net/dnsfallback: update derp11a record

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
net/dns/resolver: make hasRDNSBonjourPrefix match shorter queries too
2021-10-14 12:38:05 -07:00 · 2021-10-13 15:49:45 -07:00 · 2021-10-13 17:55:14 -04:00 · 2021-10-13 14:52:50 -07:00 · 2021-10-13 17:34:23 -04:00 · 2021-10-13 15:34:44 -04:00
134 changed files with 3432 additions and 552 deletions
--- a/.bencher/config.yaml
+++ b/.bencher/config.yaml
@@ -0,0 +1 @@
+suppress_failure_on_regression: true
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,8 +0,0 @@
---
-name: Bug report
-about: Create a bug report
-title: ''
-labels: 'needs-triage'
-assignees: ''
-
---
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,74 @@
+name: Bug report
+description: File a bug report
+labels: [needs-triage, bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues).
+        Have an urgent issue? Let us know by emailing us at <support@tailscale.com>.
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What is the issue?
+      description: What happened? What did you expect to happen?
+      placeholder: oh no
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: What are the steps you took that hit this issue?
+    validations:
+      required: false
+  - type: textarea
+    id: changes
+    attributes:
+      label: Are there any recent changes that introduced the issue?
+      description: If so, what are those changes?
+    validations:
+      required: false
+  - type: dropdown
+    id: os
+    attributes:
+      label: OS
+      description: What OS are you using? You may select more than one.
+      multiple: true
+      options:
+        - Linux
+        - macOS
+        - Windows
+        - iOS
+        - Android
+        - Other
+    validations:
+      required: false
+  - type: input
+    id: os-version
+    attributes:
+      label: OS version
+      description: What OS version are you using?
+      placeholder: e.g., Debian 11.0, macOS Big Sur 11.6
+    validations:
+      required: false
+  - type: input
+    id: ts-version
+    attributes:
+      label: Tailscale version
+      description: What Tailscale version are you using?
+      placeholder: e.g., 1.14.4
+    validations:
+      required: false
+  - type: input
+    id: bug-report
+    attributes:
+      label: Bug report
+      description: Please run [`tailscale bugreport`](https://tailscale.com/kb/1080/cli/?q=Cli#bugreport) and share the bug identifier. The identifier is a random string which allows Tailscale support to locate your account and gives a point to focus on when looking for errors.
+      placeholder: e.g., BUG-1b7641a16971a9cd75822c0ed8043fee70ae88cf05c52981dc220eb96a5c49a8-20210427151443Z-fbcd4fd3a4b7ad94
+    validations:
+      required: false
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a bug report!
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,5 +1,5 @@
 blank_issues_enabled: true
 contact_links:
-  - name: Support and Product Questions
+  - name: Support requests and Troubleshooting
    url: https://tailscale.com/kb/1023/troubleshooting
-    about: Please send support questions and questions about the Tailscale product to support@tailscale.com
+    about: Troubleshoot common issues. Contact us by email at support@tailscale.com.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,7 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: 'needs-triage'
-assignees: ''
---
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,49 @@
+name: Feature request
+description: Propose a new feature
+title: "FR: "
+labels: [needs-triage, fr]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please check if your feature request is [already filed](https://github.com/tailscale/tailscale/issues).
+  - type: input
+    id: request
+    attributes:
+      label: Tell us about your idea!
+      description: What is your feature request?
+      placeholder: e.g., A pet pangolin
+    validations:
+      required: true
+  - type: textarea
+    id: problem
+    attributes:
+      label: What are you trying to do?
+      description: Tell us about the problem you're trying to solve.
+    validations:
+      required: false
+  - type: textarea
+    id: solution
+    attributes:
+      label: How should we solve this?
+      description: If you have an idea of how you'd like to see this feature work, let us know.
+    validations:
+      required: false
+  - type: textarea
+    id: alternative
+    attributes:
+      label: What is the impact of not solving this?
+      description: (How) Are you currently working around the issue?
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Anything else?
+      description: Any additional context to share, e.g., links
+    validations:
+      required: false
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a feature request!
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+# Documentation for this file can be found at:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "go.mod:"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: ".github:"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main, release-branch/* ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '31 14 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17

--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -15,7 +15,7 @@ jobs:

    steps:
      - name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v2.1.4
        with:
          go-version: 1.17

--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17

--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17
      id: go
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17

--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17.x

--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

    - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v2.1.4
      with:
        go-version: 1.17.x

--- a/18
+++ b/18
@@ -4,17 +4,11 @@

 ############################################################################
 #
-# WARNING: Tailscale is not yet officially supported in Docker,
-# Kubernetes, etc.
+# WARNING: Tailscale is not yet officially supported in container
+# environments, such as Docker and Kubernetes. Though it should work, we
+# don't regularly test it, and we know there are some feature limitations.
 #
-# It might work, but we don't regularly test it, and it's not as polished as
-# our currently supported platforms. This is provided for people who know
-# how Tailscale works and what they're doing.
-#
-# Our tracking bug for officially support container use cases is:
-#    https://github.com/tailscale/tailscale/issues/504
-#
-# Also, see the various bugs tagged "containers":
+# See current bugs tagged "containers":
 #    https://github.com/tailscale/tailscale/labels/containers
 #
 ############################################################################
@@ -59,8 +53,8 @@ RUN go install -tags=xversion -ldflags="\
      -X tailscale.com/version.Long=$VERSION_LONG \
      -X tailscale.com/version.Short=$VERSION_SHORT \
      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
-      -v ./cmd/...
+      -v ./cmd/tailscale ./cmd/tailscaled

 FROM alpine:3.14
-RUN apk add --no-cache ca-certificates iptables iproute2
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
 COPY --from=build-env /go/bin/* /usr/local/bin/
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.15.0
+1.17.0
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -8,17 +8,11 @@
 #
 ############################################################################
 #
-# WARNING: Tailscale is not yet officially supported in Docker,
-# Kubernetes, etc.
+# WARNING: Tailscale is not yet officially supported in container
+# environments, such as Docker and Kubernetes. Though it should work, we
+# don't regularly test it, and we know there are some feature limitations.
 #
-# It might work, but we don't regularly test it, and it's not as polished as
-# our currently supported platforms. This is provided for people who know
-# how Tailscale works and what they're doing.
-#
-# Our tracking bug for officially support container use cases is:
-#    https://github.com/tailscale/tailscale/issues/504
-#
-# Also, see the various bugs tagged "containers":
+# See current bugs tagged "containers":
 #    https://github.com/tailscale/tailscale/labels/containers
 #
 ############################################################################
@@ -31,4 +25,4 @@ docker build \
  --build-arg VERSION_LONG=$VERSION_LONG \
  --build-arg VERSION_SHORT=$VERSION_SHORT \
  --build-arg VERSION_GIT_HASH=$VERSION_GIT_HASH \
-  -t tailscale:tailscale .
+  -t tailscale:$VERSION_SHORT -t tailscale:latest .
--- a/client/tailscale/example/servetls/servetls.go
+++ b/client/tailscale/example/servetls/servetls.go
@@ -0,0 +1,29 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The servetls program shows how to run an HTTPS server
+// using a Tailscale cert via LetsEncrypt.
+package main
+
+import (
+	"crypto/tls"
+	"io"
+	"log"
+	"net/http"
+
+	"tailscale.com/client/tailscale"
+)
+
+func main() {
+	s := &http.Server{
+		TLSConfig: &tls.Config{
+			GetCertificate: tailscale.GetCertificate,
+		},
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")
+		}),
+	}
+	log.Printf("Running TLS server on :443 ...")
+	log.Fatal(s.ListenAndServeTLS("", ""))
+}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -21,6 +21,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"sync"
 	"time"

 	"go4.org/mem"
@@ -33,30 +34,39 @@ import (
 	"tailscale.com/version"
 )

-// TailscaledSocket is the tailscaled Unix socket.
-var TailscaledSocket = paths.DefaultTailscaledSocket()
+var (
+	// TailscaledSocket is the tailscaled Unix socket. It's used by the TailscaledDialer.
+	TailscaledSocket = paths.DefaultTailscaledSocket()

-// tsClient does HTTP requests to the local Tailscale daemon.
-var tsClient = &http.Client{
-	Transport: &http.Transport{
-		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			if addr != "local-tailscaled.sock:80" {
-				return nil, fmt.Errorf("unexpected URL address %q", addr)
-			}
-			if TailscaledSocket == paths.DefaultTailscaledSocket() {
-				// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
-				// a TCP server on a random port, find the random port. For HTTP connections,
-				// we don't send the token. It gets added in an HTTP Basic-Auth header.
-				if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
-					var d net.Dialer
-					return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
-				}
-			}
-			return safesocket.Connect(TailscaledSocket, 41112)
-		},
-	},
+	// TailscaledDialer is the DialContext func that connects to the local machine's
+	// tailscaled or equivalent.
+	TailscaledDialer = defaultDialer
+)
+
+func defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
+	if addr != "local-tailscaled.sock:80" {
+		return nil, fmt.Errorf("unexpected URL address %q", addr)
+	}
+	if TailscaledSocket == paths.DefaultTailscaledSocket() {
+		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
+		// a TCP server on a random port, find the random port. For HTTP connections,
+		// we don't send the token. It gets added in an HTTP Basic-Auth header.
+		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
+			var d net.Dialer
+			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
+		}
+	}
+	return safesocket.Connect(TailscaledSocket, 41112)
 }

+var (
+	// tsClient does HTTP requests to the local Tailscale daemon.
+	// We lazily initialize the client in case the caller wants to
+	// override TailscaledDialer.
+	tsClient     *http.Client
+	tsClientOnce sync.Once
+)
+
 // DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
 //
 // URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
@@ -67,6 +77,13 @@ var tsClient = &http.Client{
 //
 // DoLocalRequest may mutate the request to add Authorization headers.
 func DoLocalRequest(req *http.Request) (*http.Response, error) {
+	tsClientOnce.Do(func() {
+		tsClient = &http.Client{
+			Transport: &http.Transport{
+				DialContext: TailscaledDialer,
+			},
+		}
+	})
 	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
 		req.SetBasicAuth("", token)
 	}
@@ -77,6 +94,20 @@ type errorJSON struct {
 	Error string
 }

+// AccessDeniedError is an error due to permissions.
+type AccessDeniedError struct {
+	err error
+}
+
+func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
+func (e *AccessDeniedError) Unwrap() error { return e.err }
+
+// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
+func IsAccessDeniedError(err error) bool {
+	var ae *AccessDeniedError
+	return errors.As(err, &ae)
+}
+
 // bestError returns either err, or if body contains a valid JSON
 // object of type errorJSON, its non-empty error body.
 func bestError(err error, body []byte) error {
@@ -87,6 +118,14 @@ func bestError(err error, body []byte) error {
 	return err
 }

+func errorMessageFromBody(body []byte) string {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return j.Error
+	}
+	return strings.TrimSpace(string(body))
+}
+
 var onVersionMismatch func(clientVer, serverVer string)

 // SetVersionMismatchHandler sets f as the version mismatch handler
@@ -123,6 +162,9 @@ func send(ctx context.Context, method, path string, wantStatus int, body io.Read
 		return nil, err
 	}
 	if res.StatusCode != wantStatus {
+		if res.StatusCode == 403 {
+			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(slurp))}
+		}
 		err := fmt.Errorf("HTTP %s: %s (expected %v)", res.Status, slurp, wantStatus)
 		return nil, bestError(err, slurp)
 	}
@@ -154,6 +196,18 @@ func Goroutines(ctx context.Context) ([]byte, error) {
 	return get200(ctx, "/localapi/v0/goroutines")
 }

+// Profile returns a pprof profile of the Tailscale daemon.
+func Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
+	var secArg string
+	if sec < 0 || sec > 300 {
+		return nil, errors.New("duration out of range")
+	}
+	if sec != 0 || pprofType == "profile" {
+		secArg = fmt.Sprint(sec)
+	}
+	return get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
+}
+
 // BugReport logs and returns a log marker that can be shared by the user with support.
 func BugReport(ctx context.Context, note string) (string, error) {
 	body, err := send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -15,6 +15,7 @@ import (
 	"html"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"sort"
 	"sync"
@@ -22,6 +23,7 @@ import (

 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/net/stun"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
@@ -67,22 +69,27 @@ func getOverallStatus() (o overallStatus) {
 	if age := now.Sub(lastDERPMapAt); age > time.Minute {
 		o.addBadf("DERPMap hasn't been successfully refreshed in %v", age.Round(time.Second))
 	}
+
+	addPairMeta := func(pair nodePair) {
+		st, ok := state[pair]
+		age := now.Sub(st.at).Round(time.Second)
+		switch {
+		case !ok:
+			o.addBadf("no state for %v", pair)
+		case st.err != nil:
+			o.addBadf("%v: %v", pair, st.err)
+		case age > 90*time.Second:
+			o.addBadf("%v: update is %v old", pair, age)
+		default:
+			o.addGoodf("%v: %v, %v ago", pair, st.latency.Round(time.Millisecond), age)
+		}
+	}
+
 	for _, reg := range sortedRegions(lastDERPMap) {
 		for _, from := range reg.Nodes {
+			addPairMeta(nodePair{"UDP", from.Name})
 			for _, to := range reg.Nodes {
-				pair := nodePair{from.Name, to.Name}
-				st, ok := state[pair]
-				age := now.Sub(st.at).Round(time.Second)
-				switch {
-				case !ok:
-					o.addBadf("no state for %v", pair)
-				case st.err != nil:
-					o.addBadf("%v: %v", pair, st.err)
-				case age > 90*time.Second:
-					o.addBadf("%v: update is %v old", pair, age)
-				default:
-					o.addGoodf("%v: %v, %v ago", pair, st.latency.Round(time.Millisecond), age)
-				}
+				addPairMeta(nodePair{from.Name, to.Name})
 			}
 		}
 	}
@@ -117,7 +124,8 @@ func sortedRegions(dm *tailcfg.DERPMap) []*tailcfg.DERPRegion {
 }

 type nodePair struct {
-	from, to string // DERPNode.Name
+	from string // DERPNode.Name, or "UDP" for a STUN query to 'to'
+	to   string // DERPNode.Name
 }

 func (p nodePair) String() string { return fmt.Sprintf("(%s→%s)", p.from, p.to) }
@@ -177,6 +185,8 @@ func probe() error {
 		go func() {
 			defer wg.Done()
 			for _, from := range reg.Nodes {
+				latency, err := probeUDP(ctx, dm, from)
+				setState(nodePair{"UDP", from.Name}, latency, err)
 				for _, to := range reg.Nodes {
 					latency, err := probeNodePair(ctx, dm, from, to)
 					setState(nodePair{from.Name, to.Name}, latency, err)
@@ -189,6 +199,65 @@ func probe() error {
 	return ctx.Err()
 }

+func probeUDP(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (latency time.Duration, err error) {
+	pc, err := net.ListenPacket("udp", ":0")
+	if err != nil {
+		return 0, err
+	}
+	defer pc.Close()
+	uc := pc.(*net.UDPConn)
+
+	tx := stun.NewTxID()
+	req := stun.Request(tx)
+
+	for _, ipStr := range []string{n.IPv4, n.IPv6} {
+		if ipStr == "" {
+			continue
+		}
+		port := n.STUNPort
+		if port == -1 {
+			continue
+		}
+		if port == 0 {
+			port = 3478
+		}
+		for {
+			ip := net.ParseIP(ipStr)
+			_, err := uc.WriteToUDP(req, &net.UDPAddr{IP: ip, Port: port})
+			if err != nil {
+				return 0, err
+			}
+			buf := make([]byte, 1500)
+			uc.SetReadDeadline(time.Now().Add(2 * time.Second))
+			t0 := time.Now()
+			n, _, err := uc.ReadFromUDP(buf)
+			d := time.Since(t0)
+			if err != nil {
+				if ctx.Err() != nil {
+					return 0, fmt.Errorf("timeout reading from %v: %v", ip, err)
+				}
+				if d < time.Second {
+					return 0, fmt.Errorf("error reading from %v: %v", ip, err)
+				}
+				time.Sleep(100 * time.Millisecond)
+				continue
+			}
+			txBack, _, _, err := stun.ParseResponse(buf[:n])
+			if err != nil {
+				return 0, fmt.Errorf("parsing STUN response from %v: %v", ip, err)
+			}
+			if txBack != tx {
+				return 0, fmt.Errorf("read wrong tx back from %v", ip)
+			}
+			if latency == 0 || d < latency {
+				latency = d
+			}
+			break
+		}
+	}
+	return latency, nil
+}
+
 func probeNodePair(ctx context.Context, dm *tailcfg.DERPMap, from, to *tailcfg.DERPNode) (latency time.Duration, err error) {
 	// The passed in context is a minute for the whole region. The
 	// idea is that each node pair in the region will be done
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -13,11 +13,14 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"runtime"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/atomicfile"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
+	"tailscale.com/version"
 )

 var certCmd = &ffcli.Command{
@@ -27,8 +30,8 @@ var certCmd = &ffcli.Command{
 	ShortUsage: "cert [flags] <domain>",
 	FlagSet: (func() *flag.FlagSet {
 		fs := flag.NewFlagSet("cert", flag.ExitOnError)
-		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file; defaults to DOMAIN.crt")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file; defaults to DOMAIN.key")
+		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
+		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
 		return fs
 	})(),
@@ -61,42 +64,88 @@ func runCert(ctx context.Context, args []string) error {
 	}

 	if len(args) != 1 {
-		return fmt.Errorf("Usage: tailscale cert [flags] <domain>")
+		var hint bytes.Buffer
+		if st, err := tailscale.Status(ctx); err == nil {
+			if st.BackendState != ipn.Running.String() {
+				fmt.Fprintf(&hint, "\nTailscale is not running.\n")
+			} else if len(st.CertDomains) == 0 {
+				fmt.Fprintf(&hint, "\nHTTPS cert support is not enabled/configured for your tailnet.\n")
+			} else if len(st.CertDomains) == 1 {
+				fmt.Fprintf(&hint, "\nFor domain, use %q.\n", st.CertDomains[0])
+			} else {
+				fmt.Fprintf(&hint, "\nValid domain options: %q.\n", st.CertDomains)
+			}
+		}
+		return fmt.Errorf("Usage: tailscale cert [flags] <domain>%s", hint.Bytes())
 	}
 	domain := args[0]

-	if certArgs.certFile == "" {
-		certArgs.certFile = domain + ".crt"
+	printf := func(format string, a ...interface{}) {
+		fmt.Printf(format, a...)
 	}
-	if certArgs.keyFile == "" {
+	if certArgs.certFile == "-" || certArgs.keyFile == "-" {
+		printf = log.Printf
+		log.SetFlags(0)
+	}
+	if certArgs.certFile == "" && certArgs.keyFile == "" {
+		certArgs.certFile = domain + ".crt"
 		certArgs.keyFile = domain + ".key"
 	}
 	certPEM, keyPEM, err := tailscale.CertPair(ctx, domain)
+	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
+		return fmt.Errorf("%v\n\nUse 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root.", err)
+	}
 	if err != nil {
 		return err
 	}
-	certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)
-	if err != nil {
-		return err
+	needMacWarning := version.IsSandboxedMacOS()
+	macWarn := func() {
+		if !needMacWarning {
+			return
+		}
+		needMacWarning = false
+		dir := "io.tailscale.ipn.macos"
+		if version.IsMacSysExt() {
+			dir = "io.tailscale.ipn.macsys"
+		}
+		printf("Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s\n", dir)
 	}
-	if certChanged {
-		fmt.Printf("Wrote public cert to %v\n", certArgs.certFile)
-	} else {
-		fmt.Printf("Public cert unchanged at %v\n", certArgs.certFile)
+	if certArgs.certFile != "" {
+		certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)
+		if err != nil {
+			return err
+		}
+		if certArgs.certFile != "-" {
+			macWarn()
+			if certChanged {
+				printf("Wrote public cert to %v\n", certArgs.certFile)
+			} else {
+				printf("Public cert unchanged at %v\n", certArgs.certFile)
+			}
+		}
 	}
-	keyChanged, err := writeIfChanged(certArgs.keyFile, keyPEM, 0600)
-	if err != nil {
-		return err
-	}
-	if keyChanged {
-		fmt.Printf("Wrote private key to %v\n", certArgs.keyFile)
-	} else {
-		fmt.Printf("Private key unchanged at %v\n", certArgs.keyFile)
+	if certArgs.keyFile != "" {
+		keyChanged, err := writeIfChanged(certArgs.keyFile, keyPEM, 0600)
+		if err != nil {
+			return err
+		}
+		if certArgs.keyFile != "-" {
+			macWarn()
+			if keyChanged {
+				printf("Wrote private key to %v\n", certArgs.keyFile)
+			} else {
+				printf("Private key unchanged at %v\n", certArgs.keyFile)
+			}
+		}
 	}
 	return nil
 }

 func writeIfChanged(filename string, contents []byte, mode os.FileMode) (changed bool, err error) {
+	if filename == "-" {
+		os.Stdout.Write(contents)
+		return false, nil
+	}
 	if old, err := os.ReadFile(filename); err == nil && bytes.Equal(contents, old) {
 		return false, nil
 	}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -34,13 +34,18 @@ var debugCmd = &ffcli.Command{
 		fs.BoolVar(&debugArgs.derpMap, "derp", false, "If true, dump DERP map")
 		fs.BoolVar(&debugArgs.pretty, "pretty", false, "If true, pretty-print output (for --prefs)")
 		fs.BoolVar(&debugArgs.netMap, "netmap", true, "whether to include netmap in --ipn mode")
+		fs.BoolVar(&debugArgs.env, "env", false, "dump environment")
 		fs.BoolVar(&debugArgs.localCreds, "local-creds", false, "print how to connect to local tailscaled")
 		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
+		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-sec seconds and write it to this file; - for stdout")
+		fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
+		fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
 		return fs
 	})(),
 }

 var debugArgs struct {
+	env        bool
 	localCreds bool
 	goroutines bool
 	ipn        bool
@@ -49,12 +54,39 @@ var debugArgs struct {
 	file       string
 	prefs      bool
 	pretty     bool
+	cpuSec     int
+	cpuFile    string
+	memFile    string
+}
+
+func writeProfile(dst string, v []byte) error {
+	if dst == "-" {
+		_, err := os.Stdout.Write(v)
+		return err
+	}
+	return os.WriteFile(dst, v, 0600)
+}
+
+func outName(dst string) string {
+	if dst == "-" {
+		return "stdout"
+	}
+	if runtime.GOOS == "darwin" {
+		return fmt.Sprintf("%s (warning: sandboxed macOS binaries write to Library/Containers; use - to write to stdout and redirect to file instead)", dst)
+	}
+	return dst
 }

 func runDebug(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unknown arguments")
 	}
+	if debugArgs.env {
+		for _, e := range os.Environ() {
+			fmt.Println(e)
+		}
+		return nil
+	}
 	if debugArgs.localCreds {
 		port, token, err := safesocket.LocalTCPPortAndToken()
 		if err == nil {
@@ -68,6 +100,28 @@ func runDebug(ctx context.Context, args []string) error {
 		fmt.Printf("curl --unix-socket %s http://foo/localapi/v0/status\n", paths.DefaultTailscaledSocket())
 		return nil
 	}
+	if out := debugArgs.cpuFile; out != "" {
+		log.Printf("Capturing CPU profile for %v seconds ...", debugArgs.cpuSec)
+		if v, err := tailscale.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
+			return err
+		} else {
+			if err := writeProfile(out, v); err != nil {
+				return err
+			}
+			log.Printf("CPU profile written to %s", outName(out))
+		}
+	}
+	if out := debugArgs.memFile; out != "" {
+		log.Printf("Capturing memory profile ...")
+		if v, err := tailscale.Profile(ctx, "heap", 0); err != nil {
+			return err
+		} else {
+			if err := writeProfile(out, v); err != nil {
+				return err
+			}
+			log.Printf("Memory profile written to %s", outName(out))
+		}
+	}
 	if debugArgs.prefs {
 		prefs, err := tailscale.GetPrefs(ctx)
 		if err != nil {
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -64,7 +64,11 @@ func runNetcheck(ctx context.Context, args []string) error {
 	}

 	dm, err := tailscale.CurrentDERPMap(ctx)
-	if err != nil {
+	noRegions := dm != nil && len(dm.Regions) == 0
+	if noRegions {
+		log.Printf("No DERP map from tailscaled; using default.")
+	}
+	if err != nil || noRegions {
 		dm, err = prodDERPMap(ctx, http.DefaultClient)
 		if err != nil {
 			return err
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"log"
 	"os"
 	"reflect"
 	"runtime"
@@ -18,6 +19,7 @@ import (

