client/web: switch to custom fork of gorilla/csrf

This fork removes the dependency on the html/template package, so we should be able to enable the web client on mobile in the near future. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>
cli/set: add printout when web client started
2024-01-09 15:12:22 -08:00 · 2024-01-09 17:31:06 -05:00 · 2024-01-09 14:11:34 -06:00 · 2024-01-09 11:51:08 -08:00 · 2024-01-09 10:30:46 -05:00 · 2024-01-09 14:13:22 +00:00
64 changed files with 2847 additions and 1161 deletions
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -22,17 +22,30 @@ jobs:
      - name: Scan source code for known vulnerabilities
        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...

-      - uses: ruby/action-slack@v3.2.1
-        with:
-          payload: >
-            {
-              "attachments": [{
-                "title": "${{ job.status }}: ${{ github.workflow }}",
-                "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",
-                "text": "${{ github.repository }}@${{ github.sha }}",
-                "color": "danger"
-              }]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      - name: Post to slack
        if: failure() && github.event_name == 'schedule'
+        uses: slackapi/slack-github-action@v1.24.0
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
+        with:
+          channel-id: 'C05PXRM304B'
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "Govulncheck failed in ${{ github.repository }}"
+                  },
+                  "accessory": {
+                    "type": "button",
+                    "text": {
+                      "type": "plain_text",
+                      "text": "View results"
+                    },
+                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+                  }
+                }
+              ]
+            }
--- a/6
+++ b/6
@@ -18,7 +18,8 @@ updatedeps: ## Update depaware deps
 	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
+		tailscale.com/cmd/derper \
+		tailscale.com/cmd/stund

 depaware: ## Run depaware checks
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
@@ -26,7 +27,8 @@ depaware: ## Run depaware checks
 	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
+		tailscale.com/cmd/derper \
+		tailscale.com/cmd/stund

 buildwindows: ## Build tailscale CLI for windows/amd64
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
--- a/client/web/src/components/app.tsx
+++ b/client/web/src/components/app.tsx
@@ -5,6 +5,7 @@ import React from "react"
 import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
 import LoginToggle from "src/components/login-toggle"
 import DeviceDetailsView from "src/components/views/device-details-view"
+import DisconnectedView from "src/components/views/disconnected-view"
 import HomeView from "src/components/views/home-view"
 import LoginView from "src/components/views/login-view"
 import SSHView from "src/components/views/ssh-view"
@@ -74,9 +75,7 @@ function WebClient({
            />
          </FeatureRoute>
          <Route path="/disconnected">
-            <Card className="mt-8">
-              <EmptyState description="You have been disconnected" />
-            </Card>
+            <DisconnectedView />
          </Route>
          <Route>
            <Card className="mt-8">
--- a/client/web/src/components/views/device-details-view.tsx
+++ b/client/web/src/components/views/device-details-view.tsx
@@ -226,24 +226,22 @@ function DisconnectDialog() {
  return (
    <Dialog
      className="max-w-md"
-      title="Disconnect"
-      trigger={<Button sizeVariant="small">Disconnect…</Button>}
+      title="Log out"
+      trigger={<Button sizeVariant="small">Log out…</Button>}
    >
      <Dialog.Form
        cancelButton
-        submitButton="Disconnect"
+        submitButton="Log out"
        destructive
        onSubmit={() => {
          api({ action: "logout" })
          setLocation("/disconnected")
        }}
      >
-        You are about to disconnect this device from your tailnet. To reconnect,
-        you will be required to re-authenticate this device.
-        <p className="mt-4 text-sm text-text-muted">
-          Your connection to this web interface will end as soon as you click
-          disconnect.
-        </p>
+        Logging out of this device will disconnect it from your tailnet and
+        expire its node key. You won’t be able to use this web interface until
+        you re-authenticate the device from either the Tailscale app or the
+        Tailscale command line interface.
      </Dialog.Form>
    </Dialog>
  )
--- a/client/web/src/components/views/disconnected-view.tsx
+++ b/client/web/src/components/views/disconnected-view.tsx
@@ -0,0 +1,21 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+import React from "react"
+import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
+
+/**
+ * DisconnectedView is rendered after node logout.
+ */
+export default function DisconnectedView() {
+  return (
+    <>
+      <TailscaleIcon className="mx-auto" />
+      <p className="mt-12 text-center text-text-muted">
+        You logged out of this device. To reconnect it you will have to
+        re-authenticate the device from either the Tailscale app or the
+        Tailscale command line interface.
+      </p>
+    </>
+  )
+}
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -22,7 +22,7 @@ import (
 	"sync"
 	"time"

-	"github.com/gorilla/csrf"
+	"github.com/tailscale/csrf"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/clientupdate"
@@ -176,11 +176,12 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 		waitAuthURL: opts.WaitAuthURL,
 	}
 	if opts.PathPrefix != "" {
-		// In enforcePrefix, we add the necessary leading '/'. If we did not
-		// strip 1 or more leading '/'s here, we would end up redirecting
-		// clients to e.g. //example.com (a schema-less URL that points to
-		// another site). See https://github.com/tailscale/corp/issues/16268.
-		s.pathPrefix = strings.TrimLeft(path.Clean(opts.PathPrefix), "/\\")
+		// Enforce that path prefix always has a single leading '/'
+		// so that it is treated as a relative URL path.
+		// We strip multiple leading '/' to prevent schema-less offsite URLs like "//example.com".
+		//
+		// See https://github.com/tailscale/corp/issues/16268.
+		s.pathPrefix = "/" + strings.TrimLeft(path.Clean(opts.PathPrefix), "/\\")
 	}
 	if s.mode == ManageServerMode {
 		if opts.NewAuthURL == nil {
--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -939,36 +939,65 @@ func TestServeAPIAuthMetricLogging(t *testing.T) {
 	}
 }

-func TestNoOffSiteRedirect(t *testing.T) {
-	options := ServerOpts{
-		Mode: LoginServerMode,
-		// Emulate the admin using a --prefix option with leading slashes:
-		PathPrefix: "//evil.example.com/goat",
-		CGIMode:    true,
-	}
-	s, err := NewServer(options)
-	if err != nil {
-		t.Error(err)
-	}
-
+// TestPathPrefix tests that the provided path prefix is normalized correctly.
+// If a leading '/' is missing, one should be added.
+// If multiple leading '/' are present, they should be collapsed to one.
+// Additionally verify that this prevents open redirects when enforcing the path prefix.
+func TestPathPrefix(t *testing.T) {
 	tests := []struct {
 		name         string
-		target       string
-		wantHandled  bool
+		prefix       string
+		wantPrefix   string
 		wantLocation string
 	}{
+		{
+			name:         "no-leading-slash",
+			prefix:       "javascript:alert(1)",
+			wantPrefix:   "/javascript:alert(1)",
+			wantLocation: "/javascript:alert(1)/",
+		},
 		{
 			name:   "2-slashes",
-			target: "http://localhost//evil.example.com/goat",
+			prefix: "//evil.example.com/goat",
 			// We must also get the trailing slash added:
+			wantPrefix:   "/evil.example.com/goat",
 			wantLocation: "/evil.example.com/goat/",
 		},
+		{
+			name:   "absolute-url",
+			prefix: "http://evil.example.com",
+			// We must also get the trailing slash added:
+			wantPrefix:   "/http:/evil.example.com",
+			wantLocation: "/http:/evil.example.com/",
+		},
+		{
+			name:   "double-dot",
+			prefix: "/../.././etc/passwd",
+			// We must also get the trailing slash added:
+			wantPrefix:   "/etc/passwd",
+			wantLocation: "/etc/passwd/",
+		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			options := ServerOpts{
+				Mode:       LoginServerMode,
+				PathPrefix: tt.prefix,
+				CGIMode:    true,
+			}
+			s, err := NewServer(options)
+			if err != nil {
+				t.Error(err)
+			}
+
+			// verify provided prefix was normalized correctly
+			if s.pathPrefix != tt.wantPrefix {
+				t.Errorf("prefix was not normalized correctly; want=%q, got=%q", tt.wantPrefix, s.pathPrefix)
+			}
+
 			s.logf = t.Logf
-			r := httptest.NewRequest(httpm.GET, tt.target, nil)
+			r := httptest.NewRequest(httpm.GET, "http://localhost/", nil)
 			w := httptest.NewRecorder()
 			s.ServeHTTP(w, r)
 			res := w.Result()
@@ -976,7 +1005,7 @@ func TestNoOffSiteRedirect(t *testing.T) {

 			location := w.Header().Get("Location")
 			if location != tt.wantLocation {
-				t.Errorf("request(%q) got wrong location; want=%q, got=%q", tt.target, tt.wantLocation, location)
+				t.Errorf("request got wrong location; want=%q, got=%q", tt.wantLocation, location)
 			}
 		})
 	}
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -48,6 +48,13 @@
 //     ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN.
 //     It cannot be used in conjunction with TS_DEST_IP. The file is watched for changes,
 //     and will be re-applied when it changes.
+//   - EXPERIMENTAL_TS_CONFIGFILE_PATH: if specified, a path to tailscaled
+//     config. If this is set, TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY,
+//     TS_ROUTES, TS_ACCEPT_DNS env vars must not be set. If this is set,
+//     containerboot only runs `tailscaled --config <path-to-this-configfile>`
+//     and not `tailscale up` or `tailscale set`.
+//     The config file contents are currently read once on container start.
+//     NB: This env var is currently experimental and the logic will likely change!
 //
 // When running on Kubernetes, containerboot defaults to storing state in the
 // "tailscale" kube secret. To store state on local disk instead, set
@@ -83,6 +90,7 @@ import (
 	"golang.org/x/sys/unix"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/conffile"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/ptr"
@@ -102,39 +110,29 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	cfg := &settings{
-		AuthKey:           defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
-		Hostname:          defaultEnv("TS_HOSTNAME", ""),
-		Routes:            defaultEnvPointer("TS_ROUTES"),
-		ServeConfigPath:   defaultEnv("TS_SERVE_CONFIG", ""),
-		ProxyTo:           defaultEnv("TS_DEST_IP", ""),
-		TailnetTargetIP:   defaultEnv("TS_TAILNET_TARGET_IP", ""),
-		TailnetTargetFQDN: defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
-		DaemonExtraArgs:   defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
-		ExtraArgs:         defaultEnv("TS_EXTRA_ARGS", ""),
-		InKubernetes:      os.Getenv("KUBERNETES_SERVICE_HOST") != "",
-		UserspaceMode:     defaultBool("TS_USERSPACE", true),
-		StateDir:          defaultEnv("TS_STATE_DIR", ""),
-		AcceptDNS:         defaultBool("TS_ACCEPT_DNS", false),
-		KubeSecret:        defaultEnv("TS_KUBE_SECRET", "tailscale"),
-		SOCKSProxyAddr:    defaultEnv("TS_SOCKS5_SERVER", ""),
-		HTTPProxyAddr:     defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
-		Socket:            defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:          defaultBool("TS_AUTH_ONCE", false),
-		Root:              defaultEnv("TS_TEST_ONLY_ROOT", "/"),
+		AuthKey:                  defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
+		Hostname:                 defaultEnv("TS_HOSTNAME", ""),
+		Routes:                   defaultEnvStringPointer("TS_ROUTES"),
+		ServeConfigPath:          defaultEnv("TS_SERVE_CONFIG", ""),
+		ProxyTo:                  defaultEnv("TS_DEST_IP", ""),
+		TailnetTargetIP:          defaultEnv("TS_TAILNET_TARGET_IP", ""),
+		TailnetTargetFQDN:        defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
+		DaemonExtraArgs:          defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
+		ExtraArgs:                defaultEnv("TS_EXTRA_ARGS", ""),
+		InKubernetes:             os.Getenv("KUBERNETES_SERVICE_HOST") != "",
+		UserspaceMode:            defaultBool("TS_USERSPACE", true),
+		StateDir:                 defaultEnv("TS_STATE_DIR", ""),
+		AcceptDNS:                defaultEnvBoolPointer("TS_ACCEPT_DNS"),
+		KubeSecret:               defaultEnv("TS_KUBE_SECRET", "tailscale"),
+		SOCKSProxyAddr:           defaultEnv("TS_SOCKS5_SERVER", ""),
+		HTTPProxyAddr:            defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
+		Socket:                   defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
+		AuthOnce:                 defaultBool("TS_AUTH_ONCE", false),
+		Root:                     defaultEnv("TS_TEST_ONLY_ROOT", "/"),
+		TailscaledConfigFilePath: defaultEnv("EXPERIMENTAL_TS_CONFIGFILE_PATH", ""),
 	}
-
-	if cfg.ProxyTo != "" && cfg.UserspaceMode {
-		log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
-	}
-
-	if cfg.TailnetTargetIP != "" && cfg.UserspaceMode {
-		log.Fatal("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
-	}
-	if cfg.TailnetTargetFQDN != "" && cfg.UserspaceMode {
-		log.Fatal("TS_TAILNET_TARGET_FQDN is not supported with TS_USERSPACE")
-	}
-	if cfg.TailnetTargetFQDN != "" && cfg.TailnetTargetIP != "" {
-		log.Fatal("Both TS_TAILNET_TARGET_IP and TS_TAILNET_FQDN cannot be set")
+	if err := cfg.validate(); err != nil {
+		log.Fatalf("invalid configuration: %v", err)
 	}

 	if !cfg.UserspaceMode {
@@ -171,7 +169,7 @@ func main() {
 		}
 		cfg.KubernetesCanPatch = canPatch

-		if cfg.AuthKey == "" {
+		if cfg.AuthKey == "" && !isOneStepConfig(cfg) {
 			key, err := findKeyInKubeSecret(bootCtx, cfg.KubeSecret)
 			if err != nil {
 				log.Fatalf("Getting authkey from kube secret: %v", err)
@@ -253,7 +251,7 @@ func main() {
 		return nil
 	}

-	if !cfg.AuthOnce {
+	if isTwoStepConfigAlwaysAuth(cfg) {
 		if err := authTailscale(); err != nil {
 			log.Fatalf("failed to auth tailscale: %v", err)
 		}
@@ -269,6 +267,13 @@ authLoop:
 		if n.State != nil {
 			switch *n.State {
 			case ipn.NeedsLogin:
+				if isOneStepConfig(cfg) {
+					// This could happen if this is the
+					// first time tailscaled was run for
+					// this device and the auth key was not
+					// passed via the configfile.
+					log.Fatalf("invalid state: tailscaled daemon started with a config file, but tailscale is not logged in: ensure you pass a valid auth key in the config file.")
+				}
 				if err := authTailscale(); err != nil {
 					log.Fatalf("failed to auth tailscale: %v", err)
 				}
@@ -293,7 +298,7 @@ authLoop:
 	ctx, cancel := contextWithExitSignalWatch()
 	defer cancel()

-	if cfg.AuthOnce {
+	if isTwoStepConfigAuthOnce(cfg) {
 		// Now that we are authenticated, we can set/reset any of the
 		// settings that we need to.
 		if err := tailscaleSet(ctx, cfg); err != nil {
@@ -309,7 +314,7 @@ authLoop:
 		}
 	}

-	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce {
+	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && isTwoStepConfigAuthOnce(cfg) {
 		// We were told to only auth once, so any secret-bound
 		// authkey is no longer needed. We don't strictly need to
 		// wipe it, but it's good hygiene.
@@ -634,6 +639,9 @@ func tailscaledArgs(cfg *settings) []string {
 	if cfg.HTTPProxyAddr != "" {
 		args = append(args, "--outbound-http-proxy-listen="+cfg.HTTPProxyAddr)
 	}
+	if cfg.TailscaledConfigFilePath != "" {
+		args = append(args, "--config="+cfg.TailscaledConfigFilePath)
+	}
 	if cfg.DaemonExtraArgs != "" {
 		args = append(args, strings.Fields(cfg.DaemonExtraArgs)...)
 	}
@@ -644,7 +652,7 @@ func tailscaledArgs(cfg *settings) []string {
 // if TS_AUTH_ONCE is set, only the first time containerboot starts.
 func tailscaleUp(ctx context.Context, cfg *settings) error {
 	args := []string{"--socket=" + cfg.Socket, "up"}
-	if cfg.AcceptDNS {
+	if cfg.AcceptDNS != nil && *cfg.AcceptDNS {
 		args = append(args, "--accept-dns=true")
 	} else {
 		args = append(args, "--accept-dns=false")
@@ -680,7 +688,7 @@ func tailscaleUp(ctx context.Context, cfg *settings) error {
 // node is in Running state and only if TS_AUTH_ONCE is set.
 func tailscaleSet(ctx context.Context, cfg *settings) error {
 	args := []string{"--socket=" + cfg.Socket, "set"}
-	if cfg.AcceptDNS {
+	if cfg.AcceptDNS != nil && *cfg.AcceptDNS {
 		args = append(args, "--accept-dns=true")
 	} else {
 		args = append(args, "--accept-dns=false")
@@ -873,21 +881,46 @@ type settings struct {
 	// TailnetTargetFQDN is an MagicDNS name to which all incoming
 	// non-Tailscale traffic should be proxied. This must be a full Tailnet
 	// node FQDN.
-	TailnetTargetFQDN  string
-	ServeConfigPath    string
-	DaemonExtraArgs    string
-	ExtraArgs          string
-	InKubernetes       bool
-	UserspaceMode      bool
-	StateDir           string
-	AcceptDNS          bool
-	KubeSecret         string
-	SOCKSProxyAddr     string
-	HTTPProxyAddr      string
-	Socket             string
-	AuthOnce           bool
-	Root               string
-	KubernetesCanPatch bool
+	TailnetTargetFQDN        string
+	ServeConfigPath          string
+	DaemonExtraArgs          string
+	ExtraArgs                string
+	InKubernetes             bool
+	UserspaceMode            bool
+	StateDir                 string
+	AcceptDNS                *bool
+	KubeSecret               string
+	SOCKSProxyAddr           string
+	HTTPProxyAddr            string
+	Socket                   string
+	AuthOnce                 bool
+	Root                     string
+	KubernetesCanPatch       bool
+	TailscaledConfigFilePath string
+}
+
+func (s *settings) validate() error {
+	if s.TailscaledConfigFilePath != "" {
+		if _, err := conffile.Load(s.TailscaledConfigFilePath); err != nil {
+			return fmt.Errorf("error validating tailscaled configfile contents: %w", err)
+		}
+	}
+	if s.ProxyTo != "" && s.UserspaceMode {
+		return errors.New("TS_DEST_IP is not supported with TS_USERSPACE")
+	}
+	if s.TailnetTargetIP != "" && s.UserspaceMode {
+		return errors.New("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
+	}
+	if s.TailnetTargetFQDN != "" && s.UserspaceMode {
+		return errors.New("TS_TAILNET_TARGET_FQDN is not supported with TS_USERSPACE")
+	}
+	if s.TailnetTargetFQDN != "" && s.TailnetTargetIP != "" {
+		return errors.New("Both TS_TAILNET_TARGET_IP and TS_TAILNET_FQDN cannot be set")
+	}
+	if s.TailscaledConfigFilePath != "" && (s.AcceptDNS != nil || s.AuthKey != "" || s.Routes != nil || s.ExtraArgs != "" || s.Hostname != "") {
+		return errors.New("EXPERIMENTAL_TS_CONFIGFILE_PATH cannot be set in combination with TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY, TS_ROUTES, TS_ACCEPT_DNS.")
+	}
+	return nil
 }

 // defaultEnv returns the value of the given envvar name, or defVal if
@@ -899,16 +932,28 @@ func defaultEnv(name, defVal string) string {
 	return defVal
 }

-// defaultEnvPointer returns a pointer to the given envvar value if set, else
+// defaultEnvStringPointer returns a pointer to the given envvar value if set, else
 // returns nil. This is useful in cases where we need to distinguish between a
 // variable being set to empty string vs unset.
-func defaultEnvPointer(name string) *string {
+func defaultEnvStringPointer(name string) *string {
 	if v, ok := os.LookupEnv(name); ok {
 		return &v
 	}
 	return nil
 }

+// defaultEnvBoolPointer returns a pointer to the given envvar value if set, else
+// returns nil. This is useful in cases where we need to distinguish between a
+// variable being explicitly set to false vs unset.
+func defaultEnvBoolPointer(name string) *bool {
+	v := os.Getenv(name)
+	ret, err := strconv.ParseBool(v)
+	if err != nil {
+		return nil
+	}
+	return &ret
+}
+
 func defaultEnvs(names []string, defVal string) string {
 	for _, name := range names {
 		if v, ok := os.LookupEnv(name); ok {
@@ -950,3 +995,27 @@ func contextWithExitSignalWatch() (context.Context, func()) {
 	}
 	return ctx, f
 }
+
+// isTwoStepConfigAuthOnce returns true if the Tailscale node should be configured
+// in two steps and login should only happen once.
+// Step 1: run 'tailscaled'
+// Step 2):
+// A) if this is the first time starting this node run 'tailscale up --authkey <authkey> <config opts>'
+// B) if this is not the first time starting this node run 'tailscale set <config opts>'.
+func isTwoStepConfigAuthOnce(cfg *settings) bool {
+	return cfg.AuthOnce && cfg.TailscaledConfigFilePath == ""
+}
+
+// isTwoStepConfigAlwaysAuth returns true if the Tailscale node should be configured
+// in two steps and we should log in every time it starts.
+// Step 1: run 'tailscaled'
+// Step 2): run 'tailscale up --authkey <authkey> <config opts>'
+func isTwoStepConfigAlwaysAuth(cfg *settings) bool {
+	return !cfg.AuthOnce && cfg.TailscaledConfigFilePath == ""
+}
+
+// isOneStepConfig returns true if the Tailscale node should always be ran and
+// configured in a single step by running 'tailscaled <config opts>'
+func isOneStepConfig(cfg *settings) bool {
+	return cfg.TailscaledConfigFilePath != ""
+}
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -52,6 +52,12 @@ func TestContainerBoot(t *testing.T) {
 	}
 	defer kube.Close()

+	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: func(s string) *string { return &s }("foo"), Version: "alpha0"}
+	tailscaledConfBytes, err := json.Marshal(tailscaledConf)
+	if err != nil {
+		t.Fatalf("error unmarshaling tailscaled config: %v", err)
+	}
+
 	dirs := []string{
 		"var/lib",
 		"usr/bin",
@@ -59,6 +65,7 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net",
 		"proc/sys/net/ipv4",
 		"proc/sys/net/ipv6/conf/all",
+		"etc",
 	}
 	for _, path := range dirs {
 		if err := os.MkdirAll(filepath.Join(d, path), 0700); err != nil {
@@ -73,6 +80,7 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net/tun":                           []byte(""),
 		"proc/sys/net/ipv4/ip_forward":          []byte("0"),
 		"proc/sys/net/ipv6/conf/all/forwarding": []byte("0"),
+		"etc/tailscaled":                        tailscaledConfBytes,
 	}
 	resetFiles := func() {
 		for path, content := range files {
@@ -310,7 +318,7 @@ func TestContainerBoot(t *testing.T) {
 			},
 		},
 		{
-			Name: "ingres proxy",
+			Name: "ingress proxy",
 			Env: map[string]string{
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
@@ -629,6 +637,21 @@ func TestContainerBoot(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "experimental tailscaled configfile",
+			Env: map[string]string{
+				"EXPERIMENTAL_TS_CONFIGFILE_PATH": filepath.Join(d, "etc/tailscaled"),
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --config=/etc/tailscaled",
+					},
+				}, {
+					Notify: runningNotify,
+				},
+			},
+		},
 	}

 	for _, test := range tests {
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -105,7 +105,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
        tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
-        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
+        tailscale.com/net/stun                                       from tailscale.com/net/stunserver
+        tailscale.com/net/stunserver                                 from tailscale.com/cmd/derper
   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
@@ -152,6 +153,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
        tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
+        tailscale.com/util/syspolicy                                 from tailscale.com/ipn
        tailscale.com/util/vizerror                                  from tailscale.com/tsweb+
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/derp+
@@ -231,7 +233,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        encoding/pem                                                 from crypto/tls+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/cmd/derper+
-        flag                                                         from tailscale.com/cmd/derper
+        flag                                                         from tailscale.com/cmd/derper+
        fmt                                                          from compress/flate+
        go/token                                                     from google.golang.org/protobuf/internal/strs
        hash                                                         from crypto+
@@ -262,6 +264,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        os/signal                                                    from tailscale.com/cmd/derper
   W    os/user                                                      from tailscale.com/util/winutil
        path                                                         from golang.org/x/crypto/acme/autocert+
        path/filepath                                                from crypto/x509+
@@ -271,7 +274,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        runtime/debug                                                from golang.org/x/crypto/acme+
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof
+        runtime/trace                                                from net/http/pprof+
        slices                                                       from tailscale.com/ipn/ipnstate+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
@@ -279,6 +282,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        sync                                                         from compress/flate+
        sync/atomic                                                  from context+
        syscall                                                      from crypto/rand+
+        testing                                                      from tailscale.com/util/syspolicy
        text/tabwriter                                               from runtime/pprof
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -17,11 +17,12 @@ import (
 	"math"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"regexp"
 	"strings"
+	"syscall"
 	"time"

