net/netns, net/interfaces: move defaultRouteInterface, add Android fallback

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

.gitattributes

@@ -0,0 +1 @@
+go.mod filter=go-mod

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a bug report
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!-- Please note, this template is for definite bugs, not requests for
+support. If you need help with Tailscale, please email
+support@tailscale.com. We don't provide support via Github issues. -->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Version information:**
+ - Device: [e.g. iPhone X, laptop]
+ - OS: [e.g. Windows, MacOS]
+ - OS version: [e.g. Windows 10, Ubuntu 18.04]
+ - Tailscale version: [e.g. 0.95-0]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Support and Product Questions
+    url: https://tailscale.com/kb/1023/troubleshooting
+    about: Please send support questions and questions about the Tailscale product to support@tailscale.com

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,26 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+
+A clear and concise description of any alternative solutions or
+features you've considered.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.

.github/workflows/cross-darwin.yml

@@ -0,0 +1,53 @@
+name: Darwin-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: macOS build cmd
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: macOS build tests
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-freebsd.yml

@@ -0,0 +1,53 @@
+name: FreeBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: FreeBSD build cmd
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: FreeBSD build tests
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-openbsd.yml

@@ -0,0 +1,53 @@
+name: OpenBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: OpenBSD build cmd
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: OpenBSD build tests
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-windows.yml

@@ -0,0 +1,53 @@
+name: Windows-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: Windows build cmd
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: Windows build tests
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/license.yml

@@ -0,0 +1,40 @@
+name: license
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Run license checker
+      run: ./scripts/check_license_headers.sh .
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/linux.yml

@@ -3,7 +3,7 @@ name: Linux
 on:
   push:
     branches:
-      - master
+      - main
   pull_request:
     branches:
       - '*'
@@ -16,10 +16,10 @@ jobs:
 
     steps:
 
-    - name: Set up Go 1.13
+    - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.13
+        go-version: 1.14
       id: go
 
     - name: Check out code into the Go module directory
@@ -28,7 +28,7 @@ jobs:
     - name: Basic build
       run: go build ./cmd/...
 
-    - name: Test build
+    - name: Run tests on linux
       run: go test ./...
 
     - uses: k0kubun/action-slack@v2.0.0
@@ -45,3 +45,4 @@ jobs:
       env:
         SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
       if: failure() && github.event_name == 'push'
+

.github/workflows/linux32.yml

@@ -0,0 +1,48 @@
+name: Linux 32-bit
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: Basic build
+      run: GOARCH=386 go build ./cmd/...
+
+    - name: Run tests on linux
+      run: GOARCH=386 go test ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+

.github/workflows/staticcheck.yml

@@ -3,7 +3,7 @@ name: staticcheck
 on:
   push:
     branches:
-      - master
+      - main
   pull_request:
     branches:
       - '*'
@@ -13,16 +13,22 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Set up Go 1.13
+    - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.13
+        go-version: 1.14
 
     - name: Check out code
       uses: actions/checkout@v1
 
+    - name: Run go vet
+      run: go vet ./...
+
+    - name: Print staticcheck version
+      run: go run honnef.co/go/tools/cmd/staticcheck -version
+
     - name: Run staticcheck
-      run: go run honnef.co/go/tools/cmd/staticcheck -- ./...
+      run: "go run honnef.co/go/tools/cmd/staticcheck -- $(go list ./... | grep -v tempfork)"
 
     - uses: k0kubun/action-slack@v2.0.0
       with:

.gitignore

@@ -1,6 +1,6 @@
 # Binaries for programs and plugins
+*~
 *.exe
-*.exe~
 *.dll
 *.so
 *.dylib

Dockerfile

@@ -2,14 +2,37 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-FROM golang:1.13-alpine AS build-env
+# This Dockerfile includes all the tailscale binaries.
+#
+# To build the Dockerfile:
+#
+#     $ docker build -t tailscale:tailscale .
+#
+# To run the tailscaled agent:
+#
+#     $ docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --privileged tailscale:tailscale tailscaled
+#
+# To then log in:
+#
+#     $ docker exec tailscaled tailscale up
+#
+# To see status:
+#
+#     $ docker exec tailscaled tailscale status
+
+
+FROM golang:1.14-alpine AS build-env
 
 WORKDIR /go/src/tailscale
+
+COPY go.mod .
+COPY go.sum .
+RUN go mod download
+
 COPY . .
 
-RUN go get -d -v ./cmd/...
 RUN go install -v ./cmd/...
 
 FROM alpine:3.11
-RUN apk add --no-cache ca-certificates
-COPY --from=build-env /go/bin/tail* /usr/local/bin/
+RUN apk add --no-cache ca-certificates iptables iproute2
+COPY --from=build-env /go/bin/* /usr/local/bin/

Makefile

@@ -0,0 +1,7 @@
+usage:
+	echo "See Makefile"
+
+check: staticcheck
+
+staticcheck:
+	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)

README.md

@@ -6,11 +6,23 @@ Private WireGuard® networks made easy
 
 ## Overview
 
-This repository contains all the open source Tailscale code.
-It currently includes the Linux client.
+This repository contains all the open source Tailscale client code and
+the `tailscaled` daemon and `tailscale` CLI tool. The `tailscaled`
+daemon runs primarily on Linux; it also works to varying degrees on
+FreeBSD, OpenBSD, Darwin, and Windows.
 
-The Linux client is currently `cmd/relaynode`, but will
-soon be replaced by `cmd/tailscaled`.
+The Android app is at https://github.com/tailscale/tailscale-android
+
+## Using
+
+We serve packages for a variety of distros at
+https://pkgs.tailscale.com .
+
+## Other clients
+
+The [macOS, iOS, and Windows clients](https://tailscale.com/download)
+use the code in this repository but additionally include small GUI
+wrappers that are not open source.
 
