Move upnp portmap to separate fn

This isolates the upnp portmapping to another function Signed-off-by: julianknodt <julianknodt@gmail.com>
Enable UPnP portmapping
2021-06-16 22:58:21 -07:00 · 2021-06-16 11:03:24 -07:00 · 2021-06-14 13:40:02 -07:00 · 2021-06-14 12:55:03 -07:00 · 2021-06-11 09:48:38 -07:00 · 2021-06-11 09:41:06 -07:00
149 changed files with 10701 additions and 1668 deletions
--- a/.github/workflows/xe-experimental-vm-test.yml
+++ b/.github/workflows/xe-experimental-vm-test.yml
@@ -0,0 +1,36 @@
+name: "integration-vms"
+
+on:
+  # # NOTE(Xe): uncomment this region when testing the test
+  # pull_request:
+  #   branches:
+  #     - 'main'
+  release:
+    types: [ created ]
+  schedule:
+    # At minute 0 past hour 6 and 18
+    # https://crontab.guru/#00_6,18_*_*_*
+    - cron: '00 6,18 * * *'
+
+jobs:
+  experimental-linux-vm-test:
+    # To set up a new runner, see tstest/integration/vms/runner.nix
+    runs-on: [ self-hosted, linux, vm_integration_test ]
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v1
+
+      - name: Download VM Images
+        run: go test ./tstest/integration/vms -run-vm-tests -run=Download -timeout=60m
+        env:
+          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
+
+      - name: Run VM tests
+        run: go test ./tstest/integration/vms -v -run-vm-tests
+        env:
+          TMPDIR: "/tmp"
+          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
+
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -11,6 +11,36 @@

 set -eu

-eval $(./version/version.sh)
+IFS=".$IFS" read -r major minor patch <VERSION.txt
+git_hash=$(git rev-parse HEAD)
+if ! git diff-index --quiet HEAD; then
+	git_hash="${git_hash}-dirty"
+fi
+base_hash=$(git rev-list --max-count=1 HEAD -- VERSION.txt)
+change_count=$(git rev-list --count HEAD "^$base_hash")
+short_hash=$(echo "$git_hash" | cut -c1-9)

-exec go build -tags xversion -ldflags "-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" "$@"
+if expr "$minor" : "[0-9]*[13579]$" >/dev/null; then
+	patch="$change_count"
+	change_suffix=""
+elif [ "$change_count" != "0" ]; then
+	change_suffix="-$change_count"
+else
+	change_suffix=""
+fi
+
+long_suffix="$change_suffix-t$short_hash"
+SHORT="$major.$minor.$patch"
+LONG="${SHORT}$long_suffix"
+GIT_HASH="$git_hash"
+
+if [ "$1" = "shellvars" ]; then
+	cat <<EOF
+VERSION_SHORT="$SHORT"
+VERSION_LONG="$LONG"
+VERSION_GIT_HASH="$GIT_HASH"
+EOF
+	exit 0
+fi
+
+exec go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -256,3 +256,25 @@ func Logout(ctx context.Context) error {
 	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
 	return err
 }
+
+// SetDNS adds a DNS TXT record for the given domain name, containing
+// the provided TXT value. The intended use case is answering
+// LetsEncrypt/ACME dns-01 challenges.
+//
+// The control plane will only permit SetDNS requests with very
+// specific names and values. The name should be
+// "_acme-challenge." + your node's MagicDNS name. It's expected that
+// clients cache the certs from LetsEncrypt (or whichever CA is
+// providing them) and only request new ones as needed; the control plane
+// rate limits SetDNS requests.
+//
+// This is a low-level interface; it's expected that most Tailscale
+// users use a higher level interface to getting/using TLS
+// certificates.
+func SetDNS(ctx context.Context, name, value string) error {
+	v := url.Values{}
+	v.Set("name", name)
+	v.Set("value", value)
+	_, err := send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
+	return err
+}
--- a/cmd/mkpkg/main.go
+++ b/cmd/mkpkg/main.go
@@ -21,6 +21,9 @@ import (
 // into a map of filePathOnDisk -> filePathInPackage.
 func parseFiles(s string) (map[string]string, error) {
 	ret := map[string]string{}
+	if len(s) == 0 {
+		return ret, nil
+	}
 	for _, f := range strings.Split(s, ",") {
 		fs := strings.Split(f, ":")
 		if len(fs) != 2 {
--- a/cmd/tailscale/cli/auth-redirect.html
+++ b/cmd/tailscale/cli/auth-redirect.html
@@ -0,0 +1,57 @@
+<html>
+<head>
+	<title>Redirecting...</title>
+	<style>
+		html,
+		body {
+			height: 100%;
+		}
+
+		html {
+			background-color: rgb(249, 247, 246);
+			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+			line-height: 1.5;
+			-webkit-text-size-adjust: 100%;
+			-webkit-font-smoothing: antialiased;
+			-moz-osx-font-smoothing: grayscale;
+		}
+
+		body {
+			display: flex;
+			flex-direction: column;
+			align-items: center;
+			justify-content: center;
+		}
+
+		.spinner {
+			margin-bottom: 2rem;
+			border: 4px rgba(112, 110, 109, 0.5) solid;
+			border-left-color: transparent;
+			border-radius: 9999px;
+			width: 4rem;
+			height: 4rem;
+			-webkit-animation: spin 700ms linear infinite;
+      animation: spin 800ms linear infinite;
+		}
+
+		.label {
+			color: rgb(112, 110, 109);
+			padding-left: 0.4rem;
+		}
+
+		@-webkit-keyframes spin {
+			to {
+				transform: rotate(360deg);
+			}
+		}
+
+		@keyframes spin {
+			to {
+				transform: rotate(360deg);
+			}
+		}
+	</style>
+</head> <body>
+	<div class="spinner"></div>
+	<div class="label">Redirecting...</div>
+</body>
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -97,14 +97,12 @@ func runCp(ctx context.Context, args []string) error {
 		return err
 	}

-	peerAPIBase, lastSeen, isOffline, err := discoverPeerAPIBase(ctx, ip)
+	peerAPIBase, isOffline, err := discoverPeerAPIBase(ctx, ip)
 	if err != nil {
 		return fmt.Errorf("can't send to %s: %v", target, err)
 	}
 	if isOffline {
 		fmt.Fprintf(os.Stderr, "# warning: %s is offline\n", target)
-	} else if !lastSeen.IsZero() && time.Since(lastSeen) > lastSeenOld {
-		fmt.Fprintf(os.Stderr, "# warning: %s last seen %v ago\n", target, time.Since(lastSeen).Round(time.Minute))
 	}

 	if len(files) > 1 {
@@ -182,14 +180,14 @@ func runCp(ctx context.Context, args []string) error {
 	return nil
 }

-func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, lastSeen time.Time, isOffline bool, err error) {
+func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, isOffline bool, err error) {
 	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
-		return "", time.Time{}, false, err
+		return "", false, err
 	}
 	fts, err := tailscale.FileTargets(ctx)
 	if err != nil {
-		return "", time.Time{}, false, err
+		return "", false, err
 	}
 	for _, ft := range fts {
 		n := ft.Node
@@ -197,14 +195,11 @@ func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, lastSe
 			if a.IP() != ip {
 				continue
 			}
-			if n.LastSeen != nil {
-				lastSeen = *n.LastSeen
-			}
 			isOffline = n.Online != nil && !*n.Online
-			return ft.PeerAPIURL, lastSeen, isOffline, nil
+			return ft.PeerAPIURL, isOffline, nil
 		}
 	}
-	return "", time.Time{}, false, fileTargetErrorDetail(ctx, ip)
+	return "", false, fileTargetErrorDetail(ctx, ip)
 }

 // fileTargetErrorDetail returns a non-nil error saying why ip is an
@@ -274,8 +269,6 @@ func (r *slowReader) Read(p []byte) (n int, err error) {
 	return
 }

-const lastSeenOld = 20 * time.Minute
-
 func runCpTargets(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("invalid arguments with --targets")
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -230,7 +230,9 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 		case "off":
 			prefs.NetfilterMode = preftype.NetfilterOff
-			warnf("netfilter=off; configure iptables yourself.")
+			if defaultNetfilterMode() != "off" {
+				warnf("netfilter=off; configure iptables yourself.")
+			}
 		default:
 			return nil, fmt.Errorf("invalid value --netfilter-mode=%q", upArgs.netfilterMode)
 		}
@@ -266,7 +268,7 @@ func runUp(ctx context.Context, args []string) error {
 	}

 	if distro.Get() == distro.Synology {
-		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
+		notSupported := "not supported on Synology; see https://github.com/tailscale/tailscale/issues/1995"
 		if upArgs.acceptRoutes {
 			return errors.New("--accept-routes is " + notSupported)
 		}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -9,12 +9,15 @@ import (
 	"context"
 	_ "embed"
 	"encoding/json"
+	"encoding/xml"
 	"flag"
 	"fmt"
 	"html/template"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"net/http/cgi"
+	"net/url"
 	"os/exec"
 	"runtime"
 	"strings"
@@ -24,6 +27,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
+	"tailscale.com/util/groupmember"
 	"tailscale.com/version/distro"
 )

@@ -33,6 +37,9 @@ var webHTML string
 //go:embed web.css
 var webCSS string

+//go:embed auth-redirect.html
+var authenticationRedirectHTML string
+
 var tmpl *template.Template

 func init() {
@@ -82,23 +89,114 @@ func runWeb(ctx context.Context, args []string) error {
 	return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
 }

-func auth() (string, error) {
-	if distro.Get() == distro.Synology {
-		cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-		out, err := cmd.CombinedOutput()
+// authorize returns the name of the user accessing the web UI after verifying
+// whether the user has access to the web UI. The function will write the
+// error to the provided http.ResponseWriter.
+// Note: This is different from a tailscale user, and is typically the local
+// user on the node.
+func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
+	switch distro.Get() {
+	case distro.Synology:
+		user, err := synoAuthn()
 		if err != nil {
-			return "", fmt.Errorf("auth: %v: %s", err, out)
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return "", err
 		}
-		return string(out), nil
+		if err := authorizeSynology(user); err != nil {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return "", err
+		}
+		return user, nil
+	case distro.QNAP:
+		user, resp, err := qnapAuthn(r)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return "", err
+		}
+		if resp.IsAdmin == 0 {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return "", err
+		}
+		return user, nil
 	}
-
 	return "", nil
 }