 	"go4.org/mem"
@@ -30,7 +31,7 @@ import (
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/metrics"
-	"tailscale.com/net/stun"
+	"tailscale.com/net/stunserver"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
 	"tailscale.com/util/cmpx"
@@ -59,25 +60,11 @@ var (
 )

 var (
-	stats             = new(metrics.Set)
-	stunDisposition   = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily    = &metrics.LabelMap{Label: "family"}
 	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
 	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
-
-	stunReadError  = stunDisposition.Get("read_error")
-	stunNotSTUN    = stunDisposition.Get("not_stun")
-	stunWriteError = stunDisposition.Get("write_error")
-	stunSuccess    = stunDisposition.Get("success")
-
-	stunIPv4 = stunAddrFamily.Get("ipv4")
-	stunIPv6 = stunAddrFamily.Get("ipv6")
 )

 func init() {
-	stats.Set("counter_requests", stunDisposition)
-	stats.Set("counter_addrfamily", stunAddrFamily)
-	expvar.Publish("stun", stats)
 	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
 	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
 }
@@ -135,6 +122,9 @@ func writeNewConfig() config {
 func main() {
 	flag.Parse()

+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
 	if *dev {
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
@@ -146,6 +136,11 @@ func main() {
 		log.Fatalf("invalid server address: %v", err)
 	}

+	if *runSTUN {
+		ss := stunserver.New(ctx)
+		go ss.ListenAndServe(net.JoinHostPort(listenHost, fmt.Sprint(*stunPort)))
+	}
+
 	cfg := loadConfig()

 	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"
@@ -221,10 +216,6 @@ func main() {
 	}))
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))

-	if *runSTUN {
-		go serveSTUN(listenHost, *stunPort)
-	}
-
 	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
 		Addr:     *addr,
@@ -241,6 +232,10 @@ func main() {
 		ReadTimeout:  30 * time.Second,
 		WriteTimeout: 30 * time.Second,
 	}
+	go func() {
+		<-ctx.Done()
+		httpsrv.Shutdown(ctx)
+	}()

 	if serveTLS {
 		log.Printf("derper: serving on %s with TLS", *addr)
@@ -351,59 +346,6 @@ func probeHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }

-func serveSTUN(host string, port int) {
-	pc, err := net.ListenPacket("udp", net.JoinHostPort(host, fmt.Sprint(port)))
-	if err != nil {
-		log.Fatalf("failed to open STUN listener: %v", err)
-	}
-	log.Printf("running STUN server on %v", pc.LocalAddr())
-	serverSTUNListener(context.Background(), pc.(*net.UDPConn))
-}
-
-func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
-	var buf [64 << 10]byte
-	var (
-		n   int
-		ua  *net.UDPAddr
-		err error
-	)
-	for {
-		n, ua, err = pc.ReadFromUDP(buf[:])
-		if err != nil {
-			if ctx.Err() != nil {
-				return
-			}
-			log.Printf("STUN ReadFrom: %v", err)
-			time.Sleep(time.Second)
-			stunReadError.Add(1)
-			continue
-		}
-		pkt := buf[:n]
-		if !stun.Is(pkt) {
-			stunNotSTUN.Add(1)
-			continue
-		}
-		txid, err := stun.ParseBindingRequest(pkt)
-		if err != nil {
-			stunNotSTUN.Add(1)
-			continue
-		}
-		if ua.IP.To4() != nil {
-			stunIPv4.Add(1)
-		} else {
-			stunIPv6.Add(1)
-		}
-		addr, _ := netip.AddrFromSlice(ua.IP)
-		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
-		_, err = pc.WriteTo(res, ua)
-		if err != nil {
-			stunWriteError.Add(1)
-		} else {
-			stunSuccess.Add(1)
-		}
-	}
-}
-
 var validProdHostname = regexp.MustCompile(`^derp([^.]*)\.tailscale\.com\.?$`)

 func prodAutocertHostPolicy(_ context.Context, host string) error {
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -5,13 +5,11 @@ package main

 import (
 	"context"
-	"net"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"

-	"tailscale.com/net/stun"
 	"tailscale.com/tstest/deptest"
 )

@@ -39,38 +37,6 @@ func TestProdAutocertHostPolicy(t *testing.T) {
 	}
 }

-func BenchmarkServerSTUN(b *testing.B) {
-	b.ReportAllocs()
-	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer pc.Close()
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	go serverSTUNListener(ctx, pc.(*net.UDPConn))
-	addr := pc.LocalAddr().(*net.UDPAddr)
-
-	var resBuf [1500]byte
-	cc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1")})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	tx := stun.NewTxID()
-	req := stun.Request(tx)
-	for i := 0; i < b.N; i++ {
-		if _, err := cc.WriteToUDP(req, addr); err != nil {
-			b.Fatal(err)
-		}
-		_, _, err := cc.ReadFromUDP(resBuf[:])
-		if err != nil {
-			b.Fatal(err)
-		}
-	}
-
-}
-
 func TestNoContent(t *testing.T) {
 	testCases := []struct {
 		name  string
--- a/cmd/k8s-operator/connector.go
+++ b/cmd/k8s-operator/connector.go
@@ -10,7 +10,6 @@ import (
 	"fmt"
 	"net/netip"
 	"slices"
-	"strings"
 	"sync"
 	"time"

@@ -33,17 +32,15 @@ import (
 )

 const (
-	reasonSubnetRouterCreationFailed    = "SubnetRouterCreationFailed"
-	reasonSubnetRouterCreated           = "SubnetRouterCreated"
-	reasonSubnetRouterCleanupFailed     = "SubnetRouterCleanupFailed"
-	reasonSubnetRouterCleanupInProgress = "SubnetRouterCleanupInProgress"
-	reasonSubnetRouterInvalid           = "SubnetRouterInvalid"
+	reasonConnectorCreationFailed = "ConnectorCreationFailed"

-	messageSubnetRouterCreationFailed = "Failed creating subnet router for routes %s: %v"
-	messageSubnetRouterInvalid        = "Subnet router is invalid: %v"
-	messageSubnetRouterCreated        = "Created subnet router for routes %s"
-	messageSubnetRouterCleanupFailed  = "Failed cleaning up subnet router resources: %v"
-	msgSubnetRouterCleanupInProgress  = "SubnetRouterCleanupInProgress"
+	reasonConnectorCreated           = "ConnectorCreated"
+	reasonConnectorCleanupFailed     = "ConnectorCleanupFailed"
+	reasonConnectorCleanupInProgress = "ConnectorCleanupInProgress"
+	reasonConnectorInvalid           = "ConnectorInvalid"
+
+	messageConnectorCreationFailed = "Failed creating Connector: %v"
+	messageConnectorInvalid        = "Connector is invalid: %v"

 	shortRequeue = time.Second * 5
 )
@@ -61,42 +58,44 @@ type ConnectorReconciler struct {

 	mu sync.Mutex // protects following

-	// subnetRouters tracks the subnet routers managed by this Tailscale
-	// Operator instance.
-	subnetRouters set.Slice[types.UID]
+	subnetRouters set.Slice[types.UID] // for subnet routers gauge
+	exitNodes     set.Slice[types.UID] // for exit nodes gauge
 }

 var (
-	// gaugeIngressResources tracks the number of subnet routers that we're
-	// currently managing.
-	gaugeSubnetRouterResources = clientmetric.NewGauge("k8s_subnet_router_resources")
+	// gaugeConnectorResources tracks the overall number of Connectors currently managed by this operator instance.
+	gaugeConnectorResources = clientmetric.NewGauge("k8s_connector_resources")
+	// gaugeConnectorSubnetRouterResources tracks the number of Connectors managed by this operator instance that are subnet routers.
+	gaugeConnectorSubnetRouterResources = clientmetric.NewGauge("k8s_connector_subnetrouter_resources")
+	// gaugeConnectorExitNodeResources tracks the number of Connectors currently managed by this operator instance that are exit nodes.
+	gaugeConnectorExitNodeResources = clientmetric.NewGauge("k8s_connector_exitnode_resources")
 )

-func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
-	logger := a.logger.With("connector", req.Name)
+func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
+	logger := a.logger.With("Connector", req.Name)
 	logger.Debugf("starting reconcile")
 	defer logger.Debugf("reconcile finished")

 	cn := new(tsapi.Connector)
 	err = a.Get(ctx, req.NamespacedName, cn)
 	if apierrors.IsNotFound(err) {
-		logger.Debugf("connector not found, assuming it was deleted")
+		logger.Debugf("Connector not found, assuming it was deleted")
 		return reconcile.Result{}, nil
 	} else if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to get tailscale.com Connector: %w", err)
 	}
 	if !cn.DeletionTimestamp.IsZero() {
-		logger.Debugf("connector is being deleted or should not be exposed, cleaning up components")
+		logger.Debugf("Connector is being deleted or should not be exposed, cleaning up resources")
 		ix := xslices.Index(cn.Finalizers, FinalizerName)
 		if ix < 0 {
 			logger.Debugf("no finalizer, nothing to do")
 			return reconcile.Result{}, nil
 		}

-		if done, err := a.maybeCleanupSubnetRouter(ctx, logger, cn); err != nil {
+		if done, err := a.maybeCleanupConnector(ctx, logger, cn); err != nil {
 			return reconcile.Result{}, err
 		} else if !done {
-			logger.Debugf("cleanup not finished, will retry...")
+			logger.Debugf("Connector resource cleanup not yet finished, will retry...")
 			return reconcile.Result{RequeueAfter: shortRequeue}, nil
 		}

@@ -104,93 +103,110 @@ func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Reque
 		if err := a.Update(ctx, cn); err != nil {
 			return reconcile.Result{}, err
 		}
-		logger.Infof("connector resources cleaned up")
+		logger.Infof("Connector resources cleaned up")
 		return reconcile.Result{}, nil
 	}

 	oldCnStatus := cn.Status.DeepCopy()
-	defer func() {
-		if cn.Status.SubnetRouter == nil {
-			tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, metav1.ConditionUnknown, "", "", cn.Generation, a.clock, logger)
-		} else if cn.Status.SubnetRouter.Ready == metav1.ConditionTrue {
-			tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, metav1.ConditionTrue, reasonSubnetRouterCreated, reasonSubnetRouterCreated, cn.Generation, a.clock, logger)
-		} else {
-			tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, metav1.ConditionFalse, cn.Status.SubnetRouter.Reason, cn.Status.SubnetRouter.Reason, cn.Generation, a.clock, logger)
-		}
+	setStatus := func(cn *tsapi.Connector, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
+		tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, status, reason, message, cn.Generation, a.clock, logger)
 		if !apiequality.Semantic.DeepEqual(oldCnStatus, cn.Status) {
-			// an error encountered here should get returned by the Reconcile function
+			// An error encountered here should get returned by the Reconcile function.
 			if updateErr := a.Client.Status().Update(ctx, cn); updateErr != nil {
-				err = updateErr
+				err = errors.Wrap(err, updateErr.Error())
 			}
 		}
-	}()
+		return res, err
+	}

 	if !slices.Contains(cn.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
 		// because once the finalizer is in place this block gets skipped. So,
 		// this is a nice place to tell the operator that the high level,
 		// multi-reconcile operation is underway.
-		logger.Infof("ensuring connector is set up")
+		logger.Infof("ensuring Connector is set up")
 		cn.Finalizers = append(cn.Finalizers, FinalizerName)
 		if err := a.Update(ctx, cn); err != nil {
-			err = fmt.Errorf("failed to add finalizer: %w", err)
-			logger.Errorf("error adding finalizer: %v", err)
-			return reconcile.Result{}, err
+			logger.Errorf("error adding finalizer: %w", err)
+			return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorCreationFailed, reasonConnectorCreationFailed)
 		}
 	}

-	// A Connector with unset .spec.subnetRouter and unset
-	// cn.spec.subnetRouter.Routes will be rejected at apply time (because
-	// these fields are set as required by our CRD validation). This check
-	// is here for if our CRD validation breaks unnoticed we don't crash the
-	// operator with nil pointer exception.
-	if cn.Spec.SubnetRouter == nil || len(cn.Spec.SubnetRouter.Routes) < 1 {
-		return reconcile.Result{}, nil
+	if err := a.validate(cn); err != nil {
+		logger.Errorf("error validating Connector spec: %w", err)
+		message := fmt.Sprintf(messageConnectorInvalid, err)
+		a.recorder.Eventf(cn, corev1.EventTypeWarning, reasonConnectorInvalid, message)
+		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorInvalid, message)
 	}

-	if err := validateSubnetRouter(*cn.Spec.SubnetRouter); err != nil {
-		msg := fmt.Sprintf(messageSubnetRouterInvalid, err)
-		cn.Status.SubnetRouter = &tsapi.SubnetRouterStatus{
-			Ready:   metav1.ConditionFalse,
-			Reason:  reasonSubnetRouterInvalid,
-			Message: msg,
-		}
-		a.recorder.Eventf(cn, corev1.EventTypeWarning, reasonSubnetRouterInvalid, msg)
-		return reconcile.Result{}, nil
+	if err = a.maybeProvisionConnector(ctx, logger, cn); err != nil {
+		logger.Errorf("error creating Connector resources: %w", err)
+		message := fmt.Sprintf(messageConnectorCreationFailed, err)
+		a.recorder.Eventf(cn, corev1.EventTypeWarning, reasonConnectorCreationFailed, message)
+		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorCreationFailed, message)
 	}

-	var sb strings.Builder
-	sb.WriteString(string(cn.Spec.SubnetRouter.Routes[0]))
-	for _, r := range cn.Spec.SubnetRouter.Routes[1:] {
-		sb.WriteString(fmt.Sprintf(",%s", r))
+	logger.Info("Connector resources synced")
+	cn.Status.IsExitNode = cn.Spec.ExitNode
+	if cn.Spec.SubnetRouter != nil {
+		cn.Status.SubnetRoutes = cn.Spec.SubnetRouter.AdvertiseRoutes.Stringify()
+		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionTrue, reasonConnectorCreated, reasonConnectorCreated)
 	}
-	cidrsS := sb.String()
-	logger.Debugf("ensuring a subnet router is deployed")
-	err = a.maybeProvisionSubnetRouter(ctx, logger, cn, cidrsS)
-	if err != nil {
-		msg := fmt.Sprintf(messageSubnetRouterCreationFailed, cidrsS, err)
-		cn.Status.SubnetRouter = &tsapi.SubnetRouterStatus{
-			Ready:   metav1.ConditionFalse,
-			Reason:  reasonSubnetRouterCreationFailed,
-			Message: msg,
-		}
-		a.recorder.Eventf(cn, corev1.EventTypeWarning, reasonSubnetRouterCreationFailed, msg)
-		return reconcile.Result{}, err
-	}
-	cn.Status.SubnetRouter = &tsapi.SubnetRouterStatus{
-		Routes:  cidrsS,
-		Ready:   metav1.ConditionTrue,
-		Reason:  reasonSubnetRouterCreated,
-		Message: fmt.Sprintf(messageSubnetRouterCreated, cidrsS),
-	}
-	return reconcile.Result{}, nil
+	cn.Status.SubnetRoutes = ""
+	return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionTrue, reasonConnectorCreated, reasonConnectorCreated)
 }

-func (a *ConnectorReconciler) maybeCleanupSubnetRouter(ctx context.Context, logger *zap.SugaredLogger, cn *tsapi.Connector) (bool, error) {
-	if done, err := a.ssr.Cleanup(ctx, logger, childResourceLabels(cn.Name, a.tsnamespace, "subnetrouter")); err != nil {
-		return false, fmt.Errorf("failed to cleanup: %w", err)
+// maybeProvisionConnector ensures that any new resources required for this
+// Connector instance are deployed to the cluster.
+func (a *ConnectorReconciler) maybeProvisionConnector(ctx context.Context, logger *zap.SugaredLogger, cn *tsapi.Connector) error {
+	hostname := cn.Name + "-connector"
+	if cn.Spec.Hostname != "" {
+		hostname = string(cn.Spec.Hostname)
+	}
+	crl := childResourceLabels(cn.Name, a.tsnamespace, "connector")
+	sts := &tailscaleSTSConfig{
+		ParentResourceName:  cn.Name,
+		ParentResourceUID:   string(cn.UID),
+		Hostname:            hostname,
+		ChildResourceLabels: crl,
+		Tags:                cn.Spec.Tags.Stringify(),
+		Connector: &connector{
+			isExitNode: cn.Spec.ExitNode,
+		},
+	}
+
+	if cn.Spec.SubnetRouter != nil && len(cn.Spec.SubnetRouter.AdvertiseRoutes) > 0 {
+		sts.Connector.routes = cn.Spec.SubnetRouter.AdvertiseRoutes.Stringify()
+	}
+
+	a.mu.Lock()
+	if sts.Connector.isExitNode {
+		a.exitNodes.Add(cn.UID)
+	} else {
+		a.exitNodes.Remove(cn.UID)
+	}
+	if sts.Connector.routes != "" {
+		a.subnetRouters.Add(cn.GetUID())
+	} else {
+		a.subnetRouters.Remove(cn.GetUID())
+	}
+	a.mu.Unlock()
+	gaugeConnectorSubnetRouterResources.Set(int64(a.subnetRouters.Len()))
+	gaugeConnectorExitNodeResources.Set(int64(a.exitNodes.Len()))
+	var connectors set.Slice[types.UID]
+	connectors.AddSlice(a.exitNodes.Slice())
+	connectors.AddSlice(a.subnetRouters.Slice())
+	gaugeConnectorResources.Set(int64(connectors.Len()))
+
+	_, err := a.ssr.Provision(ctx, logger, sts)
+	return err
+}
+
+func (a *ConnectorReconciler) maybeCleanupConnector(ctx context.Context, logger *zap.SugaredLogger, cn *tsapi.Connector) (bool, error) {
+	if done, err := a.ssr.Cleanup(ctx, logger, childResourceLabels(cn.Name, a.tsnamespace, "connector")); err != nil {
+		return false, fmt.Errorf("failed to cleanup Connector resources: %w", err)
 	} else if !done {
-		logger.Debugf("cleanup not done yet, waiting for next reconcile")
+		logger.Debugf("Connector cleanup not done yet, waiting for next reconcile")
 		return false, nil
 	}

@@ -198,44 +214,39 @@ func (a *ConnectorReconciler) maybeCleanupSubnetRouter(ctx context.Context, logg
 	// exactly once at the very end of cleanup, because the final step of
 	// cleanup removes the tailscale finalizer, which will make all future
 	// reconciles exit early.
-	logger.Infof("cleaned up subnet router")
+	logger.Infof("cleaned up Connector resources")
 	a.mu.Lock()
-	defer a.mu.Unlock()
 	a.subnetRouters.Remove(cn.UID)
-	gaugeSubnetRouterResources.Set(int64(a.subnetRouters.Len()))
+	a.exitNodes.Remove(cn.UID)
+	a.mu.Unlock()
+	gaugeConnectorExitNodeResources.Set(int64(a.exitNodes.Len()))
+	gaugeConnectorSubnetRouterResources.Set(int64(a.subnetRouters.Len()))
+	var connectors set.Slice[types.UID]
+	connectors.AddSlice(a.exitNodes.Slice())
+	connectors.AddSlice(a.subnetRouters.Slice())
+	gaugeConnectorResources.Set(int64(connectors.Len()))
 	return true, nil
 }

-// maybeProvisionSubnetRouter maybe deploys subnet router that exposes a subset of cluster cidrs to the tailnet
-func (a *ConnectorReconciler) maybeProvisionSubnetRouter(ctx context.Context, logger *zap.SugaredLogger, cn *tsapi.Connector, cidrs string) error {
-	if cn.Spec.SubnetRouter == nil || len(cn.Spec.SubnetRouter.Routes) < 1 {
+func (a *ConnectorReconciler) validate(cn *tsapi.Connector) error {
+	// Connector fields are already validated at apply time with CEL validation
+	// on custom resource fields. The checks here are a backup in case the
+	// CEL validation breaks without us noticing.
+	if !(cn.Spec.SubnetRouter != nil || cn.Spec.ExitNode) {
+		return errors.New("invalid spec: a Connector must expose subnet routes or act as an exit node (or both)")
+	}
+	if cn.Spec.SubnetRouter == nil {
 		return nil
 	}
-	a.mu.Lock()
-	a.subnetRouters.Add(cn.UID)
-	gaugeSubnetRouterResources.Set(int64(a.subnetRouters.Len()))
-	a.mu.Unlock()
-
-	crl := childResourceLabels(cn.Name, a.tsnamespace, "subnetrouter")
-	hostname := hostnameForSubnetRouter(cn)
-	sts := &tailscaleSTSConfig{
-		ParentResourceName:  cn.Name,
-		ParentResourceUID:   string(cn.UID),
-		Hostname:            hostname,
-		ChildResourceLabels: crl,
-		Routes:              cidrs,
-	}
-	for _, tag := range cn.Spec.SubnetRouter.Tags {
-		sts.Tags = append(sts.Tags, string(tag))
-	}
-
-	_, err := a.ssr.Provision(ctx, logger, sts)
-
-	return err
+	return validateSubnetRouter(cn.Spec.SubnetRouter)
 }
-func validateSubnetRouter(sb tsapi.SubnetRouter) error {
+
+func validateSubnetRouter(sb *tsapi.SubnetRouter) error {
+	if len(sb.AdvertiseRoutes) < 1 {
+		return errors.New("invalid subnet router spec: no routes defined")
+	}
 	var err error
-	for _, route := range sb.Routes {
+	for _, route := range sb.AdvertiseRoutes {
 		pfx, e := netip.ParsePrefix(string(route))
 		if e != nil {
 			err = errors.Wrap(err, fmt.Sprintf("route %s is invalid: %v", route, err))
@@ -247,13 +258,3 @@ func validateSubnetRouter(sb tsapi.SubnetRouter) error {
 	}
 	return err
 }
-
-func hostnameForSubnetRouter(cn *tsapi.Connector) string {
-	if cn.Spec.SubnetRouter == nil {
-		return ""
-	}
-	if cn.Spec.SubnetRouter.Hostname != "" {
-		return string(cn.Spec.SubnetRouter.Hostname)
-	}
-	return cn.Name + "-" + "subnetrouter"
-}
--- a/cmd/k8s-operator/connector_test.go
+++ b/cmd/k8s-operator/connector_test.go
@@ -17,10 +17,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/tstest"
-	"tailscale.com/types/ptr"
 )

 func TestConnector(t *testing.T) {
+	// Create a Connector that defines a Tailscale node that advertises
+	// 10.40.0.0/14 route and acts as an exit node.
 	cn := &tsapi.Connector{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test",
@@ -32,8 +33,9 @@ func TestConnector(t *testing.T) {
 		},
 		Spec: tsapi.ConnectorSpec{
 			SubnetRouter: &tsapi.SubnetRouter{
-				Routes: []tsapi.Route{"10.40.0.0/14"},
+				AdvertiseRoutes: []tsapi.Route{"10.40.0.0/14"},
 			},
+			ExitNode: true,
 		},
 	}
 	fc := fake.NewClientBuilder().
@@ -48,7 +50,6 @@ func TestConnector(t *testing.T) {
 	}

 	cl := tstest.NewClock(tstest.ClockOpts{})
-	// Create a Connector with a subnet router definition
 	cr := &ConnectorReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -63,26 +64,61 @@ func TestConnector(t *testing.T) {
 	}

 	expectReconciled(t, cr, "", "test")
-	fullName, shortName := findGenName(t, fc, "", "test", "subnetrouter")
+	fullName, shortName := findGenName(t, fc, "", "test", "connector")

-	expectEqual(t, fc, expectedSecret(fullName, "", "subnetrouter"))
-	expectEqual(t, fc, expectedConnectorSTS(shortName, fullName, "10.40.0.0/14"))
+	opts := configOpts{
+		stsName:                    shortName,
+		secretName:                 fullName,
+		parentType:                 "connector",
+		hostname:                   "test-connector",
+		shouldUseDeclarativeConfig: true,
+		isExitNode:                 true,
+		subnetRoutes:               "10.40.0.0/14",
+		confFileHash:               "9321660203effb80983eaecc7b5ac5a8c53934926f46e895b9fe295dcfc5a904",
+	}
+	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedSTS(opts))

-	// Add another CIDR
+	// Add another route to be advertised.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
-		conn.Spec.SubnetRouter.Routes = []tsapi.Route{"10.40.0.0/14", "10.44.0.0/20"}
+		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.40.0.0/14", "10.44.0.0/20"}
 	})
+	opts.subnetRoutes = "10.40.0.0/14,10.44.0.0/20"
+	opts.confFileHash = "fb6c4daf67425f983985750cd8d6f2beae77e614fcb34176604571f5623d6862"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedConnectorSTS(shortName, fullName, "10.40.0.0/14,10.44.0.0/20"))