 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
+	qrcode "github.com/skip2/go-qrcode"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
@@ -63,6 +65,7 @@ var upFlagSet = newUpFlagSet(effectiveGOOS(), &upArgs)
 func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf := flag.NewFlagSet("up", flag.ExitOnError)

+	upf.BoolVar(&upArgs.qr, "qr", false, "show QR code for login URLs")
 	upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
 	upf.BoolVar(&upArgs.reset, "reset", false, "reset unspecified settings to their default values")

@@ -74,7 +77,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
 	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
 	upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "comma-separated ACL tags to request; each must start with \"tag:\" (e.g. \"tag:eng,tag:montreal,tag:ssh\")")
-	upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key")
+	upf.StringVar(&upArgs.authKeyOrFile, "authkey", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
 	upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
 	upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\") or empty string to not advertise routes")
 	upf.BoolVar(&upArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
@@ -99,6 +102,7 @@ func defaultNetfilterMode() string {
 }

 type upArgsT struct {
+	qr                     bool
 	reset                  bool
 	server                 string
 	acceptRoutes           bool
@@ -114,11 +118,24 @@ type upArgsT struct {
 	advertiseTags          string
 	snat                   bool
 	netfilterMode          string
-	authKey                string
+	authKeyOrFile          string // "secret" or "file:/path/to/secret"
 	hostname               string
 	opUser                 string
 }

+func (a upArgsT) getAuthKey() (string, error) {
+	v := a.authKeyOrFile
+	if strings.HasPrefix(v, "file:") {
+		file := strings.TrimPrefix(v, "file:")
+		b, err := os.ReadFile(file)
+		if err != nil {
+			return "", err
+		}
+		return strings.TrimSpace(string(b)), nil
+	}
+	return v, nil
+}
+
 var upArgs upArgsT

 func warnf(format string, args ...interface{}) {
@@ -130,17 +147,11 @@ var (
 	ipv6default = netaddr.MustParseIPPrefix("::/0")
 )

-// prefsFromUpArgs returns the ipn.Prefs for the provided args.
-//
-// Note that the parameters upArgs and warnf are named intentionally
-// to shadow the globals to prevent accidental misuse of them. This
-// function exists for testing and should have no side effects or
-// outside interactions (e.g. no making Tailscale local API calls).
-func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goos string) (*ipn.Prefs, error) {
+func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netaddr.IPPrefix, error) {
 	routeMap := map[netaddr.IPPrefix]bool{}
-	var default4, default6 bool
-	if upArgs.advertiseRoutes != "" {
-		advroutes := strings.Split(upArgs.advertiseRoutes, ",")
+	if advertiseRoutes != "" {
+		var default4, default6 bool
+		advroutes := strings.Split(advertiseRoutes, ",")
 		for _, s := range advroutes {
 			ipp, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
@@ -162,7 +173,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv6default, ipv4default)
 		}
 	}
-	if upArgs.advertiseDefaultRoute {
+	if advertiseDefaultRoute {
 		routeMap[netaddr.MustParseIPPrefix("0.0.0.0/0")] = true
 		routeMap[netaddr.MustParseIPPrefix("::/0")] = true
 	}
@@ -176,6 +187,20 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		}
 		return routes[i].IP().Less(routes[j].IP())
 	})
+	return routes, nil
+}
+
+// prefsFromUpArgs returns the ipn.Prefs for the provided args.
+//
+// Note that the parameters upArgs and warnf are named intentionally
+// to shadow the globals to prevent accidental misuse of them. This
+// function exists for testing and should have no side effects or
+// outside interactions (e.g. no making Tailscale local API calls).
+func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goos string) (*ipn.Prefs, error) {
+	routes, err := calcAdvertiseRoutes(upArgs.advertiseRoutes, upArgs.advertiseDefaultRoute)
+	if err != nil {
+		return nil, err
+	}

 	var exitNodeIP netaddr.IP
 	if upArgs.exitNodeIP != "" {
@@ -280,7 +305,7 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 	justEdit := env.backendState == ipn.Running.String() &&
 		!env.upArgs.forceReauth &&
 		!env.upArgs.reset &&
-		env.upArgs.authKey == "" &&
+		env.upArgs.authKeyOrFile == "" &&
 		!controlURLChanged
 	if justEdit {
 		justEditMP = new(ipn.MaskedPrefs)
@@ -308,7 +333,7 @@ func runUp(ctx context.Context, args []string) error {
 	// printAuthURL reports whether we should print out the
 	// provided auth URL from an IPN notify.
 	printAuthURL := func(url string) bool {
-		if upArgs.authKey != "" {
+		if upArgs.authKeyOrFile != "" {
 			// Issue 1755: when using an authkey, don't
 			// show an authURL that might still be pending
 			// from a previous non-completed interactive
@@ -424,6 +449,15 @@ func runUp(ctx context.Context, args []string) error {
 		if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
 			printed = true
 			fmt.Fprintf(os.Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
+			if upArgs.qr {
+				q, err := qrcode.New(*url, qrcode.Medium)
+				if err != nil {
+					log.Printf("QR code error: %v", err)
+				} else {
+					fmt.Fprintf(os.Stderr, "%s\n", q.ToString(false))
+				}
+
+			}
 		}
 	})
 	// Wait for backend client to be connected so we know
@@ -452,9 +486,13 @@ func runUp(ctx context.Context, args []string) error {
 			return err
 		}
 	} else {
+		authKey, err := upArgs.getAuthKey()
+		if err != nil {
+			return err
+		}
 		opts := ipn.Options{
 			StateKey:    ipn.GlobalDaemonStateKey,
-			AuthKey:     upArgs.authKey,
+			AuthKey:     authKey,
 			UpdatePrefs: prefs,
 		}
 		// On Windows, we still run in mostly the "legacy" way that
@@ -547,7 +585,7 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
 // correspond to an ipn.Pref.
 func preflessFlag(flagName string) bool {
 	switch flagName {
-	case "authkey", "force-reauth", "reset":
+	case "authkey", "force-reauth", "reset", "qr":
 		return true
 	}
 	return false
--- a/cmd/tailscale/cli/web.css
+++ b/cmd/tailscale/cli/web.css
@@ -1335,3 +1335,14 @@ html {
 	border-color: #6c94ec;
 	border-color: rgba(108, 148, 236, var(--border-opacity));
 }
+
+.button-red {
+	background-color: #d04841;
+	border-color: #d04841;
+	color: #fff;
+}
+
+.button-red:enabled:hover {
+	background-color: #b22d30;
+	border-color: #b22d30;
+}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -7,23 +7,27 @@ package cli
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	_ "embed"
 	"encoding/json"
 	"encoding/xml"
 	"flag"
 	"fmt"
 	"html/template"
+	"io"
 	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"net/http/cgi"
 	"net/url"
+	"os"
 	"os/exec"
 	"runtime"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
@@ -49,11 +53,13 @@ func init() {
 }

 type tmplData struct {
-	Profile      tailcfg.UserProfile
-	SynologyUser string
-	Status       string
-	DeviceName   string
-	IP           string
+	Profile           tailcfg.UserProfile
+	SynologyUser      string
+	Status            string
+	DeviceName        string
+	IP                string
+	AdvertiseExitNode bool
+	AdvertiseRoutes   string
 }

 var webCmd = &ffcli.Command{
@@ -83,6 +89,29 @@ var webArgs struct {
 	cgi    bool
 }

+func tlsConfigFromEnvironment() *tls.Config {
+	crt := os.Getenv("TLS_CRT_PEM")
+	key := os.Getenv("TLS_KEY_PEM")
+	if crt == "" || key == "" {
+		return nil
+	}
+
+	// We support passing in the complete certificate and key from environment
+	// variables because pfSense stores its cert+key in the PHP config. We populate
+	// TLS_CRT_PEM and TLS_KEY_PEM from PHP code before starting tailscale web.
+	// These are the PEM-encoded Certificate and Private Key.
+
+	cert, err := tls.X509KeyPair([]byte(crt), []byte(key))
+	if err != nil {
+		log.Printf("tlsConfigFromEnvironment: %v", err)
+
+		// Fallback to unencrypted HTTP.
+		return nil
+	}
+
+	return &tls.Config{Certificates: []tls.Certificate{cert}}
+}
+
 func runWeb(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		log.Fatalf("too many non-flag arguments: %q", args)
@@ -96,8 +125,20 @@ func runWeb(ctx context.Context, args []string) error {
 		return nil
 	}

-	log.Printf("web server running on: %s", urlOfListenAddr(webArgs.listen))
-	return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
+	tlsConfig := tlsConfigFromEnvironment()
+	if tlsConfig != nil {
+		server := &http.Server{
+			Addr:      webArgs.listen,
+			TLSConfig: tlsConfig,
+			Handler:   http.HandlerFunc(webHandler),
+		}
+
+		log.Printf("web server runNIng on: https://%s", server.Addr)
+		return server.ListenAndServeTLS("", "")
+	} else {
+		log.Printf("web server running on: %s", urlOfListenAddr(webArgs.listen))
+		return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
+	}
 }

 // urlOfListenAddr parses a given listen address into a formatted URL
@@ -266,15 +307,45 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	if r.Method == "POST" {
+		defer r.Body.Close()
+		var postData struct {
+			AdvertiseRoutes   string
+			AdvertiseExitNode bool
+			Reauthenticate    bool
+		}
 		type mi map[string]interface{}
+		if err := json.NewDecoder(r.Body).Decode(&postData); err != nil {
+			w.WriteHeader(400)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			return
+		}
+		prefs, err := tailscale.GetPrefs(r.Context())
+		if err != nil && !postData.Reauthenticate {
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			return
+		} else {
+			routes, err := calcAdvertiseRoutes(postData.AdvertiseRoutes, postData.AdvertiseExitNode)
+			if err != nil {
+				w.WriteHeader(http.StatusInternalServerError)
+				json.NewEncoder(w).Encode(mi{"error": err.Error()})
+				return
+			}
+			prefs.AdvertiseRoutes = routes
+		}
+
 		w.Header().Set("Content-Type", "application/json")
-		url, err := tailscaleUpForceReauth(r.Context())
+		url, err := tailscaleUp(r.Context(), prefs, postData.Reauthenticate)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
-		json.NewEncoder(w).Encode(mi{"url": url})
+		if url != "" {
+			json.NewEncoder(w).Encode(mi{"url": url})
+		} else {
+			io.WriteString(w, "{}")
+		}
 		return
 	}

@@ -283,6 +354,11 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
+	prefs, err := tailscale.GetPrefs(r.Context())
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}

 	profile := st.User[st.Self.UserID]
 	deviceName := strings.Split(st.Self.DNSName, ".")[0]
@@ -292,6 +368,18 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		Status:       st.BackendState,
 		DeviceName:   deviceName,
 	}
+	exitNodeRouteV4 := netaddr.MustParseIPPrefix("0.0.0.0/0")
+	exitNodeRouteV6 := netaddr.MustParseIPPrefix("::/0")
+	for _, r := range prefs.AdvertiseRoutes {
+		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
+			data.AdvertiseExitNode = true
+		} else {
+			if data.AdvertiseRoutes != "" {
+				data.AdvertiseRoutes = ","
+			}
+			data.AdvertiseRoutes += r.String()
+		}
+	}
 	if len(st.TailscaleIPs) != 0 {
 		data.IP = st.TailscaleIPs[0].String()
 	}
@@ -305,13 +393,15 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 }

 // TODO(crawshaw): some of this is very similar to the code in 'tailscale up', can we share anything?
-func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error) {
-	prefs := ipn.NewPrefs()
-	prefs.ControlURL = ipn.DefaultControlURL
-	prefs.WantRunning = true
-	prefs.CorpDNS = true
-	prefs.AllowSingleHosts = true
-	prefs.ForceDaemon = (runtime.GOOS == "windows")
+func tailscaleUp(ctx context.Context, prefs *ipn.Prefs, forceReauth bool) (authURL string, retErr error) {
+	if prefs == nil {
+		prefs = ipn.NewPrefs()
+		prefs.ControlURL = ipn.DefaultControlURL
+		prefs.WantRunning = true
+		prefs.CorpDNS = true
+		prefs.AllowSingleHosts = true
+		prefs.ForceDaemon = (runtime.GOOS == "windows")
+	}

 	if distro.Get() == distro.Synology {
 		prefs.NetfilterMode = preftype.NetfilterOff
@@ -358,6 +448,14 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 			authURL = *url
 			cancel()
 		}
+		if !forceReauth && n.Prefs != nil {
+			p1, p2 := *n.Prefs, *prefs
+			p1.Persist = nil
+			p2.Persist = nil
+			if p1.Equals(&p2) {
+				cancel()
+			}
+		}
 	})
 	// Wait for backend client to be connected so we know
 	// we're subscribed to updates. Otherwise we can miss
@@ -375,10 +473,15 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 	bc.Start(ipn.Options{
 		StateKey: ipn.GlobalDaemonStateKey,
 	})
-	bc.StartLoginInteractive()
+	if forceReauth {
+		bc.StartLoginInteractive()
+	}

 	<-pumpCtx.Done() // wait for authURL or complete failure
 	if authURL == "" && retErr == nil {
+		if !forceReauth {
+			return "", nil // no auth URL is fine
+		}
 		retErr = pumpCtx.Err()
 	}
 	if authURL == "" && retErr == nil {
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -86,14 +86,30 @@
 	<div class="mb-4">
 		<p>You are connected! Access this device over Tailscale using the device name or IP address above.</p>
 	</div>
-	<a href="#" class="mb-4 link font-medium js-loginButton" target="_blank">Reauthenticate</a>
+	<div class="mb-4">
+	<a href="#" class="mb-4 js-advertiseExitNode">
+		{{if .AdvertiseExitNode}}
+		<button class="button button-red button-medium" id="enabled">Stop advertising Exit Node</button>
+		{{else}}
+		<button class="button button-blue button-medium" id="enabled">Advertise as Exit Node</button>
+		{{end}}
+	</a>
+	</div>
+	<div class="mb-4">
+		<a href="#" class="mb-4 link font-medium js-loginButton" target="_blank">Reauthenticate</a>
+	</div>
 	{{ end }}
 </main>
 <script>(function () {
-let loginButtons = document.querySelectorAll(".js-loginButton");
+const advertiseExitNode = {{.AdvertiseExitNode}};
 let fetchingUrl = false;
+var data = {
+	AdvertiseRoutes: "{{.AdvertiseRoutes}}",
+	AdvertiseExitNode: advertiseExitNode,
+	Reauthenticate: false
+};

-function handleClick(e) {
+function postData(e) {
 	e.preventDefault();

 	if (fetchingUrl) {
@@ -116,7 +132,8 @@ function handleClick(e) {
 		headers: {
 			"Accept": "application/json",
 			"Content-Type": "application/json",
-		}
+		},
+		body: JSON.stringify(data)
 	}).then(res => res.json()).then(res => {
 		fetchingUrl = false;
 		const err = res["error"];
@@ -134,9 +151,19 @@ function handleClick(e) {
 	});
 }

-Array.from(loginButtons).forEach(el => {
-	el.addEventListener("click", handleClick);
+Array.from(document.querySelectorAll(".js-loginButton")).forEach(el => {
+	el.addEventListener("click", function(e) {
+		data.Reauthenticate = true;
+		postData(e);
+	});
 })
+Array.from(document.querySelectorAll(".js-advertiseExitNode")).forEach(el => {
+	el.addEventListener("click", function(e) {
+		data.AdvertiseExitNode = !advertiseExitNode;
+		postData(e);
+	});
+})
+
 })();</script>
 </body>

