into passing through all OpenSSH flags to the
+		// OpenSSH client forever. We try to make our flags and args
+		// be compatible, but only a subset. The "tailscale ssh"
+		// command should be a simple and portable one. If they want
+		// to use a different one, we'll later be making stock ssh
+		// work well by default too. (doing things like automatically
+		// setting known_hosts, etc)
+		username + "@" + hostForSSH,
+	}, argRest...)
+
+	if runtime.GOOS == "windows" {
+		// Don't use syscall.Exec on Windows.
+		cmd := exec.Command(ssh, argv[1:]...)
+		cmd.Stderr = os.Stderr
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		var ee *exec.ExitError
+		err := cmd.Run()
+		if errors.As(err, &ee) {
+			os.Exit(ee.ExitCode())
+		}
+		return err
 	}

-	// Explicitly rebuild the user@host argument rather than
-	// passing it through.  In general, the use of OpenSSH's ssh
-	// binary is a crutch for now.  We don't want to be
-	// Hyrum-locked into passing through all OpenSSH flags to the
-	// OpenSSH client forever. We try to make our flags and args
-	// be compatible, but only a subset. The "tailscale ssh"
-	// command should be a simple and portable one. If they want
-	// to use a different one, we'll later be making stock ssh
-	// work well by default too. (doing things like automatically
-	// setting known_hosts, etc)
-	argv = append(argv, username+"@"+hostForSSH)
-
-	argv = append(argv, argRest...)
-
 	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
 		log.Printf("Running: %q, %q ...", ssh, argv)
 	}
-
-	return execSSH(ssh, argv)
+	if err := syscall.Exec(ssh, argv, os.Environ()); err != nil {
+		return err
+	}
+	return errors.New("unreachable")
 }

 func writeKnownHosts(st *ipnstate.Status) (knownHostsFile string, err error) {
@@ -163,10 +168,10 @@ func nodeDNSNameFromArg(st *ipnstate.Status, arg string) (dnsName string, ok boo
 	if arg == "" {
 		return
 	}
-	argIP, _ := netip.ParseAddr(arg)
+	argIP, _ := netaddr.ParseIP(arg)
 	for _, ps := range st.Peer {
 		dnsName = ps.DNSName
-		if argIP.IsValid() {
+		if !argIP.IsZero() {
 			for _, ip := range ps.TailscaleIPs {
 				if ip == argIP {
 					return dnsName, true
@@ -183,28 +188,3 @@ func nodeDNSNameFromArg(st *ipnstate.Status, arg string) (dnsName string, ok boo
 	}
 	return "", false
 }
-
-// getSSHClientEnvVar returns the "SSH_CLIENT" environment variable
-// for the current process group, if any.
-var getSSHClientEnvVar = func() string {
-	return ""
-}
-
-// isSSHOverTailscale checks if the invocation is in a SSH session over Tailscale.
-// It is used to detect if the user is about to take an action that might result in them
-// disconnecting from the machine (e.g. disabling SSH)
-func isSSHOverTailscale() bool {
-	sshClient := getSSHClientEnvVar()
-	if sshClient == "" {
-		return false
-	}
-	ipStr, _, ok := strings.Cut(sshClient, " ")
-	if !ok {
-		return false
-	}
-	ip, err := netip.ParseAddr(ipStr)
-	if err != nil {
-		return false
-	}
-	return tsaddr.IsTailscaleIP(ip)
-}
--- a/cmd/tailscale/cli/ssh_exec.go
+++ b/cmd/tailscale/cli/ssh_exec.go
@@ -1,26 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !js && !windows
-// +build !js,!windows
-
-package cli
-
-import (
-	"errors"
-	"os"
-	"os/exec"
-	"syscall"
-)
-
-func findSSH() (string, error) {
-	return exec.LookPath("ssh")
-}
-
-func execSSH(ssh string, argv []string) error {
-	if err := syscall.Exec(ssh, argv, os.Environ()); err != nil {
-		return err
-	}
-	return errors.New("unreachable")
-}
--- a/cmd/tailscale/cli/ssh_exec_js.go
+++ b/cmd/tailscale/cli/ssh_exec_js.go
@@ -1,17 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"errors"
-)
-
-func findSSH() (string, error) {
-	return "", errors.New("Not implemented")
-}
-
-func execSSH(ssh string, argv []string) error {
-	return errors.New("Not implemented")
-}
--- a/cmd/tailscale/cli/ssh_exec_windows.go
+++ b/cmd/tailscale/cli/ssh_exec_windows.go
@@ -1,38 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"errors"
-	"os"
-	"os/exec"
-	"path/filepath"
-)
-
-func findSSH() (string, error) {
-	// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
-	// occured with ssh.exe provided by msys2/cygwin and other environments.
-	if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
-		exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
-		if st, err := os.Stat(exe); err == nil && !st.IsDir() {
-			return exe, nil
-		}
-	}
-	return exec.LookPath("ssh")
-}
-
-func execSSH(ssh string, argv []string) error {
-	// Don't use syscall.Exec on Windows, it's not fully implemented.
-	cmd := exec.Command(ssh, argv[1:]...)
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	var ee *exec.ExitError
-	err := cmd.Run()
-	if errors.As(err, &ee) {
-		os.Exit(ee.ExitCode())
-	}
-	return err
-}
--- a/cmd/tailscale/cli/ssh_unix.go
+++ b/cmd/tailscale/cli/ssh_unix.go
@@ -1,51 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !js && !windows
-// +build !js,!windows
-
-package cli
-
-import (
-	"bytes"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strconv"
-
-	"golang.org/x/sys/unix"
-)
-
-func init() {
-	getSSHClientEnvVar = func() string {
-		if os.Getenv("SUDO_USER") == "" {
-			// No sudo, just check the env.
-			return os.Getenv("SSH_CLIENT")
-		}
-		if runtime.GOOS != "linux" {
-			// TODO(maisem): implement this for other platforms. It's not clear
-			// if there is a way to get the environment for a given process on
-			// darwin and bsd.
-			return ""
-		}
-		// SID is the session ID of the user's login session.
-		// It is also the process ID of the original shell that the user logged in with.
-		// We only need to check the environment of that process.
-		sid, err := unix.Getsid(os.Getpid())
-		if err != nil {
-			return ""
-		}
-		b, err := os.ReadFile(filepath.Join("/proc", strconv.Itoa(sid), "environ"))
-		if err != nil {
-			return ""
-		}
-		prefix := []byte("SSH_CLIENT=")
-		for _, env := range bytes.Split(b, []byte{0}) {
-			if bytes.HasPrefix(env, prefix) {
-				return string(env[len(prefix):])
-			}
-		}
-		return ""
-	}
-}
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -13,12 +13,13 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/toqueteos/webbrowser"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
@@ -72,9 +73,9 @@ func runStatus(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unexpected non-flag arguments to 'tailscale status'")
 	}
-	getStatus := localClient.Status
+	getStatus := tailscale.Status
 	if !statusArgs.peers {
-		getStatus = localClient.StatusWithoutPeers
+		getStatus = tailscale.StatusWithoutPeers
 	}
 	st, err := getStatus(ctx)
 	if err != nil {
@@ -114,7 +115,7 @@ func runStatus(ctx context.Context, args []string) error {
 				http.NotFound(w, r)
 				return
 			}
-			st, err := localClient.Status(ctx)
+			st, err := tailscale.Status(ctx)
 			if err != nil {
 				http.Error(w, err.Error(), 500)
 				return
@@ -128,8 +129,12 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}