-	// Remove a CIDR
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Remove a route.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
-		conn.Spec.SubnetRouter.Routes = []tsapi.Route{"10.44.0.0/20"}
+		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.44.0.0/20"}
 	})
+	opts.subnetRoutes = "10.44.0.0/20"
+	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedConnectorSTS(shortName, fullName, "10.44.0.0/20"))
+	expectEqual(t, fc, expectedSTS(opts))

-	// Delete the Connector
+	// Remove the subnet router.
+	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.SubnetRouter = nil
+	})
+	opts.subnetRoutes = ""
+	opts.confFileHash = "7c421a99128eb80e79a285a82702f19f8f720615542a15bd794858a6275d8079"
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Re-add the subnet router.
+	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.SubnetRouter = &tsapi.SubnetRouter{
+			AdvertiseRoutes: []tsapi.Route{"10.44.0.0/20"},
+		}
+	})
+	opts.subnetRoutes = "10.44.0.0/20"
+	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
 		t.Fatalf("error deleting Connector: %v", err)
 	}
@@ -93,72 +129,57 @@ func TestConnector(t *testing.T) {
 	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)

-}
-
-func expectedConnectorSTS(stsName, secretName, routes string) *appsv1.StatefulSet {
-	return &appsv1.StatefulSet{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "StatefulSet",
-			APIVersion: "apps/v1",
-		},
+	// Create a Connector that advertises a route and is not an exit node.
+	cn = &tsapi.Connector{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      stsName,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   "",
-				"tailscale.com/parent-resource-type": "subnetrouter",
-			},
+			Name: "test",
+			UID:  types.UID("1234-UID"),
 		},
-		Spec: appsv1.StatefulSetSpec{
-			Replicas: ptr.To[int32](1),
-			Selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{"app": "1234-UID"},
-			},
-			ServiceName: stsName,
-			Template: corev1.PodTemplateSpec{
-				ObjectMeta: metav1.ObjectMeta{
-					DeletionGracePeriodSeconds: ptr.To[int64](10),
-					Labels:                     map[string]string{"app": "1234-UID"},
-					Annotations: map[string]string{
-						"tailscale.com/operator-last-set-hostname": "test-subnetrouter",
-					},
-				},
-				Spec: corev1.PodSpec{
-					ServiceAccountName: "proxies",
-					InitContainers: []corev1.Container{
-						{
-							Name:    "sysctler",
-							Image:   "tailscale/tailscale",
-							Command: []string{"/bin/sh"},
-							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
-							SecurityContext: &corev1.SecurityContext{
-								Privileged: ptr.To(true),
-							},
-						},
-					},
-					Containers: []corev1.Container{
-						{
-							Name:  "tailscale",
-							Image: "tailscale/tailscale",
-							Env: []corev1.EnvVar{
-								{Name: "TS_USERSPACE", Value: "false"},
-								{Name: "TS_AUTH_ONCE", Value: "true"},
-								{Name: "TS_KUBE_SECRET", Value: secretName},
-								{Name: "TS_HOSTNAME", Value: "test-subnetrouter"},
-								{Name: "TS_ROUTES", Value: routes},
-							},
-							SecurityContext: &corev1.SecurityContext{
-								Capabilities: &corev1.Capabilities{
-									Add: []corev1.Capability{"NET_ADMIN"},
-								},
-							},
-							ImagePullPolicy: "Always",
-						},
-					},
-				},
+		TypeMeta: metav1.TypeMeta{
+			Kind:       tsapi.ConnectorKind,
+			APIVersion: "tailscale.io/v1alpha1",
+		},
+		Spec: tsapi.ConnectorSpec{
+			SubnetRouter: &tsapi.SubnetRouter{
+				AdvertiseRoutes: []tsapi.Route{"10.40.0.0/14"},
 			},
 		},
 	}
+	opts.subnetRoutes = "10.44.0.0/14"
+	opts.isExitNode = false
+	mustCreate(t, fc, cn)
+	expectReconciled(t, cr, "", "test")
+	fullName, shortName = findGenName(t, fc, "", "test", "connector")
+
+	opts = configOpts{
+		stsName:                    shortName,
+		secretName:                 fullName,
+		parentType:                 "connector",
+		shouldUseDeclarativeConfig: true,
+		subnetRoutes:               "10.40.0.0/14",
+		hostname:                   "test-connector",
+		confFileHash:               "57d922331890c9b1c8c6ae664394cb254334c551d9cd9db14537b5d9da9fb17e",
+	}
+	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Add an exit node.
+	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.ExitNode = true
+	})
+	opts.isExitNode = true
+	opts.confFileHash = "1499b591fd97a50f0330db6ec09979792c49890cf31f5da5bb6a3f50dba1e77a"
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Delete the Connector.
+	if err = fc.Delete(context.Background(), cn); err != nil {
+		t.Fatalf("error deleting Connector: %v", err)
+	}
+
+	expectRequeue(t, cr, "", "test")
+	expectReconciled(t, cr, "", "test")
+
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 }
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
@@ -16,11 +16,15 @@ spec:
  scope: Cluster
  versions:
    - additionalPrinterColumns:
-        - description: Cluster CIDR ranges exposed to tailnet via subnet router
-          jsonPath: .status.subnetRouter.routes
+        - description: CIDR ranges exposed to tailnet by a subnet router defined via this Connector instance.
+          jsonPath: .status.subnetRoutes
          name: SubnetRoutes
          type: string
-        - description: Status of the components deployed by the connector
+        - description: Whether this Connector instance defines an exit node.
+          jsonPath: .status.isExitNode
+          name: IsExitNode
+          type: string
+        - description: Status of the deployed Connector resources.
          jsonPath: .status.conditions[?(@.type == "ConnectorReady")].reason
          name: Status
          type: string
@@ -40,38 +44,40 @@ spec:
            metadata:
              type: object
            spec:
-              description: Desired state of the Connector resource.
+              description: ConnectorSpec describes the desired Tailscale component.
              type: object
-              required:
-                - subnetRouter
              properties:
+                exitNode:
+                  description: ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
+                  type: boolean
+                hostname:
+                  description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
+                  type: string
+                  pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
                subnetRouter:
-                  description: SubnetRouter configures a Tailscale subnet router to be deployed in the cluster. If unset no subnet router will be deployed. https://tailscale.com/kb/1019/subnets/
+                  description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
                  type: object
                  required:
-                    - routes
+                    - advertiseRoutes
                  properties:
-                    hostname:
-                      description: Hostname is the tailnet hostname that should be assigned to the subnet router node. If unset hostname is defaulted to <connector name>-subnetrouter. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
-                      type: string
-                      pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
-                    routes:
-                      description: Routes refer to in-cluster CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
+                    advertiseRoutes:
+                      description: AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
                      type: array
+                      minItems: 1
                      items:
                        type: string
                        format: cidr
-                    tags:
-                      description: Tags that the Tailscale node will be tagged with. If you want the subnet router to be autoapproved, you can configure Tailscale ACLs to autoapprove the subnetrouter's CIDRs for these tags. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes Defaults to tag:k8s. If you specify custom tags here, you must also make tag:k8s-operator owner of the custom tag. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
-                      type: array
-                      items:
-                        type: string
-                        pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
-                  x-kubernetes-validations:
-                    - rule: has(self.tags) == has(oldSelf.tags)
-                      message: Subnetrouter tags cannot be changed. Delete and redeploy the Connector if you need to change it.
+                tags:
+                  description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
+                  type: array
+                  items:
+                    type: string
+                    pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
+              x-kubernetes-validations:
+                - rule: has(self.subnetRouter) || self.exitNode == true
+                  message: A Connector needs to be either an exit node or a subnet router, or both.
            status:
-              description: Status of the Connector. This is set and managed by the Tailscale operator.
+              description: ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
              type: object
              properties:
                conditions:
@@ -107,27 +113,12 @@ spec:
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
-                subnetRouter:
-                  description: SubnetRouter status is the current status of a subnet router
-                  type: object
-                  required:
-                    - message
-                    - ready
-                    - reason
-                    - routes
-                  properties:
-                    message:
-                      description: Message is a more verbose reason for the current subnet router status
-                      type: string
-                    ready:
-                      description: Ready is the ready status of the subnet router
-                      type: string
-                    reason:
-                      description: Reason is the reason for the subnet router status
-                      type: string
-                    routes:
-                      description: Routes are the CIDRs currently exposed via subnet router
-                      type: string
+                isExitNode:
+                  description: IsExitNode is set to true if the Connector acts as an exit node.
+                  type: boolean
+                subnetRoutes:
+                  description: SubnetRoutes are the routes currently exposed to tailnet via this Connector instance.
+                  type: string
      served: true
      storage: true
      subresources:
--- a/cmd/k8s-operator/deploy/examples/connector.yaml
+++ b/cmd/k8s-operator/deploy/examples/connector.yaml
@@ -0,0 +1,19 @@
+# Before applying ensure that the operator owns tag:prod.
+# https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
+# To set up autoapproval set tag:prod as approver for 10.40.0.0/14 route and exit node.
+# Otherwise approve it manually in Machines panel once the
+# ts-prod Tailscale node has been created.
+# See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes
+apiVersion: tailscale.com/v1alpha1
+kind: Connector
+metadata:
+  name: prod
+spec:
+  tags:
+  - "tag:prod"
+  hostname: ts-prod
+  subnetRouter:
+    advertiseRoutes:
+    - "10.40.0.0/14"
+    - "192.168.0.0/14"
+  exitNode: true
--- a/cmd/k8s-operator/deploy/examples/subnetrouter.yaml
+++ b/cmd/k8s-operator/deploy/examples/subnetrouter.yaml
@@ -1,17 +0,0 @@
-# Before applyong this ensure that the operator is owner of tag:subnet.
-# https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
-# To set up autoapproval set tag:subnet as approver for 10.40.0.0/14 route
-# otherwise you will need to approve it manually in control panel once the
-# subnet router has been created.
-# https://tailscale.com/kb/1019/subnets/#advertise-subnet-routes
-apiVersion: tailscale.com/v1alpha1
-kind: Connector
-metadata:
-  name: exposepods
-spec:
-  subnetRouter:
-    routes:
-    - "10.40.0.0/14"
-    tags:
-    - "tag:subnet"
-    hostname: pods-subnetrouter
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -6,24 +6,15 @@
 package main

 import (
-	"context"
 	"fmt"
-	"strings"
-	"sync"
 	"testing"
-	"time"

-	"github.com/google/go-cmp/cmp"
 	"go.uber.org/zap"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/types/ptr"
 )

@@ -67,15 +58,18 @@ func TestLoadBalancerClass(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	opts := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
-	expectEqual(t, fc, expectedSTS(o))
+
+	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(opts))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -159,6 +153,7 @@ func TestLoadBalancerClass(t *testing.T) {
 	}
 	expectEqual(t, fc, want)
 }
+
 func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	fc := fake.NewFakeClient()
 	ft := &fakeTSClient{}
@@ -204,15 +199,17 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:              shortName,
+	o := configOpts{
+		stsName:           shortName,
 		secretName:        fullName,
+		namespace:         "default",
+		parentType:        "svc",
 		tailnetTargetFQDN: tailnetTargetFQDN,
 		hostname:          "default-test",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -235,14 +232,8 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 		},
 	}
 	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
+	expectEqual(t, fc, expectedSecret(t, o))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o = stsOpts{
-		name:              shortName,
-		secretName:        fullName,
-		tailnetTargetFQDN: tailnetTargetFQDN,
-		hostname:          "default-test",
-	}
 	expectEqual(t, fc, expectedSTS(o))

 	// Change the tailscale-target-fqdn annotation which should update the
@@ -272,6 +263,7 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 }
+
 func TestTailnetTargetIPAnnotation(t *testing.T) {
 	fc := fake.NewFakeClient()
 	ft := &fakeTSClient{}
@@ -317,15 +309,17 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:            shortName,
+	o := configOpts{
+		stsName:         shortName,
 		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
 		tailnetTargetIP: tailnetTargetIP,
 		hostname:        "default-test",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -348,14 +342,8 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 		},
 	}
 	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
+	expectEqual(t, fc, expectedSecret(t, o))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o = stsOpts{
-		name:            shortName,
-		secretName:      fullName,
-		tailnetTargetIP: tailnetTargetIP,
-		hostname:        "default-test",
-	}
 	expectEqual(t, fc, expectedSTS(o))

 	// Change the tailscale-target-ip annotation which should update the
@@ -428,14 +416,17 @@ func TestAnnotations(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -533,14 +524,17 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))

 	// Normally the Tailscale proxy pod would come up here and write its info
@@ -586,11 +580,6 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o = stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
-	}
 	expectEqual(t, fc, expectedSTS(o))
 	// ... but the service should have a LoadBalancer status.

@@ -666,14 +655,17 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))

 	// Normally the Tailscale proxy pod would come up here and write its info
@@ -737,11 +729,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o = stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
-	}
 	expectEqual(t, fc, expectedSTS(o))

 	want = &corev1.Service{
@@ -809,14 +796,17 @@ func TestCustomHostname(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-
-	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "reindeer-flotilla",
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "reindeer-flotilla",
+		clusterTargetIP: "10.20.30.40",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -920,11 +910,14 @@ func TestCustomPriorityClassName(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := stsOpts{
-		name:              shortName,
+	o := configOpts{
+		stsName:           shortName,
 		secretName:        fullName,
+		namespace:         "default",
+		parentType:        "svc",
 		hostname:          "tailscale-critical",
 		priorityClassName: "custom-priority-class-name",
+		clusterTargetIP:   "10.20.30.40",
 	}

 	expectEqual(t, fc, expectedSTS(o))
@@ -971,12 +964,14 @@ func TestDefaultLoadBalancer(t *testing.T) {

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")

-	// expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
 	expectEqual(t, fc, expectedSTS(o))
 }
@@ -1022,331 +1017,19 @@ func TestProxyFirewallMode(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := stsOpts{
-		name:         shortName,
-		secretName:   fullName,
-		hostname:     "default-test",
-		firewallMode: "nftables",
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		firewallMode:    "nftables",
+		clusterTargetIP: "10.20.30.40",
 	}
 	expectEqual(t, fc, expectedSTS(o))

 }

-func expectedSecret(name, parentNamespace, typ string) *corev1.Secret {
-	return &corev1.Secret{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Secret",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   parentNamespace,
-				"tailscale.com/parent-resource-type": typ,
-			},
-		},
-		StringData: map[string]string{
-			"authkey": "secret-authkey",
-		},
-	}
-}
-
-func expectedHeadlessService(name string) *corev1.Service {
-	return &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:         name,
-			GenerateName: "ts-test-",
-			Namespace:    "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   "default",
-				"tailscale.com/parent-resource-type": "svc",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			Selector: map[string]string{
-				"app": "1234-UID",
-			},
-			ClusterIP: "None",
-		},
-	}
-}
-
-func expectedSTS(opts stsOpts) *appsv1.StatefulSet {
-	containerEnv := []corev1.EnvVar{
-		{Name: "TS_USERSPACE", Value: "false"},
-		{Name: "TS_AUTH_ONCE", Value: "true"},
-		{Name: "TS_KUBE_SECRET", Value: opts.secretName},
-		{Name: "TS_HOSTNAME", Value: opts.hostname},
-	}
-	annots := map[string]string{
-		"tailscale.com/operator-last-set-hostname": opts.hostname,
-	}
-	if opts.tailnetTargetIP != "" {
-		annots["tailscale.com/operator-last-set-ts-tailnet-target-ip"] = opts.tailnetTargetIP
-		containerEnv = append(containerEnv, corev1.EnvVar{
-			Name:  "TS_TAILNET_TARGET_IP",
-			Value: opts.tailnetTargetIP,
-		})
-	} else if opts.tailnetTargetFQDN != "" {
-		annots["tailscale.com/operator-last-set-ts-tailnet-target-fqdn"] = opts.tailnetTargetFQDN
-		containerEnv = append(containerEnv, corev1.EnvVar{
-			Name:  "TS_TAILNET_TARGET_FQDN",
-			Value: opts.tailnetTargetFQDN,
-		})
-
-	} else {
-		containerEnv = append(containerEnv, corev1.EnvVar{
-			Name:  "TS_DEST_IP",
-			Value: "10.20.30.40",
-		})
-
-		annots["tailscale.com/operator-last-set-cluster-ip"] = "10.20.30.40"
-
-	}
-	if opts.firewallMode != "" {
-		containerEnv = append(containerEnv, corev1.EnvVar{
-			Name:  "TS_DEBUG_FIREWALL_MODE",
-			Value: opts.firewallMode,
-		})
-	}
-	return &appsv1.StatefulSet{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "StatefulSet",
-			APIVersion: "apps/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      opts.name,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   "default",
-				"tailscale.com/parent-resource-type": "svc",
-			},
-		},
-		Spec: appsv1.StatefulSetSpec{
-			Replicas: ptr.To[int32](1),
-			Selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{"app": "1234-UID"},
-			},
-			ServiceName: opts.name,
-			Template: corev1.PodTemplateSpec{
-				ObjectMeta: metav1.ObjectMeta{
-					Annotations:                annots,
-					DeletionGracePeriodSeconds: ptr.To[int64](10),
-					Labels:                     map[string]string{"app": "1234-UID"},
-				},
-				Spec: corev1.PodSpec{
-					ServiceAccountName: "proxies",
-					PriorityClassName:  opts.priorityClassName,
-					InitContainers: []corev1.Container{
-						{
-							Name:    "sysctler",
-							Image:   "tailscale/tailscale",
-							Command: []string{"/bin/sh"},
-							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
-							SecurityContext: &corev1.SecurityContext{
-								Privileged: ptr.To(true),
-							},
-						},
-					},
-					Containers: []corev1.Container{
-						{
-							Name:  "tailscale",
-							Image: "tailscale/tailscale",
-							Env:   containerEnv,
-							SecurityContext: &corev1.SecurityContext{
-								Capabilities: &corev1.Capabilities{
-									Add: []corev1.Capability{"NET_ADMIN"},
-								},
-							},
-							ImagePullPolicy: "Always",
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func findGenName(t *testing.T, client client.Client, ns, name, typ string) (full, noSuffix string) {
-	t.Helper()
-	labels := map[string]string{
-		LabelManaged:         "true",
-		LabelParentName:      name,
-		LabelParentNamespace: ns,
-		LabelParentType:      typ,
-	}
-	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
-	if err != nil {
-		t.Fatalf("finding secret for %q: %v", name, err)
-	}
-	if s == nil {
-		t.Fatalf("no secret found for %q %s %+#v", name, ns, labels)
-	}
-	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
-}
-
-func mustCreate(t *testing.T, client client.Client, obj client.Object) {
-	t.Helper()
-	if err := client.Create(context.Background(), obj); err != nil {
-		t.Fatalf("creating %q: %v", obj.GetName(), err)
-	}
-}
-
-func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
-func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Status().Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
-func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
-	t.Helper()
-	got := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      want.GetName(),
-		Namespace: want.GetNamespace(),
-	}, got); err != nil {
-		t.Fatalf("getting %q: %v", want.GetName(), err)
-	}
-	// The resource version changes eagerly whenever the operator does even a
-	// no-op update. Asserting a specific value leads to overly brittle tests,
-	// so just remove it from both got and want.
-	got.SetResourceVersion("")
-	want.SetResourceVersion("")
-	if diff := cmp.Diff(got, want); diff != "" {
-		t.Fatalf("unexpected object (-got +want):\n%s", diff)
-	}
-}
-
-func expectMissing[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); !apierrors.IsNotFound(err) {
-		t.Fatalf("object %s/%s unexpectedly present, wanted missing", ns, name)
-	}
-}
-
-func expectReconciled(t *testing.T, sr reconcile.Reconciler, ns, name string) {
-	t.Helper()
-	req := reconcile.Request{
-		NamespacedName: types.NamespacedName{
-			Namespace: ns,
-			Name:      name,
-		},
-	}
-	res, err := sr.Reconcile(context.Background(), req)
-	if err != nil {
-		t.Fatalf("Reconcile: unexpected error: %v", err)
-	}
-	if res.Requeue {
-		t.Fatalf("unexpected immediate requeue")
-	}
-	if res.RequeueAfter != 0 {
-		t.Fatalf("unexpected timed requeue (%v)", res.RequeueAfter)
-	}
-}
-
-func expectRequeue(t *testing.T, sr reconcile.Reconciler, ns, name string) {
-	t.Helper()
-	req := reconcile.Request{
-		NamespacedName: types.NamespacedName{
-			Name:      name,
-			Namespace: ns,
-		},
-	}
-	res, err := sr.Reconcile(context.Background(), req)
-	if err != nil {
-		t.Fatalf("Reconcile: unexpected error: %v", err)
-	}
-	if res.RequeueAfter == 0 {
-		t.Fatalf("expected timed requeue, got success")
-	}
-}
-
-type stsOpts struct {
-	name              string
-	secretName        string
-	hostname          string
-	priorityClassName string
-	firewallMode      string
-	tailnetTargetIP   string
-	tailnetTargetFQDN string
-}
-
-type fakeTSClient struct {
-	sync.Mutex
-	keyRequests []tailscale.KeyCapabilities
-	deleted     []string
-}
-
-func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error) {
-	c.Lock()
-	defer c.Unlock()
-	c.keyRequests = append(c.keyRequests, caps)
-	k := &tailscale.Key{
-		ID:           "key",
-		Created:      time.Now(),
-		Capabilities: caps,
-	}
-	return "secret-authkey", k, nil
-}
-
-func (c *fakeTSClient) DeleteDevice(ctx context.Context, deviceID string) error {
-	c.Lock()
-	defer c.Unlock()
-	c.deleted = append(c.deleted, deviceID)
-	return nil
-}
-
-func (c *fakeTSClient) KeyRequests() []tailscale.KeyCapabilities {
-	c.Lock()
-	defer c.Unlock()
-	return c.keyRequests
-}
-
-func (c *fakeTSClient) Deleted() []string {
-	c.Lock()
-	defer c.Unlock()
-	return c.deleted
-}
-
 func Test_isMagicDNSName(t *testing.T) {
 	tests := []struct {
 		in   string
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -7,6 +7,7 @@ package main

 import (
 	"context"
+	"crypto/sha256"
 	_ "embed"
 	"encoding/json"
 	"errors"
@@ -26,6 +27,7 @@ import (
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
+	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/opt"
@@ -54,11 +56,17 @@ const (
 	AnnotationFunnel = "tailscale.com/funnel"

 	// Annotations set by the operator on pods to trigger restarts when the
-	// hostname, IP or FQDN changes.
+	// hostname, IP, FQDN or tailscaled config changes.
 	podAnnotationLastSetClusterIP         = "tailscale.com/operator-last-set-cluster-ip"
 	podAnnotationLastSetHostname          = "tailscale.com/operator-last-set-hostname"
 	podAnnotationLastSetTailnetTargetIP   = "tailscale.com/operator-last-set-ts-tailnet-target-ip"
 	podAnnotationLastSetTailnetTargetFQDN = "tailscale.com/operator-last-set-ts-tailnet-target-fqdn"
+	// podAnnotationLastSetConfigFileHash is sha256 hash of the current tailscaled configuration contents.
+	podAnnotationLastSetConfigFileHash = "tailscale.com/operator-last-set-config-file-hash"
+
+	// tailscaledConfigKey is the name of the key in proxy Secret Data that
+	// holds the tailscaled config contents.
+	tailscaledConfigKey = "tailscaled"
 )

 type tailscaleSTSConfig struct {
@@ -66,22 +74,26 @@ type tailscaleSTSConfig struct {
 	ParentResourceUID   string
 	ChildResourceLabels map[string]string

-	ServeConfig *ipn.ServeConfig
-	// Tailscale target in cluster we are setting up ingress for
-	ClusterTargetIP string
+	ServeConfig     *ipn.ServeConfig
+	ClusterTargetIP string // ingress target

-	// Tailscale IP of a Tailscale service we are setting up egress for
-	TailnetTargetIP string
+	TailnetTargetIP string // egress target IP

-	// Tailscale FQDN of a Tailscale service we are setting up egress for
-	TailnetTargetFQDN string
+	TailnetTargetFQDN string // egress target FQDN

 	Hostname string
 	Tags     []string // if empty, use defaultTags

-	// Routes is a list of CIDRs to pass via --advertise-routes flag
-	// Should only be set if this is config for subnetRouter
-	Routes string
+	// Connector specifies a configuration of a Connector instance if that's
+	// what this StatefulSet should be created for.
+	Connector *connector
+}
+
+type connector struct {
+	// routes is a list of subnet routes that this Connector should expose.
+	routes string
+	// isExitNode defines whether this Connector should act as an exit node.
+	isExitNode bool
 }

 type tailscaleSTSReconciler struct {
@@ -111,16 +123,17 @@ func (a *tailscaleSTSReconciler) IsHTTPSEnabledOnTailnet() bool {
 // up to date.
 func (a *tailscaleSTSReconciler) Provision(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) (*corev1.Service, error) {
 	// Do full reconcile.
+	// TODO (don't create Service for the Connector)
 	hsvc, err := a.reconcileHeadlessService(ctx, logger, sts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to reconcile headless service: %w", err)
 	}