 ## Building
 
@@ -18,10 +30,10 @@ soon be replaced by `cmd/tailscaled`.
 go install tailscale.com/cmd/tailscale{,d}
 ```
 
-We only support the latest Go release and any Go beta or release
-candidate builds (currently Go 1.13.x or Go 1.14) in module mode. It
-might work in earlier Go versions or in GOPATH mode, but we're making
-no effort to keep those working.
+We only guarantee to support the latest Go release and any Go beta or
+release candidate builds (currently Go 1.14) in module mode. It might
+work in earlier Go versions or in GOPATH mode, but we're making no
+effort to keep those working.
 
 ## Bugs
 
@@ -30,10 +42,8 @@ Please file any issues about this code or the hosted service on
 
 ## Contributing
 
-`under_construction.gif`
-
-PRs welcome, but we are still working out our contribution process and
-tooling.
+PRs welcome! But please file bugs. Commit messages should [reference
+bugs](https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls).
 
 We require [Developer Certificate of
 Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
@@ -41,7 +51,7 @@ Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
 
 ## About Us
 
-We are apenwarr, bradfitz, crawshaw, danderson, dfcarney,
+We are apenwarr, bradfitz, crawshaw, danderson, dfcarney, josharian
 from Tailscale Inc.
 You can learn more about us from [our website](https://tailscale.com).
 

atomicfile/atomicfile.go

@@ -1,4 +1,4 @@
-// Copyright 2019 Tailscale & AUTHORS. All rights reserved.
+// Copyright (c) 2019 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
@@ -9,20 +9,39 @@
 package atomicfile // import "tailscale.com/atomicfile"
 
 import (
-	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"
+	"runtime"
 )
 
 // WriteFile writes data to filename+some suffix, then renames it
 // into filename.
-func WriteFile(filename string, data []byte, perm os.FileMode) error {
-	tmpname := filename + ".new.tmp"
-	if err := ioutil.WriteFile(tmpname, data, perm); err != nil {
-		return fmt.Errorf("%#v: %v", tmpname, err)
+func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
+	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	if err != nil {
+		return err
 	}
-	if err := os.Rename(tmpname, filename); err != nil {
-		return fmt.Errorf("%#v->%#v: %v", tmpname, filename, err)
+	tmpName := f.Name()
+	defer func() {
+		if err != nil {
+			f.Close()
+			os.Remove(tmpName)
+		}
+	}()
+	if _, err := f.Write(data); err != nil {
+		return err
 	}
-	return nil
+	if runtime.GOOS != "windows" {
+		if err := f.Chmod(perm); err != nil {
+			return err
+		}
+	}
+	if err := f.Sync(); err != nil {
+		return err
+	}
+	if err := f.Close(); err != nil {
+		return err
+	}
+	return os.Rename(tmpName, filename)
 }

cmd/cloner/cloner.go

@@ -0,0 +1,264 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Cloner is a tool to automate the creation of a Clone method.
+//
+// The result of the Clone method aliases no memory that can be edited
+// with the original.
+//
+// This tool makes lots of implicit assumptions about the types you feed it.
+// In particular, it can only write relatively "shallow" Clone methods.
+// That is, if a type contains another named struct type, cloner assumes that
+// named type will also have a Clone method.
+package main
+
+import (
+	"bytes"
+	"flag"
+	"fmt"
+	"go/ast"
+	"go/format"
+	"go/token"
+	"go/types"
+	"io/ioutil"
+	"log"
+	"os"
+	"strings"
+
+	"golang.org/x/tools/go/packages"
+)
+
+var (
+	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
+	flagOutput    = flag.String("output", "", "output file; required")
+	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
+)
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("cloner: ")
+	flag.Parse()
+	if len(*flagTypes) == 0 {
+		flag.Usage()
+		os.Exit(2)
+	}
+	typeNames := strings.Split(*flagTypes, ",")
+
+	cfg := &packages.Config{
+		Mode:  packages.NeedTypes | packages.NeedTypesInfo | packages.NeedSyntax | packages.NeedName,
+		Tests: false,
+	}
+	if *flagBuildTags != "" {
+		cfg.BuildFlags = []string{"-tags=" + *flagBuildTags}
+	}
+	pkgs, err := packages.Load(cfg, ".")
+	if err != nil {
+		log.Fatal(err)
+	}
+	if len(pkgs) != 1 {
+		log.Fatalf("wrong number of packages: %d", len(pkgs))
+	}
+	pkg := pkgs[0]
+	buf := new(bytes.Buffer)
+	imports := make(map[string]struct{})
+	for _, typeName := range typeNames {
+		found := false
+		for _, file := range pkg.Syntax {
+			//var fbuf bytes.Buffer
+			//ast.Fprint(&fbuf, pkg.Fset, file, nil)
+			//fmt.Println(fbuf.String())
+
+			for _, d := range file.Decls {
+				decl, ok := d.(*ast.GenDecl)
+				if !ok || decl.Tok != token.TYPE {
+					continue
+				}
+				for _, s := range decl.Specs {
+					spec, ok := s.(*ast.TypeSpec)
+					if !ok || spec.Name.Name != typeName {
+						continue
+					}
+					typeNameObj := pkg.TypesInfo.Defs[spec.Name]
+					typ, ok := typeNameObj.Type().(*types.Named)
+					if !ok {
+						continue
+					}
+					pkg := typeNameObj.Pkg()
+					gen(buf, imports, typeName, typ, pkg)
+				}
+				found = true
+			}
+		}
+		if !found {
+			log.Fatalf("could not find type %s", typeName)
+		}
+	}
+
+	contents := new(bytes.Buffer)
+	fmt.Fprintf(contents, header, *flagTypes, pkg.Name)
+	fmt.Fprintf(contents, "import (\n")
+	for s := range imports {
+		fmt.Fprintf(contents, "\t%q\n", s)
+	}
+	fmt.Fprintf(contents, ")\n\n")
+	contents.Write(buf.Bytes())
+
+	out, err := format.Source(contents.Bytes())
+	if err != nil {
+		log.Fatalf("%s, in source:\n%s", err, contents.Bytes())
+	}
+
+	output := *flagOutput
+	if output == "" {
+		flag.Usage()
+		os.Exit(2)
+	}
+	if err := ioutil.WriteFile(output, out, 0666); err != nil {
+		log.Fatal(err)
+	}
+}
+
+const header = `// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner -type %s; DO NOT EDIT.
+
+package %s
+
+`
+
+func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types.Named, thisPkg *types.Package) {
+	pkgQual := func(pkg *types.Package) string {
+		if thisPkg == pkg {
+			return ""
+		}
+		imports[pkg.Path()] = struct{}{}
+		return pkg.Name()
+	}
+	importedName := func(t types.Type) string {
+		return types.TypeString(t, pkgQual)
+	}
+
+	switch t := typ.Underlying().(type) {
+	case *types.Struct:
+		_ = t
+		name := typ.Obj().Name()
+		fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
+		fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
+		fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
+		writef := func(format string, args ...interface{}) {
+			fmt.Fprintf(buf, "\t"+format+"\n", args...)
+		}
+		writef("if src == nil {")
+		writef("\treturn nil")
+		writef("}")
+		writef("dst := new(%s)", name)
+		writef("*dst = *src")
+		for i := 0; i < t.NumFields(); i++ {
+			fname := t.Field(i).Name()
+			ft := t.Field(i).Type()
+			if !containsPointers(ft) {
+				continue
+			}
+			if named, _ := ft.(*types.Named); named != nil && !hasBasicUnderlying(ft) {
+				writef("dst.%s = *src.%s.Clone()", fname, fname)
+				continue
+			}
+			switch ft := ft.Underlying().(type) {
+			case *types.Slice:
+				if containsPointers(ft.Elem()) {
+					n := importedName(ft.Elem())
+					writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
+					writef("for i := range dst.%s {", fname)
+					if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
+						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+					} else {
+						writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
+					}
+					writef("}")
+				} else {
+					writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
+				}
+			case *types.Pointer:
+				if named, _ := ft.Elem().(*types.Named); named != nil && containsPointers(ft.Elem()) {
+					writef("dst.%s = src.%s.Clone()", fname, fname)
+					continue
+				}
+				n := importedName(ft.Elem())
+				writef("if dst.%s != nil {", fname)
+				writef("\tdst.%s = new(%s)", fname, n)
+				writef("\t*dst.%s = *src.%s", fname, fname)
+				if containsPointers(ft.Elem()) {
+					writef("\t" + `panic("TODO pointers in pointers")`)
+				}
+				writef("}")
+			case *types.Map:
+				writef("if dst.%s != nil {", fname)
+				writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
+				if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
+					n := importedName(sliceType.Elem())
+					writef("\tfor k := range src.%s {", fname)
+					// use zero-length slice instead of nil to ensure
+					// the key is always copied.
+					writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
+					writef("\t}")
+				} else if containsPointers(ft.Elem()) {
+					writef("\t\t" + `panic("TODO map value pointers")`)
+				} else {
+					writef("\tfor k, v := range src.%s {", fname)
+					writef("\t\tdst.%s[k] = v", fname)
+					writef("\t}")
+				}
+				writef("}")
+			case *types.Struct:
+				writef(`panic("TODO struct %s")`, fname)
+			default:
+				writef(`panic(fmt.Sprintf("TODO: %T", ft))`)
+			}
+		}
+		writef("return dst")
+		fmt.Fprintf(buf, "}\n\n")
+	}
+}
+
+func hasBasicUnderlying(typ types.Type) bool {
+	switch typ.Underlying().(type) {
+	case *types.Slice, *types.Map:
+		return true
+	default:
+		return false
+	}
+}
+
+func containsPointers(typ types.Type) bool {
+	switch typ.String() {
+	case "time.Time":
+		// time.Time contains a pointer that does not need copying
+		return false
+	case "inet.af/netaddr.IP":
+		return false
+	}
+	switch ft := typ.Underlying().(type) {
+	case *types.Array:
+		return containsPointers(ft.Elem())
+	case *types.Chan:
+		return true
+	case *types.Interface:
+		return true // a little too broad
+	case *types.Map:
+		return true
+	case *types.Pointer:
+		return true
+	case *types.Slice:
+		return true
+	case *types.Struct:
+		for i := 0; i < ft.NumFields(); i++ {
+			if containsPointers(ft.Field(i).Type()) {
+				return true
+			}
+		}
+	}
+	return false
+}

cmd/derper/derper.go

@@ -0,0 +1,323 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The derper binary is a simple DERP server.
+package main // import "tailscale.com/cmd/derper"
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"expvar"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/tailscale/wireguard-go/wgcfg"
+	"golang.org/x/crypto/acme/autocert"
+	"tailscale.com/atomicfile"
+	"tailscale.com/derp"
+	"tailscale.com/derp/derphttp"
+	"tailscale.com/logpolicy"
+	"tailscale.com/metrics"
+	"tailscale.com/net/stun"
+	"tailscale.com/tsweb"
+	"tailscale.com/types/key"
+	"tailscale.com/version"
+)
+
+var (
+	dev           = flag.Bool("dev", false, "run in localhost development mode")
+	addr          = flag.String("a", ":443", "server address")
+	configPath    = flag.String("c", "", "config file path")
+	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
+	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	runSTUN       = flag.Bool("stun", false, "also run a STUN server")
+	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+)
+
+type config struct {
+	PrivateKey wgcfg.PrivateKey
+}
+
+func loadConfig() config {
+	if *dev {
+		return config{PrivateKey: mustNewKey()}
+	}
+	if *configPath == "" {
+		log.Fatalf("derper: -c <config path> not specified")
+	}
+	b, err := ioutil.ReadFile(*configPath)
+	switch {
+	case os.IsNotExist(err):
+		return writeNewConfig()
+	case err != nil:
+		log.Fatal(err)
+		panic("unreachable")
+	default:
+		var cfg config
+		if err := json.Unmarshal(b, &cfg); err != nil {
+			log.Fatalf("derper: config: %v", err)
+		}
+		return cfg
+	}
+}
+
+func mustNewKey() wgcfg.PrivateKey {
+	key, err := wgcfg.NewPrivateKey()
+	if err != nil {
+		log.Fatal(err)
+	}
+	return key
+}
+
+func writeNewConfig() config {
+	key := mustNewKey()
+	if err := os.MkdirAll(filepath.Dir(*configPath), 0777); err != nil {
+		log.Fatal(err)
+	}
+	cfg := config{
+		PrivateKey: key,
+	}
+	b, err := json.MarshalIndent(cfg, "", "\t")
+	if err != nil {
+		log.Fatal(err)
+	}
+	if err := atomicfile.WriteFile(*configPath, b, 0666); err != nil {
+		log.Fatal(err)
+	}
+	return cfg
+}
+
+func main() {
+	flag.Parse()
+
+	if *dev {
+		*logCollection = ""
+		*addr = ":3340" // above the keys DERP
+		log.Printf("Running in dev mode.")
+		tsweb.DevMode = true
+	}
+
+	var logPol *logpolicy.Policy
+	if *logCollection != "" {
+		logPol = logpolicy.New(*logCollection)
+		log.SetOutput(logPol.Logtail)
+	}
+
+	cfg := loadConfig()
+
+	letsEncrypt := tsweb.IsProd443(*addr)
+
+	s := derp.NewServer(key.Private(cfg.PrivateKey), log.Printf)
+
+	if *meshPSKFile != "" {
+		b, err := ioutil.ReadFile(*meshPSKFile)
+		if err != nil {
+			log.Fatal(err)
+		}
+		key := strings.TrimSpace(string(b))
+		if matched, _ := regexp.MatchString(`(?i)^[0-9a-f]{64,}$`, key); !matched {
+			log.Fatalf("key in %s must contain 64+ hex digits", *meshPSKFile)
+		}
+		s.SetMeshKey(key)
+		log.Printf("DERP mesh key configured")
+	}
+	if err := startMesh(s); err != nil {
+		log.Fatalf("startMesh: %v", err)
+	}
+	expvar.Publish("derp", s.ExpVar())
+
+	// Create our own mux so we don't expose /debug/ stuff to the world.
+	mux := tsweb.NewMux(debugHandler(s))
+	mux.Handle("/derp", derphttp.Handler(s))
+	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(200)
+		io.WriteString(w, `<html><body>
+<h1>DERP</h1>
+<p>
+  This is a
+  <a href="https://tailscale.com/">Tailscale</a>
+  <a href="https://godoc.org/tailscale.com/derp">DERP</a>
+  server.
+</p>
+`)
+		if tsweb.AllowDebugAccess(r) {
+			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
+		}
+	}))
+
+	if *runSTUN {
+		go serveSTUN()
+	}
+
+	httpsrv := &http.Server{
+		Addr:    *addr,
+		Handler: mux,
+	}
+
+	var err error
+	if letsEncrypt {
+		if *certDir == "" {
+			log.Fatalf("missing required --certdir flag")
+		}
+		log.Printf("derper: serving on %s with TLS", *addr)
+		certManager := &autocert.Manager{
+			Prompt:     autocert.AcceptTOS,
+			HostPolicy: autocert.HostWhitelist(*hostname),
+			Cache:      autocert.DirCache(*certDir),
+		}
+		if *hostname == "derp.tailscale.com" {
+			certManager.HostPolicy = prodAutocertHostPolicy
+			certManager.Email = "security@tailscale.com"
+		}
+		httpsrv.TLSConfig = certManager.TLSConfig()
+		go func() {
+			err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
+			if err != nil {
+				if err != http.ErrServerClosed {
+					log.Fatal(err)
+				}
+			}
+		}()
+		err = httpsrv.ListenAndServeTLS("", "")
+	} else {
+		log.Printf("derper: serving on %s", *addr)
+		err = httpsrv.ListenAndServe()
+	}
+	if err != nil && err != http.ErrServerClosed {
+		log.Fatalf("derper: %v", err)
+	}
+}
+
+func debugHandler(s *derp.Server) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.RequestURI == "/debug/check" {
+			err := s.ConsistencyCheck()
+			if err != nil {
+				http.Error(w, err.Error(), 500)
+			} else {
+				io.WriteString(w, "derp.Server ConsistencyCheck okay")
+			}
+			return
+		}
+		f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
+		f(`<html><body>
+<h1>DERP debug</h1>
+<ul>
+`)
+		f("<li><b>Hostname:</b> %v</li>\n", *hostname)
+		f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
+		f("<li><b>Mesh Key:</b> %v</li>\n", s.HasMeshKey())
+		f("<li><b>Version:</b> %v</li>\n", version.LONG)
+
+		f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
+   <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
+   <li><a href="/debug/pprof/">/debug/pprof/</a></li>
+   <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine</a> (collapsed)</li>
+   <li><a href="/debug/pprof/goroutine?debug=2">/debug/pprof/goroutine</a> (full)</li>
+   <li><a href="/debug/check">/debug/check</a> internal consistency check</li>
+<ul>
+</html>
+`)
+	})
+}
+
+func serveSTUN() {
+	pc, err := net.ListenPacket("udp", ":3478")
+	if err != nil {
+		log.Fatalf("failed to open STUN listener: %v", err)
+	}
+	log.Printf("running STUN server on %v", pc.LocalAddr())
+
+	var (
+		stats           = new(metrics.Set)
+		stunDisposition = &metrics.LabelMap{Label: "disposition"}
+		stunAddrFamily  = &metrics.LabelMap{Label: "family"}
+
+		stunReadError  = stunDisposition.Get("read_error")
+		stunNotSTUN    = stunDisposition.Get("not_stun")
+		stunWriteError = stunDisposition.Get("write_error")
+		stunSuccess    = stunDisposition.Get("success")
+
+		stunIPv4 = stunAddrFamily.Get("ipv4")
+		stunIPv6 = stunAddrFamily.Get("ipv6")
+	)
+	stats.Set("counter_requests", stunDisposition)
+	stats.Set("counter_addrfamily", stunAddrFamily)
+	expvar.Publish("stun", stats)
+
+	var buf [64 << 10]byte
+	for {
+		n, addr, err := pc.ReadFrom(buf[:])
+		if err != nil {
+			log.Printf("STUN ReadFrom: %v", err)
+			time.Sleep(time.Second)
+			stunReadError.Add(1)
+			continue
+		}
+		ua, ok := addr.(*net.UDPAddr)
+		if !ok {
+			log.Printf("STUN unexpected address %T %v", addr, addr)
+			stunReadError.Add(1)
+			continue
+		}
+		pkt := buf[:n]
+		if !stun.Is(pkt) {
+			stunNotSTUN.Add(1)
+			continue
+		}
+		txid, err := stun.ParseBindingRequest(pkt)
+		if err != nil {
+			stunNotSTUN.Add(1)
+			continue
+		}
+		if ua.IP.To4() != nil {
+			stunIPv4.Add(1)
+		} else {
+			stunIPv6.Add(1)
+		}
+		res := stun.Response(txid, ua.IP, uint16(ua.Port))
+		_, err = pc.WriteTo(res, addr)
+		if err != nil {
+			stunWriteError.Add(1)
+		} else {
+			stunSuccess.Add(1)
+		}
+	}
+}
+
+var validProdHostname = regexp.MustCompile(`^derp([^.]*)\.tailscale\.com\.?$`)
+
+func prodAutocertHostPolicy(_ context.Context, host string) error {
+	if validProdHostname.MatchString(host) {
+		return nil
+	}
+	return errors.New("invalid hostname")
+}
+
+func defaultMeshPSKFile() string {
+	try := []string{
+		"/home/derp/keys/derp-mesh.key",
+		filepath.Join(os.Getenv("HOME"), "keys", "derp-mesh.key"),
+	}
+	for _, p := range try {
+		if _, err := os.Stat(p); err == nil {
+			return p
+		}
+	}
+	return ""
+}

cmd/derper/derper_test.go

@@ -0,0 +1,35 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"context"
+	"testing"
+)
+
+func TestProdAutocertHostPolicy(t *testing.T) {
+	tests := []struct {
+		in     string
+		wantOK bool
+	}{
+		{"derp.tailscale.com", true},
+		{"derp.tailscale.com.", true},
+		{"derp1.tailscale.com", true},
+		{"derp1b.tailscale.com", true},
+		{"derp2.tailscale.com", true},
+		{"derp02.tailscale.com", true},
+		{"derp-nyc.tailscale.com", true},
+		{"derpfoo.tailscale.com", true},
+		{"derp02.bar.tailscale.com", false},
+		{"example.net", false},
+	}
+	for _, tt := range tests {
+		got := prodAutocertHostPolicy(context.Background(), tt.in) == nil
+		if got != tt.wantOK {
+			t.Errorf("f(%q) = %v; want %v", tt.in, got, tt.wantOK)
+		}
+	}
+
+}

cmd/derper/mesh.go

@@ -0,0 +1,45 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"strings"
+
+	"tailscale.com/derp"
+	"tailscale.com/derp/derphttp"
+	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
+)
+
+func startMesh(s *derp.Server) error {
+	if *meshWith == "" {
+		return nil
+	}
+	if !s.HasMeshKey() {
+		return errors.New("--mesh-with requires --mesh-psk-file")
+	}
+	for _, host := range strings.Split(*meshWith, ",") {
+		if err := startMeshWithHost(s, host); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func startMeshWithHost(s *derp.Server, host string) error {
+	logf := logger.WithPrefix(log.Printf, fmt.Sprintf("mesh(%q): ", host))
+	c, err := derphttp.NewClient(s.PrivateKey(), "https://"+host+"/derp", logf)
+	if err != nil {
+		return err
+	}
+	c.MeshKey = s.MeshKey()
+	add := func(k key.Public) { s.AddPacketForwarder(k, c) }
+	remove := func(k key.Public) { s.RemovePacketForwarder(k, c) }
+	go c.RunWatchConnectionLoop(s.PublicKey(), add, remove)
+	return nil
+}

cmd/microproxy/microproxy.go

@@ -0,0 +1,175 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// microproxy proxies incoming HTTPS connections to another
+// destination. Instead of managing its own TLS certificates, it
+// borrows issued certificates and keys from an autocert directory.
+package main
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"tailscale.com/logpolicy"
+	"tailscale.com/tsweb"
+)
+
+var (
+	addr          = flag.String("addr", ":4430", "server address")
+	certdir       = flag.String("certdir", "", "directory to borrow LetsEncrypt certificates from")
+	hostname      = flag.String("hostname", "", "hostname to serve")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	nodeExporter  = flag.String("node-exporter", "http://localhost:9100", "URL of the local prometheus node exporter")
+	goVarsURL     = flag.String("go-vars-url", "http://localhost:8383/debug/vars", "URL of a local Go server's /debug/vars endpoint")
+)
+
+func main() {
+	flag.Parse()
+
+	if *logCollection != "" {
+		logpolicy.New(*logCollection)
+	}
+
+	ne, err := url.Parse(*nodeExporter)
+	if err != nil {
+		log.Fatalf("Couldn't parse URL %q: %v", *nodeExporter, err)
+	}
+	proxy := httputil.NewSingleHostReverseProxy(ne)
+	proxy.FlushInterval = time.Second
+
+	if _, err = url.Parse(*goVarsURL); err != nil {
+		log.Fatalf("Couldn't parse URL %q: %v", *goVarsURL, err)
+	}
+
+	mux := tsweb.NewMux(http.HandlerFunc(debugHandler))
+	mux.Handle("/metrics", tsweb.Protected(proxy))
+	mux.Handle("/varz", tsweb.Protected(tsweb.StdHandler(&goVarsHandler{*goVarsURL}, log.Printf)))
+
+	ch := &certHolder{
+		hostname: *hostname,
+		path:     filepath.Join(*certdir, *hostname),
+	}
+
+	httpsrv := &http.Server{
+		Addr:    *addr,
+		Handler: mux,
+		TLSConfig: &tls.Config{
+			GetCertificate: ch.GetCertificate,
+		},
+	}
+
+	if err := httpsrv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+		log.Fatal(err)
+	}
+}
+
+type goVarsHandler struct {
+	url string
+}
+
+func promPrint(w io.Writer, prefix string, obj map[string]interface{}) {
+	for k, i := range obj {
+		if prefix != "" {
+			k = prefix + "_" + k
+		}
+		switch v := i.(type) {
+		case map[string]interface{}:
+			promPrint(w, k, v)
+		case float64:
+			fmt.Fprintf(w, "%s %f\n", k, v)
+		default:
+			fmt.Fprintf(w, "# Skipping key %q, unhandled type %T\n", k, v)
+		}
+	}
+}
+
+func (h *goVarsHandler) ServeHTTPReturn(w http.ResponseWriter, r *http.Request) error {
+	resp, err := http.Get(h.url)
+	if err != nil {
+		return tsweb.Error(http.StatusInternalServerError, "fetch failed", err)
+	}
+	defer resp.Body.Close()
+	var mon map[string]interface{}
+	if err := json.NewDecoder(resp.Body).Decode(&mon); err != nil {
+		return tsweb.Error(http.StatusInternalServerError, "fetch failed", err)
+	}
+
+	w.WriteHeader(http.StatusOK)
+	promPrint(w, "", mon)
+	return nil
+}
+
+// certHolder loads and caches a TLS certificate from disk, reloading
+// it every hour.
+type certHolder struct {
+	hostname string // only hostname allowed in SNI
+	path     string // path of certificate+key combined PEM file
+
+	mu     sync.Mutex
+	cert   *tls.Certificate // cached parsed cert+key
+	loaded time.Time
+}
+
+func (c *certHolder) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if ch.ServerName != c.hostname {
+		return nil, fmt.Errorf("wrong client SNI %q", ch.ServerName)
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if time.Since(c.loaded) > time.Hour {
+		if err := c.loadLocked(); err != nil {
+			log.Printf("Reloading cert %q: %v", c.path, err)
+			// continue anyway, we might be able to serve off the stale cert.
+		}
+	}
+	return c.cert, nil
+}
+
+// load reloads the TLS certificate and key from disk. Caller must
+// hold mu.
+func (c *certHolder) loadLocked() error {
+	bs, err := ioutil.ReadFile(c.path)
+	if err != nil {
+		return fmt.Errorf("reading %q: %v", c.path, err)
+	}
+	cert, err := tls.X509KeyPair(bs, bs)
+	if err != nil {
+		return fmt.Errorf("parsing %q: %v", c.path, err)
+	}
+
+	c.cert = &cert
+	c.loaded = time.Now()
+	return nil
+}
+
+// debugHandler serves a page with links to tsweb-managed debug URLs
+// at /debug/.
+func debugHandler(w http.ResponseWriter, r *http.Request) {
+	f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
+	f(`<html><body>
+<h1>microproxy debug</h1>
+<ul>
+`)
+	f("<li><b>Hostname:</b> %v</li>\n", *hostname)
+	f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
+	f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
+   <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
+   <li><a href="/debug/pprof/">/debug/pprof/</a></li>
+   <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine</a> (collapsed)</li>
+   <li><a href="/debug/pprof/goroutine?debug=2">/debug/pprof/goroutine</a> (full)</li>
+<ul>
+</html>
+`)
+}

cmd/mkpkg/main.go

@@ -0,0 +1,118 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// mkpkg builds the Tailscale rpm and deb packages.
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	"github.com/goreleaser/nfpm"
+	_ "github.com/goreleaser/nfpm/deb"
+	_ "github.com/goreleaser/nfpm/rpm"
+	"github.com/pborman/getopt"
+)
+
+// parseFiles parses a comma-separated list of colon-separated pairs
+// into a map of filePathOnDisk -> filePathInPackage.
+func parseFiles(s string) (map[string]string, error) {
+	ret := map[string]string{}
+	for _, f := range strings.Split(s, ",") {
+		fs := strings.Split(f, ":")
+		if len(fs) != 2 {
+			return nil, fmt.Errorf("unparseable file field %q", f)
+		}
+		ret[fs[0]] = fs[1]
+	}
+	return ret, nil
+}
+
+func parseEmptyDirs(s string) []string {
+	// strings.Split("", ",") would return []string{""}, which is not suitable:
+	// this would create an empty dir record with path "", breaking the package
+	if s == "" {
+		return nil
+	}
+	return strings.Split(s, ",")
+}
+
+func main() {
+	out := getopt.StringLong("out", 'o', "", "output file to write")
+	goarch := getopt.StringLong("arch", 'a', "amd64", "GOARCH this package is for")
+	pkgType := getopt.StringLong("type", 't', "deb", "type of package to build (deb or rpm)")
+	files := getopt.StringLong("files", 'F', "", "comma-separated list of files in src:dst form")
+	configFiles := getopt.StringLong("configs", 'C', "", "like --files, but for files marked as user-editable config files")
+	emptyDirs := getopt.StringLong("emptydirs", 'E', "", "comma-separated list of empty directories")
+	version := getopt.StringLong("version", 0, "0.0.0", "version of the package")
+	postinst := getopt.StringLong("postinst", 0, "", "debian postinst script path")
+	prerm := getopt.StringLong("prerm", 0, "", "debian prerm script path")
+	postrm := getopt.StringLong("postrm", 0, "", "debian postrm script path")
+	replaces := getopt.StringLong("replaces", 0, "", "package which this package replaces, if any")
+	depends := getopt.StringLong("depends", 0, "", "comma-separated list of packages this package depends on")
+	getopt.Parse()
+
+	filesMap, err := parseFiles(*files)
+	if err != nil {
+		log.Fatalf("Parsing --files: %v", err)
+	}
+	configsMap, err := parseFiles(*configFiles)
+	if err != nil {
+		log.Fatalf("Parsing --configs: %v", err)
+	}
+	emptyDirList := parseEmptyDirs(*emptyDirs)
+	info := nfpm.WithDefaults(&nfpm.Info{
+		Name:        "tailscale",
+		Arch:        *goarch,
+		Platform:    "linux",
+		Version:     *version,
+		Maintainer:  "Tailscale Inc <info@tailscale.com>",
+		Description: "The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO",
+		Homepage:    "https://www.tailscale.com",
+		License:     "MIT",
+		Overridables: nfpm.Overridables{
+			EmptyFolders: emptyDirList,
+			Files:        filesMap,
+			ConfigFiles:  configsMap,
+			Scripts: nfpm.Scripts{
+				PostInstall: *postinst,
+				PreRemove:   *prerm,
+				PostRemove:  *postrm,
+			},
+		},
+	})
+
+	if len(*depends) != 0 {
+		info.Overridables.Depends = strings.Split(*depends, ",")
+	}
+	if *replaces != "" {
+		info.Overridables.Replaces = []string{*replaces}
+		info.Overridables.Conflicts = []string{*replaces}
+	}
+
+	switch *pkgType {
+	case "deb":
+		info.Section = "net"
+		info.Priority = "extra"
+	case "rpm":
+		info.Overridables.RPM.Group = "Network"
+	}
+
+	pkg, err := nfpm.Get(*pkgType)
+	if err != nil {
+		log.Fatalf("Getting packager for %q: %v", *pkgType, err)
+	}
+
+	f, err := os.Create(*out)
+	if err != nil {
+		log.Fatalf("Creating output file %q: %v", *out, err)
+	}
+	defer f.Close()
+
+	if err := pkg.Package(info, f); err != nil {
+		log.Fatalf("Creating package %q: %v", *out, err)
+	}
+}

cmd/relaynode/.gitignore

@@ -1,14 +0,0 @@
-/*.tar.gz
-/*.deb
-/*.rpm
-/*.spec
-/pkgver
-debian/changelog
-debian/debhelper-build-stamp
-debian/files
-debian/*.log
-debian/*.substvars
-debian/*.debhelper
-debian/tailscale-relay
-/tailscale-relay/
-/tailscale-relay-*

cmd/relaynode/acl.json

@@ -1,63 +0,0 @@
-{
-  // Declare static groups of users beyond those in the identity service
-  "Groups": {
-    "group:eng": ["u1@example.com", "u2@example.com"]
-  },
-
-  // Declare convenient hostname aliases to use in place of IP addresses
-  "Hosts": {
-    "h222": "100.2.2.2"
-  },
-
-  // Access control list
-  "ACLs": [
-    {
-        "Action": "accept",
-        // Match any of several users
-        "Users": ["a@example.com", "b@example.com"],
-        // Match any port on h222, and port 22 of 10.1.2.3
-        "Ports": ["h222:*", "10.1.2.3:22"]
-    },
-    {
-        "Action": "accept",
-        // Match any user at all
-        "Users": ["*"],
-        // Match port 80 on one machine, ports 53 and 5353 on a second one,
-        // and ports 8000 through 8080 (a port range) on a third one.
-        "Ports": ["h222:80", "10.8.8.8:53,5353", "10.2.3.4:8000-8080"]
-    },
-    {
-        "Action": "accept",
-        // Match all users in the "Admin" role (network administrators)
-        "Users": ["role:Admin", "group:eng"],
-        // Allow access to port 22 on all servers
-        "Ports": ["*:22"]
-    },
-    {
-        "Action": "accept",
-        "Users": ["role:User"],
-        // Match only windows and linux workstations (not implemented yet)
-        "OS": ["windows", "linux"],
-        // Only desktop machines are allowed to access this server
-        "Ports": ["10.1.1.1:443"]
-    },
-    {
-        "Action": "accept",
-        "Users": ["*"],
-        // Match machines which have never been authorized, or which expired.
-        // (not implemented yet)
-        "MachineAuth": ["unauthorized", "expired"],
-        // Logged-in users on unauthorized machines can access the email server.
-        // Open the TLS ports for SMTP, IMAP, and HTTP.
-        "Ports": ["10.1.2.3:465", "10.1.2.3:993", "10.1.2.3:443"]
-    },
-
-    // Match absolutely everything. Comment out this section if you want
-    // the above ACLs to apply.
-    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
-
-    // Leave this line here so that every rule can end in a comma.
-    // It has no effect since it has no matching rules.
-    {"Action": "accept"}
-  ]
-}

cmd/relaynode/clean.do

@@ -1 +0,0 @@
-rm -f debian/changelog *~ debian/*~

cmd/relaynode/clean.od

@@ -1,13 +0,0 @@
-exec >&2
-read -r package <package
-rm -f *~ .*~ \
-	debian/*~ debian/changelog debian/debhelper-build-stamp \
-	debian/*.log debian/files debian/*.substvars debian/*.debhelper \
-	*.tar.gz *.deb *.rpm *.spec pkgver relaynode *.exe
-[ -n "$package" ] && rm -rf "debian/$package"
-for d in */.stamp; do
-	if [ -e "$d" ]; then
-		dir=$(dirname "$d")
-		rm -rf "$dir"
-	fi
-done

cmd/relaynode/deb.od

@@ -1,10 +0,0 @@
-exec >&2
-dir=${1%/*}
-redo-ifchange "$S/$dir/package" "$S/oss/version/short.txt"
-read -r package <"$S/$dir/package"
-read -r version <"$S/oss/version/short.txt"
-arch=$(dpkg --print-architecture)
-
-redo-ifchange "$dir/${package}_$arch.deb"
-rm -f "$dir/${package}"_*_"$arch.deb"
-ln -sf "${package}_$arch.deb" "$dir/${package}_${version}_$arch.deb"

cmd/relaynode/debian/README.Debian

@@ -1 +0,0 @@
-Tailscale IPN relay daemon.

cmd/relaynode/debian/changelog.do

@@ -1,5 +0,0 @@
-redo-ifchange ../../../version/short.txt gen-changelog
-(
-	cd ..
-	debian/gen-changelog
-) >$3

cmd/relaynode/debian/compat

@@ -1 +0,0 @@
-9

cmd/relaynode/debian/control

@@ -1,14 +0,0 @@
-Source: tailscale-relay
-Section: net
-Priority: extra
-Maintainer: Avery Pennarun <apenwarr@tailscale.com>
-Build-Depends: debhelper (>= 10.2.5), dh-systemd (>= 1.5)
-Standards-Version: 3.9.2
-Homepage: https://tailscale.com/
-Vcs-Git: https://github.com/tailscale/tailscale
-Vcs-Browser: https://github.com/tailscale/tailscale
-
-Package: tailscale-relay
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Traffic relay node for Tailscale IPN

cmd/relaynode/debian/copyright

@@ -1,11 +0,0 @@
-Format: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=173
-Upstream-Name: tailscale-relay
-Upstream-Contact: Avery Pennarun <apenwarr@tailscale.com>
-Source: https://github.com/tailscale/tailscale/
-
-Files: *
-Copyright: © 2019 Tailscale Inc. <info@tailscale.com>
-License: Proprietary
- *
- * Copyright 2019 Tailscale Inc. All rights reserved.
- *

cmd/relaynode/debian/gen-changelog

@@ -1,25 +0,0 @@
-#!/bin/sh
-read junk pkgname <debian/control
-read shortver <../../version/short.txt
-git log --pretty='format:'"$pkgname"' (SHA:%H) unstable; urgency=low
-
-  * %s
-  
- -- %aN <%aE>  %aD
-' . |
-python -Sc '
-import os, re, subprocess, sys
-
-first = True
-def Describe(g):
-  global first
-  if first:
-    s = sys.argv[1]
-    first = False
-  else:
-    sha = g.group(1)
-    s = subprocess.check_output(["git", "describe", "--always", "--", sha]).strip().decode("utf-8")
-  return re.sub(r"^\D*", "", s)
-
-print(re.sub(r"SHA:([0-9a-f]+)", Describe, sys.stdin.read()))
-' "$shortver"

cmd/relaynode/debian/install

@@ -1,4 +0,0 @@
-relaynode			/usr/sbin
-tailscale-login			/usr/sbin
-taillogin			/usr/sbin
-acl.json			/etc/tailscale

cmd/relaynode/debian/postinst

@@ -1,8 +0,0 @@
-#DEBHELPER#
-
-f=/var/lib/tailscale/relay.conf
-if ! [ -e "$f" ]; then
-	echo
-	echo "Note: Run tailscale-login to configure $f." >&2
-	echo
-fi

cmd/relaynode/debian/rules

@@ -1,10 +0,0 @@
-#!/usr/bin/make -f
-DESTDIR=debian/tailscale-relay
-
-override_dh_auto_test:
-override_dh_auto_install:
-	mkdir -p "${DESTDIR}/etc/default"
-	cp tailscale-relay.defaults "${DESTDIR}/etc/default/tailscale-relay"
-
-%:
-	dh $@ --with=systemd

cmd/relaynode/debian/tailscale-relay.service

@@ -1,12 +0,0 @@
-[Unit]
-Description=Traffic relay node for Tailscale IPN
-After=network.target
-ConditionPathExists=/var/lib/tailscale/relay.conf
-
-[Service]
-EnvironmentFile=/etc/default/tailscale-relay
-ExecStart=/usr/sbin/relaynode --config=/var/lib/tailscale/relay.conf --tun=wg0 $PORT $ACL_FILE $FLAGS
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

cmd/relaynode/default.deb.od

@@ -1,20 +0,0 @@
-exec >&2
-dir=${1%/*}
-redo-ifchange "$S/oss/version/short.txt" "$S/$dir/package" "$dir/debtmp.dir"
-read -r package <"$S/$dir/package"
-read -r version <"$S/oss/version/short.txt"
-arch=$(dpkg --print-architecture)
-
-(
-	cd "$S/$dir"
-	git ls-files debian | xargs redo-ifchange debian/changelog
-)
-cp -a "$S/$dir/debian" "$dir/debtmp/"
-rm -f "$dir/debtmp/debian/$package.debhelper.log"
-(
-	cd "$dir/debtmp" &&
-	debian/rules build &&
-	fakeroot debian/rules binary
-)
-
-mv "$dir/${package}_${version}_${arch}.deb" "$3"

cmd/relaynode/default.dir.od

@@ -1,21 +0,0 @@
-# Generate a directory tree suitable for forming a tarball of
-# this package.
-exec >&2
-dir=${1%/*}
-outdir=$PWD/${1%.dir}
-rm -rf "$outdir"
-mkdir "$outdir"
-touch $outdir/.stamp
-sfiles="
-	tailscale-login
-	acl.json
-	debian/*.service
-	*.defaults
-"
-ofiles="
-	relaynode
-	../taillogin/taillogin
-"
-redo-ifchange "$outdir/.stamp"
-(cd "$S/$dir" && redo-ifchange $sfiles && cp $sfiles "$outdir/")
-(cd "$dir" && redo-ifchange $ofiles && cp $ofiles "$outdir/")

cmd/relaynode/default.rpm.od

@@ -1,14 +0,0 @@
-exec >&2
-dir=${1%/*}
-pkg=${1##*/}
-pkg=${pkg%.rpm}
-redo-ifchange "$S/oss/version/short.txt" "$dir/$pkg.tar.gz" "$dir/$pkg.spec"
-read -r pkgver junk <"$S/oss/version/short.txt"
-
-machine=$(uname -m)
-rpmbase=$HOME/rpmbuild
-
-mkdir -p "$rpmbase/SOURCES/"
-cp "$dir/$pkg.tar.gz" "$rpmbase/SOURCES/"
-rpmbuild -bb "$dir/$pkg.spec"
-mv "$rpmbase/RPMS/$machine/$pkg-$pkgver.$machine.rpm" $3

cmd/relaynode/default.spec.od

@@ -1,7 +0,0 @@
-redo-ifchange "$S/$1.in" "$S/oss/version/short.txt"
-read -r pkgver junk <"$S/oss/version/short.txt"
-basever=${pkgver%-*}
-subver=${pkgver#*-}
-sed -e "s/Version: 0.00$/Version: $basever/" \
-    -e "s/Release: 0$/Release: $subver/" \
-	<"$S/$1.in" >"$3"

cmd/relaynode/default.tar.gz.od

@@ -1,8 +0,0 @@
-exec >&2
-xdir=${1%.tar.gz}
-base=${xdir##*/}
-updir=${xdir%/*}
-redo-ifchange "$xdir.dir"
-OUT="$PWD/$3"
-
-cd "$updir" && tar -czvf "$OUT" --exclude "$base/.stamp" "$base"

cmd/relaynode/dist.od

@@ -1,15 +0,0 @@
-# Build packages for customer distribution.
-dir=${1%/*}
-cd "$dir"
-targets="tarball"
-if which dh_clean fakeroot dpkg >/dev/null; then
-	targets="$targets deb"
-else
-	echo "Skipping debian packages: debhelper and/or dpkg build tools missing." >&2
-fi
-if which rpm >/dev/null; then
-	targets="$targets rpm"
-else
-	echo "Skipping rpm packages: rpm build tools missing." >&2
-fi
-redo-ifchange $targets

cmd/relaynode/docker/.gitignore

@@ -1 +0,0 @@
-/relaynode

cmd/relaynode/docker/Dockerfile

@@ -1,17 +0,0 @@
-# Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-# Build with: docker build -t tailcontrol-alpine .
-# Run with: docker run --cap-add=NET_ADMIN --device=/dev/net/tun:/dev/net/tun -it tailcontrol-alpine
-
-FROM debian:stretch-slim
-
-RUN apt-get update && apt-get -y install iproute2 iptables
-RUN apt-get -y install ca-certificates
-RUN apt-get -y install nginx-light
-
-COPY relaynode /
-
-# tailcontrol -tun=wg0 -dbdir=$HOME/taildb >> tailcontrol.log 2>&1 &
-CMD ["/relaynode", "-R", "--config", "relay.conf"]

cmd/relaynode/docker/all.do

@@ -1 +0,0 @@
-redo-ifchange build

cmd/relaynode/docker/build.do

@@ -1,3 +0,0 @@
-exec >&2
-redo-ifchange Dockerfile relaynode
-docker build -t tailscale .

cmd/relaynode/docker/relaynode.do

@@ -1,2 +0,0 @@
-redo-ifchange ../relaynode
-cp ../relaynode $3

cmd/relaynode/docker/run.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-# Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-set -e
-redo-ifchange build