-	// print health check information prior to checking LocalBackend state as
-	// it may provide an explanation to the user if we choose to exit early
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		outln(description)
+		os.Exit(1)
+	}
+
 	if len(st.Health) > 0 {
 		printf("# Health check:\n")
 		for _, m := range st.Health {
@@ -138,12 +143,6 @@ func runStatus(ctx context.Context, args []string) error {
 		outln()
 	}

-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		outln(description)
-		os.Exit(1)
-	}
-
 	var buf bytes.Buffer
 	f := func(format string, a ...any) { fmt.Fprintf(&buf, format, a...) }
 	printPS := func(ps *ipnstate.PeerStatus) {
@@ -260,7 +259,7 @@ func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	return u.LoginName
 }

-func firstIPString(v []netip.Addr) string {
+func firstIPString(v []netaddr.IP) string {
 	if len(v) == 0 {
 		return ""
 	}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -13,18 +13,18 @@ import (
 	"flag"
 	"fmt"
 	"log"
-	"net/netip"
 	"os"
 	"reflect"
 	"runtime"
 	"sort"
 	"strings"
 	"sync"
-	"time"

 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -52,7 +52,7 @@ down").
 If flags are specified, the flags must be the complete set of desired
 settings. An error is returned if any setting would be changed as a
 result of an unspecified flag's default value, unless the --reset flag
-is also used. (The flags --auth-key, --force-reauth, and --qr are not
+is also used. (The flags --authkey, --force-reauth, and --qr are not
 considered settings that need to be re-specified when modifying
 settings.)
 `),
@@ -115,8 +115,6 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	case "windows":
 		upf.BoolVar(&upArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
 	}
-	upf.DurationVar(&upArgs.timeout, "timeout", 0, "maximum amount of time to wait for tailscaled to enter a Running state; default (0s) blocks forever")
-	registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
 	return upf
 }

@@ -149,8 +147,6 @@ type upArgsT struct {
 	hostname               string
 	opUser                 string
 	json                   bool
-	timeout                time.Duration
-	acceptedRisks          string
 }

 func (a upArgsT) getAuthKey() (string, error) {
@@ -179,16 +175,15 @@ var upArgs upArgsT
 // JSON block will be output. The AuthURL and QR fields will not be present, the
 // BackendState and Error fields will give the result of the authentication.
 // Ex:
+// {
+//    "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
+//    "QR": "data:image/png;base64,0123...cdef"
+//    "BackendState": "NeedsLogin"
+// }
+// {
+//    "BackendState": "Running"
+// }
 //
-//	{
-//	   "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
-//	   "QR": "data:image/png;base64,0123...cdef"
-//	   "BackendState": "NeedsLogin"
-//	}
-//
-//	{
-//	   "BackendState": "Running"
-//	}
 type upOutputJSON struct {
 	AuthURL      string `json:",omitempty"` // Authentication URL of the form https://login.tailscale.com/a/0123456789
 	QR           string `json:",omitempty"` // a DataURL (base64) PNG of a QR code AuthURL
@@ -201,18 +196,18 @@ func warnf(format string, args ...any) {
 }

 var (
-	ipv4default = netip.MustParsePrefix("0.0.0.0/0")
-	ipv6default = netip.MustParsePrefix("::/0")
+	ipv4default = netaddr.MustParseIPPrefix("0.0.0.0/0")
+	ipv6default = netaddr.MustParseIPPrefix("::/0")
 )

-func validateViaPrefix(ipp netip.Prefix) error {
+func validateViaPrefix(ipp netaddr.IPPrefix) error {
 	if !tsaddr.IsViaPrefix(ipp) {
 		return fmt.Errorf("%v is not a 4-in-6 prefix", ipp)
 	}
 	if ipp.Bits() < (128 - 32) {
 		return fmt.Errorf("%v 4-in-6 prefix must be at least a /%v", ipp, 128-32)
 	}
-	a := ipp.Addr().As16()
+	a := ipp.IP().As16()
 	// The first 64 bits of a are the via prefix.
 	// The next 32 bits are the "site ID".
 	// The last 32 bits are the IPv4.
@@ -225,13 +220,13 @@ func validateViaPrefix(ipp netip.Prefix) error {
 	return nil
 }