-	secretName, err := a.createOrGetSecret(ctx, logger, sts, hsvc)
+	secretName, tsConfigHash, err := a.createOrGetSecret(ctx, logger, sts, hsvc)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create or get API key secret: %w", err)
 	}
-	_, err = a.reconcileSTS(ctx, logger, sts, hsvc, secretName)
+	_, err = a.reconcileSTS(ctx, logger, sts, hsvc, secretName, tsConfigHash)
 	if err != nil {
 		return nil, fmt.Errorf("failed to reconcile statefulset: %w", err)
 	}
@@ -234,7 +247,7 @@ func (a *tailscaleSTSReconciler) reconcileHeadlessService(ctx context.Context, l
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, hsvc, func(svc *corev1.Service) { svc.Spec = hsvc.Spec })
 }

-func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *zap.SugaredLogger, stsC *tailscaleSTSConfig, hsvc *corev1.Service) (string, error) {
+func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *zap.SugaredLogger, stsC *tailscaleSTSConfig, hsvc *corev1.Service) (string, string, error) {
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			// Hardcode a -0 suffix so that in future, if we support
@@ -250,22 +263,25 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		logger.Debugf("secret %s/%s already exists", secret.GetNamespace(), secret.GetName())
 		orig = secret.DeepCopy()
 	} else if !apierrors.IsNotFound(err) {
-		return "", err
+		return "", "", err
 	}

+	var (
+		authKey, hash string
+	)
 	if orig == nil {
 		// Secret doesn't exist yet, create one. Initially it contains
 		// only the Tailscale authkey, but once Tailscale starts it'll
 		// also store the daemon state.
 		sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, stsC.ChildResourceLabels)
 		if err != nil {
-			return "", err
+			return "", "", err
 		}
 		if sts != nil {
 			// StatefulSet exists, so we have already created the secret.
 			// If the secret is missing, they should delete the StatefulSet.
 			logger.Errorf("Tailscale proxy secret doesn't exist, but the corresponding StatefulSet %s/%s already does. Something is wrong, please delete the StatefulSet.", sts.GetNamespace(), sts.GetName())
-			return "", nil
+			return "", "", nil
 		}
 		// Create API Key secret which is going to be used by the statefulset
 		// to authenticate with Tailscale.
@@ -274,30 +290,42 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		if len(tags) == 0 {
 			tags = a.defaultTags
 		}
-		authKey, err := a.newAuthKey(ctx, tags)
+		authKey, err = a.newAuthKey(ctx, tags)
 		if err != nil {
-			return "", err
+			return "", "", err
 		}
-
+	}
+	if !shouldDoTailscaledDeclarativeConfig(stsC) && authKey != "" {
 		mak.Set(&secret.StringData, "authkey", authKey)
 	}
+	if shouldDoTailscaledDeclarativeConfig(stsC) {
+		confFileBytes, h, err := tailscaledConfig(stsC, authKey, orig)
+		if err != nil {
+			return "", "", fmt.Errorf("error creating tailscaled config: %w", err)
+		}
+		hash = h
+		mak.Set(&secret.StringData, tailscaledConfigKey, string(confFileBytes))
+	}
 	if stsC.ServeConfig != nil {
 		j, err := json.Marshal(stsC.ServeConfig)
 		if err != nil {
-			return "", err
+			return "", "", err
 		}
 		mak.Set(&secret.StringData, "serve-config", string(j))
 	}
+
 	if orig != nil {
+		logger.Debugf("patching existing state Secret with values %s", secret.Data[tailscaledConfigKey])
 		if err := a.Patch(ctx, secret, client.MergeFrom(orig)); err != nil {
-			return "", err
+			return "", "", err
 		}
 	} else {
+		logger.Debugf("creating new state Secret with authkey %s", secret.Data[tailscaledConfigKey])
 		if err := a.Create(ctx, secret); err != nil {
-			return "", err
+			return "", "", err
 		}
 	}
-	return secret.Name, nil
+	return secret.Name, hash, nil
 }

 // DeviceInfo returns the device ID and hostname for the Tailscale device
@@ -325,7 +353,6 @@ func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map
 			return "", "", nil, err
 		}
 	}
-
 	return id, hostname, ips, nil
 }

@@ -353,7 +380,7 @@ var proxyYaml []byte
 //go:embed deploy/manifests/userspace-proxy.yaml
 var userspaceProxyYaml []byte

-func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, authKeySecret string) (*appsv1.StatefulSet, error) {
+func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, proxySecret, tsConfigHash string) (*appsv1.StatefulSet, error) {
 	var ss appsv1.StatefulSet
 	if sts.ServeConfig != nil {
 		if err := yaml.Unmarshal(userspaceProxyYaml, &ss); err != nil {
@@ -373,30 +400,90 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 	}
 	container := &ss.Spec.Template.Spec.Containers[0]
 	container.Image = a.proxyImage
+	ss.ObjectMeta = metav1.ObjectMeta{
+		Name:      headlessSvc.Name,
+		Namespace: a.operatorNamespace,
+		Labels:    sts.ChildResourceLabels,
+	}
+	ss.Spec.ServiceName = headlessSvc.Name
+	ss.Spec.Selector = &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			"app": sts.ParentResourceUID,
+		},
+	}
+	mak.Set(&ss.Spec.Template.Labels, "app", sts.ParentResourceUID)
+
+	// Generic containerboot configuration options.
 	container.Env = append(container.Env,
 		corev1.EnvVar{
 			Name:  "TS_KUBE_SECRET",
-			Value: authKeySecret,
+			Value: proxySecret,
 		},
-		corev1.EnvVar{
+	)
+	if !shouldDoTailscaledDeclarativeConfig(sts) {
+		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_HOSTNAME",
 			Value: sts.Hostname,
 		})
+		// containerboot currently doesn't have a way to re-read the hostname/ip as
+		// it is passed via an environment variable. So we need to restart the
+		// container when the value changes. We do this by adding an annotation to
+		// the pod template that contains the last value we set.
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetHostname, sts.Hostname)
+	}
+	// Configure containeboot to run tailscaled with a configfile read from the state Secret.
+	if shouldDoTailscaledDeclarativeConfig(sts) {
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetConfigFileHash, tsConfigHash)
+		ss.Spec.Template.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: "tailscaledconfig",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: proxySecret,
+					Items: []corev1.KeyToPath{{
+						Key:  tailscaledConfigKey,
+						Path: tailscaledConfigKey,
+					}},
+				},
+			},
+		})
+		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
+			Name:      "tailscaledconfig",
+			ReadOnly:  true,
+			MountPath: "/etc/tsconfig",
+		})
+		container.Env = append(container.Env, corev1.EnvVar{
+			Name:  "EXPERIMENTAL_TS_CONFIGFILE_PATH",
+			Value: "/etc/tsconfig/tailscaled",
+		})
+	}
+
+	if a.tsFirewallMode != "" {
+		container.Env = append(container.Env, corev1.EnvVar{
+			Name:  "TS_DEBUG_FIREWALL_MODE",
+			Value: a.tsFirewallMode,
+		})
+	}
+	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
+
+	// Ingress/egress proxy configuration options.
 	if sts.ClusterTargetIP != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_DEST_IP",
 			Value: sts.ClusterTargetIP,
 		})
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetClusterIP, sts.ClusterTargetIP)
 	} else if sts.TailnetTargetIP != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_TAILNET_TARGET_IP",
 			Value: sts.TailnetTargetIP,
 		})
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetTailnetTargetIP, sts.TailnetTargetIP)
 	} else if sts.TailnetTargetFQDN != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_TAILNET_TARGET_FQDN",
 			Value: sts.TailnetTargetFQDN,
 		})
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetTailnetTargetFQDN, sts.TailnetTargetFQDN)
 	} else if sts.ServeConfig != nil {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_SERVE_CONFIG",
@@ -411,7 +498,7 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			Name: "serve-config",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: authKeySecret,
+					SecretName: proxySecret,
 					Items: []corev1.KeyToPath{{
 						Key:  "serve-config",
 						Path: "serve-config",
@@ -419,56 +506,48 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 				},
 			},
 		})
-	} else if len(sts.Routes) > 0 {
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "TS_ROUTES",
-			Value: sts.Routes,
-		})
-
 	}
-	if a.tsFirewallMode != "" {
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "TS_DEBUG_FIREWALL_MODE",
-			Value: a.tsFirewallMode,
-		},
-		)
-	}
-	ss.ObjectMeta = metav1.ObjectMeta{
-		Name:      headlessSvc.Name,
-		Namespace: a.operatorNamespace,
-		Labels:    sts.ChildResourceLabels,
-	}
-	ss.Spec.ServiceName = headlessSvc.Name
-	ss.Spec.Selector = &metav1.LabelSelector{
-		MatchLabels: map[string]string{
-			"app": sts.ParentResourceUID,
-		},
-	}
-
-	// containerboot currently doesn't have a way to re-read the hostname/ip as
-	// it is passed via an environment variable. So we need to restart the
-	// container when the value changes. We do this by adding an annotation to
-	// the pod template that contains the last value we set.
-	ss.Spec.Template.Annotations = map[string]string{
-		podAnnotationLastSetHostname: sts.Hostname,
-	}
-	if sts.ClusterTargetIP != "" {
-		ss.Spec.Template.Annotations[podAnnotationLastSetClusterIP] = sts.ClusterTargetIP
-	}
-	if sts.TailnetTargetIP != "" {
-		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetIP] = sts.TailnetTargetIP
-	}
-	if sts.TailnetTargetFQDN != "" {
-		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetFQDN] = sts.TailnetTargetFQDN
-	}
-	ss.Spec.Template.Labels = map[string]string{
-		"app": sts.ParentResourceUID,
-	}
-	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }

+// tailscaledConfig takes a proxy config, a newly generated auth key if
+// generated and a Secret with the previous proxy state and auth key and
+// produces returns tailscaled configuration and a hash of that configuration.
+func tailscaledConfig(stsC *tailscaleSTSConfig, newAuthkey string, oldSecret *corev1.Secret) ([]byte, string, error) {
+	conf := ipn.ConfigVAlpha{
+		Version:   "alpha0",
+		AcceptDNS: "false",
+		Locked:    "false",
+		Hostname:  &stsC.Hostname,
+	}
+	if stsC.Connector != nil {
+		routes, err := netutil.CalcAdvertiseRoutes(stsC.Connector.routes, stsC.Connector.isExitNode)
+		if err != nil {
+			return nil, "", fmt.Errorf("error calculating routes: %w", err)
+		}
+		conf.AdvertiseRoutes = routes
+	}
+	if newAuthkey != "" {
+		conf.AuthKey = &newAuthkey
+	} else if oldSecret != nil && len(oldSecret.Data[tailscaledConfigKey]) > 0 { // write to StringData, read from Data as StringData is write-only
+		origConf := &ipn.ConfigVAlpha{}
+		if err := json.Unmarshal([]byte(oldSecret.Data[tailscaledConfigKey]), origConf); err != nil {
+			return nil, "", fmt.Errorf("error unmarshaling previous tailscaled config: %w", err)
+		}
+		conf.AuthKey = origConf.AuthKey
+	}
+	confFileBytes, err := json.Marshal(conf)
+	if err != nil {
+		return nil, "", fmt.Errorf("error marshaling tailscaled config : %w", err)
+	}
+	hash, err := hashBytes(confFileBytes)
+	if err != nil {
+		return nil, "", fmt.Errorf("error calculating config hash: %w", err)
+	}
+	return confFileBytes, hash, nil
+}
+
 // ptrObject is a type constraint for pointer types that implement
 // client.Object.
 type ptrObject[T any] interface {
@@ -476,6 +555,24 @@ type ptrObject[T any] interface {
 	*T
 }

+// hashBytes produces a hash for the provided bytes that is the same across
+// different invocations of this code. We do not use the
+// tailscale.com/deephash.Hash here because that produces a different hash for
+// the same value in different tailscale builds. The hash we are producing here
+// is used to determine if the container running the Connector Tailscale node
+// needs to be restarted. The container does not need restarting when the only
+// thing that changed is operator version (the hash is also exposed to users via
+// an annotation and might be confusing if it changes without the config having
+// changed).
+func hashBytes(b []byte) (string, error) {
+	h := sha256.New()
+	_, err := h.Write(b)
+	if err != nil {
+		return "", fmt.Errorf("error calculating hash: %w", err)
+	}
+	return fmt.Sprintf("%x", h.Sum(nil)), nil
+}
+
 // createOrUpdate adds obj to the k8s cluster, unless the object already exists,
 // in which case update is called to make changes to it. If update is nil, the
 // existing object is returned unmodified.
@@ -579,3 +676,10 @@ func nameForService(svc *corev1.Service) (string, error) {
 func isValidFirewallMode(m string) bool {
 	return m == "auto" || m == "nftables" || m == "iptables"
 }
+
+// shouldDoTailscaledDeclarativeConfig determines whether the proxy instance
+// should be configured to run tailscaled only with a all config opts passed to
+// tailscaled.
+func shouldDoTailscaledDeclarativeConfig(stsC *tailscaleSTSConfig) bool {
+	return stsC.Connector != nil
+}
--- a/cmd/k8s-operator/testutils_test.go
+++ b/cmd/k8s-operator/testutils_test.go
@@ -0,0 +1,411 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"net/netip"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
+	"tailscale.com/types/ptr"
+	"tailscale.com/util/mak"
+)
+
+// confgOpts contains configuration options for creating cluster resources for
+// Tailscale proxies.
+type configOpts struct {
+	stsName                    string
+	secretName                 string
+	hostname                   string
+	namespace                  string
+	parentType                 string
+	priorityClassName          string
+	firewallMode               string
+	tailnetTargetIP            string
+	tailnetTargetFQDN          string
+	clusterTargetIP            string
+	subnetRoutes               string
+	isExitNode                 bool
+	shouldUseDeclarativeConfig bool // tailscaled in proxy should be configured using config file
+	confFileHash               string
+}
+
+func expectedSTS(opts configOpts) *appsv1.StatefulSet {
+	tsContainer := corev1.Container{
+		Name:  "tailscale",
+		Image: "tailscale/tailscale",
+		Env: []corev1.EnvVar{
+			{Name: "TS_USERSPACE", Value: "false"},
+			{Name: "TS_AUTH_ONCE", Value: "true"},
+			{Name: "TS_KUBE_SECRET", Value: opts.secretName},
+		},
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"NET_ADMIN"},
+			},
+		},
+		ImagePullPolicy: "Always",
+	}
+	annots := make(map[string]string)
+	var volumes []corev1.Volume
+	if opts.shouldUseDeclarativeConfig {
+		volumes = []corev1.Volume{
+			{
+				Name: "tailscaledconfig",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: opts.secretName,
+						Items: []corev1.KeyToPath{
+							{
+								Key:  "tailscaled",
+								Path: "tailscaled",
+							},
+						},
+					},
+				},
+			},
+		}
+		tsContainer.VolumeMounts = []corev1.VolumeMount{{
+			Name:      "tailscaledconfig",
+			ReadOnly:  true,
+			MountPath: "/etc/tsconfig",
+		}}
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "EXPERIMENTAL_TS_CONFIGFILE_PATH",
+			Value: "/etc/tsconfig/tailscaled",
+		})
+		annots["tailscale.com/operator-last-set-config-file-hash"] = opts.confFileHash
+	} else {
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{Name: "TS_HOSTNAME", Value: opts.hostname})
+		annots["tailscale.com/operator-last-set-hostname"] = opts.hostname
+	}
+	if opts.firewallMode != "" {
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_DEBUG_FIREWALL_MODE",
+			Value: opts.firewallMode,
+		})
+	}
+	if opts.tailnetTargetIP != "" {
+		annots["tailscale.com/operator-last-set-ts-tailnet-target-ip"] = opts.tailnetTargetIP
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_TAILNET_TARGET_IP",
+			Value: opts.tailnetTargetIP,
+		})
+	} else if opts.tailnetTargetFQDN != "" {
+		annots["tailscale.com/operator-last-set-ts-tailnet-target-fqdn"] = opts.tailnetTargetFQDN
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_TAILNET_TARGET_FQDN",
+			Value: opts.tailnetTargetFQDN,
+		})
+
+	} else if opts.clusterTargetIP != "" {
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_DEST_IP",
+			Value: opts.clusterTargetIP,
+		})
+		annots["tailscale.com/operator-last-set-cluster-ip"] = opts.clusterTargetIP
+	}
+	return &appsv1.StatefulSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "StatefulSet",
+			APIVersion: "apps/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      opts.stsName,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   opts.namespace,
+				"tailscale.com/parent-resource-type": opts.parentType,
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: ptr.To[int32](1),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "1234-UID"},
+			},
+			ServiceName: opts.stsName,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations:                annots,
+					DeletionGracePeriodSeconds: ptr.To[int64](10),
+					Labels:                     map[string]string{"app": "1234-UID"},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "proxies",
+					PriorityClassName:  opts.priorityClassName,
+					InitContainers: []corev1.Container{
+						{
+							Name:    "sysctler",
+							Image:   "tailscale/tailscale",
+							Command: []string{"/bin/sh"},
+							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: ptr.To(true),
+							},
+						},
+					},
+					Containers: []corev1.Container{tsContainer},
+					Volumes:    volumes,
+				},
+			},
+		},
+	}
+}
+
+func expectedHeadlessService(name string) *corev1.Service {
+	return &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:         name,
+			GenerateName: "ts-test-",
+			Namespace:    "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "default",
+				"tailscale.com/parent-resource-type": "svc",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: map[string]string{
+				"app": "1234-UID",
+			},
+			ClusterIP: "None",
+		},
+	}
+}
+
+func expectedSecret(t *testing.T, opts configOpts) *corev1.Secret {
+	t.Helper()
+	labels := map[string]string{
+		"tailscale.com/managed":              "true",
+		"tailscale.com/parent-resource":      "test",
+		"tailscale.com/parent-resource-type": opts.parentType,
+	}
+	s := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Secret",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      opts.secretName,
+			Namespace: "operator-ns",
+		},
+	}
+	if !opts.shouldUseDeclarativeConfig {
+		mak.Set(&s.StringData, "authkey", "secret-authkey")
+		labels["tailscale.com/parent-resource-ns"] = opts.namespace
+	} else {
+		conf := &ipn.ConfigVAlpha{
+			Version:   "alpha0",
+			AcceptDNS: "false",
+			Hostname:  &opts.hostname,
+			Locked:    "false",
+			AuthKey:   ptr.To("secret-authkey"),
+		}
+		var routes []netip.Prefix
+		if opts.subnetRoutes != "" || opts.isExitNode {
+			r := opts.subnetRoutes
+			if opts.isExitNode {
+				r = "0.0.0.0/0,::/0," + r
+			}
+			for _, rr := range strings.Split(r, ",") {
+				prefix, err := netip.ParsePrefix(rr)
+				if err != nil {
+					t.Fatal(err)
+				}
+				routes = append(routes, prefix)
+			}
+		}
+		conf.AdvertiseRoutes = routes
+		b, err := json.Marshal(conf)
+		if err != nil {
+			t.Fatalf("error marshalling tailscaled config")
+		}
+		mak.Set(&s.StringData, "tailscaled", string(b))
+		labels["tailscale.com/parent-resource-ns"] = "" // Connector is cluster scoped
+	}
+	s.Labels = labels
+	return s
+}
+
+func findGenName(t *testing.T, client client.Client, ns, name, typ string) (full, noSuffix string) {
+	t.Helper()
+	labels := map[string]string{
+		LabelManaged:         "true",
+		LabelParentName:      name,
+		LabelParentNamespace: ns,
+		LabelParentType:      typ,
+	}
+	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
+	if err != nil {
+		t.Fatalf("finding secret for %q: %v", name, err)
+	}
+	if s == nil {
+		t.Fatalf("no secret found for %q %s %+#v", name, ns, labels)
+	}
+	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
+}
+
+func mustCreate(t *testing.T, client client.Client, obj client.Object) {
+	t.Helper()
+	if err := client.Create(context.Background(), obj); err != nil {
+		t.Fatalf("creating %q: %v", obj.GetName(), err)
+	}
+}
+
+func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
+func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Status().Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
+func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
+	t.Helper()
+	got := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      want.GetName(),
+		Namespace: want.GetNamespace(),
+	}, got); err != nil {
+		t.Fatalf("getting %q: %v", want.GetName(), err)
+	}
+	// The resource version changes eagerly whenever the operator does even a
+	// no-op update. Asserting a specific value leads to overly brittle tests,
+	// so just remove it from both got and want.
+	got.SetResourceVersion("")
+	want.SetResourceVersion("")
+	if diff := cmp.Diff(got, want); diff != "" {
+		t.Fatalf("unexpected object (-got +want):\n%s", diff)
+	}
+}
+
+func expectMissing[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); !apierrors.IsNotFound(err) {
+		t.Fatalf("object %s/%s unexpectedly present, wanted missing", ns, name)
+	}
+}
+
+func expectReconciled(t *testing.T, sr reconcile.Reconciler, ns, name string) {
+	t.Helper()
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: ns,
+			Name:      name,
+		},
+	}
+	res, err := sr.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+	if res.Requeue {
+		t.Fatalf("unexpected immediate requeue")
+	}
+	if res.RequeueAfter != 0 {
+		t.Fatalf("unexpected timed requeue (%v)", res.RequeueAfter)
+	}
+}
+
+func expectRequeue(t *testing.T, sr reconcile.Reconciler, ns, name string) {
+	t.Helper()
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Name:      name,
+			Namespace: ns,
+		},
+	}
+	res, err := sr.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+	if res.RequeueAfter == 0 {
+		t.Fatalf("expected timed requeue, got success")
+	}
+}
+
+type fakeTSClient struct {
+	sync.Mutex
+	keyRequests []tailscale.KeyCapabilities
+	deleted     []string
+}
+
+func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error) {
+	c.Lock()
+	defer c.Unlock()
+	c.keyRequests = append(c.keyRequests, caps)
+	k := &tailscale.Key{
+		ID:           "key",
+		Created:      time.Now(),
+		Capabilities: caps,
+	}
+	return "secret-authkey", k, nil
+}
+
+func (c *fakeTSClient) DeleteDevice(ctx context.Context, deviceID string) error {
+	c.Lock()
+	defer c.Unlock()
+	c.deleted = append(c.deleted, deviceID)
+	return nil
+}
+
+func (c *fakeTSClient) KeyRequests() []tailscale.KeyCapabilities {
+	c.Lock()
+	defer c.Unlock()
+	return c.keyRequests
+}
+
+func (c *fakeTSClient) Deleted() []string {
+	c.Lock()
+	defer c.Unlock()
+	return c.deleted
+}
--- a/cmd/stund/depaware.txt
+++ b/cmd/stund/depaware.txt
@@ -0,0 +1,190 @@
+tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depaware)
+
+        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
+     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
+        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil
+        github.com/google/uuid                                       from tailscale.com/tsweb
+        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
+     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
+        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
+        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
+        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
+  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
+  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
+  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
+     💣 go4.org/mem                                                  from tailscale.com/metrics+
+        go4.org/netipx                                               from tailscale.com/net/tsaddr
+        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
+        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
+        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
+        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
+        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
+     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
+        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
+     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
+     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
+        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
+        tailscale.com                                                from tailscale.com/version
+        tailscale.com/envknob                                        from tailscale.com/tsweb+
+        tailscale.com/metrics                                        from tailscale.com/net/stunserver+
+        tailscale.com/net/netaddr                                    from tailscale.com/net/tsaddr
+        tailscale.com/net/stun                                       from tailscale.com/net/stunserver
+        tailscale.com/net/stunserver                                 from tailscale.com/cmd/stund
+        tailscale.com/net/tsaddr                                     from tailscale.com/tsweb
+        tailscale.com/tailcfg                                        from tailscale.com/version
+        tailscale.com/tsweb                                          from tailscale.com/cmd/stund
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
+        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
+        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
+        tailscale.com/types/ipproto                                  from tailscale.com/tailcfg
+        tailscale.com/types/key                                      from tailscale.com/tailcfg
+        tailscale.com/types/lazy                                     from tailscale.com/version+
+        tailscale.com/types/logger                                   from tailscale.com/tsweb
+        tailscale.com/types/opt                                      from tailscale.com/envknob+
+        tailscale.com/types/ptr                                      from tailscale.com/tailcfg
+        tailscale.com/types/structs                                  from tailscale.com/tailcfg+
+        tailscale.com/types/tkatype                                  from tailscale.com/tailcfg+
+        tailscale.com/types/views                                    from tailscale.com/net/tsaddr+
+        tailscale.com/util/cmpx                                      from tailscale.com/tailcfg+
+   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
+        tailscale.com/util/dnsname                                   from tailscale.com/tailcfg
+        tailscale.com/util/lineread                                  from tailscale.com/version/distro
+        tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
+        tailscale.com/util/slicesx                                   from tailscale.com/tailcfg
+        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
+        tailscale.com/version                                        from tailscale.com/envknob+
+        tailscale.com/version/distro                                 from tailscale.com/envknob
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/net/dns/dnsmessage                              from net
+        golang.org/x/net/http/httpguts                               from net/http
+        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+   D    golang.org/x/net/route                                       from net
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/prometheus/procfs+
+   W    golang.org/x/sys/windows                                     from github.com/prometheus/client_golang/prometheus
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        bufio                                                        from compress/flate+
+        bytes                                                        from bufio+
+        cmp                                                          from slices
+        compress/flate                                               from compress/gzip
+        compress/gzip                                                from github.com/golang/protobuf/proto+
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdh+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509
+        crypto/ecdh                                                  from crypto/ecdsa+
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from net/http+
+        crypto/x509                                                  from crypto/tls
+        crypto/x509/pkix                                             from crypto/x509
+        database/sql/driver                                          from github.com/google/uuid
+        embed                                                        from crypto/internal/nistec+
+        encoding                                                     from encoding/json+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        errors                                                       from bufio+
+        expvar                                                       from github.com/prometheus/client_golang/prometheus+
+        flag                                                         from tailscale.com/cmd/stund
+        fmt                                                          from compress/flate+
+        go/token                                                     from google.golang.org/protobuf/internal/strs
+        hash                                                         from crypto+
+        hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
+        hash/maphash                                                 from go4.org/mem
+        html                                                         from net/http/pprof+
+        io                                                           from bufio+
+        io/fs                                                        from crypto/x509+
+        io/ioutil                                                    from github.com/golang/protobuf/proto+
+        log                                                          from expvar+
+        log/internal                                                 from log
+        maps                                                         from tailscale.com/tailcfg+
+        math                                                         from compress/flate+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from math/big+
+        mime                                                         from github.com/prometheus/common/expfmt+
+        mime/multipart                                               from net/http
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptrace                                           from net/http
+        net/http/internal                                            from net/http
+        net/http/pprof                                               from tailscale.com/tsweb+
+        net/netip                                                    from go4.org/netipx+
+        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/signal                                                    from tailscale.com/cmd/stund
+        path                                                         from github.com/prometheus/client_golang/prometheus/internal+
+        path/filepath                                                from crypto/x509+
+        reflect                                                      from crypto/x509+
+        regexp                                                       from github.com/prometheus/client_golang/prometheus/internal+
+        regexp/syntax                                                from regexp
+        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
+        runtime/pprof                                                from net/http/pprof
+        runtime/trace                                                from net/http/pprof
+        slices                                                       from tailscale.com/metrics+
+        sort                                                         from compress/flate+
+        strconv                                                      from compress/flate+
+        strings                                                      from bufio+
+        sync                                                         from compress/flate+
+        sync/atomic                                                  from context+
+        syscall                                                      from crypto/rand+
+        text/tabwriter                                               from runtime/pprof
+        time                                                         from compress/gzip+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from crypto/x509+
+        unicode/utf8                                                 from bufio+
--- a/cmd/stund/stund.go
+++ b/cmd/stund/stund.go
@@ -0,0 +1,48 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// The stund binary is a standalone STUN server.
+package main
+
+import (
+	"context"
+	"flag"
+	"io"
+	"log"
+	"net/http"
+	"os/signal"
+	"syscall"
+
+	"tailscale.com/net/stunserver"
+	"tailscale.com/tsweb"
+)
+
+var (
+	stunAddr = flag.String("stun", ":3478", "UDP address on which to start the STUN server")
+	httpAddr = flag.String("http", ":3479", "address on which to start the debug http server")
+)
+
+func main() {
+	flag.Parse()
+
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	log.Printf("HTTP server listening on %s", *httpAddr)
+	go http.ListenAndServe(*httpAddr, mux())
+
+	s := stunserver.New(ctx)
+	if err := s.ListenAndServe(*stunAddr); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func mux() *http.ServeMux {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		io.WriteString(w, "<h1>stund</h1><a href=/debug>/debug</a>")
+	})
+	debug := tsweb.Debugger(mux)
+	debug.KV("stun_addr", *stunAddr)
+	return mux
+}
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -718,6 +718,24 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "via_route_good_16_bit",
+			goos: "linux",
+			args: upArgsT{
+				advertiseRoutes: "fd7a:115c:a1e0:b1a::aabb:10.0.0.0/112",
+				netfilterMode:   "off",
+			},
+			want: &ipn.Prefs{
+				WantRunning: true,
+				NoSNAT:      true,
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::aabb:10.0.0.0/112"),
+				},
+				AutoUpdate: ipn.AutoUpdatePrefs{
+					Check: true,
+				},
+			},
+		},
 		{
 			name: "via_route_short_prefix",
 			goos: "linux",
@@ -734,7 +752,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				advertiseRoutes: "fd7a:115c:a1e0:b1a:1234:5678::/112",
 				netfilterMode:   "off",
 			},
-			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xff or less",
+			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xffff or less",
 		},
 	}
 	for _, tt := range tests {
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -274,6 +274,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      runPeerEndpointChanges,
 			ShortHelp: "prints debug information about a peer's endpoint changes",
 		},
+		{
+			Name:      "dial-types",
+			Exec:      runDebugDialTypes,
+			ShortHelp: "prints debug information about connecting to a given host or IP",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("dial-types")
+				fs.StringVar(&debugDialTypesArgs.network, "network", "tcp", `network type to dial ("tcp", "udp", etc.)`)
+				return fs
+			})(),
+		},
 	},
 }