-docker run --cap-add=NET_ADMIN \
-	--device=/dev/net/tun:/dev/net/tun \
-	-it tailscale

cmd/relaynode/package

@@ -1 +0,0 @@
-tailscale-relay

cmd/relaynode/relaynode.go

@@ -1,300 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Relaynode is the old Linux Tailscale daemon.
-//
-// Deprecated: this program will be soon deleted. The replacement is
-// cmd/tailscaled.
-package main // import "tailscale.com/cmd/relaynode"
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net/http"
-	"net/http/pprof"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-	"time"
-
-	"github.com/apenwarr/fixconsole"
-	"github.com/google/go-cmp/cmp"
-	"github.com/klauspost/compress/zstd"
-	"github.com/pborman/getopt/v2"
-	"github.com/tailscale/wireguard-go/wgcfg"
-	"tailscale.com/atomicfile"
-	"tailscale.com/control/controlclient"
-	"tailscale.com/control/policy"
-	"tailscale.com/logpolicy"
-	"tailscale.com/version"
-	"tailscale.com/wgengine"
-	"tailscale.com/wgengine/filter"
-	"tailscale.com/wgengine/magicsock"
-)
-
-func main() {
-	err := fixconsole.FixConsoleIfNeeded()
-	if err != nil {
-		log.Printf("fixConsoleOutput: %v\n", err)
-	}
-	config := getopt.StringLong("config", 'f', "", "path to config file")
-	server := getopt.StringLong("server", 's', "https://login.tailscale.com", "URL to tailcontrol server")
-	listenport := getopt.Uint16Long("port", 'p', magicsock.DefaultPort, "WireGuard port (0=autoselect)")
-	tunname := getopt.StringLong("tun", 0, "wg0", "tunnel interface name")
-	alwaysrefresh := getopt.BoolLong("always-refresh", 0, "force key refresh at startup")
-	fake := getopt.BoolLong("fake", 0, "fake tunnel+routing instead of tuntap")
-	nuroutes := getopt.BoolLong("no-single-routes", 'N', "disallow (non-subnet) routes to single nodes")
-	rroutes := getopt.BoolLong("remote-routes", 'R', "allow routing subnets to remote nodes")
-	droutes := getopt.BoolLong("default-routes", 'D', "allow default route on remote node")
-	routes := getopt.StringLong("routes", 0, "", "list of IP ranges this node can relay")
-	aclfile := getopt.StringLong("acl-file", 0, "", "restrict traffic relaying according to json ACL file")
-	derp := getopt.BoolLong("derp", 0, "enable bypass via Detour Encrypted Routing Protocol (DERP)", "false")
-	debug := getopt.StringLong("debug", 0, "", "Address of debug server")
-	getopt.Parse()
-	if len(getopt.Args()) > 0 {
-		log.Fatalf("too many non-flag arguments: %#v", getopt.Args()[0])
-	}
-	uflags := controlclient.UFlagsHelper(!*nuroutes, *rroutes, *droutes)
-	if *config == "" {
-		log.Fatal("no --config file specified")
-	}
-	if *tunname == "" {
-		log.Printf("Warning: no --tun device specified; routing disabled.\n")
-	}
-
-	pol := logpolicy.New("tailnode.log.tailscale.io", *config)
-
-	logf := wgengine.RusagePrefixLog(log.Printf)
-
-	// The wgengine takes a wireguard configuration produced by the
-	// controlclient, and runs the actual tunnels and packets.
-	var e wgengine.Engine
-	if *fake {
-		e, err = wgengine.NewFakeUserspaceEngine(logf, *listenport, *derp)
-	} else {
-		e, err = wgengine.NewUserspaceEngine(logf, *tunname, *listenport, *derp)
-	}
-	if err != nil {
-		log.Fatalf("Error starting wireguard engine: %v\n", err)
-	}
-
-	e = wgengine.NewWatchdog(e)
-	var lastacljson string
-	var p *policy.Policy
-
-	if *aclfile == "" {
-		e.SetFilter(nil)
-	} else {
-		lastacljson = readOrFatal(*aclfile)
-		p = installFilterOrFatal(e, *aclfile, lastacljson, nil)
-	}
-
-	var lastNetMap *controlclient.NetworkMap
-	var lastUserMap map[string][]filter.IP
-	statusFunc := func(new controlclient.Status) {
-		if new.URL != "" {
-			fmt.Fprintf(os.Stderr, "To authenticate, visit:\n\n\t%s\n\n", new.URL)
-			return
-		}
-		if new.Err != "" {
-			log.Print(new.Err)
-			return
-		}
-		if new.Persist != nil {
-			if err := saveConfig(*config, *new.Persist); err != nil {
-				log.Println(err)
-			}
-		}
-
-		if m := new.NetMap; m != nil {
-			if lastNetMap != nil {
-				s1 := strings.Split(lastNetMap.Concise(), "\n")
-				s2 := strings.Split(new.NetMap.Concise(), "\n")
-				logf("netmap diff:\n%v\n", cmp.Diff(s1, s2))
-			}
-			lastNetMap = m
-
-			if m.Equal(&controlclient.NetworkMap{}) {
-				return
-			}
-
-			wgcfg, err := m.WGCfg(uflags, m.DNS)
-			if err != nil {
-				log.Fatalf("Error getting wg config: %v\n", err)
-			}
-			err = e.Reconfig(wgcfg, m.DNSDomains)
-			if err != nil {
-				log.Fatalf("Error reconfiguring engine: %v\n", err)
-			}
-			lastUserMap = m.UserMap()
-			if p != nil {
-				matches, err := p.Expand(lastUserMap)
-				if err != nil {
-					log.Fatalf("Error expanding ACLs: %v\n", err)
-				}
-				e.SetFilter(filter.New(matches))
-			}
-		}
-	}
-
-	cfg, err := loadConfig(*config)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	hi := controlclient.NewHostinfo()
-	hi.FrontendLogID = pol.PublicID.String()
-	hi.BackendLogID = pol.PublicID.String()
-	if *routes != "" {
-		for _, routeStr := range strings.Split(*routes, ",") {
-			cidr, err := wgcfg.ParseCIDR(routeStr)
-			if err != nil {
-				log.Fatalf("--routes: not an IP range: %s", routeStr)
-			}
-			hi.RoutableIPs = append(hi.RoutableIPs, *cidr)
-		}
-	}
-
-	c, err := controlclient.New(controlclient.Options{
-		Persist:   cfg,
-		ServerURL: *server,
-		Hostinfo:  &hi,
-		NewDecompressor: func() (controlclient.Decompressor, error) {
-			return zstd.NewReader(nil)
-		},
-		KeepAlive: true,
-	})
-	c.SetStatusFunc(statusFunc)
-	if err != nil {
-		log.Fatal(err)
-	}
-	lf := controlclient.LoginDefault
-	if *alwaysrefresh {
-		lf |= controlclient.LoginInteractive
-	}
-	c.Login(nil, lf)
-
-	// Print the wireguard status when we get an update.
-	e.SetStatusCallback(func(s *wgengine.Status, err error) {
-		if err != nil {
-			log.Fatalf("Wireguard engine status error: %v\n", err)
-		}
-		var ss []string
-		for _, p := range s.Peers {
-			if p.LastHandshake.IsZero() {
-				ss = append(ss, "x")
-			} else {
-				ss = append(ss, fmt.Sprintf("%d/%d", p.RxBytes, p.TxBytes))
-			}
-		}
-		logf("v%v peers: %v\n", version.LONG, strings.Join(ss, " "))
-		c.UpdateEndpoints(0, s.LocalAddrs)
-	})
-
-	if *debug != "" {
-		go runDebugServer(*debug)
-	}
-
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, os.Interrupt)
-	signal.Notify(sigCh, syscall.SIGTERM)
-
-	t := time.NewTicker(5 * time.Second)
-loop:
-	for {
-		select {
-		case <-t.C:
-			// For the sake of curiosity, request a status
-			// update periodically.
-			e.RequestStatus()
-
-			// check if aclfile has changed.
-			// TODO(apenwarr): use fsnotify instead of polling?
-			if *aclfile != "" {
-				json := readOrFatal(*aclfile)
-				if json != lastacljson {
-					logf("ACL file (%v) changed. Reloading filter.\n", *aclfile)
-					lastacljson = json
-					p = installFilterOrFatal(e, *aclfile, json, lastUserMap)
-				}
-			}
-		case <-sigCh:
-			logf("signal received, exiting")
-			t.Stop()
-			break loop
-		}
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-	defer cancel()
-
-	e.Close()
-	pol.Shutdown(ctx)
-}
-
-func loadConfig(path string) (cfg controlclient.Persist, err error) {
-	b, err := ioutil.ReadFile(path)
-	if os.IsNotExist(err) {
-		log.Printf("config %s does not exist", path)
-		return controlclient.Persist{}, nil
-	}
-	if err := json.Unmarshal(b, &cfg); err != nil {
-		return controlclient.Persist{}, fmt.Errorf("load config: %v", err)
-	}
-	return cfg, nil
-}
-
-func saveConfig(path string, cfg controlclient.Persist) error {
-	b, err := json.MarshalIndent(cfg, "", "\t")
-	if err != nil {
-		return fmt.Errorf("save config: %v", err)
-	}
-	if err := atomicfile.WriteFile(path, b, 0666); err != nil {
-		return fmt.Errorf("save config: %v", err)
-	}
-	return nil
-}
-
-func readOrFatal(filename string) string {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		log.Fatalf("%v: ReadFile: %v\n", filename, err)
-	}
-	return string(b)
-}
-
-func installFilterOrFatal(e wgengine.Engine, filename, acljson string, usermap map[string][]filter.IP) *policy.Policy {
-	p, err := policy.Parse(acljson)
-	if err != nil {
-		log.Fatalf("%v: json filter: %v\n", filename, err)
-	}
-
-	matches, err := p.Expand(usermap)
-	if err != nil {
-		log.Fatalf("%v: json filter: %v\n", filename, err)
-	}
-
-	e.SetFilter(filter.New(matches))
-	return p
-}
-
-func runDebugServer(addr string) {
-	mux := http.NewServeMux()
-	mux.HandleFunc("/debug/pprof/", pprof.Index)
-	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
-	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
-	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
-	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
-	srv := http.Server{
-		Addr:    addr,
-		Handler: mux,
-	}
-	if err := srv.ListenAndServe(); err != nil {
-		log.Fatal(err)
-	}
-}

cmd/relaynode/rpm.od

@@ -1,9 +0,0 @@
-exec >&2
-dir=${2%/*}
-redo-ifchange "$S/$dir/package" "$S/oss/version/short.txt"
-read -r package <"$S/$dir/package"
-read -r pkgver <"$S/oss/version/short.txt"
-machine=$(uname -m)
-redo-ifchange "$dir/$package.rpm"
-rm -f "$dir/${package}"-*."$machine.rpm"
-ln -sf "$package.rpm" "$dir/$package-$pkgver.$machine.rpm"

cmd/relaynode/tailscale-login

@@ -1,4 +0,0 @@
-#!/bin/sh
-cfg=/var/lib/tailscale/relay.conf
-dir=$(dirname "$0")
-"$dir/taillogin" --config="$cfg"

cmd/relaynode/tailscale-relay.defaults

@@ -1,14 +0,0 @@
-# Set the port to listen on for incoming VPN packets.
-# Remote nodes will automatically be informed about the new port number,
-# but you might want to configure this in order to set external firewall
-# settings.
-PORT="--port=41641"
-
-# Comment out this line to allow all traffic to be relayed.
-# Or edit the given file to allow specific traffic.
-# The example file is unlikely to match any users on your network, so it
-# will block all incoming traffic by default.
-ACL_FILE="--acl-file=/etc/tailscale/acl.json"
-
-# Extra flags you might want to pass to relaynode.
-FLAGS=""

cmd/relaynode/tailscale-relay.spec.in

@@ -1,42 +0,0 @@
-Name: tailscale-relay
-Version: 0.00
-Release: 0
-Summary: Traffic relay node for Tailscale
-Group: Network
-License: Proprietary
-URL: https://tailscale.com/
-Vendor: Tailscale Inc.
-#Source: https://github.com/tailscale/tailscale
-Source0: tailscale-relay.tar.gz
-#Prefix: %{_prefix}
-Packager: Avery Pennarun <apenwarr@tailscale.com>
-BuildRoot: %{_tmppath}/%{name}-root
-
-%description
-Traffic relay node for Tailscale.
-
-%prep
-%setup -n tailscale-relay
-
-%build
-
-%install
-D=$RPM_BUILD_ROOT
-[ "$D" = "/" -o -z "$D" ] && exit 99
-rm -rf "$D"
-mkdir -p $D/usr/sbin $D/lib/systemd/system $D/etc/default $D/etc/tailscale
-cp taillogin tailscale-login relaynode $D/usr/sbin
-cp tailscale-relay.service $D/lib/systemd/system/
-cp tailscale-relay.defaults $D/etc/default/tailscale-relay
-cp acl.json $D/etc/tailscale/acl.json
-
-%clean
-
-%files
-%defattr(-,root,root)
-%config(noreplace) /etc/default/tailscale-relay
-%config(noreplace) /etc/tailscale/acl.json
-/lib/systemd/system/tailscale-relay.service
-/usr/sbin/taillogin
-/usr/sbin/tailscale-login
-/usr/sbin/relaynode

cmd/relaynode/tarball.od

@@ -1,7 +0,0 @@
-dir=${1%/*}
-redo-ifchange "$S/$dir/package" "$S/oss/version/short.txt"
-read -r package <"$S/$dir/package"
-read -r version <"$S/oss/version/short.txt"
-redo-ifchange "$dir/$package.tar.gz"
-rm -f "$dir/$package"-*.tar.gz
-ln -sf "$package.tar.gz" "$dir/$package-$version.tar.gz"

cmd/taillogin/taillogin.go

@@ -1,99 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The taillogin command, invoked via the tailscale-login shell script, is shipped
-// with the current (old) Linux client, to log in to Tailscale on a Linux box.
-//
-// Deprecated: this will be deleted, to be replaced by cmd/tailscale.
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"os"
-
-	"github.com/pborman/getopt/v2"
-	"tailscale.com/atomicfile"
-	"tailscale.com/control/controlclient"
-	"tailscale.com/logpolicy"
-)
-
-func main() {
-	config := getopt.StringLong("config", 'f', "", "path to config file")
-	server := getopt.StringLong("server", 's', "https://login.tailscale.com", "URL to tailgate server")
-	getopt.Parse()
-	if len(getopt.Args()) > 0 {
-		log.Fatal("too many non-flag arguments")
-	}
-	if *config == "" {
-		log.Fatal("no --config file specified")
-	}
-	pol := logpolicy.New("tailnode.log.tailscale.io", *config)
-	defer pol.Close()
-
-	cfg, err := loadConfig(*config)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	hi := controlclient.NewHostinfo()
-	hi.FrontendLogID = pol.PublicID.String()
-	hi.BackendLogID = pol.PublicID.String()
-
-	done := make(chan struct{}, 1)
-	c, err := controlclient.New(controlclient.Options{
-		Persist:   cfg,
-		ServerURL: *server,
-		Hostinfo:  &hi,
-	})
-	if err != nil {
-		log.Fatal(err)
-	}
-	c.SetStatusFunc(func(new controlclient.Status) {
-		if new.URL != "" {
-			fmt.Fprintf(os.Stderr, "To authenticate, visit:\n\n\t%s\n\n", new.URL)
-			return
-		}
-		if new.Err != "" {
-			log.Print(new.Err)
-			return
-		}
-		if new.Persist != nil {
-			if err := saveConfig(*config, *new.Persist); err != nil {
-				log.Println(err)
-			}
-		}
-		if new.NetMap != nil {
-			done <- struct{}{}
-		}
-	})
-	c.Login(nil, 0)
-	<-done
-	log.Printf("Success.\n")
-}
-
-func loadConfig(path string) (cfg controlclient.Persist, err error) {
-	b, err := ioutil.ReadFile(path)
-	if os.IsNotExist(err) {
-		log.Printf("config %s does not exist", path)
-		return controlclient.Persist{}, nil
-	}
-	if err := json.Unmarshal(b, &cfg); err != nil {
-		return controlclient.Persist{}, fmt.Errorf("load config: %v", err)
-	}
-	return cfg, nil
-}
-
-func saveConfig(path string, cfg controlclient.Persist) error {
-	b, err := json.MarshalIndent(cfg, "", "\t")
-	if err != nil {
-		return fmt.Errorf("save config: %v", err)
-	}
-	if err := atomicfile.WriteFile(path, b, 0666); err != nil {
-		return fmt.Errorf("save config: %v", err)
-	}
-	return nil
-}

cmd/tailscale/cli/cli.go

@@ -0,0 +1,128 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package cli contains the cmd/tailscale CLI code in a package that can be included
+// in other wrapper binaries such as the Mac and Windows clients.
+package cli
+
+import (
+	"context"
+	"flag"
+	"log"
+	"net"
+	"os"
+	"os/signal"
+	"runtime"
+	"strings"
+	"syscall"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/ipn"
+	"tailscale.com/paths"
+	"tailscale.com/safesocket"
+)
+
+// ActLikeCLI reports whether a GUI application should act like the
+// CLI based on os.Args, GOOS, the context the process is running in
+// (pty, parent PID), etc.
+func ActLikeCLI() bool {
+	if len(os.Args) < 2 {
+		return false
+	}
+	switch os.Args[1] {
+	case "up", "status", "netcheck", "version",
+		"-V", "--version", "-h", "--help":
+		return true
+	}
+	return false
+}
+
+// Run runs the CLI. The args do not include the binary name.
+func Run(args []string) error {
+	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
+		args = []string{"version"}
+	}
+
+	rootfs := flag.NewFlagSet("tailscale", flag.ExitOnError)
+	rootfs.StringVar(&rootArgs.socket, "socket", paths.DefaultTailscaledSocket(), "path to tailscaled's unix socket")
+
+	rootCmd := &ffcli.Command{
+		Name:       "tailscale",
+		ShortUsage: "tailscale subcommand [flags]",
+		ShortHelp:  "The easiest, most secure way to use WireGuard.",
+		LongHelp: strings.TrimSpace(`
+This CLI is still under active development. Commands and flags will
+change in the future.
+`),
+		Subcommands: []*ffcli.Command{
+			upCmd,
+			netcheckCmd,
+			statusCmd,
+			versionCmd,
+		},
+		FlagSet: rootfs,
+		Exec:    func(context.Context, []string) error { return flag.ErrHelp },
+	}
+
+	if err := rootCmd.Parse(args); err != nil {
+		return err
+	}
+
+	err := rootCmd.Run(context.Background())
+	if err == flag.ErrHelp {
+		return nil
+	}
+	return err
+}
+
+func fatalf(format string, a ...interface{}) {
+	log.SetFlags(0)
+	log.Fatalf(format, a...)
+}
+
+var rootArgs struct {
+	socket string
+}
+
+func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
+	c, err := safesocket.Connect(rootArgs.socket, 41112)
+	if err != nil {
+		if runtime.GOOS != "windows" && rootArgs.socket == "" {
+			fatalf("--socket cannot be empty")
+		}
+		fatalf("Failed to connect to connect to tailscaled. (safesocket.Connect: %v)\n", err)
+	}
+	clientToServer := func(b []byte) {
+		ipn.WriteMsg(c, b)
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+
+	go func() {
+		interrupt := make(chan os.Signal, 1)
+		signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
+		<-interrupt
+		c.Close()
+		cancel()
+	}()
+
+	bc := ipn.NewBackendClient(log.Printf, clientToServer)
+	return c, bc, ctx, cancel
+}
+
+// pump receives backend messages on conn and pushes them into bc.
+func pump(ctx context.Context, bc *ipn.BackendClient, conn net.Conn) {
+	defer conn.Close()
+	for ctx.Err() == nil {
+		msg, err := ipn.ReadMsg(conn)
+		if err != nil {
+			if ctx.Err() != nil {
+				return
+			}
+			log.Printf("ReadMsg: %v\n", err)
+			break
+		}
+		bc.GotNotifyMsg(msg)
+	}
+}

cmd/tailscale/cli/netcheck.go

@@ -0,0 +1,162 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/derp/derpmap"
+	"tailscale.com/net/dnscache"
+	"tailscale.com/net/netcheck"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/logger"
+)
+
+var netcheckCmd = &ffcli.Command{
+	Name:       "netcheck",
+	ShortUsage: "netcheck",
+	ShortHelp:  "Print an analysis of local network conditions",
+	Exec:       runNetcheck,
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("netcheck", flag.ExitOnError)
+		fs.StringVar(&netcheckArgs.format, "format", "", `output format; empty (for human-readable), "json" or "json-line"`)
+		fs.DurationVar(&netcheckArgs.every, "every", 0, "if non-zero, do an incremental report with the given frequency")
+		fs.BoolVar(&netcheckArgs.verbose, "verbose", false, "verbose logs")
+		return fs
+	})(),
+}
+
+var netcheckArgs struct {
+	format  string
+	every   time.Duration
+	verbose bool
+}
+
+func runNetcheck(ctx context.Context, args []string) error {
+	c := &netcheck.Client{
+		DNSCache: dnscache.Get(),
+	}
+	if netcheckArgs.verbose {
+		c.Logf = logger.WithPrefix(log.Printf, "netcheck: ")
+		c.Verbose = true
+	} else {
+		c.Logf = logger.Discard
+	}
+
+	if strings.HasPrefix(netcheckArgs.format, "json") {
+		fmt.Fprintln(os.Stderr, "# Warning: this JSON format is not yet considered a stable interface")
+	}
+
+	dm := derpmap.Prod()
+	for {
+		t0 := time.Now()
+		report, err := c.GetReport(ctx, dm)
+		d := time.Since(t0)
+		if netcheckArgs.verbose {
+			c.Logf("GetReport took %v; err=%v", d.Round(time.Millisecond), err)
+		}
+		if err != nil {
+			log.Fatalf("netcheck: %v", err)
+		}
+		if err := printReport(dm, report); err != nil {
+			return err
+		}
+		if netcheckArgs.every == 0 {
+			return nil
+		}
+		time.Sleep(netcheckArgs.every)
+	}
+}
+
+func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
+	var j []byte
+	var err error
+	switch netcheckArgs.format {
+	case "":
+		break
+	case "json":
+		j, err = json.MarshalIndent(report, "", "\t")
+	case "json-line":
+		j, err = json.Marshal(report)
+	default:
+		return fmt.Errorf("unknown output format %q", netcheckArgs.format)
+	}
+	if err != nil {
+		return err
+	}
+	if j != nil {
+		j = append(j, '\n')
+		os.Stdout.Write(j)
+		return nil
+	}
+
+	fmt.Printf("\nReport:\n")
+	fmt.Printf("\t* UDP: %v\n", report.UDP)
+	if report.GlobalV4 != "" {
+		fmt.Printf("\t* IPv4: yes, %v\n", report.GlobalV4)
+	} else {
+		fmt.Printf("\t* IPv4: (no addr found)\n")
+	}
+	if report.GlobalV6 != "" {
+		fmt.Printf("\t* IPv6: yes, %v\n", report.GlobalV6)
+	} else if report.IPv6 {
+		fmt.Printf("\t* IPv6: (no addr found)\n")
+	} else {
+		fmt.Printf("\t* IPv6: no\n")
+	}
+	fmt.Printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
+	fmt.Printf("\t* HairPinning: %v\n", report.HairPinning)
+	fmt.Printf("\t* PortMapping: %v\n", portMapping(report))
+
+	// When DERP latency checking failed,
+	// magicsock will try to pick the DERP server that
+	// most of your other nodes are also using
+	if len(report.RegionLatency) == 0 {
+		fmt.Printf("\t* Nearest DERP: unknown (no response to latency probes)\n")
+	} else {
+		fmt.Printf("\t* Nearest DERP: %v (%v)\n", report.PreferredDERP, dm.Regions[report.PreferredDERP].RegionCode)
+		fmt.Printf("\t* DERP latency:\n")
+		var rids []int
+		for rid := range dm.Regions {
+			rids = append(rids, rid)
+		}
+		sort.Ints(rids)
+		for _, rid := range rids {
+			d, ok := report.RegionLatency[rid]
+			var latency string
+			if ok {
+				latency = d.Round(time.Millisecond / 10).String()
+			}
+			fmt.Printf("\t\t- %v, %3s = %s\n", rid, dm.Regions[rid].RegionCode, latency)
+		}
+	}
+	return nil
+}
+
+func portMapping(r *netcheck.Report) string {
+	if !r.AnyPortMappingChecked() {
+		return "not checked"
+	}
+	var got []string
+	if r.UPnP.EqualBool(true) {
+		got = append(got, "UPnP")
+	}
+	if r.PMP.EqualBool(true) {
+		got = append(got, "NAT-PMP")
+	}
+	if r.PCP.EqualBool(true) {
+		got = append(got, "PCP")
+	}
+	return strings.Join(got, ", ")
+}

cmd/tailscale/cli/status.go

@@ -0,0 +1,172 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"github.com/toqueteos/webbrowser"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/interfaces"
+)
+
+var statusCmd = &ffcli.Command{
+	Name:       "status",
+	ShortUsage: "status [-active] [-web] [-json]",
+	ShortHelp:  "Show state of tailscaled and its connections",
+	Exec:       runStatus,
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("status", flag.ExitOnError)
+		fs.BoolVar(&statusArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
+		fs.BoolVar(&statusArgs.web, "web", false, "run webserver with HTML showing status")
+		fs.BoolVar(&statusArgs.active, "active", false, "filter output to only peers with active sessions (not applicable to web mode)")
+		fs.StringVar(&statusArgs.listen, "listen", "127.0.0.1:8384", "listen address; use port 0 for automatic")
+		fs.BoolVar(&statusArgs.browser, "browser", true, "Open a browser in web mode")
+		return fs
+	})(),
+}
+
+var statusArgs struct {
+	json    bool   // JSON output mode
+	web     bool   // run webserver
+	listen  string // in web mode, webserver address to listen on, empty means auto
+	browser bool   // in web mode, whether to open browser
+	active  bool   // in CLI mode, filter output to only peers with active sessions
+}
+
+func runStatus(ctx context.Context, args []string) error {
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	bc.AllowVersionSkew = true
+
+	ch := make(chan *ipnstate.Status, 1)
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if n.Status != nil {
+			ch <- n.Status
+		}
+	})
+	go pump(ctx, bc, c)
+
+	getStatus := func() (*ipnstate.Status, error) {
+		bc.RequestStatus()
+		select {
+		case st := <-ch:
+			return st, nil
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		}
+	}
+	st, err := getStatus()
+	if err != nil {
+		return err
+	}
+	if statusArgs.json {
+		if statusArgs.active {
+			for peer, ps := range st.Peer {
+				if !peerActive(ps) {
+					delete(st.Peer, peer)
+				}
+			}
+		}
+		j, err := json.MarshalIndent(st, "", "  ")
+		if err != nil {
+			return err
+		}
+		fmt.Printf("%s", j)
+		return nil
+	}
+	if statusArgs.web {
+		ln, err := net.Listen("tcp", statusArgs.listen)
+		if err != nil {
+			return err
+		}
+		statusURL := interfaces.HTTPOfListener(ln)
+		fmt.Printf("Serving Tailscale status at %v ...\n", statusURL)
+		go func() {
+			<-ctx.Done()
+			ln.Close()
+		}()
+		if statusArgs.browser {
+			go webbrowser.Open(statusURL)
+		}
+		err = http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.RequestURI != "/" {
+				http.NotFound(w, r)
+				return
+			}
+			st, err := getStatus()
+			if err != nil {
+				http.Error(w, err.Error(), 500)
+				return
+			}
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			st.WriteHTML(w)
+		}))
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		return err
+	}
+
+	var buf bytes.Buffer
+	f := func(format string, a ...interface{}) { fmt.Fprintf(&buf, format, a...) }
+	for _, peer := range st.Peers() {
+		ps := st.Peer[peer]
+		active := peerActive(ps)
+		if statusArgs.active && !active {
+			continue
+		}
+		f("%s %-7s %-15s %-18s tx=%8d rx=%8d ",
+			peer.ShortString(),
+			ps.OS,
+			ps.TailAddr,
+			ps.SimpleHostName(),
+			ps.TxBytes,
+			ps.RxBytes,
+		)
+		relay := ps.Relay
+		if active && relay != "" && ps.CurAddr == "" {
+			relay = "*" + relay + "*"
+		} else {
+			relay = " " + relay
+		}
+		f("%-6s", relay)
+		for i, addr := range ps.Addrs {
+			if i != 0 {
+				f(", ")
+			}
+			if addr == ps.CurAddr {
+				f("*%s*", addr)
+			} else {
+				f("%s", addr)
+			}
+		}
+		f("\n")
+	}
+	os.Stdout.Write(buf.Bytes())
+	return nil
+}
+
+// peerActive reports whether ps has recent activity.
+//
+// TODO: have the server report this bool instead.
+func peerActive(ps *ipnstate.PeerStatus) bool {
+	return !ps.LastWrite.IsZero() && time.Since(ps.LastWrite) < 2*time.Minute
+}

cmd/tailscale/cli/up.go

@@ -0,0 +1,258 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"bytes"
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"github.com/tailscale/wireguard-go/wgcfg"
+	"inet.af/netaddr"
+	"tailscale.com/ipn"
+	"tailscale.com/tailcfg"
+	"tailscale.com/version"
+	"tailscale.com/wgengine/router"
+)
+
+// globalStateKey is the ipn.StateKey that tailscaled loads on
+// startup.
+//
+// We have to support multiple state keys for other OSes (Windows in
+// particular), but right now Unix daemons run with a single
+// node-global state. To keep open the option of having per-user state
+// later, the global state key doesn't look like a username.
+const globalStateKey = "_daemon"
+
+var upCmd = &ffcli.Command{
+	Name:       "up",
+	ShortUsage: "up [flags]",
+	ShortHelp:  "Connect to your Tailscale network",
+
+	LongHelp: strings.TrimSpace(`
+"tailscale up" connects this machine to your Tailscale network,
+triggering authentication if necessary.
+
+The flags passed to this command are specific to this machine. If you don't
+specify any flags, options are reset to their default.
+`),
+	FlagSet: (func() *flag.FlagSet {
+		upf := flag.NewFlagSet("up", flag.ExitOnError)
+		upf.StringVar(&upArgs.server, "login-server", "https://login.tailscale.com", "base URL of control server")
+		upf.BoolVar(&upArgs.acceptRoutes, "accept-routes", false, "accept routes advertised by other Tailscale nodes")
+		upf.BoolVar(&upArgs.acceptDNS, "accept-dns", true, "accept DNS configuration from the admin panel")
+		upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "install host routes to other Tailscale nodes")
+		upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
+		upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "ACL tags to request (comma-separated, e.g. eng,montreal,ssh)")
+		upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key")
+		upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
+		upf.BoolVar(&upArgs.enableDERP, "enable-derp", true, "enable the use of DERP servers")
+		if runtime.GOOS == "linux" || isBSD(runtime.GOOS) || version.OS() == "macOS" {
+			upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. 10.0.0.0/8,192.168.0.0/24)")
+		}
+		if runtime.GOOS == "linux" {
+			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with -advertise-routes")
+			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", "on", "netfilter mode (one of on, nodivert, off)")
+		}
+		return upf
+	})(),
+	Exec: runUp,
+}
+
+var upArgs struct {
+	server          string
+	acceptRoutes    bool
+	acceptDNS       bool
+	singleRoutes    bool
+	shieldsUp       bool
+	advertiseRoutes string
+	advertiseTags   string
+	enableDERP      bool
+	snat            bool
+	netfilterMode   string
+	authKey         string
+	hostname        string
+}
+
+// parseIPOrCIDR parses an IP address or a CIDR prefix. If the input
+// is an IP address, it is returned in CIDR form with a /32 mask for
+// IPv4 or a /128 mask for IPv6.
+func parseIPOrCIDR(s string) (wgcfg.CIDR, bool) {
+	if strings.Contains(s, "/") {
+		ret, err := wgcfg.ParseCIDR(s)
+		if err != nil {
+			return wgcfg.CIDR{}, false
+		}
+		return ret, true
+	}
+
+	ip, ok := wgcfg.ParseIP(s)
+	if !ok {
+		return wgcfg.CIDR{}, false
+	}
+	if ip.Is4() {
+		return wgcfg.CIDR{IP: ip, Mask: 32}, true
+	} else {
+		return wgcfg.CIDR{IP: ip, Mask: 128}, true
+	}
+}
+
+func isBSD(s string) bool {
+	return s == "dragonfly" || s == "freebsd" || s == "netbsd" || s == "openbsd"
+}
+
+func warnf(format string, args ...interface{}) {
+	fmt.Printf("Warning: "+format+"\n", args...)
+}
+
+// checkIPForwarding prints warnings if IP forwarding is not
+// enabled, or if we were unable to verify the state of IP forwarding.
+func checkIPForwarding() {
+	var key string
+
+	if runtime.GOOS == "linux" {
+		key = "net.ipv4.ip_forward"
+	} else if isBSD(runtime.GOOS) || version.OS() == "macOS" {
+		key = "net.inet.ip.forwarding"
+	} else {
+		return
+	}
+
+	bs, err := exec.Command("sysctl", "-n", key).Output()
+	if err != nil {
+		warnf("couldn't check %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
+		return
+	}
+	on, err := strconv.ParseBool(string(bytes.TrimSpace(bs)))
+	if err != nil {
+		warnf("couldn't parse %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
+		return
+	}
+	if !on {
+		warnf("%s is disabled. Subnet routes won't work.", key)
+	}
+}
+
+func runUp(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		log.Fatalf("too many non-flag arguments: %q", args)
+	}
+
+	var routes []wgcfg.CIDR
+	if upArgs.advertiseRoutes != "" {
+		advroutes := strings.Split(upArgs.advertiseRoutes, ",")
+		for _, s := range advroutes {
+			cidr, ok := parseIPOrCIDR(s)
+			ipp, err := netaddr.ParseIPPrefix(s) // parse it with other pawith both packages
+			if !ok || err != nil {
+				fatalf("%q is not a valid IP address or CIDR prefix", s)
+			}
+			if ipp != ipp.Masked() {
+				fatalf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
+			}
+			routes = append(routes, cidr)
+		}
+		checkIPForwarding()
+	}
+
+	var tags []string
+	if upArgs.advertiseTags != "" {
+		tags = strings.Split(upArgs.advertiseTags, ",")
+		for _, tag := range tags {
+			err := tailcfg.CheckTag(tag)
+			if err != nil {
+				fatalf("tag: %q: %s", tag, err)
+			}
+		}
+	}
+
+	if len(upArgs.hostname) > 256 {
+		fatalf("hostname too long: %d bytes (max 256)", len(upArgs.hostname))
+	}
+
+	// TODO(apenwarr): fix different semantics between prefs and uflags
+	// TODO(apenwarr): allow setting/using CorpDNS
+	prefs := ipn.NewPrefs()
+	prefs.ControlURL = upArgs.server
+	prefs.WantRunning = true
+	prefs.RouteAll = upArgs.acceptRoutes
+	prefs.CorpDNS = upArgs.acceptDNS
+	prefs.AllowSingleHosts = upArgs.singleRoutes
+	prefs.ShieldsUp = upArgs.shieldsUp
+	prefs.AdvertiseRoutes = routes
+	prefs.AdvertiseTags = tags
+	prefs.NoSNAT = !upArgs.snat
+	prefs.DisableDERP = !upArgs.enableDERP
+	prefs.Hostname = upArgs.hostname
+	if runtime.GOOS == "linux" {
+		switch upArgs.netfilterMode {
+		case "on":
+			prefs.NetfilterMode = router.NetfilterOn
+		case "nodivert":
+			prefs.NetfilterMode = router.NetfilterNoDivert
+			warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
+		case "off":
+			prefs.NetfilterMode = router.NetfilterOff
+			warnf("netfilter=off; configure iptables yourself.")
+		default:
+			fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
+		}
+	}
+
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	var printed bool
+
+	bc.SetPrefs(prefs)
+	opts := ipn.Options{
+		StateKey: globalStateKey,
+		AuthKey:  upArgs.authKey,
+		Notify: func(n ipn.Notify) {
+			if n.ErrMessage != nil {
+				fatalf("backend error: %v\n", *n.ErrMessage)
+			}
+			if s := n.State; s != nil {
+				switch *s {
+				case ipn.NeedsLogin:
+					printed = true
+					bc.StartLoginInteractive()
+				case ipn.NeedsMachineAuth:
+					printed = true
+					fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", upArgs.server)
+				case ipn.Starting, ipn.Running:
+					// Done full authentication process
+					if printed {
+						// Only need to print an update if we printed the "please click" message earlier.
+						fmt.Fprintf(os.Stderr, "Success.\n")
+					}
+					cancel()
+				}
+			}
+			if url := n.BrowseToURL; url != nil {
+				fmt.Fprintf(os.Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
+			}
+		},
+	}
+	// We still have to Start right now because it's the only way to
+	// set up notifications and whatnot. This causes a bunch of churn
+	// every time the CLI touches anything.
+	//
+	// TODO(danderson): redo the frontend/backend API to assume
+	// ephemeral frontends that read/modify/write state, once
+	// Windows/Mac state is moved into backend.
+	bc.Start(opts)
+	pump(ctx, bc, c)
+
+	return nil
+}

cmd/tailscale/cli/version.go

@@ -0,0 +1,69 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/ipn"
+	"tailscale.com/version"
+)
+
+var versionCmd = &ffcli.Command{
+	Name:       "version",
+	ShortUsage: "version [flags]",
+	ShortHelp:  "Print Tailscale version",
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("version", flag.ExitOnError)
+		fs.BoolVar(&versionArgs.daemon, "daemon", false, "also print local node's daemon version")
+		return fs
+	})(),
+	Exec: runVersion,
+}
+
+var versionArgs struct {
+	daemon bool // also check local node's daemon version
+}
+
+func runVersion(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		log.Fatalf("too many non-flag arguments: %q", args)
+	}
+	if !versionArgs.daemon {
+		fmt.Println(version.LONG)
+		return nil
+	}
+	fmt.Printf("Client: %s\n", version.LONG)
+
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	bc.AllowVersionSkew = true
+
+	done := make(chan struct{})
+
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if n.Status != nil {
+			fmt.Printf("Daemon: %s\n", n.Version)
+			close(done)
+		}
+	})
+	go pump(ctx, bc, c)
+
+	bc.RequestStatus()
+	select {
+	case <-done:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}

cmd/tailscale/ipn.go

@@ -1,149 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The tailscale command is the Tailscale command-line client. It interacts
-// with the tailscaled client daemon.
-package main // import "tailscale.com/cmd/tailscale"
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/apenwarr/fixconsole"
-	"github.com/pborman/getopt/v2"
-	"tailscale.com/atomicfile"
-	"tailscale.com/control/controlclient"
-	"tailscale.com/ipn"
-	"tailscale.com/logpolicy"
-	"tailscale.com/safesocket"
-)
-
-func pump(ctx context.Context, bc *ipn.BackendClient, c net.Conn) {
-	defer log.Printf("Control connection done.\n")
-	defer c.Close()
-	for ctx.Err() == nil {
-		msg, err := ipn.ReadMsg(c)
-		if err != nil {
-			log.Printf("ReadMsg: %v\n", err)
-			break
-		}
-		bc.GotNotifyMsg(msg)
-	}
-}
-
-func main() {
-	err := fixconsole.FixConsoleIfNeeded()
-	if err != nil {
-		log.Printf("fixConsoleOutput: %v\n", err)
-	}
-	config := getopt.StringLong("config", 'f', "", "path to config file")
-	server := getopt.StringLong("server", 's', "https://login.tailscale.com", "URL to tailcontrol server")
-	alwaysrefresh := getopt.BoolLong("always-refresh", 0, "force key refresh at startup")
-	nuroutes := getopt.BoolLong("no-single-routes", 'N', "disallow (non-subnet) routes to single nodes")
-	rroutes := getopt.BoolLong("remote-routes", 'R', "allow routing subnets to remote nodes")
-	droutes := getopt.BoolLong("default-routes", 'D', "allow default route on remote node")
-	getopt.Parse()
-	if *config == "" {
-		logpolicy.New("tailnode.log.tailscale.io", "tailscale")
-		log.Fatal("no --config file specified")
-	}
-	if len(getopt.Args()) > 0 {
-		log.Fatalf("too many non-flag arguments: %#v", getopt.Args()[0])
-	}
-
-	pol := logpolicy.New("tailnode.log.tailscale.io", *config)
-	defer pol.Close()
-
-	prefs, err := loadConfig(*config)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	// TODO(apenwarr): fix different semantics between prefs and uflags
-	// TODO(apenwarr): allow setting/using CorpDNS
-	prefs.WantRunning = true
-	prefs.RouteAll = *rroutes || *droutes
-	prefs.AllowSingleHosts = !*nuroutes
-
-	c, err := safesocket.Connect("", "Tailscale", "tailscaled", 41112)
-	if err != nil {
-		log.Fatalf("safesocket.Connect: %v\n", err)
-	}
-	clientToServer := func(b []byte) {
-		ipn.WriteMsg(c, b)
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	lf := controlclient.LoginDefault
-	if *alwaysrefresh {
-		lf |= controlclient.LoginInteractive
-	}
-
-	go func() {
-		interrupt := make(chan os.Signal, 1)
-		signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
-		<-interrupt
-		c.Close()
-	}()
-
-	bc := ipn.NewBackendClient(log.Printf, clientToServer)
-	opts := ipn.Options{
-		Prefs:      prefs,
-		ServerURL:  *server,
-		LoginFlags: lf,
-		Notify: func(n ipn.Notify) {
-			log.Printf("Notify: %v\n", n)
-			if n.ErrMessage != nil {
-				log.Fatalf("backend error: %v\n", *n.ErrMessage)
-			}
-			if s := n.State; s != nil {
-				switch *s {
-				case ipn.NeedsLogin:
-					bc.StartLoginInteractive()
-				case ipn.NeedsMachineAuth:
-					fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", *server)
-				case ipn.Starting, ipn.Running:
-					// Done full authentication process
-					cancel()
-				}
-			}
-			if url := n.BrowseToURL; url != nil {
-				fmt.Fprintf(os.Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
-			}
-			if p := n.Prefs; p != nil {
-				prefs = *p
-				saveConfig(*config, *p)
-			}
-		},
-	}
-	bc.Start(opts)
-	pump(ctx, bc, c)
-}
-
-func loadConfig(path string) (ipn.Prefs, error) {
-	b, err := ioutil.ReadFile(path)
-	if os.IsNotExist(err) {
-		log.Printf("config %s does not exist", path)
-		return ipn.NewPrefs(), nil
-	}
-	return ipn.PrefsFromBytes(b, false)
-}
-
-func saveConfig(path string, prefs ipn.Prefs) error {
-	b, err := json.MarshalIndent(prefs, "", "\t")
-	if err != nil {
-		return fmt.Errorf("save config: %v", err)
-	}