--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -7,6 +7,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
+        github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
+        github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
+        github.com/skip2/go-qrcode/reedsolomon                       from github.com/skip2/go-qrcode
        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
        github.com/tailscale/goupnp/dcps/internetgateway2            from tailscale.com/net/portmapper
        github.com/tailscale/goupnp/httpu                            from github.com/tailscale/goupnp+
@@ -37,6 +40,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
+        tailscale.com/net/netknob                                    from tailscale.com/net/netns
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
@@ -44,7 +48,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
+     💣 tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
@@ -79,7 +83,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/derp+
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
+        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/net/dns/dnsmessage                              from net
        golang.org/x/net/http/httpguts                               from net/http+
@@ -101,8 +105,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/time/rate                                       from tailscale.com/cmd/tailscale/cli+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip
+        compress/flate                                               from compress/gzip+
        compress/gzip                                                from net/http
+        compress/zlib                                                from image/png
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
@@ -139,10 +144,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        flag                                                         from github.com/peterbourgon/ff/v3+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
+        hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
        hash/maphash                                                 from go4.org/mem
        html                                                         from tailscale.com/ipn/ipnstate+
        html/template                                                from tailscale.com/cmd/tailscale/cli
+        image                                                        from github.com/skip2/go-qrcode+
+        image/color                                                  from github.com/skip2/go-qrcode+
+        image/png                                                    from github.com/skip2/go-qrcode
        io                                                           from bufio+
        io/fs                                                        from crypto/rand+
        io/ioutil                                                    from golang.org/x/sys/cpu+
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -138,11 +138,18 @@ func getURL(ctx context.Context, urlStr string) error {
 		if err == nil && auth != "" {
 			tr.ProxyConnectHeader.Set("Proxy-Authorization", auth)
 		}
+		log.Printf("tshttpproxy.GetAuthHeader(%v) got: auth of %d bytes, err=%v", proxyURL, len(auth), err)
 		const truncLen = 20
 		if len(auth) > truncLen {
 			auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
 		}
-		log.Printf("tshttpproxy.GetAuthHeader(%v) for Proxy-Auth: = %q, %v", proxyURL, auth, err)
+		if auth != "" {
+			// We used log.Printf above (for timestamps).
+			// Use fmt.Printf here instead just to appease
+			// a security scanner, despite log.Printf only
+			// going to stdout.
+			fmt.Printf("... Proxy-Authorization = %q\n", auth)
+		}
 	}
 	res, err := tr.RoundTrip(req)
 	if err != nil {
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -1,28 +1,85 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+   L    github.com/aws/aws-sdk-go-v2                                 from github.com/aws/aws-sdk-go-v2/internal/ini
+   L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
+   L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/aws
+   L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
+   L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/aws/protocol/xml                from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/aws/ratelimit                   from github.com/aws/aws-sdk-go-v2/aws/retry
+   L    github.com/aws/aws-sdk-go-v2/aws/retry                       from github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client+
+   L    github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4          from github.com/aws/aws-sdk-go-v2/aws/signer/v4
+   L    github.com/aws/aws-sdk-go-v2/aws/signer/v4                   from github.com/aws/aws-sdk-go-v2/service/internal/presigned-url+
+   L    github.com/aws/aws-sdk-go-v2/aws/transport/http              from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/config                          from tailscale.com/ipn/store/aws
+   L    github.com/aws/aws-sdk-go-v2/credentials                     from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds        from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/endpointcreds       from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client from github.com/aws/aws-sdk-go-v2/credentials/endpointcreds
+   L    github.com/aws/aws-sdk-go-v2/credentials/processcreds        from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/ssocreds            from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/stscreds            from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds                from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config from github.com/aws/aws-sdk-go-v2/feature/ec2/imds
+   L    github.com/aws/aws-sdk-go-v2/internal/endpoints              from github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints+
+   L    github.com/aws/aws-sdk-go-v2/internal/ini                    from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/aws-sdk-go-v2/internal/sdk                    from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/aws-sdk-go-v2/internal/sdkio                  from github.com/aws/aws-sdk-go-v2/credentials/processcreds
+   L    github.com/aws/aws-sdk-go-v2/internal/strings                from github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4
+   L    github.com/aws/aws-sdk-go-v2/internal/sync/singleflight      from github.com/aws/aws-sdk-go-v2/aws
+   L    github.com/aws/aws-sdk-go-v2/internal/timeconv               from github.com/aws/aws-sdk-go-v2/aws/retry
+   L    github.com/aws/aws-sdk-go-v2/service/internal/presigned-url  from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/service/ssm                     from tailscale.com/ipn/store/aws
+   L    github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/ssm
+   L    github.com/aws/aws-sdk-go-v2/service/ssm/types               from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/service/sso                     from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sso
+   L    github.com/aws/aws-sdk-go-v2/service/sso/types               from github.com/aws/aws-sdk-go-v2/service/sso
+   L    github.com/aws/aws-sdk-go-v2/service/sts                     from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/service/sts/types               from github.com/aws/aws-sdk-go-v2/credentials/stscreds+
+   L    github.com/aws/smithy-go                                     from github.com/aws/aws-sdk-go-v2/aws/protocol/restjson+
+   L    github.com/aws/smithy-go/document                            from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/smithy-go/encoding                            from github.com/aws/smithy-go/encoding/json+
+   L    github.com/aws/smithy-go/encoding/httpbinding                from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
+   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm
+   L    github.com/aws/smithy-go/encoding/xml                        from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
+   L    github.com/aws/smithy-go/logging                             from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/smithy-go/middleware                          from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/smithy-go/ptr                                 from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/smithy-go/rand                                from github.com/aws/aws-sdk-go-v2/aws/middleware+
+   L    github.com/aws/smithy-go/time                                from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/smithy-go/transport/http                      from github.com/aws/aws-sdk-go-v2/aws/middleware+
+   L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
+   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
-        github.com/go-multierror/multierror                          from tailscale.com/wgengine/router+
+        github.com/go-multierror/multierror                          from tailscale.com/cmd/tailscaled+
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
-        github.com/golang/snappy                                     from github.com/klauspost/compress/zstd
        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
+   L    github.com/jmespath/go-jmespath                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
+        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-   L 💣 github.com/mdlayher/netlink                                  from tailscale.com/wgengine/monitor+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/mdlayher/netlink+
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
@@ -39,7 +96,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/u-root/uio/ubinary                                from github.com/u-root/uio/uio
   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
     💣 go4.org/intern                                               from inet.af/netaddr
-     💣 go4.org/mem                                                  from tailscale.com/derp+
+     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
@@ -51,9 +108,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.zx2c4.com/wireguard/rwcancel                          from golang.zx2c4.com/wireguard/device+
        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device
     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/tun/wintun                        from golang.zx2c4.com/wireguard/tun+
-   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        inet.af/netaddr                                              from tailscale.com/control/controlclient+
+   W 💣 golang.zx2c4.com/wireguard/tun/wintun                        from golang.zx2c4.com/wireguard/tun
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/cmd/tailscaled+
+        inet.af/netaddr                                              from inet.af/wf+
        inet.af/netstack/atomicbitops                                from inet.af/netstack/tcpip+
     💣 inet.af/netstack/buffer                                      from inet.af/netstack/tcpip/stack
     💣 inet.af/netstack/gohacks                                     from inet.af/netstack/state/wire+
@@ -61,7 +118,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/log                                         from inet.af/netstack/state+
        inet.af/netstack/rand                                        from inet.af/netstack/tcpip/network/hash+
     💣 inet.af/netstack/sleep                                       from inet.af/netstack/tcpip/transport/tcp
-     💣 inet.af/netstack/state                                       from inet.af/netstack/tcpip+
+     💣 inet.af/netstack/state                                       from inet.af/netstack/atomicbitops+
        inet.af/netstack/state/wire                                  from inet.af/netstack/state
     💣 inet.af/netstack/sync                                        from inet.af/netstack/linewriter+
        inet.af/netstack/tcpip                                       from inet.af/netstack/tcpip/adapters/gonet+
@@ -74,7 +131,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/tcpip/network/hash                          from inet.af/netstack/tcpip/network/ipv4+
        inet.af/netstack/tcpip/network/internal/fragmentation        from inet.af/netstack/tcpip/network/ipv4+
        inet.af/netstack/tcpip/network/internal/ip                   from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/ipv4                          from tailscale.com/wgengine/netstack+
+        inet.af/netstack/tcpip/network/ipv4                          from tailscale.com/net/tstun+
        inet.af/netstack/tcpip/network/ipv6                          from tailscale.com/wgengine/netstack
        inet.af/netstack/tcpip/ports                                 from inet.af/netstack/tcpip/stack+
        inet.af/netstack/tcpip/seqnum                                from inet.af/netstack/tcpip/header+
@@ -91,52 +148,54 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
  LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
        tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
        tailscale.com/control/controlknobs                           from tailscale.com/control/controlclient+
        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
-        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
+        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscaled+
        tailscale.com/disco                                          from tailscale.com/derp+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
-        tailscale.com/ipn                                            from tailscale.com/ipn/ipnserver+
+        tailscale.com/ipn                                            from tailscale.com/client/tailscale+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/ipn+
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
+        tailscale.com/ipn/store/aws                                  from tailscale.com/ipn/ipnserver
        tailscale.com/kube                                           from tailscale.com/ipn
        tailscale.com/log/filelogger                                 from tailscale.com/ipn/ipnserver
        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled
        tailscale.com/logtail                                        from tailscale.com/logpolicy
-        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
+        tailscale.com/logtail/backoff                                from tailscale.com/cmd/tailscaled+
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
     💣 tailscale.com/metrics                                        from tailscale.com/derp
-        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/dns/resolver                               from tailscale.com/wgengine+
+        tailscale.com/net/dns                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/dns/resolver                               from tailscale.com/net/dns+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient
-        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
+        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscaled+
        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
-        tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
+        tailscale.com/net/netknob                                    from tailscale.com/ipn/localapi+
+        tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
-        tailscale.com/net/packet                                     from tailscale.com/wgengine+
-        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
+        tailscale.com/net/packet                                     from tailscale.com/net/tstun+
+        tailscale.com/net/portmapper                                 from tailscale.com/cmd/tailscaled+
        tailscale.com/net/socks5                                     from tailscale.com/net/socks5/tssocks
        tailscale.com/net/socks5/tssocks                             from tailscale.com/cmd/tailscaled
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn/ipnlocal+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/cmd/tailscaled+
        tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
-        tailscale.com/paths                                          from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/paths                                          from tailscale.com/client/tailscale+
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
-        tailscale.com/safesocket                                     from tailscale.com/ipn/ipnserver+
+        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
-     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
-        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
+     💣 tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
+        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
@@ -145,20 +204,20 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/derp+
+        tailscale.com/types/key                                      from tailscale.com/cmd/tailscaled+
        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
-        tailscale.com/types/pad32                                    from tailscale.com/net/tstun+
+        tailscale.com/types/pad32                                    from tailscale.com/derp+
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
   L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
-        tailscale.com/util/dnsname                                   from tailscale.com/ipn/ipnstate+
-  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
+        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
+  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
@@ -166,14 +225,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
-        tailscale.com/util/winutil                                   from tailscale.com/logpolicy+
-        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
+        tailscale.com/version                                        from tailscale.com/client/tailscale+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscaled+
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine+
-        tailscale.com/wgengine/monitor                               from tailscale.com/wgengine+
+        tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
@@ -203,13 +262,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
+        golang.org/x/sync/errgroup                                   from github.com/tailscale/goupnp/httpu+
        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/mdlayher/netlink+
+  LD    golang.org/x/sys/unix                                        from github.com/insomniacslk/dhcp/interfaces+
   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    golang.org/x/sys/windows/svc                                 from tailscale.com/cmd/tailscaled+
+   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
        golang.org/x/term                                            from tailscale.com/logpolicy
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
@@ -241,7 +300,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/sha256                                                from crypto/tls+
        crypto/sha512                                                from crypto/ecdsa+
        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
+        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
        embed                                                        from tailscale.com/net/dns+
@@ -252,19 +311,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from github.com/tailscale/goupnp+
+        encoding/xml                                                 from github.com/aws/aws-sdk-go-v2/aws/protocol/xml+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
        flag                                                         from tailscale.com/cmd/tailscaled+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
+        hash/fnv                                                     from inet.af/netstack/tcpip/network/ipv6+
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
        io                                                           from bufio+
        io/fs                                                        from crypto/rand+
-        io/ioutil                                                    from github.com/godbus/dbus/v5+
+        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
        log                                                          from expvar+
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
@@ -276,19 +335,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
-        net/http/httputil                                            from tailscale.com/ipn/localapi
+        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
-        net/http/pprof                                               from tailscale.com/cmd/tailscaled
-        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/http/pprof                                               from tailscale.com/cmd/tailscaled+
+        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
-        os/exec                                                      from github.com/coreos/go-iptables/iptables+
+        os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
        os/signal                                                    from tailscale.com/cmd/tailscaled+
        os/user                                                      from github.com/godbus/dbus/v5+
-        path                                                         from github.com/godbus/dbus/v5+
+        path                                                         from github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/coreos/go-iptables/iptables+
+        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints+
        regexp/syntax                                                from regexp
        runtime/debug                                                from github.com/klauspost/compress/zstd+
        runtime/pprof                                                from net/http/pprof+
@@ -302,5 +361,5 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        text/tabwriter                                               from runtime/pprof
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
-        unicode/utf16                                                from encoding/asn1+
+        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
--- a/cmd/tailscaled/proxy.go
+++ b/cmd/tailscaled/proxy.go
@@ -0,0 +1,79 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// HTTP proxy code
+
+package main
+
+import (
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"strings"
+)
+
+// httpProxyHandler returns an HTTP proxy http.Handler using the
+// provided backend dialer.
+func httpProxyHandler(dialer func(ctx context.Context, netw, addr string) (net.Conn, error)) http.Handler {
+	rp := &httputil.ReverseProxy{
+		Director: func(r *http.Request) {}, // no change
+		Transport: &http.Transport{
+			DialContext: dialer,
+		},
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "CONNECT" {
+			backURL := r.RequestURI
+			if strings.HasPrefix(backURL, "/") || backURL == "*" {
+				http.Error(w, "bogus RequestURI; must be absolute URL or CONNECT", 400)
+				return
+			}
+			rp.ServeHTTP(w, r)
+			return
+		}
+
+		// CONNECT support:
+
+		dst := r.RequestURI
+		c, err := dialer(r.Context(), "tcp", dst)
+		if err != nil {
+			w.Header().Set("Tailscale-Connect-Error", err.Error())
+			http.Error(w, err.Error(), 500)
+			return
+		}
+		defer c.Close()
+
+		cc, ccbuf, err := w.(http.Hijacker).Hijack()
+		if err != nil {
+			http.Error(w, err.Error(), 500)
+			return
+		}
+		defer cc.Close()
+
+		io.WriteString(cc, "HTTP/1.1 200 OK\r\n\r\n")
+
+		var clientSrc io.Reader = ccbuf
+		if ccbuf.Reader.Buffered() == 0 {
+			// In the common case (with no
+			// buffered data), read directly from
+			// the underlying client connection to
+			// save some memory, letting the
+			// bufio.Reader/Writer get GC'ed.
+			clientSrc = cc
+		}
+
+		errc := make(chan error, 1)
+		go func() {
+			_, err := io.Copy(cc, c)
+			errc <- err
+		}()
+		go func() {
+			_, err := io.Copy(c, clientSrc)
+			errc <- err
+		}()
+		<-errc
+	})
+}
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -82,6 +82,7 @@ var args struct {
 	birdSocketPath string
 	verbose        int
 	socksAddr      string // listen address for SOCKS5 server
+	httpProxyAddr  string // listen address for HTTP proxy server
 }

 var (
@@ -110,9 +111,10 @@ func main() {
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
 	flag.StringVar(&args.debug, "debug", "", "listen address ([ip]:port) of optional debug server")
 	flag.StringVar(&args.socksAddr, "socks5-server", "", `optional [ip]:port to run a SOCK5 server (e.g. "localhost:1080")`)
+	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "path of state file; use 'kube:<secret-name>' to use Kubernetes secrets")
+	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
 	flag.BoolVar(&printVersion, "version", false, "print version information and exit")
@@ -278,19 +280,8 @@ func run() error {
 	}
 	pol.Logtail.SetLinkMonitor(linkMon)

-	var socksListener net.Listener
-	if args.socksAddr != "" {
-		var err error
-		socksListener, err = net.Listen("tcp", args.socksAddr)
-		if err != nil {
-			log.Fatalf("SOCKS5 listener: %v", err)
-		}
-		if strings.HasSuffix(args.socksAddr, ":0") {
-			// Log kernel-selected port number so integration tests
-			// can find it portably.
-			log.Printf("SOCKS5 listening on %v", socksListener.Addr())
-		}
-	}
+	socksListener := mustStartTCPListener("SOCKS5", args.socksAddr)
+	httpProxyListener := mustStartTCPListener("HTTP proxy", args.httpProxyAddr)

 	e, useNetstack, err := createEngine(logf, linkMon)
 	if err != nil {
@@ -304,11 +295,19 @@ func run() error {
 		ns = mustStartNetstack(logf, e, onlySubnets)
 	}

-	if socksListener != nil {
+	if socksListener != nil || httpProxyListener != nil {
 		srv := tssocks.NewServer(logger.WithPrefix(logf, "socks5: "), e, ns)
-		go func() {
-			log.Fatalf("SOCKS5 server exited: %v", srv.Serve(socksListener))
-		}()
+		if httpProxyListener != nil {
+			hs := &http.Server{Handler: httpProxyHandler(srv.Dialer)}
+			go func() {
+				log.Fatalf("HTTP proxy exited: %v", hs.Serve(httpProxyListener))
+			}()
+		}
+		if socksListener != nil {
+			go func() {
+				log.Fatalf("SOCKS5 server exited: %v", srv.Serve(socksListener))
+			}()
+		}
 	}

 	e = wgengine.NewWatchdog(e)
@@ -468,3 +467,19 @@ func mustStartNetstack(logf logger.Logf, e wgengine.Engine, onlySubnets bool) *n
 	}
 	return ns
 }
+
+func mustStartTCPListener(name, addr string) net.Listener {
+	if addr == "" {
+		return nil
+	}
+	ln, err := net.Listen("tcp", addr)
+	if err != nil {
+		log.Fatalf("%v listener: %v", name, err)
+	}
+	if strings.HasSuffix(addr, ":0") {
+		// Log kernel-selected port number so integration tests
+		// can find it portably.
+		log.Printf("%v listening on %v", name, ln.Addr())
+	}
+	return ln
+}
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -15,7 +15,7 @@ Restart=on-failure
 RuntimeDirectory=tailscale
 RuntimeDirectoryMode=0755
 StateDirectory=tailscale
-StateDirectoryMode=0750
+StateDirectoryMode=0700
 CacheDirectory=tailscale
 CacheDirectoryMode=0750
 Type=notify
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -34,6 +34,7 @@ import (
 	"tailscale.com/net/dns"
 	"tailscale.com/net/tstun"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/wf"
 	"tailscale.com/wgengine"
@@ -63,6 +64,11 @@ type ipnService struct {
 func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, changes chan<- svc.Status) (bool, uint32) {
 	changes <- svc.Status{State: svc.StartPending}

+	svcAccepts := svc.AcceptStop
+	if winutil.GetRegInteger("FlushDNSOnSessionUnlock", 0) != 0 {
+		svcAccepts |= svc.AcceptSessionChange
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	doneCh := make(chan struct{})
 	go func() {
@@ -71,7 +77,7 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 		ipnserver.BabysitProc(ctx, args, log.Printf)
 	}()

-	changes <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop}
+	changes <- svc.Status{State: svc.Running, Accepts: svcAccepts}

 	for ctx.Err() == nil {
 		select {
@@ -82,6 +88,9 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 				cancel()
 			case svc.Interrogate:
 				changes <- cmd.CurrentStatus
+			case svc.SessionChange:
+				handleSessionChange(cmd)
+				changes <- cmd.CurrentStatus
 			}
 		}
 	}
@@ -264,6 +273,20 @@ func startIPNServer(ctx context.Context, logid string) error {
 	return err
 }

+func handleSessionChange(chgRequest svc.ChangeRequest) {
+	if chgRequest.Cmd != svc.SessionChange || chgRequest.EventType != windows.WTS_SESSION_UNLOCK {
+		return
+	}
+
+	log.Printf("Received WTS_SESSION_UNLOCK event, initiating DNS flush.")
+	go func() {
+		err := dns.Flush()
+		if err != nil {
+			log.Printf("Error flushing DNS on session unlock: %v", err)
+		}
+	}()
+}
+
 var (
 	kernel32           = windows.NewLazySystemDLL("kernel32.dll")
 	getTickCount64Proc = kernel32.NewProc("GetTickCount64")
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -79,7 +79,7 @@ type Direct struct {
 	endpoints     []tailcfg.Endpoint
 	everEndpoints bool   // whether we've ever had non-empty endpoints
 	localPort     uint16 // or zero to mean auto
-	lastPingURL   string // last PingRequest.URL received, for dup suppresion
+	lastPingURL   string // last PingRequest.URL received, for dup suppression
 }

 type Options struct {
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -44,6 +44,7 @@ type mapSession struct {
 	collectServices        bool
 	previousPeers          []*tailcfg.Node // for delta-purposes
 	lastDomain             string
+	lastHealth             []string

 	// netMapBuilding is non-nil during a netmapForResponse call,
 	// containing the value to be returned, once fully populated.
@@ -105,6 +106,9 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	if resp.Domain != "" {
 		ms.lastDomain = resp.Domain
 	}
+	if resp.Health != nil {
+		ms.lastHealth = resp.Health
+	}

 	nm := &netmap.NetworkMap{
 		NodeKey:         tailcfg.NodeKey(ms.privateNodeKey.Public()),
@@ -118,6 +122,7 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		CollectServices: ms.collectServices,
 		DERPMap:         ms.lastDERPMap,
 		Debug:           resp.Debug,
+		ControlHealth:   ms.lastHealth,
 	}
 	ms.netMapBuilding = nm

--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -218,7 +218,7 @@ func TestNetmapForResponse(t *testing.T) {
 		}
 		nm2 := ms.netmapForResponse(&tailcfg.MapResponse{
 			Node:      new(tailcfg.Node),
-			DNSConfig: nil, // implict
+			DNSConfig: nil, // implicit
 		})
 		if !reflect.DeepEqual(nm2.DNS, *someDNSConfig) {
 			t.Fatalf("2nd DNS wrong")
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -19,11 +19,9 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
-	"log"
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"strings"
 	"sync"
 	"time"
@@ -430,19 +428,14 @@ func (c *Client) dialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.C
 func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 	tlsConf := tlsdial.Config(c.tlsServerName(node), c.TLSConfig)
 	if node != nil {
-		tlsConf.InsecureSkipVerify = node.InsecureForTests
+		if node.InsecureForTests {
+			tlsConf.InsecureSkipVerify = true
+			tlsConf.VerifyConnection = nil
+		}
 		if node.CertName != "" {
 			tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
 		}
 	}
-	if n := os.Getenv("SSLKEYLOGFILE"); n != "" {
-		f, err := os.OpenFile(n, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
-		if err != nil {
-			log.Fatal(err)
-		}
-		log.Printf("WARNING: writing to SSLKEYLOGFILE %v", n)
-		tlsConf.KeyLogWriter = f
-	}
 	return tls.Client(nc, tlsConf)
 }

--- a/docs/k8s/Dockerfile
+++ b/docs/k8s/Dockerfile
@@ -0,0 +1,7 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+FROM ghcr.io/tailscale/tailscale:latest
+COPY run.sh /run.sh
+CMD "/run.sh"
--- a/docs/k8s/Makefile
+++ b/docs/k8s/Makefile
@@ -0,0 +1,34 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+ifndef IMAGE_TAG
+  $(error "IMAGE_TAG is not set")
+endif
+
+ROUTES ?= ""
+SA_NAME ?= tailscale
+KUBE_SECRET ?= tailscale
+
+build:
+	@docker build . -t $(IMAGE_TAG)
+
+push: build
+	@docker push $(IMAGE_TAG)
+
+rbac:
+	@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" role.yaml | kubectl apply -f -
+	@sed -e "s;{{SA_NAME}};$(SA_NAME);g" rolebinding.yaml | kubectl apply -f -
+	@sed -e "s;{{SA_NAME}};$(SA_NAME);g" sa.yaml | kubectl apply -f -
+
+sidecar:
+	@kubectl delete -f sidecar.yaml --ignore-not-found --grace-period=0
+	@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | kubectl create -f-
+
+userspace-sidecar:
+	@kubectl delete -f userspace-sidecar.yaml --ignore-not-found --grace-period=0
+	@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" userspace-sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | kubectl create -f-
+
+proxy:
+	@kubectl delete -f proxy.yaml --ignore-not-found --grace-period=0
+	@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" proxy.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | sed -e "s;{{DEST_IP}};$(DEST_IP);g" | kubectl create -f-
--- a/docs/k8s/README.md
+++ b/docs/k8s/README.md
@@ -1,20 +1,110 @@
-# Using Kubernetes Secrets as the state store for Tailscale
-Tailscale supports using Kubernetes Secrets as the state store, however there is some configuration required in order for it to work.
+# Overview
+There are quite a few ways of running Tailscale inside a Kubernetes Cluster, some of the common ones are covered in this doc.
+## Instructions
+### Setup
+1. (Optional) Create the following secret which will automate login.<br>
+   You will need to get an [auth key](https://tailscale.com/kb/1085/auth-keys/) from [Tailscale Admin Console](https://login.tailscale.com/admin/authkeys).<br>
+   If you don't provide the key, you can still authenticate using the url in the logs.