@@ -683,8 +693,8 @@ func runVia(ctx context.Context, args []string) error {
 		if err != nil {
 			return fmt.Errorf("invalid site-id %q; must be decimal or hex with 0x prefix", args[0])
 		}
-		if siteID > 0xff {
-			return fmt.Errorf("site-id values over 255 are currently reserved")
+		if siteID > 0xffff {
+			return fmt.Errorf("site-id values over 65535 are currently reserved")
 		}
 		ipp, err := netip.ParsePrefix(args[1])
 		if err != nil {
@@ -1015,3 +1025,61 @@ func debugControlKnobs(ctx context.Context, args []string) error {
 	e.Encode(v)
 	return nil
 }
+
+var debugDialTypesArgs struct {
+	network string
+}
+
+func runDebugDialTypes(ctx context.Context, args []string) error {
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		printf("%s\n", description)
+		os.Exit(1)
+	}
+
+	if len(args) != 2 || args[0] == "" || args[1] == "" {
+		return errors.New("usage: dial-types <hostname-or-IP> <port>")
+	}
+
+	port, err := strconv.ParseUint(args[1], 10, 16)
+	if err != nil {
+		return fmt.Errorf("invalid port %q: %w", args[1], err)
+	}
+
+	hostOrIP := args[0]
+	ip, _, err := tailscaleIPFromArg(ctx, hostOrIP)
+	if err != nil {
+		return err
+	}
+	if ip != hostOrIP {
+		log.Printf("lookup %q => %q", hostOrIP, ip)
+	}
+
+	qparams := make(url.Values)
+	qparams.Set("ip", ip)
+	qparams.Set("port", strconv.FormatUint(port, 10))
+	qparams.Set("network", debugDialTypesArgs.network)
+
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/debug-dial-types?"+qparams.Encode(), nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := localClient.DoLocalRequest(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("%s", body)
+	return nil
+}
--- a/cmd/tailscale/cli/set.go
+++ b/cmd/tailscale/cli/set.go
@@ -12,6 +12,7 @@ import (
 	"os/exec"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/web"
 	"tailscale.com/clientupdate"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netutil"
@@ -193,7 +194,15 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 	}

 	_, err = localClient.EditPrefs(ctx, maskedPrefs)
-	return err
+	if err != nil {
+		return err
+	}
+
+	if setArgs.runWebClient && len(st.TailscaleIPs) > 0 {
+		printf("\nWeb interface now running at %s:%d", st.TailscaleIPs[0], web.ListenPort)
+	}
+
+	return nil
 }

 // calcAdvertiseRoutesForSet returns the new value for Prefs.AdvertiseRoutes based on the
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -19,8 +19,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/google/uuid                                       from tailscale.com/util/quarantine+
-        github.com/gorilla/csrf                                      from tailscale.com/client/web
-        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
+        github.com/gorilla/securecookie                              from github.com/tailscale/csrf
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
@@ -38,10 +37,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
        github.com/peterbourgon/ff/v3/internal                       from github.com/peterbourgon/ff/v3
-        github.com/pkg/errors                                        from github.com/gorilla/csrf
        github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
        github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
        github.com/skip2/go-qrcode/reedsolomon                       from github.com/skip2/go-qrcode
+        github.com/tailscale/csrf                                    from tailscale.com/client/web
   W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
   W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
@@ -157,6 +156,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache+
        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
+        tailscale.com/util/syspolicy                                 from tailscale.com/ipn
        tailscale.com/util/testenv                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/truncate                                  from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/vizerror                                  from tailscale.com/types/ipproto+
@@ -259,8 +259,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
        hash/maphash                                                 from go4.org/mem
-        html                                                         from tailscale.com/ipn/ipnstate+
-        html/template                                                from github.com/gorilla/csrf
+        html                                                         from tailscale.com/ipn/ipnstate
        image                                                        from github.com/skip2/go-qrcode+
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
@@ -290,12 +289,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        os/exec                                                      from github.com/toqueteos/webbrowser+
        os/signal                                                    from tailscale.com/cmd/tailscale/cli
        os/user                                                      from tailscale.com/util/groupmember+
-        path                                                         from html/template+
+        path                                                         from archive/tar+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/tailscale/goupnp/httpu+
        regexp/syntax                                                from regexp
        runtime/debug                                                from tailscale.com/util/singleflight+
+        runtime/trace                                                from testing
        slices                                                       from tailscale.com/cmd/tailscale/cli+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
@@ -303,9 +303,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        sync                                                         from compress/flate+
        sync/atomic                                                  from context+
        syscall                                                      from crypto/rand+
+        testing                                                      from tailscale.com/util/syspolicy
        text/tabwriter                                               from github.com/peterbourgon/ff/v3/ffcli+
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
        unicode/utf16                                                from encoding/asn1+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -95,8 +95,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/google/uuid                                       from tailscale.com/clientupdate
-        github.com/gorilla/csrf                                      from tailscale.com/client/web
-        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
+        github.com/gorilla/securecookie                              from github.com/tailscale/csrf
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
   L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
@@ -130,11 +129,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
   L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
   L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
-        github.com/pkg/errors                                        from github.com/gorilla/csrf
  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
   L 💣 github.com/safchain/ethtool                                  from tailscale.com/net/netkernelconf
   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+        github.com/tailscale/csrf                                    from tailscale.com/client/web
   W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
   W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
@@ -494,7 +493,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
        html                                                         from tailscale.com/ipn/ipnlocal+
-        html/template                                                from github.com/gorilla/csrf
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from github.com/godbus/dbus/v5+
@@ -540,8 +538,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        syscall                                                      from crypto/rand+
        testing                                                      from tailscale.com/util/syspolicy
        text/tabwriter                                               from runtime/pprof
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
        unicode/utf16                                                from crypto/x509+
--- a/cmd/tailscaled/taildrop.go
+++ b/cmd/tailscaled/taildrop.go
@@ -27,7 +27,6 @@ func configureTaildrop(logf logger.Logf, lb *ipnlocal.LocalBackend) {
 		} else {
 			logf("%s Taildrop: using %v", dg, path)
 			lb.SetDirectFileRoot(path)
-			lb.SetDirectFileDoFinalRename(true)
 		}
 	}

--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -511,7 +511,13 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 			return ok
 		}
 		dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
-			return ns.DialContextTCP(ctx, dst)
+			// Note: don't just return ns.DialContextTCP or we'll
+			// return an interface containing a nil pointer.
+			tcpConn, err := ns.DialContextTCP(ctx, dst)
+			if err != nil {
+				return nil, err
+			}
+			return tcpConn, nil
 		}
 	}
 	if socksListener != nil || httpProxyListener != nil {
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -1044,7 +1044,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap

 		var resp tailcfg.MapResponse
 		if err := c.decodeMsg(msg, &resp, machinePrivKey); err != nil {
-			vlogf("netmap: decode error: %v")
+			vlogf("netmap: decode error: %v", err)
 			return err
 		}
 		watchdogTimer.Stop()
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -87,6 +87,7 @@ type mapSession struct {
 	lastPopBrowserURL      string
 	lastTKAInfo            *tailcfg.TKAInfo
 	lastNetmapSummary      string // from NetworkMap.VeryConcise
+	lastMaxExpiry          time.Duration
 }

 // newMapSession returns a mostly unconfigured new mapSession.
@@ -319,6 +320,9 @@ func (ms *mapSession) updateStateFromResponse(resp *tailcfg.MapResponse) {
 	if resp.TKAInfo != nil {
 		ms.lastTKAInfo = resp.TKAInfo
 	}
+	if resp.MaxKeyDuration > 0 {
+		ms.lastMaxExpiry = resp.MaxKeyDuration
+	}
 }

 var (
@@ -763,6 +767,7 @@ func (ms *mapSession) netmap() *netmap.NetworkMap {
 		DERPMap:           ms.lastDERPMap,
 		ControlHealth:     ms.lastHealth,
 		TKAEnabled:        ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
+		MaxKeyDuration:    ms.lastMaxExpiry,
 	}

 	if ms.lastTKAInfo != nil && ms.lastTKAInfo.Head != "" {
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -64,6 +64,11 @@ type Knobs struct {
 	// LinuxForceNfTables is whether the node should use nftables for Linux
 	// netfiltering, unless overridden by the user.
 	LinuxForceNfTables atomic.Bool
+
+	// SeamlessKeyRenewal is whether to enable the alpha functionality of
+	// renewing node keys without breaking connections.
+	// http://go/seamless-key-renewal
+	SeamlessKeyRenewal atomic.Bool
 }

 // UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@@ -89,6 +94,7 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 		silentDisco                   = has(tailcfg.NodeAttrSilentDisco)
 		forceIPTables                 = has(tailcfg.NodeAttrLinuxMustUseIPTables)
 		forceNfTables                 = has(tailcfg.NodeAttrLinuxMustUseNfTables)
+		seamlessKeyRenewal            = has(tailcfg.NodeAttrSeamlessKeyRenewal)
 	)

 	if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -109,6 +115,7 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 	k.SilentDisco.Store(silentDisco)
 	k.LinuxForceIPTables.Store(forceIPTables)
 	k.LinuxForceNfTables.Store(forceNfTables)
+	k.SeamlessKeyRenewal.Store(seamlessKeyRenewal)
 }

 // AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -130,5 +137,6 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 		"SilentDisco":                   k.SilentDisco.Load(),
 		"LinuxForceIPTables":            k.LinuxForceIPTables.Load(),
 		"LinuxForceNfTables":            k.LinuxForceNfTables.Load(),
+		"SeamlessKeyRenewal":            k.SeamlessKeyRenewal.Load(),
 	}
 }
--- a/docs/windows/policy/en-US/tailscale.adml
+++ b/docs/windows/policy/en-US/tailscale.adml
@@ -0,0 +1,222 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policyDefinitionResources revision="1.0" schemaVersion="1.0"
+                           xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
+    <displayName>Tailscale</displayName>
+    <description>A set of policies that enforces particular settings in the Tailscale Windows client.</description>
+    <resources>
+        <stringTable>
+            <string id="TAILSCALE_PRODUCT">Tailscale</string>
+            <string id="SINCE_V1_22">Tailscale version 1.22.0 and later</string>
+            <string id="SINCE_V1_26">Tailscale version 1.26.0 and later</string>
+            <string id="SINCE_V1_50">Tailscale version 1.50.0 and later</string>
+            <string id="SINCE_V1_52">Tailscale version 1.52.0 and later</string>
+            <string id="SINCE_V1_56">Tailscale version 1.56.0 and later</string>
+            <string id="PARTIAL_FULL_SINCE_V1_56">Tailscale version 1.56.0 and later (full support), some earlier versions (partial support)</string>
+            <string id="SINCE_V1_58">Tailscale version 1.58.0 and later</string>
+            <string id="Tailscale_Category">Tailscale</string>
+            <string id="UI_Category">UI customization</string>
+            <string id="Settings_Category">Settings</string>
+            <string id="LoginURL">Require using a specific Tailscale coordination server</string>
+            <string id="LoginURL_Help"><![CDATA[This policy can be used to require the use of a particular Tailscale coordination server.
+See https://tailscale.com/kb/1315/mdm-keys#set-a-custom-control-server-url for more details.
+
+If you configure this policy, set it to the URL of your coordination server, beginning with https:// and ending with no trailing slash. If blank or "https://controlplane.tailscale.com", the default coordination server will be required.
+
+If you disable this policy, the Tailscale SaaS coordination server will be used by default, but a non-standard Tailscale coordination server can be configured using the CLI.]]></string>
+            <string id="LogTarget">Require using a specific Tailscale log server</string>
+            <string id="LogTarget_Help"><![CDATA[This policy can be used to require the use of a non-standard log server.
+Please note that using a non-standard log server will limit Tailscale Support's ability to diagnose problems.
+
+If you configure this policy, set it to the URL of your log server, beginning with https:// and ending with no trailing slash. If blank or "https://log.tailscale.io", the default log server will be used.
+
+If you disable this policy, the Tailscale standard log server will be used by default, but a non-standard Tailscale log server can be configured using the TS_LOG_TARGET environment variable.]]></string>
+            <string id="Tailnet">Specify which Tailnet should be used for Login</string>
+            <string id="Tailnet_Help"><![CDATA[This policy can be used to suggest or require a specific tailnet when opening the login page.
+See https://tailscale.com/kb/1315/mdm-keys#set-a-suggested-or-required-tailnet for more details.
+
+To suggest a tailnet at login time, set this to the name of the tailnet, as shown in the top-left of the admin panel, such as "example.com". That tailnet's SSO button will be shown prominently, along with the option to select a different tailnet.
+
+To require logging in to a particular tailnet, add the "required:" prefix, such as "required:example.com". The result is similar to the suggested tailnet but there will be no option to choose a different tailnet.
+
+If you configure this policy, set it to the name of the tailnet, possibly with the "required:" prefix, as described above.
+
+If you disable this policy, the standard login page will be used.]]></string>
+            <string id="ExitNodeID">Require using a specific Exit Node</string>
+            <string id="ExitNodeID_Help"><![CDATA[This policy can be used to require always using the specified Exit Node whenever the Tailscale client is connected.
+See https://tailscale.com/kb/1315/mdm-keys#force-an-exit-node-to-always-be-used and https://tailscale.com/kb/1103/exit-nodes for more details.
+
+If you enable this policy, set it to the ID of an exit node. The ID is visible on the Machines page of the admin console, or can be queried using the Tailscale API. If the specified exit node is unavailable, this device will have no Internet access unless Tailscale is disconnected.
+
+If you disable this policy or supply an empty exit node ID, then usage of exit nodes will be disallowed.
+
+If you do not configure this policy, no exit node will be used by default but an exit node (if one is available and permitted by ACLs) can be chosen by the user if desired.]]></string>
+            <string id="AllowIncomingConnections">Allow incoming connections</string>
+            <string id="AllowIncomingConnections_Help"><![CDATA[This policy can be used to require that the Allow Incoming Connections setting is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#set-whether-to-allow-incoming-connections and https://tailscale.com/kb/1072/client-preferences#allow-incoming-connections for more details.
+
+If you enable this policy, then Allow Incoming Connections is always enabled and the menu option is hidden.
+
+If you disable this policy, then Allow Incoming Connections is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Allow Incoming Connections depends on what is selected in the Preferences submenu.]]></string>
+            <string id="UnattendedMode">Run Tailscale in Unattended Mode</string>
+            <string id="UnattendedMode_Help"><![CDATA[This policy can be used to require that the Run Unattended setting is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#set-unattended-mode and https://tailscale.com/kb/1088/run-unattended for more details.
+
+If you enable this policy, then Run Unattended is always enabled and the menu option is hidden.
+
+If you disable this policy, then Run Unattended is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Run Unattended depends on what is selected in the Preferences submenu.]]></string>
+            <string id="ExitNodeAllowLANAccess">Allow Local Network Access when an Exit Node is in use</string>
+            <string id="ExitNodeAllowLANAccess_Help"><![CDATA[This policy can be used to require that the Allow Local Network Access setting is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#toggle-local-network-access-when-an-exit-node-is-in-use and https://tailscale.com/kb/1103/exit-nodes#step-4-use-the-exit-node for more details.
+
+If you enable this policy, then Allow Local Network Access is always enabled and the menu option is hidden.
+
+If you disable this policy, then Allow Local Network Access is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Allow Local Network Access depends on what is selected in the Exit Node submenu.]]></string>
+            <string id="UseTailscaleDNSSettings">Use Tailscale DNS Settings</string>
+            <string id="UseTailscaleDNSSettings_Help"><![CDATA[This policy can be used to require that Use Tailscale DNS is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#set-whether-the-device-uses-tailscale-dns-settings for more details.
+
+If you enable this policy, then Use Tailscale DNS is always enabled and the menu option is hidden.
+
+If you disable this policy, then Use Tailscale DNS is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Use Tailscale DNS depends on what is selected in the Preferences submenu.]]></string>
+            <string id="UseTailscaleSubnets">Use Tailscale Subnets</string>
+            <string id="UseTailscaleSubnets_Help"><![CDATA[This policy can be used to require that Use Tailscale Subnets is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#set-whether-the-device-accepts-tailscale-subnets or https://tailscale.com/kb/1019/subnets for more details.
+
+If you enable this policy, then Use Tailscale Subnets is always enabled and the menu option is hidden.
+
+If you disable this policy, then Use Tailscale Subnets is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Use Tailscale Subnets depends on what is selected in the Preferences submenu.]]></string>
+            <string id="InstallUpdates">Automatically install updates</string>
+            <string id="InstallUpdates_Help"><![CDATA[This policy can be used to require that Automatically Install Updates is configured a certain way.
+See https://tailscale.com/kb/1067/update#auto-updates for more details.
+
+If you enable this policy, then Automatically Install Updates is always enabled and the menu option is hidden.
+
+If you disable this policy, then Automatically Install Updates is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Automatically Install Updates depends on what is selected in the Preferences submenu.]]></string>
+            <string id="AdvertiseExitNode">Run Tailscale as an Exit Node</string>
+            <string id="AdvertiseExitNode_Help"><![CDATA[This policy can be used to require that Run Exit Node is configured a certain way.
+See https://tailscale.com/kb/1103/exit-nodes for more details.
+
+If you enable this policy, then Run Exit Node is always enabled and the menu option is hidden.
+
+If you disable this policy, then Run Exit Node is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Run Exit Node depends on what is selected in the Exit Node submenu.]]></string>
+            <string id="AdminPanel">Show the "Admin Panel" menu item</string>
+            <string id="AdminPanel_Help"><![CDATA[This policy can be used to show or hide the Admin Console item in the Tailscale Menu.
+
+If you enable or don't configure this policy, the Admin Console item will be shown in the Tailscale menu when available.
+
+If you disable this policy, the Admin Console item will always be hidden from the Tailscale menu.]]></string>
+            <string id="NetworkDevices">Show the "Network Devices" submenu</string>
+            <string id="NetworkDevices_Help"><![CDATA[This policy can be used to show or hide the Network Devices submenu in the Tailscale Menu.
+
+If you enable or don't configure this policy, the Network Devices submenu will be shown in the Tailscale menu.
+
+If you disable this policy, the Network Devices submenu will be hidden from the Tailscale menu. This does not affect other devices' visibility in the CLI.]]></string>
+            <string id="TestMenu">Show the "Debug" submenu</string>
+            <string id="TestMenu_Help"><![CDATA[This policy can be used to show or hide the Debug submenu of the Tailscale menu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-debug-menu for more details.
+
+If you enable or don't configure this policy, the Debug submenu will be shown in the Tailscale menu when opened while holding Ctrl.
+
+If you disable this policy, the Debug submenu will be hidden from the Tailscale menu.]]></string>
+            <string id="UpdateMenu">Show the "Update Available" menu item</string>
+            <string id="UpdateMenu_Help"><![CDATA[This policy can be used to show or hide the Update Available item in the Tailscale Menu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-update-menu for more details.
+
+If you enable or don't configure this policy, the Update Available item will be shown in the Tailscale menu when there is an update.
+
+If you disable this policy, the Update Available item will be hidden from the Tailscale menu.]]></string>
+            <string id="RunExitNode">Show the "Run Exit Node" menu item</string>
+            <string id="RunExitNode_Help"><![CDATA[This policy can be used to show or hide the Run Exit Node item in the Exit Node submenu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-run-as-exit-node-menu-item for more details.
+This does not affect using the CLI to enable or disable advertising an exit node. If you wish to enable or disable this feature, see the Run Exit Node policy in the Settings category.
+
+If you enable or don't configure this policy, the Run Exit Node item will be shown in the Exit Node submenu.
+
+If you disable this policy, the Run Exit Node item will be hidden from the Exit Node submenu.]]></string>
+            <string id="PreferencesMenu">Show the "Preferences" submenu</string>
+            <string id="PreferencesMenu_Help"><![CDATA[This policy can be used to show or hide the Preferences submenu of the Tailscale menu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-preferences-menu for more details.
+This does not affect using the CLI to modify that menu's preferences. If you wish to control those, look at the policies in the Settings category.
+
+If you enable or don't configure this policy, the Preferences submenu will be shown in the Tailscale menu.
+
+If you disable this policy, the Preferences submenu will be hidden from the Tailscale menu.]]></string>
+            <string id="ExitNodesPicker">Show the "Exit Node" submenu</string>
+            <string id="ExitNodesPicker_Help"><![CDATA[This policy can be used to show or hide the Exit Node submenu of the Tailscale menu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-exit-node-picker for more details.
+This does not affect using the CLI to select or stop using an exit node. If you wish to control exit node usage, look at the "Require using a specific Exit Node" policy in the Settings category.
+
+If you enable or don't configure this policy, the Exit Node submenu will be shown in the Tailscale menu.
+
+If you disable this policy, the Exit Node submenu will be hidden from the Tailscale menu.]]></string>
+            <string id="KeyExpirationNoticeTime">Specify a custom key expiration notification time</string>
+            <string id="KeyExpirationNoticeTime_Help"><![CDATA[This policy can be used to configure how soon the notification appears before key expiry.
+See https://tailscale.com/kb/1315/mdm-keys#set-the-key-expiration-notice-period for more details.
+
+Time intervals must be specified as a Go Duration: for example, 24h, 5h25m30s. Time units larger than hours are unsupported.
+
+If you enable this policy and supply a valid time interval, the key expiry notification will begin to display when the current key has less than that amount of time remaining.
+
+If you disable or don't configure this policy, the default time period will be used (as of Tailscale 1.56, this is 24 hours).]]></string>
+            <string id="LogSCMInteractions">Log extra details about service events</string>
+            <string id="LogSCMInteractions_Help"><![CDATA[This policy can be used to enable additional logging related to Service Control Manager for debugging purposes.
+This should only be enabled if recommended by Tailscale Support.
+
+If you enable this policy, additional logging will be enabled for SCM events.
+
+If you disable or don't configure this policy, the normal amount of logging occurs.]]></string>
+            <string id="FlushDNSOnSessionUnlock">Flush the DNS cache on session unlock</string>
+            <string id="FlushDNSOnSessionUnlock_Help"><![CDATA[This policy can be used to enable additional DNS cache flushing for debugging purposes.
+This should only be enabled if recommended by Tailscale Support.
+
+If you enable this policy, the DNS cache will be flushed on session unlock in addition to when the DNS cache would normally be flushed.
+
+If you disable or don't configure this policy, the DNS cache is managed normally.]]></string>
+            <string id="PostureChecking">Collect data for posture checking</string>
+            <string id="PostureChecking_Help"><![CDATA[This policy can be used to require that the Posture Checking setting is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#enable-gathering-device-posture-data and https://tailscale.com/kb/1326/device-identity for more details.
+
+If you enable this policy, then data collection is always enabled.
+
+If you disable this policy, then data collection is always disabled.
+
+If you do not configure this policy, then data collection depends on if it has been enabled from the CLI (as of Tailscale 1.56), it may be present in the GUI in later versions.]]></string>
+        </stringTable>
+        <presentationTable>
+            <presentation id="LoginURL">
+                <textBox refId="LoginURLPrompt">
+                    <label>Coordination server</label>
+                </textBox>
+            </presentation>
+            <presentation id="LogTarget">
+                <textBox refId="LogTargetPrompt">
+                    <label>Log server</label>
+                </textBox>
+            </presentation>
+            <presentation id="Tailnet">
+                <textBox refId="TailnetPrompt">
+                    <label>Tailnet</label>
+                </textBox>
+            </presentation>
+            <presentation id="ExitNodeID">
+                <textBox refId="ExitNodeIDPrompt">
+                    <label>Exit Node</label>
+                </textBox>
+            </presentation>
+        </presentationTable>
+    </resources>
+</policyDefinitionResources>
--- a/docs/windows/policy/tailscale.admx
+++ b/docs/windows/policy/tailscale.admx
@@ -0,0 +1,256 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyDefinitions revision="1.0" schemaVersion="1.0"
+                   xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
+  <policyNamespaces>
+    <target prefix="tailscale" namespace="Tailscale.Policies" />
+  </policyNamespaces>
+  <resources minRequiredRevision="1.0" />
+
+  <supportedOn>
+    <products>
+      <product name="TAILSCALE_PRODUCT" displayName="$(string.TAILSCALE_PRODUCT)">
+        <majorVersion name="TAILSCALE_V1" displayName="$(string.TAILSCALE_PRODUCT)" versionIndex="1" />
+      </product>
+    </products>
+
+    <definitions>
+      <definition name="SINCE_V1_22"
+                  displayName="$(string.SINCE_V1_22)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_26"
+                  displayName="$(string.SINCE_V1_26)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_50"
+                  displayName="$(string.SINCE_V1_50)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_52"
+                  displayName="$(string.SINCE_V1_52)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="PARTIAL_FULL_SINCE_V1_56"
+                  displayName="$(string.PARTIAL_FULL_SINCE_V1_56)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_56"
+                  displayName="$(string.SINCE_V1_56)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_58"
+                  displayName="$(string.SINCE_V1_58)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+    </definitions>
+  </supportedOn>
+  <categories>
+    <category name="Top_Category" displayName="$(string.Tailscale_Category)" />
+    <category name="UI_Category" displayName="$(string.UI_Category)">
+      <parentCategory ref="Top_Category" />
+    </category>
+    <category name="Settings_Category" displayName="$(string.Settings_Category)">
+      <parentCategory ref="Top_Category" />
+    </category>
+  </categories>
+  <policies>
+    <policy name="LoginURL" class="Machine" displayName="$(string.LoginURL)" explainText="$(string.LoginURL_Help)" presentation="$(presentation.LoginURL)" key="Software\Policies\Tailscale">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <elements>
+        <text id="LoginURLPrompt" valueName="LoginURL" required="true" />
+      </elements>
+    </policy>
+    <policy name="LogTarget" class="Machine" displayName="$(string.LogTarget)" explainText="$(string.LogTarget_Help)" presentation="$(presentation.LogTarget)" key="Software\Policies\Tailscale">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="SINCE_V1_58" />
+      <elements>
+        <text id="LogTargetPrompt" valueName="LogTarget" required="true" />
+      </elements>
+    </policy>
+    <policy name="Tailnet" class="Machine" displayName="$(string.Tailnet)" explainText="$(string.Tailnet_Help)" presentation="$(presentation.Tailnet)" key="Software\Policies\Tailscale">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="SINCE_V1_52" />
+      <elements>
+        <text id="TailnetPrompt" valueName="Tailnet" required="true" />
+      </elements>
+    </policy>
+    <policy name="ExitNodeID" class="Machine" displayName="$(string.ExitNodeID)" explainText="$(string.ExitNodeID_Help)" presentation="$(presentation.ExitNodeID)" key="Software\Policies\Tailscale">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="SINCE_V1_56" />
+      <elements>
+        <text id="ExitNodeIDPrompt" valueName="ExitNodeID" required="true" />
+      </elements>
+    </policy>
+    <policy name="AllowIncomingConnections" class="Machine" displayName="$(string.AllowIncomingConnections)" explainText="$(string.AllowIncomingConnections_Help)" key="Software\Policies\Tailscale" valueName="AllowIncomingConnections">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="UnattendedMode" class="Machine" displayName="$(string.UnattendedMode)" explainText="$(string.UnattendedMode_Help)" key="Software\Policies\Tailscale" valueName="UnattendedMode">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="ExitNodeAllowLANAccess" class="Machine" displayName="$(string.ExitNodeAllowLANAccess)" explainText="$(string.ExitNodeAllowLANAccess_Help)" key="Software\Policies\Tailscale" valueName="ExitNodeAllowLANAccess">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="UseTailscaleDNSSettings" class="Machine" displayName="$(string.UseTailscaleDNSSettings)" explainText="$(string.UseTailscaleDNSSettings_Help)" key="Software\Policies\Tailscale" valueName="UseTailscaleDNSSettings">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="UseTailscaleSubnets" class="Machine" displayName="$(string.UseTailscaleSubnets)" explainText="$(string.UseTailscaleSubnets_Help)" key="Software\Policies\Tailscale" valueName="UseTailscaleSubnets">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="InstallUpdates" class="Machine" displayName="$(string.InstallUpdates)" explainText="$(string.InstallUpdates_Help)" key="Software\Policies\Tailscale" valueName="InstallUpdates">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="AdvertiseExitNode" class="Machine" displayName="$(string.AdvertiseExitNode)" explainText="$(string.AdvertiseExitNode_Help)" key="Software\Policies\Tailscale" valueName="AdvertiseExitNode">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="PostureChecking" class="Machine" displayName="$(string.PostureChecking)" explainText="$(string.PostureChecking_Help)" key="Software\Policies\Tailscale" valueName="PostureChecking">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="LogSCMInteractions" class="Machine" displayName="$(string.LogSCMInteractions)" explainText="$(string.LogSCMInteractions_Help)" key="Software\Policies\Tailscale" valueName="LogSCMInteractions">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="SINCE_V1_26" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
+    <policy name="FlushDNSOnSessionUnlock" class="Machine" displayName="$(string.FlushDNSOnSessionUnlock)" explainText="$(string.FlushDNSOnSessionUnlock_Help)" key="Software\Policies\Tailscale" valueName="FlushDNSOnSessionUnlock">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
+    <policy name="AdminPanel" class="Machine" displayName="$(string.AdminPanel)" explainText="$(string.AdminPanel_Help)" key="Software\Policies\Tailscale" valueName="AdminPanel">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="NetworkDevices" class="Machine" displayName="$(string.NetworkDevices)" explainText="$(string.NetworkDevices_Help)" key="Software\Policies\Tailscale" valueName="NetworkDevices">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="TestMenu" class="Machine" displayName="$(string.TestMenu)" explainText="$(string.TestMenu_Help)" key="Software\Policies\Tailscale" valueName="TestMenu">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="UpdateMenu" class="Machine" displayName="$(string.UpdateMenu)" explainText="$(string.UpdateMenu_Help)" key="Software\Policies\Tailscale" valueName="UpdateMenu">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="RunExitNode" class="Machine" displayName="$(string.RunExitNode)" explainText="$(string.RunExitNode_Help)" key="Software\Policies\Tailscale" valueName="RunExitNode">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="PreferencesMenu" class="Machine" displayName="$(string.PreferencesMenu)" explainText="$(string.PreferencesMenu_Help)" key="Software\Policies\Tailscale" valueName="PreferencesMenu">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="ExitNodesPicker" class="Machine" displayName="$(string.ExitNodesPicker)" explainText="$(string.ExitNodesPicker_Help)" key="Software\Policies\Tailscale" valueName="ExitNodesPicker">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+  </policies>
+</policyDefinitions>
--- a/go.mod
+++ b/go.mod
@@ -61,6 +61,7 @@ require (
 	github.com/safchain/ethtool v0.3.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e
+	github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
 	github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e
@@ -114,7 +115,7 @@ require (
 	github.com/dave/brenda v1.1.0 // indirect
 	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 )

 require (
@@ -224,7 +225,6 @@ require (
 	github.com/gordonklaus/ineffassign v0.0.0-20230107090616-13ace0543b28 // indirect
 	github.com/goreleaser/chglog v0.5.0 // indirect
 	github.com/goreleaser/fileglob v1.3.0 // indirect
-	github.com/gorilla/csrf v1.7.1
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.4.2 // indirect
 	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -496,10 +496,8 @@ github.com/goreleaser/fileglob v1.3.0 h1:/X6J7U8lbDpQtBvGcwwPS6OpzkNVlVEsFUVRx9+
 github.com/goreleaser/fileglob v1.3.0/go.mod h1:Jx6BoXv3mbYkEzwm9THo7xbr5egkAraxkGorbJb4RxU=
 github.com/goreleaser/nfpm/v2 v2.33.1 h1:EkdAzZyVhAI9JC1vjmjjbmnNzyH1J6Cu4JCsA7YcQuc=
 github.com/goreleaser/nfpm/v2 v2.33.1/go.mod h1:8wwWWvJWmn84xo/Sqiv0aMvEGTHlHZTXTEuVSgQpkIM=
-github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE=
-github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -882,6 +880,8 @@ github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplB
 github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
+github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16 h1:ALxSJ4KoXENNx1f3L+LD/QuY/FpWadzAMtWIa1Po+jk=
+github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16/go.mod h1:DkNNZmUscMpGHYJVVqyAqMVY6goWltxvnDSMKuDsxlU=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HPjrSuJYEkdZ+0ItmGQAQ75cRHIiftIyE=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -175,6 +175,7 @@ type PartialFile struct {
 	// in-progress '*.partial' file's path when the peerapi isn't
 	// being used; see LocalBackend.SetDirectFileRoot.
 	PartialPath string `json:",omitempty"`
+	FinalPath   string `json:",omitempty"`

 	// Done is set in "direct" mode when the partial file has been
 	// closed and is ready for the caller to rename away the
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -265,9 +265,8 @@ type LocalBackend struct {
 	// It's also used on several NAS platforms (Synology, TrueNAS, etc)
 	// but in that case DoFinalRename is also set true, which moves the
 	// *.partial file to its final name on completion.
-	directFileRoot          string
-	directFileDoFinalRename bool // false on macOS, true on several NAS platforms
-	componentLogUntil       map[string]componentLogState
+	directFileRoot    string
+	componentLogUntil map[string]componentLogState
 	// c2nUpdateStatus is the status of c2n-triggered client update.
 	c2nUpdateStatus     updateStatus
 	currentUser         ipnauth.WindowsToken
@@ -540,17 +539,6 @@ func (b *LocalBackend) SetDirectFileRoot(dir string) {
 	b.directFileRoot = dir
 }

-// SetDirectFileDoFinalRename sets whether the peerapi file server should rename
-// a received "name.partial" file to "name" when the download is complete.
-//
-// This only applies when SetDirectFileRoot is non-empty.
-// The default is false.
-func (b *LocalBackend) SetDirectFileDoFinalRename(v bool) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.directFileDoFinalRename = v
-}
-
 // ReloadConfig reloads the backend's config from disk.
 //
 // It returns (false, nil) if not running in declarative mode, (true, nil) on
@@ -1074,9 +1062,11 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 		b.blockEngineUpdates(false)
 	}

-	if st.LoginFinished() && wasBlocked {
-		// Auth completed, unblock the engine
-		b.blockEngineUpdates(false)
+	if st.LoginFinished() && (wasBlocked || b.seamlessRenewalEnabled()) {
+		if wasBlocked {
+			// Auth completed, unblock the engine
+			b.blockEngineUpdates(false)
+		}
 		b.authReconfig()
 		b.send(ipn.Notify{LoginFinished: &empty.Message{}})
 	}
@@ -1108,7 +1098,7 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 		b.authURL = st.URL
 		b.authURLSticky = st.URL
 	}
-	if wasBlocked && st.LoginFinished() {
+	if (wasBlocked || b.seamlessRenewalEnabled()) && st.LoginFinished() {
 		// Interactive login finished successfully (URL visited).
 		// After an interactive login, the user always wants
 		// WantRunning.
@@ -2456,8 +2446,10 @@ func (b *LocalBackend) popBrowserAuthNow() {

 	b.logf("popBrowserAuthNow: url=%v", url != "")

-	b.blockEngineUpdates(true)
-	b.stopEngineAndWait()
+	if !b.seamlessRenewalEnabled() {
+		b.blockEngineUpdates(true)
+		b.stopEngineAndWait()
+	}
 	b.tellClientToBrowseToURL(url)
 	if b.State() == ipn.Running {
 		b.enterState(ipn.Starting)
@@ -3873,13 +3865,12 @@ func (b *LocalBackend) initPeerAPIListener() {
 	ps := &peerAPIServer{
 		b: b,
 		taildrop: taildrop.ManagerOptions{
-			Logf:             b.logf,
-			Clock:            tstime.DefaultClock{Clock: b.clock},
-			State:            b.store,
-			Dir:              fileRoot,
-			DirectFileMode:   b.directFileRoot != "",
-			AvoidFinalRename: !b.directFileDoFinalRename,
-			SendFileNotify:   b.sendFileNotify,
+			Logf:           b.logf,
+			Clock:          tstime.DefaultClock{Clock: b.clock},
+			State:          b.store,
+			Dir:            fileRoot,
+			DirectFileMode: b.directFileRoot != "",
+			SendFileNotify: b.sendFileNotify,
 		}.New(),
 	}
 	if dm, ok := b.sys.DNSManager.GetOK(); ok {
@@ -4176,6 +4167,9 @@ func (b *LocalBackend) enterStateLockedOnEntry(newState ipn.State) {
 	switch newState {
 	case ipn.NeedsLogin:
 		systemd.Status("Needs login: %s", authURL)
+		if b.seamlessRenewalEnabled() {
+			break
+		}
 		b.blockEngineUpdates(true)
 		fallthrough
 	case ipn.Stopped:
@@ -5801,6 +5795,14 @@ func (b *LocalBackend) AdvertiseRoute(ipp netip.Prefix) error {
 	return err
 }

+// seamlessRenewalEnabled reports whether seamless key renewals are enabled
+// (i.e. we saw our self node with the SeamlessKeyRenewal attr in a netmap).
+// This enables beta functionality of renewing node keys without breaking
+// connections.
+func (b *LocalBackend) seamlessRenewalEnabled() bool {
+	return b.ControlKnobs().SeamlessKeyRenewal.Load()
+}
+
 var (
 	disallowedAddrs = []netip.Addr{
 		netip.MustParseAddr("::1"),
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -80,6 +80,7 @@ var handler = map[string]localAPIHandler{
 	"component-debug-logging":     (*Handler).serveComponentDebugLogging,
 	"debug":                       (*Handler).serveDebug,
 	"debug-derp-region":           (*Handler).serveDebugDERPRegion,
+	"debug-dial-types":            (*Handler).serveDebugDialTypes,
 	"debug-packet-filter-matches": (*Handler).serveDebugPacketFilterMatches,
 	"debug-packet-filter-rules":   (*Handler).serveDebugPacketFilterRules,
 	"debug-portmap":               (*Handler).serveDebugPortmap,
@@ -840,6 +841,76 @@ func (h *Handler) serveComponentDebugLogging(w http.ResponseWriter, r *http.Requ
 	json.NewEncoder(w).Encode(res)
 }

+func (h *Handler) serveDebugDialTypes(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug-dial-types access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != httpm.POST {
+		http.Error(w, "only POST allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	ip := r.FormValue("ip")
+	port := r.FormValue("port")
+	network := r.FormValue("network")
+
+	addr := ip + ":" + port
+	if _, err := netip.ParseAddrPort(addr); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprintf(w, "invalid address %q: %v", addr, err)
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	var bareDialer net.Dialer
+
+	dialer := h.b.Dialer()
+
+	var peerDialer net.Dialer
+	peerDialer.Control = dialer.PeerDialControlFunc()
+
+	// Kick off a dial with each available dialer in parallel.
+	dialers := []struct {
+		name string
+		dial func(context.Context, string, string) (net.Conn, error)
+	}{
+		{"SystemDial", dialer.SystemDial},
+		{"UserDial", dialer.UserDial},
+		{"PeerDial", peerDialer.DialContext},
+		{"BareDial", bareDialer.DialContext},
+	}
+	type result struct {
+		name string
+		conn net.Conn
+		err  error
+	}
+	results := make(chan result, len(dialers))
+
+	var wg sync.WaitGroup
+	for _, dialer := range dialers {
+		dialer := dialer // loop capture
+
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			conn, err := dialer.dial(ctx, network, addr)
+			results <- result{dialer.name, conn, err}
+		}()
+	}
+
+	wg.Wait()
+	for i := 0; i < len(dialers); i++ {
+		res := <-results
+		fmt.Fprintf(w, "[%s] connected=%v err=%v\n", res.name, res.conn != nil, res.err)
+		if res.conn != nil {
+			res.conn.Close()
+		}
+	}
+}
+
 // servePprofFunc is the implementation of Handler.servePprof, after auth,
 // for platforms where we want to link it in.
 var servePprofFunc func(http.ResponseWriter, *http.Request)
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -26,6 +26,7 @@ import (
 	"tailscale.com/types/preftype"
 	"tailscale.com/types/views"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/util/syspolicy"
 )

 // DefaultControlURL is the URL base of the control plane
@@ -637,11 +638,16 @@ func (p PrefsView) ControlURLOrDefault() string {
 // If not configured, or if the configured value is a legacy name equivalent to
 // the default, then DefaultControlURL is returned instead.
 func (p *Prefs) ControlURLOrDefault() string {
-	if p.ControlURL != "" {
-		if p.ControlURL != DefaultControlURL && IsLoginServerSynonym(p.ControlURL) {
+	controlURL, err := syspolicy.GetString(syspolicy.ControlURL, p.ControlURL)
+	if err != nil {
+		controlURL = p.ControlURL
+	}
+
+	if controlURL != "" {
+		if controlURL != DefaultControlURL && IsLoginServerSynonym(controlURL) {
 			return DefaultControlURL
 		}
-		return p.ControlURL
+		return controlURL
 	}
 	return DefaultControlURL
 }
--- a/k8s-operator/apis/v1alpha1/types_connector.go
+++ b/k8s-operator/apis/v1alpha1/types_connector.go
@@ -6,6 +6,9 @@
 package v1alpha1

 import (
+	"fmt"
+	"strings"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

@@ -17,17 +20,19 @@ var ConnectorKind = "Connector"
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Cluster,shortName=cn
-// +kubebuilder:printcolumn:name="SubnetRoutes",type="string",JSONPath=`.status.subnetRouter.routes`,description="Cluster CIDR ranges exposed to tailnet via subnet router"
-// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=`.status.conditions[?(@.type == "ConnectorReady")].reason`,description="Status of the components deployed by the connector"
+// +kubebuilder:printcolumn:name="SubnetRoutes",type="string",JSONPath=`.status.subnetRoutes`,description="CIDR ranges exposed to tailnet by a subnet router defined via this Connector instance."
+// +kubebuilder:printcolumn:name="IsExitNode",type="string",JSONPath=`.status.isExitNode`,description="Whether this Connector instance defines an exit node."
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=`.status.conditions[?(@.type == "ConnectorReady")].reason`,description="Status of the deployed Connector resources."

 type Connector struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

-	// Desired state of the Connector resource.
+	// ConnectorSpec describes the desired Tailscale component.
 	Spec ConnectorSpec `json:"spec"`

-	// Status of the Connector. This is set and managed by the Tailscale operator.
+	// ConnectorStatus describes the status of the Connector. This is set
+	// and managed by the Tailscale operator.
 	// +optional
 	Status ConnectorStatus `json:"status"`
 }
@@ -41,40 +46,73 @@ type ConnectorList struct {
 	Items []Connector `json:"items"`
 }

-// ConnectorSpec defines the desired state of a ConnectorSpec.
+// ConnectorSpec describes a Tailscale node to be deployed in the cluster.
+// +kubebuilder:validation:XValidation:rule="has(self.subnetRouter) || self.exitNode == true",message="A Connector needs to be either an exit node or a subnet router, or both."
 type ConnectorSpec struct {
-	// SubnetRouter configures a Tailscale subnet router to be deployed in
-	// the cluster. If unset no subnet router will be deployed.
+	// Tags that the Tailscale node will be tagged with.
+	// Defaults to [tag:k8s].
+	// To autoapprove the subnet routes or exit node defined by a Connector,
+	// you can configure Tailscale ACLs to give these tags the necessary
+	// permissions.
+	// See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes.
+	// If you specify custom tags here, you must also make the operator an owner of these tags.
+	// See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
+	// Tags cannot be changed once a Connector node has been created.
+	// Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
+	// +optional
+	Tags Tags `json:"tags,omitempty"`
+	// Hostname is the tailnet hostname that should be assigned to the
+	// Connector node. If unset, hostname defaults to <connector
+	// name>-connector. Hostname can contain lower case letters, numbers and
+	// dashes, it must not start or end with a dash and must be between 2
+	// and 63 characters long.
+	// +optional
+	Hostname Hostname `json:"hostname,omitempty"`
+	// SubnetRouter defines subnet routes that the Connector node should
+	// expose to tailnet. If unset, none are exposed.
 	// https://tailscale.com/kb/1019/subnets/
+	// +optional
 	SubnetRouter *SubnetRouter `json:"subnetRouter"`
+	// ExitNode defines whether the Connector node should act as a
+	// Tailscale exit node. Defaults to false.
+	// https://tailscale.com/kb/1103/exit-nodes
+	// +optional
+	ExitNode bool `json:"exitNode"`
 }