-func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netip.Prefix, error) {
-	routeMap := map[netip.Prefix]bool{}
+func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netaddr.IPPrefix, error) {
+	routeMap := map[netaddr.IPPrefix]bool{}
 	if advertiseRoutes != "" {
 		var default4, default6 bool
 		advroutes := strings.Split(advertiseRoutes, ",")
 		for _, s := range advroutes {
-			ipp, err := netip.ParsePrefix(s)
+			ipp, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
 				return nil, fmt.Errorf("%q is not a valid IP address or CIDR prefix", s)
 			}
@@ -253,14 +248,14 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		if default4 && !default6 {
 			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
 		} else if default6 && !default4 {
-			return nil, fmt.Errorf("%s advertised without its IPv4 counterpart, please also advertise %s", ipv6default, ipv4default)
+			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv6default, ipv4default)
 		}
 	}
 	if advertiseDefaultRoute {
-		routeMap[netip.MustParsePrefix("0.0.0.0/0")] = true
-		routeMap[netip.MustParsePrefix("::/0")] = true
+		routeMap[netaddr.MustParseIPPrefix("0.0.0.0/0")] = true
+		routeMap[netaddr.MustParseIPPrefix("::/0")] = true
 	}
-	routes := make([]netip.Prefix, 0, len(routeMap))
+	routes := make([]netaddr.IPPrefix, 0, len(routeMap))
 	for r := range routeMap {
 		routes = append(routes, r)
 	}
@@ -268,7 +263,7 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		if routes[i].Bits() != routes[j].Bits() {
 			return routes[i].Bits() < routes[j].Bits()
 		}
-		return routes[i].Addr().Less(routes[j].Addr())
+		return routes[i].IP().Less(routes[j].IP())
 	})
 	return routes, nil
 }
@@ -364,7 +359,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 // without changing any settings.
 func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, justEditMP *ipn.MaskedPrefs, err error) {
 	if !env.upArgs.reset {
-		applyImplicitPrefs(prefs, curPrefs, env)
+		applyImplicitPrefs(prefs, curPrefs, env.user)

 		if err := checkForAccidentalSettingReverts(prefs, curPrefs, env); err != nil {
 			return false, nil, err
@@ -377,20 +372,6 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 		return false, nil, fmt.Errorf("can't change --login-server without --force-reauth")
 	}

-	// Do this after validations to avoid the 5s delay if we're going to error
-	// out anyway.
-	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
-	if wantSSH != haveSSH && isSSHOverTailscale() {
-		if wantSSH {
-			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		} else {
-			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		}
-		if err != nil {
-			return false, nil, err
-		}
-	}
-
 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)

 	simpleUp = env.flagSet.NFlag() == 0 &&
@@ -420,16 +401,12 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 	return simpleUp, justEditMP, nil
 }

-func runUp(ctx context.Context, args []string) (retErr error) {
-	var egg bool
+func runUp(ctx context.Context, args []string) error {
 	if len(args) > 0 {
-		egg = fmt.Sprint(args) == "[up down down left right left right b a]"
-		if !egg {
-			fatalf("too many non-flag arguments: %q", args)
-		}
+		fatalf("too many non-flag arguments: %q", args)
 	}

-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -470,12 +447,12 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 	}

 	if len(prefs.AdvertiseRoutes) > 0 {
-		if err := localClient.CheckIPForwarding(context.Background()); err != nil {
+		if err := tailscale.CheckIPForwarding(context.Background()); err != nil {
 			warnf("%v", err)
 		}
 	}

-	curPrefs, err := localClient.GetPrefs(ctx)
+	curPrefs, err := tailscale.GetPrefs(ctx)
 	if err != nil {
 		return err
 	}
@@ -489,20 +466,12 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		backendState:  st.BackendState,
 		curExitNodeIP: exitNodeIP(curPrefs, st),
 	}
-
-	defer func() {
-		if retErr == nil {
-			checkSSHUpWarnings(ctx)
-		}
-	}()
-
 	simpleUp, justEditMP, err := updatePrefs(prefs, curPrefs, env)
 	if err != nil {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		justEditMP.EggSet = true
-		_, err := localClient.EditPrefs(ctx, justEditMP)
+		_, err := tailscale.EditPrefs(ctx, justEditMP)
 		return err
 	}

@@ -580,9 +549,9 @@ func runUp(ctx context.Context, args []string) (retErr error) {

 				data, err := json.MarshalIndent(js, "", "\t")
 				if err != nil {
-					printf("upOutputJSON marshalling error: %v", err)
+					log.Printf("upOutputJSON marshalling error: %v", err)
 				} else {
-					outln(string(data))
+					fmt.Println(string(data))
 				}
 			} else {
 				fmt.Fprintf(Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
@@ -613,7 +582,7 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 	// Special case: bare "tailscale up" means to just start
 	// running, if there's ever been a login.
 	if simpleUp {
-		_, err := localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
+		_, err := tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
 			Prefs: ipn.Prefs{
 				WantRunning: true,
 			},
@@ -623,7 +592,7 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 			return err
 		}
 	} else {
-		if err := localClient.CheckPrefs(ctx, prefs); err != nil {
+		if err := tailscale.CheckPrefs(ctx, prefs); err != nil {
 			return err
 		}

@@ -664,12 +633,6 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 	// need to prioritize reads from 'running' if it's
 	// readable; its send does happen before the pump mechanism
 	// shuts down. (Issue 2333)
-	var timeoutCh <-chan time.Time
-	if upArgs.timeout > 0 {
-		timeoutTimer := time.NewTimer(upArgs.timeout)
-		defer timeoutTimer.Stop()
-		timeoutCh = timeoutTimer.C
-	}
 	select {
 	case <-running:
 		return nil
@@ -687,30 +650,6 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		default:
 		}
 		return err
-	case <-timeoutCh:
-		return errors.New(`timeout waiting for Tailscale service to enter a Running state; check health with "tailscale status"`)
-	}
-}
-
-func checkSSHUpWarnings(ctx context.Context) {
-	if !upArgs.runSSH {
-		return
-	}
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		// Ignore. Don't spam more.
-		return
-	}
-	if len(st.Health) == 0 {
-		return
-	}
-	if len(st.Health) == 1 && strings.Contains(st.Health[0], "SSH") {
-		printf("%s\n", st.Health[0])
-		return
-	}
-	printf("# Health check:\n")
-	for _, m := range st.Health {
-		printf("    - %s\n", m)
 	}
 }