-**Note: this only works if `tailscaled` runs inside a pod in the cluster.**
-
-1. Create a service account for Tailscale (optional)
-   ```
-   kubectl create -f sa.yaml
+   ```yaml
+   apiVersion: v1
+   kind: Secret
+   metadata:
+     name: tailscale-auth
+   stringData:
+     AUTH_KEY: tskey-...
   ```

-1. Create role and role bindings for the service account
-   ```
-   kubectl create -f role.yaml
-   kubectl create -f rolebinding.yaml
+1. Build and push the container
+
+   ```bash
+   export IMAGE_TAG=tailscale-k8s:latest
+   make push
   ```

-1. Launch `tailscaled` with a Kubernetes Secret as the state store.
+1. Tailscale (v1.16+) supports storing state inside a Kubernetes Secret.
+
+   Configure RBAC to allow the Tailscale pod to read/write the `tailscale` secret.
+   ```bash
+   export SA_NAME=tailscale
+   export KUBE_SECRET=tailscale
+   make rbac
   ```
-   tailscaled --state=kube:tailscale
+
+### Sample Sidecar
+Running as a sidecar allows you to directly expose a Kubernetes pod over Tailscale. This is particularly useful if you do not wish to expose a service on the public internet. This method allows bi-directional connectivty between the pod and other devices on the Tailnet. You can use [ACLs](https://tailscale.com/kb/1018/acls/) to control traffic flow.
+
+1. Create and login to the sample nginx pod with a Tailscale sidecar
+
+   ```bash
+   make sidecar
+   # If not using an auth key, authenticate by grabbing the Login URL here:
+   kubectl logs nginx ts-sidecar
   ```
+
+1. Check if you can to connect to nginx over Tailscale:
+
+   ```bash
+   curl http://nginx
+   ```
+   Or, if you have [MagicDNS](https://tailscale.com/kb/1081/magicdns/) disabled:
+   ```bash
+   curl "http://$(tailscale ip -4 nginx)"
+   ```
+
+#### Userspace Sidecar
+You can also run the sidecar in userspace mode. The obvious benefit is reducing the amount of permissions Tailscale needs to run, the downside is that for outbound connectivity from the pod to the Tailnet you would need to use either the [SOCKS proxy](https://tailscale.com/kb/1112/userspace-networking) or HTTP proxy.
+
+1. Create and login to the sample nginx pod with a Tailscale sidecar
+
+   ```bash
+   make userspace-sidecar
+   # If not using an auth key, authenticate by grabbing the Login URL here:
+   kubectl logs nginx ts-sidecar
+   ```
+
+1. Check if you can to connect to nginx over Tailscale:
+
+   ```bash
+   curl http://nginx
+   ```
+   Or, if you have [MagicDNS](https://tailscale.com/kb/1081/magicdns/) disabled:
+   ```bash
+   curl "http://$(tailscale ip -4 nginx)"
+   ```
+
+### Sample Proxy
+Running a Tailscale proxy allows you to provide inbound connectivity to a Kubernetes Service.
+
+1. Provide the `ClusterIP` of the service you want to reach by either:
+
+   **Creating a new deployment**
+   ```bash
+   kubectl create deployment nginx --image nginx
+   kubectl expose deployment nginx --port 80
+   export DEST_IP="$(kubectl get svc nginx -o=jsonpath='{.spec.clusterIP}')"
+   ```
+   **Using an existing service**
+   ```bash
+   export DEST_IP="$(kubectl get svc <SVC_NAME> -o=jsonpath='{.spec.clusterIP}')"
+   ```
+
+1. Deploy the proxy pod
+
+   ```bash
+   make proxy
+   # If not using an auth key, authenticate by grabbing the Login URL here:
+   kubectl logs proxy
+   ```
+
+1. Check if you can to connect to nginx over Tailscale:
+
+   ```bash
+   curl http://proxy
+   ```
+
+   Or, if you have [MagicDNS](https://tailscale.com/kb/1081/magicdns/) disabled:
+
+   ```bash
+   curl "http://$(tailscale ip -4 proxy)"
+   ```
--- a/docs/k8s/proxy.yaml
+++ b/docs/k8s/proxy.yaml
@@ -0,0 +1,47 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: proxy
+spec:
+  serviceAccountName: "{{SA_NAME}}"
+  initContainers:
+    # In order to run as a proxy we need to enable IP Forwarding inside
+    # the container. The `net.ipv4.ip_forward` sysctl is not whitelisted
+    # in Kubelet by default.
+  - name: sysctler
+    image: busybox
+    securityContext:
+      privileged: true
+    command: ["/bin/sh"]
+    args:
+      - -c
+      - sysctl -w net.ipv4.ip_forward=1
+    resources:
+      requests:
+        cpu: 1m
+        memory: 1Mi
+  containers:
+  - name: tailscale
+    imagePullPolicy: Always
+    image: "{{IMAGE_TAG}}"
+    env:
+    # Store the state in a k8s secret
+    - name: KUBE_SECRET
+      value: "{{KUBE_SECRET}}"
+    - name: USERSPACE
+      value: "false"
+    - name: AUTH_KEY
+      valueFrom:
+        secretKeyRef:
+          name: tailscale-auth
+          key: AUTH_KEY
+          optional: true
+    - name: DEST_IP
+      value: "{{DEST_IP}}"
+    securityContext:
+      capabilities:
+        add:
+        - NET_ADMIN
--- a/docs/k8s/role.yaml
+++ b/docs/k8s/role.yaml
@@ -1,10 +1,16 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: default
  name: tailscale
 rules:
 - apiGroups: [""] # "" indicates the core API group
-  resourceNames: ["tailscale"]
  resources: ["secrets"]
-  verbs: ["create", "get", "update"]
+  # Create can not be restricted to a resource name.
+  verbs: ["create"]
+- apiGroups: [""] # "" indicates the core API group
+  resourceNames: ["{{KUBE_SECRET}}"]
+  resources: ["secrets"]
+  verbs: ["get", "update"]
--- a/docs/k8s/rolebinding.yaml
+++ b/docs/k8s/rolebinding.yaml
@@ -1,11 +1,13 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  namespace: default
  name: tailscale
 subjects:
 - kind: ServiceAccount
-  name: tailscale
+  name: "{{SA_NAME}}"
 roleRef:
  kind: Role
  name: tailscale
--- a/docs/k8s/run.sh
+++ b/docs/k8s/run.sh
@@ -0,0 +1,59 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+#! /bin/sh
+
+export PATH=$PATH:/tailscale/bin
+
+AUTH_KEY="${AUTH_KEY:-}"
+ROUTES="${ROUTES:-}"
+DEST_IP="${DEST_IP:-}"
+EXTRA_ARGS="${EXTRA_ARGS:-}"
+USERSPACE="${USERSPACE:-true}"
+KUBE_SECRET="${KUBE_SECRET:-tailscale}"
+
+set -e
+
+TAILSCALED_ARGS="--state=kube:${KUBE_SECRET} --socket=/tmp/tailscaled.sock"
+
+if [[ "${USERSPACE}" == "true" ]]; then
+  if [[ ! -z "${DEST_IP}" ]]; then
+    echo "IP forwarding is not supported in userspace mode"
+    exit 1
+  fi
+  TAILSCALED_ARGS="${TAILSCALED_ARGS} --tun=userspace-networking"
+else
+  if [[ ! -d /dev/net ]]; then
+    mkdir -p /dev/net
+  fi
+
+  if [[ ! -c /dev/net/tun ]]; then
+    mknod /dev/net/tun c 10 200
+  fi
+fi
+
+echo "Starting tailscaled"
+tailscaled ${TAILSCALED_ARGS} &
+PID=$!
+
+UP_ARGS="--accept-dns=false"
+if [[ ! -z "${ROUTES}" ]]; then
+  UP_ARGS="--advertise-routes=${ROUTES} ${UP_ARGS}"
+fi
+if [[ ! -z "${AUTH_KEY}" ]]; then
+  UP_ARGS="--authkey=${AUTH_KEY} ${UP_ARGS}"
+fi
+if [[ ! -z "${EXTRA_ARGS}" ]]; then
+  UP_ARGS="${UP_ARGS} ${EXTRA_ARGS:-}"
+fi
+
+echo "Running tailscale up"
+tailscale --socket=/tmp/tailscaled.sock up ${UP_ARGS}
+
+if [[ ! -z "${DEST_IP}" ]]; then
+  echo "Adding iptables rule for DNAT"
+  iptables -t nat -I PREROUTING -d "$(tailscale ip -4)" -j DNAT --to-destination "${DEST_IP}"
+fi
+
+wait ${PID}
--- a/docs/k8s/sa.yaml
+++ b/docs/k8s/sa.yaml
@@ -1,5 +1,7 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: tailscale
-  namespace: default
+  name: {{SA_NAME}}
--- a/docs/k8s/sidecar.yaml
+++ b/docs/k8s/sidecar.yaml
@@ -0,0 +1,31 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  serviceAccountName: "{{SA_NAME}}"
+  containers:
+  - name: nginx
+    image: nginx
+  - name: ts-sidecar
+    imagePullPolicy: Always
+    image: "{{IMAGE_TAG}}"
+    env:
+      # Store the state in a k8s secret
+    - name: KUBE_SECRET
+      value: "{{KUBE_SECRET}}"
+    - name: USERSPACE
+      value: "false"
+    - name: AUTH_KEY
+      valueFrom:
+        secretKeyRef:
+          name: tailscale-auth
+          key: AUTH_KEY
+          optional: true
+    securityContext:
+      capabilities:
+        add:
+        - NET_ADMIN
--- a/docs/k8s/userspace-sidecar.yaml
+++ b/docs/k8s/userspace-sidecar.yaml
@@ -0,0 +1,30 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  serviceAccountName: "{{SA_NAME}}"
+  containers:
+  - name: nginx
+    image: nginx
+  - name: ts-sidecar
+    imagePullPolicy: Always
+    image: "{{IMAGE_TAG}}"
+    securityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+    env:
+      # Store the state in a k8s secret
+    - name: KUBE_SECRET
+      value: "{{KUBE_SECRET}}"
+    - name: USERSPACE
+      value: "true"
+    - name: AUTH_KEY
+      valueFrom:
+        secretKeyRef:
+          name: tailscale-auth
+          key: AUTH_KEY
+          optional: true
--- a/go.mod
+++ b/go.mod
@@ -3,32 +3,37 @@ module tailscale.com
 go 1.17

 require (
+	filippo.io/mkcert v1.4.3
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/aws/aws-sdk-go v1.38.52
+	github.com/aws/aws-sdk-go-v2 v1.9.2
+	github.com/aws/aws-sdk-go-v2/config v1.8.3
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.12.0
 	github.com/coreos/go-iptables v0.6.0
-	github.com/creack/pty v1.1.9
+	github.com/creack/pty v1.1.16
 	github.com/dave/jennifer v1.4.1
-	github.com/frankban/quicktest v1.13.0
-	github.com/gliderlabs/ssh v0.3.2
+	github.com/frankban/quicktest v1.13.1
+	github.com/gliderlabs/ssh v0.3.3
 	github.com/go-multierror/multierror v1.0.2
-	github.com/go-ole/go-ole v1.2.5
-	github.com/godbus/dbus/v5 v5.0.4
+	github.com/go-ole/go-ole v1.2.6-0.20210915003542-8b1f7f90f6b1
+	github.com/godbus/dbus/v5 v5.0.5
 	github.com/google/go-cmp v0.5.6
-	github.com/google/uuid v1.1.2
+	github.com/google/uuid v1.3.0
 	github.com/goreleaser/nfpm v1.10.3
 	github.com/iancoleman/strcase v0.2.0
 	github.com/insomniacslk/dhcp v0.0.0-20210621130208-1cac67f12b1e
 	github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.12.2
+	github.com/klauspost/compress v1.13.6
 	github.com/mdlayher/netlink v1.4.1
 	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
-	github.com/miekg/dns v1.1.42
+	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/pborman/getopt v1.1.0
 	github.com/peterbourgon/ff/v3 v3.1.0
-	github.com/pkg/sftp v1.13.0
+	github.com/pkg/sftp v1.13.4
+	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
@@ -38,15 +43,15 @@ require (
 	github.com/toqueteos/webbrowser v1.2.0
 	github.com/ulikunitz/xz v0.5.10 // indirect
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
-	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
-	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
+	golang.org/x/net v0.0.0-20210927181540-4e4d966f7476
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2
+	golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6
 	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
 	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6
-	golang.org/x/tools v0.1.2
-	golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0
-	golang.zx2c4.com/wireguard/windows v0.3.16
+	golang.org/x/tools v0.1.7
+	golang.zx2c4.com/wireguard v0.0.0-20211012062646-82d2aa87aa62
+	golang.zx2c4.com/wireguard/windows v0.4.10
 	honnef.co/go/tools v0.2.1
 	inet.af/netaddr v0.0.0-20210721214506-ce7a8ad02cc1
 	inet.af/netstack v0.0.0-20210622165351-29b14ebc044e
@@ -64,6 +69,13 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/Microsoft/go-winio v0.4.16 // indirect
 	github.com/OpenPeeDeeP/depguard v1.0.1 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.6.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.2.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.4.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.7.2 // indirect
+	github.com/aws/smithy-go v1.8.0 // indirect
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
 	github.com/bombsimon/wsl/v3 v3.1.0 // indirect
 	github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e // indirect
@@ -87,7 +99,6 @@ require (
 	github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.8.0 // indirect
-	github.com/golang/snappy v0.0.3 // indirect
 	github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 // indirect
 	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
 	github.com/golangci/errcheck v0.0.0-20181223084120-ef45e06d44b6 // indirect
@@ -122,7 +133,7 @@ require (
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
 	github.com/kisielk/gotool v1.0.0 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/kr/pretty v0.2.1 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/kunwardeep/paralleltest v1.0.2 // indirect
 	github.com/kyoh86/exportloopref v0.1.8 // indirect
@@ -150,6 +161,7 @@ require (
 	github.com/polyfloyd/go-errorlint v0.0.0-20201127212506-19bd8db6546f // indirect
 	github.com/quasilyte/go-ruleguard v0.2.1 // indirect
 	github.com/quasilyte/regex/syntax v0.0.0-20200805063351-8f842688393c // indirect
+	github.com/rogpeppe/go-internal v1.6.2 // indirect
 	github.com/ryancurrah/gomodguard v1.1.0 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.3.0 // indirect
 	github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b // indirect
@@ -167,7 +179,7 @@ require (
 	github.com/spf13/viper v1.7.1 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.1.0 // indirect
 	github.com/stretchr/objx v0.3.0 // indirect
-	github.com/stretchr/testify v1.6.1 // indirect
+	github.com/stretchr/testify v1.7.0 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b // indirect
 	github.com/tetafro/godot v1.3.2 // indirect
@@ -182,14 +194,16 @@ require (
 	go4.org/intern v0.0.0-20210108033219-3eb7198706b2 // indirect
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222180813-1025295fd063 // indirect
 	golang.org/x/mod v0.4.2 // indirect
-	golang.org/x/text v0.3.7-0.20210524175448-3115f89c4b99 // indirect
+	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
+	howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
 	mvdan.cc/gofumpt v0.0.0-20201129102820-5c11c50e9475 // indirect
 	mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
 	mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
 	mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.0.0-20180114231543-2291e8f0f237 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -14,6 +14,8 @@ cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqCl
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+filippo.io/mkcert v1.4.3 h1:axpnmtrZMM8u5Hf4N3UXxboGemMOV+Tn+e+pkHM6E3o=
+filippo.io/mkcert v1.4.3/go.mod h1:64ke566uBwAQcdK3vRDABgsgVHqrfORPTw6YytZCTxk=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
@@ -57,6 +59,26 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.38.52 h1:7NKcUyTG/CyDX835kq04DDNe8vXaJhbGW8ThemHb18A=
 github.com/aws/aws-sdk-go v1.38.52/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
+github.com/aws/aws-sdk-go-v2 v1.9.2 h1:dUFQcMNZMLON4BOe273pl0filK9RqyQMhCK/6xssL6s=
+github.com/aws/aws-sdk-go-v2 v1.9.2/go.mod h1:cK/D0BBs0b/oWPIcX/Z/obahJK1TT7IPVjy53i/mX/4=
+github.com/aws/aws-sdk-go-v2/config v1.8.3 h1:o5583X4qUfuRrOGOgmOcDgvr5gJVSu57NK08cWAhIDk=
+github.com/aws/aws-sdk-go-v2/config v1.8.3/go.mod h1:4AEiLtAb8kLs7vgw2ZV3p2VZ1+hBavOc84hqxVNpCyw=
+github.com/aws/aws-sdk-go-v2/credentials v1.4.3 h1:LTdD5QhK073MpElh9umLLP97wxphkgVC/OjQaEbBwZA=
+github.com/aws/aws-sdk-go-v2/credentials v1.4.3/go.mod h1:FNNC6nQZQUuyhq5aE5c7ata8o9e4ECGmS4lAXC7o1mQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.6.0 h1:9tfxW/icbSu98C2pcNynm5jmDwU3/741F11688B6QnU=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.6.0/go.mod h1:gqlclDEZp4aqJOancXK6TN24aKhT0W0Ae9MHk3wzTMM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.2.4 h1:leSJ6vCqtPpTmBIgE7044B1wql1E4n//McF+mEgNrYg=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.2.4/go.mod h1:ZcBrrI3zBKlhGFNYWvju0I3TR93I7YIgAfy82Fh4lcQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.2 h1:r7jel2aa4d9Duys7wEmWqDd5ebpC9w6Kxu6wIjjp18E=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.2/go.mod h1:72HRZDLMtmVQiLG2tLfQcaWLCssELvGl+Zf2WVxMmR8=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.12.0 h1:zJfVytawApwhwjDq3tbuzuLjNKQvrhdPM+II2MQDRTI=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.12.0/go.mod h1:m3cb1hedrft0oYmueH0CkBgRdiwczuKRXPr0tilSpz4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.4.2 h1:pZwkxZbspdqRGzddDB92bkZBoB7lg85sMRE7OqdB3V0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.4.2/go.mod h1:NBvT9R1MEF+Ud6ApJKM0G+IkPchKS7p7c2YPKwHmBOk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.7.2 h1:ol2Y5DWqnJeKqNd8th7JWzBtqu63xpOfs1Is+n1t8/4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.7.2/go.mod h1:8EzeIqfWt2wWT4rJVu3f21TfrhJ8AEMzVybRNSb/b4g=
+github.com/aws/smithy-go v1.8.0 h1:AEwwwXQZtUwP5Mz506FeXXrKBe0jA8gVM+1gEcSRooc=
+github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
@@ -80,8 +102,9 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/creack/pty v1.1.9 h1:uDmaGzcdjhF4i/plgjmEsriH11Y0o7RKapEf/LDaM3w=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.16 h1:vfetlOf3A+9YKggibynnX9mnFjuSVvkRj+IWpcTSLEQ=
+github.com/creack/pty v1.1.16/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/daixiang0/gci v0.2.4/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4=
 github.com/daixiang0/gci v0.2.7 h1:bosLNficubzJZICsVzxuyNc6oAbdz0zcqLG2G/RxtY4=
 github.com/daixiang0/gci v0.2.7/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc=
@@ -104,8 +127,8 @@ github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk=
-github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
+github.com/frankban/quicktest v1.13.1 h1:xVm/f9seEhZFL9+n5kv5XLrGwy6elc4V9v/XFY2vmd8=
+github.com/frankban/quicktest v1.13.1/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -113,8 +136,8 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/gliderlabs/ssh v0.3.2 h1:gcfd1Aj/9RQxvygu4l3sak711f/5+VOwBw9C/7+N4EI=
-github.com/gliderlabs/ssh v0.3.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/gliderlabs/ssh v0.3.3 h1:mBQ8NiOgDkINJrZtoizkC3nDNYgSaWtxyem6S2XHBtA=
+github.com/gliderlabs/ssh v0.3.3/go.mod h1:ZSS+CUoKHDrqVakTfTWUlKSr9MtMFkC4UvtQKD7O914=
 github.com/go-critic/go-critic v0.5.2 h1:3RJdgf6u4NZUumoP8nzbqiiNT8e1tC2Oc7jlgqre/IA=
 github.com/go-critic/go-critic v0.5.2/go.mod h1:cc0+HvdE3lFpqLecgqMaJcvWWH77sLdBp+wLGPM1Yyo=
 github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4=
@@ -132,8 +155,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
 github.com/go-multierror/multierror v1.0.2 h1:AwsKbEXkmf49ajdFJgcFXqSG0aLo0HEyAE9zk9JguJo=
 github.com/go-multierror/multierror v1.0.2/go.mod h1:U7SZR/D9jHgt2nkSj8XcbCWdmVM2igraCHQ3HC1HiKY=
 github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
-github.com/go-ole/go-ole v1.2.5 h1:t4MGB5xEDZvXI+0rMjjsfBsD7yAgp/s9ZDkL1JndXwY=
-github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.2.6-0.20210915003542-8b1f7f90f6b1 h1:4dntyT+x6QTOSCIrgczbQ+ockAEha0cfxD5Wi0iCzjY=
+github.com/go-ole/go-ole v1.2.6-0.20210915003542-8b1f7f90f6b1/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-toolsmith/astcast v1.0.0 h1:JojxlmI6STnFVG9yOImLeGREv8W2ocNUM+iOhR6jE7g=
@@ -158,8 +181,8 @@ github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.0.5 h1:9Eg0XUhQxtkV8ykTMKtMMYY72g4NgxtRq4jgh4Ih5YM=
+github.com/godbus/dbus/v5 v5.0.5/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.8.0 h1:MSdYClljsF3PbENUUEx85nkWfJSGfzYI9yEBZOJz6CY=
 github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -182,8 +205,6 @@ github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrU
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA=
-github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 h1:23T5iq8rbUYlhpt5DB4XJkc6BU31uODLD1o1gKvZmD0=
 github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4=
 github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM=
@@ -239,8 +260,9 @@ github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm4
 github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1 h1:BRIy5qQZKSC/nthA5ueW547F73BV5hMoIoxhPfhxa3k=
 github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1/go.mod h1:+y9lKiqDhR4zkLl+V9h4q0rdyrYVsWWm6LLCQP33DIk=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gookit/color v1.3.1/go.mod h1:R3ogXq2B9rTbXoSHJ1HyUVAZ3poOJHpd9nQmyGZsfvQ=
@@ -342,16 +364,17 @@ github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8=
-github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
+github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc=
+github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -409,8 +432,8 @@ github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697/go.mod h1:HtjVsQ
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00 h1:qEtkL8n1DAHpi5/AOgAckwGQUlMe4+jhL/GMt+GKIks=
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.42 h1:gWGe42RGaIqXQZ+r3WUGEKBEtvPHY2SXo4dqixDNxuY=
-github.com/miekg/dns v1.1.42/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
+github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
+github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
@@ -477,8 +500,8 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
-github.com/pkg/sftp v1.13.0 h1:Riw6pgOKK41foc1I1Uu03CjvbLZDXeGpInycM4shXoI=
-github.com/pkg/sftp v1.13.0/go.mod h1:41g+FIPlQUTDCveupEmEA65IoiQFrtgCeDopC4ajGIM=
+github.com/pkg/sftp v1.13.4 h1:Lb0RYJCmgUcBgZosfoi9Y9sbl6+LJgOIgk/2Y4YjMFg=
+github.com/pkg/sftp v1.13.4/go.mod h1:LzqnAvaD5TWeNBsZpfKxSYn1MbjWwOsCIAFFJbpIsK8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/polyfloyd/go-errorlint v0.0.0-20201006195004-351e25ade6e3/go.mod h1:wi9BfjxjF/bwiZ701TzmfKu6UKC357IOAtNr0Td0Lvw=
@@ -505,6 +528,7 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.5.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.6.2 h1:aIihoIOHCiLZHxyoNQ+ABL4NKhFTgKLBdMLyEAh98m0=
 github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryancurrah/gomodguard v1.1.0 h1:DWbye9KyMgytn8uYpuHkwf0RHqAYO6Ay/D0TbCpPtVU=
@@ -532,6 +556,8 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
+github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
@@ -570,8 +596,9 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3 h1:fEubocuQkrlcuYeXelhYq/YcKvVVe1Ah7saQEtj98Mo=
@@ -628,7 +655,7 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/ziutek/telnet v0.0.0-20180329124119-c3b780dc415b/go.mod h1:IZpXDfkJ6tWD3PhBK5YzgQT+xJWh7OsdwiG8hA2MkO4=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -656,10 +683,12 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI=
+golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -724,10 +753,11 @@ golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
-golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210927181540-4e4d966f7476 h1:s5hu7bTnLKswvidgtqc4GwsW83m9LZu8UAqzmWOZtI4=
+golang.org/x/net v0.0.0-20210927181540-4e4d966f7476/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -796,15 +826,16 @@ golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210301091718-77cc2087c03b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 h1:c8PlLMqBbOHoqtjteWm5/kbe6rNY2pbRfbIMVnepueo=
-golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6 h1:foEbQz/B0Oz6YIqu/69kfXPYeFQAuuMYFkjaqXzl5Wo=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56 h1:b8jxX3zqjpqb2LklXPzKSGJhzyxCOZSz8ncv8Nv+y7w=
@@ -815,8 +846,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7-0.20210524175448-3115f89c4b99 h1:ZEXtoJu1S0ie/EmdYnjY3CqaCCZxnldL+K1ftMITD2Q=
-golang.org/x/text v0.3.7-0.20210524175448-3115f89c4b99/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6 h1:Vv0JUPWTyeqUq42B2WJ1FeIDjjvGKoA2Ss+Ts0lAVbs=
@@ -872,20 +903,22 @@ golang.org/x/tools v0.0.0-20201011145850-ed2f50202694/go.mod h1:z6u4i615ZeAfBE4X
 golang.org/x/tools v0.0.0-20201013201025-64a9e34f3752/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/tools v0.0.0-20201118003311-bd56c0adb394/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201121010211-780cb80bd7fb/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201124202034-299f270db459/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.2 h1:kRBLX7v7Af8W7Gdbbc908OJcdgtK8bOz9Uaj8/F1ACA=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.7 h1:6j8CgantCy3yc8JGBqkDLMKWqZ0RDU2g1HVgacojGWQ=
+golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0 h1:qINUmOnDCCF7i14oomDDkGmlda7BSDTGfge77/aqdfk=
-golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
-golang.zx2c4.com/wireguard/windows v0.3.16 h1:S42i0kp3SFHZm1mMFTtiU3OnEQJ0GRVOVlMkBhSDTZI=
-golang.zx2c4.com/wireguard/windows v0.3.16/go.mod h1:f80rkFY2CKQklps1GHE15k/M4Tq78aofbr1iQM5MTVY=
+golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
+golang.zx2c4.com/wireguard v0.0.0-20211012062646-82d2aa87aa62 h1:c39XZipaMOiSSqTCpqJmYgnzscTBGLFPgMmGvubmZ6E=
+golang.zx2c4.com/wireguard v0.0.0-20211012062646-82d2aa87aa62/go.mod h1:id8Oh3eCCmpj9uVGWVjsUAl6UPX5ysMLzu6QxJU2UOU=
+golang.zx2c4.com/wireguard/windows v0.4.10 h1:HmjzJnb+G4NCdX+sfjsQlsxGPuYaThxRbZUZFLyR0/s=
+golang.zx2c4.com/wireguard/windows v0.4.10/go.mod h1:v7w/8FC48tTBm1IzScDVPEEb0/GjLta+T0ybpP9UWRg=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -953,6 +986,8 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.6/go.mod h1:pyyisuGw24ruLjrr1ddx39WE0y9OooInRzEYLhQB2YY=
 honnef.co/go/tools v0.2.1 h1:/EPr//+UMMXwMTkXvCCoaJDq8cpjMO80Ou+L4PDo2mY=
 honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
+howett.net/plist v0.0.0-20181124034731-591f970eefbb h1:jhnBjNi9UFpfpl8YZhA9CrOqpnJdvzuiHsl/dnxl11M=
+howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0=
 inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
 inet.af/netaddr v0.0.0-20210721214506-ce7a8ad02cc1 h1:mxmfTV6kjXTlFqqFETnG9FQZzNFc6AKunZVAgQ3b7WA=
 inet.af/netaddr v0.0.0-20210721214506-ce7a8ad02cc1/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
@@ -972,3 +1007,5 @@ mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jC
 mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7 h1:kAREL6MPwpsk1/PQPFD3Eg7WAQR5mPTWZJaBiG5LDbY=
 mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7/go.mod h1:HGC5lll35J70Y5v7vCGb9oLhHoScFwkHDJm/05RdSTc=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20180114231543-2291e8f0f237 h1:iAEkCBPbRaflBgZ7o9gjVUuWuvWeV4sytFWg9o+Pj2k=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20180114231543-2291e8f0f237/go.mod h1:/xvNRWUqm0+/ZMiF4EX00vrSCMsE4/NHb+Pt3freEeQ=
--- a/health/health.go
+++ b/health/health.go
@@ -40,6 +40,7 @@ var (
 	ipnWantRunning          bool
 	anyInterfaceUp          = true // until told otherwise
 	udp4Unbound             bool
+	controlHealth           []string
 )