-// SubnetRouter describes a subnet router.
-// +kubebuilder:validation:XValidation:rule="has(self.tags) == has(oldSelf.tags)",message="Subnetrouter tags cannot be changed. Delete and redeploy the Connector if you need to change it."
+// SubnetRouter defines subnet routes that should be exposed to tailnet via a
+// Connector node.
 type SubnetRouter struct {
-	// Routes refer to in-cluster CIDRs that the subnet router should make
+	// AdvertiseRoutes refer to CIDRs that the subnet router should make
 	// available. Route values must be strings that represent a valid IPv4
 	// or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes.
 	// https://tailscale.com/kb/1201/4via6-subnets/
-	Routes []Route `json:"routes"`
-	// Tags that the Tailscale node will be tagged with. If you want the
-	// subnet router to be autoapproved, you can configure Tailscale ACLs to
-	// autoapprove the subnetrouter's CIDRs for these tags.
-	// See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes
-	// Defaults to tag:k8s.
-	// If you specify custom tags here, you must also make tag:k8s-operator owner of the custom tag.
-	// See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
-	// Tags cannot be changed once a Connector has been created.
-	// Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
-	// +optional
-	Tags []Tag `json:"tags,omitempty"`
-	// Hostname is the tailnet hostname that should be assigned to the
-	// subnet router node. If unset hostname is defaulted to <connector
-	// name>-subnetrouter. Hostname can contain lower case letters, numbers
-	// and dashes, it must not start or end with a dash and must be between
-	// 2 and 63 characters long.
-	// +optional
-	Hostname Hostname `json:"hostname,omitempty"`
+	AdvertiseRoutes Routes `json:"advertiseRoutes"`
+}
+
+type Tags []Tag
+
+func (tags Tags) Stringify() []string {
+	stringTags := make([]string, len(tags))
+	for i, t := range tags {
+		stringTags[i] = string(t)
+	}
+	return stringTags
+}
+
+// +kubebuilder:validation:MinItems=1
+type Routes []Route
+
+func (routes Routes) Stringify() string {
+	if len(routes) < 1 {
+		return ""
+	}
+	var sb strings.Builder
+	sb.WriteString(string(routes[0]))
+	for _, r := range routes[1:] {
+		sb.WriteString(fmt.Sprintf(",%s", r))
+	}
+	return sb.String()
 }

 // +kubebuilder:validation:Type=string
@@ -91,28 +129,19 @@ type Hostname string

 // ConnectorStatus defines the observed state of the Connector.
 type ConnectorStatus struct {
-
 	// List of status conditions to indicate the status of the Connector.
 	// Known condition types are `ConnectorReady`.
 	// +listType=map
 	// +listMapKey=type
 	// +optional
 	Conditions []ConnectorCondition `json:"conditions"`
-	// SubnetRouter status is the current status of a subnet router
+	// SubnetRoutes are the routes currently exposed to tailnet via this
+	// Connector instance.
 	// +optional
-	SubnetRouter *SubnetRouterStatus `json:"subnetRouter"`
-}
-
-// SubnetRouter status is the current status of a subnet router if deployed
-type SubnetRouterStatus struct {
-	// Routes are the CIDRs currently exposed via subnet router
-	Routes string `json:"routes"`
-	// Ready is the ready status of the subnet router
-	Ready metav1.ConditionStatus `json:"ready"`
-	// Reason is the reason for the subnet router status
-	Reason string `json:"reason"`
-	// Message is a more verbose reason for the current subnet router status
-	Message string `json:"message"`
+	SubnetRoutes string `json:"subnetRoutes"`
+	// IsExitNode is set to true if the Connector acts as an exit node.
+	// +optional
+	IsExitNode bool `json:"isExitNode"`
 }

 // ConnectorCondition contains condition information for a Connector.
@@ -147,7 +176,7 @@ type ConnectorCondition struct {
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 }

-// ConnectorConditionType represents a Connector condition type
+// ConnectorConditionType represents a Connector condition type.
 type ConnectorConditionType string

 const (
--- a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
@@ -92,6 +92,11 @@ func (in *ConnectorList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectorSpec) DeepCopyInto(out *ConnectorSpec) {
 	*out = *in
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(Tags, len(*in))
+		copy(*out, *in)
+	}
 	if in.SubnetRouter != nil {
 		in, out := &in.SubnetRouter, &out.SubnetRouter
 		*out = new(SubnetRouter)
@@ -119,11 +124,6 @@ func (in *ConnectorStatus) DeepCopyInto(out *ConnectorStatus) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.SubnetRouter != nil {
-		in, out := &in.SubnetRouter, &out.SubnetRouter
-		*out = new(SubnetRouterStatus)
-		**out = **in
-	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectorStatus.
@@ -137,16 +137,30 @@ func (in *ConnectorStatus) DeepCopy() *ConnectorStatus {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SubnetRouter) DeepCopyInto(out *SubnetRouter) {
-	*out = *in
-	if in.Routes != nil {
-		in, out := &in.Routes, &out.Routes
-		*out = make([]Route, len(*in))
+func (in Routes) DeepCopyInto(out *Routes) {
+	{
+		in := &in
+		*out = make(Routes, len(*in))
 		copy(*out, *in)
 	}
-	if in.Tags != nil {
-		in, out := &in.Tags, &out.Tags
-		*out = make([]Tag, len(*in))
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Routes.
+func (in Routes) DeepCopy() Routes {
+	if in == nil {
+		return nil
+	}
+	out := new(Routes)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubnetRouter) DeepCopyInto(out *SubnetRouter) {
+	*out = *in
+	if in.AdvertiseRoutes != nil {
+		in, out := &in.AdvertiseRoutes, &out.AdvertiseRoutes
+		*out = make(Routes, len(*in))
 		copy(*out, *in)
 	}
 }
@@ -162,16 +176,20 @@ func (in *SubnetRouter) DeepCopy() *SubnetRouter {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SubnetRouterStatus) DeepCopyInto(out *SubnetRouterStatus) {
-	*out = *in
+func (in Tags) DeepCopyInto(out *Tags) {
+	{
+		in := &in
+		*out = make(Tags, len(*in))
+		copy(*out, *in)
+	}
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubnetRouterStatus.
-func (in *SubnetRouterStatus) DeepCopy() *SubnetRouterStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tags.
+func (in Tags) DeepCopy() Tags {
 	if in == nil {
 		return nil
 	}
-	out := new(SubnetRouterStatus)
+	out := new(Tags)
 	in.DeepCopyInto(out)
-	return out
+	return *out
 }
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -41,9 +41,9 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
 - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -53,9 +53,9 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
 - [github.com/kballard/go-shellquote](https://pkg.go.dev/github.com/kballard/go-shellquote) ([MIT](https://github.com/kballard/go-shellquote/blob/95032a82bc51/LICENSE))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
 - [github.com/kr/fs](https://pkg.go.dev/github.com/kr/fs) ([BSD-3-Clause](https://github.com/kr/fs/blob/v0.1.0/LICENSE))
 - [github.com/mattn/go-colorable](https://pkg.go.dev/github.com/mattn/go-colorable) ([MIT](https://github.com/mattn/go-colorable/blob/v0.1.13/LICENSE))
@@ -77,7 +77,7 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
 - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/3a45625fe806/LICENSE))
+ - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/a4fa669015b2/LICENSE))
 - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/cc193a0b3272/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
 - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -13,8 +13,23 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/1a75b4708caa/LICENSE))
 - [github.com/apenwarr/fixconsole](https://pkg.go.dev/github.com/apenwarr/fixconsole) ([Apache-2.0](https://github.com/apenwarr/fixconsole/blob/5a9f6489cc29/LICENSE))
 - [github.com/apenwarr/w32](https://pkg.go.dev/github.com/apenwarr/w32) ([BSD-3-Clause](https://github.com/apenwarr/w32/blob/aa00fece76ab/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.42/config/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.40/credentials/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.11/feature/ec2/imds/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.41/internal/configsources/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.35/internal/endpoints/v2/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.43/internal/ini/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/internal/sync/singleflight/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.35/service/internal/presigned-url/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.38.0/service/ssm/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.14.1/service/sso/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.17.1/service/ssooidc/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.22.0/service/sts/LICENSE.txt))
+ - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.14.2/LICENSE))
+ - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.14.2/internal/sync/singleflight/LICENSE))
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.7.0/LICENSE))
- - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/e994401fc077/LICENSE))
+ - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/65927751e9eb/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.5.0/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
@@ -22,11 +37,12 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.1/LICENSE))
 - [github.com/gregjones/httpcache](https://pkg.go.dev/github.com/gregjones/httpcache) ([MIT](https://github.com/gregjones/httpcache/blob/901d90724c79/LICENSE.txt))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
+ - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
 - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.5.0/LICENSE.md))
 - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.56/LICENSE))
@@ -36,8 +52,8 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
 - [github.com/tailscale/go-winio](https://pkg.go.dev/github.com/tailscale/go-winio) ([MIT](https://github.com/tailscale/go-winio/blob/c4f33415bf55/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/dff4ed649e49/LICENSE))
- - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/84569fd814a9/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/95b7e17614b9/LICENSE))
+ - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/d2e5cdeed6dc/LICENSE))
 - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.1/LICENSE))
 - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
 - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/v0.0.4/LICENSE))
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -460,6 +460,10 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 var (
 	verboseDNSForward = envknob.RegisterBool("TS_DEBUG_DNS_FORWARD_SEND")
 	skipTCPRetry      = envknob.RegisterBool("TS_DNS_FORWARD_SKIP_TCP_RETRY")
+
+	// For correlating log messages in the send() function; only used when
+	// verboseDNSForward() is true.
+	forwarderCount atomic.Uint64
 )

 // send sends packet to dst. It is best effort.
@@ -467,9 +471,10 @@ var (
 // send expects the reply to have the same txid as txidOut.
 func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
 	if verboseDNSForward() {
-		f.logf("forwarder.send(%q) ...", rr.name.Addr)
+		id := forwarderCount.Add(1)
+		f.logf("forwarder.send(%q) [%d] ...", rr.name.Addr, id)
 		defer func() {
-			f.logf("forwarder.send(%q) = %v, %v", rr.name.Addr, len(ret), err)
+			f.logf("forwarder.send(%q) [%d] = %v, %v", rr.name.Addr, id, len(ret), err)
 		}()
 	}
 	if strings.HasPrefix(rr.name.Addr, "http://") {
--- a/net/interfaces/defaultroute_bsd.go
+++ b/net/interfaces/defaultroute_bsd.go
@@ -0,0 +1,26 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Common code for FreeBSD and Darwin. This might also work on other
+// BSD systems (e.g. OpenBSD) but has not been tested.
+// Not used on iOS. See defaultroute_ios.go.
+
+//go:build !ios && (darwin || freebsd)
+
+package interfaces
+
+import "net"
+
+func defaultRoute() (d DefaultRouteDetails, err error) {
+	idx, err := DefaultRouteInterfaceIndex()
+	if err != nil {
+		return d, err
+	}
+	iface, err := net.InterfaceByIndex(idx)
+	if err != nil {
+		return d, err
+	}
+	d.InterfaceName = iface.Name
+	d.InterfaceIndex = idx
+	return d, nil
+}
--- a/net/interfaces/defaultroute_ios.go
+++ b/net/interfaces/defaultroute_ios.go
@@ -0,0 +1,108 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build ios
+
+package interfaces
+
+import (
+	"log"
+
+	"tailscale.com/syncs"
+)
+
+var (
+	lastKnownDefaultRouteIfName syncs.AtomicValue[string]
+)
+
+// UpdateLastKnownDefaultRouteInterface is called by ipn-go-bridge in the iOS app when
+// our NWPathMonitor instance detects a network path transition.
+func UpdateLastKnownDefaultRouteInterface(ifName string) {
+	if ifName == "" {
+		return
+	}
+	lastKnownDefaultRouteIfName.Store(ifName)
+	log.Printf("defaultroute_ios: update from Swift, ifName = %s", ifName)
+}
+
+func defaultRoute() (d DefaultRouteDetails, err error) {
+	// We cannot rely on the delegated interface data on iOS. The NetworkExtension framework
+	// seems to set the delegate interface only once, upon the *creation* of the VPN tunnel.
+	// If a network transition (e.g. from Wi-Fi to Cellular) happens while the tunnel is
+	// connected, it will be ignored and we will still try to set Wi-Fi as the default route
+	// because the delegated interface is not updated by the NetworkExtension framework.
+	//
+	// We work around this on the Swift side with a NWPathMonitor instance that observes
+	// the interface name of the first currently satisfied network path. Our Swift code will
+	// call into `UpdateLastKnownDefaultRouteInterface`, so we can rely on that when it is set.
+	//
+	// If for any reason the Swift machinery didn't work and we don't get any updates, here
+	// we also have some fallback logic: we try finding a hardcoded Wi-Fi interface called en0.
+	// If en0 is down, we fall back to cellular (pdp_ip0) as a last resort. This doesn't handle
+	// all edge cases like USB-Ethernet adapters or multiple Ethernet interfaces, but is good
+	// enough to ensure connectivity isn't broken.
+
+	// Start by getting all available interfaces.
+	interfaces, err := netInterfaces()
+	if err != nil {
+		log.Printf("defaultroute_ios: could not get interfaces: %v", err)
+		return d, ErrNoGatewayIndexFound
+	}
+
+	getInterfaceByName := func(name string) *Interface {
+		for _, ifc := range interfaces {
+			if ifc.Name != name {
+				continue
+			}
+
+			if !ifc.IsUp() {
+				log.Println("defaultroute_ios: %s is down", name)
+				return nil
+			}
+
+			addrs, _ := ifc.Addrs()
+			if len(addrs) == 0 {
+				log.Println("defaultroute_ios: %s has no addresses", name)
+				return nil
+			}
+			return &ifc
+		}
+		return nil
+	}
+
+	// Did Swift set lastKnownDefaultRouteInterface? If so, we should use it and don't bother
+	// with anything else. However, for sanity, do check whether Swift gave us with an interface
+	// that exists, is up, and has an address.
+	if swiftIfName := lastKnownDefaultRouteIfName.Load(); swiftIfName != "" {
+		ifc := getInterfaceByName(swiftIfName)
+		if ifc != nil {
+			log.Printf("defaultroute_ios: using %s (provided by Swift)", ifc.Name)
+			d.InterfaceName = ifc.Name
+			d.InterfaceIndex = ifc.Index
+			return d, nil
+		}
+	}
+
+	// Start of our fallback logic if Swift didn't give us an interface name, or gave us an invalid
+	// one.
+	// We start by attempting to use the Wi-Fi interface, which on iPhone is always called en0.
+	enZeroIf := getInterfaceByName("en0")
+	if enZeroIf != nil {
+		log.Println("defaultroute_ios: using en0 (fallback)")
+		d.InterfaceName = enZeroIf.Name
+		d.InterfaceIndex = enZeroIf.Index
+		return d, nil
+	}
+
+	// Did it not work? Let's try with Cellular (pdp_ip0).
+	cellIf := getInterfaceByName("pdp_ip0")
+	if cellIf != nil {
+		log.Println("defaultroute_ios: using pdp_ip0 (fallback)")
+		d.InterfaceName = cellIf.Name
+		d.InterfaceIndex = cellIf.Index
+		return d, nil
+	}
+
+	log.Println("defaultroute_ios: no running interfaces available")
+	return d, ErrNoGatewayIndexFound
+}
--- a/net/interfaces/interfaces_bsd.go
+++ b/net/interfaces/interfaces_bsd.go
@@ -12,7 +12,6 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"net"
 	"net/netip"
 	"syscall"

@@ -21,20 +20,6 @@ import (
 	"tailscale.com/net/netaddr"
 )

-func defaultRoute() (d DefaultRouteDetails, err error) {
-	idx, err := DefaultRouteInterfaceIndex()
-	if err != nil {
-		return d, err
-	}
-	iface, err := net.InterfaceByIndex(idx)
-	if err != nil {
-		return d, err
-	}
-	d.InterfaceName = iface.Name
-	d.InterfaceIndex = idx
-	return d, nil
-}
-
 // ErrNoGatewayIndexFound is returned by DefaultRouteInterfaceIndex when no
 // default route is found.
 var ErrNoGatewayIndexFound = errors.New("no gateway index found")
--- a/net/netutil/routes.go
+++ b/net/netutil/routes.go
@@ -29,11 +29,12 @@ func validateViaPrefix(ipp netip.Prefix) error {
 	// The first 64 bits of a are the via prefix.
 	// The next 32 bits are the "site ID".
 	// The last 32 bits are the IPv4.
-	// For now, we reserve the top 3 bytes of the site ID,
-	// and only allow users to use site IDs 0-255.
+	//
+	// We used to only allow advertising site IDs from 0-255, but we have
+	// since relaxed this (as of 2024-01) to allow IDs from 0-65535.
 	siteID := binary.BigEndian.Uint32(a[8:12])
-	if siteID > 0xFF {
-		return fmt.Errorf("route %v contains invalid site ID %08x; must be 0xff or less", ipp, siteID)
+	if siteID > 0xFFFF {
+		return fmt.Errorf("route %v contains invalid site ID %08x; must be 0xffff or less", ipp, siteID)
 	}
 	return nil
 }
--- a/net/stunserver/stunserver.go
+++ b/net/stunserver/stunserver.go
@@ -0,0 +1,126 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package stunserver implements a STUN server. The package publishes a number of stats
+// to expvar under the top level label "stun". Logs are sent to the standard log package.
+package stunserver
+
+import (
+	"context"
+	"errors"
+	"expvar"
+	"io"
+	"log"
+	"net"
+	"net/netip"
+	"time"
+
+	"tailscale.com/metrics"
+	"tailscale.com/net/stun"
+)
+
+var (
+	stats           = new(metrics.Set)
+	stunDisposition = &metrics.LabelMap{Label: "disposition"}
+	stunAddrFamily  = &metrics.LabelMap{Label: "family"}
+	stunReadError   = stunDisposition.Get("read_error")
+	stunNotSTUN     = stunDisposition.Get("not_stun")
+	stunWriteError  = stunDisposition.Get("write_error")
+	stunSuccess     = stunDisposition.Get("success")
+
+	stunIPv4 = stunAddrFamily.Get("ipv4")
+	stunIPv6 = stunAddrFamily.Get("ipv6")
+)
+
+func init() {
+	stats.Set("counter_requests", stunDisposition)
+	stats.Set("counter_addrfamily", stunAddrFamily)
+	expvar.Publish("stun", stats)
+}
+
+type STUNServer struct {
+	ctx context.Context // ctx signals service shutdown
+	pc  *net.UDPConn    // pc is the UDP listener
+}
+
+// New creates a new STUN server. The server is shutdown when ctx is done.
+func New(ctx context.Context) *STUNServer {
+	return &STUNServer{ctx: ctx}
+}
+
+// Listen binds the listen socket for the server at listenAddr.
+func (s *STUNServer) Listen(listenAddr string) error {
+	uaddr, err := net.ResolveUDPAddr("udp", listenAddr)
+	if err != nil {
+		return err
+	}
+	s.pc, err = net.ListenUDP("udp", uaddr)
+	if err != nil {
+		return err
+	}
+	log.Printf("STUN server listening on %v", s.LocalAddr())
+	// close the listener on shutdown in order to break out of the read loop
+	go func() {
+		<-s.ctx.Done()
+		s.pc.Close()
+	}()
+	return nil
+}
+
+// Serve starts serving responses to STUN requests. Listen must be called before Serve.
+func (s *STUNServer) Serve() error {
+	var buf [64 << 10]byte
+	var (
+		n   int
+		ua  *net.UDPAddr
+		err error
+	)
+	for {
+		n, ua, err = s.pc.ReadFromUDP(buf[:])
+		if err != nil {
+			if errors.Is(err, io.EOF) || errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			log.Printf("STUN ReadFrom: %v", err)
+			time.Sleep(time.Second)
+			stunReadError.Add(1)
+			continue
+		}
+		pkt := buf[:n]
+		if !stun.Is(pkt) {
+			stunNotSTUN.Add(1)
+			continue
+		}
+		txid, err := stun.ParseBindingRequest(pkt)
+		if err != nil {
+			stunNotSTUN.Add(1)
+			continue
+		}
+		if ua.IP.To4() != nil {
+			stunIPv4.Add(1)
+		} else {
+			stunIPv6.Add(1)
+		}
+		addr, _ := netip.AddrFromSlice(ua.IP)
+		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
+		_, err = s.pc.WriteTo(res, ua)
+		if err != nil {
+			stunWriteError.Add(1)
+		} else {
+			stunSuccess.Add(1)
+		}
+	}
+}
+
+// ListenAndServe starts the STUN server on listenAddr.
+func (s *STUNServer) ListenAndServe(listenAddr string) error {
+	if err := s.Listen(listenAddr); err != nil {
+		return err
+	}
+	return s.Serve()
+}
+
+// LocalAddr returns the local address of the STUN server. It must not be called before ListenAndServe.
+func (s *STUNServer) LocalAddr() net.Addr {
+	return s.pc.LocalAddr()
+}
--- a/net/stunserver/stunserver_test.go
+++ b/net/stunserver/stunserver_test.go
@@ -0,0 +1,88 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package stunserver
+
+import (
+	"context"
+	"net"
+	"sync"
+	"testing"
+	"time"
+
+	"tailscale.com/net/stun"
+	"tailscale.com/util/must"
+)
+
+func TestSTUNServer(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	s := New(ctx)
+	must.Do(s.Listen("localhost:0"))
+	var w sync.WaitGroup
+	w.Add(1)
+	var serveErr error
+	go func() {
+		defer w.Done()
+		serveErr = s.Serve()
+	}()
+
+	c := must.Get(net.DialUDP("udp", nil, s.LocalAddr().(*net.UDPAddr)))
+	defer c.Close()
+	c.SetDeadline(time.Now().Add(5 * time.Second))
+	txid := stun.NewTxID()
+	_, err := c.Write(stun.Request(txid))
+	if err != nil {
+		t.Fatalf("failed to write STUN request: %v", err)
+	}
+	var buf [64 << 10]byte
+	n, err := c.Read(buf[:])
+	if err != nil {
+		t.Fatalf("failed to read STUN response: %v", err)
+	}
+	if !stun.Is(buf[:n]) {
+		t.Fatalf("response is not STUN")
+	}
+	tid, _, err := stun.ParseResponse(buf[:n])
+	if err != nil {
+		t.Fatalf("failed to parse STUN response: %v", err)
+	}
+	if tid != txid {
+		t.Fatalf("STUN response has wrong transaction ID; got %d, want %d", tid, txid)
+	}
+
+	cancel()
+	w.Wait()
+	if serveErr != nil {
+		t.Fatalf("failed to listen and serve: %v", serveErr)
+	}
+}
+
+func BenchmarkServerSTUN(b *testing.B) {
+	b.ReportAllocs()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	s := New(ctx)
+	s.Listen("localhost:0")
+	go s.Serve()
+	addr := s.LocalAddr().(*net.UDPAddr)
+
+	var resBuf [1500]byte
+	cc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1")})
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	tx := stun.NewTxID()
+	req := stun.Request(tx)
+	for i := 0; i < b.N; i++ {
+		if _, err := cc.WriteToUDP(req, addr); err != nil {
+			b.Fatal(err)
+		}
+		_, _, err := cc.ReadFromUDP(resBuf[:])
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -254,7 +254,7 @@ func (c *conn) vlogf(format string, args ...any) {

 // isAuthorized walks through the action chain and returns nil if the connection
 // is authorized. If the connection is not authorized, it returns
-// gossh.ErrDenied. If the action chain resolution fails, it returns the
+// errDenied. If the action chain resolution fails, it returns the
 // resolution error.
 func (c *conn) isAuthorized(ctx ssh.Context) error {
 	action := c.currentAction
@@ -266,7 +266,7 @@ func (c *conn) isAuthorized(ctx ssh.Context) error {
 			return nil
 		}
 		if action.Reject || action.HoldAndDelegate == "" {
-			return gossh.ErrDenied
+			return errDenied
 		}
 		var err error
 		action, err = c.resolveNextAction(ctx)
@@ -281,6 +281,10 @@ func (c *conn) isAuthorized(ctx ssh.Context) error {
 	}
 }