@@ -720,7 +659,7 @@ func printUpDoneJSON(state ipn.State, errorString string) {
 	if err != nil {
 		log.Printf("printUpDoneJSON marshalling error: %v", err)
 	} else {
-		outln(string(data))
+		fmt.Println(string(data))
 	}
 }

@@ -767,7 +706,7 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
 // correspond to an ipn.Pref.
 func preflessFlag(flagName string) bool {
 	switch flagName {
-	case "auth-key", "force-reauth", "reset", "qr", "json", "timeout", "accept-risk":
+	case "auth-key", "force-reauth", "reset", "qr", "json":
 		return true
 	}
 	return false
@@ -800,7 +739,7 @@ type upCheckEnv struct {
 	flagSet       *flag.FlagSet
 	upArgs        upArgsT
 	backendState  string
-	curExitNodeIP netip.Addr
+	curExitNodeIP netaddr.IP
 	distro        distro.Distro
 }

@@ -891,20 +830,13 @@ func checkForAccidentalSettingReverts(newPrefs, curPrefs *ipn.Prefs, env upCheck
 	return errors.New(sb.String())
 }

-// applyImplicitPrefs mutates prefs to add implicit preferences for the user operator.
-// If the operator flag is passed no action is taken, otherwise this only needs to be set if it doesn't
+// applyImplicitPrefs mutates prefs to add implicit preferences. Currently
+// this is just the operator user, which only needs to be set if it doesn't
 // match the current user.
 //
 // curUser is os.Getenv("USER"). It's pulled out for testability.
-func applyImplicitPrefs(prefs, oldPrefs *ipn.Prefs, env upCheckEnv) {
-	explicitOperator := false
-	env.flagSet.Visit(func(f *flag.Flag) {
-		if f.Name == "operator" {
-			explicitOperator = true
-		}
-	})
-
-	if prefs.OperatorUser == "" && oldPrefs.OperatorUser == env.user && !explicitOperator {
+func applyImplicitPrefs(prefs, oldPrefs *ipn.Prefs, curUser string) {
+	if prefs.OperatorUser == "" && oldPrefs.OperatorUser == curUser {
 		prefs.OperatorUser = oldPrefs.OperatorUser
 	}
 }
@@ -923,10 +855,10 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]any) {
 	ret := make(map[string]any)

 	exitNodeIPStr := func() string {
-		if prefs.ExitNodeIP.IsValid() {
+		if !prefs.ExitNodeIP.IsZero() {
 			return prefs.ExitNodeIP.String()
 		}
-		if prefs.ExitNodeID.IsZero() || !env.curExitNodeIP.IsValid() {
+		if prefs.ExitNodeID.IsZero() || env.curExitNodeIP.IsZero() {
 			return ""
 		}
 		return env.curExitNodeIP.String()
@@ -1001,13 +933,13 @@ func fmtFlagValueArg(flagName string, val any) string {
 	return fmt.Sprintf("--%s=%v", flagName, shellquote.Join(fmt.Sprint(val)))
 }

-func hasExitNodeRoutes(rr []netip.Prefix) bool {
+func hasExitNodeRoutes(rr []netaddr.IPPrefix) bool {
 	var v4, v6 bool
 	for _, r := range rr {
 		if r.Bits() == 0 {
-			if r.Addr().Is4() {
+			if r.IP().Is4() {
 				v4 = true
-			} else if r.Addr().Is6() {
+			} else if r.IP().Is6() {
 				v6 = true
 			}
 		}
@@ -1018,11 +950,11 @@ func hasExitNodeRoutes(rr []netip.Prefix) bool {
 // withoutExitNodes returns rr unchanged if it has only 1 or 0 /0
 // routes. If it has both IPv4 and IPv6 /0 routes, then it returns
 // a copy with all /0 routes removed.
-func withoutExitNodes(rr []netip.Prefix) []netip.Prefix {
+func withoutExitNodes(rr []netaddr.IPPrefix) []netaddr.IPPrefix {
 	if !hasExitNodeRoutes(rr) {
 		return rr
 	}
-	var out []netip.Prefix
+	var out []netaddr.IPPrefix
 	for _, r := range rr {
 		if r.Bits() > 0 {
 			out = append(out, r)
@@ -1033,11 +965,11 @@ func withoutExitNodes(rr []netip.Prefix) []netip.Prefix {

 // exitNodeIP returns the exit node IP from p, using st to map
 // it from its ID form to an IP address if needed.
-func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netip.Addr) {
+func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netaddr.IP) {
 	if p == nil {
 		return
 	}
-	if p.ExitNodeIP.IsValid() {
+	if !p.ExitNodeIP.IsZero() {
 		return p.ExitNodeIP
 	}
 	id := p.ExitNodeID
--- a/cmd/tailscale/cli/version.go
+++ b/cmd/tailscale/cli/version.go
@@ -10,6 +10,7 @@ import (
 	"fmt"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/version"
 )

@@ -40,7 +41,7 @@ func runVersion(ctx context.Context, args []string) error {

 	printf("Client: %s\n", version.String())

-	st, err := localClient.StatusWithoutPeers(ctx)
+	st, err := tailscale.StatusWithoutPeers(ctx)
 	if err != nil {
 		return err
 	}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -15,11 +15,11 @@ import (
 	"fmt"
 	"html/template"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"net/http/cgi"
-	"net/netip"
 	"net/url"
 	"os"
 	"os/exec"
@@ -27,6 +27,8 @@ import (
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
@@ -58,7 +60,6 @@ type tmplData struct {
 	IP                string
 	AdvertiseExitNode bool
 	AdvertiseRoutes   string
-	LicensesURL       string
 }