-func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if distro.Get() != distro.Synology {
-		return false
+// authorizeSynology checks whether the provided user has access to the web UI
+// by consulting the membership of the "administrators" group.
+func authorizeSynology(name string) error {
+	yes, err := groupmember.IsMemberOfGroup("administrators", name)
+	if err != nil {
+		return err
 	}
+	if !yes {
+		return fmt.Errorf("not a member of administrators group")
+	}
+	return nil
+}
+
+type qnapAuthResponse struct {
+	AuthPassed int    `xml:"authPassed"`
+	IsAdmin    int    `xml:"isAdmin"`
+	AuthSID    string `xml:"authSid"`
+	ErrorValue int    `xml:"errorValue"`
+}
+
+func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
+	user, err := r.Cookie("NAS_USER")
+	if err != nil {
+		return "", nil, err
+	}
+	token, err := r.Cookie("qtoken")
+	if err != nil {
+		return "", nil, err
+	}
+	query := url.Values{
+		"qtoken": []string{token.Value},
+		"user":   []string{user.Value},
+	}
+	u := url.URL{
+		Scheme:   r.URL.Scheme,
+		Host:     r.URL.Host,
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+	resp, err := http.Get(u.String())
+	if err != nil {
+		return "", nil, err
+	}
+	defer resp.Body.Close()
+	out, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", nil, err
+	}
+	authResp := &qnapAuthResponse{}
+	if err := xml.Unmarshal(out, authResp); err != nil {
+		return "", nil, err
+	}
+	if authResp.AuthPassed == 0 {
+		return "", nil, fmt.Errorf("not authenticated")
+	}
+	return user.Value, authResp, nil
+}
+
+func synoAuthn() (string, error) {
+	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("auth: %v: %s", err, out)
+	}
+	return strings.TrimSpace(string(out)), nil
+}
+
+func authRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if distro.Get() == distro.Synology {
+		return synoTokenRedirect(w, r)
+	}
+	return false
+}
+
+func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
 	if r.Header.Get("X-Syno-Token") != "" {
 		return false
 	}
@@ -132,75 +230,13 @@ req.send(null);
 </body></html>
 `

-const authenticationRedirectHTML = `
-<html>
-<head>
-	<title>Redirecting...</title>
-	<style>
-		html,
-		body {
-			height: 100%;
-		}
-
-		html {
-			background-color: rgb(249, 247, 246);
-			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
-			line-height: 1.5;
-			-webkit-text-size-adjust: 100%;
-			-webkit-font-smoothing: antialiased;
-			-moz-osx-font-smoothing: grayscale;
-		}
-
-		body {
-			display: flex;
-			flex-direction: column;
-			align-items: center;
-			justify-content: center;
-		}
-
-		.spinner {
-			margin-bottom: 2rem;
-			border: 4px rgba(112, 110, 109, 0.5) solid;
-			border-left-color: transparent;
-			border-radius: 9999px;
-			width: 4rem;
-			height: 4rem;
-			-webkit-animation: spin 700ms linear infinite;
-      animation: spin 800ms linear infinite;
-		}
-
-		.label {
-			color: rgb(112, 110, 109);
-			padding-left: 0.4rem;
-		}
-
-		@-webkit-keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-
-		@keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-	</style>
-</head>
-<body>
-	<div class="spinner"></div>
-	<div class="label">Redirecting...</div>
-</body>
-`
-
 func webHandler(w http.ResponseWriter, r *http.Request) {
-	if synoTokenRedirect(w, r) {
+	if authRedirect(w, r) {
 		return
 	}

-	user, err := auth()
+	user, err := authorize(w, r)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}

@@ -214,7 +250,8 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		url, err := tailscaleUpForceReauth(r.Context())
 		if err != nil {
-			json.NewEncoder(w).Encode(mi{"error": err})
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
 		json.NewEncoder(w).Encode(mi{"url": url})
@@ -223,7 +260,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {

 	st, err := tailscale.Status(r.Context())
 	if err != nil {
-		http.Error(w, err.Error(), 500)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}

@@ -241,7 +278,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {

 	buf := new(bytes.Buffer)
 	if err := tmpl.Execute(buf, data); err != nil {
-		http.Error(w, err.Error(), 500)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	w.Write(buf.Bytes())
@@ -320,6 +357,10 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 	})
 	bc.StartLoginInteractive()

+	<-pumpCtx.Done() // wait for authURL or complete failure
+	if authURL == "" && retErr == nil {
+		retErr = pumpCtx.Err()
+	}
 	if authURL == "" && retErr == nil {
 		return "", fmt.Errorf("login failed with no backend error message")
 	}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -1,6 +1,7 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
+   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
@@ -39,6 +40,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/tempfork/upnp                                  from tailscale.com/tempfork/upnp/dcps/internetgateway2
+        tailscale.com/tempfork/upnp/dcps/internetgateway2            from tailscale.com/net/portmapper
+        tailscale.com/tempfork/upnp/httpu                            from tailscale.com/tempfork/upnp
+        tailscale.com/tempfork/upnp/scpd                             from tailscale.com/tempfork/upnp
+        tailscale.com/tempfork/upnp/soap                             from tailscale.com/tempfork/upnp+
+        tailscale.com/tempfork/upnp/ssdp                             from tailscale.com/tempfork/upnp
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/types/empty                                    from tailscale.com/ipn
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -48,14 +55,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/wgkey                                    from tailscale.com/types/netmap+
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
+        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
   L    tailscale.com/util/lineread                                  from tailscale.com/net/interfaces
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
@@ -75,7 +82,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from tailscale.com/derp
+        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
@@ -118,13 +125,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        debug/macho                                                  from rsc.io/goversion/version
        debug/pe                                                     from rsc.io/goversion/version
        embed                                                        from tailscale.com/cmd/tailscale/cli
-        encoding                                                     from encoding/json
+        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
+        encoding/xml                                                 from tailscale.com/cmd/tailscale/cli+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
        flag                                                         from github.com/peterbourgon/ff/v2+
@@ -156,6 +164,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        os                                                           from crypto/rand+
        os/exec                                                      from github.com/toqueteos/webbrowser+
        os/signal                                                    from tailscale.com/cmd/tailscale/cli
+        os/user                                                      from tailscale.com/util/groupmember
        path                                                         from debug/dwarf+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -1,41 +1,43 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
+   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
-   W 💣 github.com/github/certstore                                  from tailscale.com/control/controlclient
        github.com/go-multierror/multierror                          from tailscale.com/wgengine/router+
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
+        github.com/golang/snappy                                     from github.com/klauspost/compress/zstd
        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/snappy                         from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink                                  from tailscale.com/wgengine/monitor+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/mdlayher/netlink+
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
-   W    github.com/pkg/errors                                        from github.com/github/certstore
-     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
-   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
-     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
-     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
-   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
-        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
-        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
-        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
-        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
-     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
+   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
+   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
+   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
+     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
+   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
+     💣 golang.zx2c4.com/wireguard/device                            from tailscale.com/net/tstun+
+     💣 golang.zx2c4.com/wireguard/ipc                               from golang.zx2c4.com/wireguard/device
+   W 💣 golang.zx2c4.com/wireguard/ipc/winpipe                       from golang.zx2c4.com/wireguard/ipc
+        golang.zx2c4.com/wireguard/ratelimiter                       from golang.zx2c4.com/wireguard/device
+        golang.zx2c4.com/wireguard/replay                            from golang.zx2c4.com/wireguard/device
+        golang.zx2c4.com/wireguard/rwcancel                          from golang.zx2c4.com/wireguard/device+
+        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device+
+     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
+   W 💣 golang.zx2c4.com/wireguard/tun/wintun                        from golang.zx2c4.com/wireguard/tun+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        inet.af/netaddr                                              from tailscale.com/control/controlclient+
     💣 inet.af/netstack/gohacks                                     from inet.af/netstack/state/wire+
@@ -69,6 +71,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/tcpip/transport/udp                         from inet.af/netstack/tcpip/adapters/gonet+
        inet.af/netstack/waiter                                      from inet.af/netstack/tcpip+
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
+   W 💣 inet.af/wf                                                   from tailscale.com/wf
        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
@@ -115,7 +118,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
-   W 💣 tailscale.com/tempfork/wireguard-windows/firewall            from tailscale.com/cmd/tailscaled
+        tailscale.com/tempfork/upnp                                  from tailscale.com/tempfork/upnp/dcps/internetgateway2
+        tailscale.com/tempfork/upnp/dcps/internetgateway2            from tailscale.com/net/portmapper
+        tailscale.com/tempfork/upnp/httpu                            from tailscale.com/tempfork/upnp
+        tailscale.com/tempfork/upnp/scpd                             from tailscale.com/tempfork/upnp
+        tailscale.com/tempfork/upnp/soap                             from tailscale.com/tempfork/upnp+
+        tailscale.com/tempfork/upnp/ssdp                             from tailscale.com/tempfork/upnp
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
@@ -128,12 +136,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
-        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
   L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
        tailscale.com/util/dnsname                                   from tailscale.com/ipn/ipnstate+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
+        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
   L    tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
@@ -143,6 +151,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/winutil                                   from tailscale.com/logpolicy+
        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
+   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine+
@@ -154,7 +163,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
@@ -163,7 +172,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -171,15 +180,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
-        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
+        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
+        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from tailscale.com/derp
+        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
-   W    golang.org/x/sys/windows                                     from github.com/tailscale/wireguard-go/conn+
+  LD    golang.org/x/sys/unix                                        from github.com/mdlayher/netlink+
+   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
   W    golang.org/x/sys/windows/svc                                 from tailscale.com/cmd/tailscaled+
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
@@ -229,6 +238,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
+        encoding/xml                                                 from tailscale.com/tempfork/upnp+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
        flag                                                         from tailscale.com/cmd/tailscaled+
--- a/cmd/tailscaled/tailscaled.openrc
+++ b/cmd/tailscaled/tailscaled.openrc
@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+
+source /etc/default/tailscaled
+
+command="/usr/sbin/tailscaled"
+command_args="--state=/var/lib/tailscale/tailscaled.state --port=$PORT --socket=/var/run/tailscale/tailscaled.sock $FLAGS"
+command_background=true
+pidfile="/run/tailscaled.pid"
+start_stop_daemon_args="-1 /var/log/tailscaled.log -2 /var/log/tailscaled.log"
+
+depend() {
+    need net
+}
+
+start_pre() {
+    mkdir -p /var/run/tailscale
+    mkdir -p /var/lib/tailscale
+    $command --cleanup
+}
+
+stop_post() {
+    $command --cleanup
+}
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -21,7 +21,6 @@ import (
 	"context"
 	"fmt"
 	"log"
-	"net"
 	"os"
 	"time"

@@ -32,9 +31,9 @@ import (
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/tstun"
-	"tailscale.com/tempfork/wireguard-windows/firewall"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
+	"tailscale.com/wf"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
@@ -144,13 +143,13 @@ func beFirewallKillswitch() bool {

 	luid, err := winipcfg.LUIDFromGUID(&guid)
 	if err != nil {
-		log.Fatalf("no interface with GUID %q", guid)
+		log.Fatalf("no interface with GUID %q: %v", guid, err)
 	}

-	noProtection := false
-	var dnsIPs []net.IP // unused in called code.
 	start := time.Now()
-	firewall.EnableFirewall(uint64(luid), noProtection, dnsIPs)
+	if _, err := wf.New(uint64(luid)); err != nil {
+		log.Fatalf("filewall creation failed: %v", err)
+	}
 	log.Printf("killswitch enabled, took %s", time.Since(start))