+// errDenied is returned by auth callbacks when a connection is denied by the
+// policy.
+var errDenied = errors.New("ssh: access denied")
+
 // errPubKeyRequired is returned by NoClientAuthCallback to make the client
 // resort to public-key auth; not user visible.
 var errPubKeyRequired = errors.New("ssh publickey required")
@@ -293,7 +297,7 @@ var errPubKeyRequired = errors.New("ssh publickey required")
 // starting it afresh). It returns an error if the policy evaluation fails, or
 // if the decision is "reject"
 //
-// It either returns nil (accept) or errPubKeyRequired or gossh.ErrDenied
+// It either returns nil (accept) or errPubKeyRequired or errDenied
 // (reject). The errors may be wrapped.
 func (c *conn) NoClientAuthCallback(ctx ssh.Context) error {
 	if c.insecureSkipTailscaleAuth {
@@ -360,18 +364,18 @@ func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error {
 // pubKey. It returns nil if the matching policy action is Accept or
 // HoldAndDelegate. If pubKey is nil, there was no policy match but there is a
 // policy that might match a public key it returns errPubKeyRequired. Otherwise,
-// it returns gossh.ErrDenied.
+// it returns errDenied.
 func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
 	if err := c.setInfo(ctx); err != nil {
 		c.logf("failed to get conninfo: %v", err)
-		return gossh.ErrDenied
+		return errDenied
 	}
 	a, localUser, err := c.evaluatePolicy(pubKey)
 	if err != nil {
 		if pubKey == nil && c.havePubKeyPolicy() {
 			return errPubKeyRequired
 		}
-		return fmt.Errorf("%w: %v", gossh.ErrDenied, err)
+		return fmt.Errorf("%w: %v", errDenied, err)
 	}
 	c.action0 = a
 	c.currentAction = a
@@ -402,10 +406,10 @@ func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
 	}
 	if a.Reject {
 		c.finalAction = a
-		return gossh.ErrDenied
+		return errDenied
 	}
 	// Shouldn't get here, but:
-	return gossh.ErrDenied
+	return errDenied
 }

 // ServerConfig implements ssh.ServerConfigCallback.
@@ -423,7 +427,7 @@ func (srv *server) newConn() (*conn, error) {
 		// Stop accepting new connections.
 		// Connections in the auth phase are handled in handleConnPostSSHAuth.
 		// Existing sessions are terminated by Shutdown.
-		return nil, gossh.ErrDenied
+		return nil, errDenied
 	}
 	srv.mu.Unlock()
 	c := &conn{srv: srv}
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -124,7 +124,9 @@ type CapabilityVersion int
 //   - 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
 //   - 82: 2023-12-01: Client understands NodeAttrLinuxMustUseIPTables, NodeAttrLinuxMustUseNfTables, c2n /netfilter-kind
 //   - 83: 2023-12-18: Client understands DefaultAutoUpdate
-const CurrentCapabilityVersion CapabilityVersion = 83
+//   - 84: 2024-01-04: Client understands SeamlessKeyRenewal
+//   - 85: 2024-01-05: Client understands MaxKeyDuration
+const CurrentCapabilityVersion CapabilityVersion = 85

 type StableID string

@@ -1885,6 +1887,10 @@ type MapResponse struct {
 	// auto-update setting doesn't change if the tailnet admin flips the
 	// default after the node registered.
 	DefaultAutoUpdate opt.Bool `json:",omitempty"`
+
+	// MaxKeyDuration describes the MaxKeyDuration setting for the tailnet.
+	// If zero, the value is unchanged.
+	MaxKeyDuration time.Duration `json:",omitempty"`
 }

 // ClientVersion is information about the latest client version that's available
@@ -2190,6 +2196,10 @@ const (
 	// netfilter management.
 	// This cannot be set simultaneously with NodeAttrLinuxMustUseIPTables.
 	NodeAttrLinuxMustUseNfTables NodeCapability = "linux-netfilter?v=nftables"
+
+	// NodeAttrSeamlessKeyRenewal makes clients enable beta functionality
+	// of renewing node keys without breaking connections.
+	NodeAttrSeamlessKeyRenewal NodeCapability = "seamless-key-renewal"
 )

 // SetDNSRequest is a request to add a DNS record.
--- a/taildrop/resume.go
+++ b/taildrop/resume.go
@@ -64,9 +64,6 @@ func (m *Manager) PartialFiles(id ClientID) (ret []string, err error) {
 	if m == nil || m.opts.Dir == "" {
 		return nil, ErrNoTaildrop
 	}
-	if m.opts.DirectFileMode && m.opts.AvoidFinalRename {
-		return nil, nil // resuming is not supported for users that peek at our file structure
-	}

 	suffix := id.partialSuffix()
 	if err := rangeDir(m.opts.Dir, func(de fs.DirEntry) bool {
@@ -90,9 +87,6 @@ func (m *Manager) HashPartialFile(id ClientID, baseName string) (next func() (Bl
 	}
 	noopNext := func() (BlockChecksum, error) { return BlockChecksum{}, io.EOF }
 	noopClose := func() error { return nil }
-	if m.opts.DirectFileMode && m.opts.AvoidFinalRename {
-		return noopNext, noopClose, nil // resuming is not supported for users that peek at our file structure
-	}

 	dstFile, err := joinDir(m.opts.Dir, baseName)
 	if err != nil {
--- a/taildrop/send.go
+++ b/taildrop/send.go
@@ -31,6 +31,7 @@ type incomingFile struct {
 	w              io.Writer // underlying writer
 	sendFileNotify func()    // called when done
 	partialPath    string    // non-empty in direct mode
+	finalPath      string    // not used in direct mode

 	mu         sync.Mutex
 	copied     int64
@@ -92,13 +93,6 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 		return err
 	}

-	avoidPartialRename := m.opts.DirectFileMode && m.opts.AvoidFinalRename
-	if avoidPartialRename {
-		// Users using AvoidFinalRename are depending on the exact filename
-		// of the partial files. So avoid injecting the id into it.
-		id = ""
-	}
-
 	// Check whether there is an in-progress transfer for the file.
 	partialPath := dstPath + id.partialSuffix()
 	inFileKey := incomingFileKey{id, baseName}
@@ -111,6 +105,7 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 		}
 		if m.opts.DirectFileMode {
 			inFile.partialPath = partialPath
+			inFile.finalPath = dstPath
 		}
 		return inFile
 	})
@@ -128,10 +123,6 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 	defer func() {
 		f.Close() // best-effort to cleanup dangling file handles
 		if err != nil {
-			if avoidPartialRename {
-				os.Remove(partialPath) // best-effort
-				return
-			}
 			m.deleter.Insert(filepath.Base(partialPath)) // mark partial file for eventual deletion
 		}
 	}()
@@ -179,16 +170,9 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 	}
 	fileLength := offset + copyLength

-	// Return early for avoidPartialRename since users of AvoidFinalRename
-	// are depending on the exact naming of partial files.
-	if avoidPartialRename {
-		inFile.mu.Lock()
-		inFile.done = true
-		inFile.mu.Unlock()
-		m.totalReceived.Add(1)
-		m.opts.SendFileNotify()
-		return fileLength, nil
-	}
+	inFile.mu.Lock()
+	inFile.done = true
+	inFile.mu.Unlock()

 	// File has been successfully received, rename the partial file
 	// to the final destination filename. If a file of that name already exists,
@@ -221,6 +205,10 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 		}

 		// Avoid the final rename if a destination file has the same contents.
+		//
+		// Note: this is best effort and copying files from iOS from the Media Library
+		// results in processing on the iOS side which means the size and shas of the
+		// same file can be different.
 		if dstLength == fileLength {
 			partialSum, err := computePartialSum()
 			if err != nil {
@@ -240,6 +228,7 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len

 		// Choose a new destination filename and try again.
 		dstPath = NextFilename(dstPath)
+		inFile.finalPath = dstPath
 	}
 	if maxRetries <= 0 {
 		return 0, errors.New("too many retries trying to rename partial file")
--- a/taildrop/taildrop.go
+++ b/taildrop/taildrop.go
@@ -90,15 +90,6 @@ type ManagerOptions struct {
 	// copy them out, and then delete them.
 	DirectFileMode bool

-	// AvoidFinalRename specifies whether in DirectFileMode
-	// we should avoid renaming "foo.jpg.partial" to "foo.jpg" after reception.
-	//
-	// TODO(joetsai,rhea): Delete this. This is currently depended upon
-	// in the Apple platforms since it violates the abstraction layer
-	// and directly assumes how taildrop represents partial files.
-	// Right now, file resumption does not work on Apple.
-	AvoidFinalRename bool
-
 	// SendFileNotify is called periodically while a file is actively
 	// receiving the contents for the file. There is a final call
 	// to the function when reception completes.
@@ -169,7 +160,7 @@ func validFilenameRune(r rune) bool {
 		// sent.
 		return false
 	}
-	return unicode.IsPrint(r)
+	return unicode.IsGraphic(r)
 }

 func isPartialOrDeleted(s string) bool {
@@ -244,6 +235,7 @@ func (m *Manager) IncomingFiles() []ipn.PartialFile {
 			DeclaredSize: f.size,
 			Received:     f.copied,
 			PartialPath:  f.partialPath,
+			FinalPath:    f.finalPath,
 			Done:         f.done,
 		})
 		return true
--- a/taildrop/taildrop_test.go
+++ b/taildrop/taildrop_test.go
@@ -55,6 +55,7 @@ func TestNextFilename(t *testing.T) {
 		{"my song.mp3", "my song (1).mp3", "my song (2).mp3"},
 		{"archive.7z", "archive (1).7z", "archive (2).7z"},
 		{"foo/bar/fizz", "foo/bar/fizz (1)", "foo/bar/fizz (2)"},
+		{"新完全マスター　N2　文法.pdf", "新完全マスター　N2　文法 (1).pdf", "新完全マスター　N2　文法 (2).pdf"},
 	}

 	for _, tt := range tests {
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -546,7 +546,13 @@ func (s *Server) start() (reterr error) {
 		return ok
 	}
 	s.dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
-		return ns.DialContextTCP(ctx, dst)
+		// Note: don't just return ns.DialContextTCP or we'll
+		// return an interface containing a nil pointer.
+		tcpConn, err := ns.DialContextTCP(ctx, dst)
+		if err != nil {
+			return nil, err
+		}
+		return tcpConn, nil
 	}

 	if s.Store == nil {
--- a/tstest/integration/integration_test.go
+++ b/tstest/integration/integration_test.go
@@ -29,6 +29,7 @@ import (
 	"time"

 	"go4.org/mem"
+	"tailscale.com/clientupdate"
 	"tailscale.com/cmd/testwrapper/flakytest"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
@@ -41,6 +42,7 @@ import (
 	"tailscale.com/tstest/integration/testcontrol"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/must"
 	"tailscale.com/util/rands"
@@ -872,6 +874,99 @@ func TestLogoutRemovesAllPeers(t *testing.T) {
 	wantNode0PeerCount(expectedPeers) // all existing peers and the new node
 }

+func TestAutoUpdateDefaults(t *testing.T) {
+	if !clientupdate.CanAutoUpdate() {
+		t.Skip("auto-updates not supported on this platform")
+	}
+	tstest.Shard(t)
+	tstest.Parallel(t)
+	env := newTestEnv(t)
+
+	checkDefault := func(n *testNode, want bool) error {
+		enabled, ok := n.diskPrefs().AutoUpdate.Apply.Get()
+		if !ok {
+			return fmt.Errorf("auto-update for node is unset, should be set as %v", want)
+		}
+		if enabled != want {
+			return fmt.Errorf("auto-update for node is %v, should be set as %v", enabled, want)
+		}
+		return nil
+	}
+
+	sendAndCheckDefault := func(t *testing.T, n *testNode, send, want bool) {
+		t.Helper()
+		if !env.Control.AddRawMapResponse(n.MustStatus().Self.PublicKey, &tailcfg.MapResponse{
+			DefaultAutoUpdate: opt.NewBool(send),
+		}) {
+			t.Fatal("failed to send MapResponse to node")
+		}
+		if err := tstest.WaitFor(2*time.Second, func() error {
+			return checkDefault(n, want)
+		}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	tests := []struct {
+		desc string
+		run  func(t *testing.T, n *testNode)
+	}{
+		{
+			desc: "tailnet-default-false",
+			run: func(t *testing.T, n *testNode) {
+				// First received default "false".
+				sendAndCheckDefault(t, n, false, false)
+				// Should not be changed even if sent "true" later.
+				sendAndCheckDefault(t, n, true, false)
+				// But can be changed explicitly by the user.
+				if out, err := n.Tailscale("set", "--auto-update").CombinedOutput(); err != nil {
+					t.Fatalf("failed to enable auto-update on node: %v\noutput: %s", err, out)
+				}
+				sendAndCheckDefault(t, n, false, true)
+			},
+		},
+		{
+			desc: "tailnet-default-true",
+			run: func(t *testing.T, n *testNode) {
+				// First received default "true".
+				sendAndCheckDefault(t, n, true, true)
+				// Should not be changed even if sent "false" later.
+				sendAndCheckDefault(t, n, false, true)
+				// But can be changed explicitly by the user.
+				if out, err := n.Tailscale("set", "--auto-update=false").CombinedOutput(); err != nil {
+					t.Fatalf("failed to disable auto-update on node: %v\noutput: %s", err, out)
+				}
+				sendAndCheckDefault(t, n, true, false)
+			},
+		},
+		{
+			desc: "user-sets-first",
+			run: func(t *testing.T, n *testNode) {
+				// User sets auto-update first, before receiving defaults.
+				if out, err := n.Tailscale("set", "--auto-update=false").CombinedOutput(); err != nil {
+					t.Fatalf("failed to disable auto-update on node: %v\noutput: %s", err, out)
+				}
+				// Defaults sent from control should be ignored.
+				sendAndCheckDefault(t, n, true, false)
+				sendAndCheckDefault(t, n, false, false)
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			n := newTestNode(t, env)
+			d := n.StartDaemon()
+			defer d.MustCleanShutdown(t)
+
+			n.AwaitResponding()
+			n.MustUp()
+			n.AwaitRunning()
+
+			tt.run(t, n)
+		})
+	}
+}
+
 // testEnv contains the test environment (set of servers) used by one
 // or more nodes.
 type testEnv struct {
--- a/types/netmap/netmap.go
+++ b/types/netmap/netmap.go
@@ -75,6 +75,9 @@ type NetworkMap struct {
 	DomainAuditLogID string

 	UserProfiles map[tailcfg.UserID]tailcfg.UserProfile
+
+	// MaxKeyDuration describes the MaxKeyDuration setting for the tailnet.
+	MaxKeyDuration time.Duration
 }

 // User returns nm.SelfNode.User if nm.SelfNode is non-nil, otherwise it returns
--- a/types/netmap/nodemut.go
+++ b/types/netmap/nodemut.go
@@ -177,5 +177,6 @@ func mapResponseContainsNonPatchFields(res *tailcfg.MapResponse) bool {
 		// function is called, so it should never be set anyway. But for
 		// completedness, and for tests, check it too:
 		res.PeersChanged != nil ||
-		res.DefaultAutoUpdate != ""
+		res.DefaultAutoUpdate != "" ||
+		res.MaxKeyDuration > 0
 }
--- a/types/netmap/nodemut_test.go
+++ b/types/netmap/nodemut_test.go
@@ -32,7 +32,7 @@ func TestMapResponseContainsNonPatchFields(t *testing.T) {
 			}
 			return reflect.ValueOf("foo").Convert(t)
 		case reflect.Int64:
-			return reflect.ValueOf(int64(1))
+			return reflect.ValueOf(int64(1)).Convert(t)
 		case reflect.Slice:
 			return reflect.MakeSlice(t, 1, 1)
 		case reflect.Ptr:
--- a/util/winutil/restartmgr_windows.go
+++ b/util/winutil/restartmgr_windows.go
@@ -23,7 +23,12 @@ import (
 )

 var (
+	// ErrDefunctProcess is returned by (*UniqueProcess).AsRestartableProcess
+	// when the process no longer exists.
 	ErrDefunctProcess        = errors.New("process is defunct")
+	// ErrProcessNotRestartable is returned by (*UniqueProcess).AsRestartableProcess
+	// when the process has previously indicated that it must not be restarted
+	// during a patch/upgrade.
 	ErrProcessNotRestartable = errors.New("process is not restartable")
 )
Author	SHA1	Message	Date
Will Norris	4f1db73444	client/web: switch to custom fork of gorilla/csrf This fork removes the dependency on the html/template package, so we should be able to enable the web client on mobile in the near future. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	2024-01-09 15:12:22 -08:00
Sonia Appasamy	ea9c7f991a	cli/set: add printout when web client started Prints a helpful message with the web UI's address when running tailscale set --webclient. Updates tailscale/corp#16345 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2024-01-09 17:31:06 -05:00
Rhea Ghosh	4ce33c9758	taildrop: remove breaking abstraction layers for apple (#10728 ) Removes the avoidFinalRename logic and all associated code as it is no longer required by the Apple clients. Enables resume logic to be usable for Apple clients. Fixes tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	2024-01-09 14:11:34 -06:00
Andrew Lytvynov	7df9af2f5c	.github/workflows/govulncheck: migrate to a Github App (#10793 ) Send failures to a new channel using a github app token instead of webhook URL. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2024-01-09 11:51:08 -08:00
Andrew Dunham	20f3f706a4	net/netutil: allow 16-bit 4via6 site IDs The prefix has space for 32-bit site IDs, but the validateViaPrefix function would previously have disallowed site IDs greater than 255. Fixes tailscale/corp#16470 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4cdb0711dafb577fae72d86c4014cf623fa538ef	2024-01-09 10:30:46 -05:00
Irbe Krumina	05093ea7d9	cmd/k8s-operator,k8s-operator: allow the operator to deploy exit nodes via Connector custom resource (#10724 ) cmd/k8s-operator/deploy/crds,k8s-operator/apis/v1alpha1: allow to define an exit node via Connector CR. Make it possible to define an exit node to be deployed to a Kubernetes cluster via Connector Custom resource. Also changes to Connector API so that one Connector corresponds to one Tailnet node that can be either a subnet router or an exit node or both. The Kubernetes operator parses Connector custom resource and, if .spec.isExitNode is set, configures that Tailscale node deployed for that connector as an exit node. Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com>	2024-01-09 14:13:22 +00:00
James Tucker	953fa80c6f	cmd/{derper,stund},net/stunserver: add standalone stun server Add a standalone server for STUN that can be hosted independently of the derper, and factor that back into the derper. Fixes #8434 Closes #8435 Closes #10745 Signed-off-by: James Tucker <james@tailscale.com>	2024-01-08 16:22:33 -08:00
Will Norris	569b91417f	client/web: ensure path prefix has a leading slash This is simply an extra check to prevent hypothetical issues if a prefix such as `--prefix="javascript:alert(1)"` was provided. This isn't really necessary since the prefix is a configuration flag provided by the device owner, not user input. But it does enforce that we are always interpreting the provided value as a path relative to the root. Fixes: tailscale/corp#16268 Signed-off-by: Will Norris <will@tailscale.com>	2024-01-08 12:04:02 -08:00
License Updater	e26ee6952f	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	2024-01-08 11:49:52 -08:00
License Updater	7b113a2d06	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	2024-01-08 11:47:47 -08:00
Andrew Lytvynov	d96e0a553f	tstest/integration: add tests for auto-update defaulting behavior (#10763 ) Updates #16244 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2024-01-08 09:32:18 -08:00
Sonia Appasamy	55d302b48e	client/web: rename Disconnect to Log out For consistency w/ the CLI command. And to be more accurate to what is actually happening on this action - node key is expired. Also updates the disconnected view shown after logout. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2024-01-08 12:28:03 -05:00
Irbe Krumina	133699284e	cmd/containerboot: add EXPERIMENTAL_TS_CONFIGFILE_PATH env var to allow passing tailscaled config in a file (#10759 ) * cmd/containerboot: optionally configure tailscaled with a configfile. If EXPERIMENTAL_TS_CONFIGFILE_PATH env var is set, only run tailscaled with the provided config file. Do not run 'tailscale up' or 'tailscale set'. * cmd/containerboot: store containerboot accept_dns val in bool pointer So that we can distinguish between the value being set to false explicitly bs being unset. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2024-01-08 16:14:06 +00:00
Adrian Dewhurst	c05c4bdce4	ipn: apply ControlURL policy before login Unlike most prefs, the ControlURL policy needs to take effect before login. This resolves an issue where on first start, even when the ControlURL policy is set, it will generate a login URL to the Tailscale SaaS server. Updates tailscale/coral#118 Fixes #10736 Change-Id: I6da2a521f64028c15dbb6ac8175839fc3cc4e858 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2024-01-05 19:58:01 -05:00
Adrian Dewhurst	d50303bef7	docs: add Windows administrative template To make setting Windows policies easier, this adds ADMX policy descriptions. Fixes #6495 Updates ENG-2515 Change-Id: If4613c9d8ec734afec8bd781575e24b4aef9bb73 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2024-01-05 19:44:19 -05:00
Andrew Dunham	35c303227a	net/dns/resolver: add ID to verbose logs in forwarder To make it easier to correlate the starting/ending log messages. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2802d53ad98e19bc8914bc58f8c04d4443227b26	2024-01-05 15:25:49 -05:00
Rhea Ghosh	dbe70962b1	taildrop: Allow category Z unicode characters (#10750 ) This will expand the unicode character categories that we allow for valid filenames to go from "L, M, N, P, S, and the ASCII space character" to "L, M, N, P, S, Zs" Fixes #10105 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	2024-01-05 12:53:24 -06:00
Andrew Dunham	d3574a350f	cmd/tailscale, ipn/ipnlocal: add 'debug dial-types' command This command allows observing whether a given dialer ("SystemDial", "UserDial", etc.) will successfully obtain a connection to a provided host, from inside tailscaled itself. This is intended to help debug a variety of issues from subnet routers to split DNS setups. Updates #9619 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie01ebb5469d3e287eac633ff656783960f697b84	2024-01-05 13:42:59 -05:00
Aaron Klotz	aed2cfec4e	util/winutil: add some missing docs to restartmgr errors Just a quick #cleanup. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2024-01-05 10:12:08 -08:00
Andrew Dunham	46bdbb3878	cmd/tailscaled, tsnet: don't return an interface containing a nil pointer This tripped me up when I was testing something and wrote: if conn != nil { conn.Close() } In netstack mode, when an error occurred we were getting a non-nil error and a non-nil interface that contained a nil pointer. Instead, just return a nil interface value. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id9ef3dd24529e0e8c53adc60ed914c31fbb10cc4	2024-01-05 11:44:17 -05:00
Andrew Lytvynov	29e98e18f8	ssh/tailssh: use a local error instead of gossh.ErrDenied (#10743 ) ErrDenied was added in [our fork of x/crypto/ssh](`acc6f8fe8d`) to short-circuit auth attempts once one fails. In the case of our callbacks, this error is returned when SSH policy check determines that a connection should not be allowed. Both `NoClientAuthCallback` and `PublicKeyHandler` check the policy and will fail anyway. The `fakePasswordHandler` returns true only if `NoClientAuthCallback` succeeds the policy check, so it checks it indirectly too. The difference here is that a client might attempt all 2-3 auth methods instead of just `none` but will fail to authenticate regardless. Updates #8593 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2024-01-05 08:02:42 -08:00
James 'zofrex' Sanderson	124dc10261	controlclient,tailcfg,types: expose MaxKeyDuration via localapi (#10401 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	2024-01-05 12:06:12 +00:00
Andrea Gottardo	d9aeb30281	net/interfaces: handle iOS network transitions (#10680 ) Updates #8022 Updates #6075 On iOS, we currently rely on delegated interface information to figure out the default route interface. The NetworkExtension framework in iOS seems to set the delegate interface only once, upon the creation of the VPN tunnel. If a network transition (e.g. from Wi-Fi to Cellular) happens while the tunnel is connected, it will be ignored and we will still try to set Wi-Fi as the default route because the delegated interface is not getting updated as connectivity transitions. Here we work around this on the Swift side with a NWPathMonitor instance that observes the interface name of the first currently satisfied network path. Our Swift code will call into `UpdateLastKnownDefaultRouteInterface`, so we can rely on that when it is set. If for any reason the Swift machinery didn't work and we don't get any updates, here we also have some fallback logic: we try finding a hardcoded Wi-Fi interface called en0. If en0 is down, we fall back to cellular (pdp_ip0) as a last resort. This doesn't handle all edge cases like USB-Ethernet adapters or multiple Ethernet interfaces, but it is good enough to ensure connectivity isn't broken. I tested this on iPhones and iPads running iOS 17.1 and it appears to work. Switching between different cellular plans on a dual SIM configuration also works (the interface name remains pdp_ip0). Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	2024-01-04 09:40:18 -08:00
James 'zofrex' Sanderson	10c595d962	ipn/ipnlocal: refresh node key without blocking if cap enabled (#10529 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	2024-01-04 17:29:04 +00:00