 // Subsystem is the name of a subsystem whose health can be monitored.
@@ -141,6 +142,13 @@ func setLocked(key Subsystem, err error) {
 	}
 }

+func SetControlHealth(problems []string) {
+	mu.Lock()
+	defer mu.Unlock()
+	controlHealth = problems
+	selfCheckLocked()
+}
+
 // GotStreamedMapResponse notes that we got a tailcfg.MapResponse
 // message in streaming mode, even if it's just a keep-alive message.
 func GotStreamedMapResponse() {
@@ -318,6 +326,9 @@ func overallErrorLocked() error {
 	for regionID, problem := range derpRegionHealthProblem {
 		errs = append(errs, fmt.Errorf("derp%d: %v", regionID, problem))
 	}
+	for _, s := range controlHealth {
+		errs = append(errs, errors.New(s))
+	}
 	if e := fakeErrForTesting; len(errs) == 0 && e != "" {
 		return errors.New(e)
 	}
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -20,28 +20,37 @@ import (
 	"tailscale.com/version"
 )

-var osVersion func() string // non-nil on some platforms
-
 // New returns a partially populated Hostinfo for the current host.
 func New() *tailcfg.Hostinfo {
 	hostname, _ := os.Hostname()
 	hostname = dnsname.FirstLabel(hostname)
-	var osv string
-	if osVersion != nil {
-		osv = osVersion()
-	}
 	return &tailcfg.Hostinfo{
 		IPNVersion:  version.Long,
 		Hostname:    hostname,
 		OS:          version.OS(),
-		OSVersion:   osv,
+		OSVersion:   getOSVersion(),
 		Package:     packageType(),
 		GoArch:      runtime.GOARCH,
 		DeviceModel: deviceModel(),
 	}
 }

+var osVersion func() string // non-nil on some platforms
+
+func getOSVersion() string {
+	if s, _ := osVersionAtomic.Load().(string); s != "" {
+		return s
+	}
+	if osVersion != nil {
+		return osVersion()
+	}
+	return ""
+}
+
 func packageType() string {
+	if v, _ := packagingType.Load().(string); v != "" {
+		return v
+	}
 	switch runtime.GOOS {
 	case "windows":
 		if _, err := os.Stat(`C:\ProgramData\chocolatey\lib\tailscale`); err == nil {
@@ -86,11 +95,23 @@ func GetEnvType() EnvType {
 	return e
 }

-var deviceModelAtomic atomic.Value // of string
+var (
+	deviceModelAtomic atomic.Value // of string
+	osVersionAtomic   atomic.Value // of string
+	packagingType     atomic.Value // of string
+)

 // SetDeviceModel sets the device model for use in Hostinfo updates.
 func SetDeviceModel(model string) { deviceModelAtomic.Store(model) }

+// SetOSVersion sets the OS version.
+func SetOSVersion(v string) { osVersionAtomic.Store(v) }
+
+// SetPackage sets the packaging type for the app.
+// This is currently (2021-10-05) only used by Android,
+// set to "nogoogle" for the F-Droid build.
+func SetPackage(v string) { packagingType.Store(v) }
+
 func deviceModel() string {
 	s, _ := deviceModelAtomic.Load().(string)
 	return s
--- a/hostinfo/hostinfo_linux.go
+++ b/hostinfo/hostinfo_linux.go
@@ -22,13 +22,30 @@ import (
 func init() {
 	osVersion = osVersionLinux

-	if v, _ := os.ReadFile("/sys/firmware/devicetree/base/model"); len(v) > 0 {
-		// Look up "Raspberry Pi 4 Model B Rev 1.2",
-		// etc. Usually set on ARM SBCs.
-		SetDeviceModel(strings.Trim(string(v), "\x00\r\n\t "))
+	if v := linuxDeviceModel(); v != "" {
+		SetDeviceModel(v)
 	}
 }

+func linuxDeviceModel() string {
+	for _, path := range []string{
+		// First try the Synology-specific location.
+		// Example: "DS916+-j"
+		"/proc/sys/kernel/syno_hw_version",
+
+		// Otherwise, try the Devicetree model, usually set on
+		// ARM SBCs, etc.
+		// Example: "Raspberry Pi 4 Model B Rev 1.2"
+		"/sys/firmware/devicetree/base/model", // Raspberry Pi 4 Model B Rev 1.2"
+	} {
+		b, _ := os.ReadFile(path)
+		if s := strings.Trim(string(b), "\x00\r\n\t "); s != "" {
+			return s
+		}
+	}
+	return ""
+}
+
 func osVersionLinux() string {
 	dist := distro.Get()
 	propFile := "/etc/os-release"
--- a/ipn/ipnlocal/dnsconfig_test.go
+++ b/ipn/ipnlocal/dnsconfig_test.go
@@ -86,6 +86,40 @@ func TestDNSConfigForNetmap(t *testing.T) {
 				},
 			},
 		},
+		{
+			// An ephemeral node with only an IPv6 address
+			// should get IPv6 records for all its peers,
+			// even if they have IPv4.
+			name: "v6_only_self",
+			nm: &netmap.NetworkMap{
+				Name:      "myname.net",
+				Addresses: ipps("fe75::1"),
+				Peers: []*tailcfg.Node{
+					{
+						Name:      "peera.net",
+						Addresses: ipps("100.102.0.1", "100.102.0.2", "fe75::1001"),
+					},
+					{
+						Name:      "b.net",
+						Addresses: ipps("100.102.0.1", "100.102.0.2", "fe75::2"),
+					},
+					{
+						Name:      "v6-only.net",
+						Addresses: ipps("fe75::3"), // no IPv4, so we don't ignore IPv6
+					},
+				},
+			},
+			prefs: &ipn.Prefs{},
+			want: &dns.Config{
+				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+				Hosts: map[dnsname.FQDN][]netaddr.IP{
+					"b.net.":       ips("fe75::2"),
+					"myname.net.":  ips("fe75::1"),
+					"peera.net.":   ips("fe75::1001"),
+					"v6-only.net.": ips("fe75::3"),
+				},
+			},
+		},
 		{
 			name: "extra_records",
 			nm: &netmap.NetworkMap{
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -1419,6 +1419,26 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 	if err != nil {
 		return fmt.Errorf("PrefsFromBytes: %v", err)
 	}
+
+	// On mobile platforms, ignore any old stored preferences for
+	// https://login.tailscale.com as the control server that
+	// would override the new default of controlplane.tailscale.com.
+	// This makes sure that mobile clients go through the new
+	// frontends where we're (2021-10-02) doing battery
+	// optimization work ahead of turning down the old backends.
+	// TODO(bradfitz): make this the default for all platforms
+	// later. But mobile is a relatively small chunk (compared to
+	// Linux, Windows, macOS) and moving mobile early for battery
+	// gains is nice.
+	switch runtime.GOOS {
+	case "android", "ios":
+		if b.prefs != nil && b.prefs.ControlURL != "" &&
+			b.prefs.ControlURL != ipn.DefaultControlURL &&
+			ipn.IsLoginServerSynonym(b.prefs.ControlURL) {
+			b.prefs.ControlURL = ""
+		}
+	}
+
 	b.logf("backend prefs for %q: %s", key, b.prefs.Pretty())
 	return nil
 }
@@ -1797,6 +1817,10 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
 	}

+	// selfV6Only is whether we only have IPv6 addresses ourselves.
+	selfV6Only := tsaddr.PrefixesContainsFunc(nm.Addresses, tsaddr.PrefixIs6) &&
+		!tsaddr.PrefixesContainsFunc(nm.Addresses, tsaddr.PrefixIs4)
+
 	// Populate MagicDNS records. We do this unconditionally so that
 	// quad-100 can always respond to MagicDNS queries, even if the OS
 	// isn't configured to make MagicDNS resolution truly
@@ -1810,12 +1834,19 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		if err != nil {
 			return // TODO: propagate error?
 		}
-		have4 := tsaddr.PrefixesContainsFunc(addrs, func(p netaddr.IPPrefix) bool { return p.IP().Is4() })
+		have4 := tsaddr.PrefixesContainsFunc(addrs, tsaddr.PrefixIs4)
 		var ips []netaddr.IP
 		for _, addr := range addrs {
-			// Remove IPv6 addresses for now, as we don't
-			// guarantee that the peer node actually can speak
-			// IPv6 correctly.
+			if selfV6Only {
+				if addr.IP().Is6() {
+					ips = append(ips, addr.IP())
+				}
+				continue
+			}
+			// If this node has an IPv4 address, then
+			// remove peers' IPv6 addresses for now, as we
+			// don't guarantee that the peer node actually
+			// can speak IPv6 correctly.
 			//
 			// https://github.com/tailscale/tailscale/issues/1152
 			// tracks adding the right capability reporting to
@@ -1935,14 +1966,29 @@ func normalizeResolver(cfg dnstype.Resolver) dnstype.Resolver {
 	return cfg
 }

-// tailscaleVarRoot returns the root directory of Tailscale's writable
+// TailscaleVarRoot returns the root directory of Tailscale's writable
 // storage area. (e.g. "/var/lib/tailscale")
-func tailscaleVarRoot() string {
+//
+// It returns an empty string if there's no configured or discovered
+// location.
+func (b *LocalBackend) TailscaleVarRoot() string {
 	switch runtime.GOOS {
 	case "ios", "android":
 		dir, _ := paths.AppSharedDir.Load().(string)
 		return dir
 	}
+	// Temporary (2021-09-27) transitional fix for #2927 (Synology
+	// cert dir) on the way towards a more complete fix
+	// (#2932). It fixes any case where the state file is provided
+	// to tailscaled explicitly when it's not in the default
+	// location.
+	if fs, ok := b.store.(*ipn.FileStore); ok {
+		if fp := fs.Path(); fp != "" {
+			if dir := filepath.Dir(fp); strings.EqualFold(filepath.Base(dir), "tailscale") {
+				return dir
+			}
+		}
+	}
 	stateFile := paths.DefaultTailscaledStateFile()
 	if stateFile == "" {
 		return ""
@@ -1954,7 +2000,7 @@ func (b *LocalBackend) fileRootLocked(uid tailcfg.UserID) string {
 	if v := b.directFileRoot; v != "" {
 		return v
 	}
-	varRoot := tailscaleVarRoot()
+	varRoot := b.TailscaleVarRoot()
 	if varRoot == "" {
 		b.logf("peerapi disabled; no state directory")
 		return ""
@@ -2229,24 +2275,6 @@ func applyPrefsToHostinfo(hi *tailcfg.Hostinfo, prefs *ipn.Prefs) {
 	if h := prefs.Hostname; h != "" {
 		hi.Hostname = h
 	}
-	if v := prefs.OSVersion; v != "" {
-		hi.OSVersion = v
-
-		// The Android app annotates when Google Play Services
-		// aren't available by tacking on a string to the
-		// OSVersion. Promote that to the Hostinfo.Package
-		// field instead, rather than adding a new pref, as
-		// this applyPrefsToHostinfo mechanism is mostly
-		// abused currently. TODO(bradfitz): instead let
-		// frontends update Hostinfo, without using Prefs.
-		if runtime.GOOS == "android" && strings.HasSuffix(v, " [nogoogle]") {
-			hi.Package = "nogoogle"
-			hi.OSVersion = strings.TrimSuffix(v, " [nogoogle]")
-		}
-	}
-	if m := prefs.DeviceModel; m != "" {
-		hi.DeviceModel = m
-	}
 	hi.RoutableIPs = append(prefs.AdvertiseRoutes[:0:0], prefs.AdvertiseRoutes...)
 	hi.RequestTags = append(prefs.AdvertiseTags[:0:0], prefs.AdvertiseTags...)
 	hi.ShieldsUp = prefs.ShieldsUp
@@ -2548,6 +2576,12 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	}
 	b.maybePauseControlClientLocked()

+	if nm != nil {
+		health.SetControlHealth(nm.ControlHealth)
+	} else {
+		health.SetControlHealth(nil)
+	}
+
 	// Determine if file sharing is enabled
 	fs := hasCapability(nm, tailcfg.CapabilityFileSharing)
 	if fs != b.capFileSharing {
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -20,6 +20,7 @@ import (
 	"os/exec"
 	"os/signal"
 	"os/user"
+	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
@@ -34,9 +35,11 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/localapi"
+	"tailscale.com/ipn/store/aws"
 	"tailscale.com/log/filelogger"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/netstat"
+	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
@@ -581,6 +584,28 @@ func (s *server) writeToClients(n ipn.Notify) {
 	}
 }

+// tryWindowsAppDataMigration attempts to copy the Windows state file
+// from its old location to the new location. (Issue 2856)
+//
+// Tailscale 1.14 and before stored state under %LocalAppData%
+// (usually "C:\WINDOWS\system32\config\systemprofile\AppData\Local"
+// when tailscaled.exe is running as a non-user system service).
+// However it is frequently cleared for almost any reason: Windows
+// updates, System Restore, even various System Cleaner utilities.
+//
+// Returns a string of the path to use for the state file.
+// This will be a fallback %LocalAppData% path if migration fails,
+// a %ProgramData% path otherwise.
+func tryWindowsAppDataMigration(logf logger.Logf, path string) string {
+	if path != paths.DefaultTailscaledStateFile() {
+		// If they're specifying a non-default path, just trust that they know
+		// what they are doing.
+		return path
+	}
+	oldFile := filepath.Join(os.Getenv("LocalAppData"), "Tailscale", "server-state.conf")
+	return paths.TryConfigFileMigration(logf, oldFile, path)
+}
+
 // Run runs a Tailscale backend service.
 // The getEngine func is called repeatedly, once per connection, until it returns an engine successfully.
 func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (wgengine.Engine, error), opts Options) error {
@@ -599,7 +624,7 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 		resetOnZero:  !opts.SurviveDisconnects,
 	}