 	// Block until the monitor goroutine shuts us down.
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -576,9 +576,12 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	c.logf("[v1] sendStatus: %s: %v", who, state)

 	var p *persist.Persist
-	var fin *empty.Message
+	var loginFin, logoutFin *empty.Message
 	if state == StateAuthenticated {
-		fin = new(empty.Message)
+		loginFin = new(empty.Message)
+	}
+	if state == StateNotAuthenticated {
+		logoutFin = new(empty.Message)
 	}
 	if nm != nil && loggedIn && synced {
 		pp := c.direct.GetPersist()
@@ -589,12 +592,13 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		nm = nil
 	}
 	new := Status{
-		LoginFinished: fin,
-		URL:           url,
-		Persist:       p,
-		NetMap:        nm,
-		Hostinfo:      hi,
-		State:         state,
+		LoginFinished:  loginFin,
+		LogoutFinished: logoutFin,
+		URL:            url,
+		Persist:        p,
+		NetMap:         nm,
+		Hostinfo:       hi,
+		State:          state,
 	}
 	if err != nil {
 		new.Err = err.Error()
@@ -712,3 +716,9 @@ func (c *Auto) TestOnlySetAuthKey(authkey string) {
 func (c *Auto) TestOnlyTimeNow() time.Time {
 	return c.timeNow()
 }
+
+// SetDNS sends the SetDNSRequest request to the control plane server,
+// requesting a DNS record be created or updated.
+func (c *Auto) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
+	return c.direct.SetDNS(ctx, req)
+}
--- a/control/controlclient/client.go
+++ b/control/controlclient/client.go
@@ -74,4 +74,7 @@ type Client interface {
 	// in a separate http request. It has nothing to do with the rest of
 	// the state machine.
 	UpdateEndpoints(localPort uint16, endpoints []tailcfg.Endpoint)
+	// SetDNS sends the SetDNSRequest request to the control plane server,
+	// requesting a DNS record be created or updated.
+	SetDNS(context.Context, *tailcfg.SetDNSRequest) error
 }
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {

 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
+	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -32,6 +32,7 @@ import (
 	"golang.org/x/crypto/nacl/box"
 	"inet.af/netaddr"
 	"tailscale.com/health"
+	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
@@ -66,6 +67,7 @@ type Direct struct {
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
+	pinger                 Pinger

 	mu           sync.Mutex // mutex guards the following fields
 	serverKey    wgkey.Key
@@ -103,6 +105,18 @@ type Options struct {
 	// forwarding works and should not be double-checked by the
 	// controlclient package.
 	SkipIPForwardingCheck bool
+
+	// Pinger optionally specifies the Pinger to use to satisfy
+	// MapResponse.PingRequest queries from the control plane.
+	// If nil, PingRequest queries are not answered.
+	Pinger Pinger
+}
+
+// Pinger is a subset of the wgengine.Engine interface, containing just the Ping method.
+type Pinger interface {
+	// Ping is a request to start a discovery or TSMP ping with the peer handling
+	// the given IP and then call cb with its ping latency & method.
+	Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult))
 }

 type Decompressor interface {
@@ -165,6 +179,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		keepSharerAndUserSplit: opts.KeepSharerAndUserSplit,
 		linkMon:                opts.LinkMonitor,
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
+		pinger:                 opts.Pinger,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
@@ -1211,3 +1226,50 @@ func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<-
 		}
 	}
 }
+
+// SetDNS sends the SetDNSRequest request to the control plane server,
+// requesting a DNS record be created or updated.
+func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
+	c.mu.Lock()
+	serverKey := c.serverKey
+	c.mu.Unlock()
+
+	if serverKey.IsZero() {
+		return errors.New("zero serverKey")
+	}
+	machinePrivKey, err := c.getMachinePrivKey()
+	if err != nil {
+		return fmt.Errorf("getMachinePrivKey: %w", err)
+	}
+	if machinePrivKey.IsZero() {
+		return errors.New("getMachinePrivKey returned zero key")
+	}
+
+	bodyData, err := encode(req, &serverKey, &machinePrivKey)
+	if err != nil {
+		return err
+	}
+	body := bytes.NewReader(bodyData)
+
+	u := fmt.Sprintf("%s/machine/%s/set-dns", c.serverURL, machinePrivKey.Public().HexString())
+	hreq, err := http.NewRequestWithContext(ctx, "POST", u, body)
+	if err != nil {
+		return err
+	}
+	res, err := c.httpc.Do(hreq)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		msg, _ := ioutil.ReadAll(res.Body)
+		return fmt.Errorf("sign-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
+	}
+	var setDNSRes struct{} // no fields yet
+	if err := decode(res, &setDNSRes, &serverKey, &machinePrivKey); err != nil {
+		c.logf("error decoding SetDNSResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
+		return fmt.Errorf("set-dns-response: %v", err)
+	}
+
+	return nil
+}
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -18,7 +18,7 @@ import (
 	"fmt"
 	"sync"

-	"github.com/github/certstore"
+	"github.com/tailscale/certstore"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/winutil"
--- a/control/controlclient/status.go
+++ b/control/controlclient/status.go
@@ -64,11 +64,12 @@ func (s State) String() string {
 }

 type Status struct {
-	_             structs.Incomparable
-	LoginFinished *empty.Message // nonempty when login finishes
-	Err           string
-	URL           string             // interactive URL to visit to finish logging in
-	NetMap        *netmap.NetworkMap // server-pushed configuration
+	_              structs.Incomparable
+	LoginFinished  *empty.Message // nonempty when login finishes
+	LogoutFinished *empty.Message // nonempty when logout finishes
+	Err            string
+	URL            string             // interactive URL to visit to finish logging in
+	NetMap         *netmap.NetworkMap // server-pushed configuration

 	// The internal state should not be exposed outside this
 	// package, but we have some automated tests elsewhere that need to
@@ -86,6 +87,7 @@ func (s *Status) Equal(s2 *Status) bool {
 	}
 	return s != nil && s2 != nil &&
 		(s.LoginFinished == nil) == (s2.LoginFinished == nil) &&
+		(s.LogoutFinished == nil) == (s2.LogoutFinished == nil) &&
 		s.Err == s2.Err &&
 		s.URL == s2.URL &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -20,6 +20,7 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
+	"math"
 	"math/big"
 	"math/rand"
 	"os"
@@ -27,6 +28,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	"go4.org/mem"
@@ -120,6 +122,7 @@ type Server struct {
 	multiForwarderCreated    expvar.Int
 	multiForwarderDeleted    expvar.Int
 	removePktForwardOther    expvar.Int
+	avgQueueDuration         *uint64 // In milliseconds; accessed atomically

 	mu          sync.Mutex
 	closed      bool
@@ -182,6 +185,7 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		memSys0:              ms.Sys,
 		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.Public]map[key.Public]int64{},
+		avgQueueDuration:     new(uint64),
 	}
 	s.initMetacert()
 	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
@@ -611,8 +615,9 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 	}

 	return c.sendPkt(dst, pkt{
-		bs:  contents,
-		src: srcKey,
+		bs:         contents,
+		enqueuedAt: time.Now(),
+		src:        srcKey,
 	})
 }

@@ -665,8 +670,9 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	}

 	p := pkt{
-		bs:  contents,
-		src: c.key,
+		bs:         contents,
+		enqueuedAt: time.Now(),
+		src:        c.key,
 	}
 	return c.sendPkt(dst, p)
 }
@@ -696,7 +702,7 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 		}

 		select {
-		case <-dst.sendQueue:
+		case pkt := <-dst.sendQueue:
 			s.packetsDropped.Add(1)
 			s.packetsDroppedQueueHead.Add(1)
 			if verboseDropKeys[dstKey] {
@@ -705,6 +711,7 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 				msg := fmt.Sprintf("tail drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
 				c.s.limitedLogf(msg)
 			}
+			c.recordQueueTime(pkt.enqueuedAt)
 			if debug {
 				c.logf("dropping packet from client %x queue head", dstKey)
 			}
@@ -927,11 +934,13 @@ type pkt struct {
 	// src is the who's the sender of the packet.
 	src key.Public

+	// enqueuedAt is when a packet was put onto a queue before it was sent,
+	// and is used for reporting metrics on the duration of packets in the queue.
+	enqueuedAt time.Time
+
 	// bs is the data packet bytes.
 	// The memory is owned by pkt.
 	bs []byte
-
-	// TODO(danderson): enqueue time, to measure queue latency?
 }

 func (c *sclient) setPreferred(v bool) {
@@ -959,6 +968,25 @@ func (c *sclient) setPreferred(v bool) {
 	}
 }

+// expMovingAverage returns the new moving average given the previous average,
+// a new value, and an alpha decay factor.
+// https://en.wikipedia.org/wiki/Moving_average#Exponential_moving_average
+func expMovingAverage(prev, newValue, alpha float64) float64 {
+	return alpha*newValue + (1-alpha)*prev
+}
+
+// recordQueueTime updates the average queue duration metric after a packet has been sent.
+func (c *sclient) recordQueueTime(enqueuedAt time.Time) {
+	elapsed := float64(time.Since(enqueuedAt).Milliseconds())
+	for {
+		old := atomic.LoadUint64(c.s.avgQueueDuration)
+		newAvg := expMovingAverage(math.Float64frombits(old), elapsed, 0.1)
+		if atomic.CompareAndSwapUint64(c.s.avgQueueDuration, old, math.Float64bits(newAvg)) {
+			break
+		}
+	}
+}
+
 func (c *sclient) sendLoop(ctx context.Context) error {
 	defer func() {
 		// If the sender shuts down unilaterally due to an error, close so
@@ -1002,6 +1030,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 			continue
 		case msg := <-c.sendQueue:
 			werr = c.sendPacket(msg.src, msg.bs)
+			c.recordQueueTime(msg.enqueuedAt)
 			continue
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
@@ -1025,6 +1054,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 			continue
 		case msg := <-c.sendQueue:
 			werr = c.sendPacket(msg.src, msg.bs)
+			c.recordQueueTime(msg.enqueuedAt)
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 		}
@@ -1290,6 +1320,9 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("multiforwarder_created", &s.multiForwarderCreated)
 	m.Set("multiforwarder_deleted", &s.multiForwarderDeleted)
 	m.Set("packet_forwarder_delete_other_value", &s.removePktForwardOther)
+	m.Set("average_queue_duration_ms", expvar.Func(func() interface{} {
+		return math.Float64frombits(atomic.LoadUint64(s.avgQueueDuration))
+	}))
 	var expvarVersion expvar.String
 	expvarVersion.Set(version.Long)
 	m.Set("version", &expvarVersion)
--- a/go.mod
+++ b/go.mod
@@ -3,48 +3,47 @@ module tailscale.com
 go 1.16