 var webCmd = &ffcli.Command{
@@ -208,20 +209,12 @@ func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
 		return "", nil, err
 	}
 	token, err := r.Cookie("qtoken")
-	if err == nil {
-		return qnapAuthnQtoken(r, user.Value, token.Value)
+	if err != nil {
+		return "", nil, err
 	}
-	sid, err := r.Cookie("NAS_SID")
-	if err == nil {
-		return qnapAuthnSid(r, user.Value, sid.Value)
-	}
-	return "", nil, fmt.Errorf("not authenticated by any mechanism")
-}
-
-func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
 	query := url.Values{
-		"qtoken": []string{token},
-		"user":   []string{user},
+		"qtoken": []string{token.Value},
+		"user":   []string{user.Value},
 	}
 	u := url.URL{
 		Scheme:   r.URL.Scheme,
@@ -229,31 +222,12 @@ func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResp
 		Path:     "/cgi-bin/authLogin.cgi",
 		RawQuery: query.Encode(),
 	}
-
-	return qnapAuthnFinish(user, u.String())
-}
-
-func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"sid": []string{sid},
-	}
-	u := url.URL{
-		Scheme:   r.URL.Scheme,
-		Host:     r.URL.Host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return qnapAuthnFinish(user, u.String())
-}
-
-func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
-	resp, err := http.Get(url)
+	resp, err := http.Get(u.String())
 	if err != nil {
 		return "", nil, err
 	}
 	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
+	out, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", nil, err
 	}
@@ -264,7 +238,7 @@ func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
 	if authResp.AuthPassed == 0 {
 		return "", nil, fmt.Errorf("not authenticated")
 	}
-	return user, authResp, nil
+	return user.Value, authResp, nil
 }

 func synoAuthn() (string, error) {
@@ -344,7 +318,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
-		prefs, err := localClient.GetPrefs(r.Context())
+		prefs, err := tailscale.GetPrefs(r.Context())
 		if err != nil && !postData.Reauthenticate {
 			w.WriteHeader(http.StatusInternalServerError)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
@@ -374,12 +348,12 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	st, err := localClient.Status(r.Context())
+	st, err := tailscale.Status(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	prefs, err := localClient.GetPrefs(r.Context())
+	prefs, err := tailscale.GetPrefs(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -392,10 +366,9 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		Profile:      profile,
 		Status:       st.BackendState,
 		DeviceName:   deviceName,
-		LicensesURL:  licensesURL(),
 	}
-	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
-	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
+	exitNodeRouteV4 := netaddr.MustParseIPPrefix("0.0.0.0/0")
+	exitNodeRouteV6 := netaddr.MustParseIPPrefix("::/0")
 	for _, r := range prefs.AdvertiseRoutes {
 		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
 			data.AdvertiseExitNode = true
@@ -433,7 +406,7 @@ func tailscaleUp(ctx context.Context, prefs *ipn.Prefs, forceReauth bool) (authU
 		prefs.NetfilterMode = preftype.NetfilterOff
 	}

-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return "", fmt.Errorf("can't fetch status: %v", err)
 	}
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -11,7 +11,7 @@
 </head>

 <body class="py-14">
-<main class="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
+<main class="container max-w-lg mx-auto py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
 	<header class="flex justify-between items-center min-width-0 py-2 mb-8">
 		<svg width="26" height="26" viewBox="0 0 23 23" title="Tailscale" fill="none" xmlns="http://www.w3.org/2000/svg"
 			class="flex-shrink-0 mr-4">
@@ -100,9 +100,6 @@
 	</div>
 	{{ end }}
 </main>
-<footer class="container max-w-lg mx-auto text-center">
-	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
-</footer>
 <script>(function () {
 const advertiseExitNode = {{.AdvertiseExitNode}};
 let fetchingUrl = false;
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -1,18 +1,15 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)

-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
+        github.com/alessio/shellescape                               from tailscale.com/cmd/tailscale/cli
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
-        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+   L    github.com/klauspost/compress/flate                          from nhooyr.io/websocket
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
@@ -30,51 +27,47 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
+     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/derp+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter
+        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
-        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
-        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
+        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
+   L    nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
+   L    nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
+   L    nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
        tailscale.com                                                from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/cmd/tailscale/cli+
        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
-        tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp
-        tailscale.com/control/controlhttp                            from tailscale.com/cmd/tailscale/cli
        tailscale.com/control/controlknobs                           from tailscale.com/net/portmapper
        tailscale.com/derp                                           from tailscale.com/derp/derphttp
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
+   L    tailscale.com/derp/wsconn                                    from tailscale.com/derp/derphttp
        tailscale.com/disco                                          from tailscale.com/derp
        tailscale.com/envknob                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
     💣 tailscale.com/metrics                                        from tailscale.com/derp
-        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp+
-        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
+        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
-        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
+        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
-        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck
-        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
+        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
+     💣 tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
+        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
@@ -84,53 +77,43 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/key                                      from tailscale.com/derp+
        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
-        tailscale.com/types/nettype                                  from tailscale.com/net/netcheck+
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
        tailscale.com/types/views                                    from tailscale.com/tailcfg+
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
-        tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
-        tailscale.com/util/mak                                       from tailscale.com/net/netcheck
-        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp
-        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
-   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
+   W    tailscale.com/util/winutil                                   from tailscale.com/hostinfo
+   W 💣 tailscale.com/util/winutil/vss                               from tailscale.com/util/winutil
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/blake2s                                  from tailscale.com/control/controlbase+
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
-        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from crypto/tls+
-        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http+
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
-        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.org/x/net/icmp+
-        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
+        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
@@ -170,7 +153,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        embed                                                        from tailscale.com/cmd/tailscale/cli+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
@@ -191,7 +173,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
        io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
+        io/fs                                                        from crypto/rand+
        io/ioutil                                                    from golang.org/x/sys/cpu+
        log                                                          from expvar+
        math                                                         from compress/flate+
@@ -206,7 +188,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        net/http/cgi                                                 from tailscale.com/cmd/tailscale/cli
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
        net/http/internal                                            from net/http
-        net/netip                                                    from net+
+        net/netip                                                    from net
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
@@ -218,7 +200,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/tailscale/goupnp/httpu+
        regexp/syntax                                                from regexp
-        runtime/debug                                                from tailscale.com/util/singleflight+
+        runtime/debug                                                from golang.org/x/sync/singleflight+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
        strings                                                      from bufio+
--- a/cmd/tailscale/tailscale.go
+++ b/cmd/tailscale/tailscale.go
@@ -17,6 +17,7 @@ import (

 func main() {
 	args := os.Args[1:]
+	args = cli.CleanUpArgs(args)
 	if name, _ := os.Executable(); strings.HasSuffix(filepath.Base(name), ".cgi") {
 		args = []string{"web", "-cgi"}
 	}
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package main