-	if err := atomicfile.WriteFile(path, b, 0666); err != nil {
-		return fmt.Errorf("save config: %v", err)
-	}
-	return nil
-}

cmd/tailscale/tailscale.go

@@ -0,0 +1,28 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The tailscale command is the Tailscale command-line client. It interacts
+// with the tailscaled node agent.
+package main // import "tailscale.com/cmd/tailscale"
+
+import (
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/apenwarr/fixconsole"
+	"tailscale.com/cmd/tailscale/cli"
+)
+
+func main() {
+	err := fixconsole.FixConsoleIfNeeded()
+	if err != nil {
+		log.Printf("fixConsoleOutput: %v\n", err)
+	}
+
+	if err := cli.Run(os.Args[1:]); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}

cmd/tailscaled/ipnd.go

@@ -1,88 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The tailscaled program is the Tailscale client daemon. It's configured
-// and controlled via the tailscale CLI program.
-//
-// It primarily supports Linux, though other systems will likely be
-// supported in the future.
-package main // import "tailscale.com/cmd/tailscaled"
-
-import (
-	"context"
-	"log"
-	"net/http"
-	"net/http/pprof"
-
-	"github.com/apenwarr/fixconsole"
-	"github.com/pborman/getopt/v2"
-	"tailscale.com/ipn/ipnserver"
-	"tailscale.com/logpolicy"
-	"tailscale.com/wgengine"
-)
-
-func main() {
-	fake := getopt.BoolLong("fake", 0, "fake tunnel+routing instead of tuntap")
-	debug := getopt.StringLong("debug", 0, "", "Address of debug server")
-
-	logf := wgengine.RusagePrefixLog(log.Printf)
-
-	err := fixconsole.FixConsoleIfNeeded()
-	if err != nil {
-		logf("fixConsoleOutput: %v\n", err)
-	}
-	pol := logpolicy.New("tailnode.log.tailscale.io", "tailscaled")
-
-	getopt.Parse()
-	if len(getopt.Args()) > 0 {
-		log.Fatalf("too many non-flag arguments: %#v", getopt.Args()[0])
-	}
-
-	if *debug != "" {
-		go runDebugServer(*debug)
-	}
-
-	var e wgengine.Engine
-	if *fake {
-		e, err = wgengine.NewFakeUserspaceEngine(logf, 0, false)
-	} else {
-		e, err = wgengine.NewUserspaceEngine(logf, "ts0", 0, false)
-	}
-	if err != nil {
-		log.Fatalf("wgengine.New: %v\n", err)
-	}
-	e = wgengine.NewWatchdog(e)
-
-	opts := ipnserver.Options{
-		SurviveDisconnects: true,
-		AllowQuit:          false,
-	}
-	err = ipnserver.Run(context.Background(), logf, pol.PublicID.String(), opts, e)
-	if err != nil {
-		log.Fatalf("tailscaled: %v\n", err)
-	}
-
-	// TODO(crawshaw): It would be nice to start a timeout context the moment a signal
-	// is received and use that timeout to give us a moment to finish uploading logs
-	// here. But the signal is handled inside ipnserver.Run, so some plumbing is needed.
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-	pol.Shutdown(ctx)
-}
-
-func runDebugServer(addr string) {
-	mux := http.NewServeMux()
-	mux.HandleFunc("/debug/pprof/", pprof.Index)
-	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
-	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
-	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
-	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
-	srv := http.Server{
-		Addr:    addr,
-		Handler: mux,
-	}
-	if err := srv.ListenAndServe(); err != nil {
-		log.Fatal(err)
-	}
-}

cmd/tailscaled/tailscaled.defaults

@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""

cmd/tailscaled/tailscaled.go

@@ -0,0 +1,205 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The tailscaled program is the Tailscale client daemon. It's configured
+// and controlled via the tailscale CLI program.
+//
+// It primarily supports Linux, though other systems will likely be
+// supported in the future.
+package main // import "tailscale.com/cmd/tailscaled"
+
+import (
+	"context"
+	"log"
+	"net/http"
+	"net/http/pprof"
+	"os"
+	"os/signal"
+	"runtime"
+	"runtime/debug"
+	"syscall"
+	"time"
+
+	"github.com/apenwarr/fixconsole"
+	"github.com/pborman/getopt/v2"
+	"tailscale.com/ipn/ipnserver"
+	"tailscale.com/logpolicy"
+	"tailscale.com/paths"
+	"tailscale.com/types/logger"
+	"tailscale.com/wgengine"
+	"tailscale.com/wgengine/magicsock"
+	"tailscale.com/wgengine/router"
+)
+
+// globalStateKey is the ipn.StateKey that tailscaled loads on
+// startup.
+//
+// We have to support multiple state keys for other OSes (Windows in
+// particular), but right now Unix daemons run with a single
+// node-global state. To keep open the option of having per-user state
+// later, the global state key doesn't look like a username.
+const globalStateKey = "_daemon"
+
+// defaultTunName returns the default tun device name for the platform.
+func defaultTunName() string {
+	switch runtime.GOOS {
+	case "openbsd":
+		return "tun"
+	case "windows":
+		return "Tailscale"
+	}
+	return "tailscale0"
+}
+
+var args struct {
+	cleanup    bool
+	fake       bool
+	debug      string
+	tunname    string
+	port       uint16
+	statepath  string
+	socketpath string
+}
+
+func main() {
+	// We aren't very performance sensitive, and the parts that are
+	// performance sensitive (wireguard) try hard not to do any memory
+	// allocations. So let's be aggressive about garbage collection,
+	// unless the user specifically overrides it in the usual way.
+	if _, ok := os.LookupEnv("GOGC"); !ok {
+		debug.SetGCPercent(10)
+	}
+
+	// Set default values for getopt.
+	args.tunname = defaultTunName()
+	args.port = magicsock.DefaultPort
+	args.statepath = paths.DefaultTailscaledStateFile()
+	args.socketpath = paths.DefaultTailscaledSocket()
+
+	getopt.FlagLong(&args.cleanup, "cleanup", 0, "clean up system state and exit")
+	getopt.FlagLong(&args.fake, "fake", 0, "fake tunnel+routing instead of tuntap")
+	getopt.FlagLong(&args.debug, "debug", 0, "address of debug server")
+	getopt.FlagLong(&args.tunname, "tun", 0, "tunnel interface name")
+	getopt.FlagLong(&args.port, "port", 'p', "WireGuard port (0=autoselect)")
+	getopt.FlagLong(&args.statepath, "state", 0, "path of state file")
+	getopt.FlagLong(&args.socketpath, "socket", 's', "path of the service unix socket")
+
+	err := fixconsole.FixConsoleIfNeeded()
+	if err != nil {
+		log.Fatalf("fixConsoleOutput: %v", err)
+	}
+
+	getopt.Parse()
+	if len(getopt.Args()) > 0 {
+		log.Fatalf("too many non-flag arguments: %#v", getopt.Args()[0])
+	}
+
+	if args.statepath == "" {
+		log.Fatalf("--state is required")
+	}
+
+	if args.socketpath == "" && runtime.GOOS != "windows" {
+		log.Fatalf("--socket is required")
+	}
+
+	if err := run(); err != nil {
+		// No need to log; the func already did
+		os.Exit(1)
+	}
+}
+
+func run() error {
+	var err error
+
+	pol := logpolicy.New("tailnode.log.tailscale.io")
+	defer func() {
+		// Finish uploading logs after closing everything else.
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+		defer cancel()
+		pol.Shutdown(ctx)
+	}()
+
+	logf := wgengine.RusagePrefixLog(log.Printf)
+	logf = logger.RateLimitedFn(logf, 5*time.Second, 5, 100)
+
+	if args.cleanup {
+		router.Cleanup(logf, args.tunname)
+		return nil
+	}
+
+	var debugMux *http.ServeMux
+	if args.debug != "" {
+		debugMux = newDebugMux()
+		go runDebugServer(debugMux, args.debug)
+	}
+
+	var e wgengine.Engine
+	if args.fake {
+		e, err = wgengine.NewFakeUserspaceEngine(logf, 0)
+	} else {
+		e, err = wgengine.NewUserspaceEngine(logf, args.tunname, args.port)
+	}
+	if err != nil {
+		logf("wgengine.New: %v", err)
+		return err
+	}
+	e = wgengine.NewWatchdog(e)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	// Exit gracefully by cancelling the ipnserver context in most common cases:
+	// interrupted from the TTY or killed by a service manager.
+	interrupt := make(chan os.Signal, 1)
+	signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
+	// SIGPIPE sometimes gets generated when CLIs disconnect from
+	// tailscaled. The default action is to terminate the process, we
+	// want to keep running.
+	signal.Ignore(syscall.SIGPIPE)
+	go func() {
+		select {
+		case s := <-interrupt:
+			logf("tailscaled got signal %v; shutting down", s)
+			cancel()
+		case <-ctx.Done():
+			// continue
+		}
+	}()
+
+	opts := ipnserver.Options{
+		SocketPath:         args.socketpath,
+		Port:               41112,
+		StatePath:          args.statepath,
+		AutostartStateKey:  globalStateKey,
+		LegacyConfigPath:   paths.LegacyConfigPath(),
+		SurviveDisconnects: true,
+		DebugMux:           debugMux,
+	}
+	err = ipnserver.Run(ctx, logf, pol.PublicID.String(), ipnserver.FixedEngine(e), opts)
+	// Cancelation is not an error: it is the only way to stop ipnserver.
+	if err != nil && err != context.Canceled {
+		logf("ipnserver.Run: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+func newDebugMux() *http.ServeMux {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/debug/pprof/", pprof.Index)
+	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
+	return mux
+}
+
+func runDebugServer(mux *http.ServeMux, addr string) {
+	srv := &http.Server{
+		Addr:    addr,
+		Handler: mux,
+	}
+	if err := srv.ListenAndServe(); err != nil {
+		log.Fatal(err)
+	}
+}

cmd/tailscaled/tailscaled.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+
+Restart=on-failure
+
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0750
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+
+[Install]
+WantedBy=multi-user.target

cmd/tsshd/tsshd.go

@@ -0,0 +1,161 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !windows
+
+// The tsshd binary is an SSH server that accepts connections
+// from anybody on the same Tailscale network.
+//
+// It does not use passwords or SSH public key.
+//
+// Any user name is accepted; users are logged in as whoever is
+// running this daemon.
+//
+// Warning: use at your own risk. This code has had very few eyeballs
+// on it.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net"
+	"os"
+	"os/exec"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"github.com/gliderlabs/ssh"
+	"github.com/kr/pty"
+	gossh "golang.org/x/crypto/ssh"
+	"tailscale.com/net/interfaces"
+)
+
+var (
+	port    = flag.Int("port", 2200, "port to listen on")
+	hostKey = flag.String("hostkey", "", "SSH host key")
+)
+
+func main() {
+	flag.Parse()
+	if *hostKey == "" {
+		log.Fatalf("missing required --hostkey")
+	}
+	hostKey, err := ioutil.ReadFile(*hostKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+	signer, err := gossh.ParsePrivateKey(hostKey)
+	if err != nil {
+		log.Printf("failed to parse SSH host key: %v", err)
+		return
+	}
+
+	warned := false
+	for {
+		addr, iface, err := interfaces.Tailscale()
+		if err != nil {
+			log.Fatalf("listing interfaces: %v", err)
+		}
+		if addr == nil {
+			if !warned {
+				log.Printf("no tailscale interface found; polling until one is available")
+				warned = true
+			}
+			// TODO: use netlink or other OS-specific mechanism to efficiently
+			// wait for change in interfaces. Polling every N seconds is good enough
+			// for now.
+			time.Sleep(5 * time.Second)
+			continue
+		}
+		warned = false
+		listen := net.JoinHostPort(addr.String(), fmt.Sprint(*port))
+		log.Printf("tailscale ssh server listening on %v, %v", iface.Name, listen)
+		s := &ssh.Server{
+			Addr:    listen,
+			Handler: handleSSH,
+		}
+		s.AddHostKey(signer)
+
+		err = s.ListenAndServe()
+		log.Fatalf("tailscale sshd failed: %v", err)
+	}
+
+}
+
+func handleSSH(s ssh.Session) {
+	user := s.User()
+	addr := s.RemoteAddr()
+	ta, ok := addr.(*net.TCPAddr)
+	if !ok {
+		log.Printf("tsshd: rejecting non-TCP addr %T %v", addr, addr)
+		s.Exit(1)
+		return
+	}
+	if !interfaces.IsTailscaleIP(ta.IP) {
+		log.Printf("tsshd: rejecting non-Tailscale addr %v", ta.IP)
+		s.Exit(1)
+		return
+	}
+
+	log.Printf("new session for %q from %v", user, ta)
+	defer log.Printf("closing session for %q from %v", user, ta)
+	ptyReq, winCh, isPty := s.Pty()
+	if !isPty {
+		fmt.Fprintf(s, "TODO scp etc")
+		s.Exit(1)
+		return
+	}
+
+	userWantsShell := len(s.Command()) == 0
+
+	if userWantsShell {
+		shell, err := shellOfUser(s.User())
+		if err != nil {
+			fmt.Fprintf(s, "failed to find shell: %v\n", err)
+			s.Exit(1)
+			return
+		}
+		cmd := exec.Command(shell)
+		cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", ptyReq.Term))
+		f, err := pty.Start(cmd)
+		if err != nil {
+			log.Printf("running shell: %v", err)
+			s.Exit(1)
+			return
+		}
+		defer f.Close()
+		go func() {
+			for win := range winCh {
+				setWinsize(f, win.Width, win.Height)
+			}
+		}()
+		go func() {
+			io.Copy(f, s) // stdin
+		}()
+		io.Copy(s, f) // stdout
+		cmd.Process.Kill()
+		if err := cmd.Wait(); err != nil {
+			s.Exit(1)
+		}
+		s.Exit(0)
+		return
+	}
+
+	fmt.Fprintf(s, "TODO: args\n")
+	s.Exit(1)
+}
+
+func shellOfUser(user string) (string, error) {
+	// TODO
+	return "/bin/bash", nil
+}
+
+func setWinsize(f *os.File, w, h int) {
+	syscall.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(syscall.TIOCSWINSZ),
+		uintptr(unsafe.Pointer(&struct{ h, w, x, y uint16 }{uint16(h), uint16(w), 0, 0})))
+}

cmd/tsshd/tsshd_windows.go

@@ -0,0 +1,11 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build windows
+
+package main
+
+func main() {
+	panic("tsshd does not work on windows yet")
+}

control/controlclient/auto.go

@@ -2,7 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package controlclient implements the client for the IPN control plane.
+// Package controlclient implements the client for the Tailscale
+// control plane.
 //
 // It handles authentication, port picking, and collects the local
 // network configuration.
@@ -16,42 +17,46 @@ import (
 	"sync"
 	"time"
 
+	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/oauth2"
-	"tailscale.com/logger"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/empty"
+	"tailscale.com/types/logger"
+	"tailscale.com/types/structs"
 )
 
-// TODO(apenwarr): eliminate the 'state' variable, as it's now obsolete.
-//  It's used only by the unit tests.
-type state int
+// State is the high-level state of the client. It is used only in
+// unit tests for proper sequencing, don't depend on it anywhere else.
+// TODO(apenwarr): eliminate 'state', as it's now obsolete.
+type State int
 
 const (
-	stateNew = state(iota)
-	stateNotAuthenticated
-	stateAuthenticating
-	stateURLVisitRequired
-	stateAuthenticated
-	stateSynchronized // connected and received map update
+	StateNew = State(iota)
+	StateNotAuthenticated
+	StateAuthenticating
+	StateURLVisitRequired
+	StateAuthenticated
+	StateSynchronized // connected and received map update
 )
 
-func (s state) MarshalText() ([]byte, error) {
+func (s State) MarshalText() ([]byte, error) {
 	return []byte(s.String()), nil
 }
 
-func (s state) String() string {
+func (s State) String() string {
 	switch s {
-	case stateNew:
+	case StateNew:
 		return "state:new"
-	case stateNotAuthenticated:
+	case StateNotAuthenticated:
 		return "state:not-authenticated"
-	case stateAuthenticating:
+	case StateAuthenticating:
 		return "state:authenticating"
-	case stateURLVisitRequired:
+	case StateURLVisitRequired:
 		return "state:url-visit-required"
-	case stateAuthenticated:
+	case StateAuthenticated:
 		return "state:authenticated"
-	case stateSynchronized:
+	case StateSynchronized:
 		return "state:synchronized"
 	default:
 		return fmt.Sprintf("state:unknown:%d", int(s))
@@ -59,13 +64,14 @@ func (s state) String() string {
 }
 
 type Status struct {
-	LoginFinished *struct{}
+	_             structs.Incomparable
+	LoginFinished *empty.Message
 	Err           string
 	URL           string
-	Persist       *Persist         // locally persisted configuration
-	NetMap        *NetworkMap      // server-pushed configuration
-	Hostinfo      tailcfg.Hostinfo // current Hostinfo data
-	state         state
+	Persist       *Persist          // locally persisted configuration
+	NetMap        *NetworkMap       // server-pushed configuration
+	Hostinfo      *tailcfg.Hostinfo // current Hostinfo data
+	State         State
 }
 
 // Equal reports whether s and s2 are equal.
@@ -80,7 +86,7 @@ func (s *Status) Equal(s2 *Status) bool {
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
 		reflect.DeepEqual(s.NetMap, s2.NetMap) &&
 		reflect.DeepEqual(s.Hostinfo, s2.Hostinfo) &&
-		s.state == s2.state
+		s.State == s2.State
 }
 
 func (s Status) String() string {
@@ -88,10 +94,11 @@ func (s Status) String() string {
 	if err != nil {
 		panic(err)
 	}
-	return s.state.String() + " " + string(b)
+	return s.State.String() + " " + string(b)
 }
 
 type LoginGoal struct {
+	_            structs.Incomparable
 	wantLoggedIn bool          // true if we *want* to be logged in
 	token        *oauth2.Token // oauth token to use when logging in
 	flags        LoginFlags    // flags to use when logging in
@@ -110,13 +117,15 @@ type Client struct {
 	mu         sync.Mutex   // mutex guards the following fields
 	statusFunc func(Status) // called to update Client status
 
-	loggedIn     bool       // true if currently logged in
-	loginGoal    *LoginGoal // non-nil if some login activity is desired
-	synced       bool       // true if our netmap is up-to-date
-	hostinfo     tailcfg.Hostinfo
-	inPollNetMap bool // true if currently running a PollNetMap
-	inSendStatus int  // number of sendStatus calls currently in progress
-	state        state
+	paused         bool // whether we should stop making HTTP requests
+	unpauseWaiters []chan struct{}
+	loggedIn       bool       // true if currently logged in
+	loginGoal      *LoginGoal // non-nil if some login activity is desired
+	synced         bool       // true if our netmap is up-to-date
+	hostinfo       *tailcfg.Hostinfo
+	inPollNetMap   bool // true if currently running a PollNetMap
+	inSendStatus   int  // number of sendStatus calls currently in progress
+	state          State
 
 	authCtx    context.Context // context used for auth requests
 	mapCtx     context.Context // context used for netmap requests
@@ -145,6 +154,9 @@ func NewNoStart(opts Options) (*Client, error) {
 	if opts.Logf == nil {
 		opts.Logf = func(fmt string, args ...interface{}) {}
 	}
+	if opts.TimeNow == nil {
+		opts.TimeNow = time.Now
+	}
 	c := &Client{
 		direct:   direct,
 		timeNow:  opts.TimeNow,
@@ -159,6 +171,27 @@ func NewNoStart(opts Options) (*Client, error) {
 	return c, nil
 }
 
+// SetPaused controls whether HTTP activity should be paused.
+//
+// The client can be paused and unpaused repeatedly, unlike Start and Shutdown, which can only be used once.
+func (c *Client) SetPaused(paused bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if paused == c.paused {
+		return
+	}
+	c.paused = paused
+	if paused {
+		// Just cancel the map routine. The auth routine isn't expensive.
+		c.cancelMapLocked()
+	} else {
+		for _, ch := range c.unpauseWaiters {
+			close(ch)
+		}
+		c.unpauseWaiters = nil
+	}
+}
+
 // Start starts the client's goroutines.
 //
 // It should only be called for clients created by NewNoStart.
@@ -197,7 +230,7 @@ func (c *Client) cancelMapSafely() {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
-	c.logf("cancelMapSafely: synced=%v\n", c.synced)
+	c.logf("cancelMapSafely: synced=%v", c.synced)
 
 	if c.inPollNetMap {
 		// received at least one netmap since the last
@@ -219,23 +252,23 @@ func (c *Client) cancelMapSafely() {
 		// request.
 		select {
 		case c.newMapCh <- struct{}{}:
-			c.logf("cancelMapSafely: wrote to channel\n")
+			c.logf("cancelMapSafely: wrote to channel")
 		default:
 			// if channel write failed, then there was already
 			// an outstanding newMapCh request. One is enough,
 			// since it'll always use the latest endpoints.
-			c.logf("cancelMapSafely: channel was full\n")
+			c.logf("cancelMapSafely: channel was full")
 		}
 	}
 }
 
 func (c *Client) authRoutine() {
 	defer close(c.authDone)
-	bo := backoff.Backoff{Name: "authRoutine"}
+	bo := backoff.NewBackoff("authRoutine", c.logf, 30*time.Second)
 
 	for {
 		c.mu.Lock()
-		c.logf("authRoutine: %s\n", c.state)
+		c.logf("authRoutine: %s", c.state)
 		expiry := c.expiry
 		goal := c.loginGoal
 		ctx := c.authCtx
@@ -244,13 +277,13 @@ func (c *Client) authRoutine() {
 
 		select {
 		case <-c.quit:
-			c.logf("authRoutine: quit\n")
+			c.logf("authRoutine: quit")
 			return
 		default:
 		}
 
 		report := func(err error, msg string) {
-			c.logf("%s: %v\n", msg, err)
+			c.logf("%s: %v", msg, err)
 			err = fmt.Errorf("%s: %v", msg, err)
 			// don't send status updates for context errors,
 			// since context cancelation is always on purpose.
@@ -262,6 +295,7 @@ func (c *Client) authRoutine() {
 		if goal == nil {
 			// Wait for something interesting to happen
 			var exp <-chan time.Time
+			var expTimer *time.Timer
 			if expiry != nil && !expiry.IsZero() {
 				// if expiry is in the future, don't delay
 				// past that time.
@@ -274,19 +308,23 @@ func (c *Client) authRoutine() {
 					if delay > 5*time.Second {
 						delay = time.Second
 					}
-					exp = time.After(delay)
+					expTimer = time.NewTimer(delay)
+					exp = expTimer.C
 				}
 			}
 			select {
 			case <-ctx.Done():
-				c.logf("authRoutine: context done.\n")
+				if expTimer != nil {
+					expTimer.Stop()
+				}
+				c.logf("authRoutine: context done.")
 			case <-exp:
 				// Unfortunately the key expiry isn't provided
 				// by the control server until mapRequest.
 				// So we have to do some hackery with c.expiry
 				// in here.
 				// TODO(apenwarr): add a key expiry field in RegisterResponse.
-				c.logf("authRoutine: key expiration check.\n")
+				c.logf("authRoutine: key expiration check.")
 				if synced && expiry != nil && !expiry.IsZero() && expiry.Before(c.timeNow()) {
 					c.logf("Key expired; setting loggedIn=false.")
 
@@ -300,7 +338,7 @@ func (c *Client) authRoutine() {
 				}
 			}
 		} else if !goal.wantLoggedIn {
-			err := c.direct.TryLogout(c.authCtx)
+			err := c.direct.TryLogout(ctx)
 			if err != nil {
 				report(err, "TryLogout")
 				bo.BackOff(ctx, err)
@@ -311,7 +349,7 @@ func (c *Client) authRoutine() {
 			c.mu.Lock()
 			c.loggedIn = false
 			c.loginGoal = nil
-			c.state = stateNotAuthenticated
+			c.state = StateNotAuthenticated
 			c.synced = false
 			c.mu.Unlock()
 
@@ -320,9 +358,9 @@ func (c *Client) authRoutine() {
 		} else { // ie. goal.wantLoggedIn
 			c.mu.Lock()
 			if goal.url != "" {
-				c.state = stateURLVisitRequired
+				c.state = StateURLVisitRequired
 			} else {
-				c.state = stateAuthenticating
+				c.state = StateAuthenticating
 			}
 			c.mu.Unlock()
 
@@ -345,13 +383,14 @@ func (c *Client) authRoutine() {
 					err = fmt.Errorf("weird: server required a new url?")
 					report(err, "WaitLoginURL")
 				}
-				goal.url = url
-				goal.token = nil
-				goal.flags = LoginDefault
 
 				c.mu.Lock()
-				c.loginGoal = goal
-				c.state = stateURLVisitRequired
+				c.loginGoal = &LoginGoal{
+					wantLoggedIn: true,
+					flags:        LoginDefault,
+					url:          url,
+				}
+				c.state = StateURLVisitRequired
 				c.synced = false
 				c.mu.Unlock()
 
@@ -364,7 +403,7 @@ func (c *Client) authRoutine() {
 			c.mu.Lock()
 			c.loggedIn = true
 			c.loginGoal = nil
-			c.state = stateAuthenticated
+			c.state = StateAuthenticated
 			c.mu.Unlock()
 
 			c.sendStatus("authRoutine4", nil, "", nil)
@@ -374,26 +413,63 @@ func (c *Client) authRoutine() {
 	}
 }
 
+// Expiry returns the credential expiration time, or the zero time if
+// the expiration time isn't known. Used in tests only.
+func (c *Client) Expiry() *time.Time {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.expiry
+}
+
+// Direct returns the underlying direct client object. Used in tests
+// only.
+func (c *Client) Direct() *Direct {
+	return c.direct
+}
+
+// unpausedChanLocked returns a new channel that is closed when the
+// current Client pause is unpaused.
+//
+// c.mu must be held
+func (c *Client) unpausedChanLocked() <-chan struct{} {
+	unpaused := make(chan struct{})
+	c.unpauseWaiters = append(c.unpauseWaiters, unpaused)
+	return unpaused
+}
+
 func (c *Client) mapRoutine() {
 	defer close(c.mapDone)
-	bo := backoff.Backoff{Name: "mapRoutine"}
+	bo := backoff.NewBackoff("mapRoutine", c.logf, 30*time.Second)
 
 	for {
 		c.mu.Lock()
-		c.logf("mapRoutine: %s\n", c.state)
+		if c.paused {
+			unpaused := c.unpausedChanLocked()
+			c.mu.Unlock()
+			c.logf("mapRoutine: awaiting unpause")
+			select {
+			case <-unpaused:
+				c.logf("mapRoutine: unpaused")
+			case <-c.quit:
+				c.logf("mapRoutine: quit")
+				return
+			}
+			continue
+		}
+		c.logf("mapRoutine: %s", c.state)
 		loggedIn := c.loggedIn
 		ctx := c.mapCtx
 		c.mu.Unlock()
 
 		select {
 		case <-c.quit:
-			c.logf("mapRoutine: quit\n")
+			c.logf("mapRoutine: quit")
 			return
 		default:
 		}
 
 		report := func(err error, msg string) {
-			c.logf("%s: %v\n", msg, err)
+			c.logf("%s: %v", msg, err)
 			err = fmt.Errorf("%s: %v", msg, err)
 			// don't send status updates for context errors,
 			// since context cancelation is always on purpose.
@@ -411,9 +487,9 @@ func (c *Client) mapRoutine() {
 
 			select {
 			case <-ctx.Done():
-				c.logf("mapRoutine: context done.\n")
+				c.logf("mapRoutine: context done.")
 			case <-c.newMapCh:
-				c.logf("mapRoutine: new map needed while idle.\n")
+				c.logf("mapRoutine: new map needed while idle.")
 			}
 		} else {
 			// Be sure this is false when we're not inside
@@ -428,7 +504,7 @@ func (c *Client) mapRoutine() {
 
 				select {
 				case <-c.newMapCh:
-					c.logf("mapRoutine: new map request during PollNetMap. canceling.\n")
+					c.logf("mapRoutine: new map request during PollNetMap. canceling.")
 					c.cancelMapLocked()
 
 					// Don't emit this netmap; we're
@@ -441,7 +517,7 @@ func (c *Client) mapRoutine() {
 				c.synced = true
 				c.inPollNetMap = true
 				if c.loggedIn {
-					c.state = stateSynchronized
+					c.state = StateSynchronized
 				}
 				exp := nm.Expiry
 				c.expiry = &exp
@@ -450,7 +526,7 @@ func (c *Client) mapRoutine() {
 
 				c.mu.Unlock()
 
-				c.logf("mapRoutine: netmap received: %s\n", state)
+				c.logf("mapRoutine: netmap received: %s", state)
 				if stillAuthed {
 					c.sendStatus("mapRoutine2", nil, "", nm)
 				}
@@ -459,11 +535,17 @@ func (c *Client) mapRoutine() {
 			c.mu.Lock()
 			c.synced = false
 			c.inPollNetMap = false
-			if c.state == stateSynchronized {
-				c.state = stateAuthenticated
+			if c.state == StateSynchronized {
+				c.state = StateAuthenticated
 			}
+			paused := c.paused
 			c.mu.Unlock()
 
+			if paused {
+				c.logf("mapRoutine: paused")
+				continue
+			}
+
 			if err != nil {
 				report(err, "PollNetMap")
 				bo.BackOff(ctx, err)
@@ -487,12 +569,34 @@ func (c *Client) SetStatusFunc(fn func(Status)) {
 	c.mu.Unlock()
 }
 
-func (c *Client) SetHostinfo(hi tailcfg.Hostinfo) {
-	c.direct.SetHostinfo(hi)
+func (c *Client) SetHostinfo(hi *tailcfg.Hostinfo) {
+	if hi == nil {
+		panic("nil Hostinfo")
+	}
+	if !c.direct.SetHostinfo(hi) {
+		// No changes. Don't log.
+		return
+	}
+	c.logf("Hostinfo: %v", hi)
+
 	// Send new Hostinfo to server
 	c.cancelMapSafely()
 }
 
+func (c *Client) SetNetInfo(ni *tailcfg.NetInfo) {
+	if ni == nil {
+		panic("nil NetInfo")
+	}
+	if !c.direct.SetNetInfo(ni) {
+		c.logf("[unexpected] duplicate NetInfo: %v", ni)
+		return
+	}
+	c.logf("NetInfo: %v", ni)
+
+	// Send new Hostinfo (which includes NetInfo) to server
+	c.cancelMapSafely()
+}
+
 func (c *Client) sendStatus(who string, err error, url string, nm *NetworkMap) {
 	c.mu.Lock()
 	state := c.state
@@ -503,12 +607,12 @@ func (c *Client) sendStatus(who string, err error, url string, nm *NetworkMap) {
 	c.inSendStatus++
 	c.mu.Unlock()
 
-	c.logf("sendStatus: %s: %v\n", who, state)
+	c.logf("sendStatus: %s: %v", who, state)
 
 	var p *Persist
-	var fin *struct{}
-	if state == stateAuthenticated {
-		fin = &struct{}{}
+	var fin *empty.Message
+	if state == StateAuthenticated {
+		fin = new(empty.Message)
 	}
 	if nm != nil && loggedIn && synced {
 		pp := c.direct.GetPersist()
@@ -524,7 +628,7 @@ func (c *Client) sendStatus(who string, err error, url string, nm *NetworkMap) {
 		Persist:       p,
 		NetMap:        nm,
 		Hostinfo:      hi,
-		state:         state,
+		State:         state,
 	}
 	if err != nil {
 		new.Err = err.Error()
@@ -539,7 +643,7 @@ func (c *Client) sendStatus(who string, err error, url string, nm *NetworkMap) {
 }
 
 func (c *Client) Login(t *oauth2.Token, flags LoginFlags) {
-	c.logf("client.Login(%v, %v)\n", t != nil, flags)
+	c.logf("client.Login(%v, %v)", t != nil, flags)
 
 	c.mu.Lock()
 	c.loginGoal = &LoginGoal{
@@ -553,7 +657,7 @@ func (c *Client) Login(t *oauth2.Token, flags LoginFlags) {
 }
 
 func (c *Client) Logout() {
-	c.logf("client.Logout()\n")
+	c.logf("client.Logout()")
 
 	c.mu.Lock()
 	c.loginGoal = &LoginGoal{
@@ -565,16 +669,14 @@ func (c *Client) Logout() {
 }
 
 func (c *Client) UpdateEndpoints(localPort uint16, endpoints []string) {
-	changed, err := c.direct.SetEndpoints(localPort, endpoints)
-	if err != nil {
-		c.sendStatus("updateEndpoints", err, "", nil)
-	} else if changed {
+	changed := c.direct.SetEndpoints(localPort, endpoints)
+	if changed {
 		c.cancelMapSafely()
 	}
 }
 
 func (c *Client) Shutdown() {
-	c.logf("client.Shutdown()\n")
+	c.logf("client.Shutdown()")
 
 	c.mu.Lock()
 	inSendStatus := c.inSendStatus
@@ -585,13 +687,30 @@ func (c *Client) Shutdown() {
 	}
 	c.mu.Unlock()
 
-	c.logf("client.Shutdown: inSendStatus=%v\n", inSendStatus)
+	c.logf("client.Shutdown: inSendStatus=%v", inSendStatus)
 	if !closed {
 		close(c.quit)
 		c.cancelAuth()
 		<-c.authDone
 		c.cancelMapUnsafely()
 		<-c.mapDone
-		c.logf("Client.Shutdown done.\n")
+		c.logf("Client.Shutdown done.")
 	}
 }
+
+// NodePublicKey returns the node public key currently in use. This is
+// used exclusively in tests.
+func (c *Client) TestOnlyNodePublicKey() wgcfg.Key {
+	priv := c.direct.GetPersist()
+	return priv.PrivateNodeKey.Public()
+}
+
+func (c *Client) TestOnlySetAuthKey(authkey string) {
+	c.direct.mu.Lock()
+	defer c.direct.mu.Unlock()
+	c.direct.authKey = authkey
+}
+
+func (c *Client) TestOnlyTimeNow() time.Time {
+	return c.timeNow()
+}

control/controlclient/controlclient_test.go

@@ -7,18 +7,22 @@ package controlclient
 import (
 	"reflect"
 	"testing"
+
+	"tailscale.com/types/empty"
 )
 
 func fieldsOf(t reflect.Type) (fields []string) {
 	for i := 0; i < t.NumField(); i++ {
-		fields = append(fields, t.Field(i).Name)
+		if name := t.Field(i).Name; name != "_" {
+			fields = append(fields, name)
+		}
 	}
 	return
 }
 
 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "Err", "URL", "Persist", "NetMap", "Hostinfo", "state"}
+	equalHandles := []string{"LoginFinished", "Err", "URL", "Persist", "NetMap", "Hostinfo", "State"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)
@@ -44,18 +48,18 @@ func TestStatusEqual(t *testing.T) {
 			true,
 		},
 		{
-			&Status{state: stateNew},
-			&Status{state: stateNew},
+			&Status{State: StateNew},
+			&Status{State: StateNew},
 			true,
 		},
 		{
-			&Status{state: stateNew},
-			&Status{state: stateAuthenticated},
+			&Status{State: StateNew},
+			&Status{State: StateAuthenticated},
 			false,
 		},
 		{
 			&Status{LoginFinished: nil},
-			&Status{LoginFinished: new(struct{})},
+			&Status{LoginFinished: new(empty.Message)},
 			false,
 		},
 	}
@@ -66,3 +70,10 @@ func TestStatusEqual(t *testing.T) {
 		}
 	}
 }
+
+func TestOSVersion(t *testing.T) {
+	if osVersion == nil {
+		t.Skip("not available for OS")
+	}
+	t.Logf("Got: %#q", osVersion())
+}

control/controlclient/direct.go

@@ -4,6 +4,8 @@
 
 package controlclient
 
+//go:generate go run tailscale.com/cmd/cloner -type=Persist -output=direct_clone.go
+
 import (
 	"bytes"
 	"context"
@@ -16,8 +18,12 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
+	"net/url"
 	"os"
+	"reflect"
 	"runtime"
+	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -25,13 +31,18 @@ import (
 	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/oauth2"
-	"tailscale.com/logger"
+	"inet.af/netaddr"
+	"tailscale.com/log/logheap"
+	"tailscale.com/net/netns"
+	"tailscale.com/net/tlsdial"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/logger"
+	"tailscale.com/types/structs"
 	"tailscale.com/version"
-	"tailscale.com/wgengine/filter"
 )
 
 type Persist struct {
+	_                 structs.Incomparable
 	PrivateMachineKey wgcfg.PrivateKey
 	PrivateNodeKey    wgcfg.PrivateKey
 	OldPrivateNodeKey wgcfg.PrivateKey // needed to request key rotation
@@ -39,6 +50,21 @@ type Persist struct {
 	LoginName         string
 }
 
+func (p *Persist) Equals(p2 *Persist) bool {
+	if p == nil && p2 == nil {
+		return true
+	}
+	if p == nil || p2 == nil {
+		return false
+	}
+
+	return p.PrivateMachineKey.Equal(p2.PrivateMachineKey) &&
+		p.PrivateNodeKey.Equal(p2.PrivateNodeKey) &&
+		p.OldPrivateNodeKey.Equal(p2.OldPrivateNodeKey) &&
+		p.Provider == p2.Provider &&
+		p.LoginName == p2.LoginName
+}
+
 func (p *Persist) Pretty() string {
 	var mk, ok, nk wgcfg.Key
 	if !p.PrivateMachineKey.IsZero() {
@@ -60,29 +86,35 @@ type Direct struct {
 	httpc           *http.Client // HTTP client used to talk to tailcontrol
 	serverURL       string       // URL of the tailcontrol server
 	timeNow         func() time.Time
+	lastPrintMap    time.Time
 	newDecompressor func() (Decompressor, error)
 	keepAlive       bool
 	logf            logger.Logf
+	discoPubKey     tailcfg.DiscoKey
 
 	mu           sync.Mutex // mutex guards the following fields
 	serverKey    wgcfg.Key
 	persist      Persist
+	authKey      string
 	tryingNewKey wgcfg.PrivateKey
 	expiry       *time.Time
-	hostinfo     tailcfg.Hostinfo
-	endpoints    []string
-	localPort    uint16
+	// hostinfo is mutated in-place while mu is held.
+	hostinfo  *tailcfg.Hostinfo // always non-nil
+	endpoints []string
+	localPort uint16 // or zero to mean auto
 }
 
 type Options struct {
-	Persist         Persist          // initial persistent data
-	HTTPC           *http.Client     // HTTP client used to talk to tailcontrol
-	ServerURL       string           // URL of the tailcontrol server
-	TimeNow         func() time.Time // time.Now implementation used by Client
-	Hostinfo        *tailcfg.Hostinfo
+	Persist         Persist           // initial persistent data
+	ServerURL       string            // URL of the tailcontrol server
+	AuthKey         string            // optional node auth key for auto registration
+	TimeNow         func() time.Time  // time.Now implementation used by Client
+	Hostinfo        *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
+	DiscoPublicKey  tailcfg.DiscoKey
 	NewDecompressor func() (Decompressor, error)
 	KeepAlive       bool
 	Logf            logger.Logf
+	HTTPTestClient  *http.Client // optional HTTP client to use (for tests only)
 }
 
 type Decompressor interface {
@@ -96,61 +128,99 @@ func NewDirect(opts Options) (*Direct, error) {
 		return nil, errors.New("controlclient.New: no server URL specified")
 	}
 	opts.ServerURL = strings.TrimRight(opts.ServerURL, "/")
-	if opts.HTTPC == nil {
-		opts.HTTPC = http.DefaultClient
+	serverURL, err := url.Parse(opts.ServerURL)
+	if err != nil {
+		return nil, err
 	}
 	if opts.TimeNow == nil {
 		opts.TimeNow = time.Now
 	}
 	if opts.Logf == nil {
 		// TODO(apenwarr): remove this default and fail instead.
+		// TODO(bradfitz): ... but then it shouldn't be in Options.
 		opts.Logf = log.Printf
 	}
 
+	httpc := opts.HTTPTestClient
+	if httpc == nil {
+		dialer := netns.NewDialer()
+		tr := http.DefaultTransport.(*http.Transport).Clone()
+		tr.DialContext = dialer.DialContext
+		tr.ForceAttemptHTTP2 = true
+		tr.TLSClientConfig = tlsdial.Config(serverURL.Host, tr.TLSClientConfig)
+		httpc = &http.Client{Transport: tr}
+	}
+
 	c := &Direct{
-		httpc:           opts.HTTPC,
+		httpc:           httpc,
 		serverURL:       opts.ServerURL,
 		timeNow:         opts.TimeNow,
 		logf:            opts.Logf,
 		newDecompressor: opts.NewDecompressor,
 		keepAlive:       opts.KeepAlive,
 		persist:         opts.Persist,
+		authKey:         opts.AuthKey,
+		discoPubKey:     opts.DiscoPublicKey,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
 	} else {
-		c.SetHostinfo(*opts.Hostinfo)
+		c.SetHostinfo(opts.Hostinfo)
 	}
-
 	return c, nil
 }
 
-func NewHostinfo() tailcfg.Hostinfo {
-	hostname, _ := os.Hostname()
-	os := runtime.GOOS
-	switch os {
-	case "darwin":
-		switch runtime.GOARCH {
-		case "arm", "arm64":
-			os = "iOS"
-		default:
-			os = "macOS"
-		}
-	}
+var osVersion func() string // non-nil on some platforms
 
-	return tailcfg.Hostinfo{
+func NewHostinfo() *tailcfg.Hostinfo {
+	hostname, _ := os.Hostname()
+	var osv string
+	if osVersion != nil {
+		osv = osVersion()
+	}
+	return &tailcfg.Hostinfo{
 		IPNVersion: version.LONG,
 		Hostname:   hostname,
-		OS:         os,
+		OS:         version.OS(),
+		OSVersion:  osv,
+		GoArch:     runtime.GOARCH,
 	}
 }
 
-func (c *Direct) SetHostinfo(hi tailcfg.Hostinfo) {
+// SetHostinfo clones the provided Hostinfo and remembers it for the
+// next update. It reports whether the Hostinfo has changed.
+func (c *Direct) SetHostinfo(hi *tailcfg.Hostinfo) bool {
+	if hi == nil {
+		panic("nil Hostinfo")
+	}
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
-	c.logf("Hostinfo: %v\n", hi)
-	c.hostinfo = hi
+	if hi.Equal(c.hostinfo) {
+		return false
+	}
+	c.hostinfo = hi.Clone()
+	return true
+}
+
+// SetNetInfo clones the provided NetInfo and remembers it for the
+// next update. It reports whether the NetInfo has changed.
+func (c *Direct) SetNetInfo(ni *tailcfg.NetInfo) bool {
+	if ni == nil {
+		panic("nil NetInfo")
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.hostinfo == nil {
+		c.logf("[unexpected] SetNetInfo called with no HostInfo; ignoring NetInfo update: %+v", ni)
+		return false
+	}
+	if reflect.DeepEqual(ni, c.hostinfo.NetInfo) {
+		return false
+	}
+	c.hostinfo.NetInfo = ni.Clone()