 require (
-	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
-	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
-	github.com/coreos/go-iptables v0.4.5
-	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
-	github.com/frankban/quicktest v1.12.1
-	github.com/github/certstore v0.1.0
-	github.com/gliderlabs/ssh v0.2.2
+	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
+	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
+	github.com/aws/aws-sdk-go v1.38.52
+	github.com/coreos/go-iptables v0.6.0
+	github.com/frankban/quicktest v1.13.0
+	github.com/gliderlabs/ssh v0.3.2
 	github.com/go-multierror/multierror v1.0.2
-	github.com/go-ole/go-ole v1.2.4
-	github.com/godbus/dbus/v5 v5.0.3
-	github.com/google/go-cmp v0.5.5
-	github.com/goreleaser/nfpm v1.1.10
-	github.com/jsimonetti/rtnetlink v0.0.0-20210212075122-66c871082f2b
+	github.com/go-ole/go-ole v1.2.5
+	github.com/godbus/dbus/v5 v5.0.4
+	github.com/google/go-cmp v0.5.6
+	github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f
+	github.com/google/uuid v1.1.2
+	github.com/goreleaser/nfpm v1.10.3
+	github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.10.10
+	github.com/klauspost/compress v1.12.2
 	github.com/kr/pty v1.1.8
-	github.com/mdlayher/netlink v1.3.2
-	github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a
-	github.com/miekg/dns v1.1.30
-	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
+	github.com/mdlayher/netlink v1.4.1
+	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
+	github.com/miekg/dns v1.1.42
+	github.com/pborman/getopt v1.1.0
 	github.com/peterbourgon/ff/v2 v2.0.0
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/sftp v1.13.0
+	github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
-	github.com/tailscale/wireguard-go v0.0.0-20210510192616-d1aa5623121d
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
-	golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
-	golang.org/x/net v0.0.0-20210510120150-4163338589ed
+	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
+	golang.org/x/net v0.0.0-20210610132358-84b48f89b13b
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210510120138-977fb7262007
-	golang.org/x/term v0.0.0-20210317153231-de623e64d2a6
+	golang.org/x/sys v0.0.0-20210608053332-aa57babbf139
+	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
-	golang.org/x/tools v0.1.0
-	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
-	gopkg.in/yaml.v2 v2.2.8 // indirect
-	honnef.co/go/tools v0.1.0
-	inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841
+	golang.org/x/tools v0.1.2
+	golang.zx2c4.com/wireguard v0.0.0-20210525143454-64cb82f2b3f5
+	golang.zx2c4.com/wireguard/windows v0.3.15-0.20210525143335-94c0476d63e3
+	honnef.co/go/tools v0.1.4
+	inet.af/netaddr v0.0.0-20210602152128-50f8686885e3
 	inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22
-	inet.af/peercred v0.0.0-20210302202138-56e694897155
+	inet.af/peercred v0.0.0-20210318190834-4259e17bb763
 	inet.af/wf v0.0.0-20210516214145-a5343001b756
 	rsc.io/goversion v1.2.0
 )
-
-replace github.com/github/certstore => github.com/cyolosecurity/certstore v0.0.0-20200922073901-ece7f1d353c2
--- a/go.sum
+++ b/go.sum
--- a/internal/deephash/deephash.go
+++ b/internal/deephash/deephash.go
@@ -9,26 +9,28 @@ package deephash
 import (
 	"bufio"
 	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
+	"hash"
 	"reflect"
-
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/wgkey"
+	"strconv"
+	"sync"
 )

-func Hash(v ...interface{}) string {
+func calcHash(v interface{}) string {
 	h := sha256.New()
-	// 64 matches the chunk size in crypto/sha256/sha256.go
-	b := bufio.NewWriterSize(h, 64)
-	Print(b, v)
+	b := bufio.NewWriterSize(h, h.BlockSize())
+	scratch := make([]byte, 0, 128)
+	printTo(b, v, scratch)
 	b.Flush()
-	return fmt.Sprintf("%x", h.Sum(nil))
+	scratch = h.Sum(scratch[:0])
+	hex.Encode(scratch[:cap(scratch)], scratch[:sha256.Size])
+	return string(scratch[:sha256.Size*2])
 }

 // UpdateHash sets last to the hash of v and reports whether its value changed.
 func UpdateHash(last *string, v ...interface{}) (changed bool) {
-	sig := Hash(v)
+	sig := calcHash(v)
 	if *last != sig {
 		*last = sig
 		return true
@@ -36,81 +38,30 @@ func UpdateHash(last *string, v ...interface{}) (changed bool) {
 	return false
 }

-func Print(w *bufio.Writer, v ...interface{}) {
-	print(w, reflect.ValueOf(v), make(map[uintptr]bool))
+func printTo(w *bufio.Writer, v interface{}, scratch []byte) {
+	print(w, reflect.ValueOf(v), make(map[uintptr]bool), scratch)
 }

-var (
-	netaddrIPType       = reflect.TypeOf(netaddr.IP{})
-	netaddrIPPrefix     = reflect.TypeOf(netaddr.IPPrefix{})
-	wgkeyKeyType        = reflect.TypeOf(wgkey.Key{})
-	wgkeyPrivateType    = reflect.TypeOf(wgkey.Private{})
-	tailcfgDiscoKeyType = reflect.TypeOf(tailcfg.DiscoKey{})
-)
+var appenderToType = reflect.TypeOf((*appenderTo)(nil)).Elem()

-func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool) {
+type appenderTo interface {
+	AppendTo([]byte) []byte
+}
+
+// print hashes v into w.
+// It reports whether it was able to do so without hitting a cycle.
+func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
 	if !v.IsValid() {
-		return
+		return true
 	}

-	// Special case some common types.
 	if v.CanInterface() {
-		switch v.Type() {
-		case netaddrIPType:
-			var b []byte
-			var err error
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*netaddr.IP)
-				b, err = x.MarshalText()
-			} else {
-				x := v.Interface().(netaddr.IP)
-				b, err = x.MarshalText()
-			}
-			if err == nil {
-				w.Write(b)
-				return
-			}
-		case netaddrIPPrefix:
-			var b []byte
-			var err error
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*netaddr.IPPrefix)
-				b, err = x.MarshalText()
-			} else {
-				x := v.Interface().(netaddr.IPPrefix)
-				b, err = x.MarshalText()
-			}
-			if err == nil {
-				w.Write(b)
-				return
-			}
-		case wgkeyKeyType:
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*wgkey.Key)
-				w.Write(x[:])
-			} else {
-				x := v.Interface().(wgkey.Key)
-				w.Write(x[:])
-			}
-			return
-		case wgkeyPrivateType:
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*wgkey.Private)
-				w.Write(x[:])
-			} else {
-				x := v.Interface().(wgkey.Private)
-				w.Write(x[:])
-			}
-			return
-		case tailcfgDiscoKeyType:
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*tailcfg.DiscoKey)
-				w.Write(x[:])
-			} else {
-				x := v.Interface().(tailcfg.DiscoKey)
-				w.Write(x[:])
-			}
-			return
+		// Use AppendTo methods, if available and cheap.
+		if v.CanAddr() && v.Type().Implements(appenderToType) {
+			a := v.Addr().Interface().(appenderTo)
+			scratch = a.AppendTo(scratch[:0])
+			w.Write(scratch)
+			return true
 		}
 	}

@@ -121,43 +72,45 @@ func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool) {
 	case reflect.Ptr:
 		ptr := v.Pointer()
 		if visited[ptr] {
-			return
+			return false
 		}
 		visited[ptr] = true
-		print(w, v.Elem(), visited)
-		return
+		return print(w, v.Elem(), visited, scratch)
 	case reflect.Struct:
+		acyclic = true
 		w.WriteString("struct{\n")
 		for i, n := 0, v.NumField(); i < n; i++ {
 			fmt.Fprintf(w, " [%d]: ", i)
-			print(w, v.Field(i), visited)
+			if !print(w, v.Field(i), visited, scratch) {
+				acyclic = false
+			}
 			w.WriteString("\n")
 		}
 		w.WriteString("}\n")
+		return acyclic
 	case reflect.Slice, reflect.Array:
 		if v.Type().Elem().Kind() == reflect.Uint8 && v.CanInterface() {
 			fmt.Fprintf(w, "%q", v.Interface())
-			return
+			return true
 		}
 		fmt.Fprintf(w, "[%d]{\n", v.Len())
+		acyclic = true
 		for i, ln := 0, v.Len(); i < ln; i++ {
 			fmt.Fprintf(w, " [%d]: ", i)
-			print(w, v.Index(i), visited)
+			if !print(w, v.Index(i), visited, scratch) {
+				acyclic = false
+			}
 			w.WriteString("\n")
 		}
 		w.WriteString("}\n")
+		return acyclic
 	case reflect.Interface:
-		print(w, v.Elem(), visited)
+		return print(w, v.Elem(), visited, scratch)
 	case reflect.Map:
-		sm := newSortedMap(v)
-		fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
-		for i, k := range sm.Key {
-			print(w, k, visited)
-			w.WriteString(": ")
-			print(w, sm.Value[i], visited)
-			w.WriteString("\n")
+		if hashMapAcyclic(w, v, visited, scratch) {
+			return true
 		}
-		w.WriteString("}\n")
+		return hashMapFallback(w, v, visited, scratch)
 	case reflect.String:
 		w.WriteString(v.String())
 	case reflect.Bool:
@@ -165,10 +118,109 @@ func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool) {
 	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
 		fmt.Fprintf(w, "%v", v.Int())
 	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		fmt.Fprintf(w, "%v", v.Uint())
+		scratch = strconv.AppendUint(scratch[:0], v.Uint(), 10)
+		w.Write(scratch)
 	case reflect.Float32, reflect.Float64:
 		fmt.Fprintf(w, "%v", v.Float())
 	case reflect.Complex64, reflect.Complex128:
 		fmt.Fprintf(w, "%v", v.Complex())
 	}
+	return true
+}
+
+type mapHasher struct {
+	xbuf [sha256.Size]byte // XOR'ed accumulated buffer
+	ebuf [sha256.Size]byte // scratch buffer
+	s256 hash.Hash         // sha256 hash.Hash
+	bw   *bufio.Writer     // to hasher into ebuf
+	val  valueCache        // re-usable values for map iteration
+	iter *reflect.MapIter  // re-usable map iterator
+}
+
+func (mh *mapHasher) Reset() {
+	for i := range mh.xbuf {
+		mh.xbuf[i] = 0
+	}
+}
+
+func (mh *mapHasher) startEntry() {
+	for i := range mh.ebuf {
+		mh.ebuf[i] = 0
+	}
+	mh.bw.Flush()
+	mh.s256.Reset()
+}
+
+func (mh *mapHasher) endEntry() {
+	mh.bw.Flush()
+	for i, b := range mh.s256.Sum(mh.ebuf[:0]) {
+		mh.xbuf[i] ^= b
+	}
+}
+
+var mapHasherPool = &sync.Pool{
+	New: func() interface{} {
+		mh := new(mapHasher)
+		mh.s256 = sha256.New()
+		mh.bw = bufio.NewWriter(mh.s256)
+		mh.val = make(valueCache)
+		mh.iter = new(reflect.MapIter)
+		return mh
+	},
+}
+
+type valueCache map[reflect.Type]reflect.Value
+
+func (c valueCache) get(t reflect.Type) reflect.Value {
+	v, ok := c[t]
+	if !ok {
+		v = reflect.New(t).Elem()
+		c[t] = v
+	}
+	return v
+}
+
+// hashMapAcyclic is the faster sort-free version of map hashing. If
+// it detects a cycle it returns false and guarantees that nothing was
+// written to w.
+func hashMapAcyclic(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
+	mh := mapHasherPool.Get().(*mapHasher)
+	defer mapHasherPool.Put(mh)
+	mh.Reset()
+	iter := mapIter(mh.iter, v)
+	defer mapIter(mh.iter, reflect.Value{}) // avoid pinning v from mh.iter when we return
+	k := mh.val.get(v.Type().Key())
+	e := mh.val.get(v.Type().Elem())
+	for iter.Next() {
+		key := iterKey(iter, k)
+		val := iterVal(iter, e)
+		mh.startEntry()
+		if !print(mh.bw, key, visited, scratch) {
+			return false
+		}
+		if !print(mh.bw, val, visited, scratch) {
+			return false
+		}
+		mh.endEntry()
+	}
+	w.Write(mh.xbuf[:])
+	return true
+}
+
+func hashMapFallback(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
+	acyclic = true
+	sm := newSortedMap(v)
+	fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
+	for i, k := range sm.Key {
+		if !print(w, k, visited, scratch) {
+			acyclic = false
+		}
+		w.WriteString(": ")
+		if !print(w, sm.Value[i], visited, scratch) {
+			acyclic = false
+		}
+		w.WriteString("\n")
+	}
+	w.WriteString("}\n")
+	return acyclic
 }
--- a/internal/deephash/deephash_test.go
+++ b/internal/deephash/deephash_test.go
@@ -5,6 +5,10 @@
 package deephash

 import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"reflect"
 	"testing"