-	// When the context is closed or when we return, whichever is first, close our listner
+	// When the context is closed or when we return, whichever is first, close our listener
 	// and all open connections.
 	go func() {
 		select {
@@ -614,23 +639,33 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	var store ipn.StateStore
 	if opts.StatePath != "" {
 		const kubePrefix = "kube:"
+		const arnPrefix = "arn:"
+		path := opts.StatePath
 		switch {
-		case strings.HasPrefix(opts.StatePath, kubePrefix):
-			secretName := strings.TrimPrefix(opts.StatePath, kubePrefix)
+		case strings.HasPrefix(path, kubePrefix):
+			secretName := strings.TrimPrefix(path, kubePrefix)
 			store, err = ipn.NewKubeStore(secretName)
 			if err != nil {
 				return fmt.Errorf("ipn.NewKubeStore(%q): %v", secretName, err)
 			}
-		default:
-			store, err = ipn.NewFileStore(opts.StatePath)
+		case strings.HasPrefix(path, arnPrefix):
+			store, err = aws.NewStore(path)
 			if err != nil {
-				return fmt.Errorf("ipn.NewFileStore(%q): %v", opts.StatePath, err)
+				return fmt.Errorf("aws.NewStore(%q): %v", path, err)
+			}
+		default:
+			if runtime.GOOS == "windows" {
+				path = tryWindowsAppDataMigration(logf, path)
+			}
+			store, err = ipn.NewFileStore(path)
+			if err != nil {
+				return fmt.Errorf("ipn.NewFileStore(%q): %v", path, err)
 			}
 		}
 		if opts.AutostartStateKey == "" {
 			autoStartKey, err := store.ReadState(ipn.ServerModeStartKey)
 			if err != nil && err != ipn.ErrStateNotExist {
-				return fmt.Errorf("calling ReadState on %s: %w", opts.StatePath, err)
+				return fmt.Errorf("calling ReadState on %s: %w", path, err)
 			}
 			key := string(autoStartKey)
 			if strings.HasPrefix(key, "user-") {
--- a/ipn/localapi/cert.go
+++ b/ipn/localapi/cert.go
@@ -36,7 +36,6 @@ import (

 	"golang.org/x/crypto/acme"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/paths"
 	"tailscale.com/types/logger"
 )

@@ -53,11 +52,11 @@ var (
 )

 func (h *Handler) certDir() (string, error) {
-	base := paths.DefaultTailscaledStateFile()
-	if base == "" {
-		return "", errors.New("no default DefaultTailscaledStateFile")
+	d := h.b.TailscaleVarRoot()
+	if d == "" {
+		return "", errors.New("no TailscaleVarRoot")
 	}
-	full := filepath.Join(filepath.Dir(base), "certs")
+	full := filepath.Join(d, "certs")
 	if err := os.MkdirAll(full, 0700); err != nil {
 		return "", err
 	}
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -28,6 +28,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/netknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
@@ -94,6 +95,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveWhoIs(w, r)
 	case "/localapi/v0/goroutines":
 		h.serveGoroutines(w, r)
+	case "/localapi/v0/profile":
+		h.serveProfile(w, r)
 	case "/localapi/v0/status":
 		h.serveStatus(w, r)
 	case "/localapi/v0/logout":
@@ -181,6 +184,24 @@ func (h *Handler) serveGoroutines(w http.ResponseWriter, r *http.Request) {
 	w.Write(buf)
 }

+// serveProfileFunc is the implementation of Handler.serveProfile, after auth,
+// for platforms where we want to link it in.
+var serveProfileFunc func(http.ResponseWriter, *http.Request)
+
+func (h *Handler) serveProfile(w http.ResponseWriter, r *http.Request) {
+	// Require write access out of paranoia that the profile dump
+	// might contain something sensitive.
+	if !h.PermitWrite {
+		http.Error(w, "profile access denied", http.StatusForbidden)
+		return
+	}
+	if serveProfileFunc == nil {
+		http.Error(w, "not implemented on this platform", http.StatusServiceUnavailable)
+		return
+	}
+	serveProfileFunc(w, r)
+}
+
 func (h *Handler) serveCheckIPForwarding(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "IP forwarding check access denied", http.StatusForbidden)
@@ -433,7 +454,7 @@ func getDialPeerTransport(b *ipnlocal.LocalBackend) *http.Transport {
 		t.Dial = nil
 		dialer := net.Dialer{
 			Timeout:   30 * time.Second,
-			KeepAlive: 30 * time.Second,
+			KeepAlive: netknob.PlatformTCPKeepAlive(),
 			Control:   b.PeerDialControlFunc(),
 		}
 		t.DialContext = dialer.DialContext
--- a/ipn/localapi/profile.go
+++ b/ipn/localapi/profile.go
@@ -0,0 +1,30 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !ios && !android
+// +build !ios,!android
+
+// We don't include it on mobile where we're more memory constrained and
+// there's no CLI to get at the results anyway.
+
+package localapi
+
+import (
+	"net/http"
+	"net/http/pprof"
+)
+
+func init() {
+	serveProfileFunc = serveProfile
+}
+
+func serveProfile(w http.ResponseWriter, r *http.Request) {
+	name := r.FormValue("name")
+	switch name {
+	case "profile":
+		pprof.Profile(w, r)
+	default:
+		pprof.Handler(name).ServeHTTP(w, r)
+	}
+}
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -260,10 +260,10 @@ func (bc *BackendClient) send(cmd Command) {
 	cmd.Version = version.Long
 	b, err := json.Marshal(cmd)
 	if err != nil {
-		log.Fatalf("Failed json.Marshal(cmd): %v\n%#v\n", err, cmd)
+		log.Fatalf("Failed json.Marshal(cmd): %v\n", err)
 	}
 	if bytes.Contains(b, jsonEscapedZero) {
-		log.Printf("[unexpected] zero byte in BackendClient.send command: %q", b)
+		log.Printf("[unexpected] zero byte in BackendClient.send command")
 	}
 	bc.sendCommandMsg(b)
 }
--- a/ipn/policy/policy.go
+++ b/ipn/policy/policy.go
@@ -36,7 +36,7 @@ func IsInterestingService(s tailcfg.Service, os string) bool {
 		5900,  // vnc
 		32400, // plex

-		// And now some arbitary HTTP dev server ports:
+		// And now some arbitrary HTTP dev server ports:
 		// Eventually we'll remove this and make all ports
 		// work, once we nicely filter away noisy system
 		// ports.
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -127,12 +127,6 @@ type Prefs struct {
 	// not set, os.Hostname is used.
 	Hostname string

-	// OSVersion overrides tailcfg.Hostinfo's OSVersion.
-	OSVersion string
-
-	// DeviceModel overrides tailcfg.Hostinfo's DeviceModel.
-	DeviceModel string
-
 	// NotepadURLs is a debugging setting that opens OAuth URLs in
 	// notepad.exe on Windows, rather than loading them in a browser.
 	//
@@ -204,8 +198,6 @@ type MaskedPrefs struct {
 	ShieldsUpSet              bool `json:",omitempty"`
 	AdvertiseTagsSet          bool `json:",omitempty"`
 	HostnameSet               bool `json:",omitempty"`
-	OSVersionSet              bool `json:",omitempty"`
-	DeviceModelSet            bool `json:",omitempty"`
 	NotepadURLsSet            bool `json:",omitempty"`
 	ForceDaemonSet            bool `json:",omitempty"`
 	AdvertiseRoutesSet        bool `json:",omitempty"`
@@ -242,6 +234,20 @@ func (m *MaskedPrefs) Pretty() string {
 	mt := mv.Type()
 	mpv := reflect.ValueOf(&m.Prefs).Elem()
 	first := true
+
+	format := func(v reflect.Value) string {
+		switch v.Type().Kind() {
+		case reflect.String:
+			return "%s=%q"
+		case reflect.Slice:
+			// []string
+			if v.Type().Elem().Kind() == reflect.String {
+				return "%s=%q"
+			}
+		}
+		return "%s=%v"
+	}
+
 	for i := 1; i < mt.NumField(); i++ {
 		name := mt.Field(i).Name
 		if mv.Field(i).Bool() {
@@ -249,9 +255,10 @@ func (m *MaskedPrefs) Pretty() string {
 				sb.WriteString(" ")
 			}
 			first = false
-			fmt.Fprintf(&sb, "%s=%#v",
+			f := mpv.Field(i - 1)
+			fmt.Fprintf(&sb, format(f),
 				strings.TrimSuffix(name, "Set"),
-				mpv.Field(i-1).Interface())
+				f.Interface())
 		}
 	}
 	sb.WriteString("}")
@@ -349,8 +356,6 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.NetfilterMode == p2.NetfilterMode &&
 		p.OperatorUser == p2.OperatorUser &&
 		p.Hostname == p2.Hostname &&
-		p.OSVersion == p2.OSVersion &&
-		p.DeviceModel == p2.DeviceModel &&
 		p.ForceDaemon == p2.ForceDaemon &&
 		compareIPNets(p.AdvertiseRoutes, p2.AdvertiseRoutes) &&
 		compareStrings(p.AdvertiseTags, p2.AdvertiseTags) &&
--- a/ipn/prefs_clone.go
+++ b/ipn/prefs_clone.go
@@ -45,8 +45,6 @@ var _PrefsCloneNeedsRegeneration = Prefs(struct {
 	ShieldsUp              bool
 	AdvertiseTags          []string
 	Hostname               string
-	OSVersion              string
-	DeviceModel            string
 	NotepadURLs            bool
 	ForceDaemon            bool
 	AdvertiseRoutes        []netaddr.IPPrefix
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -46,8 +46,6 @@ func TestPrefsEqual(t *testing.T) {
 		"ShieldsUp",
 		"AdvertiseTags",
 		"Hostname",
-		"OSVersion",
-		"DeviceModel",
 		"NotepadURLs",
 		"ForceDaemon",
 		"AdvertiseRoutes",
@@ -562,8 +560,8 @@ func TestPrefsApplyEdits(t *testing.T) {
 			},
 			edit: &MaskedPrefs{
 				Prefs: Prefs{
-					Hostname:    "bar",
-					DeviceModel: "ignore-this", // not set
+					Hostname:     "bar",
+					OperatorUser: "ignore-this", // not set
 				},
 				HostnameSet: true,
 			},
@@ -576,15 +574,15 @@ func TestPrefsApplyEdits(t *testing.T) {
 			prefs: &Prefs{},
 			edit: &MaskedPrefs{
 				Prefs: Prefs{
-					Hostname:    "bar",
-					DeviceModel: "galaxybrain",
+					Hostname:     "bar",
+					OperatorUser: "galaxybrain",
 				},
-				HostnameSet:    true,
-				DeviceModelSet: true,
+				HostnameSet:     true,
+				OperatorUserSet: true,
 			},
 			want: &Prefs{
-				Hostname:    "bar",
-				DeviceModel: "galaxybrain",
+				Hostname:     "bar",
+				OperatorUser: "galaxybrain",
 			},
 		},
 	}
@@ -614,15 +612,30 @@ func TestMaskedPrefsPretty(t *testing.T) {
 			m: &MaskedPrefs{
 				Prefs: Prefs{
 					Hostname:         "bar",
-					DeviceModel:      "galaxybrain",
+					OperatorUser:     "galaxybrain",
 					AllowSingleHosts: true,
 					RouteAll:         false,
+					ExitNodeID:       "foo",
+					AdvertiseTags:    []string{"tag:foo", "tag:bar"},
+					NetfilterMode:    preftype.NetfilterNoDivert,
 				},
-				RouteAllSet:    true,
-				HostnameSet:    true,
-				DeviceModelSet: true,
+				RouteAllSet:      true,
+				HostnameSet:      true,
+				OperatorUserSet:  true,
+				ExitNodeIDSet:    true,
+				AdvertiseTagsSet: true,
+				NetfilterModeSet: true,
 			},
-			want: `MaskedPrefs{RouteAll=false Hostname="bar" DeviceModel="galaxybrain"}`,
+			want: `MaskedPrefs{RouteAll=false ExitNodeID="foo" AdvertiseTags=["tag:foo" "tag:bar"] Hostname="bar" NetfilterMode=nodivert OperatorUser="galaxybrain"}`,
+		},
+		{
+			m: &MaskedPrefs{
+				Prefs: Prefs{
+					ExitNodeIP: netaddr.IPv4(100, 102, 104, 105),
+				},
+				ExitNodeIPSet: true,
+			},
+			want: `MaskedPrefs{ExitNodeIP=100.102.104.105}`,
 		},
 	}
 	for i, tt := range tests {
--- a/ipn/store.go
+++ b/ipn/store.go
@@ -19,6 +19,7 @@ import (

 	"tailscale.com/atomicfile"
 	"tailscale.com/kube"
+	"tailscale.com/paths"
 )

 // ErrStateNotExist is returned by StateStore.ReadState when the
@@ -157,6 +158,26 @@ func (s *MemoryStore) WriteState(id StateKey, bs []byte) error {
 	return nil
 }

+// LoadFromJSON attempts to unmarshal json content into the
+// in-memory cache.
+func (s *MemoryStore) LoadFromJSON(data []byte) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return json.Unmarshal(data, &s.cache)
+}
+
+// ExportToJSON exports the content of the cache to
+// JSON formatted []byte.
+func (s *MemoryStore) ExportToJSON() ([]byte, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if len(s.cache) == 0 {
+		// Avoid "null" serialization.
+		return []byte("{}"), nil
+	}
+	return json.MarshalIndent(s.cache, "", "  ")
+}
+
 // FileStore is a StateStore that uses a JSON file for persistence.
 type FileStore struct {
 	path string
@@ -165,10 +186,18 @@ type FileStore struct {
 	cache map[StateKey][]byte
 }

+// Path returns the path that NewFileStore was called with.
+func (s *FileStore) Path() string { return s.path }
+
 func (s *FileStore) String() string { return fmt.Sprintf("FileStore(%q)", s.path) }

 // NewFileStore returns a new file store that persists to path.
 func NewFileStore(path string) (*FileStore, error) {
+	// We unconditionally call this to ensure that our perms are correct
+	if err := paths.MkStateDir(filepath.Dir(path)); err != nil {
+		return nil, fmt.Errorf("creating state directory: %w", err)
+	}
+
 	bs, err := ioutil.ReadFile(path)

 	// Treat an empty file as a missing file.
@@ -182,7 +211,6 @@ func NewFileStore(path string) (*FileStore, error) {
 		if os.IsNotExist(err) {
 			// Write out an initial file, to verify that we can write
 			// to the path.
-			os.MkdirAll(filepath.Dir(path), 0755) // best effort
 			if err = atomicfile.WriteFile(path, []byte("{}"), 0600); err != nil {
 				return nil, err
 			}
--- a/ipn/store/aws/store_aws.go
+++ b/ipn/store/aws/store_aws.go
@@ -0,0 +1,175 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+// +build linux
+
+// Package aws contains an AWS SSM StateStore implementation.
+package aws
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"regexp"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	ssmTypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
+	"tailscale.com/ipn"
+)
+
+const (
+	parameterNameRxStr = `^parameter/(.*)`
+)
+
+var parameterNameRx = regexp.MustCompile(parameterNameRxStr)
+
+// awsSSMClient is an interface allowing us to mock the couple of
+// API calls we are leveraging with the AWSStore provider
+type awsSSMClient interface {
+	GetParameter(ctx context.Context,
+		params *ssm.GetParameterInput,
+		optFns ...func(*ssm.Options)) (*ssm.GetParameterOutput, error)
+
+	PutParameter(ctx context.Context,
+		params *ssm.PutParameterInput,
+		optFns ...func(*ssm.Options)) (*ssm.PutParameterOutput, error)
+}
+
+// store is a store which leverages AWS SSM parameter store
+// to persist the state
+type awsStore struct {
+	ssmClient awsSSMClient
+	ssmARN    arn.ARN
+
+	memory ipn.MemoryStore
+}
+
+// NewStore returns a new ipn.StateStore using the AWS SSM storage
+// location given by ssmARN.
+func NewStore(ssmARN string) (ipn.StateStore, error) {
+	return newStore(ssmARN, nil)
+}
+
+// newStore is NewStore, but for tests. If client is non-nil, it's
+// used instead of making one.
+func newStore(ssmARN string, client awsSSMClient) (ipn.StateStore, error) {
+	s := &awsStore{
+		ssmClient: client,
+	}
+
+	var err error
+
+	// Parse the ARN
+	if s.ssmARN, err = arn.Parse(ssmARN); err != nil {
+		return nil, fmt.Errorf("unable to parse the ARN correctly: %v", err)
+	}
+
+	// Validate the ARN corresponds to the SSM service
+	if s.ssmARN.Service != "ssm" {
+		return nil, fmt.Errorf("invalid service %q, expected 'ssm'", s.ssmARN.Service)
+	}
+
+	// Validate the ARN corresponds to a parameter store resource
+	if !parameterNameRx.MatchString(s.ssmARN.Resource) {
+		return nil, fmt.Errorf("invalid resource %q, expected to match %v", s.ssmARN.Resource, parameterNameRxStr)
+	}
+
+	if s.ssmClient == nil {
+		var cfg aws.Config
+		if cfg, err = config.LoadDefaultConfig(
+			context.TODO(),
+			config.WithRegion(s.ssmARN.Region),
+		); err != nil {
+			return nil, err
+		}
+		s.ssmClient = ssm.NewFromConfig(cfg)
+	}
+
+	// Hydrate cache with the potentially current state
+	if err := s.LoadState(); err != nil {
+		return nil, err
+	}
+	return s, nil
+
+}
+
+// LoadState attempts to read the state from AWS SSM parameter store key.
+func (s *awsStore) LoadState() error {
+	param, err := s.ssmClient.GetParameter(
+		context.TODO(),
+		&ssm.GetParameterInput{
+			Name:           aws.String(s.ParameterName()),
+			WithDecryption: true,
+		},
+	)
+
+	if err != nil {
+		var pnf *ssmTypes.ParameterNotFound
+		if errors.As(err, &pnf) {
+			// Create the parameter as it does not exist yet
+			// and return directly as it is defacto empty
+			return s.persistState()
+		}
+		return err
+	}
+
+	// Load the content in-memory
+	return s.memory.LoadFromJSON([]byte(*param.Parameter.Value))
+}
+
+// ParameterName returns the parameter name extracted from
+// the provided ARN
+func (s *awsStore) ParameterName() (name string) {
+	values := parameterNameRx.FindStringSubmatch(s.ssmARN.Resource)
+	if len(values) == 2 {
+		name = values[1]
+	}
+	return
+}
+
+// String returns the awsStore and the ARN of the SSM parameter store
+// configured to store the state
+func (s *awsStore) String() string { return fmt.Sprintf("awsStore(%q)", s.ssmARN.String()) }
+
+// ReadState implements the Store interface.
+func (s *awsStore) ReadState(id ipn.StateKey) (bs []byte, err error) {
+	return s.memory.ReadState(id)
+}
+
+// WriteState implements the Store interface.
+func (s *awsStore) WriteState(id ipn.StateKey, bs []byte) (err error) {
+	// Write the state in-memory
+	if err = s.memory.WriteState(id, bs); err != nil {
+		return
+	}
+
+	// Persist the state in AWS SSM parameter store
+	return s.persistState()
+}
+
+// PersistState saves the states into the AWS SSM parameter store
+func (s *awsStore) persistState() error {
+	// Generate JSON from in-memory cache
+	bs, err := s.memory.ExportToJSON()
+	if err != nil {
+		return err
+	}
+
+	// Store in AWS SSM parameter store
+	_, err = s.ssmClient.PutParameter(
+		context.TODO(),
+		&ssm.PutParameterInput{
+			Name:      aws.String(s.ParameterName()),
+			Value:     aws.String(string(bs)),
+			Overwrite: true,
+			Tier:      ssmTypes.ParameterTierStandard,
+			Type:      ssmTypes.ParameterTypeSecureString,
+		},
+	)
+	return err
+}
--- a/ipn/store/aws/store_aws_stub.go
+++ b/ipn/store/aws/store_aws_stub.go
@@ -0,0 +1,19 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !linux
+// +build !linux
+
+package aws
+
+import (
+	"fmt"
+	"runtime"
+
+	"tailscale.com/ipn"
+)
+
+func NewStore(string) (ipn.StateStore, error) {
+	return nil, fmt.Errorf("AWS store is not supported on %v", runtime.GOOS)
+}
--- a/ipn/store/aws/store_aws_test.go
+++ b/ipn/store/aws/store_aws_test.go
@@ -0,0 +1,166 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+// +build linux
+
+package aws
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	ssmTypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
+	"tailscale.com/ipn"
+	"tailscale.com/tstest"
+)
+
+type mockedAWSSSMClient struct {
+	value string
+}
+
+func (sp *mockedAWSSSMClient) GetParameter(_ context.Context, input *ssm.GetParameterInput, _ ...func(*ssm.Options)) (*ssm.GetParameterOutput, error) {
+	output := new(ssm.GetParameterOutput)
+	if sp.value == "" {
+		return output, &ssmTypes.ParameterNotFound{}
+	}
+
+	output.Parameter = &ssmTypes.Parameter{
+		Value: aws.String(sp.value),
+	}
+
+	return output, nil
+}
+
+func (sp *mockedAWSSSMClient) PutParameter(_ context.Context, input *ssm.PutParameterInput, _ ...func(*ssm.Options)) (*ssm.PutParameterOutput, error) {
+	sp.value = *input.Value
+	return new(ssm.PutParameterOutput), nil
+}
+
+func TestAWSStoreString(t *testing.T) {
+	store := &awsStore{
+		ssmARN: arn.ARN{
+			Service:   "ssm",
+			Region:    "eu-west-1",
+			AccountID: "123456789",
+			Resource:  "parameter/foo",
+		},
+	}
+	want := "awsStore(\"arn::ssm:eu-west-1:123456789:parameter/foo\")"
+	if got := store.String(); got != want {
+		t.Errorf("AWSStore.String = %q; want %q", got, want)
+	}
+}
+
+func TestNewAWSStore(t *testing.T) {
+	tstest.PanicOnLog()
+
+	mc := &mockedAWSSSMClient{}
+	storeParameterARN := arn.ARN{
+		Service:   "ssm",
+		Region:    "eu-west-1",
+		AccountID: "123456789",
+		Resource:  "parameter/foo",
+	}
+
+	s, err := newStore(storeParameterARN.String(), mc)
+	if err != nil {
+		t.Fatalf("creating aws store failed: %v", err)
+	}
+	testStoreSemantics(t, s)
+
+	// Build a brand new file store and check that both IDs written
+	// above are still there.
+	s2, err := newStore(storeParameterARN.String(), mc)
+	if err != nil {
+		t.Fatalf("creating second aws store failed: %v", err)
+	}
+	store2 := s.(*awsStore)
+
+	// This is specific to the test, with the non-mocked API, LoadState() should
+	// have been already called and successful as no err is returned from NewAWSStore()
+	s2.(*awsStore).LoadState()
+
+	expected := map[ipn.StateKey]string{
+		"foo": "bar",
+		"baz": "quux",
+	}
+	for id, want := range expected {
+		bs, err := store2.ReadState(id)
+		if err != nil {
+			t.Errorf("reading %q (2nd store): %v", id, err)
+		}
+		if string(bs) != want {
+			t.Errorf("reading %q (2nd store): got %q, want %q", id, string(bs), want)
+		}
+	}
+}
+
+func testStoreSemantics(t *testing.T, store ipn.StateStore) {
+	t.Helper()
+
+	tests := []struct {
+		// if true, data is data to write. If false, data is expected
+		// output of read.
+		write bool
+		id    ipn.StateKey
+		data  string
+		// If write=false, true if we expect a not-exist error.
+		notExists bool
+	}{
+		{
+			id:        "foo",
+			notExists: true,
+		},
+		{
+			write: true,
+			id:    "foo",
+			data:  "bar",
+		},
+		{
+			id:   "foo",
+			data: "bar",
+		},
+		{
+			id:        "baz",
+			notExists: true,
+		},
+		{
+			write: true,
+			id:    "baz",
+			data:  "quux",
+		},
+		{
+			id:   "foo",
+			data: "bar",
+		},
+		{
+			id:   "baz",
+			data: "quux",
+		},
+	}
+
+	for _, test := range tests {
+		if test.write {
+			if err := store.WriteState(test.id, []byte(test.data)); err != nil {
+				t.Errorf("writing %q to %q: %v", test.data, test.id, err)
+			}
+		} else {
+			bs, err := store.ReadState(test.id)
+			if err != nil {
+				if test.notExists && err == ipn.ErrStateNotExist {
+					continue
+				}
+				t.Errorf("reading %q: %v", test.id, err)
+				continue
+			}
+			if string(bs) != test.data {
+				t.Errorf("reading %q: got %q, want %q", test.id, string(bs), test.data)
+			}
+		}
+	}
+}
--- a/ipn/store_test.go
+++ b/ipn/store_test.go
@@ -5,8 +5,7 @@
 package ipn