@@ -15,16 +15,17 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
-	"net/netip"
 	"net/url"
 	"os"
 	"strings"
 	"time"

+	"inet.af/netaddr"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -172,7 +173,7 @@ func checkDerp(ctx context.Context, derpRegion string) error {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
@@ -265,11 +266,11 @@ func debugPortmap(ctx context.Context) error {
 		return err
 	}

-	gatewayAndSelfIP := func() (gw, self netip.Addr, ok bool) {
+	gatewayAndSelfIP := func() (gw, self netaddr.IP, ok bool) {
 		if v := os.Getenv("TS_DEBUG_GW_SELF"); strings.Contains(v, "/") {
 			i := strings.Index(v, "/")
-			gw = netip.MustParseAddr(v[:i])
-			self = netip.MustParseAddr(v[i+1:])
+			gw = netaddr.MustParseIP(v[:i])
+			self = netaddr.MustParseIP(v[i+1:])
 			return gw, self, true
 		}
 		return linkMon.GatewayAndSelfIP()
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -1,7 +1,5 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)

-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
@@ -64,13 +62,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
  LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
@@ -80,15 +76,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+   L    github.com/klauspost/compress/flate                          from nhooyr.io/websocket
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-        github.com/kortschak/wol                                     from tailscale.com/ipn/ipnlocal
-  LD    github.com/kr/fs                                             from github.com/pkg/sftp
   L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
@@ -96,8 +89,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
-  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
-  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
  LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
  LD 💣 github.com/tailscale/golang-x-crypto/internal/subtle         from github.com/tailscale/golang-x-crypto/chacha20
@@ -117,9 +108,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-     💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
-        go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
+     💣 go4.org/intern                                               from inet.af/netaddr
+     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
+        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
   W 💣 golang.zx2c4.com/wintun                                      from golang.zx2c4.com/wireguard/tun
     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
@@ -133,8 +124,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/cmd/tailscaled+
        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/bufferv2
-     💣 gvisor.dev/gvisor/pkg/bufferv2                               from gvisor.dev/gvisor/pkg/tcpip+
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip/stack
        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs+
     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
@@ -146,8 +136,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
-        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
+     💣 gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -156,47 +147,48 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
        gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
        gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/network/internal/multicast       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
        gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack
        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
-     💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/header/parse+
-        gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/internal/network+
+     💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
        gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/raw+
+        gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
        gvisor.dev/gvisor/pkg/tcpip/transport/internal/noop          from gvisor.dev/gvisor/pkg/tcpip/transport/raw
        gvisor.dev/gvisor/pkg/tcpip/transport/packet                 from gvisor.dev/gvisor/pkg/tcpip/transport/raw
-        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/udp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
     💣 gvisor.dev/gvisor/pkg/tcpip/transport/tcp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
-        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from tailscale.com/net/tstun+
+        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
+        inet.af/netaddr                                              from inet.af/wf+
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
   W 💣 inet.af/wf                                                   from tailscale.com/wf
-        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
-        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
-        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
+   L    nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
+   L    nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
+   L    nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
        tailscale.com                                                from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
  LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
        tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
-        tailscale.com/cmd/tailscaled/childproc                       from tailscale.com/ssh/tailssh+
+        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
+        tailscale.com/cmd/tailscaled/childproc                       from tailscale.com/cmd/tailscaled+
        tailscale.com/control/controlbase                            from tailscale.com/control/controlclient+
-        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
+        tailscale.com/control/controlclient                          from tailscale.com/cmd/tailscaled+
        tailscale.com/control/controlhttp                            from tailscale.com/control/controlclient
        tailscale.com/control/controlknobs                           from tailscale.com/control/controlclient+
        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
-        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
+        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscaled+
+   L    tailscale.com/derp/wsconn                                    from tailscale.com/derp/derphttp
        tailscale.com/disco                                          from tailscale.com/derp+
-        tailscale.com/envknob                                        from tailscale.com/control/controlclient+
+        tailscale.com/envknob                                        from tailscale.com/cmd/tailscaled+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
-        tailscale.com/ipn                                            from tailscale.com/ipn/ipnlocal+
-        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ssh/tailssh+
+        tailscale.com/ipn                                            from tailscale.com/client/tailscale+
+        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/control/controlclient+
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
        tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled
@@ -207,45 +199,42 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
-        tailscale.com/logtail                                        from tailscale.com/control/controlclient+
-        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
+        tailscale.com/logtail                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/logtail/backoff                                from tailscale.com/cmd/tailscaled+
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
     💣 tailscale.com/metrics                                        from tailscale.com/derp+
-        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
+        tailscale.com/net/dns                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver
        tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
        tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
-     💣 tailscale.com/net/interfaces                                 from tailscale.com/control/controlclient+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscaled+
        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
        tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
-        tailscale.com/net/netknob                                    from tailscale.com/net/netns+
-        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
+        tailscale.com/net/netknob                                    from tailscale.com/logpolicy+
+        tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
        tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/packet                                     from tailscale.com/net/tstun+
-        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
-        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
+        tailscale.com/net/portmapper                                 from tailscale.com/cmd/tailscaled+
        tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
        tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
-        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
-        tailscale.com/net/tstun                                      from tailscale.com/net/dns+
-        tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
+        tailscale.com/net/tsdial                                     from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/paths                                          from tailscale.com/client/tailscale+
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
-        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
-        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
+        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
+        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
-        tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
@@ -255,53 +244,47 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/control/controlbase+
-        tailscale.com/types/logger                                   from tailscale.com/control/controlclient+
+        tailscale.com/types/key                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
-        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock+
+        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/types/tkatype                                  from tailscale.com/tka+
        tailscale.com/types/views                                    from tailscale.com/ipn/ipnlocal+
-        tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
-        tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
+        tailscale.com/util/clientmetric                              from tailscale.com/cmd/tailscaled+
  LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
-     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
-        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
+        tailscale.com/util/multierr                                  from tailscale.com/cmd/tailscaled+
+        tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
+        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
-        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
-        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
-     💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
-        tailscale.com/version                                        from tailscale.com/derp+
-        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
+        tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
+   W 💣 tailscale.com/util/winutil/vss                               from tailscale.com/util/winutil
+        tailscale.com/version                                        from tailscale.com/client/tailscale+
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscaled+
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
-        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
-        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
+        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
-     💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
  LD    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
@@ -315,9 +298,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
+  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -325,19 +306,18 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
        golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
-        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device+
+        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
+        golang.org/x/sync/singleflight                               from tailscale.com/control/controlclient+
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from github.com/insomniacslk/dhcp/interfaces+
   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
-   W    golang.org/x/sys/windows/registry                            from golang.org/x/sys/windows/svc/eventlog+
+   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
-   W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
        golang.org/x/term                                            from tailscale.com/logpolicy
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
@@ -369,31 +349,30 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/sha256                                                from crypto/tls+
        crypto/sha512                                                from crypto/ecdsa+
        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
+        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from tailscale.com+
+        embed                                                        from crypto/elliptic+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from github.com/tailscale/goupnp+
+        encoding/xml                                                 from github.com/aws/aws-sdk-go-v2/aws/protocol/xml+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
-        flag                                                         from tailscale.com/control/controlclient+
+        flag                                                         from tailscale.com/cmd/tailscaled+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
+        hash/fnv                                                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv6+
        hash/maphash                                                 from go4.org/mem
-        html                                                         from tailscale.com/ipn/ipnlocal+
+        html                                                         from net/http/pprof+
        io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from github.com/godbus/dbus/v5+
+        io/fs                                                        from crypto/rand+
+        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
        log                                                          from expvar+
  LD    log/syslog                                                   from tailscale.com/ssh/tailssh
        math                                                         from compress/flate+
@@ -405,25 +384,24 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
-        net/http/httptest                                            from tailscale.com/control/controlclient
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
        net/http/pprof                                               from tailscale.com/cmd/tailscaled+
        net/netip                                                    from golang.zx2c4.com/wireguard/conn+
-        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
-        os/exec                                                      from github.com/coreos/go-iptables/iptables+
+        os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
        os/signal                                                    from tailscale.com/cmd/tailscaled+
        os/user                                                      from github.com/godbus/dbus/v5+
-        path                                                         from github.com/godbus/dbus/v5+
+        path                                                         from github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/coreos/go-iptables/iptables+
+        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints/v2+
        regexp/syntax                                                from regexp
        runtime/debug                                                from github.com/klauspost/compress/zstd+
-        runtime/pprof                                                from tailscale.com/log/logheap+
+        runtime/pprof                                                from net/http/pprof+
        runtime/trace                                                from net/http/pprof
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
--- a/cmd/tailscaled/install_darwin.go
+++ b/cmd/tailscaled/install_darwin.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package main