 	"inet.af/netaddr"
@@ -14,15 +18,15 @@ import (
 	"tailscale.com/wgengine/wgcfg"
 )

-func TestDeepPrint(t *testing.T) {
+func TestDeepHash(t *testing.T) {
 	// v contains the types of values we care about for our current callers.
 	// Mostly we're just testing that we don't panic on handled types.
 	v := getVal()

-	hash1 := Hash(v)
+	hash1 := calcHash(v)
 	t.Logf("hash: %v", hash1)
 	for i := 0; i < 20; i++ {
-		hash2 := Hash(getVal())
+		hash2 := calcHash(getVal())
 		if hash1 != hash2 {
 			t.Error("second hash didn't match")
 		}
@@ -51,14 +55,23 @@ func getVal() []interface{} {
 		map[dnsname.FQDN][]netaddr.IP{
 			dnsname.FQDN("a."): {netaddr.MustParseIP("1.2.3.4"), netaddr.MustParseIP("4.3.2.1")},
 			dnsname.FQDN("b."): {netaddr.MustParseIP("8.8.8.8"), netaddr.MustParseIP("9.9.9.9")},
+			dnsname.FQDN("c."): {netaddr.MustParseIP("6.6.6.6"), netaddr.MustParseIP("7.7.7.7")},
+			dnsname.FQDN("d."): {netaddr.MustParseIP("6.7.6.6"), netaddr.MustParseIP("7.7.7.8")},
+			dnsname.FQDN("e."): {netaddr.MustParseIP("6.8.6.6"), netaddr.MustParseIP("7.7.7.9")},
+			dnsname.FQDN("f."): {netaddr.MustParseIP("6.9.6.6"), netaddr.MustParseIP("7.7.7.0")},
 		},
 		map[dnsname.FQDN][]netaddr.IPPort{
 			dnsname.FQDN("a."): {netaddr.MustParseIPPort("1.2.3.4:11"), netaddr.MustParseIPPort("4.3.2.1:22")},
 			dnsname.FQDN("b."): {netaddr.MustParseIPPort("8.8.8.8:11"), netaddr.MustParseIPPort("9.9.9.9:22")},
+			dnsname.FQDN("c."): {netaddr.MustParseIPPort("8.8.8.8:12"), netaddr.MustParseIPPort("9.9.9.9:23")},
+			dnsname.FQDN("d."): {netaddr.MustParseIPPort("8.8.8.8:13"), netaddr.MustParseIPPort("9.9.9.9:24")},
+			dnsname.FQDN("e."): {netaddr.MustParseIPPort("8.8.8.8:14"), netaddr.MustParseIPPort("9.9.9.9:25")},
 		},
 		map[tailcfg.DiscoKey]bool{
 			{1: 1}: true,
 			{1: 2}: false,
+			{2: 3}: true,
+			{3: 4}: false,
 		},
 	}
 }
@@ -67,6 +80,57 @@ func BenchmarkHash(b *testing.B) {
 	b.ReportAllocs()
 	v := getVal()
 	for i := 0; i < b.N; i++ {
-		Hash(v)
+		calcHash(v)
+	}
+}
+
+func TestHashMapAcyclic(t *testing.T) {
+	m := map[int]string{}
+	for i := 0; i < 100; i++ {
+		m[i] = fmt.Sprint(i)
+	}
+	got := map[string]bool{}
+
+	var buf bytes.Buffer
+	bw := bufio.NewWriter(&buf)
+
+	for i := 0; i < 20; i++ {
+		visited := map[uintptr]bool{}
+		scratch := make([]byte, 0, 64)
+		v := reflect.ValueOf(m)
+		buf.Reset()
+		bw.Reset(&buf)
+		if !hashMapAcyclic(bw, v, visited, scratch) {
+			t.Fatal("returned false")
+		}
+		if got[string(buf.Bytes())] {
+			continue
+		}
+		got[string(buf.Bytes())] = true
+	}
+	if len(got) != 1 {
+		t.Errorf("got %d results; want 1", len(got))
+	}
+}
+
+func BenchmarkHashMapAcyclic(b *testing.B) {
+	b.ReportAllocs()
+	m := map[int]string{}
+	for i := 0; i < 100; i++ {
+		m[i] = fmt.Sprint(i)
+	}
+
+	var buf bytes.Buffer
+	bw := bufio.NewWriter(&buf)
+	visited := map[uintptr]bool{}
+	scratch := make([]byte, 0, 64)
+	v := reflect.ValueOf(m)
+
+	for i := 0; i < b.N; i++ {
+		buf.Reset()
+		bw.Reset(&buf)
+		if !hashMapAcyclic(bw, v, visited, scratch) {
+			b.Fatal("returned false")
+		}
 	}
 }
--- a/internal/deephash/mapiter.go
+++ b/internal/deephash/mapiter.go
@@ -0,0 +1,37 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !tailscale_go
+
+package deephash
+
+import "reflect"
+
+// iterKey returns the current iter key.
+// scratch is a re-usable reflect.Value.
+// iterKey may store the iter key in scratch and return scratch,
+// or it may allocate and return a new reflect.Value.
+func iterKey(iter *reflect.MapIter, _ reflect.Value) reflect.Value {
+	return iter.Key()
+}
+
+// iterVal returns the current iter val.
+// scratch is a re-usable reflect.Value.
+// iterVal may store the iter val in scratch and return scratch,
+// or it may allocate and return a new reflect.Value.
+func iterVal(iter *reflect.MapIter, _ reflect.Value) reflect.Value {
+	return iter.Value()
+}
+
+// mapIter returns a map iterator for mapVal.
+// scratch is a re-usable reflect.MapIter.
+// mapIter may re-use scratch and return it,
+// or it may allocate and return a new *reflect.MapIter.
+// If mapVal is the zero reflect.Value, mapIter may return nil.
+func mapIter(_ *reflect.MapIter, mapVal reflect.Value) *reflect.MapIter {
+	if !mapVal.IsValid() {
+		return nil
+	}
+	return mapVal.MapRange()
+}
--- a/internal/deephash/mapiter_future.go
+++ b/internal/deephash/mapiter_future.go
@@ -0,0 +1,42 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build tailscale_go
+
+package deephash
+
+import "reflect"
+
+// iterKey returns the current iter key.
+// scratch is a re-usable reflect.Value.
+// iterKey may store the iter key in scratch and return scratch,
+// or it may allocate and return a new reflect.Value.
+func iterKey(iter *reflect.MapIter, scratch reflect.Value) reflect.Value {
+	iter.SetKey(scratch)
+	return scratch
+}
+
+// iterVal returns the current iter val.
+// scratch is a re-usable reflect.Value.
+// iterVal may store the iter val in scratch and return scratch,
+// or it may allocate and return a new reflect.Value.
+func iterVal(iter *reflect.MapIter, scratch reflect.Value) reflect.Value {
+	iter.SetValue(scratch)
+	return scratch
+}
+
+// mapIter returns a map iterator for mapVal.
+// scratch is a re-usable reflect.MapIter.
+// mapIter may re-use scratch and return it,
+// or it may allocate and return a new *reflect.MapIter.
+// If mapVal is the zero reflect.Value, mapIter may return nil.
+func mapIter(scratch *reflect.MapIter, mapVal reflect.Value) *reflect.MapIter {
+	scratch.Reset(mapVal) // always Reset, to allow the caller to avoid pinning memory
+	if !mapVal.IsValid() {
+		// Returning scratch would also be OK.
+		// Do this for consistency with the non-optimized version.
+		return nil
+	}
+	return scratch
+}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -44,11 +44,13 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
+	"tailscale.com/types/preftype"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -451,6 +453,13 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	// Lock b once and do only the things that require locking.
 	b.mu.Lock()

+	if st.LogoutFinished != nil {
+		// Since we're logged out now, our netmap cache is invalid.
+		// Since st.NetMap==nil means "netmap is unchanged", there is
+		// no other way to represent this change.
+		b.setNetMapLocked(nil)
+	}
+
 	prefs := b.prefs
 	stateKey := b.stateKey
 	netMap := b.netMap
@@ -648,6 +657,12 @@ func (b *LocalBackend) getNewControlClientFunc() clientGen {
 // startIsNoopLocked reports whether a Start call on this LocalBackend
 // with the provided Start Options would be a useless no-op.
 //
+// TODO(apenwarr): we shouldn't need this.
+//  The state machine is now nearly clean enough where it can accept a new
+//  connection while in any state, not just Running, and on any platform.
+//  We'd want to add a few more tests to state_test.go to ensure this continues
+//  to work as expected.
+//
 // b.mu must be held.
 func (b *LocalBackend) startIsNoopLocked(opts ipn.Options) bool {
 	// Options has 5 fields; check all of them:
@@ -701,6 +716,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		b.send(ipn.Notify{
 			State:         &state,
 			NetMap:        nm,
+			Prefs:         b.prefs,
 			LoginFinished: new(empty.Message),
 		})
 		return nil
@@ -913,8 +929,8 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 			}
 		}
 	}
-	localNets := localNetsB.IPSet()
-	logNets := logNetsB.IPSet()
+	localNets, _ := localNetsB.IPSet()
+	logNets, _ := logNetsB.IPSet()

 	changed := deephash.UpdateHash(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
 	if !changed {
@@ -971,7 +987,8 @@ func interfaceRoutes() (ips *netaddr.IPSet, hostIPs []netaddr.IP, err error) {
 		return nil, nil, err
 	}

-	return b.IPSet(), hostIPs, nil
+	ipSet, _ := b.IPSet()
+	return ipSet, hostIPs, nil
 }

 // shrinkDefaultRoute returns an IPSet representing the IPs in route,
@@ -1002,7 +1019,7 @@ func shrinkDefaultRoute(route netaddr.IPPrefix) (*netaddr.IPSet, error) {
 	for _, pfx := range removeFromDefaultRoute {
 		b.RemovePrefix(pfx)
 	}
-	return b.IPSet(), nil
+	return b.IPSet()
 }

 // dnsCIDRsEqual determines whether two CIDR lists are equal
@@ -1694,9 +1711,45 @@ func (b *LocalBackend) authReconfig() {

 	rcfg := b.routerConfig(cfg, uc)