 import (
-	"io/ioutil"
-	"os"
+	"path/filepath"
 	"testing"

 	"tailscale.com/tstest"
@@ -87,15 +86,8 @@ func TestMemoryStore(t *testing.T) {
 func TestFileStore(t *testing.T) {
 	tstest.PanicOnLog()

-	f, err := ioutil.TempFile("", "test_ipn_store")
-	if err != nil {
-		t.Fatal(err)
-	}
-	path := f.Name()
-	f.Close()
-	if err := os.Remove(path); err != nil {
-		t.Fatal(err)
-	}
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test-file-store.conf")

 	store, err := NewFileStore(path)
 	if err != nil {
@@ -115,13 +107,14 @@ func TestFileStore(t *testing.T) {
 		"foo": "bar",
 		"baz": "quux",
 	}
-	for id, want := range expected {
-		bs, err := store.ReadState(id)
+	for key, want := range expected {
+		bs, err := store.ReadState(key)
 		if err != nil {
-			t.Errorf("reading %q (2nd store): %v", id, err)
+			t.Errorf("reading %q (2nd store): %v", key, err)
+			continue
 		}
 		if string(bs) != want {
-			t.Errorf("reading %q (2nd store): got %q, want %q", id, string(bs), want)
+			t.Errorf("reading %q (2nd store): got %q, want %q", key, bs, want)
 		}
 	}
 }
--- a/log/filelogger/log.go
+++ b/log/filelogger/log.go
@@ -36,7 +36,7 @@ func New(fileBasePrefix, logID string, logf logger.Logf) logger.Logf {
 	if logf == nil {
 		panic("nil logf")
 	}
-	dir := filepath.Join(os.Getenv("LocalAppData"), "Tailscale", "Logs")
+	dir := filepath.Join(os.Getenv("ProgramData"), "Tailscale", "Logs")

 	if err := os.MkdirAll(dir, 0700); err != nil {
 		log.Printf("failed to create local log directory; not writing logs to disk: %v", err)
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -31,6 +31,7 @@ import (
 	"tailscale.com/atomicfile"
 	"tailscale.com/logtail"
 	"tailscale.com/logtail/filch"
+	"tailscale.com/net/netknob"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
@@ -135,12 +136,33 @@ func logsDir(logf logger.Logf) string {
 		}
 	}

-	// STATE_DIRECTORY is set by systemd 240+ but we support older
-	// systems-d. For example, Ubuntu 18.04 (Bionic Beaver) is 237.
-	systemdStateDir := os.Getenv("STATE_DIRECTORY")
-	if systemdStateDir != "" {
-		logf("logpolicy: using $STATE_DIRECTORY, %q", systemdStateDir)
-		return systemdStateDir
+	switch runtime.GOOS {
+	case "windows":
+		if version.CmdName() == "tailscaled" {
+			// In the common case, when tailscaled is run as the Local System (as a service),
+			// we want to use %ProgramData% (C:\ProgramData\Tailscale), aside the
+			// system state config with the machine key, etc. But if that directory's
+			// not accessible, then it's probably because the user is running tailscaled
+			// as a regular user (perhaps in userspace-networking/SOCK5 mode) and we should
+			// just use the %LocalAppData% instead. In a user context, %LocalAppData% isn't
+			// subject to random deletions from Windows system updates.
+			dir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
+			if winProgramDataAccessible(dir) {
+				logf("logpolicy: using dir %v", dir)
+				return dir
+			}
+		}
+		dir := filepath.Join(os.Getenv("LocalAppData"), "Tailscale")
+		logf("logpolicy: using LocalAppData dir %v", dir)
+		return dir
+	case "linux":
+		// STATE_DIRECTORY is set by systemd 240+ but we support older
+		// systems-d. For example, Ubuntu 18.04 (Bionic Beaver) is 237.
+		systemdStateDir := os.Getenv("STATE_DIRECTORY")
+		if systemdStateDir != "" {
+			logf("logpolicy: using $STATE_DIRECTORY, %q", systemdStateDir)
+			return systemdStateDir
+		}
 	}

 	// Default to e.g. /var/lib/tailscale or /var/db/tailscale on Unix.
@@ -191,6 +213,23 @@ func redirectStderrToLogPanics() bool {
 	return runningUnderSystemd() || os.Getenv("TS_PLEASE_PANIC") != ""
 }

+// winProgramDataAccessible reports whether the directory (assumed to
+// be a Windows %ProgramData% directory) is accessible to the current
+// process. It's created if needed.
+func winProgramDataAccessible(dir string) bool {
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		// TODO: windows ACLs
+		return false
+	}
+	// The C:\ProgramData\Tailscale directory should be locked down
+	// by with ACLs to only be readable by the local system so a
+	// regular user shouldn't be able to do this operation:
+	if _, err := os.ReadDir(dir); err != nil {
+		return false
+	}
+	return true
+}
+
 // tryFixLogStateLocation is a temporary fixup for
 // https://github.com/tailscale/tailscale/issues/247 . We accidentally
 // wrote logging state files to /, and then later to $CACHE_DIRECTORY
@@ -199,7 +238,7 @@ func redirectStderrToLogPanics() bool {
 //
 // If log state for cmdname exists in / or $CACHE_DIRECTORY, and no
 // log state for that command exists in dir, then the log state is
-// moved from whereever it does exist, into dir. Leftover logs state
+// moved from wherever it does exist, into dir. Leftover logs state
 // in / and $CACHE_DIRECTORY is deleted.
 func tryFixLogStateLocation(dir, cmdname string) {
 	switch runtime.GOOS {
@@ -372,14 +411,44 @@ func New(collection string) *Policy {

 	cfgPath := filepath.Join(dir, fmt.Sprintf("%s.log.conf", cmdName))

-	// The Windows service previously ran as tailscale-ipn.exe, so
-	// let's keep using that log base name if it exists.
-	if runtime.GOOS == "windows" && cmdName == "tailscaled" {
-		const oldCmdName = "tailscale-ipn"
-		oldPath := filepath.Join(dir, oldCmdName+".log.conf")
-		if fi, err := os.Stat(oldPath); err == nil && fi.Mode().IsRegular() {
-			cfgPath = oldPath
-			cmdName = oldCmdName
+	if runtime.GOOS == "windows" {
+		switch cmdName {
+		case "tailscaled":
+			// Tailscale 1.14 and before stored state under %LocalAppData%
+			// (usually "C:\WINDOWS\system32\config\systemprofile\AppData\Local"
+			// when tailscaled.exe is running as a non-user system service).
+			// However it is frequently cleared for almost any reason: Windows
+			// updates, System Restore, even various System Cleaner utilities.
+			//
+			// The Windows service previously ran as tailscale-ipn.exe, so
+			// machines which ran very old versions might still have their
+			// log conf named %LocalAppData%\tailscale-ipn.log.conf
+			//
+			// Machines which started using Tailscale more recently will have
+			// %LocalAppData%\tailscaled.log.conf
+			//
+			// Attempt to migrate the log conf to C:\ProgramData\Tailscale
+			oldDir := filepath.Join(os.Getenv("LocalAppData"), "Tailscale")
+
+			oldPath := filepath.Join(oldDir, "tailscaled.log.conf")
+			if fi, err := os.Stat(oldPath); err != nil || !fi.Mode().IsRegular() {
+				// *Only* if tailscaled.log.conf does not exist,
+				// check for tailscale-ipn.log.conf
+				oldPathOldCmd := filepath.Join(oldDir, "tailscale-ipn.log.conf")
+				if fi, err := os.Stat(oldPathOldCmd); err == nil && fi.Mode().IsRegular() {
+					oldPath = oldPathOldCmd
+				}
+			}
+
+			cfgPath = paths.TryConfigFileMigration(earlyLogf, oldPath, cfgPath)
+		case "tailscale-ipn":
+			for _, oldBase := range []string{"wg64.log.conf", "wg32.log.conf"} {
+				oldConf := filepath.Join(dir, oldBase)
+				if fi, err := os.Stat(oldConf); err == nil && fi.Mode().IsRegular() {
+					cfgPath = paths.TryConfigFileMigration(earlyLogf, oldConf, cfgPath)
+					break
+				}
+			}
 		}
 	}

@@ -514,7 +583,7 @@ func newLogtailTransport(host string) *http.Transport {
 	tr.DialContext = func(ctx context.Context, netw, addr string) (net.Conn, error) {
 		nd := netns.FromDialer(&net.Dialer{
 			Timeout:   30 * time.Second,
-			KeepAlive: 30 * time.Second,
+			KeepAlive: netknob.PlatformTCPKeepAlive(),
 		})
 		t0 := time.Now()
 		c, err := nd.DialContext(ctx, netw, addr)
--- a/net/dns/flush_default.go
+++ b/net/dns/flush_default.go
@@ -0,0 +1,12 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !windows
+// +build !windows
+
+package dns
+
+func flushCaches() error {
+	return nil
+}
--- a/net/dns/flush_windows.go
+++ b/net/dns/flush_windows.go
@@ -9,11 +9,20 @@ import (
 	"os/exec"
 )

-// Flush clears the local resolver cache.
-func Flush() error {
+func flushCaches() error {
 	out, err := exec.Command("ipconfig", "/flushdns").CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("%v (output: %s)", err, out)
 	}
 	return nil
 }
+
+// Flush clears the local resolver cache.
+//
+// Only Windows has a public dns.Flush, needed in router_windows.go. Other
+// platforms like Linux need a different flush implementation depending on
+// the DNS manager. There is a FlushCaches method on the manager which
+// can be used on all platforms.
+func Flush() error {
+	return flushCaches()
+}
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -212,6 +212,10 @@ func (m *Manager) Down() error {
 	return nil
 }

+func (m *Manager) FlushCaches() error {
+	return flushCaches()
+}
+
 // Cleanup restores the system DNS configuration to its original state
 // in case the Tailscale daemon terminated without closing the router.
 // No other state needs to be instantiated before this runs.
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -74,6 +74,15 @@ func getTxID(packet []byte) txid {
 	return txid(dnsid)
 }

+func getRCode(packet []byte) dns.RCode {
+	if len(packet) < headerBytes {
+		// treat invalid packets as a refusal
+		return dns.RCode(5)
+	}
+	// get bottom 4 bits of 3rd byte
+	return dns.RCode(packet[3] & 0x0F)
+}
+
 // clampEDNSSize attempts to limit the maximum EDNS response size. This is not
 // an exhaustive solution, instead only easy cases are currently handled in the
 // interest of speed and reduced complexity. Only OPT records at the very end of
@@ -455,6 +464,12 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 	if txid != fq.txid {
 		return nil, errors.New("txid doesn't match")
 	}
+	rcode := getRCode(out)
+	// don't forward transient errors back to the client when the server fails
+	if rcode == dns.RCodeServerFailure {
+		f.logf("recv: response code indicating server failure: %d", rcode)
+		return nil, errors.New("response code indicates server issue")
+	}

 	if truncated {
 		const dnsFlagTruncated = 0x200
@@ -518,6 +533,15 @@ func (f *forwarder) forward(query packet) error {
 		return err
 	}

+	// Drop DNS service discovery spam, primarily for battery life
+	// on mobile.  Things like Spotify on iOS generate this traffic,
+	// when browsing for LAN devices.  But even when filtering this
+	// out, playing on Sonos still works.
+	if hasRDNSBonjourPrefix(domain) {
+		f.logf("[v1] dropping %q", domain)
+		return nil
+	}
+
 	clampEDNSSize(query.bs, maxResponseBytes)

 	resolvers := f.resolvers(domain)
@@ -712,4 +736,10 @@ func init() {
 	addDoH("149.112.112.112", "https://dns.quad9.net/dns-query")
 	addDoH("2620:fe::fe", "https://dns.quad9.net/dns-query")
 	addDoH("2620:fe::fe:9", "https://dns.quad9.net/dns-query")
+
+	// Quad9 -DNSSEC
+	addDoH("9.9.9.10", "https://dns10.quad9.net/dns-query")
+	addDoH("149.112.112.10", "https://dns10.quad9.net/dns-query")
+	addDoH("2620:fe::10", "https://dns10.quad9.net/dns-query")
+	addDoH("2620:fe::fe:10", "https://dns10.quad9.net/dns-query")
 }
--- a/net/dns/resolver/forwarder_test.go
+++ b/net/dns/resolver/forwarder_test.go
@@ -12,6 +12,7 @@ import (
 	"testing"
 	"time"

+	dns "golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/types/dnstype"
 )

@@ -97,3 +98,45 @@ func TestResolversWithDelays(t *testing.T) {
 	}

 }
+
+func TestGetRCode(t *testing.T) {
+	tests := []struct {
+		name   string
+		packet []byte
+		want   dns.RCode
+	}{
+		{
+			name:   "empty",
+			packet: []byte{},
+			want:   dns.RCode(5),
+		},
+		{
+			name:   "too-short",
+			packet: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+			want:   dns.RCode(5),
+		},
+		{
+			name:   "noerror",
+			packet: []byte{0xC4, 0xFE, 0x81, 0xA0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01},
+			want:   dns.RCode(0),
+		},
+		{
+			name:   "refused",
+			packet: []byte{0xee, 0xa1, 0x81, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
+			want:   dns.RCode(5),
+		},
+		{
+			name:   "nxdomain",
+			packet: []byte{0x34, 0xf4, 0x81, 0x83, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01},
+			want:   dns.RCode(3),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := getRCode(tt.packet)
+			if got != tt.want {
+				t.Errorf("got %d; want %d", got, tt.want)
+			}
+		})
+	}
+}
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -217,7 +217,7 @@ type ForwardLinkSelector interface {
 // linkMon optionally specifies a link monitor to use for socket rebinding.
 func New(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector) *Resolver {
 	r := &Resolver{
-		logf:      logger.WithPrefix(logf, "dns: "),
+		logf:      logger.WithPrefix(logf, "resolver: "),
 		linkMon:   linkMon,
 		responses: make(chan packet),
 		errors:    make(chan error),
@@ -598,11 +598,6 @@ const (
 //  dr._dns-sd._udp.<domain>.
 //  lb._dns-sd._udp.<domain>.
 func hasRDNSBonjourPrefix(name dnsname.FQDN) bool {
-	// Even the shortest name containing a Bonjour prefix is long,
-	// so check length (cheap) and bail early if possible.
-	if len(name) < len("*._dns-sd._udp.0.0.0.0.in-addr.arpa.") {
-		return false
-	}
 	s := name.WithTrailingDot()
 	dot := strings.IndexByte(s, '.')
 	if dot == -1 {
--- a/net/dns/resolver/tsdns_server_test.go
+++ b/net/dns/resolver/tsdns_server_test.go
@@ -20,7 +20,7 @@ import (
 // resolveToIP returns a handler function which responds
 // to queries of type A it receives with an A record containing ipv4,
 // to queries of type AAAA with an AAAA record containing ipv6,
-// to queries of type NS with an NS record containg name.
+// to queries of type NS with an NS record containing name.
 func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	return func(w dns.ResponseWriter, req *dns.Msg) {
 		m := new(dns.Msg)
@@ -71,7 +71,7 @@ func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 // by lowercasing the question and answer names, and responds
 // to queries of type A it receives with an A record containing ipv4,
 // to queries of type AAAA with an AAAA record containing ipv6,
-// to queries of type NS with an NS record containg name.
+// to queries of type NS with an NS record containing name.
 func resolveToIPLowercase(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	return func(w dns.ResponseWriter, req *dns.Msg) {
 		m := new(dns.Msg)
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -985,6 +985,7 @@ func TestTrimRDNSBonjourPrefix(t *testing.T) {
 		{"lb._dns-sd._udp.0.10.20.172.in-addr.arpa.", true},
 		{"qq._dns-sd._udp.0.10.20.172.in-addr.arpa.", false},
 		{"0.10.20.172.in-addr.arpa.", false},
+		{"lb._dns-sd._udp.ts-dns.test.", true},
 	}

 	for _, test := range tests {
--- a/net/dnsfallback/dnsfallback.go
+++ b/net/dnsfallback/dnsfallback.go
@@ -23,6 +23,7 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/net/netns"
+	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 )
@@ -95,6 +96,7 @@ func bootstrapDNSMap(ctx context.Context, serverName string, serverIP netaddr.IP
 	tr.DialContext = func(ctx context.Context, netw, addr string) (net.Conn, error) {
 		return dialer.DialContext(ctx, "tcp", net.JoinHostPort(serverIP.String(), "443"))
 	}
+	tr.TLSClientConfig = tlsdial.Config(serverName, tr.TLSClientConfig)
 	c := &http.Client{Transport: tr}
 	req, err := http.NewRequestWithContext(ctx, "GET", "https://"+serverName+"/bootstrap-dns?q="+url.QueryEscape(queryName), nil)
 	if err != nil {
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -28,7 +28,7 @@ var LoginEndpointForProxyDetermination = "https://controlplane.tailscale.com/"
 // If none is found, all zero values are returned.
 // A non-nil error is only returned on a problem listing the system interfaces.
 func Tailscale() ([]netaddr.IP, *net.Interface, error) {
-	ifs, err := net.Interfaces()
+	ifs, err := netInterfaces()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -50,7 +50,7 @@ func Tailscale() ([]netaddr.IP, *net.Interface, error) {
 			}
 		}
 		if len(tsIPs) > 0 {
-			return tsIPs, &iface, nil
+			return tsIPs, iface.Interface, nil
 		}
 	}
 	return nil, nil, nil
@@ -87,20 +87,20 @@ func isProblematicInterface(nif *net.Interface) bool {
 // know of environments where these are used with NAT to provide connectivity.
 func LocalAddresses() (regular, loopback []netaddr.IP, err error) {
 	// TODO(crawshaw): don't serve interface addresses that we are routing
-	ifaces, err := net.Interfaces()
+	ifaces, err := netInterfaces()
 	if err != nil {
 		return nil, nil, err
 	}
 	var regular4, regular6, linklocal4, ula6 []netaddr.IP
-	for i := range ifaces {
-		iface := &ifaces[i]
-		if !isUp(iface) || isProblematicInterface(iface) {
+	for _, iface := range ifaces {
+		stdIf := iface.Interface
+		if !isUp(stdIf) || isProblematicInterface(stdIf) {
 			// Skip down interfaces and ones that are
 			// problematic that we don't want to try to
 			// send Tailscale traffic over.
 			continue
 		}
-		ifcIsLoopback := isLoopback(iface)
+		ifcIsLoopback := isLoopback(stdIf)

 		addrs, err := iface.Addrs()
 		if err != nil {
@@ -171,21 +171,27 @@ func sortIPs(s []netaddr.IP) {
 // Interface is a wrapper around Go's net.Interface with some extra methods.
 type Interface struct {
 	*net.Interface
+	AltAddrs []net.Addr // if non-nil, returned by Addrs
 }

 func (i Interface) IsLoopback() bool { return isLoopback(i.Interface) }
 func (i Interface) IsUp() bool       { return isUp(i.Interface) }
+func (i Interface) Addrs() ([]net.Addr, error) {
+	if i.AltAddrs != nil {
+		return i.AltAddrs, nil
+	}
+	return i.Interface.Addrs()
+}