+	return true
 }
 
 func (c *Direct) GetPersist() Persist {
@@ -167,7 +237,7 @@ const (
 )
 
 func (c *Direct) TryLogout(ctx context.Context) error {
-	c.logf("direct.TryLogout()\n")
+	c.logf("direct.TryLogout()")
 
 	c.mu.Lock()
 	defer c.mu.Unlock()
@@ -183,12 +253,12 @@ func (c *Direct) TryLogout(ctx context.Context) error {
 }
 
 func (c *Direct) TryLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags) (url string, err error) {
-	c.logf("direct.TryLogin(%v, %v)\n", t != nil, flags)
+	c.logf("direct.TryLogin(%v, %v)", t != nil, flags)
 	return c.doLoginOrRegen(ctx, t, flags, false, "")
 }
 
 func (c *Direct) WaitLoginURL(ctx context.Context, url string) (newUrl string, err error) {
-	c.logf("direct.WaitLoginURL\n")
+	c.logf("direct.WaitLoginURL")
 	return c.doLoginOrRegen(ctx, nil, LoginDefault, false, url)
 }
 
@@ -208,11 +278,14 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	persist := c.persist
 	tryingNewKey := c.tryingNewKey
 	serverKey := c.serverKey
+	authKey := c.authKey
+	hostinfo := c.hostinfo.Clone()
+	backendLogID := hostinfo.BackendLogID
 	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.timeNow())
 	c.mu.Unlock()
 
 	if persist.PrivateMachineKey == (wgcfg.PrivateKey{}) {
-		c.logf("Generating a new machinekey.\n")
+		c.logf("Generating a new machinekey.")
 		mkey, err := wgcfg.NewPrivateKey()
 		if err != nil {
 			log.Fatal(err)
@@ -221,15 +294,15 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	}
 
 	if expired {
-		c.logf("Old key expired -> regen=true\n")
+		c.logf("Old key expired -> regen=true")
 		regen = true
 	}
 	if (flags & LoginInteractive) != 0 {
-		c.logf("LoginInteractive -> regen=true\n")
+		c.logf("LoginInteractive -> regen=true")
 		regen = true
 	}
 
-	c.logf("doLogin(regen=%v, hasUrl=%v)\n", regen, url != "")
+	c.logf("doLogin(regen=%v, hasUrl=%v)", regen, url != "")
 	if serverKey == (wgcfg.Key{}) {
 		var err error
 		serverKey, err = loadServerKey(ctx, c.httpc, c.serverURL)
@@ -245,7 +318,7 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	var oldNodeKey wgcfg.Key
 	if url != "" {
 	} else if regen || persist.PrivateNodeKey == (wgcfg.PrivateKey{}) {
-		c.logf("Generating a new nodekey.\n")
+		c.logf("Generating a new nodekey.")
 		persist.OldPrivateNodeKey = persist.PrivateNodeKey
 		key, err := wgcfg.NewPrivateKey()
 		if err != nil {
@@ -262,9 +335,9 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	}
 
 	if tryingNewKey == (wgcfg.PrivateKey{}) {
-		log.Fatalf("tryingNewKey is empty, give up\n")
+		log.Fatalf("tryingNewKey is empty, give up")
 	}
-	if c.hostinfo.BackendLogID == "" {
+	if backendLogID == "" {
 		err = errors.New("hostinfo: BackendLogID missing")
 		return regen, url, err
 	}
@@ -272,15 +345,16 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 		Version:    1,
 		OldNodeKey: tailcfg.NodeKey(oldNodeKey),
 		NodeKey:    tailcfg.NodeKey(tryingNewKey.Public()),
-		Hostinfo:   c.hostinfo,
+		Hostinfo:   hostinfo,
 		Followup:   url,
 	}
-	c.logf("RegisterReq: onode=%v node=%v fup=%v\n",
-		request.OldNodeKey.AbbrevString(),
-		request.NodeKey.AbbrevString(), url != "")
+	c.logf("RegisterReq: onode=%v node=%v fup=%v",
+		request.OldNodeKey.ShortString(),
+		request.NodeKey.ShortString(), url != "")
 	request.Auth.Oauth2Token = t
 	request.Auth.Provider = persist.Provider
 	request.Auth.LoginName = persist.LoginName
+	request.Auth.AuthKey = authKey
 	bodyData, err := encode(request, &serverKey, &persist.PrivateMachineKey)
 	if err != nil {
 		return regen, url, err
@@ -298,7 +372,7 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	if err != nil {
 		return regen, url, fmt.Errorf("register request: %v", err)
 	}
-	c.logf("RegisterReq: returned.\n")
+	c.logf("RegisterReq: returned.")
 	resp := tailcfg.RegisterResponse{}
 	if err := decode(res, &resp, &serverKey, &persist.PrivateMachineKey); err != nil {
 		return regen, url, fmt.Errorf("register request: %v", err)
@@ -309,7 +383,7 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 			return true, "", fmt.Errorf("weird: regen=true but server says NodeKeyExpired: %v", request.NodeKey)
 		}
 		c.logf("server reports new node key %v has expired",
-			request.NodeKey.AbbrevString())
+			request.NodeKey.ShortString())
 		return true, "", nil
 	}
 	if persist.Provider == "" {
@@ -326,9 +400,9 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	//	- user is disabled
 
 	if resp.AuthURL != "" {
-		c.logf("AuthURL is %.20v...\n", resp.AuthURL)
+		c.logf("AuthURL is %v", resp.AuthURL)
 	} else {
-		c.logf("No AuthURL\n")
+		c.logf("No AuthURL")
 	}
 
 	c.mu.Lock()
@@ -363,7 +437,11 @@ func sameStrings(a, b []string) bool {
 	return true
 }
 
-func (c *Direct) newEndpoints(localPort uint16, endpoints []string) bool {
+// newEndpoints acquires c.mu and sets the local port and endpoints and reports
+// whether they've changed.
+//
+// It does not retain the provided slice.
+func (c *Direct) newEndpoints(localPort uint16, endpoints []string) (changed bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
@@ -371,24 +449,19 @@ func (c *Direct) newEndpoints(localPort uint16, endpoints []string) bool {
 	if c.localPort == localPort && sameStrings(c.endpoints, endpoints) {
 		return false // unchanged
 	}
-	c.logf("client.newEndpoints(%v, %v)\n", localPort, endpoints)
-	if len(c.endpoints) > 0 {
-		// empty the old list without deallocating it
-		c.endpoints = c.endpoints[:0]
-	}
+	c.logf("client.newEndpoints(%v, %v)", localPort, endpoints)
 	c.localPort = localPort
-	c.endpoints = append(c.endpoints, endpoints...)
+	c.endpoints = append(c.endpoints[:0], endpoints...)
 	return true // changed
 }
 
 // SetEndpoints updates the list of locally advertised endpoints.
 // It won't be replicated to the server until a *fresh* call to PollNetMap().
 // You don't need to restart PollNetMap if we return changed==false.
-func (c *Direct) SetEndpoints(localPort uint16, endpoints []string) (changed bool, err error) {
+func (c *Direct) SetEndpoints(localPort uint16, endpoints []string) (changed bool) {
 	// (no log message on function entry, because it clutters the logs
 	//  if endpoints haven't changed. newEndpoints() will log it.)
-	changed = c.newEndpoints(localPort, endpoints)
-	return changed, nil
+	return c.newEndpoints(localPort, endpoints)
 }
 
 func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkMap)) error {
@@ -396,25 +469,35 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	persist := c.persist
 	serverURL := c.serverURL
 	serverKey := c.serverKey
-	hostinfo := c.hostinfo
+	hostinfo := c.hostinfo.Clone()
+	backendLogID := hostinfo.BackendLogID
 	localPort := c.localPort
 	ep := append([]string(nil), c.endpoints...)
 	c.mu.Unlock()
 
-	if hostinfo.BackendLogID == "" {
+	if backendLogID == "" {
 		return errors.New("hostinfo: BackendLogID missing")
 	}
 
 	allowStream := maxPolls != 1
-	c.logf("PollNetMap: stream=%v :%v %v\n", maxPolls, localPort, ep)
+	c.logf("PollNetMap: stream=%v :%v %v", maxPolls, localPort, ep)
+
+	vlogf := logger.Discard
+	if Debug.NetMap {
+		vlogf = c.logf
+	}
 
 	request := tailcfg.MapRequest{
-		Version:   4,
-		KeepAlive: c.keepAlive,
-		NodeKey:   tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
-		Endpoints: ep,
-		Stream:    allowStream,
-		Hostinfo:  hostinfo,
+		Version:         4,
+		IncludeIPv6:     true,
+		DeltaPeers:      true,
+		KeepAlive:       c.keepAlive,
+		NodeKey:         tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
+		DiscoKey:        c.discoPubKey,
+		Endpoints:       ep,
+		Stream:          allowStream,
+		Hostinfo:        hostinfo,
+		DebugForceDisco: Debug.ForceDisco,
 	}
 	if c.newDecompressor != nil {
 		request.Compress = "zstd"
@@ -422,9 +505,11 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 
 	bodyData, err := encode(request, &serverKey, &persist.PrivateMachineKey)
 	if err != nil {
+		vlogf("netmap: encode: %v", err)
 		return err
 	}
 
+	t0 := time.Now()
 	u := fmt.Sprintf("%s/machine/%s/map", serverURL, persist.PrivateMachineKey.Public().HexString())
 	req, err := http.NewRequest("POST", u, bytes.NewReader(bodyData))
 	if err != nil {
@@ -436,8 +521,10 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 
 	res, err := c.httpc.Do(req)
 	if err != nil {
+		vlogf("netmap: Do: %v", err)
 		return err
 	}
+	vlogf("netmap: Do = %v after %v", res.StatusCode, time.Since(t0).Round(time.Millisecond))
 	if res.StatusCode != 200 {
 		msg, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
@@ -452,26 +539,35 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	const pollTimeout = 120 * time.Second
 	timeout := time.NewTimer(pollTimeout)
 	timeoutReset := make(chan struct{})
-	defer close(timeoutReset)
+	pollDone := make(chan struct{})
+	defer close(pollDone)
 	go func() {
 		for {
 			select {
+			case <-pollDone:
+				vlogf("netmap: ending timeout goroutine")
+				return
 			case <-timeout.C:
 				c.logf("map response long-poll timed out!")
 				cancel()
 				return
-			case _, ok := <-timeoutReset:
-				if !ok {
-					return // channel closed, shut down goroutine
-				}
+			case <-timeoutReset:
 				if !timeout.Stop() {
-					<-timeout.C
+					select {
+					case <-timeout.C:
+					case <-pollDone:
+						vlogf("netmap: ending timeout goroutine")
+						return
+					}
 				}
+				vlogf("netmap: reset timeout timer")
 				timeout.Reset(pollTimeout)
 			}
 		}
 	}()
 
+	var lastDERPMap *tailcfg.DERPMap
+
 	// If allowStream, then the server will use an HTTP long poll to
 	// return incremental results. There is always one response right
 	// away, followed by a delay, and eventually others.
@@ -479,39 +575,73 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	// the same format before just closing the connection.
 	// We can use this same read loop either way.
 	var msg []byte
+	var previousPeers []*tailcfg.Node // for delta-purposes
 	for i := 0; i < maxPolls || maxPolls < 0; i++ {
+		vlogf("netmap: starting size read after %v (poll %v)", time.Since(t0).Round(time.Millisecond), i)
 		var siz [4]byte
 		if _, err := io.ReadFull(res.Body, siz[:]); err != nil {
+			vlogf("netmap: size read error after %v: %v", time.Since(t0).Round(time.Millisecond), err)
 			return err
 		}
 		size := binary.LittleEndian.Uint32(siz[:])
+		vlogf("netmap: read size %v after %v", size, time.Since(t0).Round(time.Millisecond))
 		msg = append(msg[:0], make([]byte, size)...)
 		if _, err := io.ReadFull(res.Body, msg); err != nil {
+			vlogf("netmap: body read error: %v", err)
 			return err
 		}
+		vlogf("netmap: read body after %v", time.Since(t0).Round(time.Millisecond))
 
 		var resp tailcfg.MapResponse
-
-		// Default filter if the key is missing from the incoming
-		// json (ie. old tailcontrol server without PacketFilter
-		// support). If even an empty PacketFilter is provided, this
-		// will be overwritten.
-		// TODO(apenwarr 2020-02-01): remove after tailcontrol is fully deployed.
-		resp.PacketFilter = filter.MatchAllowAll
-
 		if err := c.decodeMsg(msg, &resp); err != nil {
+			vlogf("netmap: decode error: %v")
 			return err
 		}
+
+		if resp.KeepAlive {
+			vlogf("netmap: got keep-alive")
+		} else {
+			vlogf("netmap: got new map")
+		}
+		select {
+		case timeoutReset <- struct{}{}:
+			vlogf("netmap: sent timer reset")
+		case <-ctx.Done():
+			c.logf("netmap: not resetting timer; context done: %v", ctx.Err())
+			return ctx.Err()
+		}
 		if resp.KeepAlive {
-			c.logf("map response keep alive received")
-			timeoutReset <- struct{}{}
 			continue
 		}
 
+		undeltaPeers(&resp, previousPeers)
+		previousPeers = cloneNodes(resp.Peers) // defensive/lazy clone, since this escapes to who knows where
+
+		if resp.DERPMap != nil {
+			vlogf("netmap: new map contains DERP map")
+			lastDERPMap = resp.DERPMap
+		}
+		if resp.Debug != nil && resp.Debug.LogHeapPprof {
+			go logheap.LogHeap(resp.Debug.LogHeapURL)
+		}
+		// Temporarily (2020-06-29) support removing all but
+		// discovery-supporting nodes during development, for
+		// less noise.
+		if Debug.OnlyDisco {
+			filtered := resp.Peers[:0]
+			for _, p := range resp.Peers {
+				if !p.DiscoKey.IsZero() {
+					filtered = append(filtered, p)
+				}
+			}
+			resp.Peers = filtered
+		}
+
 		nm := &NetworkMap{
 			NodeKey:      tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
 			PrivateKey:   persist.PrivateNodeKey,
 			Expiry:       resp.Node.KeyExpiry,
+			Name:         resp.Node.Name,
 			Addresses:    resp.Node.Addresses,
 			Peers:        resp.Peers,
 			LocalPort:    localPort,
@@ -519,10 +649,11 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 			UserProfiles: make(map[tailcfg.UserID]tailcfg.UserProfile),
 			Domain:       resp.Domain,
 			Roles:        resp.Roles,
-			DNS:          resp.DNS,
-			DNSDomains:   resp.SearchPaths,
+			DNS:          resp.DNSConfig,
 			Hostinfo:     resp.Node.Hostinfo,
-			PacketFilter: resp.PacketFilter,
+			PacketFilter: c.parsePacketFilter(resp.PacketFilter),
+			DERPMap:      lastDERPMap,
+			Debug:        resp.Debug,
 		}
 		for _, profile := range resp.UserProfiles {
 			nm.UserProfiles[profile.ID] = profile
@@ -532,7 +663,26 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 		} else {
 			nm.MachineStatus = tailcfg.MachineUnauthorized
 		}
-		//c.logf("new network map[%d]:\n%s", i, nm.Concise())
+		if len(resp.DNS) > 0 {
+			nm.DNS.Nameservers = wgIPToNetaddr(resp.DNS)
+		}
+		if len(resp.SearchPaths) > 0 {
+			nm.DNS.Domains = resp.SearchPaths
+		}
+		if Debug.ProxyDNS {
+			nm.DNS.Proxied = true
+		}
+
+		// Printing the netmap can be extremely verbose, but is very
+		// handy for debugging. Let's limit how often we do it.
+		// Code elsewhere prints netmap diffs every time, so this
+		// occasional full dump, plus incremental diffs, should do
+		// the job.
+		now := c.timeNow()
+		if now.Sub(c.lastPrintMap) >= 5*time.Minute {
+			c.lastPrintMap = now
+			c.logf("new network map[%d]:\n%s", i, nm.Concise())
+		}
 
 		c.mu.Lock()
 		c.expiry = &nm.Expiry
@@ -559,8 +709,10 @@ func decode(res *http.Response, v interface{}, serverKey *wgcfg.Key, mkey *wgcfg
 }
 
 func (c *Direct) decodeMsg(msg []byte, v interface{}) error {
+	c.mu.Lock()
 	mkey := c.persist.PrivateMachineKey
 	serverKey := c.serverKey
+	c.mu.Unlock()
 
 	decrypted, err := decryptMsg(msg, &serverKey, &mkey)
 	if err != nil {
@@ -570,7 +722,6 @@ func (c *Direct) decodeMsg(msg []byte, v interface{}) error {
 	if c.newDecompressor == nil {
 		b = decrypted
 	} else {
-		//decoder, err := zstd.NewReader(nil)
 		decoder, err := c.newDecompressor()
 		if err != nil {
 			return err
@@ -620,6 +771,12 @@ func encode(v interface{}, serverKey *wgcfg.Key, mkey *wgcfg.PrivateKey) ([]byte
 	if err != nil {
 		return nil, err
 	}
+	const debugMapRequests = false
+	if debugMapRequests {
+		if _, ok := v.(tailcfg.MapRequest); ok {
+			log.Printf("MapRequest: %s", b)
+		}
+	}
 	var nonce [24]byte
 	if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
 		panic(err)
@@ -653,3 +810,146 @@ func loadServerKey(ctx context.Context, httpc *http.Client, serverURL string) (w
 	}
 	return key, nil
 }
+
+func wgIPToNetaddr(ips []wgcfg.IP) (ret []netaddr.IP) {
+	for _, ip := range ips {
+		nip, ok := netaddr.FromStdIP(ip.IP())
+		if !ok {
+			panic(fmt.Sprintf("conversion of %s from wgcfg to netaddr IP failed", ip))
+		}
+		ret = append(ret, nip.Unmap())
+	}
+	return ret
+}
+
+// Debug contains temporary internal-only debug knobs.
+// They're unexported to not draw attention to them.
+var Debug = initDebug()
+
+type debug struct {
+	NetMap     bool
+	ProxyDNS   bool
+	OnlyDisco  bool
+	Disco      bool
+	ForceDisco bool // ask control server to not filter out our disco key
+}
+
+func initDebug() debug {
+	d := debug{
+		NetMap:     envBool("TS_DEBUG_NETMAP"),
+		ProxyDNS:   envBool("TS_DEBUG_PROXY_DNS"),
+		OnlyDisco:  os.Getenv("TS_DEBUG_USE_DISCO") == "only",
+		ForceDisco: os.Getenv("TS_DEBUG_USE_DISCO") == "only" || envBool("TS_DEBUG_USE_DISCO"),
+	}
+	if d.ForceDisco || os.Getenv("TS_DEBUG_USE_DISCO") == "" {
+		// This is now defaults to on.
+		d.Disco = true
+	}
+	return d
+}
+
+func envBool(k string) bool {
+	e := os.Getenv(k)
+	if e == "" {
+		return false
+	}
+	v, err := strconv.ParseBool(e)
+	if err != nil {
+		panic(fmt.Sprintf("invalid non-bool %q for env var %q", e, k))
+	}
+	return v
+}
+
+// undeltaPeers updates mapRes.Peers to be complete based on the provided previous peer list
+// and the PeersRemoved and PeersChanged fields in mapRes.
+// It then also nils out the delta fields.
+func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
+	if len(mapRes.Peers) > 0 {
+		// Not delta encoded.
+		if !nodesSorted(mapRes.Peers) {
+			log.Printf("netmap: undeltaPeers: MapResponse.Peers not sorted; sorting")
+			sortNodes(mapRes.Peers)
+		}
+		return
+	}
+
+	var removed map[tailcfg.NodeID]bool
+	if pr := mapRes.PeersRemoved; len(pr) > 0 {
+		removed = make(map[tailcfg.NodeID]bool, len(pr))
+		for _, id := range pr {
+			removed[id] = true
+		}
+	}
+	changed := mapRes.PeersChanged
+
+	if len(removed) == 0 && len(changed) == 0 {
+		// No changes fast path.
+		mapRes.Peers = prev
+		return
+	}
+
+	if !nodesSorted(changed) {
+		log.Printf("netmap: undeltaPeers: MapResponse.PeersChanged not sorted; sorting")
+		sortNodes(changed)
+	}
+	if !nodesSorted(prev) {
+		// Internal error (unrelated to the network) if we get here.
+		log.Printf("netmap: undeltaPeers: [unexpected] prev not sorted; sorting")
+		sortNodes(prev)
+	}
+
+	newFull := make([]*tailcfg.Node, 0, len(prev)-len(removed))
+	for len(prev) > 0 && len(changed) > 0 {
+		pID := prev[0].ID
+		cID := changed[0].ID
+		if removed[pID] {
+			prev = prev[1:]
+			continue
+		}
+		switch {
+		case pID < cID:
+			newFull = append(newFull, prev[0])
+			prev = prev[1:]
+		case pID == cID:
+			newFull = append(newFull, changed[0])
+			prev, changed = prev[1:], changed[1:]
+		case cID < pID:
+			newFull = append(newFull, changed[0])
+			changed = changed[1:]
+		}
+	}
+	newFull = append(newFull, changed...)
+	for _, n := range prev {
+		if !removed[n.ID] {
+			newFull = append(newFull, n)
+		}
+	}
+	sortNodes(newFull)
+	mapRes.Peers = newFull
+	mapRes.PeersChanged = nil
+	mapRes.PeersRemoved = nil
+}
+
+func nodesSorted(v []*tailcfg.Node) bool {
+	for i, n := range v {
+		if i > 0 && n.ID <= v[i-1].ID {
+			return false
+		}
+	}
+	return true
+}
+
+func sortNodes(v []*tailcfg.Node) {
+	sort.Slice(v, func(i, j int) bool { return v[i].ID < v[j].ID })
+}
+
+func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
+	if v1 == nil {
+		return nil
+	}
+	v2 := make([]*tailcfg.Node, len(v1))
+	for i, n := range v1 {
+		v2[i] = n.Clone()
+	}
+	return v2
+}

control/controlclient/direct_clone.go

@@ -0,0 +1,20 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner -type Persist; DO NOT EDIT.
+
+package controlclient
+
+import ()
+
+// Clone makes a deep copy of Persist.
+// The result aliases no memory with the original.
+func (src *Persist) Clone() *Persist {
+	if src == nil {
+		return nil
+	}
+	dst := new(Persist)
+	*dst = *src
+	return dst
+}

control/controlclient/direct_test.go

@@ -2,304 +2,92 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build depends_on_currently_unreleased
-
 package controlclient
 
 import (
-	"context"
-	"io/ioutil"
-	"net/http"
-	"net/http/httptest"
-	"os"
+	"fmt"
+	"reflect"
+	"strings"
 	"testing"
-	"time"
 
-	"github.com/klauspost/compress/zstd"
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/tailcfg"
-	"tailscale.io/control" // not yet released
 )
 
-func TestClientsReusingKeys(t *testing.T) {
-	tmpdir, err := ioutil.TempDir("", "control-test-")
-	if err != nil {
-		t.Fatal(err)
+func TestUndeltaPeers(t *testing.T) {
+	n := func(id tailcfg.NodeID, name string) *tailcfg.Node {
+		return &tailcfg.Node{ID: id, Name: name}
 	}
-	var server *control.Server
-	httpsrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		server.ServeHTTP(w, r)
-	}))
-	server, err = control.New(tmpdir, httpsrv.URL, true)
-	if err != nil {
-		t.Fatal(err)
-	}
-	server.QuietLogging = true
-	defer func() {
-		httpsrv.CloseClientConnections()
-		httpsrv.Close()
-		os.RemoveAll(tmpdir)
-	}()
-
-	hi := NewHostinfo()
-	hi.FrontendLogID = "go-test-only"
-	hi.BackendLogID = "go-test-only"
-	c1, err := NewDirect(Options{
-		ServerURL: httpsrv.URL,
-		HTTPC:     httpsrv.Client(),
-		//TimeNow:   s.control.TimeNow,
-		Logf: func(fmt string, args ...interface{}) {
-			t.Helper()
-			t.Logf("c1: "+fmt, args...)
-		},
-		Hostinfo: &hi,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	authURL, err := c1.TryLogin(ctx, nil, 0)
-	if err != nil {
-		t.Fatal(err)
-	}
-	const user = "testuser1@tailscale.onmicrosoft.com"
-	postAuthURL(t, ctx, httpsrv.Client(), user, authURL)
-	newURL, err := c1.WaitLoginURL(ctx, authURL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if newURL != "" {
-		t.Fatalf("unexpected newURL: %s", newURL)
-	}
-
-	pollErrCh := make(chan error)
-	go func() {
-		err := c1.PollNetMap(ctx, -1, func(netMap *NetworkMap) {})
-		pollErrCh <- err
-	}()
-
-	select {
-	case err := <-pollErrCh:
-		t.Fatal(err)
-	default:
-	}
-
-	c2, err := NewDirect(Options{
-		ServerURL: httpsrv.URL,
-		HTTPC:     httpsrv.Client(),
-		Logf: func(fmt string, args ...interface{}) {
-			t.Helper()
-			t.Logf("c2: "+fmt, args...)
-		},
-		Persist:  c1.GetPersist(),
-		Hostinfo: &hi,
-		NewDecompressor: func() (Decompressor, error) {
-			return zstd.NewReader(nil)
-		},
-		KeepAlive: true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	authURL, err = c2.TryLogin(ctx, nil, 0)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if authURL != "" {
-		t.Errorf("unexpected authURL %s", authURL)
-	}
-
-	err = c2.PollNetMap(ctx, 1, func(netMap *NetworkMap) {})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	select {
-	case err := <-pollErrCh:
-		t.Logf("expected poll error: %v", err)
-	case <-time.After(5 * time.Second):
-		t.Fatal("first client poll failed to close")
-	}
-}
-
-func TestClientsReusingOldKey(t *testing.T) {
-	tmpdir, err := ioutil.TempDir("", "control-test-")
-	if err != nil {
-		t.Fatal(err)
-	}
-	var server *control.Server
-	httpsrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		server.ServeHTTP(w, r)
-	}))
-	server, err = control.New(tmpdir, httpsrv.URL, true)
-	if err != nil {
-		t.Fatal(err)
-	}
-	server.QuietLogging = true
-	defer func() {
-		httpsrv.CloseClientConnections()
-		httpsrv.Close()
-		os.RemoveAll(tmpdir)
-	}()
-
-	hi := NewHostinfo()
-	hi.FrontendLogID = "go-test-only"
-	hi.BackendLogID = "go-test-only"
-	genOpts := func() Options {
-		return Options{
-			ServerURL: httpsrv.URL,
-			HTTPC:     httpsrv.Client(),
-			//TimeNow:   s.control.TimeNow,
-			Logf: func(fmt string, args ...interface{}) {
-				t.Helper()
-				t.Logf("c1: "+fmt, args...)
+	peers := func(nv ...*tailcfg.Node) []*tailcfg.Node { return nv }
+	tests := []struct {
+		name   string
+		mapRes *tailcfg.MapResponse
+		prev   []*tailcfg.Node
+		want   []*tailcfg.Node
+	}{
+		{
+			name: "full_peers",
+			mapRes: &tailcfg.MapResponse{
+				Peers: peers(n(1, "foo"), n(2, "bar")),
 			},
-			Hostinfo: &hi,
-		}
+			want: peers(n(1, "foo"), n(2, "bar")),
+		},
+		{
+			name: "full_peers_ignores_deltas",
+			mapRes: &tailcfg.MapResponse{
+				Peers:        peers(n(1, "foo"), n(2, "bar")),
+				PeersRemoved: []tailcfg.NodeID{2},
+			},
+			want: peers(n(1, "foo"), n(2, "bar")),
+		},
+		{
+			name: "add_and_update",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersChanged: peers(n(0, "zero"), n(2, "bar2"), n(3, "three")),
+			},
+			want: peers(n(0, "zero"), n(1, "foo"), n(2, "bar2"), n(3, "three")),
+		},
+		{
+			name: "remove",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersRemoved: []tailcfg.NodeID{1},
+			},
+			want: peers(n(2, "bar")),
+		},
+		{
+			name: "add_and_remove",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersChanged: peers(n(1, "foo2")),
+				PeersRemoved: []tailcfg.NodeID{2},
+			},
+			want: peers(n(1, "foo2")),
+		},
+		{
+			name:   "unchanged",
+			prev:   peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{},
+			want:   peers(n(1, "foo"), n(2, "bar")),
+		},
 	}
-
-	// Login with a new node key. This requires authorization.
-	c1, err := NewDirect(genOpts())
-	if err != nil {
-		t.Fatal(err)
-	}
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	authURL, err := c1.TryLogin(ctx, nil, 0)
-	if err != nil {
-		t.Fatal(err)
-	}
-	const user = "testuser1@tailscale.onmicrosoft.com"
-	postAuthURL(t, ctx, httpsrv.Client(), user, authURL)
-	newURL, err := c1.WaitLoginURL(ctx, authURL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if newURL != "" {
-		t.Fatalf("unexpected newURL: %s", newURL)
-	}
-
-	if err := c1.PollNetMap(ctx, 1, func(netMap *NetworkMap) {}); err != nil {
-		t.Fatal(err)
-	}
-
-	newPrivKey := func(t *testing.T) wgcfg.PrivateKey {
-		t.Helper()
-		k, err := wgcfg.NewPrivateKey()
-		if err != nil {
-			t.Fatal(err)
-		}
-		return k
-	}
-
-	// Replace the previous key with a new key.
-	persist1 := c1.GetPersist()
-	persist2 := Persist{
-		PrivateMachineKey: persist1.PrivateMachineKey,
-		OldPrivateNodeKey: persist1.PrivateNodeKey,
-		PrivateNodeKey:    newPrivKey(t),
-	}
-	opts := genOpts()
-	opts.Persist = persist2
-
-	c1, err = NewDirect(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if authURL, err := c1.TryLogin(ctx, nil, 0); err != nil {
-		t.Fatal(err)
-	} else if authURL == "" {
-		t.Fatal("expected authURL for reused oldNodeKey, got none")
-	} else {
-		postAuthURL(t, ctx, httpsrv.Client(), user, authURL)
-		if newURL, err := c1.WaitLoginURL(ctx, authURL); err != nil {
-			t.Fatal(err)
-		} else if newURL != "" {
-			t.Fatalf("unexpected newURL: %s", newURL)
-		}
-	}
-	if p := c1.GetPersist(); p.PrivateNodeKey != opts.Persist.PrivateNodeKey {
-		t.Error("unexpected node key change")
-	} else {
-		persist2 = p
-	}
-
-	// Here we simulate a client using using old persistent data.
-	// We use the key we have already replaced as the old node key.
-	// This requires the user to authenticate.
-	persist3 := Persist{
-		PrivateMachineKey: persist1.PrivateMachineKey,
-		OldPrivateNodeKey: persist1.PrivateNodeKey,
-		PrivateNodeKey:    newPrivKey(t),
-	}
-	opts = genOpts()
-	opts.Persist = persist3
-
-	c1, err = NewDirect(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if authURL, err := c1.TryLogin(ctx, nil, 0); err != nil {
-		t.Fatal(err)
-	} else if authURL == "" {
-		t.Fatal("expected authURL for reused oldNodeKey, got none")
-	} else {
-		postAuthURL(t, ctx, httpsrv.Client(), user, authURL)
-		if newURL, err := c1.WaitLoginURL(ctx, authURL); err != nil {
-			t.Fatal(err)
-		} else if newURL != "" {
-			t.Fatalf("unexpected newURL: %s", newURL)
-		}
-	}
-	if err := c1.PollNetMap(ctx, 1, func(netMap *NetworkMap) {}); err != nil {
-		t.Fatal(err)
-	}
-
-	// At this point, there should only be one node for the machine key
-	// registered as active in the server.
-	mkey := tailcfg.MachineKey(persist1.PrivateMachineKey.Public())
-	nodeIDs, err := server.DB().MachineNodes(mkey)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(nodeIDs) != 1 {
-		t.Logf("active nodes for machine key %v:", mkey)
-		for i, nodeID := range nodeIDs {
-			nodeKey := server.DB().NodeKey(nodeID)
-			t.Logf("\tnode %d: id=%v, key=%v", i, nodeID, nodeKey)
-		}
-		t.Fatalf("want 1 active node for the client machine, got %d", len(nodeIDs))
-	}
-
-	// Now try the previous node key. It should fail.
-	opts = genOpts()
-	opts.Persist = persist2
-	c1, err = NewDirect(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	// TODO(crawshaw): make this return an actual error.
-	// Have cfgdb track expired keys, and when an expired key is reused
-	// produce an error.
-	if authURL, err := c1.TryLogin(ctx, nil, 0); err != nil {
-		t.Fatal(err)
-	} else if authURL == "" {
-		t.Fatal("expected authURL for reused nodeKey, got none")
-	} else {
-		postAuthURL(t, ctx, httpsrv.Client(), user, authURL)
-		if newURL, err := c1.WaitLoginURL(ctx, authURL); err != nil {
-			t.Fatal(err)
-		} else if newURL != "" {
-			t.Fatalf("unexpected newURL: %s", newURL)
-		}
-	}
-	if err := c1.PollNetMap(ctx, 1, func(netMap *NetworkMap) {}); err != nil {
-		t.Fatal(err)
-	}
-	if nodeIDs, err := server.DB().MachineNodes(mkey); err != nil {
-		t.Fatal(err)
-	} else if len(nodeIDs) != 1 {
-		t.Fatalf("want 1 active node for the client machine, got %d", len(nodeIDs))
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			undeltaPeers(tt.mapRes, tt.prev)
+			if !reflect.DeepEqual(tt.mapRes.Peers, tt.want) {
+				t.Errorf("wrong results\n got: %s\nwant: %s", formatNodes(tt.mapRes.Peers), formatNodes(tt.want))
+			}
+		})
 	}
 }
+
+func formatNodes(nodes []*tailcfg.Node) string {
+	var sb strings.Builder
+	for i, n := range nodes {
+		if i > 0 {
+			sb.WriteString(", ")
+		}
+		fmt.Fprintf(&sb, "(%d, %q)", n.ID, n.Name)
+	}
+	return sb.String()
+}

control/controlclient/filter.go

@@ -0,0 +1,84 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlclient
+
+import (
+	"fmt"
+	"net"
+	"tailscale.com/tailcfg"
+	"tailscale.com/wgengine/filter"
+)
+
+func parseIP(host string, defaultBits int) (filter.Net, error) {
+	ip := net.ParseIP(host)
+	if ip != nil && ip.IsUnspecified() {
+		// For clarity, reject 0.0.0.0 as an input
+		return filter.NetNone, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not 0.0.0.0:port", host)
+	} else if ip == nil && host == "*" {
+		// User explicitly requested wildcard dst ip
+		return filter.NetAny, nil
+	} else {
+		if ip != nil {
+			ip = ip.To4()
+		}
+		if ip == nil || len(ip) != 4 {
+			return filter.NetNone, fmt.Errorf("ports=%#v: invalid IPv4 address", host)
+		}
+		return filter.Net{
+			IP:   filter.NewIP(ip),
+			Mask: filter.Netmask(defaultBits),
+		}, nil
+	}
+}
+
+// Parse a backward-compatible FilterRule used by control's wire format,
+// producing the most current filter.Matches format.
+func (c *Direct) parsePacketFilter(pf []tailcfg.FilterRule) filter.Matches {
+	mm := make([]filter.Match, 0, len(pf))
+	var erracc error
+
+	for _, r := range pf {
+		m := filter.Match{}
+
+		for i, s := range r.SrcIPs {
+			bits := 32
+			if len(r.SrcBits) > i {
+				bits = r.SrcBits[i]
+			}
+			net, err := parseIP(s, bits)
+			if err != nil && erracc == nil {
+				erracc = err
+				continue
+			}
+			m.Srcs = append(m.Srcs, net)
+		}
+
+		for _, d := range r.DstPorts {
+			bits := 32
+			if d.Bits != nil {
+				bits = *d.Bits
+			}
+			net, err := parseIP(d.IP, bits)
+			if err != nil && erracc == nil {
+				erracc = err
+				continue
+			}
+			m.Dsts = append(m.Dsts, filter.NetPortRange{
+				Net: net,
+				Ports: filter.PortRange{
+					First: d.Ports.First,
+					Last:  d.Ports.Last,
+				},
+			})
+		}
+
+		mm = append(mm, m)
+	}
+
+	if erracc != nil {
+		c.logf("parsePacketFilter: %s\n", erracc)
+	}
+	return mm
+}

control/controlclient/hostinfo_linux.go

@@ -0,0 +1,87 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux,!android
+
+package controlclient
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+	"syscall"
+
+	"go4.org/mem"
+	"tailscale.com/util/lineread"
+)
+
+func init() {
+	osVersion = osVersionLinux
+}
+
+func osVersionLinux() string {
+	m := map[string]string{}
+	lineread.File("/etc/os-release", func(line []byte) error {
+		eq := bytes.IndexByte(line, '=')
+		if eq == -1 {
+			return nil
+		}
+		k, v := string(line[:eq]), strings.Trim(string(line[eq+1:]), `"`)
+		m[k] = v
+		return nil
+	})
+
+	var un syscall.Utsname
+	syscall.Uname(&un)
+
+	var attrBuf strings.Builder
+	attrBuf.WriteString("; kernel=")
+	for _, b := range un.Release {
+		if b == 0 {
+			break
+		}
+		attrBuf.WriteByte(byte(b))
+	}
+	if inContainer() {
+		attrBuf.WriteString("; container")
+	}
+	attr := attrBuf.String()
+
+	id := m["ID"]
+
+	switch id {
+	case "debian":
+		slurp, _ := ioutil.ReadFile("/etc/debian_version")
+		return fmt.Sprintf("Debian %s (%s)%s", bytes.TrimSpace(slurp), m["VERSION_CODENAME"], attr)
+	case "ubuntu":
+		return fmt.Sprintf("Ubuntu %s%s", m["VERSION"], attr)
+	case "", "centos": // CentOS 6 has no /etc/os-release, so its id is ""
+		if cr, _ := ioutil.ReadFile("/etc/centos-release"); len(cr) > 0 { // "CentOS release 6.10 (Final)
+			return fmt.Sprintf("%s%s", bytes.TrimSpace(cr), attr)
+		}
+		fallthrough
+	case "fedora", "rhel", "alpine":
+		// Their PRETTY_NAME is fine as-is for all versions I tested.
+		fallthrough
+	default:
+		if v := m["PRETTY_NAME"]; v != "" {
+			return fmt.Sprintf("%s%s", v, attr)
+		}
+	}
+	return fmt.Sprintf("Other%s", attr)
+}
+
+func inContainer() (ret bool) {
+	lineread.File("/proc/1/cgroup", func(line []byte) error {
+		if mem.Contains(mem.B(line), mem.S("/docker/")) ||
+			mem.Contains(mem.B(line), mem.S("/lxc/")) {
+			ret = true
+			return io.EOF // arbitrary non-nil error to stop loop
+		}
+		return nil
+	})
+	return
+}

control/controlclient/hostinfo_windows.go

@@ -0,0 +1,26 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlclient
+
+import (
+	"os/exec"
+	"strings"
+	"syscall"
+)
+
+func init() {
+	osVersion = osVersionWindows
+}
+
+func osVersionWindows() string {
+	cmd := exec.Command("cmd", "/c", "ver")
+	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+	out, _ := cmd.Output() // "\nMicrosoft Windows [Version 10.0.19041.388]\n\n"
+	s := strings.TrimSpace(string(out))
+	s = strings.TrimPrefix(s, "Microsoft Windows [")
+	s = strings.TrimSuffix(s, "]")
+	s = strings.TrimPrefix(s, "Version ") // is this localized? do it last in case.
+	return s                              // "10.0.19041.388", ideally
+}

control/controlclient/netmap.go

@@ -5,36 +5,43 @@
 package controlclient
 
 import (
-	"bytes"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"log"
 	"net"
-	"runtime"
+	"reflect"
+	"strconv"
 	"strings"
 	"time"
 
 	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/logger"
 	"tailscale.com/wgengine/filter"
 )
 
 type NetworkMap struct {
 	// Core networking
 
-	NodeKey       tailcfg.NodeKey
-	PrivateKey    wgcfg.PrivateKey
-	Expiry        time.Time
+	NodeKey    tailcfg.NodeKey
+	PrivateKey wgcfg.PrivateKey
+	Expiry     time.Time
+	// Name is the DNS name assigned to this node.
+	Name          string
 	Addresses     []wgcfg.CIDR
 	LocalPort     uint16 // used for debugging
 	MachineStatus tailcfg.MachineStatus
-	Peers         []tailcfg.Node
-	DNS           []wgcfg.IP
-	DNSDomains    []string
+	Peers         []*tailcfg.Node // sorted by Node.ID
+	DNS           tailcfg.DNSConfig
 	Hostinfo      tailcfg.Hostinfo
 	PacketFilter  filter.Matches
 
+	// DERPMap is the last DERP server map received. It's reused
+	// between updates and should not be modified.
+	DERPMap *tailcfg.DERPMap
+
+	// Debug knobs from control server for debug or feature gating.
+	Debug *tailcfg.Debug
+
 	// ACLs
 
 	User   tailcfg.UserID
@@ -47,55 +54,155 @@ type NetworkMap struct {
 	// TODO(crawshaw): Capabilities []tailcfg.Capability
 }
 
-func (n *NetworkMap) Equal(n2 *NetworkMap) bool {
-	// TODO(crawshaw): this is crude, but is an easy way to avoid bugs.
-	b, err := json.Marshal(n)
-	if err != nil {
-		panic(err)
-	}
-	b2, err := json.Marshal(n2)
-	if err != nil {
-		panic(err)
-	}
-	return bytes.Equal(b, b2)
-}
-
 func (nm NetworkMap) String() string {
 	return nm.Concise()
 }
 
-func keyString(key [32]byte) string {
-	b64 := base64.StdEncoding.EncodeToString(key[:])
-	abbrev := "invalid"
-	if len(b64) == 44 {
-		abbrev = b64[0:4] + "…" + b64[39:43]
-	}
-	return fmt.Sprintf("[%s]", abbrev)
-}
-
 func (nm *NetworkMap) Concise() string {
 	buf := new(strings.Builder)
-	fmt.Fprintf(buf, "NetworkMap: self: %v auth=%v :%v %v\n",
-		keyString(nm.NodeKey), nm.MachineStatus,
-		nm.LocalPort, nm.Addresses)
+
+	nm.printConciseHeader(buf)
 	for _, p := range nm.Peers {
-		aip := make([]string, len(p.AllowedIPs))
-		for i, a := range p.AllowedIPs {
-			aip[i] = fmt.Sprint(a)
-		}
-		u := fmt.Sprint(p.User)
-		if strings.HasPrefix(u, "userid:") {
-			u = "u:" + u[7:]
-		}
-		f1 := fmt.Sprintf(" %v %-6v %v",
-			keyString(p.Key), u, p.Endpoints)
-		f2 := fmt.Sprintf(" %*v\n", 70-len(f1),
-			strings.Join(aip, " "))
-		fmt.Fprintf(buf, "%s%s", f1, f2)
+		printPeerConcise(buf, p)
 	}
 	return buf.String()
 }
 
+// printConciseHeader prints a concise header line representing nm to buf.
+//
+// If this function is changed to access different fields of nm, keep
+// in equalConciseHeader in sync.
+func (nm *NetworkMap) printConciseHeader(buf *strings.Builder) {
+	fmt.Fprintf(buf, "netmap: self: %v auth=%v",
+		nm.NodeKey.ShortString(), nm.MachineStatus)
+	if nm.LocalPort != 0 {
+		fmt.Fprintf(buf, " port=%v", nm.LocalPort)
+	}
+	if nm.Debug != nil {
+		j, _ := json.Marshal(nm.Debug)
+		fmt.Fprintf(buf, " debug=%s", j)
+	}
+	fmt.Fprintf(buf, " %v", nm.Addresses)
+	buf.WriteByte('\n')
+}
+
+// equalConciseHeader reports whether a and b are equal for the fields
+// used by printConciseHeader.
+func (a *NetworkMap) equalConciseHeader(b *NetworkMap) bool {
+	if a.NodeKey != b.NodeKey ||
+		a.MachineStatus != b.MachineStatus ||
+		a.LocalPort != b.LocalPort ||
+		len(a.Addresses) != len(b.Addresses) {
+		return false
+	}
+	for i, a := range a.Addresses {
+		if b.Addresses[i] != a {
+			return false
+		}
+	}
+	return (a.Debug == nil && b.Debug == nil) || reflect.DeepEqual(a.Debug, b.Debug)
+}
+
+// printPeerConcise appends to buf a line repsenting the peer p.
+//
+// If this function is changed to access different fields of p, keep
+// in nodeConciseEqual in sync.
+func printPeerConcise(buf *strings.Builder, p *tailcfg.Node) {
+	aip := make([]string, len(p.AllowedIPs))
+	for i, a := range p.AllowedIPs {
+		s := strings.TrimSuffix(fmt.Sprint(a), "/32")
+		aip[i] = s
+	}
+
+	ep := make([]string, len(p.Endpoints))
+	for i, e := range p.Endpoints {
+		// Align vertically on the ':' between IP and port