-	var dcfg dns.Config
+	dcfg := dns.Config{
+		Routes: map[dnsname.FQDN][]netaddr.IPPort{},
+		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
+	}
+
+	// Populate MagicDNS records. We do this unconditionally so that
+	// quad-100 can always respond to MagicDNS queries, even if the OS
+	// isn't configured to make MagicDNS resolution truly
+	// magic. Details in
+	// https://github.com/tailscale/tailscale/issues/1886.
+	set := func(name string, addrs []netaddr.IPPrefix) {
+		if len(addrs) == 0 || name == "" {
+			return
+		}
+		fqdn, err := dnsname.ToFQDN(name)
+		if err != nil {
+			return // TODO: propagate error?
+		}
+		var ips []netaddr.IP
+		for _, addr := range addrs {
+			// Remove IPv6 addresses for now, as we don't
+			// guarantee that the peer node actually can speak
+			// IPv6 correctly.
+			//
+			// https://github.com/tailscale/tailscale/issues/1152
+			// tracks adding the right capability reporting to
+			// enable AAAA in MagicDNS.
+			if addr.IP().Is6() {
+				continue
+			}
+			ips = append(ips, addr.IP())
+		}
+		dcfg.Hosts[fqdn] = ips
+	}
+	set(nm.Name, nm.Addresses)
+	for _, peer := range nm.Peers {
+		set(peer.Name, peer.Addresses)
+	}

-	// If CorpDNS is false, dcfg remains the zero value.
 	if uc.CorpDNS {
 		addDefault := func(resolvers []tailcfg.DNSResolver) {
 			for _, resolver := range resolvers {
@@ -1710,9 +1763,6 @@ func (b *LocalBackend) authReconfig() {
 		}

 		addDefault(nm.DNS.Resolvers)
-		if len(nm.DNS.Routes) > 0 {
-			dcfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{}
-		}
 		for suffix, resolvers := range nm.DNS.Routes {
 			fqdn, err := dnsname.ToFQDN(suffix)
 			if err != nil {
@@ -1734,36 +1784,9 @@ func (b *LocalBackend) authReconfig() {
 			}
 			dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
 		}
-		set := func(name string, addrs []netaddr.IPPrefix) {
-			if len(addrs) == 0 || name == "" {
-				return
-			}
-			fqdn, err := dnsname.ToFQDN(name)
-			if err != nil {
-				return // TODO: propagate error?
-			}
-			var ips []netaddr.IP
-			for _, addr := range addrs {
-				// Remove IPv6 addresses for now, as we don't
-				// guarantee that the peer node actually can speak
-				// IPv6 correctly.
-				//
-				// https://github.com/tailscale/tailscale/issues/1152
-				// tracks adding the right capability reporting to
-				// enable AAAA in MagicDNS.
-				if addr.IP().Is6() {
-					continue
-				}
-				ips = append(ips, addr.IP())
-			}
-			dcfg.Hosts[fqdn] = ips
-		}
 		if nm.DNS.Proxied { // actually means "enable MagicDNS"
-			dcfg.AuthoritativeSuffixes = magicDNSRootDomains(nm)
-			dcfg.Hosts = map[dnsname.FQDN][]netaddr.IP{}
-			set(nm.Name, nm.Addresses)
-			for _, peer := range nm.Peers {
-				set(peer.Name, peer.Addresses)
+			for _, dom := range magicDNSRootDomains(nm) {
+				dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
 			}
 		}

@@ -1787,7 +1810,7 @@ func (b *LocalBackend) authReconfig() {
 			//
 			// https://github.com/tailscale/tailscale/issues/1713
 			addDefault(nm.DNS.FallbackResolvers)
-		case len(dcfg.Routes) == 0 && len(dcfg.Hosts) == 0 && len(dcfg.AuthoritativeSuffixes) == 0:
+		case len(dcfg.Routes) == 0:
 			// No settings requiring split DNS, no problem.
 		case version.OS() == "android":
 			// We don't support split DNS at all on Android yet.
@@ -1815,8 +1838,9 @@ func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
 // tailscaleVarRoot returns the root directory of Tailscale's writable
 // storage area. (e.g. "/var/lib/tailscale")
 func tailscaleVarRoot() string {
-	if runtime.GOOS == "ios" {
-		dir, _ := paths.IOSSharedDir.Load().(string)
+	switch runtime.GOOS {
+	case "ios", "android":
+		dir, _ := paths.AppSharedDir.Load().(string)
 		return dir
 	}
 	stateFile := paths.DefaultTailscaledStateFile()
@@ -1864,6 +1888,15 @@ func (b *LocalBackend) initPeerAPIListener() {
 	b.mu.Lock()
 	defer b.mu.Unlock()

+	if b.netMap == nil {
+		// We're called from authReconfig which checks that
+		// netMap is non-nil, but if a concurrent Logout,
+		// ResetForClientDisconnect, or Start happens when its
+		// mutex was released, the netMap could be
+		// nil'ed out (Issue 1996). Bail out early here if so.
+		return
+	}
+
 	if len(b.netMap.Addresses) == len(b.peerAPIListeners) {
 		allSame := true
 		for i, pln := range b.peerAPIListeners {
@@ -1920,7 +1953,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 					// ("peerAPIListeners too low").
 					continue
 				}
-				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP, err)
+				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP(), err)
 				continue
 			}
 		}
@@ -2019,6 +2052,11 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		Routes:           peerRoutes(cfg.Peers, 10_000),
 	}

+	if distro.Get() == distro.Synology {
+		// Issue 1995: we don't use iptables on Synology.
+		rs.NetfilterMode = preftype.NetfilterOff
+	}
+
 	// Sanity check: we expect the control server to program both a v4
 	// and a v6 default route, if default routing is on. Fill in
 	// blackhole routes appropriately if we're missing some. This is
@@ -2312,7 +2350,6 @@ func (b *LocalBackend) LogoutSync(ctx context.Context) error {
 func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 	b.mu.Lock()
 	cc := b.cc
-	b.setNetMapLocked(nil)
 	b.mu.Unlock()

 	b.EditPrefs(&ipn.MaskedPrefs{
@@ -2339,10 +2376,6 @@ func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 		cc.StartLogout()
 	}

-	b.mu.Lock()
-	b.setNetMapLocked(nil)
-	b.mu.Unlock()
-
 	b.stateMachine()
 	return err
 }
@@ -2544,6 +2577,42 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }

+// SetDNS adds a DNS record for the given domain name & TXT record
+// value.
+//
+// It's meant for use with dns-01 ACME (LetsEncrypt) challenges.
+//
+// This is the low-level interface. Other layers will provide more
+// friendly options to get HTTPS certs.
+func (b *LocalBackend) SetDNS(ctx context.Context, name, value string) error {
+	req := &tailcfg.SetDNSRequest{
+		Version: 1,
+		Type:    "TXT",
+		Name:    name,
+		Value:   value,
+	}
+
+	b.mu.Lock()
+	cc := b.cc
+	if prefs := b.prefs; prefs != nil {
+		req.NodeKey = tailcfg.NodeKey(prefs.Persist.PrivateNodeKey.Public())
+	}
+	b.mu.Unlock()
+	if cc == nil {
+		return errors.New("not connected")
+	}
+	if req.NodeKey.IsZero() {
+		return errors.New("no nodekey")
+	}
+	if name == "" {
+		return errors.New("missing 'name'")
+	}
+	if value == "" {
+		return errors.New("missing 'value'")
+	}
+	return cc.SetDNS(ctx, req)
+}
+
 func (b *LocalBackend) registerIncomingFile(inf *incomingFile, active bool) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
--- a/ipn/ipnlocal/peerapi_macios_ext.go
+++ b/ipn/ipnlocal/peerapi_macios_ext.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build darwin,redo ios,redo
+// +build darwin,ts_macext ios,ts_macext

 package ipnlocal

--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -140,6 +140,8 @@ func (cc *mockControl) send(err error, url string, loginFinished bool, nm *netma
 		}
 		if loginFinished {
 			s.LoginFinished = &empty.Message{}
+		} else if url == "" && err == nil && nm == nil {
+			s.LogoutFinished = &empty.Message{}
 		}
 		cc.statusFunc(s)
 	}
@@ -246,6 +248,10 @@ func (cc *mockControl) UpdateEndpoints(localPort uint16, endpoints []tailcfg.End
 	cc.called("UpdateEndpoints")
 }

+func (*mockControl) SetDNS(context.Context, *tailcfg.SetDNSRequest) error {
+	panic("unexpected SetDNS call")
+}
+
 // A very precise test of the sequence of function calls generated by
 // ipnlocal.Local into its controlclient instance, and the events it
 // produces upstream into the UI.
@@ -548,10 +554,7 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
 		c.Assert(nn[0].NetMap, qt.Not(qt.IsNil))
-		// BUG: Prefs should be sent too, or the UI could end up in
-		// a bad state. (iOS, the only current user of this feature,
-		// probably wouldn't notice because it happens to not display
-		// any prefs. Maybe exit nodes will look weird?)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 	}

 	// undo the state hack above.
@@ -563,24 +566,25 @@ func TestStateMachine(t *testing.T) {
 	b.Logout()
 	{
 		nn := notifies.drain(2)
-		// BUG: now is not the time to unpause.
-		c.Assert([]string{"unpause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
+		c.Assert([]string{"pause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
+		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsTrue)
 		c.Assert(nn[1].Prefs.WantRunning, qt.IsFalse)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		c.Assert(ipn.Stopped, qt.Equals, b.State())
 	}

 	// Let's make the logout succeed.
 	t.Logf("\n\nLogout (async) - succeed")
-	notifies.expect(0)
+	notifies.expect(1)
 	cc.setAuthBlocked(true)
 	cc.send(nil, "", false, nil)
 	{
-		notifies.drain(0)
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		nn := notifies.drain(1)
+		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
 		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -24,7 +24,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"syscall"
 	"time"

@@ -41,9 +40,11 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/groupmember"
 	"tailscale.com/util/pidowner"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 )

@@ -347,51 +348,32 @@ func isReadonlyConn(ci connIdentity, operatorUID string, logf logger.Logf) bool
 		logf("connection from userid %v; is configured operator", uid)
 		return rw
 	}
-	var adminGroupID string
-	switch runtime.GOOS {
-	case "darwin":
-		adminGroupID = darwinAdminGroupID()
-	default:
-		logf("connection from userid %v; read-only", uid)
+	if yes, err := isLocalAdmin(uid); err != nil {
+		logf("connection from userid %v; read-only; %v", uid, err)
 		return ro
-	}
-	if adminGroupID == "" {
-		logf("connection from userid %v; no system admin group found, read-only", uid)
-		return ro
-	}
-	u, err := user.LookupId(uid)
-	if err != nil {
-		logf("connection from userid %v; failed to look up user; read-only", uid)
-		return ro
-	}
-	gids, err := u.GroupIds()
-	if err != nil {
-		logf("connection from userid %v; failed to look up groups; read-only", uid)
-		return ro
-	}
-	for _, gid := range gids {
-		if gid == adminGroupID {
-			logf("connection from userid %v; is local admin, has access", uid)
-			return rw
-		}
+	} else if yes {
+		logf("connection from userid %v; is local admin, has access", uid)
+		return rw
 	}
 	logf("connection from userid %v; read-only", uid)
 	return ro
 }

-var darwinAdminGroupIDCache atomic.Value // of string
-
-func darwinAdminGroupID() string {
-	s, _ := darwinAdminGroupIDCache.Load().(string)
-	if s != "" {
-		return s
-	}
-	g, err := user.LookupGroup("admin")
+func isLocalAdmin(uid string) (bool, error) {
+	u, err := user.LookupId(uid)
 	if err != nil {
-		return ""
+		return false, err
 	}
-	darwinAdminGroupIDCache.Store(g.Gid)
-	return g.Gid
+	var adminGroup string
+	switch {
+	case runtime.GOOS == "darwin":
+		adminGroup = "admin"
+	case distro.Get() == distro.QNAP:
+		adminGroup = "administrators"
+	default:
+		return false, fmt.Errorf("no system admin group found")
+	}
+	return groupmember.IsMemberOfGroup(adminGroup, u.Username)
 }