@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -141,7 +142,7 @@ func installSystemDaemonDarwin(args []string) (err error) {
 		return err
 	}

-	if err := os.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
+	if err := ioutil.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}

--- a/cmd/tailscaled/install_windows.go
+++ b/cmd/tailscaled/install_windows.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package main

--- a/cmd/tailscaled/proxy.go
+++ b/cmd/tailscaled/proxy.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 // HTTP proxy code

--- a/cmd/tailscaled/required_version.go
+++ b/cmd/tailscaled/required_version.go
@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !go1.19
-// +build !go1.19
+//go:build !go1.18
+// +build !go1.18

 package main

 func init() {
-	you_need_Go_1_19_to_compile_Tailscale()
+	you_need_Go_1_18_to_compile_Tailscale()
 }
--- a/cmd/tailscaled/ssh.go
+++ b/cmd/tailscaled/ssh.go
@@ -9,3 +9,4 @@ package main

 // Force registration of tailssh with LocalBackend.
 import _ "tailscale.com/ssh/tailssh"
+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 // The tailscaled program is the Tailscale client daemon. It's configured
 // and controlled via the tailscale CLI program.
@@ -21,16 +21,15 @@ import (
 	"net"
 	"net/http"
 	"net/http/pprof"
-	"net/netip"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"

+	"inet.af/netaddr"
 	"tailscale.com/cmd/tailscaled/childproc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
@@ -98,20 +97,6 @@ func defaultTunName() string {
 	return "tailscale0"
 }

-// defaultPort returns the default UDP port to listen on for disco+wireguard.
-// By default it returns 0, to pick one randomly from the kernel.
-// If the environment variable PORT is set, that's used instead.
-// The PORT environment variable is chosen to match what the Linux systemd
-// unit uses, to make documentation more consistent.
-func defaultPort() uint16 {
-	if s := envknob.String("PORT"); s != "" {
-		if p, err := strconv.ParseUint(s, 10, 16); err == nil {
-			return uint16(p)
-		}
-	}
-	return 0
-}
-
 var args struct {
 	// tunname is a /dev/net/tun tunnel name ("tailscale0"), the
 	// string "userspace-networking", "tap:TAPNAME[:BRIDGENAME]"
@@ -128,7 +113,6 @@ var args struct {
 	verbose        int
 	socksAddr      string // listen address for SOCKS5 server
 	httpProxyAddr  string // listen address for HTTP proxy server
-	disableLogs    bool
 }

 var (
@@ -144,12 +128,7 @@ var subCommands = map[string]*func([]string) error{
 	"be-child":                &beChildFunc,
 }

-var beCLI func() // non-nil if CLI is linked in
-
 func main() {
-	envknob.PanicIfAnyEnvCheckedInInit()
-	envknob.ApplyDiskConfig()
-
 	printVersion := false
 	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
@@ -157,18 +136,12 @@ func main() {
 	flag.StringVar(&args.socksAddr, "socks5-server", "", `optional [ip]:port to run a SOCK5 server (e.g. "localhost:1080")`)
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
-	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
+	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state")
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
 	flag.BoolVar(&printVersion, "version", false, "print version information and exit")
-	flag.BoolVar(&args.disableLogs, "no-logs-no-support", false, "disable log uploads; this also disables any technical support")
-
-	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == "tailscale" && beCLI != nil {
-		beCLI()
-		return
-	}

 	if len(os.Args) > 1 {
 		sub := os.Args[1]
@@ -185,12 +158,13 @@ func main() {
 		}
 	}