+		colon := strings.IndexByte(e, ':')
+		spaces := 0
+		for colon > 0 && len(e)+spaces-colon < 6 {
+			spaces++
+			colon--
+		}
+		ep[i] = fmt.Sprintf("%21v", e+strings.Repeat(" ", spaces))
+	}
+
+	derp := p.DERP
+	const derpPrefix = "127.3.3.40:"
+	if strings.HasPrefix(derp, derpPrefix) {
+		derp = "D" + derp[len(derpPrefix):]
+	}
+	var discoShort string
+	if !p.DiscoKey.IsZero() {
+		discoShort = p.DiscoKey.ShortString() + " "
+	}
+
+	// Most of the time, aip is just one element, so format the
+	// table to look good in that case. This will also make multi-
+	// subnet nodes stand out visually.
+	fmt.Fprintf(buf, " %v %s%-2v %-15v : %v\n",
+		p.Key.ShortString(),
+		discoShort,
+		derp,
+		strings.Join(aip, " "),
+		strings.Join(ep, " "))
+}
+
+// nodeConciseEqual reports whether a and b are equal for the fields accessed by printPeerConcise.
+func nodeConciseEqual(a, b *tailcfg.Node) bool {
+	return a.Key == b.Key &&
+		a.DERP == b.DERP &&
+		a.DiscoKey == b.DiscoKey &&
+		eqCIDRsIgnoreNil(a.AllowedIPs, b.AllowedIPs) &&
+		eqStringsIgnoreNil(a.Endpoints, b.Endpoints)
+}
+
+func (b *NetworkMap) ConciseDiffFrom(a *NetworkMap) string {
+	var diff strings.Builder
+
+	// See if header (non-peers, "bare") part of the network map changed.
+	// If so, print its diff lines first.
+	if !a.equalConciseHeader(b) {
+		diff.WriteByte('-')
+		a.printConciseHeader(&diff)
+		diff.WriteByte('+')
+		b.printConciseHeader(&diff)
+	}
+
+	aps, bps := a.Peers, b.Peers
+	for len(aps) > 0 && len(bps) > 0 {
+		pa, pb := aps[0], bps[0]
+		switch {
+		case pa.ID == pb.ID:
+			if !nodeConciseEqual(pa, pb) {
+				diff.WriteByte('-')
+				printPeerConcise(&diff, pa)
+				diff.WriteByte('+')
+				printPeerConcise(&diff, pb)
+			}
+			aps, bps = aps[1:], bps[1:]
+		case pa.ID > pb.ID:
+			// New peer in b.
+			diff.WriteByte('+')
+			printPeerConcise(&diff, pb)
+			bps = bps[1:]
+		case pb.ID > pa.ID:
+			// Deleted peer in b.
+			diff.WriteByte('-')
+			printPeerConcise(&diff, pa)
+			aps = aps[1:]
+		}
+	}
+	for _, pa := range aps {
+		diff.WriteByte('-')
+		printPeerConcise(&diff, pa)
+	}
+	for _, pb := range bps {
+		diff.WriteByte('+')
+		printPeerConcise(&diff, pb)
+	}
+	return diff.String()
+}
+
 func (nm *NetworkMap) JSON() string {
 	b, err := json.MarshalIndent(*nm, "", "  ")
 	if err != nil {
@@ -104,184 +211,126 @@ func (nm *NetworkMap) JSON() string {
 	return string(b)
 }
 
-// TODO(apenwarr): delete me once relaynode doesn't need this anymore.
-// control.go:userMap() supercedes it. This does not belong in the client.
-func (nm *NetworkMap) UserMap() map[string][]filter.IP {
-	// Make a lookup table of roles
-	log.Printf("roles list is: %v\n", nm.Roles)
-	roles := make(map[tailcfg.RoleID]tailcfg.Role)
-	for _, role := range nm.Roles {
-		roles[role.ID] = role
-	}
-
-	// First, go through each node's addresses and make a lookup table
-	// of IP->User.
-	fwd := make(map[wgcfg.IP]string)
-	for _, node := range nm.Peers {
-		for _, addr := range node.Addresses {
-			if addr.Mask == 32 && addr.IP.Is4() {
-				user, ok := nm.UserProfiles[node.User]
-				if ok {
-					fwd[addr.IP] = user.LoginName
-				}
-			}
-		}
-	}
-
-	// Next, reverse the mapping into User->IP.
-	rev := make(map[string][]filter.IP)
-	for ip, username := range fwd {
-		ip4 := ip.To4()
-		if ip4 != nil {
-			fip := filter.NewIP(net.IP(ip4))
-			rev[username] = append(rev[username], fip)
-		}
-	}
-
-	// Now add roles, which are lists of users, and therefore lists
-	// of those users' IP addresses.
-	for _, user := range nm.UserProfiles {
-		for _, roleid := range user.Roles {
-			role, ok := roles[roleid]
-			if ok {
-				rolename := "role:" + role.Name
-				rev[rolename] = append(rev[rolename], rev[user.LoginName]...)
-			}
-		}
-	}
-
-	//log.Printf("Usermap is: %v\n", rev)
-	return rev
-}
-
-var iOS = runtime.GOOS == "darwin" && (runtime.GOARCH == "arm" || runtime.GOARCH == "arm64")
-var keepalive = !iOS
+// WGConfigFlags is a bitmask of flags to control the behavior of the
+// wireguard configuration generation done by NetMap.WGCfg.
+type WGConfigFlags int
 
 const (
-	UAllowSingleHosts = 1 << iota
-	UAllowSubnetRoutes
-	UAllowDefaultRoute
-	UHackDefaultRoute
-
-	UDefault = 0
+	AllowSingleHosts WGConfigFlags = 1 << iota
+	AllowSubnetRoutes
+	AllowDefaultRoute
+	HackDefaultRoute
 )
 
-// Several programs need to parse these arguments into uflags, so let's
-// centralize it here.
-func UFlagsHelper(uroutes, rroutes, droutes bool) int {
-	uflags := 0
-	if uroutes {
-		uflags |= UAllowSingleHosts
-	}
-	if rroutes {
-		uflags |= UAllowSubnetRoutes
-	}
-	if droutes {
-		uflags |= UAllowDefaultRoute
-	}
-	return uflags
-}
+// EndpointDiscoSuffix is appended to the hex representation of a peer's discovery key
+// and is then the sole wireguard endpoint for peers with a non-zero discovery key.
+// This form is then recognize by magicsock's CreateEndpoint.
+const EndpointDiscoSuffix = ".disco.tailscale:12345"
 
-func (nm *NetworkMap) UAPI(uflags int, dnsOverride []wgcfg.IP) string {
-	wgcfg, err := nm.WGCfg(uflags, dnsOverride)
-	if err != nil {
-		log.Fatalf("WGCfg() failed unexpectedly: %v\n", err)
+// WGCfg returns the NetworkMaps's Wireguard configuration.
+func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Config, error) {
+	cfg := &wgcfg.Config{
+		Name:       "tailscale",
+		PrivateKey: nm.PrivateKey,
+		Addresses:  nm.Addresses,
+		ListenPort: nm.LocalPort,
+		Peers:      make([]wgcfg.Peer, 0, len(nm.Peers)),
 	}
-	s, err := wgcfg.ToUAPI()
-	if err != nil {
-		log.Fatalf("ToUAPI() failed unexpectedly: %v\n", err)
-	}
-	return s
-}
 
-func (nm *NetworkMap) WGCfg(uflags int, dnsOverride []wgcfg.IP) (*wgcfg.Config, error) {
-	s := nm._WireGuardConfig(uflags, dnsOverride, true)
-	return wgcfg.FromWgQuick(s, "tailscale")
-}
-
-// TODO(apenwarr): This mode is dangerous.
-// Discarding the extra endpoints is almost universally the wrong choice.
-// Except that plain wireguard can't handle a peer with multiple endpoints.
-// (Yet?)
-func (nm *NetworkMap) WireGuardConfigOneEndpoint(uflags int, dnsOverride []wgcfg.IP) string {
-	return nm._WireGuardConfig(uflags, dnsOverride, false)
-}
-
-func (nm *NetworkMap) _WireGuardConfig(uflags int, dnsOverride []wgcfg.IP, allEndpoints bool) string {
-	buf := new(strings.Builder)
-	fmt.Fprintf(buf, "[Interface]\n")
-	fmt.Fprintf(buf, "PrivateKey = %s\n", base64.StdEncoding.EncodeToString(nm.PrivateKey[:]))
-	if len(nm.Addresses) > 0 {
-		fmt.Fprintf(buf, "Address = ")
-		for i, cidr := range nm.Addresses {
-			if i > 0 {
-				fmt.Fprintf(buf, ", ")
-			}
-			fmt.Fprintf(buf, "%s", cidr)
-		}
-		fmt.Fprintf(buf, "\n")
-	}
-	fmt.Fprintf(buf, "ListenPort = %d\n", nm.LocalPort)
-	if len(dnsOverride) > 0 {
-		dnss := []string{}
-		for _, ip := range dnsOverride {
-			dnss = append(dnss, ip.String())
-		}
-		fmt.Fprintf(buf, "DNS = %s\n", strings.Join(dnss, ","))
-	}
-	fmt.Fprintf(buf, "\n")
-
-	for i, peer := range nm.Peers {
-		if (uflags&UAllowSingleHosts) == 0 && len(peer.AllowedIPs) < 2 {
-			log.Printf("wgcfg: %v skipping a single-host peer.\n", peer.Key.AbbrevString())
+	for _, peer := range nm.Peers {
+		if Debug.OnlyDisco && peer.DiscoKey.IsZero() {
 			continue
 		}
-		if i > 0 {
-			fmt.Fprintf(buf, "\n")
+		if (flags&AllowSingleHosts) == 0 && len(peer.AllowedIPs) < 2 {
+			logf("wgcfg: %v skipping a single-host peer.", peer.Key.ShortString())
+			continue
 		}
-		fmt.Fprintf(buf, "[Peer]\n")
-		fmt.Fprintf(buf, "PublicKey = %s\n", base64.StdEncoding.EncodeToString(peer.Key[:]))
-		if len(peer.Endpoints) > 0 {
-			if len(peer.Endpoints) == 1 {
-				fmt.Fprintf(buf, "Endpoint = %s", peer.Endpoints[0])
-			} else if allEndpoints {
-				// TODO(apenwarr): This mode is incompatible.
-				// Normal wireguard clients don't know how to
-				// parse it (yet?)
-				fmt.Fprintf(buf, "Endpoint = %s",
-					strings.Join(peer.Endpoints, ","))
-			} else {
-				fmt.Fprintf(buf, "Endpoint = %s # other endpoints: %s",
-					peer.Endpoints[0],
-					strings.Join(peer.Endpoints[1:], ", "))
+		cfg.Peers = append(cfg.Peers, wgcfg.Peer{
+			PublicKey: wgcfg.Key(peer.Key),
+		})
+		cpeer := &cfg.Peers[len(cfg.Peers)-1]
+		if peer.KeepAlive {
+			cpeer.PersistentKeepalive = 25 // seconds
+		}
+
+		if !peer.DiscoKey.IsZero() {
+			if err := appendEndpoint(cpeer, fmt.Sprintf("%x%s", peer.DiscoKey[:], EndpointDiscoSuffix)); err != nil {
+				return nil, err
+			}
+			cpeer.Endpoints = []wgcfg.Endpoint{{Host: fmt.Sprintf("%x.disco.tailscale", peer.DiscoKey[:]), Port: 12345}}
+		} else {
+			if err := appendEndpoint(cpeer, peer.DERP); err != nil {
+				return nil, err
+			}
+			for _, ep := range peer.Endpoints {
+				if err := appendEndpoint(cpeer, ep); err != nil {
+					return nil, err
+				}
 			}
-			buf.WriteByte('\n')
 		}
-		var aips []string
 		for _, allowedIP := range peer.AllowedIPs {
-			aip := allowedIP.String()
 			if allowedIP.Mask == 0 {
-				if (uflags & UAllowDefaultRoute) == 0 {
-					log.Printf("wgcfg: %v skipping default route\n", peer.Key.AbbrevString())
+				if (flags & AllowDefaultRoute) == 0 {
+					logf("wgcfg: %v skipping default route", peer.Key.ShortString())
 					continue
 				}
-				if (uflags & UHackDefaultRoute) != 0 {
-					aip = "10.0.0.0/8"
-					log.Printf("wgcfg: %v converting default route => %v\n", peer.Key.AbbrevString(), aip)
+				if (flags & HackDefaultRoute) != 0 {
+					allowedIP = wgcfg.CIDR{IP: wgcfg.IPv4(10, 0, 0, 0), Mask: 8}
+					logf("wgcfg: %v converting default route => %v", peer.Key.ShortString(), allowedIP.String())
 				}
 			} else if allowedIP.Mask < 32 {
-				if (uflags & UAllowSubnetRoutes) == 0 {
-					log.Printf("wgcfg: %v skipping subnet route\n", peer.Key.AbbrevString())
+				if (flags & AllowSubnetRoutes) == 0 {
+					logf("wgcfg: %v skipping subnet route", peer.Key.ShortString())
 					continue
 				}
 			}
-			aips = append(aips, aip)
-		}
-		fmt.Fprintf(buf, "AllowedIPs = %s\n", strings.Join(aips, ", "))
-		if keepalive {
-			fmt.Fprintf(buf, "PersistentKeepalive = 25\n")
+			cpeer.AllowedIPs = append(cpeer.AllowedIPs, allowedIP)
 		}
 	}
 
-	return buf.String()
+	return cfg, nil
+}
+
+func appendEndpoint(peer *wgcfg.Peer, epStr string) error {
+	if epStr == "" {
+		return nil
+	}
+	host, port, err := net.SplitHostPort(epStr)
+	if err != nil {
+		return fmt.Errorf("malformed endpoint %q for peer %v", epStr, peer.PublicKey.ShortString())
+	}
+	port16, err := strconv.ParseUint(port, 10, 16)
+	if err != nil {
+		return fmt.Errorf("invalid port in endpoint %q for peer %v", epStr, peer.PublicKey.ShortString())
+	}
+	peer.Endpoints = append(peer.Endpoints, wgcfg.Endpoint{Host: host, Port: uint16(port16)})
+	return nil
+}
+
+// eqStringsIgnoreNil reports whether a and b have the same length and
+// contents, but ignore whether a or b are nil.
+func eqStringsIgnoreNil(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i, v := range a {
+		if v != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
+// eqCIDRsIgnoreNil reports whether a and b have the same length and
+// contents, but ignore whether a or b are nil.
+func eqCIDRsIgnoreNil(a, b []wgcfg.CIDR) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i, v := range a {
+		if v != b[i] {
+			return false
+		}
+	}
+	return true
 }

control/controlclient/netmap_test.go

@@ -0,0 +1,284 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlclient
+
+import (
+	"encoding/hex"
+	"testing"
+
+	"github.com/tailscale/wireguard-go/wgcfg"
+	"tailscale.com/tailcfg"
+)
+
+func testNodeKey(b byte) (ret tailcfg.NodeKey) {
+	for i := range ret {
+		ret[i] = b
+	}
+	return
+}
+
+func testDiscoKey(hexPrefix string) (ret tailcfg.DiscoKey) {
+	b, err := hex.DecodeString(hexPrefix)
+	if err != nil {
+		panic(err)
+	}
+	copy(ret[:], b)
+	return
+}
+
+func TestNetworkMapConcise(t *testing.T) {
+	for _, tt := range []struct {
+		name string
+		nm   *NetworkMap
+		want string
+	}{
+		{
+			name: "basic",
+			nm: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+					{
+						Key:       testNodeKey(3),
+						DERP:      "127.3.3.40:4",
+						Endpoints: []string{"10.2.0.100:12", "10.1.0.100:12345"},
+					},
+				},
+			},
+			want: "netmap: self: [AQEBA] auth=machine-unknown []\n [AgICA] D2                 :    192.168.0.100:12     192.168.0.100:12354\n [AwMDA] D4                 :       10.2.0.100:12        10.1.0.100:12345\n",
+		},
+		{
+			name: "debug_non_nil",
+			nm: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Debug:   &tailcfg.Debug{},
+			},
+			want: "netmap: self: [AQEBA] auth=machine-unknown debug={} []\n",
+		},
+		{
+			name: "debug_values",
+			nm: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Debug:   &tailcfg.Debug{LogHeapPprof: true},
+			},
+			want: "netmap: self: [AQEBA] auth=machine-unknown debug={\"LogHeapPprof\":true} []\n",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			var got string
+			n := int(testing.AllocsPerRun(1000, func() {
+				got = tt.nm.Concise()
+			}))
+			t.Logf("Allocs = %d", n)
+			if got != tt.want {
+				t.Errorf("Wrong output\n Got: %q\nWant: %q\n## Got (unescaped):\n%s\n## Want (unescaped):\n%s\n", got, tt.want, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestConciseDiffFrom(t *testing.T) {
+	for _, tt := range []struct {
+		name string
+		a, b *NetworkMap
+		want string
+	}{
+		{
+			name: "no_change",
+			a: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+				},
+			},
+			b: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+				},
+			},
+			want: "",
+		},
+		{
+			name: "header_change",
+			a: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+				},
+			},
+			b: &NetworkMap{
+				NodeKey: testNodeKey(2),
+				Peers: []*tailcfg.Node{
+					{
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+				},
+			},
+			want: "-netmap: self: [AQEBA] auth=machine-unknown []\n+netmap: self: [AgICA] auth=machine-unknown []\n",
+		},
+		{
+			name: "peer_add",
+			a: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:        2,
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+				},
+			},
+			b: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:        1,
+						Key:       testNodeKey(1),
+						DERP:      "127.3.3.40:1",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+					{
+						ID:        2,
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+					{
+						ID:        3,
+						Key:       testNodeKey(3),
+						DERP:      "127.3.3.40:3",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+				},
+			},
+			want: "+ [AQEBA] D1                 :    192.168.0.100:12     192.168.0.100:12354\n+ [AwMDA] D3                 :    192.168.0.100:12     192.168.0.100:12354\n",
+		},
+		{
+			name: "peer_remove",
+			a: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:        1,
+						Key:       testNodeKey(1),
+						DERP:      "127.3.3.40:1",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+					{
+						ID:        2,
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+					{
+						ID:        3,
+						Key:       testNodeKey(3),
+						DERP:      "127.3.3.40:3",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+				},
+			},
+			b: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:        2,
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "192.168.0.100:12354"},
+					},
+				},
+			},
+			want: "- [AQEBA] D1                 :    192.168.0.100:12     192.168.0.100:12354\n- [AwMDA] D3                 :    192.168.0.100:12     192.168.0.100:12354\n",
+		},
+		{
+			name: "peer_port_change",
+			a: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:        2,
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "1.1.1.1:1"},
+					},
+				},
+			},
+			b: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:        2,
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "1.1.1.1:2"},
+					},
+				},
+			},
+			want: "- [AgICA] D2                 :    192.168.0.100:12             1.1.1.1:1  \n+ [AgICA] D2                 :    192.168.0.100:12             1.1.1.1:2  \n",
+		},
+		{
+			name: "disco_key_only_change",
+			a: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:         2,
+						Key:        testNodeKey(2),
+						DERP:       "127.3.3.40:2",
+						Endpoints:  []string{"192.168.0.100:41641", "1.1.1.1:41641"},
+						DiscoKey:   testDiscoKey("f00f00f00f"),
+						AllowedIPs: []wgcfg.CIDR{{IP: wgcfg.IPv4(100, 102, 103, 104), Mask: 32}},
+					},
+				},
+			},
+			b: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:         2,
+						Key:        testNodeKey(2),
+						DERP:       "127.3.3.40:2",
+						Endpoints:  []string{"192.168.0.100:41641", "1.1.1.1:41641"},
+						DiscoKey:   testDiscoKey("ba4ba4ba4b"),
+						AllowedIPs: []wgcfg.CIDR{{IP: wgcfg.IPv4(100, 102, 103, 104), Mask: 32}},
+					},
+				},
+			},
+			want: "- [AgICA] d:f00f00f00f000000 D2 100.102.103.104 :   192.168.0.100:41641         1.1.1.1:41641\n+ [AgICA] d:ba4ba4ba4b000000 D2 100.102.103.104 :   192.168.0.100:41641         1.1.1.1:41641\n",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			var got string
+			n := int(testing.AllocsPerRun(50, func() {
+				got = tt.b.ConciseDiffFrom(tt.a)
+			}))
+			t.Logf("Allocs = %d", n)
+			if got != tt.want {
+				t.Errorf("Wrong output\n Got: %q\nWant: %q\n## Got (unescaped):\n%s\n## Want (unescaped):\n%s\n", got, tt.want, got, tt.want)
+			}
+		})
+	}
+}

control/controlclient/persist_test.go

@@ -0,0 +1,98 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlclient
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/tailscale/wireguard-go/wgcfg"
+)
+
+func TestPersistEqual(t *testing.T) {
+	persistHandles := []string{"PrivateMachineKey", "PrivateNodeKey", "OldPrivateNodeKey", "Provider", "LoginName"}
+	if have := fieldsOf(reflect.TypeOf(Persist{})); !reflect.DeepEqual(have, persistHandles) {
+		t.Errorf("Persist.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
+			have, persistHandles)
+	}
+
+	newPrivate := func() wgcfg.PrivateKey {
+		k, err := wgcfg.NewPrivateKey()
+		if err != nil {
+			panic(err)
+		}
+		return k
+	}
+	k1 := newPrivate()
+	tests := []struct {
+		a, b *Persist
+		want bool
+	}{
+		{nil, nil, true},
+		{nil, &Persist{}, false},
+		{&Persist{}, nil, false},
+		{&Persist{}, &Persist{}, true},
+
+		{
+			&Persist{PrivateMachineKey: k1},
+			&Persist{PrivateMachineKey: newPrivate()},
+			false,
+		},
+		{
+			&Persist{PrivateMachineKey: k1},
+			&Persist{PrivateMachineKey: k1},
+			true,
+		},
+
+		{
+			&Persist{PrivateNodeKey: k1},
+			&Persist{PrivateNodeKey: newPrivate()},
+			false,
+		},
+		{
+			&Persist{PrivateNodeKey: k1},
+			&Persist{PrivateNodeKey: k1},
+			true,
+		},
+
+		{
+			&Persist{OldPrivateNodeKey: k1},
+			&Persist{OldPrivateNodeKey: newPrivate()},
+			false,
+		},
+		{
+			&Persist{OldPrivateNodeKey: k1},
+			&Persist{OldPrivateNodeKey: k1},
+			true,
+		},
+
+		{
+			&Persist{Provider: "google"},
+			&Persist{Provider: "o365"},
+			false,
+		},
+		{
+			&Persist{Provider: "google"},
+			&Persist{Provider: "google"},
+			true,
+		},
+
+		{
+			&Persist{LoginName: "foo@tailscale.com"},
+			&Persist{LoginName: "bar@tailscale.com"},
+			false,
+		},
+		{
+			&Persist{LoginName: "foo@tailscale.com"},
+			&Persist{LoginName: "foo@tailscale.com"},
+			true,
+		},
+	}
+	for i, test := range tests {
+		if got := test.a.Equals(test.b); got != test.want {
+			t.Errorf("%d. Equals = %v; want %v", i, got, test.want)
+		}
+	}
+}

control/policy/policy.go

@@ -1,228 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package policy
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"net"
-	"strconv"
-	"strings"
-
-	"github.com/tailscale/hujson"
-	"tailscale.com/wgengine/filter"
-)
-
-type IP = filter.IP
-
-const IPAny = filter.IPAny
-
-type row struct {
-	Action string
-	Users  []string
-	Ports  []string
-}
-
-type Policy struct {
-	ACLs   []row
-	Groups map[string][]string
-	Hosts  map[string]IP
-}
-
-func lineAndColumn(b []byte, ofs int64) (line, col int) {
-	line = 1
-	for _, c := range b[:ofs] {
-		if c == '\n' {
-			col = 1
-			line++
-		} else {
-			col++
-		}
-	}
-	return line, col
-}
-
-func betterUnmarshal(b []byte, obj interface{}) error {
-	bio := bytes.NewReader(b)
-	d := hujson.NewDecoder(bio)
-	d.DisallowUnknownFields()
-	err := d.Decode(obj)
-	if err != nil {
-		switch ee := err.(type) {
-		case *hujson.SyntaxError:
-			row, col := lineAndColumn(b, ee.Offset)
-			return fmt.Errorf("line %d col %d: %v", row, col, ee)
-		default:
-			return fmt.Errorf("parser: %v", err)
-		}
-	}
-	return nil
-}
-
-func Parse(acljson string) (*Policy, error) {
-	p := &Policy{}
-	err := betterUnmarshal([]byte(acljson), p)
-	if err != nil {
-		return nil, err
-	}
-
-	// Check syntax with an empty usermap to start with.
-	// The caller might not have a valid usermap at startup, but we still
-	// want to check that the acljson doesn't have any syntax errors
-	// as early as possible. When the usermap updates later, it won't
-	// add any new syntax errors.
-	//
-	// TODO(apenwarr): change unmarshal code to detect syntax errors above.
-	//  Right now some of the sub-objects aren't parsed until .Expand().
-	emptyUserMap := make(map[string][]IP)
-	_, err = p.Expand(emptyUserMap)
-	if err != nil {
-		return nil, err
-	}
-
-	return p, nil
-}
-
-func parseHostPortRange(hostport string) (host string, ports []filter.PortRange, err error) {
-	hl := strings.Split(hostport, ":")
-	if len(hl) != 2 {
-		return "", nil, errors.New("hostport must have exactly one colon(:)")
-	}
-	host = hl[0]
-	portlist := hl[1]
-
-	if portlist == "*" {
-		// Special case: permit hostname:* as a port wildcard.
-		ports = append(ports, filter.PortRangeAny)
-		return host, ports, nil
-	}
-
-	pl := strings.Split(portlist, ",")
-	for _, pp := range pl {
-		if len(pp) == 0 {
-			return "", nil, fmt.Errorf("invalid port list: %#v", portlist)
-		}
-
-		pr := strings.Split(pp, "-")
-		if len(pr) > 2 {
-			return "", nil, fmt.Errorf("port range %#v: too many dashes(-)", pp)
-		}
-
-		var first, last uint64
-		first, err := strconv.ParseUint(pr[0], 10, 16)
-		if err != nil {
-			return "", nil, fmt.Errorf("port range %#v: invalid first integer", pp)
-		}
-
-		if len(pr) >= 2 {
-			last, err = strconv.ParseUint(pr[1], 10, 16)
-			if err != nil {
-				return "", nil, fmt.Errorf("port range %#v: invalid last integer", pp)
-			}
-		} else {
-			last = first
-		}
-
-		if first == 0 {
-			return "", nil, fmt.Errorf("port range %#v: first port must be >0, or use '*' for wildcard", pp)
-		}
-
-		if first > last {
-			return "", nil, fmt.Errorf("port range %#v: first port must be >= last port", pp)
-		}
-
-		ports = append(ports, filter.PortRange{uint16(first), uint16(last)})
-	}
-
-	return host, ports, nil
-}
-
-func (p *Policy) Expand(usermap map[string][]IP) (filter.Matches, error) {
-	lcusermap := make(map[string][]IP)
-	for k, v := range usermap {
-		k = strings.ToLower(k)
-		lcusermap[k] = v
-	}
-
-	for k, userlist := range p.Groups {
-		k = strings.ToLower(k)
-		if !strings.HasPrefix(k, "group:") {
-			return nil, fmt.Errorf("group[%#v]: group names must start with 'group:'", k)
-		}
-		for _, u := range userlist {
-			uips := lcusermap[u]
-			lcusermap[k] = append(lcusermap[k], uips...)
-		}
-	}
-
-	hosts := p.Hosts
-
-	var out filter.Matches
-	for _, acl := range p.ACLs {
-		if acl.Action != "accept" {
-			return nil, fmt.Errorf("action=%#v is not supported", acl.Action)
-		}
-
-		var srcs []IP
-		for _, user := range acl.Users {
-			user = strings.ToLower(user)
-			if user == "*" {
-				srcs = append(srcs, IPAny)
-				continue
-			} else if strings.Contains(user, "@") ||
-				strings.HasPrefix(user, "role:") ||
-				strings.HasPrefix(user, "group:") {
-				// fine if the requested user doesn't exist.
-				// we don't want to crash ACL parsing just
-				// because a previously authed user gets
-				// deleted. We'll silently ignore it and
-				// no firewall rules are needed.
-				// TODO(apenwarr): maybe print a warning?
-				for _, ip := range lcusermap[user] {
-					if ip != IPAny {
-						srcs = append(srcs, ip)
-					}
-				}
-			} else {
-				return nil, fmt.Errorf("wgengine/filter: invalid username: %q: needs '@domain' or 'group:' or 'role:'", user)
-			}
-		}
-
-		var dsts []filter.IPPortRange
-		for _, hostport := range acl.Ports {
-			host, ports, err := parseHostPortRange(hostport)
-			if err != nil {
-				return nil, fmt.Errorf("ports=%#v: %v", hostport, err)
-			}
-			ip := net.ParseIP(host)
-			ipv, ok := hosts[host]
-			if ok {
-				// matches an alias; ipv is now valid
-			} else if ip != nil && ip.IsUnspecified() {
-				// For clarity, reject 0.0.0.0 as an input
-				return nil, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not 0.0.0.0:port", hostport)
-			} else if ip == nil && host == "*" {
-				// User explicitly requested wildcard dst ip
-				ipv = IPAny
-			} else {
-				if ip != nil {
-					ip = ip.To4()
-				}
-				if ip == nil || len(ip) != 4 {
-					return nil, fmt.Errorf("ports=%#v: %#v: invalid IPv4 address", hostport, host)
-				}
-				ipv = filter.NewIP(ip)
-			}
-
-			for _, pr := range ports {
-				dsts = append(dsts, filter.IPPortRange{ipv, pr})
-			}
-		}
-
-		out = append(out, filter.Match{DstPorts: dsts, SrcIPs: srcs})
-	}
-	return out, nil
-}

control/policy/policy_test.go

@@ -1,156 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package policy
-
-import (
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"tailscale.com/wgengine/filter"
-)
-
-type PortRange = filter.PortRange
-type IPPortRange = filter.IPPortRange
-
-var syntax_errors = []string{
-	`{ "ACLs": []! }`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "xPorts": ["100.122.98.50:22"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "drop", "Users": [], "Ports": ["100.122.98.50:22"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Users": [], "Ports": ["100.122.98.50:22"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4:0"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["0.0.0.0:12"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["*:0"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4:5:6"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4.5:12"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4::12"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4:0-0"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4:1-10,2-"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4:1-10,*"]}
-	]}`,
-
-	`{ "ACLs": [
-	  {"Action": "accept", "Users": [], "Ports": ["1.2.3.4,5.6.7.8:1-10"]}
-	]}`,
-
-	`{ "Hosts": {"mailserver": "not-an-ip"} }`,
-
-	`{ "Hosts": {"mailserver": "1.2.3.4:55"} }`,
-
-	`{ "xGroups": {
-	  "bob": ["user1", "user2"]
-	 }}`,
-}
-
-func TestSyntaxErrors(t *testing.T) {
-	for _, s := range syntax_errors {
-		_, err := Parse(s)
-		if err == nil {
-			t.Fatalf("Parse passed when it shouldn't. json:\n---\n%v\n---", s)
-		}
-	}
-}
-
-func ippr(ip IP, start, end uint16) []IPPortRange {
-	return []IPPortRange{
-		IPPortRange{ip, PortRange{start, end}},
-	}
-}
-
-func TestPolicy(t *testing.T) {
-	// Check ACL table parsing
-
-	usermap := map[string][]IP{
-		"A@b.com":    []IP{0x08010101, 0x08020202},
-		"role:admin": []IP{0x02020202},
-		"user1@org":  []IP{0x99010101, 0x99010102},
-		// user2 is intentionally missing
-		"user3@org": []IP{0x99030303},
-		"user4@org": []IP{},
-	}
-	want := filter.Matches{
-		{SrcIPs: []IP{0x08010101, 0x08020202}, DstPorts: []IPPortRange{
-			IPPortRange{0x01020304, PortRange{22, 22}},
-			IPPortRange{0x05060708, PortRange{23, 24}},
-			IPPortRange{0x05060708, PortRange{27, 28}},
-		}},
-		{SrcIPs: []IP{0x02020202}, DstPorts: ippr(0x08010101, 22, 22)},
-		{SrcIPs: []IP{0}, DstPorts: []IPPortRange{
-			IPPortRange{0x647a6232, PortRange{0, 65535}},
-			IPPortRange{0, PortRange{443, 443}},
-		}},
-		{SrcIPs: []IP{0x99010101, 0x99010102, 0x99030303}, DstPorts: ippr(0x01020304, 999, 999)},
-	}
-
-	p, err := Parse(`
-{
-    // Test comment
-    "Hosts": {
-    	"h1": "1.2.3.4", /* test comment */
-    	"h2": "5.6.7.8"
-    },
-    "Groups": {
-    	"group:eng": ["user1@org", "user2@org", "user3@org", "user4@org"]
-    },
-    "ACLs": [
-	{"Action": "accept", "Users": ["a@b.com"], "Ports": ["h1:22", "h2:23-24,27-28"]},
-	{"Action": "accept", "Users": ["role:Admin"], "Ports": ["8.1.1.1:22"]},
-	{"Action": "accept", "Users": ["*"], "Ports": ["100.122.98.50:*", "*:443"]},
-	{"Action": "accept", "Users": ["group:eng"], "Ports": ["h1:999"]},
-    ]}
-`)
-	if err != nil {
-		t.Fatalf("Parse failed: %v", err)
-	}
-	matches, err := p.Expand(usermap)
-	if err != nil {
-		t.Fatalf("Expand failed: %v", err)
-	}
-	if diff := cmp.Diff(want, matches); diff != "" {
-		t.Fatalf("Expand mismatch (-want +got):\n%s", diff)
-	}
-}

derp/derp.go

@@ -0,0 +1,209 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package derp implements DERP, the Detour Encrypted Routing Protocol.
+//
+// DERP routes packets to clients using curve25519 keys as addresses.
+//
+// DERP is used by Tailscale nodes to proxy encrypted WireGuard
+// packets through the Tailscale cloud servers when a direct path
+// cannot be found or opened. DERP is a last resort. Both sides
+// between very aggressive NATs, firewalls, no IPv6, etc? Well, DERP.
+package derp
+
+import (
+	"bufio"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"time"
+)
+
+// MaxPacketSize is the maximum size of a packet sent over DERP.
+// (This only includes the data bytes visible to magicsock, not
+// including its on-wire framing overhead)
+const MaxPacketSize = 64 << 10
+
+// magic is the DERP magic number, sent in the frameServerKey frame
+// upon initial connection.
+const magic = "DERP🔑" // 8 bytes: 0x44 45 52 50 f0 9f 94 91
+
+const (
+	nonceLen       = 24
+	frameHeaderLen = 1 + 4 // frameType byte + 4 byte length
+	keyLen         = 32
+	maxInfoLen     = 1 << 20
+	keepAlive      = 60 * time.Second
+)
+
+// protocolVersion is bumped whenever there's a wire-incompatible change.
+//   * version 1 (zero on wire): consistent box headers, in use by employee dev nodes a bit
+//   * version 2: received packets have src addrs in frameRecvPacket at beginning
+const protocolVersion = 2
+
+const (
+	protocolSrcAddrs = 2 // protocol version at which client expects src addresses
+)
+
+// frameType is the one byte frame type at the beginning of the frame
+// header.  The second field is a big-endian uint32 describing the
+// length of the remaining frame (not including the initial 5 bytes).
+type frameType byte
+
+/*
+Protocol flow:
+
+Login:
+* client connects
+* server sends frameServerKey
+* client sends frameClientInfo
+* server sends frameServerInfo
+
+Steady state:
+* server occasionally sends frameKeepAlive
+* client sends frameSendPacket
+* server then sends frameRecvPacket to recipient
+*/
+const (
+	frameServerKey     = frameType(0x01) // 8B magic + 32B public key + (0+ bytes future use)
+	frameClientInfo    = frameType(0x02) // 32B pub key + 24B nonce + naclbox(json)
+	frameServerInfo    = frameType(0x03) // 24B nonce + naclbox(json)
+	frameSendPacket    = frameType(0x04) // 32B dest pub key + packet bytes
+	frameForwardPacket = frameType(0x0a) // 32B src pub key + 32B dst pub key + packet bytes
+	frameRecvPacket    = frameType(0x05) // v0/1: packet bytes, v2: 32B src pub key + packet bytes
+	frameKeepAlive     = frameType(0x06) // no payload, no-op (to be replaced with ping/pong)
+	frameNotePreferred = frameType(0x07) // 1 byte payload: 0x01 or 0x00 for whether this is client's home node
+
+	// framePeerGone is sent from server to client to signal that
+	// a previous sender is no longer connected. That is, if A
+	// sent to B, and then if A disconnects, the server sends
+	// framePeerGone to B so B can forget that a reverse path
+	// exists on that connection to get back to A.
+	framePeerGone = frameType(0x08) // 32B pub key of peer that's gone
+
+	// framePeerPresent is like framePeerGone, but for other
+	// members of the DERP region when they're meshed up together.
+	framePeerPresent = frameType(0x09) // 32B pub key of peer that's connected
+
+	// frameWatchConns is how one DERP node in a regional mesh
+	// subscribes to the others in the region.
+	// There's no payload. If the sender doesn't have permission, the connection
+	// is closed. Otherwise, the client is initially flooded with
+	// framePeerPresent for all connected nodes, and then a stream of
+	// framePeerPresent & framePeerGone has peers connect and disconnect.
+	frameWatchConns = frameType(0x10)
+
+	// frameClosePeer is a privileged frame type (requires the
+	// mesh key for now) that closes the provided peer's
+	// connection. (To be used for cluster load balancing
+	// purposes, when clients end up on a non-ideal node)
+	frameClosePeer = frameType(0x11) // 32B pub key of peer to close.
+)
+
+var bin = binary.BigEndian
+
+func writeUint32(bw *bufio.Writer, v uint32) error {
+	var b [4]byte
+	bin.PutUint32(b[:], v)
+	_, err := bw.Write(b[:])
+	return err
+}
+
+func readUint32(br *bufio.Reader) (uint32, error) {
+	b := make([]byte, 4)
+	if _, err := io.ReadFull(br, b); err != nil {
+		return 0, err
+	}
+	return bin.Uint32(b), nil
+}
+
+func readFrameTypeHeader(br *bufio.Reader, wantType frameType) (frameLen uint32, err error) {
+	gotType, frameLen, err := readFrameHeader(br)
+	if err == nil && wantType != gotType {
+		err = fmt.Errorf("bad frame type 0x%X, want 0x%X", gotType, wantType)
+	}
+	return frameLen, err
+}
+
+func readFrameHeader(br *bufio.Reader) (t frameType, frameLen uint32, err error) {
+	tb, err := br.ReadByte()
+	if err != nil {
+		return 0, 0, err
+	}
+	frameLen, err = readUint32(br)
+	if err != nil {
+		return 0, 0, err
+	}
+	return frameType(tb), frameLen, nil
+}
+
+// readFrame reads a frame header and then reads its payload into
+// b[:frameLen].
+//
+// If the frame header length is greater than maxSize, readFrame returns
+// an error after reading the frame header.
+//
+// If the frame is less than maxSize but greater than len(b), len(b)
+// bytes are read, err will be io.ErrShortBuffer, and frameLen and t
+// will both be set. That is, callers need to explicitly handle when
+// they get more data than expected.
+func readFrame(br *bufio.Reader, maxSize uint32, b []byte) (t frameType, frameLen uint32, err error) {
+	t, frameLen, err = readFrameHeader(br)
+	if err != nil {
+		return 0, 0, err
+	}
+	if frameLen > maxSize {
+		return 0, 0, fmt.Errorf("frame header size %d exceeds reader limit of %d", frameLen, maxSize)
+	}
+
+	n, err := io.ReadFull(br, b[:minUint32(frameLen, uint32(len(b)))])
+	if err != nil {
+		return 0, 0, err
+	}
+	remain := frameLen - uint32(n)
+	if remain > 0 {
+		if _, err := io.CopyN(ioutil.Discard, br, int64(remain)); err != nil {
+			return 0, 0, err
+		}
+		err = io.ErrShortBuffer
+	}
+	return t, frameLen, err
+}
+
+func writeFrameHeader(bw *bufio.Writer, t frameType, frameLen uint32) error {
+	if err := bw.WriteByte(byte(t)); err != nil {
+		return err
+	}
+	return writeUint32(bw, frameLen)
+}
+
+// writeFrame writes a complete frame & flushes it.
+func writeFrame(bw *bufio.Writer, t frameType, b []byte) error {
+	if len(b) > 10<<20 {
+		return errors.New("unreasonably large frame write")
+	}
+	if err := writeFrameHeader(bw, t, uint32(len(b))); err != nil {
+		return err
+	}
+	if _, err := bw.Write(b); err != nil {
+		return err
+	}
+	return bw.Flush()
+}
+
+func minInt(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}
+
+func minUint32(a, b uint32) uint32 {
+	if a < b {
+		return a
+	}
+	return b
+}

derp/derp_client.go

@@ -6,84 +6,133 @@ package derp
 
 import (
 	"bufio"
-	"crypto/rand"
+	crand "crypto/rand"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
-	"net"
+	"sync"
 	"time"
 
-	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/nacl/box"
-	"tailscale.com/logger"
+	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
 )
 
+// Client is a DERP client.
 type Client struct {
-	serverKey  [32]byte
-	privateKey [32]byte // TODO(crawshaw): make this wgcfg.PrivateKey?
-	publicKey  [32]byte
-	logf       logger.Logf
-	netConn    net.Conn
-	conn       *bufio.ReadWriter
+	serverKey    key.Public // of the DERP server; not a machine or node key
+	privateKey   key.Private
+	publicKey    key.Public // of privateKey
+	protoVersion int        // min of server+client
+	logf         logger.Logf
+	nc           Conn
+	br           *bufio.Reader
+	meshKey      string
+
+	wmu sync.Mutex // hold while writing to bw
+	bw  *bufio.Writer
+
+	// Owned by Recv:
+	peeked  int   // bytes to discard on next Recv
+	readErr error // sticky read error
 }
 
-func NewClient(privateKey [32]byte, netConn net.Conn, conn *bufio.ReadWriter, logf logger.Logf) (*Client, error) {
+// ClientOpt is an option passed to NewClient.
+type ClientOpt interface {
+	update(*clientOpt)
+}
+
+type clientOptFunc func(*clientOpt)
+
+func (f clientOptFunc) update(o *clientOpt) { f(o) }
+
+// clientOpt are the options passed to newClient.
+type clientOpt struct {
+	MeshKey string
+}
+
+// MeshKey returns a ClientOpt to pass to the DERP server during connect to get
+// access to join the mesh.
+//
+// An empty key means to not use a mesh key.
+func MeshKey(key string) ClientOpt { return clientOptFunc(func(o *clientOpt) { o.MeshKey = key }) }
+
+func NewClient(privateKey key.Private, nc Conn, brw *bufio.ReadWriter, logf logger.Logf, opts ...ClientOpt) (*Client, error) {
+	var opt clientOpt
+	for _, o := range opts {
+		if o == nil {
+			return nil, errors.New("nil ClientOpt")
+		}
+		o.update(&opt)
+	}
+	return newClient(privateKey, nc, brw, logf, opt)
+}
+
+func newClient(privateKey key.Private, nc Conn, brw *bufio.ReadWriter, logf logger.Logf, opt clientOpt) (*Client, error) {
 	c := &Client{
 		privateKey: privateKey,
+		publicKey:  privateKey.Public(),