 // inUseOtherUserError is the error type for when the server is in use
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -100,6 +100,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveBugReport(w, r)
 	case "/localapi/v0/file-targets":
 		h.serveFileTargets(w, r)
+	case "/localapi/v0/set-dns":
+		h.serveSetDNS(w, r)
 	case "/":
 		io.WriteString(w, "tailscaled\n")
 	default:
@@ -382,6 +384,25 @@ func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
 	rp.ServeHTTP(w, outReq)
 }

+func (h *Handler) serveSetDNS(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != "POST" {
+		http.Error(w, "want POST", 400)
+		return
+	}
+	ctx := r.Context()
+	err := h.b.SetDNS(ctx, r.FormValue("name"), r.FormValue("value"))
+	if err != nil {
+		writeErrorJSON(w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(struct{}{})
+}
+
 var dialPeerTransportOnce struct {
 	sync.Once
 	v *http.Transport
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -104,7 +104,9 @@ func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(Notify)) *
 		b:             b,
 		sendNotifyMsg: sendNotifyMsg,
 	}
-	if sendNotifyMsg != nil {
+	// b may be nil if the BackendServer is being created just to
+	// encapsulate and send an error message.
+	if sendNotifyMsg != nil && b != nil {
 		b.SetNotifyCallback(bs.send)
 	}
 	return bs
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -187,3 +187,17 @@ func TestClientServer(t *testing.T) {
 	})
 	flushUntil(Running)
 }
+
+func TestNilBackend(t *testing.T) {
+	var called *Notify
+	bs := NewBackendServer(t.Logf, nil, func(n Notify) {
+		called = &n
+	})
+	bs.SendErrorMessage("Danger, Will Robinson!")
+	if called == nil {
+		t.Errorf("expect callback to be called, wasn't")
+	}
+	if called.ErrMessage == nil || *called.ErrMessage != "Danger, Will Robinson!" {
+		t.Errorf("callback got wrong error: %v", called.ErrMessage)
+	}
+}
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"sync/atomic"
 	"time"

 	"tailscale.com/logtail/backoff"
@@ -72,7 +73,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	}
 	l := &Logger{
 		stderr:         cfg.Stderr,
-		stderrLevel:    cfg.StderrLevel,
+		stderrLevel:    int64(cfg.StderrLevel),
 		httpc:          cfg.HTTPC,
 		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
 		lowMem:         cfg.LowMemory,
@@ -103,7 +104,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 // logging facilities and uploading to a log server.
 type Logger struct {
 	stderr         io.Writer
-	stderrLevel    int
+	stderrLevel    int64 // accessed atomically
 	httpc          *http.Client
 	url            string
 	lowMem         bool
@@ -125,10 +126,8 @@ type Logger struct {
 // SetVerbosityLevel controls the verbosity level that should be
 // written to stderr. 0 is the default (not verbose). Levels 1 or higher
 // are increasingly verbose.
-//
-// It should not be changed concurrently with log writes.
 func (l *Logger) SetVerbosityLevel(level int) {
-	l.stderrLevel = level
+	atomic.StoreInt64(&l.stderrLevel, int64(level))
 }

 // SetLinkMonitor sets the optional the link monitor.
@@ -514,7 +513,7 @@ func (l *Logger) Write(buf []byte) (int, error) {
 		return 0, nil
 	}
 	level, buf := parseAndRemoveLogLevel(buf)
-	if l.stderr != nil && l.stderr != ioutil.Discard && level <= l.stderrLevel {
+	if l.stderr != nil && l.stderr != ioutil.Discard && int64(level) <= atomic.LoadInt64(&l.stderrLevel) {
 		if buf[len(buf)-1] == '\n' {
 			l.stderr.Write(buf)
 		} else {
--- a/net/dns/config.go
+++ b/net/dns/config.go
@@ -22,27 +22,26 @@ type Config struct {
 	// for queries that fall within that suffix.
 	// If a query doesn't match any entry in Routes, the
 	// DefaultResolvers are used.
+	// A Routes entry with no resolvers means the route should be
+	// authoritatively answered using the contents of Hosts.
 	Routes map[dnsname.FQDN][]netaddr.IPPort
 	// SearchDomains are DNS suffixes to try when expanding
 	// single-label queries.
 	SearchDomains []dnsname.FQDN
 	// Hosts maps DNS FQDNs to their IPs, which can be a mix of IPv4
 	// and IPv6.
-	// Queries matching entries in Hosts are resolved locally without
-	// recursing off-machine.
+	// Queries matching entries in Hosts are resolved locally by
+	// 100.100.100.100 without leaving the machine.
+	// Adding an entry to Hosts merely creates the record. If you want
+	// it to resolve, you also need to add appropriate routes to
+	// Routes.
 	Hosts map[dnsname.FQDN][]netaddr.IP
-	// AuthoritativeSuffixes is a list of fully-qualified DNS suffixes
-	// for which the in-process Tailscale resolver is authoritative.
-	// Queries for names within AuthoritativeSuffixes can only be
-	// fulfilled by entries in Hosts. Queries with no match in Hosts
-	// return NXDOMAIN.
-	AuthoritativeSuffixes []dnsname.FQDN
 }

 // needsAnyResolvers reports whether c requires a resolver to be set
 // at the OS level.
 func (c Config) needsOSResolver() bool {
-	return c.hasDefaultResolvers() || c.hasRoutes() || c.hasHosts()
+	return c.hasDefaultResolvers() || c.hasRoutes()
 }

 func (c Config) hasRoutes() bool {
@@ -52,7 +51,7 @@ func (c Config) hasRoutes() bool {
 // hasDefaultResolversOnly reports whether the only resolvers in c are
 // DefaultResolvers.
 func (c Config) hasDefaultResolversOnly() bool {
-	return c.hasDefaultResolvers() && !c.hasRoutes() && !c.hasHosts()
+	return c.hasDefaultResolvers() && !c.hasRoutes()
 }

 func (c Config) hasDefaultResolvers() bool {
@@ -63,44 +62,28 @@ func (c Config) hasDefaultResolvers() bool {
 // routes use the same resolvers, or nil if multiple sets of resolvers
 // are specified.
 func (c Config) singleResolverSet() []netaddr.IPPort {
-	var first []netaddr.IPPort
+	var (
+		prev            []netaddr.IPPort
+		prevInitialized bool
+	)
 	for _, resolvers := range c.Routes {
-		if first == nil {
-			first = resolvers
+		if !prevInitialized {
+			prev = resolvers
+			prevInitialized = true
 			continue
 		}
-		if !sameIPPorts(first, resolvers) {
+		if !sameIPPorts(prev, resolvers) {
 			return nil
 		}
 	}
-	return first
+	return prev
 }

-// hasHosts reports whether c requires resolution of MagicDNS hosts or
-// domains.
-func (c Config) hasHosts() bool {
-	return len(c.Hosts) > 0 || len(c.AuthoritativeSuffixes) > 0
-}
-
-// matchDomains returns the list of match suffixes needed by Routes,
-// AuthoritativeSuffixes. Hosts is not considered as we assume that
-// they're covered by AuthoritativeSuffixes for now.
+// matchDomains returns the list of match suffixes needed by Routes.
 func (c Config) matchDomains() []dnsname.FQDN {
-	ret := make([]dnsname.FQDN, 0, len(c.Routes)+len(c.AuthoritativeSuffixes))
-	seen := map[dnsname.FQDN]bool{}
-	for _, suffix := range c.AuthoritativeSuffixes {
-		if seen[suffix] {
-			continue
-		}
-		ret = append(ret, suffix)
-		seen[suffix] = true
-	}
+	ret := make([]dnsname.FQDN, 0, len(c.Routes))
 	for suffix := range c.Routes {
-		if seen[suffix] {
-			continue
-		}
 		ret = append(ret, suffix)
-		seen[suffix] = true
 	}
 	sort.Slice(ret, func(i, j int) bool {
 		return ret[i].WithTrailingDot() < ret[j].WithTrailingDot()
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -6,7 +6,6 @@ package dns

 import (
 	"runtime"
-	"strings"
 	"time"

 	"inet.af/netaddr"
@@ -75,40 +74,40 @@ func (m *Manager) Set(cfg Config) error {

 // compileConfig converts cfg into a quad-100 resolver configuration
 // and an OS-level configuration.
-func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
+func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig, err error) {
+	// The internal resolver always gets MagicDNS hosts and
+	// authoritative suffixes, even if we don't propagate MagicDNS to
+	// the OS.
+	rcfg.Hosts = cfg.Hosts
+	routes := map[dnsname.FQDN][]netaddr.IPPort{} // assigned conditionally to rcfg.Routes below.
+	for suffix, resolvers := range cfg.Routes {
+		if len(resolvers) == 0 {
+			rcfg.LocalDomains = append(rcfg.LocalDomains, suffix)
+		} else {
+			routes[suffix] = resolvers
+		}
+	}
+	// Similarly, the OS always gets search paths.
+	ocfg.SearchDomains = cfg.SearchDomains
+
 	// Deal with trivial configs first.
 	switch {
 	case !cfg.needsOSResolver():
 		// Set search domains, but nothing else. This also covers the
 		// case where cfg is entirely zero, in which case these
 		// configs clear all Tailscale DNS settings.
-		return resolver.Config{}, OSConfig{
-			SearchDomains: cfg.SearchDomains,
-		}, nil
+		return rcfg, ocfg, nil
 	case cfg.hasDefaultResolversOnly():
 		// Trivial CorpDNS configuration, just override the OS
 		// resolver.
-		return resolver.Config{}, OSConfig{
-			Nameservers:   toIPsOnly(cfg.DefaultResolvers),
-			SearchDomains: cfg.SearchDomains,
-		}, nil
+		ocfg.Nameservers = toIPsOnly(cfg.DefaultResolvers)
+		return rcfg, ocfg, nil
 	case cfg.hasDefaultResolvers():
 		// Default resolvers plus other stuff always ends up proxying
 		// through quad-100.
-		rcfg := resolver.Config{
-			Routes: map[dnsname.FQDN][]netaddr.IPPort{
-				".": cfg.DefaultResolvers,
-			},
-			Hosts:        cfg.Hosts,
-			LocalDomains: cfg.AuthoritativeSuffixes,
-		}
-		for suffix, resolvers := range cfg.Routes {
-			rcfg.Routes[suffix] = resolvers
-		}
-		ocfg := OSConfig{
-			Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
-			SearchDomains: cfg.SearchDomains,
-		}
+		rcfg.Routes = routes
+		rcfg.Routes["."] = cfg.DefaultResolvers
+		ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
 		return rcfg, ocfg, nil
 	}

@@ -116,8 +115,6 @@ func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	// configurations. The possible cases don't return directly any
 	// more, because as a final step we have to handle the case where
 	// the OS can't do split DNS.
-	var rcfg resolver.Config
-	var ocfg OSConfig