+	if beWindowsSubprocess() {
+		return
+	}
+
 	flag.Parse()
 	if flag.NArg() > 0 {
-		// Windows subprocess is spawned with /subprocess, so we need to avoid this check there.
-		if runtime.GOOS != "windows" || (flag.Arg(0) != "/subproc" && flag.Arg(0) != "/firewall") {
-			log.Fatalf("tailscaled does not take non-flag arguments: %q", flag.Args())
-		}
+		log.Fatalf("tailscaled does not take non-flag arguments: %q", flag.Args())
 	}

 	if printVersion {
@@ -213,20 +187,6 @@ func main() {
 		log.Fatalf("--bird-socket is not supported on %s", runtime.GOOS)
 	}

-	// Only apply a default statepath when neither have been provided, so that a
-	// user may specify only --statedir if they wish.
-	if args.statepath == "" && args.statedir == "" {
-		args.statepath = paths.DefaultTailscaledStateFile()
-	}
-
-	if args.disableLogs {
-		envknob.SetNoLogsNoSupport()
-	}
-
-	if beWindowsSubprocess() {
-		return
-	}
-
 	err := run()

 	// Remove file sharing from Windows shell (noop in non-windows)
@@ -326,10 +286,6 @@ func run() error {
 		pol.Shutdown(ctx)
 	}()

-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		log.Printf("Error reading environment config: %v", err)
-	}
-
 	if isWindowsService() {
 		// Run the IPN server from the Windows service manager.
 		log.Printf("Running service...")
@@ -376,7 +332,6 @@ func run() error {
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)

 	dialer := new(tsdial.Dialer) // mutated below (before used)
-	dialer.Logf = logf
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)
@@ -386,7 +341,7 @@ func run() error {
 	}
 	if debugMux != nil {
 		if ig, ok := e.(wgengine.InternalsGetter); ok {
-			if _, mc, _, ok := ig.GetInternals(); ok {
+			if _, mc, ok := ig.GetInternals(); ok {
 				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
 			}
 		}
@@ -398,14 +353,14 @@ func run() error {
 		return fmt.Errorf("newNetstack: %w", err)
 	}
 	ns.ProcessLocalIPs = useNetstack
-	ns.ProcessSubnets = useNetstack || shouldWrapNetstack()
+	ns.ProcessSubnets = useNetstack || wrapNetstack

 	if useNetstack {
-		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
+		dialer.UseNetstackForIP = func(ip netaddr.IP) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
 		}
-		dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
+		dialer.NetstackDialTCP = func(ctx context.Context, dst netaddr.IPPort) (net.Conn, error) {
 			return ns.DialContextTCP(ctx, dst)
 		}
 	}
@@ -471,7 +426,6 @@ func run() error {
 	if err != nil {
 		return fmt.Errorf("safesocket.Listen: %v", err)
 	}
-	defer dialer.Close()

 	err = srv.Run(ctx, ln)
 	// Cancelation is not an error: it is the only way to stop ipnserver.
@@ -499,6 +453,8 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer)
 	return nil, false, multierr.New(errs...)
 }

+var wrapNetstack = shouldWrapNetstack()
+
 func shouldWrapNetstack() bool {
 	if v, ok := envknob.LookupBool("TS_DEBUG_WRAP_NETSTACK"); ok {
 		return v
@@ -507,7 +463,7 @@ func shouldWrapNetstack() bool {
 		return true
 	}
 	switch runtime.GOOS {
-	case "windows", "darwin", "freebsd", "openbsd":
+	case "windows", "darwin", "freebsd":
 		// Enable on Windows and tailscaled-on-macOS (this doesn't
 		// affect the GUI clients), and on FreeBSD.
 		return true
@@ -548,7 +504,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 	} else {
 		dev, devName, err := tstun.New(logf, name)
 		if err != nil {
-			tstun.Diagnose(logf, name, err)
+			tstun.Diagnose(logf, name)
 			return nil, false, fmt.Errorf("tstun.New(%q): %w", name, err)
 		}
 		conf.Tun = dev
@@ -569,7 +525,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 		}
 		conf.DNS = d
 		conf.Router = r
-		if shouldWrapNetstack() {
+		if wrapNetstack {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
 		}
 	}
@@ -608,11 +564,11 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 }

 func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
-	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
+	tunDev, magicConn, ok := e.(wgengine.InternalsGetter).GetInternals()
 	if !ok {
 		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
 	}
-	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
+	return netstack.Create(logf, tunDev, e, magicConn, dialer)
 }

 // mustStartProxyListeners creates listeners for local SOCKS and HTTP
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -7,7 +7,7 @@ After=network-pre.target NetworkManager.service systemd-resolved.service
 [Service]
 EnvironmentFile=/etc/default/tailscaled
 ExecStartPre=/usr/sbin/tailscaled --cleanup
-ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
 ExecStopPost=/usr/sbin/tailscaled --cleanup

 Restart=on-failure
--- a/cmd/tailscaled/tailscaled_bird.go
+++ b/cmd/tailscaled/tailscaled_bird.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19 && (linux || darwin || freebsd || openbsd)
-// +build go1.19
+//go:build go1.18 && (linux || darwin || freebsd || openbsd)
+// +build go1.18
 // +build linux darwin freebsd openbsd

 package main
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
James Tucker	20cd690970	.github/workflows: add cross-android Fixes 4482 Signed-off-by: James Tucker <james@tailscale.com>	2022-04-21 10:26:40 -07:00
James Tucker	26fe00e7bd	.github/workflows: add cross-android Fixes 4482 Signed-off-by: James Tucker <james@tailscale.com>	2022-04-21 10:13:27 -07:00
James Tucker	972df80be2	.github/workflows: add cross-android Fixes 4482 Signed-off-by: James Tucker <james@tailscale.com>	2022-04-21 10:00:02 -07:00
@@ -1 +1 @@
 .31.0
 .23.0