 		logf:       logf,
-		netConn:    netConn,
-		conn:       conn,
+		nc:         nc,
+		br:         brw.Reader,
+		bw:         brw.Writer,
+		meshKey:    opt.MeshKey,
 	}
-	curve25519.ScalarBaseMult(&c.publicKey, &c.privateKey)
-
 	if err := c.recvServerKey(); err != nil {
 		return nil, fmt.Errorf("derp.Client: failed to receive server key: %v", err)
 	}
 	if err := c.sendClientKey(); err != nil {
 		return nil, fmt.Errorf("derp.Client: failed to send client key: %v", err)
 	}
-	_, err := c.recvServerInfo()
+	info, err := c.recvServerInfo()
 	if err != nil {
 		return nil, fmt.Errorf("derp.Client: failed to receive server info: %v", err)
 	}
-
+	c.protoVersion = minInt(protocolVersion, info.Version)
 	return c, nil
 }
 
 func (c *Client) recvServerKey() error {
-	gotMagic, err := readUint32(c.conn, 0xffffffff)
+	var buf [40]byte
+	t, flen, err := readFrame(c.br, 1<<10, buf[:])
+	if err == io.ErrShortBuffer {
+		// For future-proofing, allow server to send more in its greeting.
+		err = nil
+	}
 	if err != nil {
 		return err
 	}
-	if gotMagic != magic {
-		return fmt.Errorf("bad magic %x, want %x", gotMagic, magic)
-	}
-	if err := readType(c.conn.Reader, typeServerKey); err != nil {
-		return err
-	}
-	if _, err := io.ReadFull(c.conn, c.serverKey[:]); err != nil {
-		return err
+	if flen < uint32(len(buf)) || t != frameServerKey || string(buf[:len(magic)]) != magic {
+		return errors.New("invalid server greeting")
 	}
+	copy(c.serverKey[:], buf[len(magic):])
 	return nil
 }
 
 func (c *Client) recvServerInfo() (*serverInfo, error) {
-	if err := readType(c.conn.Reader, typeServerInfo); err != nil {
+	fl, err := readFrameTypeHeader(c.br, frameServerInfo)
+	if err != nil {
 		return nil, err
 	}
-	var nonce [24]byte
-	if _, err := io.ReadFull(c.conn, nonce[:]); err != nil {
+	const maxLength = nonceLen + maxInfoLen
+	if fl < nonceLen {
+		return nil, fmt.Errorf("short serverInfo frame")
+	}
+	if fl > maxLength {
+		return nil, fmt.Errorf("long serverInfo frame")
+	}
+	// TODO: add a read-nonce-and-box helper
+	var nonce [nonceLen]byte
+	if _, err := io.ReadFull(c.br, nonce[:]); err != nil {
 		return nil, fmt.Errorf("nonce: %v", err)
 	}
-	msgLen, err := readUint32(c.conn, oneMB)
-	if err != nil {
-		return nil, fmt.Errorf("msglen: %v", err)
-	}
+	msgLen := fl - nonceLen
 	msgbox := make([]byte, msgLen)
-	if _, err := io.ReadFull(c.conn, msgbox); err != nil {
+	if _, err := io.ReadFull(c.br, msgbox); err != nil {
 		return nil, fmt.Errorf("msgbox: %v", err)
 	}
-	msg, ok := box.Open(nil, msgbox, &nonce, &c.serverKey, &c.privateKey)
+	msg, ok := box.Open(nil, msgbox, &nonce, c.serverKey.B32(), c.privateKey.B32())
 	if !ok {
 		return nil, fmt.Errorf("msgbox: cannot open len=%d with server key %x", msgLen, c.serverKey[:])
 	}
@@ -94,90 +143,280 @@ func (c *Client) recvServerInfo() (*serverInfo, error) {
 	return info, nil
 }
 
+type clientInfo struct {
+	Version int // `json:"version,omitempty"`
+
+	// MeshKey optionally specifies a pre-shared key used by
+	// trusted clients.  It's required to subscribe to the
+	// connection list & forward packets. It's empty for regular
+	// users.
+	MeshKey string // `json:"meshKey,omitempty"`
+}
+
 func (c *Client) sendClientKey() error {
-	var nonce [24]byte
-	if _, err := rand.Read(nonce[:]); err != nil {
+	var nonce [nonceLen]byte
+	if _, err := crand.Read(nonce[:]); err != nil {
 		return err
 	}
-	msg := []byte("{}") // no clientInfo for now
-	msgbox := box.Seal(nil, msg, &nonce, &c.serverKey, &c.privateKey)
-
-	if _, err := c.conn.Write(c.publicKey[:]); err != nil {
-		return err
-	}
-	if _, err := c.conn.Write(nonce[:]); err != nil {
-		return err
-	}
-	if err := putUint32(c.conn.Writer, uint32(len(msgbox))); err != nil {
-		return err
-	}
-	if _, err := c.conn.Write(msgbox); err != nil {
-		return err
-	}
-	return c.conn.Flush()
-}
-
-func (c *Client) Send(dstKey [32]byte, msg []byte) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("derp.Send: %v", err)
-		}
-	}()
-
-	if err := c.conn.WriteByte(typeSendPacket); err != nil {
-		return err
-	}
-	if _, err := c.conn.Write(dstKey[:]); err != nil {
-		return err
-	}
-	msgLen := uint32(len(msg))
-	if int(msgLen) != len(msg) {
-		return fmt.Errorf("packet too big: %d", len(msg))
-	}
-	if err := putUint32(c.conn.Writer, msgLen); err != nil {
-		return err
-	}
-	if _, err := c.conn.Write(msg); err != nil {
-		return err
-	}
-	return c.conn.Flush()
-}
-
-func (c *Client) Recv(b []byte) (n int, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("derp.Recv: %v", err)
-		}
-	}()
-
-loop:
-	for {
-		c.netConn.SetReadDeadline(time.Now().Add(120 * time.Second))
-		packetType, err := c.conn.ReadByte()
-		if err != nil {
-			return 0, err
-		}
-		switch packetType {
-		case typeKeepAlive:
-			continue
-		case typeRecvPacket:
-			break loop
-		default:
-			return 0, fmt.Errorf("derp.Recv: unknown packet type %d", packetType)
-		}
-	}
-
-	packetLen, err := readUint32(c.conn.Reader, oneMB)
+	msg, err := json.Marshal(clientInfo{
+		Version: protocolVersion,
+		MeshKey: c.meshKey,
+	})
 	if err != nil {
-		return 0, err
+		return err
+	}
+	msgbox := box.Seal(nil, msg, &nonce, c.serverKey.B32(), c.privateKey.B32())
+
+	buf := make([]byte, 0, nonceLen+keyLen+len(msgbox))
+	buf = append(buf, c.publicKey[:]...)
+	buf = append(buf, nonce[:]...)
+	buf = append(buf, msgbox...)
+	return writeFrame(c.bw, frameClientInfo, buf)
+}
+
+// ServerPublicKey returns the server's public key.
+func (c *Client) ServerPublicKey() key.Public { return c.serverKey }
+
+// Send sends a packet to the Tailscale node identified by dstKey.
+//
+// It is an error if the packet is larger than 64KB.
+func (c *Client) Send(dstKey key.Public, pkt []byte) error { return c.send(dstKey, pkt) }
+
+func (c *Client) send(dstKey key.Public, pkt []byte) (ret error) {
+	defer func() {
+		if ret != nil {
+			ret = fmt.Errorf("derp.Send: %w", ret)
+		}
+	}()
+
+	if len(pkt) > MaxPacketSize {
+		return fmt.Errorf("packet too big: %d", len(pkt))
+	}
+
+	c.wmu.Lock()
+	defer c.wmu.Unlock()
+
+	if err := writeFrameHeader(c.bw, frameSendPacket, uint32(len(dstKey)+len(pkt))); err != nil {
+		return err
+	}
+	if _, err := c.bw.Write(dstKey[:]); err != nil {
+		return err
+	}
+	if _, err := c.bw.Write(pkt); err != nil {
+		return err
+	}
+	return c.bw.Flush()
+}
+
+func (c *Client) ForwardPacket(srcKey, dstKey key.Public, pkt []byte) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("derp.ForwardPacket: %w", err)
+		}
+	}()
+
+	if len(pkt) > MaxPacketSize {
+		return fmt.Errorf("packet too big: %d", len(pkt))
+	}
+
+	c.wmu.Lock()
+	defer c.wmu.Unlock()
+
+	timer := time.AfterFunc(5*time.Second, c.writeTimeoutFired)
+	defer timer.Stop()
+
+	if err := writeFrameHeader(c.bw, frameForwardPacket, uint32(keyLen*2+len(pkt))); err != nil {
+		return err
+	}
+	if _, err := c.bw.Write(srcKey[:]); err != nil {
+		return err
+	}
+	if _, err := c.bw.Write(dstKey[:]); err != nil {
+		return err
+	}
+	if _, err := c.bw.Write(pkt); err != nil {
+		return err
+	}
+	return c.bw.Flush()
+}
+
+func (c *Client) writeTimeoutFired() { c.nc.Close() }
+
+// NotePreferred sends a packet that tells the server whether this
+// client is the user's preferred server. This is only used in the
+// server for stats.
+func (c *Client) NotePreferred(preferred bool) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("derp.NotePreferred: %v", err)
+		}
+	}()
+
+	c.wmu.Lock()
+	defer c.wmu.Unlock()
+
+	if err := writeFrameHeader(c.bw, frameNotePreferred, 1); err != nil {
+		return err
+	}
+	var b byte = 0x00
+	if preferred {
+		b = 0x01
+	}
+	if err := c.bw.WriteByte(b); err != nil {
+		return err
+	}
+	return c.bw.Flush()
+}
+
+// WatchConnectionChanges sends a request to subscribe to the peer's connection list.
+// It's a fatal error if the client wasn't created using MeshKey.
+func (c *Client) WatchConnectionChanges() error {
+	c.wmu.Lock()
+	defer c.wmu.Unlock()
+	if err := writeFrameHeader(c.bw, frameWatchConns, 0); err != nil {
+		return err
+	}
+	return c.bw.Flush()
+}
+
+// ClosePeer asks the server to close target's TCP connection.
+// It's a fatal error if the client wasn't created using MeshKey.
+func (c *Client) ClosePeer(target key.Public) error {
+	c.wmu.Lock()
+	defer c.wmu.Unlock()
+	return writeFrame(c.bw, frameClosePeer, target[:])
+}
+
+// ReceivedMessage represents a type returned by Client.Recv. Unless
+// otherwise documented, the returned message aliases the byte slice
+// provided to Recv and thus the message is only as good as that
+// buffer, which is up to the caller.
+type ReceivedMessage interface {
+	msg()
+}
+
+// ReceivedPacket is a ReceivedMessage representing an incoming packet.
+type ReceivedPacket struct {
+	Source key.Public
+	// Data is the received packet bytes. It aliases the memory
+	// passed to Client.Recv.
+	Data []byte
+}
+
+func (ReceivedPacket) msg() {}
+
+// PeerGoneMessage is a ReceivedMessage that indicates that the client
+// identified by the underlying public key had previously sent you a
+// packet but has now disconnected from the server.
+type PeerGoneMessage key.Public
+
+func (PeerGoneMessage) msg() {}
+
+// PeerPresentMessage is a ReceivedMessage that indicates that the client
+// is connected to the server. (Only used by trusted mesh clients)
+type PeerPresentMessage key.Public
+
+func (PeerPresentMessage) msg() {}
+
+// Recv reads a message from the DERP server.
+//
+// The returned message may alias memory owned by the Client; it
+// should only be accessed until the next call to Client.
+//
+// Once Recv returns an error, the Client is dead forever.
+func (c *Client) Recv() (m ReceivedMessage, err error) {
+	return c.recvTimeout(120 * time.Second)
+}
+
+func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err error) {
+	if c.readErr != nil {
+		return nil, c.readErr
+	}
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("derp.Recv: %w", err)
+			c.readErr = err
+		}
+	}()
+
+	for {
+		c.nc.SetReadDeadline(time.Now().Add(timeout))
+
+		// Discard any peeked bytes from a previous Recv call.
+		if c.peeked != 0 {
+			if n, err := c.br.Discard(c.peeked); err != nil || n != c.peeked {
+				// Documented to never fail, but might as well check.
+				return nil, fmt.Errorf("bufio.Reader.Discard(%d bytes): got %v, %v", c.peeked, n, err)
+			}
+			c.peeked = 0
+		}
+
+		t, n, err := readFrameHeader(c.br)
+		if err != nil {
+			return nil, err
+		}
+		if n > 1<<20 {
+			return nil, fmt.Errorf("unexpectedly large frame of %d bytes returned", n)
+		}
+
+		var b []byte // frame payload (past the 5 byte header)
+
+		// If the frame fits in our bufio.Reader buffer, just use it.
+		// In practice it's 4KB (from derphttp.Client's bufio.NewReader(httpConn)) and
+		// in practive, WireGuard packets (and thus DERP frames) are under 1.5KB.
+		// So This is the common path.
+		if int(n) <= c.br.Size() {
+			b, err = c.br.Peek(int(n))
+			c.peeked = int(n)
+		} else {
+			// But if for some reason we read a large DERP message (which isn't necessarily
+			// a Wireguard packet), then just allocate memory for it.
+			// TODO(bradfitz): use a pool if large frames ever happen in practice.
+			b = make([]byte, n)
+			_, err = io.ReadFull(c.br, b)
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		switch t {
+		default:
+			continue
+		case frameKeepAlive:
+			// TODO: eventually we'll have server->client pings that
+			// require ack pongs.
+			continue
+		case framePeerGone:
+			if n < keyLen {
+				c.logf("[unexpected] dropping short peerGone frame from DERP server")
+				continue
+			}
+			var pg PeerGoneMessage
+			copy(pg[:], b[:keyLen])
+			return pg, nil
+
+		case framePeerPresent:
+			if n < keyLen {
+				c.logf("[unexpected] dropping short peerPresent frame from DERP server")
+				continue
+			}
+			var pg PeerPresentMessage
+			copy(pg[:], b[:keyLen])
+			return pg, nil
+
+		case frameRecvPacket:
+			var rp ReceivedPacket
+			if c.protoVersion < protocolSrcAddrs {
+				rp.Data = b[:n]
+			} else {
+				if n < keyLen {
+					c.logf("[unexpected] dropping short packet from DERP server")
+					continue
+				}
+				copy(rp.Source[:], b[:keyLen])
+				rp.Data = b[keyLen:n]
+			}
+			return rp, nil
+		}
 	}
-	if int(packetLen) > len(b) {
-		// TODO(crawshaw): discard the packet
-		return 0, io.ErrShortBuffer
-	}
-	b = b[:packetLen]
-	if _, err := io.ReadFull(c.conn, b); err != nil {
-		return 0, err
-	}
-	return int(packetLen), nil
 }

derp/derp_test.go

@@ -6,83 +6,107 @@ package derp
 
 import (
 	"bufio"
-	"crypto/rand"
+	"context"
+	crand "crypto/rand"
+	"errors"
+	"expvar"
+	"fmt"
+	"io"
 	"net"
+	"reflect"
+	"sync"
 	"testing"
 	"time"
 
-	"golang.org/x/crypto/curve25519"
+	"tailscale.com/net/nettest"
+	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
 )
 
+func newPrivateKey(tb testing.TB) (k key.Private) {
+	tb.Helper()
+	if _, err := crand.Read(k[:]); err != nil {
+		tb.Fatal(err)
+	}
+	return
+}
+
 func TestSendRecv(t *testing.T) {
+	serverPrivateKey := newPrivateKey(t)
+	s := NewServer(serverPrivateKey, t.Logf)
+	defer s.Close()
+
 	const numClients = 3
-	var serverPrivateKey [32]byte
-	if _, err := rand.Read(serverPrivateKey[:]); err != nil {
-		t.Fatal(err)
-	}
-	var clientPrivateKeys [][32]byte
+	var clientPrivateKeys []key.Private
+	var clientKeys []key.Public
 	for i := 0; i < numClients; i++ {
-		var key [32]byte
-		if _, err := rand.Read(key[:]); err != nil {
-			t.Fatal(err)
-		}
-		clientPrivateKeys = append(clientPrivateKeys, key)
-	}
-	var clientKeys [][32]byte
-	for _, privKey := range clientPrivateKeys {
-		var key [32]byte
-		curve25519.ScalarBaseMult(&key, &privKey)
-		clientKeys = append(clientKeys, key)
+		priv := newPrivateKey(t)
+		clientPrivateKeys = append(clientPrivateKeys, priv)
+		clientKeys = append(clientKeys, priv.Public())
 	}
 
-	ln, err := net.Listen("tcp", ":0")
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		t.Fatal(err)
 	}
-
-	var clientConns []net.Conn
-	for i := 0; i < numClients; i++ {
-		conn, err := net.Dial("tcp", ln.Addr().String())
-		if err != nil {
-			t.Fatal(err)
-		}
-		clientConns = append(clientConns, conn)
-	}
-	s := NewServer(serverPrivateKey, t.Logf)
-	defer s.Close()
-	for i := 0; i < numClients; i++ {
-		netConn, err := ln.Accept()
-		if err != nil {
-			t.Fatal(err)
-		}
-		conn := bufio.NewReadWriter(bufio.NewReader(netConn), bufio.NewWriter(netConn))
-		go s.Accept(netConn, conn)
-	}
+	defer ln.Close()
 
 	var clients []*Client
+	var connsOut []Conn
 	var recvChs []chan []byte
 	errCh := make(chan error, 3)
+
 	for i := 0; i < numClients; i++ {
+		t.Logf("Connecting client %d ...", i)
+		cout, err := net.Dial("tcp", ln.Addr().String())
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer cout.Close()
+		connsOut = append(connsOut, cout)
+
+		cin, err := ln.Accept()
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer cin.Close()
+		brwServer := bufio.NewReadWriter(bufio.NewReader(cin), bufio.NewWriter(cin))
+		go s.Accept(cin, brwServer, fmt.Sprintf("test-client-%d", i))
+
 		key := clientPrivateKeys[i]
-		netConn := clientConns[i]
-		conn := bufio.NewReadWriter(bufio.NewReader(netConn), bufio.NewWriter(netConn))
-		c, err := NewClient(key, netConn, conn, t.Logf)
+		brw := bufio.NewReadWriter(bufio.NewReader(cout), bufio.NewWriter(cout))
+		c, err := NewClient(key, cout, brw, t.Logf)
 		if err != nil {
 			t.Fatalf("client %d: %v", i, err)
 		}
 		clients = append(clients, c)
 		recvChs = append(recvChs, make(chan []byte))
+		t.Logf("Connected client %d.", i)
+	}
 
+	var peerGoneCount expvar.Int
+
+	t.Logf("Starting read loops")
+	for i := 0; i < numClients; i++ {
 		go func(i int) {
 			for {
-				b := make([]byte, 1<<16)
-				n, err := c.Recv(b)
+				m, err := clients[i].Recv()
 				if err != nil {
 					errCh <- err
 					return
 				}
-				b = b[:n]
-				recvChs[i] <- b
+				switch m := m.(type) {
+				default:
+					t.Errorf("unexpected message type %T", m)
+					continue
+				case PeerGoneMessage:
+					peerGoneCount.Add(1)
+				case ReceivedPacket:
+					if m.Source.IsZero() {
+						t.Errorf("zero Source address in ReceivedPacket")
+					}
+					recvChs[i] <- append([]byte(nil), m.Data...)
+				}
 			}
 		}(i)
 	}
@@ -107,6 +131,32 @@ func TestSendRecv(t *testing.T) {
 		}
 	}
 
+	wantActive := func(total, home int64) {
+		t.Helper()
+		dl := time.Now().Add(5 * time.Second)
+		var gotTotal, gotHome int64
+		for time.Now().Before(dl) {
+			gotTotal, gotHome = s.curClients.Value(), s.curHomeClients.Value()
+			if gotTotal == total && gotHome == home {
+				return
+			}
+			time.Sleep(10 * time.Millisecond)
+		}
+		t.Errorf("total/home=%v/%v; want %v/%v", gotTotal, gotHome, total, home)
+	}
+
+	wantClosedPeers := func(want int64) {
+		t.Helper()
+		var got int64
+		dl := time.Now().Add(5 * time.Second)
+		for time.Now().Before(dl) {
+			if got = peerGoneCount.Value(); got == want {
+				return
+			}
+		}
+		t.Errorf("peer gone count = %v; want %v", got, want)
+	}
+
 	msg1 := []byte("hello 0->1\n")
 	if err := clients[0].Send(clientKeys[1], msg1); err != nil {
 		t.Fatal(err)
@@ -122,4 +172,634 @@ func TestSendRecv(t *testing.T) {
 	recv(2, string(msg2))
 	recvNothing(0)
 	recvNothing(1)
+
+	wantActive(3, 0)
+	clients[0].NotePreferred(true)
+	wantActive(3, 1)
+	clients[0].NotePreferred(true)
+	wantActive(3, 1)
+	clients[0].NotePreferred(false)
+	wantActive(3, 0)
+	clients[0].NotePreferred(false)
+	wantActive(3, 0)
+	clients[1].NotePreferred(true)
+	wantActive(3, 1)
+	connsOut[1].Close()
+	wantActive(2, 0)
+	wantClosedPeers(1)
+	clients[2].NotePreferred(true)
+	wantActive(2, 1)
+	clients[2].NotePreferred(false)
+	wantActive(2, 0)
+	connsOut[2].Close()
+	wantActive(1, 0)
+	wantClosedPeers(1)
+
+	t.Logf("passed")
+	s.Close()
+
+}
+
+func TestSendFreeze(t *testing.T) {
+	serverPrivateKey := newPrivateKey(t)
+	s := NewServer(serverPrivateKey, t.Logf)
+	defer s.Close()
+	s.WriteTimeout = 100 * time.Millisecond
+
+	// We send two streams of messages:
+	//
+	//	alice --> bob
+	//	alice --> cathy
+	//
+	// Then cathy stops processing messsages.
+	// That should not interfere with alice talking to bob.
+
+	newClient := func(name string, k key.Private) (c *Client, clientConn nettest.Conn) {
+		t.Helper()
+		c1, c2 := nettest.NewConn(name, 1024)
+		go s.Accept(c1, bufio.NewReadWriter(bufio.NewReader(c1), bufio.NewWriter(c1)), name)
+
+		brw := bufio.NewReadWriter(bufio.NewReader(c2), bufio.NewWriter(c2))
+		c, err := NewClient(k, c2, brw, t.Logf)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return c, c2
+	}
+
+	aliceKey := newPrivateKey(t)
+	aliceClient, aliceConn := newClient("alice", aliceKey)
+
+	bobKey := newPrivateKey(t)
+	bobClient, bobConn := newClient("bob", bobKey)
+
+	cathyKey := newPrivateKey(t)
+	cathyClient, cathyConn := newClient("cathy", cathyKey)
+
+	var (
+		aliceCh = make(chan struct{}, 32)
+		bobCh   = make(chan struct{}, 32)
+		cathyCh = make(chan struct{}, 32)
+	)
+	chs := func(name string) chan struct{} {
+		switch name {
+		case "alice":
+			return aliceCh
+		case "bob":
+			return bobCh
+		case "cathy":
+			return cathyCh
+		default:
+			panic("unknown ch: " + name)
+		}
+	}
+
+	errCh := make(chan error, 4)
+	recv := func(name string, client *Client) {
+		ch := chs(name)
+		for {
+			m, err := client.Recv()
+			if err != nil {
+				errCh <- fmt.Errorf("%s: %w", name, err)
+				return
+			}
+			switch m := m.(type) {
+			default:
+				errCh <- fmt.Errorf("%s: unexpected message type %T", name, m)
+				return
+			case ReceivedPacket:
+				if m.Source.IsZero() {
+					errCh <- fmt.Errorf("%s: zero Source address in ReceivedPacket", name)
+					return
+				}
+				select {
+				case ch <- struct{}{}:
+				default:
+				}
+			}
+		}
+	}
+	go recv("alice", aliceClient)
+	go recv("bob", bobClient)
+	go recv("cathy", cathyClient)
+
+	var cancel func()
+	go func() {
+		t := time.NewTicker(2 * time.Millisecond)
+		defer t.Stop()
+		var ctx context.Context
+		ctx, cancel = context.WithCancel(context.Background())
+		for {
+			select {
+			case <-t.C:
+			case <-ctx.Done():
+				errCh <- nil
+				return
+			}
+
+			msg1 := []byte("hello alice->bob\n")
+			if err := aliceClient.Send(bobKey.Public(), msg1); err != nil {
+				errCh <- fmt.Errorf("alice send to bob: %w", err)
+				return
+			}
+			msg2 := []byte("hello alice->cathy\n")
+
+			// TODO: an error is expected here.
+			// We ignore it, maybe we should log it somehow?
+			aliceClient.Send(cathyKey.Public(), msg2)
+		}
+	}()
+
+	drainAny := func(ch chan struct{}) {
+		// We are draining potentially infinite sources,
+		// so place some reasonable upper limit.
+		//
+		// The important thing here is to make sure that
+		// if any tokens remain in the channel, they
+		// must have been generated after drainAny was
+		// called.
+		for i := 0; i < cap(ch); i++ {
+			select {
+			case <-ch:
+			default:
+				return
+			}
+		}
+	}
+	drain := func(t *testing.T, name string) bool {
+		t.Helper()
+		timer := time.NewTimer(1 * time.Second)
+		defer timer.Stop()
+
+		// Ensure ch has at least one element.
+		ch := chs(name)
+		select {
+		case <-ch:
+		case <-timer.C:
+			t.Errorf("no packet received by %s", name)
+			return false
+		}
+		// Drain remaining.
+		drainAny(ch)
+		return true
+	}
+	isEmpty := func(t *testing.T, name string) {
+		t.Helper()
+		select {
+		case <-chs(name):
+			t.Errorf("packet received by %s, want none", name)
+		default:
+		}
+	}
+
+	t.Run("initial send", func(t *testing.T) {
+		drain(t, "bob")
+		drain(t, "cathy")
+		isEmpty(t, "alice")
+	})
+
+	t.Run("block cathy", func(t *testing.T) {
+		// Block cathy. Now the cathyConn buffer will fill up quickly,
+		// and the derp server will back up.
+		cathyConn.SetReadBlock(true)
+		time.Sleep(2 * s.WriteTimeout)
+
+		drain(t, "bob")
+		drainAny(chs("cathy"))
+		isEmpty(t, "alice")
+
+		// Now wait a little longer, and ensure packets still flow to bob
+		if !drain(t, "bob") {
+			t.Errorf("connection alice->bob frozen by alice->cathy")
+		}
+	})
+
+	// Cleanup, make sure we process all errors.
+	t.Logf("TEST COMPLETE, cancelling sender")
+	cancel()
+	t.Logf("closing connections")
+	aliceConn.Close()
+	bobConn.Close()
+	cathyConn.Close()
+
+	for i := 0; i < cap(errCh); i++ {
+		err := <-errCh
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				continue
+			}
+			t.Error(err)
+		}
+	}
+}
+
+type testServer struct {
+	s    *Server
+	ln   net.Listener
+	logf logger.Logf
+
+	mu      sync.Mutex
+	pubName map[key.Public]string
+	clients map[*testClient]bool
+}
+
+func (ts *testServer) addTestClient(c *testClient) {
+	ts.mu.Lock()
+	defer ts.mu.Unlock()
+	ts.clients[c] = true
+}
+
+func (ts *testServer) addKeyName(k key.Public, name string) {
+	ts.mu.Lock()
+	defer ts.mu.Unlock()
+	ts.pubName[k] = name
+	ts.logf("test adding named key %q for %x", name, k)
+}
+
+func (ts *testServer) keyName(k key.Public) string {
+	ts.mu.Lock()
+	defer ts.mu.Unlock()
+	if name, ok := ts.pubName[k]; ok {
+		return name
+	}
+	return k.ShortString()
+}
+
+func (ts *testServer) close(t *testing.T) error {
+	ts.ln.Close()
+	ts.s.Close()
+	for c := range ts.clients {
+		c.close(t)
+	}
+	return nil
+}
+
+func newTestServer(t *testing.T) *testServer {
+	t.Helper()
+	logf := logger.WithPrefix(t.Logf, "derp-server: ")
+	s := NewServer(newPrivateKey(t), logf)
+	s.SetMeshKey("mesh-key")
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	go func() {
+		i := 0
+		for {
+			i++
+			c, err := ln.Accept()
+			if err != nil {
+				return
+			}
+			// TODO: register c in ts so Close also closes it?
+			go func(i int) {
+				brwServer := bufio.NewReadWriter(bufio.NewReader(c), bufio.NewWriter(c))
+				go s.Accept(c, brwServer, fmt.Sprintf("test-client-%d", i))
+			}(i)
+		}
+	}()
+	return &testServer{
+		s:       s,
+		ln:      ln,
+		logf:    logf,
+		clients: map[*testClient]bool{},
+		pubName: map[key.Public]string{},
+	}
+}
+
+type testClient struct {
+	name   string
+	c      *Client
+	nc     net.Conn
+	pub    key.Public
+	ts     *testServer
+	closed bool
+}
+
+func newTestClient(t *testing.T, ts *testServer, name string, newClient func(net.Conn, key.Private, logger.Logf) (*Client, error)) *testClient {
+	t.Helper()
+	nc, err := net.Dial("tcp", ts.ln.Addr().String())
+	if err != nil {
+		t.Fatal(err)
+	}
+	key := newPrivateKey(t)
+	ts.addKeyName(key.Public(), name)
+	c, err := newClient(nc, key, logger.WithPrefix(t.Logf, "client-"+name+": "))
+	if err != nil {
+		t.Fatal(err)
+	}
+	tc := &testClient{
+		name: name,
+		nc:   nc,
+		c:    c,
+		ts:   ts,
+		pub:  key.Public(),
+	}
+	ts.addTestClient(tc)
+	return tc
+}
+
+func newRegularClient(t *testing.T, ts *testServer, name string) *testClient {
+	return newTestClient(t, ts, name, func(nc net.Conn, priv key.Private, logf logger.Logf) (*Client, error) {
+		brw := bufio.NewReadWriter(bufio.NewReader(nc), bufio.NewWriter(nc))
+		return NewClient(priv, nc, brw, logf)
+	})
+}
+
+func newTestWatcher(t *testing.T, ts *testServer, name string) *testClient {
+	return newTestClient(t, ts, name, func(nc net.Conn, priv key.Private, logf logger.Logf) (*Client, error) {
+		brw := bufio.NewReadWriter(bufio.NewReader(nc), bufio.NewWriter(nc))
+		c, err := NewClient(priv, nc, brw, logf, MeshKey("mesh-key"))
+		if err != nil {
+			return nil, err
+		}
+		if err := c.WatchConnectionChanges(); err != nil {
+			return nil, err
+		}
+		return c, nil
+	})
+}
+
+func (tc *testClient) wantPresent(t *testing.T, peers ...key.Public) {
+	t.Helper()
+	want := map[key.Public]bool{}
+	for _, k := range peers {
+		want[k] = true
+	}
+
+	for {
+		m, err := tc.c.recvTimeout(time.Second)
+		if err != nil {
+			t.Fatal(err)
+		}
+		switch m := m.(type) {
+		case PeerPresentMessage:
+			got := key.Public(m)
+			if !want[got] {
+				t.Fatalf("got peer present for %v; want present for %v", tc.ts.keyName(got), logger.ArgWriter(func(bw *bufio.Writer) {
+					for _, pub := range peers {
+						fmt.Fprintf(bw, "%s ", tc.ts.keyName(pub))
+					}
+				}))
+			}
+			delete(want, got)
+			if len(want) == 0 {
+				return
+			}
+		default:
+			t.Fatalf("unexpected message type %T", m)
+		}
+	}
+}
+
+func (tc *testClient) wantGone(t *testing.T, peer key.Public) {
+	t.Helper()
+	m, err := tc.c.recvTimeout(time.Second)
+	if err != nil {
+		t.Fatal(err)
+	}
+	switch m := m.(type) {
+	case PeerGoneMessage:
+		got := key.Public(m)
+		if peer != got {
+			t.Errorf("got gone message for %v; want gone for %v", tc.ts.keyName(got), tc.ts.keyName(peer))
+		}
+	default:
+		t.Fatalf("unexpected message type %T", m)
+	}
+}
+
+func (c *testClient) close(t *testing.T) {
+	t.Helper()
+	if c.closed {
+		return
+	}
+	c.closed = true
+	t.Logf("closing client %q (%x)", c.name, c.pub)
+	c.nc.Close()
+}
+
+// TestWatch tests the connection watcher mechanism used by regional
+// DERP nodes to mesh up with each other.
+func TestWatch(t *testing.T) {
+	ts := newTestServer(t)
+	defer ts.close(t)
+
+	w1 := newTestWatcher(t, ts, "w1")
+	w1.wantPresent(t, w1.pub)
+
+	c1 := newRegularClient(t, ts, "c1")
+	w1.wantPresent(t, c1.pub)
+
+	c2 := newRegularClient(t, ts, "c2")
+	w1.wantPresent(t, c2.pub)
+
+	w2 := newTestWatcher(t, ts, "w2")
+	w1.wantPresent(t, w2.pub)
+	w2.wantPresent(t, w1.pub, w2.pub, c1.pub, c2.pub)
+
+	c3 := newRegularClient(t, ts, "c3")
+	w1.wantPresent(t, c3.pub)
+	w2.wantPresent(t, c3.pub)
+
+	c2.close(t)
+	w1.wantGone(t, c2.pub)
+	w2.wantGone(t, c2.pub)
+
+	w3 := newTestWatcher(t, ts, "w3")
+	w1.wantPresent(t, w3.pub)
+	w2.wantPresent(t, w3.pub)
+	w3.wantPresent(t, c1.pub, c3.pub, w1.pub, w2.pub, w3.pub)
+
+	c1.close(t)
+	w1.wantGone(t, c1.pub)
+	w2.wantGone(t, c1.pub)
+	w3.wantGone(t, c1.pub)
+}
+
+type testFwd int
+
+func (testFwd) ForwardPacket(key.Public, key.Public, []byte) error { panic("not called in tests") }
+
+func pubAll(b byte) (ret key.Public) {
+	for i := range ret {
+		ret[i] = b
+	}
+	return
+}
+
+func TestForwarderRegistration(t *testing.T) {
+	s := &Server{
+		clients:     make(map[key.Public]*sclient),
+		clientsMesh: map[key.Public]PacketForwarder{},
+	}
+	want := func(want map[key.Public]PacketForwarder) {
+		t.Helper()
+		if got := s.clientsMesh; !reflect.DeepEqual(got, want) {
+			t.Fatalf("mismatch\n got: %v\nwant: %v\n", got, want)
+		}
+	}
+	wantCounter := func(c *expvar.Int, want int) {
+		t.Helper()
+		if got := c.Value(); got != int64(want) {
+			t.Errorf("counter = %v; want %v", got, want)
+		}
+	}
+
+	u1 := pubAll(1)
+	u2 := pubAll(2)
+	u3 := pubAll(3)
+
+	s.AddPacketForwarder(u1, testFwd(1))
+	s.AddPacketForwarder(u2, testFwd(2))
+	want(map[key.Public]PacketForwarder{
+		u1: testFwd(1),
+		u2: testFwd(2),
+	})
+
+	// Verify a remove of non-registered forwarder is no-op.
+	s.RemovePacketForwarder(u2, testFwd(999))
+	want(map[key.Public]PacketForwarder{
+		u1: testFwd(1),
+		u2: testFwd(2),
+	})
+
+	// Verify a remove of non-registered user is no-op.
+	s.RemovePacketForwarder(u3, testFwd(1))
+	want(map[key.Public]PacketForwarder{
+		u1: testFwd(1),
+		u2: testFwd(2),
+	})
+
+	// Actual removal.
+	s.RemovePacketForwarder(u2, testFwd(2))
+	want(map[key.Public]PacketForwarder{
+		u1: testFwd(1),
+	})
+
+	// Adding a dup for a user.
+	wantCounter(&s.multiForwarderCreated, 0)
+	s.AddPacketForwarder(u1, testFwd(100))
+	want(map[key.Public]PacketForwarder{
+		u1: multiForwarder{
+			testFwd(1):   1,
+			testFwd(100): 2,
+		},
+	})
+	wantCounter(&s.multiForwarderCreated, 1)
+
+	// Removing a forwarder in a multi set that doesn't exist; does nothing.
+	s.RemovePacketForwarder(u1, testFwd(55))
+	want(map[key.Public]PacketForwarder{
+		u1: multiForwarder{
+			testFwd(1):   1,
+			testFwd(100): 2,
+		},
+	})
+
+	// Removing a forwarder in a multi set that does exist should collapse it away
+	// from being a multiForwarder.
+	wantCounter(&s.multiForwarderDeleted, 0)
+	s.RemovePacketForwarder(u1, testFwd(1))
+	want(map[key.Public]PacketForwarder{
+		u1: testFwd(100),
+	})
+	wantCounter(&s.multiForwarderDeleted, 1)
+
+	// Removing an entry for a client that's still connected locally should result
+	// in a nil forwarder.
+	u1c := &sclient{
+		key:  u1,
+		logf: logger.Discard,
+	}
+	s.clients[u1] = u1c
+	s.RemovePacketForwarder(u1, testFwd(100))
+	want(map[key.Public]PacketForwarder{
+		u1: nil,
+	})
+
+	// But once that client disconnects, it should go away.
+	s.unregisterClient(u1c)
+	want(map[key.Public]PacketForwarder{})
+
+	// But if it already has a forwarder, it's not removed.
+	s.AddPacketForwarder(u1, testFwd(2))
+	s.unregisterClient(u1c)
+	want(map[key.Public]PacketForwarder{
+		u1: testFwd(2),
+	})
+
+	// Now pretend u1 was already connected locally (so clientsMesh[u1] is nil), and then we heard
+	// that they're also connected to a peer of ours. That sholdn't transition the forwarder
+	// from nil to the new one, not a multiForwarder.
+	s.clients[u1] = u1c
+	s.clientsMesh[u1] = nil
+	want(map[key.Public]PacketForwarder{
+		u1: nil,
+	})
+	s.AddPacketForwarder(u1, testFwd(3))
+	want(map[key.Public]PacketForwarder{
+		u1: testFwd(3),
+	})
+}
+
+func BenchmarkSendRecv(b *testing.B) {
+	for _, size := range []int{10, 100, 1000, 10000} {
+		b.Run(fmt.Sprintf("msgsize=%d", size), func(b *testing.B) { benchmarkSendRecvSize(b, size) })
+	}
+}
+
+func benchmarkSendRecvSize(b *testing.B, packetSize int) {
+	serverPrivateKey := newPrivateKey(b)
+	s := NewServer(serverPrivateKey, logger.Discard)
+	defer s.Close()
+
+	key := newPrivateKey(b)
+	clientKey := key.Public()
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer ln.Close()
+
+	connOut, err := net.Dial("tcp", ln.Addr().String())
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer connOut.Close()
+
+	connIn, err := ln.Accept()
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer connIn.Close()
+
+	brwServer := bufio.NewReadWriter(bufio.NewReader(connIn), bufio.NewWriter(connIn))
+	go s.Accept(connIn, brwServer, "test-client")
+
+	brw := bufio.NewReadWriter(bufio.NewReader(connOut), bufio.NewWriter(connOut))
+	client, err := NewClient(key, connOut, brw, logger.Discard)
+	if err != nil {
+		b.Fatalf("client: %v", err)
+	}
+
+	go func() {
+		for {
+			_, err := client.Recv()
+			if err != nil {
+				return
+			}
+		}
+	}()
+
+	msg := make([]byte, packetSize)
+	b.SetBytes(int64(len(msg)))
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		if err := client.Send(clientKey, msg); err != nil {
+			b.Fatal(err)
+		}
+	}
 }

derp/derphttp/derphttp_client.go

@@ -12,193 +12,605 @@ package derphttp
 
 import (
 	"bufio"
-	"bytes"
+	"context"
 	"crypto/tls"
 	"errors"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
 	"sync"
+	"time"
 
+	"inet.af/netaddr"
 	"tailscale.com/derp"
-	"tailscale.com/logger"
+	"tailscale.com/net/dnscache"
+	"tailscale.com/net/netns"
+	"tailscale.com/net/tlsdial"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
 )
 
 // Client is a DERP-over-HTTP client.
 //
 // It automatically reconnects on error retry. That is, a failed Send or
 // Recv will report the error and not retry, but subsequent calls to
-// Send/Recv will completely re-establish the connection.
+// Send/Recv will completely re-establish the connection (unless Close
+// has been called).
 type Client struct {
-	privateKey [32]byte
+	TLSConfig *tls.Config        // optional; nil means default
+	DNSCache  *dnscache.Resolver // optional; nil means no caching
+	MeshKey   string             // optional; for trusted clients
+
+	privateKey key.Private
 	logf       logger.Logf
-	closed     chan struct{}
-	url        *url.URL
-	resp       *http.Response
 
-	netConnMu sync.Mutex
-	netConn   net.Conn
+	// Either url or getRegion is non-nil:
+	url       *url.URL
+	getRegion func() *tailcfg.DERPRegion
 
-	clientMu sync.Mutex
-	client   *derp.Client
+	ctx       context.Context // closed via cancelCtx in Client.Close
+	cancelCtx context.CancelFunc
+
+	mu           sync.Mutex
+	preferred    bool
+	closed       bool
+	netConn      io.Closer
+	client       *derp.Client
+	connGen      int // incremented once per new connection; valid values are >0
+	serverPubKey key.Public
 }
 
-func NewClient(privateKey [32]byte, serverURL string, logf logger.Logf) (*Client, error) {
+// NewRegionClient returns a new DERP-over-HTTP client. It connects lazily.
+// To trigger a connection, use Connect.
+func NewRegionClient(privateKey key.Private, logf logger.Logf, getRegion func() *tailcfg.DERPRegion) *Client {
+	ctx, cancel := context.WithCancel(context.Background())
+	c := &Client{
+		privateKey: privateKey,
+		logf:       logf,
+		getRegion:  getRegion,
+		ctx:        ctx,
+		cancelCtx:  cancel,
+	}
+	return c
+}
+
+// NewNetcheckClient returns a Client that's only able to have its DialRegion method called.
+// It's used by the netcheck package.
+func NewNetcheckClient(logf logger.Logf) *Client {
+	return &Client{logf: logf}
+}
+
+// NewClient returns a new DERP-over-HTTP client. It connects lazily.
+// To trigger a connection, use Connect.
+func NewClient(privateKey key.Private, serverURL string, logf logger.Logf) (*Client, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, fmt.Errorf("derphttp.NewClient: %v", err)
 	}
+	if urlPort(u) == "" {
+		return nil, fmt.Errorf("derphttp.NewClient: invalid URL scheme %q", u.Scheme)
+	}
 
+	ctx, cancel := context.WithCancel(context.Background())
 	c := &Client{
 		privateKey: privateKey,
 		logf:       logf,
 		url:        u,
-		closed:     make(chan struct{}),
-	}
-	if _, err := c.connect("derphttp.NewClient"); err != nil {
-		c.logf("%v", err)
+		ctx:        ctx,
+		cancelCtx:  cancel,
 	}
 	return c, nil
 }
 
-func (c *Client) connect(caller string) (client *derp.Client, err error) {
-	select {
-	case <-c.closed:
-		return nil, ErrClientClosed
-	default:
+// Connect connects or reconnects to the server, unless already connected.
+// It returns nil if there was already a good connection, or if one was made.
+func (c *Client) Connect(ctx context.Context) error {
+	_, _, err := c.connect(ctx, "derphttp.Client.Connect")
+	return err
+}
+
+// ServerPublicKey returns the server's public key.
+//
+// It only returns a non-zero value once a connection has succeeded
+// from an earlier call.
+func (c *Client) ServerPublicKey() key.Public {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.serverPubKey
+}
+
+func urlPort(u *url.URL) string {
+	if p := u.Port(); p != "" {
+		return p
 	}
+	switch u.Scheme {
+	case "https":
+		return "443"
+	case "http":
+		return "80"
+	}
+	return ""
+}
 
-	c.clientMu.Lock()
-	defer c.clientMu.Unlock()
+func (c *Client) targetString(reg *tailcfg.DERPRegion) string {
+	if c.url != nil {
+		return c.url.String()
+	}
+	return fmt.Sprintf("region %d (%v)", reg.RegionID, reg.RegionCode)
+}
 
+func (c *Client) useHTTPS() bool {
+	if c.url != nil && c.url.Scheme == "http" {
+		return false
+	}
+	return true
+}
+
+// tlsServerName returns the tls.Config.ServerName value (for the TLS ClientHello).
+func (c *Client) tlsServerName(node *tailcfg.DERPNode) string {
+	if c.url != nil {
+		return c.url.Host
+	}
+	return node.HostName
+}
+
+func (c *Client) urlString(node *tailcfg.DERPNode) string {
+	if c.url != nil {
+		return c.url.String()
+	}
+	return fmt.Sprintf("https://%s/derp", node.HostName)
+}
+
+func (c *Client) connect(ctx context.Context, caller string) (client *derp.Client, connGen int, err error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.closed {
+		return nil, 0, ErrClientClosed
+	}
 	if c.client != nil {
-		return c.client, nil
+		return c.client, c.connGen, nil
 	}
 
-	c.logf("%s: connecting", caller)
+	// timeout is the fallback maximum time (if ctx doesn't limit
+	// it further) to do all of: DNS + TCP + TLS + HTTP Upgrade +
+	// DERP upgrade.
+	const timeout = 10 * time.Second
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	go func() {
+		select {
+		case <-ctx.Done():