 // ForeachInterfaceAddress calls fn for each interface's address on
 // the machine. The IPPrefix's IP is the IP address assigned to the
 // interface, and Bits are the subnet mask.
 func ForeachInterfaceAddress(fn func(Interface, netaddr.IPPrefix)) error {
-	ifaces, err := net.Interfaces()
+	ifaces, err := netInterfaces()
 	if err != nil {
 		return err
 	}
-	for i := range ifaces {
-		iface := &ifaces[i]
+	for _, iface := range ifaces {
 		addrs, err := iface.Addrs()
 		if err != nil {
 			return err
@@ -194,7 +200,7 @@ func ForeachInterfaceAddress(fn func(Interface, netaddr.IPPrefix)) error {
 			switch v := a.(type) {
 			case *net.IPNet:
 				if pfx, ok := netaddr.FromStdIPNet(v); ok {
-					fn(Interface{iface}, pfx)
+					fn(iface, pfx)
 				}
 			}
 		}
@@ -206,12 +212,11 @@ func ForeachInterfaceAddress(fn func(Interface, netaddr.IPPrefix)) error {
 // all its addresses. The IPPrefix's IP is the IP address assigned to
 // the interface, and Bits are the subnet mask.
 func ForeachInterface(fn func(Interface, []netaddr.IPPrefix)) error {
-	ifaces, err := net.Interfaces()
+	ifaces, err := netInterfaces()
 	if err != nil {
 		return err
 	}
-	for i := range ifaces {
-		iface := &ifaces[i]
+	for _, iface := range ifaces {
 		addrs, err := iface.Addrs()
 		if err != nil {
 			return err
@@ -228,7 +233,7 @@ func ForeachInterface(fn func(Interface, []netaddr.IPPrefix)) error {
 		sort.Slice(pfxs, func(i, j int) bool {
 			return pfxs[i].IP().Less(pfxs[j].IP())
 		})
-		fn(Interface{iface}, pfxs)
+		fn(iface, pfxs)
 	}
 	return nil
 }
@@ -575,3 +580,31 @@ func isInterestingIP(ip netaddr.IP) bool {
 	}
 	return true
 }
+
+var altNetInterfaces func() ([]Interface, error)
+
+// RegisterInterfaceGetter sets the function that's used to query
+// the system network interfaces.
+func RegisterInterfaceGetter(getInterfaces func() ([]Interface, error)) {
+	altNetInterfaces = getInterfaces
+}
+
+// netInterfaces is a wrapper around the standard library's net.Interfaces
+// that returns a []*Interface instead of a []net.Interface.
+// It exists because Android SDK 30 no longer permits Go's net.Interfaces
+// to work (Issue 2293); this wrapper lets us the Android app register
+// an alternate implementation.
+func netInterfaces() ([]Interface, error) {
+	if altNetInterfaces != nil {
+		return altNetInterfaces()
+	}
+	ifs, err := net.Interfaces()
+	if err != nil {
+		return nil, err
+	}
+	ret := make([]Interface, len(ifs))
+	for i := range ifs {
+		ret[i].Interface = &ifs[i]
+	}
+	return ret, nil
+}
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -69,11 +69,20 @@ const (
 )

 type Report struct {
-	UDP                   bool     // UDP works
-	IPv6                  bool     // IPv6 works
-	IPv4                  bool     // IPv4 works
-	MappingVariesByDestIP opt.Bool // for IPv4
-	HairPinning           opt.Bool // for IPv4
+	UDP         bool // a UDP STUN round trip completed
+	IPv6        bool // an IPv6 STUN round trip completed
+	IPv4        bool // an IPv4 STUN round trip completed
+	IPv6CanSend bool // an IPv6 packet was able to be sent
+	IPv4CanSend bool // an IPv4 packet was able to be sent
+
+	// MappingVariesByDestIP is whether STUN results depend which
+	// STUN server you're talking to (on IPv4).
+	MappingVariesByDestIP opt.Bool
+
+	// HairPinning is whether the router supports communicating
+	// between two local devices through the NATted public IP address
+	// (on IPv4).
+	HairPinning opt.Bool

 	// UPnP is whether UPnP appears present on the LAN.
 	// Empty means not checked.
@@ -695,7 +704,12 @@ func (rs *reportState) probePortMapServices() {

 	res, err := rs.c.PortMapper.Probe(context.Background())
 	if err != nil {
-		rs.c.logf("probePortMapServices: %v", err)
+		if !errors.Is(err, portmapper.ErrGatewayRange) {
+			// "skipping portmap; gateway range likely lacks support"
+			// is not very useful, and too spammy on cloud systems.
+			// If there are other errors, we want to log those.
+			rs.c.logf("probePortMapServices: %v", err)
+		}
 		return
 	}

@@ -1142,9 +1156,19 @@ func (rs *reportState) runProbe(ctx context.Context, dm *tailcfg.DERPMap, probe

 	switch probe.proto {
 	case probeIPv4:
-		rs.pc4.WriteTo(req, addr)
+		n, err := rs.pc4.WriteTo(req, addr)
+		if n == len(req) && err == nil {
+			rs.mu.Lock()
+			rs.report.IPv4CanSend = true
+			rs.mu.Unlock()
+		}
 	case probeIPv6:
-		rs.pc6.WriteTo(req, addr)
+		n, err := rs.pc6.WriteTo(req, addr)
+		if n == len(req) && err == nil {
+			rs.mu.Lock()
+			rs.report.IPv6CanSend = true
+			rs.mu.Unlock()
+		}
 	default:
 		panic("bad probe proto " + fmt.Sprint(probe.proto))
 	}
--- a/net/netcheck/netcheck_test.go
+++ b/net/netcheck/netcheck_test.go
@@ -100,11 +100,18 @@ func TestWorksWhenUDPBlocked(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	want := newReport()
 	r.UPnP = ""
 	r.PMP = ""
 	r.PCP = ""

+	want := newReport()
+
+	// The IPv4CanSend flag gets set differently across platforms.
+	// On Windows this test detects false, while on Linux detects true.
+	// That's not relevant to this test, so just accept what we're
+	// given.
+	want.IPv4CanSend = r.IPv4CanSend
+
 	if !reflect.DeepEqual(r, want) {
 		t.Errorf("mismatch\n got: %+v\nwant: %+v\n", r, want)
 	}
--- a/net/netknob/netknob.go
+++ b/net/netknob/netknob.go
@@ -0,0 +1,30 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package netknob has Tailscale network knobs.
+package netknob
+
+import (
+	"runtime"
+	"time"
+)
+
+// PlatformTCPKeepAlive returns the default net.Dialer.KeepAlive
+// value for the current runtime.GOOS.
+func PlatformTCPKeepAlive() time.Duration {
+	switch runtime.GOOS {
+	case "ios", "android":
+		// Disable TCP keep-alives on mobile platforms.
+		// See https://github.com/golang/go/issues/48622.
+		//
+		// TODO(bradfitz): in 1.17.x, try disabling TCP
+		// keep-alives on for all platforms.
+		return -1
+	}
+
+	// Otherwise, default to 30 seconds, which is mostly what we
+	// used to do. In some places we used the zero value, which Go
+	// defaults to 15 seconds. But 30 seconds is fine.
+	return 30 * time.Second
+}
--- a/net/netns/netns.go
+++ b/net/netns/netns.go
@@ -19,6 +19,7 @@ import (
 	"net"

 	"inet.af/netaddr"
+	"tailscale.com/net/netknob"
 	"tailscale.com/syncs"
 )

@@ -45,7 +46,9 @@ func Listener() *net.ListenConfig {
 // namespace that doesn't route back into Tailscale. It also handles
 // using a SOCKS if configured in the environment with ALL_PROXY.
 func NewDialer() Dialer {
-	return FromDialer(new(net.Dialer))
+	return FromDialer(&net.Dialer{
+		KeepAlive: netknob.PlatformTCPKeepAlive(),
+	})
 }

 // FromDialer returns sets d.Control as necessary to run in a logical
--- a/net/speedtest/speedtest_server.go
+++ b/net/speedtest/speedtest_server.go
@@ -107,7 +107,7 @@ SpeedTestLoop:
 			case nil:
 				// successful read
 			default:
-				return nil, fmt.Errorf("unexpected error has occured: %w", err)
+				return nil, fmt.Errorf("unexpected error has occurred: %w", err)
 			}
 		} else {
 			// Need to change the data a little bit, to avoid any compression.
--- a/net/tlsdial/deps_test.go
+++ b/net/tlsdial/deps_test.go
@@ -0,0 +1,10 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build for_go_mod_tidy_only
+// +build for_go_mod_tidy_only
+
+package tlsdial
+
+import _ "filippo.io/mkcert"
--- a/net/tlsdial/tlsdial.go
+++ b/net/tlsdial/tlsdial.go
@@ -15,9 +15,24 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
+	"log"
+	"os"
+	"strconv"
+	"sync"
+	"sync/atomic"
 	"time"
 )

+var counterFallbackOK int32 // atomic
+
+// If SSLKEYLOGFILE is set, it's a file to which we write our TLS private keys
+// in a way that WireShark can read.
+//
+// See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
+var sslKeyLogFile = os.Getenv("SSLKEYLOGFILE")
+
+var debug, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_TLS_DIAL"))
+
 // Config returns a tls.Config for connecting to a server.
 // If base is non-nil, it's cloned as the base config before
 // being configured and returned.
@@ -30,11 +45,65 @@ func Config(host string, base *tls.Config) *tls.Config {
 	}
 	conf.ServerName = host

+	if n := sslKeyLogFile; n != "" {
+		f, err := os.OpenFile(n, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
+		if err != nil {
+			log.Fatal(err)
+		}
+		log.Printf("WARNING: writing to SSLKEYLOGFILE %v", n)
+		conf.KeyLogWriter = f
+	}
+
+	if conf.InsecureSkipVerify {
+		panic("unexpected base.InsecureSkipVerify")
+	}
+	if conf.VerifyConnection != nil {
+		panic("unexpected base.VerifyConnection")
+	}
+
+	// Set InsecureSkipVerify to prevent crypto/tls from doing its
+	// own cert verification, as do the same work that it'd do
+	// (with the baked-in fallback root) in the VerifyConnection hook.
+	conf.InsecureSkipVerify = true
+	conf.VerifyConnection = func(cs tls.ConnectionState) error {
+		// First try doing x509 verification with the system's
+		// root CA pool.
+		opts := x509.VerifyOptions{
+			DNSName:       cs.ServerName,
+			Intermediates: x509.NewCertPool(),
+		}
+		for _, cert := range cs.PeerCertificates[1:] {
+			opts.Intermediates.AddCert(cert)
+		}
+		_, errSys := cs.PeerCertificates[0].Verify(opts)
+		if debug {
+			log.Printf("tlsdial(sys %q): %v", host, errSys)
+		}
+		if errSys == nil {
+			return nil
+		}
+
+		// If that failed, because the system's CA roots are old
+		// or broken, fall back to trying LetsEncrypt at least.
+		opts.Roots = bakedInRoots()
+		_, err := cs.PeerCertificates[0].Verify(opts)
+		if debug {
+			log.Printf("tlsdial(bake %q): %v", host, err)
+		}
+		if err == nil {
+			atomic.AddInt32(&counterFallbackOK, 1)
+			return nil
+		}
+		return errSys
+	}
 	return conf
 }

 // SetConfigExpectedCert modifies c to expect and verify that the server returns
 // a certificate for the provided certDNSName.
+//
+// This is for user-configurable client-side domain fronting support,
+// where we send one SNI value but validate a different cert.
 func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 	if c.ServerName == certDNSName {
 		return
@@ -50,6 +119,7 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 	// own cert verification, but do the same work that it'd do
 	// (but using certDNSName) in the VerifyPeerCertificate hook.
 	c.InsecureSkipVerify = true
+	c.VerifyConnection = nil
 	c.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
 		if len(rawCerts) == 0 {
 			return errors.New("no certs presented")
@@ -70,7 +140,102 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}
+		_, errSys := certs[0].Verify(opts)
+		if debug {
+			log.Printf("tlsdial(sys %q/%q): %v", c.ServerName, certDNSName, errSys)
+		}
+		if errSys == nil {
+			return nil
+		}
+		opts.Roots = bakedInRoots()
 		_, err := certs[0].Verify(opts)
-		return err
+		if debug {
+			log.Printf("tlsdial(bake %q/%q): %v", c.ServerName, certDNSName, err)
+		}
+		if err == nil {
+			return nil
+		}
+		return errSys
 	}
 }
+
+/*
+letsEncryptX1 is the LetsEncrypt X1 root:
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
+        Validity
+            Not Before: Jun  4 11:04:38 2015 GMT
+            Not After : Jun  4 11:04:38 2035 GMT
+        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+
+We bake it into the binary as a fallback verification root,
+in case the system we're running on doesn't have it.
+(Tailscale runs on some ancient devices.)
+
+To test that this code is working on Debian/Ubuntu:
+
+$ sudo mv /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt{,.old}
+$ sudo update-ca-certificates
+
+Then restart tailscaled. To also test dnsfallback's use of it, nuke
+your /etc/resolv.conf and it should still start & run fine.
+
+*/
+const letsEncryptX1 = `
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
+`
+
+var bakedInRootsOnce struct {
+	sync.Once
+	p *x509.CertPool
+}
+
+func bakedInRoots() *x509.CertPool {
+	bakedInRootsOnce.Do(func() {
+		p := x509.NewCertPool()
+		if !p.AppendCertsFromPEM([]byte(letsEncryptX1)) {
+			panic("bogus PEM")
+		}
+		bakedInRootsOnce.p = p
+	})
+	return bakedInRootsOnce.p
+}
--- a/net/tlsdial/tlsdial_test.go
+++ b/net/tlsdial/tlsdial_test.go
@@ -0,0 +1,131 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tlsdial
+
+import (
+	"crypto/x509"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"sync/atomic"
+	"testing"
+)
+
+func resetOnce() {
+	rv := reflect.ValueOf(&bakedInRootsOnce).Elem()
+	rv.Set(reflect.Zero(rv.Type()))
+}
+
+func TestBakedInRoots(t *testing.T) {
+	resetOnce()
+	p := bakedInRoots()
+	got := p.Subjects()
+	if len(got) != 1 {
+		t.Errorf("subjects = %v; want 1", len(got))
+	}
+}
+
+func TestFallbackRootWorks(t *testing.T) {
+	defer resetOnce()
+
+	const debug = false
+	if runtime.GOOS != "linux" {
+		t.Skip("test assumes Linux")
+	}
+	d := t.TempDir()
+	crtFile := filepath.Join(d, "tlsdial.test.crt")
+	keyFile := filepath.Join(d, "tlsdial.test.key")
+	caFile := filepath.Join(d, "rootCA.pem")
+	cmd := exec.Command(filepath.Join(runtime.GOROOT(), "bin", "go"),
+		"run", "filippo.io/mkcert",
+		"--cert-file="+crtFile,
+		"--key-file="+keyFile,
+		"tlsdial.test")
+	cmd.Env = append(os.Environ(), "CAROOT="+d)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("mkcert: %v, %s", err, out)
+	}
+	if debug {
+		t.Logf("Ran: %s", out)
+		dents, err := os.ReadDir(d)
+		if err != nil {
+			t.Fatal(err)
+		}
+		for _, de := range dents {
+			t.Logf(" - %v", de)
+		}
+	}
+
+	caPEM, err := os.ReadFile(caFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+	resetOnce()
+	bakedInRootsOnce.Do(func() {
+		p := x509.NewCertPool()
+		if !p.AppendCertsFromPEM(caPEM) {
+			t.Fatal("failed to add")
+		}
+		bakedInRootsOnce.p = p
+	})
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer ln.Close()
+	if debug {
+		t.Logf("listener running at %v", ln.Addr())
+	}
+	done := make(chan struct{})
+	defer close(done)
+
+	errc := make(chan error, 1)
+	go func() {
+		err := http.ServeTLS(ln, http.HandlerFunc(sayHi), crtFile, keyFile)
+		select {
+		case <-done:
+			return
+		default:
+			t.Logf("ServeTLS: %v", err)
+			errc <- err
+		}
+	}()
+
+	tr := &http.Transport{
+		Dial: func(network, addr string) (net.Conn, error) {
+			return net.Dial("tcp", ln.Addr().String())
+		},
+		DisableKeepAlives: true, // for test cleanup ease
+	}
+	tr.TLSClientConfig = Config("tlsdial.test", tr.TLSClientConfig)
+	c := &http.Client{Transport: tr}
+
+	ctr0 := atomic.LoadInt32(&counterFallbackOK)
+
+	res, err := c.Get("https://tlsdial.test/")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		t.Fatal(res.Status)
+	}
+
+	ctrDelta := atomic.LoadInt32(&counterFallbackOK) - ctr0
+	if ctrDelta != 1 {
+		t.Errorf("fallback root success count = %d; want 1", ctrDelta)
+	}
+}
+
+func sayHi(w http.ResponseWriter, r *http.Request) {
+	io.WriteString(w, "hi")
+}
--- a/net/tsaddr/tsaddr.go
+++ b/net/tsaddr/tsaddr.go
@@ -185,3 +185,9 @@ func IPsContainsFunc(ips []netaddr.IP, f func(netaddr.IP) bool) bool {
 	}
 	return false
 }
+
+// PrefixIs4 reports whether p is an IPv4 prefix.
+func PrefixIs4(p netaddr.IPPrefix) bool { return p.IP().Is4() }
+
+// PrefixIs6 reports whether p is an IPv6 prefix.
+func PrefixIs6(p netaddr.IPPrefix) bool { return p.IP().Is6() }
--- a/net/tstun/tun_windows.go
+++ b/net/tstun/tun_windows.go
@@ -7,16 +7,11 @@ package tstun
 import (
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/wintun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )

 func init() {
-	var err error
-	tun.WintunPool, err = wintun.MakePool("Tailscale")
-	if err != nil {
-		panic(err)
-	}
+	tun.WintunTunnelType = "Tailscale"
 	guid, err := windows.GUIDFromString("{37217669-42da-4657-a55b-0d995d328250}")
 	if err != nil {
 		panic(err)
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -413,6 +413,16 @@ func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
 		return filter.DropSilently // don't pass on to OS; already handled
 	}

+	// Issue 1526 workaround: if we sent disco packets over
+	// Tailscale from ourselves, then drop them, as that shouldn't
+	// happen unless a networking stack is confused, as it seems
+	// macOS in Network Extension mode might be.
+	if p.IPProto == ipproto.UDP && // disco is over UDP; avoid isSelfDisco call for TCP/etc
+		t.isSelfDisco(p) {
+		t.logf("[unexpected] received self disco out packet over tstun; dropping")
+		return filter.DropSilently
+	}
+
 	if t.PreFilterOut != nil {
 		if res := t.PreFilterOut(p, t); res.IsDrop() {
 			return res
@@ -517,7 +527,7 @@ func (t *Wrapper) filterIn(buf []byte) filter.Response {
 	// macOS in Network Extension mode might be.
 	if p.IPProto == ipproto.UDP && // disco is over UDP; avoid isSelfDisco call for TCP/etc
 		t.isSelfDisco(p) {
-		t.logf("[unexpected] received self disco package over tstun; dropping")
+		t.logf("[unexpected] received self disco in packet over tstun; dropping")
 		return filter.DropSilently
 	}

--- a/net/tstun/wrap_test.go
+++ b/net/tstun/wrap_test.go
@@ -514,7 +514,18 @@ func TestFilterDiscoLoop(t *testing.T) {
 	if got != filter.DropSilently {
 		t.Errorf("got %v; want DropSilently", got)
 	}
-	if got, want := memLog.String(), "[unexpected] received self disco package over tstun; dropping\n"; got != want {
+	if got, want := memLog.String(), "[unexpected] received self disco in packet over tstun; dropping\n"; got != want {
+		t.Errorf("log output mismatch\n got: %q\nwant: %q\n", got, want)
+	}
+
+	memLog.Reset()
+	pp := new(packet.Parsed)
+	pp.Decode(pkt)
+	got = tw.filterOut(pp)
+	if got != filter.DropSilently {
+		t.Errorf("got %v; want DropSilently", got)
+	}
+	if got, want := memLog.String(), "[unexpected] received self disco out packet over tstun; dropping\n"; got != want {
 		t.Errorf("log output mismatch\n got: %q\nwant: %q\n", got, want)
 	}
 }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .15.0
 .17.0