+			// Either timeout fired (handled below), or
+			// we're returning via the defer cancel()
+			// below.
+		case <-c.ctx.Done():
+			// Propagate a Client.Close call into
+			// cancelling this context.
+			cancel()
+		}
+	}()
+	defer cancel()
+
+	var reg *tailcfg.DERPRegion // nil when using c.url to dial
+	if c.getRegion != nil {
+		reg = c.getRegion()
+		if reg == nil {
+			return nil, 0, errors.New("DERP region not available")
+		}
+	}
+
+	var tcpConn net.Conn
 
-	var netConn net.Conn
 	defer func() {
 		if err != nil {
-			err = fmt.Errorf("%s connect: %v", caller, err)
-			if netConn := netConn; netConn != nil {
-				netConn.Close()
+			if ctx.Err() != nil {
+				err = fmt.Errorf("%v: %v", ctx.Err(), err)
+			}
+			err = fmt.Errorf("%s connect to %v: %v", caller, c.targetString(reg), err)
+			if tcpConn != nil {
+				go tcpConn.Close()
 			}
 		}
 	}()
 
-	if c.url.Scheme == "https" {
-		port := c.url.Port()
-		if port == "" {
-			port = "443"
-		}
-		config := &tls.Config{}
-		var tlsConn *tls.Conn
-		tlsConn, err = tls.Dial("tcp", net.JoinHostPort(c.url.Host, port), config)
-		if tlsConn != nil {
-			netConn = tlsConn
-		}
+	var node *tailcfg.DERPNode // nil when using c.url to dial
+	if c.url != nil {
+		c.logf("%s: connecting to %v", caller, c.url)
+		tcpConn, err = c.dialURL(ctx)
 	} else {
-		netConn, err = net.Dial("tcp", c.url.Host)
+		c.logf("%s: connecting to derp-%d (%v)", caller, reg.RegionID, reg.RegionCode)
+		tcpConn, node, err = c.dialRegion(ctx, reg)
 	}
 	if err != nil {
-		return nil, err
+		return nil, 0, err
 	}
 
-	c.netConnMu.Lock()
-	c.netConn = netConn
-	c.netConnMu.Unlock()
+	// Now that we have a TCP connection, force close it if the
+	// TLS handshake + DERP setup takes too long.
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-done:
+			// Normal path. Upgrade occurred in time.
+		case <-ctx.Done():
+			select {
+			case <-done:
+				// Normal path. Upgrade occurred in time.
+				// But the ctx.Done() is also done because
+				// the "defer cancel()" above scheduled
+				// before this goroutine.
+			default:
+				// The TLS or HTTP or DERP exchanges didn't complete
+				// in time. Force close the TCP connection to force
+				// them to fail quickly.
+				tcpConn.Close()
+			}
+		}
+	}()
 
-	conn := bufio.NewReadWriter(bufio.NewReader(netConn), bufio.NewWriter(netConn))
+	var httpConn net.Conn // a TCP conn or a TLS conn; what we speak HTTP to
+	if c.useHTTPS() {
+		httpConn = c.tlsClient(tcpConn, node)
+	} else {
+		httpConn = tcpConn
+	}
 
-	req, err := http.NewRequest("GET", c.url.String(), nil)
+	brw := bufio.NewReadWriter(bufio.NewReader(httpConn), bufio.NewWriter(httpConn))
+
+	req, err := http.NewRequest("GET", c.urlString(node), nil)
 	if err != nil {
-		return nil, err
+		return nil, 0, err
 	}
-	req.Header.Set("Upgrade", "WebSocket")
+	req.Header.Set("Upgrade", "DERP")
 	req.Header.Set("Connection", "Upgrade")
-	if err := req.Write(conn); err != nil {
-		return nil, err
+
+	if err := req.Write(brw); err != nil {
+		return nil, 0, err
 	}
-	if err := conn.Flush(); err != nil {
-		return nil, err
+	if err := brw.Flush(); err != nil {
+		return nil, 0, err
 	}
 
-	resp, err := http.ReadResponse(conn.Reader, req)
+	resp, err := http.ReadResponse(brw.Reader, req)
 	if err != nil {
-		return nil, err
+		return nil, 0, err
 	}
 	if resp.StatusCode != http.StatusSwitchingProtocols {
 		b, _ := ioutil.ReadAll(resp.Body)
 		resp.Body.Close()
-		return nil, fmt.Errorf("GET failed: %v: %s", err, b)
+		return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
 	}
-	resp.Body = ioutil.NopCloser(bytes.NewReader([]byte{}))
 
-	derpClient, err := derp.NewClient(c.privateKey, netConn, conn, c.logf)
+	derpClient, err := derp.NewClient(c.privateKey, httpConn, brw, c.logf, derp.MeshKey(c.MeshKey))
 	if err != nil {
-		return nil, err
+		return nil, 0, err
 	}
-	c.resp = resp
+	if c.preferred {
+		if err := derpClient.NotePreferred(true); err != nil {
+			go httpConn.Close()
+			return nil, 0, err
+		}
+	}
+
+	c.serverPubKey = derpClient.ServerPublicKey()
 	c.client = derpClient
-	return c.client, nil
+	c.netConn = tcpConn
+	c.connGen++
+	return c.client, c.connGen, nil
 }
 
-func (c *Client) Send(dstKey [32]byte, b []byte) error {
-	client, err := c.connect("derphttp.Client.Send")
+func (c *Client) dialURL(ctx context.Context) (net.Conn, error) {
+	host := c.url.Hostname()
+	hostOrIP := host
+
+	dialer := netns.NewDialer()
+
+	if c.DNSCache != nil {
+		ip, err := c.DNSCache.LookupIP(ctx, host)
+		if err == nil {
+			hostOrIP = ip.String()
+		}
+		if err != nil && netns.IsSOCKSDialer(dialer) {
+			// Return an error if we're not using a dial
+			// proxy that can do DNS lookups for us.
+			return nil, err
+		}
+	}
+
+	tcpConn, err := dialer.DialContext(ctx, "tcp", net.JoinHostPort(hostOrIP, urlPort(c.url)))
+	if err != nil {
+		return nil, fmt.Errorf("dial of %v: %v", host, err)
+	}
+	return tcpConn, nil
+}
+
+// dialRegion returns a TCP connection to the provided region, trying
+// each node in order (with dialNode) until one connects or ctx is
+// done.
+func (c *Client) dialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.Conn, *tailcfg.DERPNode, error) {
+	if len(reg.Nodes) == 0 {
+		return nil, nil, fmt.Errorf("no nodes for %s", c.targetString(reg))
+	}
+	var firstErr error
+	for _, n := range reg.Nodes {
+		if n.STUNOnly {
+			if firstErr == nil {
+				firstErr = fmt.Errorf("no non-STUNOnly nodes for %s", c.targetString(reg))
+			}
+			continue
+		}
+		c, err := c.dialNode(ctx, n)
+		if err == nil {
+			return c, n, nil
+		}
+		if firstErr == nil {
+			firstErr = err
+		}
+	}
+	return nil, nil, firstErr
+}
+
+func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
+	tlsConf := tlsdial.Config(c.tlsServerName(node), c.TLSConfig)
+	if node != nil {
+		if node.DERPTestPort != 0 {
+			tlsConf.InsecureSkipVerify = true
+		}
+		if node.CertName != "" {
+			tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
+		}
+	}
+	return tls.Client(nc, tlsConf)
+}
+
+func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, err error) {
+	tcpConn, node, err := c.dialRegion(ctx, reg)
+	if err != nil {
+		return nil, nil, err
+	}
+	done := make(chan bool) // unbufferd
+	defer close(done)
+
+	tlsConn = c.tlsClient(tcpConn, node)
+	go func() {
+		select {
+		case <-done:
+		case <-ctx.Done():
+			tcpConn.Close()
+		}
+	}()
+	err = tlsConn.Handshake()
+	if err != nil {
+		return nil, nil, err
+	}
+	select {
+	case done <- true:
+		return tlsConn, tcpConn, nil
+	case <-ctx.Done():
+		return nil, nil, ctx.Err()
+	}
+}
+
+func (c *Client) dialContext(ctx context.Context, proto, addr string) (net.Conn, error) {
+	return netns.NewDialer().DialContext(ctx, proto, addr)
+}
+
+// shouldDialProto reports whether an explicitly provided IPv4 or IPv6
+// address (given in s) is valid. An empty value means to dial, but to
+// use DNS. The predicate function reports whether the non-empty
+// string s contained a valid IP address of the right family.
+func shouldDialProto(s string, pred func(netaddr.IP) bool) bool {
+	if s == "" {
+		return true
+	}
+	ip, _ := netaddr.ParseIP(s)
+	return pred(ip)
+}
+
+const dialNodeTimeout = 1500 * time.Millisecond
+
+// dialNode returns a TCP connection to node n, racing IPv4 and IPv6
+// (both as applicable) against each other.
+// A node is only given dialNodeTimeout to connect.
+//
+// TODO(bradfitz): longer if no options remain perhaps? ...  Or longer
+// overall but have dialRegion start overlapping races?
+func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, error) {
+	type res struct {
+		c   net.Conn
+		err error
+	}
+	resc := make(chan res) // must be unbuffered
+	ctx, cancel := context.WithTimeout(ctx, dialNodeTimeout)
+	defer cancel()
+
+	nwait := 0
+	startDial := func(dstPrimary, proto string) {
+		nwait++
+		go func() {
+			dst := dstPrimary
+			if dst == "" {
+				dst = n.HostName
+			}
+			port := "443"
+			if n.DERPTestPort != 0 {
+				port = fmt.Sprint(n.DERPTestPort)
+			}
+			c, err := c.dialContext(ctx, proto, net.JoinHostPort(dst, port))
+			select {
+			case resc <- res{c, err}:
+			case <-ctx.Done():
+				if c != nil {
+					c.Close()
+				}
+			}
+		}()
+	}
+	if shouldDialProto(n.IPv4, netaddr.IP.Is4) {
+		startDial(n.IPv4, "tcp4")
+	}
+	if shouldDialProto(n.IPv6, netaddr.IP.Is6) {
+		startDial(n.IPv6, "tcp6")
+	}
+	if nwait == 0 {
+		return nil, errors.New("both IPv4 and IPv6 are explicitly disabled for node")
+	}
+
+	var firstErr error
+	for {
+		select {
+		case res := <-resc:
+			nwait--
+			if res.err == nil {
+				return res.c, nil
+			}
+			if firstErr == nil {
+				firstErr = res.err
+			}
+			if nwait == 0 {
+				return nil, firstErr
+			}
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		}
+	}
+}
+
+func (c *Client) Send(dstKey key.Public, b []byte) error {
+	client, _, err := c.connect(context.TODO(), "derphttp.Client.Send")
 	if err != nil {
 		return err
 	}
 	if err := client.Send(dstKey, b); err != nil {
-		c.close()
+		c.closeForReconnect(client)
 	}
 	return err
 }
 
-func (c *Client) Recv(b []byte) (int, error) {
-	client, err := c.connect("derphttp.Client.Recv")
+func (c *Client) ForwardPacket(from, to key.Public, b []byte) error {
+	client, _, err := c.connect(context.TODO(), "derphttp.Client.ForwardPacket")
 	if err != nil {
-		return 0, err
+		return err
 	}
-	n, err := client.Recv(b)
-	if err != nil {
-		c.close()
+	if err := client.ForwardPacket(from, to, b); err != nil {
+		c.closeForReconnect(client)
 	}
-	return n, err
+	return err
 }
 
-func (c *Client) Close() error {
-	select {
-	case <-c.closed:
-		return ErrClientClosed
-	default:
+// NotePreferred notes whether this Client is the caller's preferred
+// (home) DERP node. It's only used for stats.
+func (c *Client) NotePreferred(v bool) {
+	c.mu.Lock()
+	if c.preferred == v {
+		c.mu.Unlock()
+		return
+	}
+	c.preferred = v
+	client := c.client
+	c.mu.Unlock()
+
+	if client != nil {
+		if err := client.NotePreferred(v); err != nil {
+			c.closeForReconnect(client)
+		}
+	}
+}
+
+// WatchConnectionChanges sends a request to subscribe to
+// notifications about clients connecting & disconnecting.
+//
+// Only trusted connections (using MeshKey) are allowed to use this.
+func (c *Client) WatchConnectionChanges() error {
+	client, _, err := c.connect(context.TODO(), "derphttp.Client.WatchConnectionChanges")
+	if err != nil {
+		return err
+	}
+	err = client.WatchConnectionChanges()
+	if err != nil {
+		c.closeForReconnect(client)
+	}
+	return err
+}
+
+// ClosePeer asks the server to close target's TCP connection.
+//
+// Only trusted connections (using MeshKey) are allowed to use this.
+func (c *Client) ClosePeer(target key.Public) error {
+	client, _, err := c.connect(context.TODO(), "derphttp.Client.ClosePeer")
+	if err != nil {
+		return err
+	}
+	err = client.ClosePeer(target)
+	if err != nil {
+		c.closeForReconnect(client)
+	}
+	return err
+}
+
+// Recv reads a message from c. The returned message may alias memory from Client.
+// The message should only be used until the next Client call.
+func (c *Client) Recv() (derp.ReceivedMessage, error) {
+	m, _, err := c.RecvDetail()
+	return m, err
+}
+
+// RecvDetail is like Recv, but additional returns the connection generation on each message.
+// The connGen value is incremented every time the derphttp.Client reconnects to the server.
+func (c *Client) RecvDetail() (m derp.ReceivedMessage, connGen int, err error) {
+	client, connGen, err := c.connect(context.TODO(), "derphttp.Client.Recv")
+	if err != nil {
+		return nil, 0, err
+	}
+	m, err = client.Recv()
+	if err != nil {
+		c.closeForReconnect(client)
+	}
+	return m, connGen, err
+}
+
+// Close closes the client. It will not automatically reconnect after
+// being closed.
+func (c *Client) Close() error {
+	c.cancelCtx() // not in lock, so it can cancel Connect, which holds mu
+
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.closed {
+		return ErrClientClosed
+	}
+	c.closed = true
+	if c.netConn != nil {
+		c.netConn.Close()
 	}
-	close(c.closed)
-	c.close()
 	return nil
 }
 
-func (c *Client) close() {
-	c.netConnMu.Lock()
-	netConn := c.netConn
-	c.netConnMu.Unlock()
-
-	if netConn != nil {
-		netConn.Close()
-	}
-
-	c.clientMu.Lock()
-	defer c.clientMu.Unlock()
-	if c.client == nil {
+// closeForReconnect closes the underlying network connection and
+// zeros out the client field so future calls to Connect will
+// reconnect.
+//
+// The provided brokenClient is the client to forget. If current
+// client is not brokenClient, closeForReconnect does nothing. (This
+// prevents a send and receive goroutine from failing at the ~same
+// time and both calling closeForReconnect and the caller goroutines
+// forever calling closeForReconnect in lockstep endlessly;
+// https://github.com/tailscale/tailscale/pull/264)
+func (c *Client) closeForReconnect(brokenClient *derp.Client) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.client != brokenClient {
 		return
 	}
-	c.resp = nil
+	if c.netConn != nil {
+		c.netConn.Close()
+		c.netConn = nil
+	}
 	c.client = nil
-	c.netConnMu.Lock()
-	c.netConn = nil
-	c.netConnMu.Unlock()
 }
 
 var ErrClientClosed = errors.New("derphttp.Client closed")

derp/derphttp/derphttp_server.go

@@ -5,6 +5,7 @@
 package derphttp
 
 import (
+	"log"
 	"net/http"
 
 	"tailscale.com/derp"
@@ -12,11 +13,11 @@ import (
 
 func Handler(s *derp.Server) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Header.Get("Upgrade") != "WebSocket" {
+		if p := r.Header.Get("Upgrade"); p != "WebSocket" && p != "DERP" {
 			http.Error(w, "DERP requires connection upgrade", http.StatusUpgradeRequired)
 			return
 		}
-		w.Header().Set("Upgrade", "WebSocket")
+		w.Header().Set("Upgrade", "DERP")
 		w.Header().Set("Connection", "Upgrade")
 		w.WriteHeader(http.StatusSwitchingProtocols)
 
@@ -27,9 +28,10 @@ func Handler(s *derp.Server) http.Handler {
 		}
 		netConn, conn, err := h.Hijack()
 		if err != nil {
+			log.Printf("Hijack failed: %v", err)
 			http.Error(w, "HTTP does not support general TCP support", 500)
 			return
 		}
-		s.Accept(netConn, conn)
+		s.Accept(netConn, conn, netConn.RemoteAddr().String())
 	})
 }

derp/derphttp/derphttp_test.go

@@ -5,7 +5,8 @@
 package derphttp
 
 import (
-	"crypto/rand"
+	"context"
+	crand "crypto/rand"
 	"crypto/tls"
 	"net"
 	"net/http"
@@ -13,29 +14,27 @@ import (
 	"testing"
 	"time"
 
-	"golang.org/x/crypto/curve25519"
 	"tailscale.com/derp"
+	"tailscale.com/types/key"
 )
 
 func TestSendRecv(t *testing.T) {
 	const numClients = 3
-	var serverPrivateKey [32]byte
-	if _, err := rand.Read(serverPrivateKey[:]); err != nil {
+	var serverPrivateKey key.Private
+	if _, err := crand.Read(serverPrivateKey[:]); err != nil {
 		t.Fatal(err)
 	}
-	var clientPrivateKeys [][32]byte
+	var clientPrivateKeys []key.Private
 	for i := 0; i < numClients; i++ {
-		var key [32]byte
-		if _, err := rand.Read(key[:]); err != nil {
+		var key key.Private
+		if _, err := crand.Read(key[:]); err != nil {
 			t.Fatal(err)
 		}
 		clientPrivateKeys = append(clientPrivateKeys, key)
 	}
-	var clientKeys [][32]byte
+	var clientKeys []key.Public
 	for _, privKey := range clientPrivateKeys {
-		var key [32]byte
-		curve25519.ScalarBaseMult(&key, &privKey)
-		clientKeys = append(clientKeys, key)
+		clientKeys = append(clientKeys, privKey.Public())
 	}
 
 	s := derp.NewServer(serverPrivateKey, t.Logf)
@@ -79,6 +78,9 @@ func TestSendRecv(t *testing.T) {
 		if err != nil {
 			t.Fatalf("client %d: %v", i, err)
 		}
+		if err := c.Connect(context.Background()); err != nil {
+			t.Fatalf("client %d Connect: %v", i, err)
+		}
 		clients = append(clients, c)
 		recvChs = append(recvChs, make(chan []byte))
 
@@ -91,14 +93,20 @@ func TestSendRecv(t *testing.T) {
 					return
 				default:
 				}
-				b := make([]byte, 1<<16)
-				n, err := c.Recv(b)
+				m, err := c.Recv()
 				if err != nil {
 					t.Logf("client%d: %v", i, err)
 					break
 				}
-				b = b[:n]
-				recvChs[i] <- b
+				switch m := m.(type) {
+				default:
+					t.Errorf("unexpected message type %T", m)
+					continue
+				case derp.PeerGoneMessage:
+					// Ignore.
+				case derp.ReceivedPacket:
+					recvChs[i] <- append([]byte(nil), m.Data...)
+				}
 			}
 		}(i)
 	}

derp/derphttp/mesh_client.go

@@ -0,0 +1,122 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package derphttp
+
+import (
+	"sync"
+	"time"
+
+	"tailscale.com/derp"
+	"tailscale.com/types/key"
+)
+
+// RunWatchConnectionLoop loops forever, sending WatchConnectionChanges and subscribing to
+// connection changes.
+//
+// If the server's public key is ignoreServerKey, RunWatchConnectionLoop returns.
+//
+// Otherwise, the add and remove funcs are called as clients come & go.
+func (c *Client) RunWatchConnectionLoop(ignoreServerKey key.Public, add, remove func(key.Public)) {
+	logf := c.logf
+	const retryInterval = 5 * time.Second
+	const statusInterval = 10 * time.Second
+	var (
+		mu              sync.Mutex
+		present         = map[key.Public]bool{}
+		loggedConnected = false
+	)
+	clear := func() {
+		mu.Lock()
+		defer mu.Unlock()
+		if len(present) == 0 {
+			return
+		}
+		logf("reconnected; clearing %d forwarding mappings", len(present))
+		for k := range present {
+			remove(k)
+		}
+		present = map[key.Public]bool{}
+	}
+	lastConnGen := 0
+	lastStatus := time.Now()
+	logConnectedLocked := func() {
+		if loggedConnected {
+			return
+		}
+		logf("connected; %d peers", len(present))
+		loggedConnected = true
+	}
+
+	const logConnectedDelay = 200 * time.Millisecond
+	timer := time.AfterFunc(2*time.Second, func() {
+		mu.Lock()
+		defer mu.Unlock()
+		logConnectedLocked()
+	})
+	defer timer.Stop()
+
+	updatePeer := func(k key.Public, isPresent bool) {
+		if isPresent {
+			add(k)
+		} else {
+			remove(k)
+		}
+
+		mu.Lock()
+		defer mu.Unlock()
+		if isPresent {
+			present[k] = true
+			if !loggedConnected {
+				timer.Reset(logConnectedDelay)
+			}
+		} else {
+			// If we got a peerGone message, that means the initial connection's
+			// flood of peerPresent messages is done, so we can log already:
+			logConnectedLocked()
+			delete(present, k)
+		}
+	}
+
+	for {
+		err := c.WatchConnectionChanges()
+		if err != nil {
+			clear()
+			logf("WatchConnectionChanges: %v", err)
+			time.Sleep(retryInterval)
+			continue
+		}
+
+		if c.ServerPublicKey() == ignoreServerKey {
+			logf("detected self-connect; ignoring host")
+			return
+		}
+		for {
+			m, connGen, err := c.RecvDetail()
+			if err != nil {
+				clear()
+				logf("Recv: %v", err)
+				time.Sleep(retryInterval)
+				break
+			}
+			if connGen != lastConnGen {
+				lastConnGen = connGen
+				clear()
+			}
+			switch m := m.(type) {
+			case derp.PeerPresentMessage:
+				updatePeer(key.Public(m), true)
+			case derp.PeerGoneMessage:
+				updatePeer(key.Public(m), false)
+			default:
+				continue
+			}
+			if now := time.Now(); now.Sub(lastStatus) > statusInterval {
+				lastStatus = now
+				logf("%d peers", len(present))
+			}
+		}
+	}
+
+}

derp/derpmap/derpmap.go

@@ -0,0 +1,65 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package derpmap contains information about Tailscale.com's production DERP nodes.
+package derpmap
+
+import (
+	"fmt"
+	"strings"
+
+	"tailscale.com/tailcfg"
+)
+
+func derpNode(suffix, v4, v6 string) *tailcfg.DERPNode {
+	return &tailcfg.DERPNode{
+		Name:     suffix, // updated later
+		RegionID: 0,      // updated later
+		IPv4:     v4,
+		IPv6:     v6,
+	}
+}
+
+func derpRegion(id int, code string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRegion {
+	region := &tailcfg.DERPRegion{
+		RegionID:   id,
+		RegionCode: code,
+		Nodes:      nodes,
+	}
+	for _, n := range nodes {
+		n.Name = fmt.Sprintf("%d%s", id, n.Name)
+		n.RegionID = id
+		n.HostName = fmt.Sprintf("derp%s.tailscale.com", strings.TrimSuffix(n.Name, "a"))
+	}
+	return region
+}
+
+// Prod returns Tailscale's map of relay servers.
+//
+// This list is only used by cmd/tailscale's netcheck subcommand. In
+// normal operation the Tailscale nodes get this sent to them from the
+// control server.
+//
+// This list is subject to change and should not be relied on.
+func Prod() *tailcfg.DERPMap {
+	return &tailcfg.DERPMap{
+		Regions: map[int]*tailcfg.DERPRegion{
+			1: derpRegion(1, "nyc",
+				derpNode("a", "159.89.225.99", "2604:a880:400:d1::828:b001"),
+			),
+			2: derpRegion(2, "sfo",
+				derpNode("a", "167.172.206.31", "2604:a880:2:d1::c5:7001"),
+			),
+			3: derpRegion(3, "sin",
+				derpNode("a", "68.183.179.66", "2400:6180:0:d1::67d:8001"),
+			),
+			4: derpRegion(4, "fra",
+				derpNode("a", "167.172.182.26", "2a03:b0c0:3:e0::36e:9001"),
+			),
+			5: derpRegion(5, "syd",
+				derpNode("a", "103.43.75.49", "2001:19f0:5801:10b7:5400:2ff:feaa:284c"),
+			),
+		},
+	}
+}

derp/doc.go

@@ -1,13 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package derp implements DERP, the Detour Encrypted Routing Protocol.
-//
-// DERP routes packets to clients using curve25519 keys as addresses.
-//
-// DERP is used by Tailscale nodes to proxy encrypted WireGuard
-// packets through the Tailscale cloud servers when a direct path
-// cannot be found or opened. DERP is a last resort. Both sides
-// between very aggressive NATs, firewalls, no IPv6, etc? Well, DERP.
-package derp

disco/disco.go

@@ -0,0 +1,179 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package disco contains the discovery message types.
+//
+// A discovery message is:
+//
+// Header:
+//     magic          [6]byte  // “TS💬” (0x54 53 f0 9f 92 ac)
+//     senderDiscoPub [32]byte // nacl public key
+//     nonce          [24]byte
+//
+// The recipient then decrypts the bytes following (the nacl secretbox)
+// and then the inner payload structure is:
+//
+//     messageType    byte  (the MessageType constants below)
+//     messageVersion byte  (0 for now; but always ignore bytes at the end)
+//     message-paylod [...]byte
+package disco
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"net"
+
+	"inet.af/netaddr"
+)
+
+// Magic is the 6 byte header of all discovery messages.
+const Magic = "TS💬" // 6 bytes: 0x54 53 f0 9f 92 ac
+
+const keyLen = 32
+
+// NonceLen is the length of the nonces used by nacl secretboxes.
+const NonceLen = 24
+
+type MessageType byte
+
+const (
+	TypePing        = MessageType(0x01)
+	TypePong        = MessageType(0x02)
+	TypeCallMeMaybe = MessageType(0x03)
+)
+
+const v0 = byte(0)
+
+var errShort = errors.New("short message")
+
+// LooksLikeDiscoWrapper reports whether p looks like it's a packet
+// containing an encrypted disco message.
+func LooksLikeDiscoWrapper(p []byte) bool {
+	if len(p) < len(Magic)+keyLen+NonceLen {
+		return false
+	}
+	return string(p[:len(Magic)]) == Magic
+}
+
+// Parse parses the encrypted part of the message from inside the
+// nacl secretbox.
+func Parse(p []byte) (Message, error) {
+	if len(p) < 2 {
+		return nil, errShort
+	}
+	t, ver, p := MessageType(p[0]), p[1], p[2:]
+	switch t {
+	case TypePing:
+		return parsePing(ver, p)
+	case TypePong:
+		return parsePong(ver, p)
+	case TypeCallMeMaybe:
+		return CallMeMaybe{}, nil
+	default:
+		return nil, fmt.Errorf("unknown message type 0x%02x", byte(t))
+	}
+}
+
+// Message a discovery message.
+type Message interface {
+	// AppendMarshal appends the message's marshaled representation.
+	AppendMarshal([]byte) []byte
+}
+
+// appendMsgHeader appends two bytes (for t and ver) and then also
+// dataLen bytes to b, returning the appended slice in all. The
+// returned data slice is a subslice of all with just dataLen bytes of
+// where the caller will fill in the data.
+func appendMsgHeader(b []byte, t MessageType, ver uint8, dataLen int) (all, data []byte) {
+	// TODO: optimize this?
+	all = append(b, make([]byte, dataLen+2)...)
+	all[len(b)] = byte(t)
+	all[len(b)+1] = ver
+	data = all[len(b)+2:]
+	return
+}
+
+type Ping struct {
+	TxID [12]byte
+}
+
+func (m *Ping) AppendMarshal(b []byte) []byte {
+	ret, d := appendMsgHeader(b, TypePing, v0, 12)
+	copy(d, m.TxID[:])
+	return ret
+}
+
+func parsePing(ver uint8, p []byte) (m *Ping, err error) {
+	if len(p) < 12 {
+		return nil, errShort
+	}
+	m = new(Ping)
+	copy(m.TxID[:], p)
+	return m, nil
+}
+
+// CallMeMaybe is a message sent only over DERP to request that the recipient try
+// to open up a magicsock path back to the sender.
+//
+// The sender should've already sent UDP packets to the peer to open
+// up the stateful firewall mappings inbound.
+//
+// The recipient may choose to not open a path back, if it's already
+// happy with its path. But usually it will.
+type CallMeMaybe struct{}
+
+func (CallMeMaybe) AppendMarshal(b []byte) []byte {
+	ret, _ := appendMsgHeader(b, TypeCallMeMaybe, v0, 0)
+	return ret
+}
+
+// Pong is a response a Ping.
+//
+// It includes the sender's source IP + port, so it's effectively a
+// STUN response.
+type Pong struct {
+	TxID [12]byte
+	Src  netaddr.IPPort // 18 bytes (16+2) on the wire; v4-mapped ipv6 for IPv4
+}
+
+const pongLen = 12 + 16 + 2
+
+func (m *Pong) AppendMarshal(b []byte) []byte {
+	ret, d := appendMsgHeader(b, TypePong, v0, pongLen)
+	d = d[copy(d, m.TxID[:]):]
+	ip16 := m.Src.IP.As16()
+	d = d[copy(d, ip16[:]):]
+	binary.BigEndian.PutUint16(d, m.Src.Port)
+	return ret
+}
+
+func parsePong(ver uint8, p []byte) (m *Pong, err error) {
+	if len(p) < pongLen {
+		return nil, errShort
+	}
+	m = new(Pong)
+	copy(m.TxID[:], p)
+	p = p[12:]
+
+	m.Src.IP, _ = netaddr.FromStdIP(net.IP(p[:16]))
+	p = p[16:]
+
+	m.Src.Port = binary.BigEndian.Uint16(p)
+	return m, nil
+}
+
+// MessageSummary returns a short summary of m for logging purposes.
+func MessageSummary(m Message) string {
+	switch m := m.(type) {
+	case *Ping:
+		return fmt.Sprintf("ping tx=%x", m.TxID[:6])
+	case *Pong:
+		return fmt.Sprintf("pong tx=%x", m.TxID[:6])
+	case CallMeMaybe:
+		return "call-me-maybe"
+	default:
+		return fmt.Sprintf("%#v", m)
+	}
+}

disco/disco_test.go

@@ -0,0 +1,82 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package disco
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"testing"
+
+	"inet.af/netaddr"
+)
+
+func TestMarshalAndParse(t *testing.T) {
+	tests := []struct {
+		name string
+		want string
+		m    Message
+	}{
+		{
+			name: "ping",
+			m: &Ping{
+				TxID: [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
+			},
+			want: "01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c",
+		},
+		{
+			name: "pong",
+			m: &Pong{
+				TxID: [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
+				Src:  mustIPPort("2.3.4.5:1234"),
+			},
+			want: "02 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 00 00 00 00 00 00 00 00 00 00 ff ff 02 03 04 05 04 d2",
+		},
+		{
+			name: "pongv6",
+			m: &Pong{
+				TxID: [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
+				Src:  mustIPPort("[fed0::12]:6666"),
+			},
+			want: "02 00 01 02 03 04 05 06 07 08 09 0a 0b 0c fe d0 00 00 00 00 00 00 00 00 00 00 00 00 00 12 1a 0a",
+		},
+		{
+			name: "call_me_maybe",
+			m:    CallMeMaybe{},
+			want: "03 00",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			foo := []byte("foo")
+			got := string(tt.m.AppendMarshal(foo))
+			if !strings.HasPrefix(got, "foo") {
+				t.Fatalf("didn't start with foo: got %q", got)
+			}
+			got = strings.TrimPrefix(got, "foo")
+
+			gotHex := fmt.Sprintf("% x", got)
+			if gotHex != tt.want {
+				t.Fatalf("wrong marshal\n got: %s\nwant: %s\n", gotHex, tt.want)
+			}
+
+			back, err := Parse([]byte(got))
+			if err != nil {
+				t.Fatalf("parse back: %v", err)
+			}
+			if !reflect.DeepEqual(back, tt.m) {
+				t.Errorf("message in %+v doesn't match Parse back result %+v", tt.m, back)
+			}
+		})
+	}
+}
+
+func mustIPPort(s string) netaddr.IPPort {
+	ipp, err := netaddr.ParseIPPort(s)
+	if err != nil {
+		panic(err)
+	}
+	return ipp
+}

go.mod

@@ -1,20 +1,38 @@
 module tailscale.com
 
-go 1.13
+go 1.14
 
 require (
+	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
 	github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29
+	github.com/coreos/go-iptables v0.4.5
+	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
+	github.com/gliderlabs/ssh v0.2.2
 	github.com/go-ole/go-ole v1.2.4
+	github.com/godbus/dbus/v5 v5.0.3
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
 	github.com/google/go-cmp v0.4.0
-	github.com/klauspost/compress v1.9.8
+	github.com/goreleaser/nfpm v1.1.10
+	github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4
+	github.com/klauspost/compress v1.10.10
+	github.com/kr/pty v1.1.1
 	github.com/mdlayher/netlink v1.1.0
+	github.com/miekg/dns v1.1.30
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
-	github.com/tailscale/hujson v0.0.0-20190930033718-5098e564d9b3
-	github.com/tailscale/wireguard-go v0.0.0-20200211020303-f39bc8eeee1b
-	golang.org/x/crypto v0.0.0-20200210222208-86ce3cb69678
+	github.com/peterbourgon/ff/v2 v2.0.0
+	github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f
+	github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a
+	github.com/tcnksm/go-httpstat v0.2.0
+	github.com/toqueteos/webbrowser v1.2.0
+	go4.org/mem v0.0.0-20200706164138-185c595c3ecc
+	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
+	golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5
-	gortc.io/stun v1.22.1
-	honnef.co/go/tools v0.0.1-2019.2.3 // indirect
+	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
+	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
+	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
+	golang.org/x/tools v0.0.0-20191216052735-49a3e744a425
+	honnef.co/go/tools v0.0.1-2020.1.4
+	inet.af/netaddr v0.0.0-20200810144936-56928fe48a98
+	rsc.io/goversion v1.2.0
 )

go.sum

@@ -1,12 +1,37 @@
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Masterminds/semver/v3 v3.0.3 h1:znjIyLfpXEDQjOIEWh+ehwpTU14UzUPub3c3sm36u14=
+github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
+github.com/alecthomas/kingpin v2.2.6+incompatible h1:5svnBTFgJjZvGKyYBtMB0+m5wvrbUHiqye8wRJMlnYI=
+github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d h1:UQZhZ2O0vMHr2cI+DC1Mbh0TJxzA3RcLoMsFw+aXw7E=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
+github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29 h1:muXWUcay7DDy1/hEQWrYlBy+g0EuwT70sBHg65SeUc4=
 github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29/go.mod h1:JYWahgHer+Z2xbsgHPtaDYVWzeHDminu+YIBWkxpCAY=
 github.com/apenwarr/w32 v0.0.0-20190407065021-aa00fece76ab h1:CMGzRRCjnD50RjUFSArBLuCxiDvdp7b8YPAcikBEQ+k=
 github.com/apenwarr/w32 v0.0.0-20190407065021-aa00fece76ab/go.mod h1:nfFtvHn2Hgs9G1u0/J6LHQv//EksNC+7G8vXmd1VTJ8=
+github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4pJSv7WO+VECIWUQ7OJYSoTrMh4=
+github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
+github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
+github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
+github.com/coreos/go-iptables v0.4.5 h1:DpHb9vJrZQEFMcVLFKAAGMUVX0XoRC0ptCthinRYm38=
+github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
+github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
+github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
+github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
+github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
+github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
@@ -16,82 +41,134 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0 h1:BW6OvS3kpT5UEPbCZ+KyX/OB4Ks9/MNMhWjqPPkZxsE=
+github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg=
+github.com/goreleaser/nfpm v1.1.10 h1:0nwzKUJTcygNxTzVKq2Dh9wpVP1W2biUH6SNKmoxR3w=
+github.com/goreleaser/nfpm v1.1.10/go.mod h1:oOcoGRVwvKIODz57NUfiRwFWGfn00NXdgnn6MrYtO5k=
+github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
+github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4 h1:nwOc1YaOrYJ37sEBrtWZrdqzK22hiJs3GpDmP3sR2Yw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.9.8 h1:VMAMUUOh+gaxKTMk+zqbjsSjsIcUcL/LF4o63i82QyA=
-github.com/klauspost/compress v1.9.8/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I=
+github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/mattn/go-zglob v0.0.1 h1:xsEx/XUoVlI6yXjqBK062zYhRTZltCNmYPx6v+8DNaY=
+github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
 github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
 github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M=
 github.com/mdlayher/netlink v1.1.0 h1:mpdLgm+brq10nI9zM1BpX1kpDbh3NLl3RSnVq6ZSkfg=
 github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY=
+github.com/miekg/dns v1.1.30 h1:Qww6FseFn8PRfw07jueqIXqodm0JKiiKuK0DeXSqfyo=
+github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
+github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
+github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3 h1:YtFkrqsMEj7YqpIhRteVxJxCeC3jJBieuLr0d4C4rSA=
 github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
+github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
+github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
+github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/tailscale/hujson v0.0.0-20190930033718-5098e564d9b3 h1:rdtXEo9yffOjh4vZQJw3heaY+ggXKp+zvMX5fihh6lI=
-github.com/tailscale/hujson v0.0.0-20190930033718-5098e564d9b3/go.mod h1:STqf+YV0ADdzk4ejtXFsGqDpATP9JoL0OB+hiFQbkdE=
-github.com/tailscale/wireguard-go v0.0.0-20191108062213-b93cdd0582db h1:oP0crfwOb3WZSVrMVm/o51NXN2JirDlcdlNEIPTmgI0=
-github.com/tailscale/wireguard-go v0.0.0-20200207221558-a158079b156a h1:5TWA3nl2QUfL9OiE3tlBpqJd4GYd4hbGtDNkWQQ2fyc=
-github.com/tailscale/wireguard-go v0.0.0-20200207221558-a158079b156a/go.mod h1:QPS8HjBzzAXoQNndUNx2efJaQbCCz8nI2Cv1ksTUHyY=
-github.com/tailscale/wireguard-go v0.0.0-20200208161837-3cd0a483944a h1:vIyObUBvnXB1XTKTBM4AgoUFR9RHiz/kslGHClkXQVg=
-github.com/tailscale/wireguard-go v0.0.0-20200208161837-3cd0a483944a/go.mod h1:JPm5cTfu1K+qDFRbiHy0sOlHUylYQbpl356sdYFD8V4=
-github.com/tailscale/wireguard-go v0.0.0-20200208214841-2981baf46731 h1:sNmny/5pHqHdm081Fx8rcNFnwt0zTGuee/0+Jz+tXCA=
-github.com/tailscale/wireguard-go v0.0.0-20200208214841-2981baf46731/go.mod h1:JPm5cTfu1K+qDFRbiHy0sOlHUylYQbpl356sdYFD8V4=
-github.com/tailscale/wireguard-go v0.0.0-20200211020303-f39bc8eeee1b h1:99LOgoPy0PcmT+yg1HiPJXk/aV/KWeGGh4WtSVB7noM=
-github.com/tailscale/wireguard-go v0.0.0-20200211020303-f39bc8eeee1b/go.mod h1:JPm5cTfu1K+qDFRbiHy0sOlHUylYQbpl356sdYFD8V4=
+github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
+github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f h1:uFj5bslHsMzxIM8UTjAhq4VXeo6GfNW91rpoh/WMJaY=
+github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f/go.mod h1:x880GWw5fvrl2DVTQ04ttXQD4DuppTt1Yz6wLibbjNE=
+github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a h1:dQEgNpoOJf+8MswlvXJicb8ZDQqZAGe8f/WfzbDMvtE=
+github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
+github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
+github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
+github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
+github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
+github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8=
+github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
+go4.org/mem v0.0.0-20200706164138-185c595c3ecc h1:paujszgN6SpsO/UsXC7xax3gQAKz/XQKCYZLQdU34Tw=
+go4.org/mem v0.0.0-20200706164138-185c595c3ecc/go.mod h1:NEYvpHWemiG/E5UWfaN5QAIGZeT1sa0Z2UNk6oeMb/k=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200206161412-a0c6ece9d31a h1:aczoJ0HPNE92XKa7DrIzkNN6esOKO2TBwiiYoKcINhA=
-golang.org/x/crypto v0.0.0-20200206161412-a0c6ece9d31a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200208060501-ecb85df21340 h1:KOcEaR10tFr7gdJV2GCKw8Os5yED1u1aOqHjOAb6d2Y=
-golang.org/x/crypto v0.0.0-20200208060501-ecb85df21340/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200210222208-86ce3cb69678 h1:wCWoJcFExDgyYx2m2hpHgwz8W3+FPdfldvIgzqDIhyg=
-golang.org/x/crypto v0.0.0-20200210222208-86ce3cb69678/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79 h1:IaQbIIB2X/Mp/DKctl6ROxz1KyMlKp4uyvL6+kQ7C88=
+golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191003171128-d98b1b443823/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5 h1:WQ8q63x+f/zpC8Ac1s9wLElVoHhm32p6tudrU72n1QA=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190310054646-10058d7d4faa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191003212358-c178f38b412c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac h1:MQEvx39qSf8vyrx3XRaOe+j1UDIzKwkYOVObRgGPVqI=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d h1:/iIZNFGxc/a7C3yWjGcnboV+Tkc7mxr+p6fDztwoxuM=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216052735-49a3e744a425 h1:VvQyQJN0tSuecqgcIxMWnnfG5kSmgy9KZR9sW3W5QeA=
+golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wireguard v0.0.20200121 h1:vcswa5Q6f+sylDfjqyrVNNrjsFUUbPsgAQTBCAg/Qf8=
-golang.zx2c4.com/wireguard v0.0.20200121/go.mod h1:P2HsVp8SKwZEufsnezXZA4GRX/T49/HlU7DGuelXsU4=
 google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gortc.io/stun v1.22.1 h1:96mOdDATYRqhYB+TZdenWBg4CzL2Ye5kPyBXQ8KAB+8=
-gortc.io/stun v1.22.1/go.mod h1:XD5lpONVyjvV3BgOyJFNo0iv6R2oZB4L+weMqxts+zg=
-honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
+gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c h1:si3Owrfem175Ry6gKqnh59eOXxDojyBTIHxUKuvK/Eo=
+inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
+inet.af/netaddr v0.0.0-20200810144936-56928fe48a98 h1:bWyWDZP0l6VnQ1TDKf6yNwuiEDV6Q3q1Mv34m+lzT1I=
+inet.af/netaddr v0.0.0-20200810144936-56928fe48a98/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
+rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
+rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=