 	// Workaround for
 	// https://github.com/tailscale/corp/issues/1662. Even though
@@ -135,35 +132,19 @@ func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	// This bool is used in a couple of places below to implement this
 	// workaround.
 	isWindows := runtime.GOOS == "windows"
-
-	// The windows check is for
-	// . See also below
-	// for further routing workarounds there.
-	if !cfg.hasHosts() && cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
+	if cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
 		// Split DNS configuration requested, where all split domains
 		// go to the same resolvers. We can let the OS do it.
-		return resolver.Config{}, OSConfig{
-			Nameservers:   toIPsOnly(cfg.singleResolverSet()),
-			SearchDomains: cfg.SearchDomains,
-			MatchDomains:  cfg.matchDomains(),
-		}, nil
+		ocfg.Nameservers = toIPsOnly(cfg.singleResolverSet())
+		ocfg.MatchDomains = cfg.matchDomains()
+		return rcfg, ocfg, nil
 	}

 	// Split DNS configuration with either multiple upstream routes,
 	// or routes + MagicDNS, or just MagicDNS, or on an OS that cannot
 	// split-DNS. Install a split config pointing at quad-100.
-	rcfg = resolver.Config{
-		Hosts:        cfg.Hosts,
-		LocalDomains: cfg.AuthoritativeSuffixes,
-		Routes:       map[dnsname.FQDN][]netaddr.IPPort{},
-	}
-	for suffix, resolvers := range cfg.Routes {
-		rcfg.Routes[suffix] = resolvers
-	}
-	ocfg = OSConfig{
-		Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
-		SearchDomains: cfg.SearchDomains,
-	}
+	rcfg.Routes = routes
+	ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}

 	// If the OS can't do native split-dns, read out the underlying
 	// resolver config and blend it into our config.
@@ -173,28 +154,7 @@ func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	if !m.os.SupportsSplitDNS() || isWindows {
 		bcfg, err := m.os.GetBaseConfig()
 		if err != nil {
-			// Temporary hack to make OSes where split-DNS isn't fully
-			// implemented yet not completely crap out, but instead
-			// fall back to quad-9 as a hardcoded "backup resolver".
-			//
-			// This codepath currently only triggers when opted into
-			// the split-DNS feature server side, and when at least
-			// one search domain is something within tailscale.com, so
-			// we don't accidentally leak unstable user DNS queries to
-			// quad-9 if we accidentally go down this codepath.
-			canUseHack := false
-			for _, dom := range cfg.SearchDomains {
-				if strings.HasSuffix(dom.WithoutTrailingDot(), ".tailscale.com") {
-					canUseHack = true
-					break
-				}
-			}
-			if !canUseHack {
-				return resolver.Config{}, OSConfig{}, err
-			}
-			bcfg = OSConfig{
-				Nameservers: []netaddr.IP{netaddr.IPv4(9, 9, 9, 9)},
-			}
+			return resolver.Config{}, OSConfig{}, err
 		}
 		rcfg.Routes["."] = toIPPorts(bcfg.Nameservers)
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
--- a/net/dns/manager_linux.go
+++ b/net/dns/manager_linux.go
@@ -5,7 +5,6 @@
 package dns

 import (
-	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -79,6 +78,18 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		// "unmanaged" interfaces - meaning NM 1.26.6 and later
 		// actively ignore DNS configuration we give it. So, for those
 		// NM versions, we can and must use resolved directly.
+		//
+		// In a perfect world, we'd avoid this by replacing
+		// configuration out from under NM entirely (e.g. using
+		// directManager to overwrite resolv.conf), but in a world
+		// where resolved runs, we need to get correct configuration
+		// into resolved regardless of what's in resolv.conf (because
+		// resolved can also be queried over dbus, or via an NSS
+		// module that bypasses /etc/resolv.conf). Given that we must
+		// get correct configuration into resolved, we have no choice
+		// but to use NM, and accept the loss of IPv6 configuration
+		// that comes with it (see
+		// https://github.com/tailscale/tailscale/issues/1699)
 		old, err := nmVersionOlderThan("1.26.6")
 		if err != nil {
 			// Failed to figure out NM's version, can't make a correct
@@ -93,26 +104,6 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		return newResolvedManager(logf, interfaceName)
 	case "resolvconf":
 		dbg("rc", "resolvconf")
-		if err := resolvconfSourceIsNM(bs); err == nil {
-			dbg("src-is-nm", "yes")
-			if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err == nil {
-				dbg("nm", "yes")
-				old, err := nmVersionOlderThan("1.26.6")
-				if err != nil {
-					return nil, fmt.Errorf("checking NetworkManager version: %v", err)
-				}
-				if old {
-					dbg("nm-old", "yes")
-					return newNMManager(interfaceName)
-				} else {
-					dbg("nm-old", "no")
-				}
-			} else {
-				dbg("nm", "no")
-			}
-		} else {
-			dbg("src-is-nm", "no")
-		}
 		if _, err := exec.LookPath("resolvconf"); err != nil {
 			dbg("resolvconf", "no")
 			return newDirectManager()
@@ -120,21 +111,19 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		dbg("resolvconf", "yes")
 		return newResolvconfManager(logf)
 	case "NetworkManager":
+		// You'd think we would use newNMManager somewhere in
+		// here. However, as explained in
+		// https://github.com/tailscale/tailscale/issues/1699 , using
+		// NetworkManager for DNS configuration carries with it the
+		// cost of losing IPv6 configuration on the Tailscale network
+		// interface. So, when we can avoid it, we bypass
+		// NetworkManager by replacing resolv.conf directly.
+		//
+		// If you ever try to put NMManager back here, keep in mind
+		// that versions >=1.26.6 will ignore DNS configuration
+		// anyway, so you still need a fallback path that uses
+		// directManager.
 		dbg("rc", "nm")
-		if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err != nil {
-			dbg("nm", "no")
-			return newDirectManager()
-		}
-		dbg("nm", "yes")
-		old, err := nmVersionOlderThan("1.26.6")
-		if err != nil {
-			return nil, fmt.Errorf("checking NetworkManager version: %v", err)
-		}
-		if old {
-			dbg("nm-old", "yes")
-			return newNMManager(interfaceName)
-		}
-		dbg("nm-old", "no")
 		return newDirectManager()
 	default:
 		dbg("rc", "unknown")
@@ -142,45 +131,6 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 	}
 }

-func resolvconfSourceIsNM(resolvDotConf []byte) error {
-	b := bytes.NewBuffer(resolvDotConf)
-	cfg, err := readResolv(b)
-	if err != nil {
-		return fmt.Errorf("parsing /etc/resolv.conf: %w", err)
-	}
-
-	var (
-		paths = []string{
-			"/etc/resolvconf/run/interface/NetworkManager",
-			"/run/resolvconf/interface/NetworkManager",
-			"/var/run/resolvconf/interface/NetworkManager",
-			"/run/resolvconf/interfaces/NetworkManager",
-			"/var/run/resolvconf/interfaces/NetworkManager",
-		}
-		nmCfg OSConfig
-		found bool
-	)
-	for _, path := range paths {
-		nmCfg, err = readResolvFile(path)
-		if os.IsNotExist(err) {
-			continue
-		} else if err != nil {
-			return err
-		}
-		found = true
-		break
-	}
-	if !found {
-		return errors.New("NetworkManager resolvconf snippet not found")
-	}
-
-	if !nmCfg.Equal(cfg) {
-		return errors.New("NetworkManager config not applied by resolvconf")
-	}
-
-	return nil
-}
-
 func nmVersionOlderThan(want string) (bool, error) {
 	conn, err := dbus.SystemBus()
 	if err != nil {
--- a/net/dns/manager_test.go
+++ b/net/dns/manager_test.go
@@ -76,6 +76,20 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 		},
+		{
+			// Regression test for https://github.com/tailscale/tailscale/issues/1886
+			name: "hosts-only",
+			in: Config{
+				Hosts: hosts(
+					"dave.ts.com.", "1.2.3.4",
+					"bradfitz.ts.com.", "2.3.4.5"),
+			},
+			rs: resolver.Config{
+				Hosts: hosts(
+					"dave.ts.com.", "1.2.3.4",
+					"bradfitz.ts.com.", "2.3.4.5"),
+			},
+		},
 		{
 			name: "corp",
 			in: Config{
@@ -104,10 +118,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
+				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			os: OSConfig{
 				Nameservers:   mustIPs("100.100.100.100"),
@@ -126,10 +140,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
+				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			split: true,
 			os: OSConfig{
@@ -261,8 +275,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
+				Routes:        upstreams("ts.com", ""),
+				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -286,8 +300,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
+				Routes:        upstreams("ts.com", ""),
+				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -305,12 +319,11 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53"),
+				Routes: upstreams("corp.com", "2.2.2.2:53", "ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
+				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -333,12 +346,13 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic-split",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53"),
+				Routes: upstreams(
+					"corp.com", "2.2.2.2:53",
+					"ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
+				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -429,7 +443,12 @@ func upstreams(strs ...string) (ret map[dnsname.FQDN][]netaddr.IPPort) {
 	var key dnsname.FQDN
 	ret = map[dnsname.FQDN][]netaddr.IPPort{}
 	for _, s := range strs {
-		if ipp, err := netaddr.ParseIPPort(s); err == nil {
+		if s == "" {
+			if key == "" {
+				panic("IPPort provided before suffix")
+			}
+			ret[key] = nil
+		} else if ipp, err := netaddr.ParseIPPort(s); err == nil {
 			if key == "" {
 				panic("IPPort provided before suffix")
 			}
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -14,6 +14,7 @@ import (
 	"math/rand"
 	"net"
 	"sync"
+	"syscall"
 	"time"

 	dns "golang.org/x/net/dns/dnsmessage"
@@ -193,8 +194,14 @@ func (f *forwarder) recv(conn *fwdConn) {
 			return
 		default:
 		}
-		out := make([]byte, maxResponseBytes)
+		// The 1 extra byte is to detect packet truncation.
+		out := make([]byte, maxResponseBytes+1)
 		n := conn.read(out)
+		var truncated bool
+		if n > maxResponseBytes {
+			n = maxResponseBytes
+			truncated = true
+		}
 		if n == 0 {
 			continue
 		}
@@ -205,6 +212,19 @@ func (f *forwarder) recv(conn *fwdConn) {
 		out = out[:n]
 		txid := getTxID(out)

+		if truncated {
+			const dnsFlagTruncated = 0x200
+			flags := binary.BigEndian.Uint16(out[2:4])
+			flags |= dnsFlagTruncated
+			binary.BigEndian.PutUint16(out[2:4], flags)
+
+			// TODO(#2067): Remove any incomplete records? RFC 1035 section 6.2
+			// states that truncation should head drop so that the authority
+			// section can be preserved if possible. However, the UDP read with
+			// a too-small buffer has already dropped the end, so that's the
+			// best we can do.
+		}
+
 		f.mu.Lock()

 		record, found := f.txMap[txid]
@@ -286,6 +306,8 @@ func (f *forwarder) forward(query packet) error {
 	}
 	f.mu.Unlock()

+	// TODO(#2066): EDNS size clamping
+
 	for _, resolver := range resolvers {
 		f.send(query.bs, resolver)
 	}
@@ -371,6 +393,12 @@ func (c *fwdConn) send(packet []byte, dst netaddr.IPPort) {
 			backOff(err)
 			continue
 		}
+		if errors.Is(err, syscall.EHOSTUNREACH) {
+			// "No route to host." The network stack is fine, but
+			// can't talk to this destination. Not much we can do
+			// about that, don't spam logs.
+			return
+		}
 		if networkIsDown(err) {
 			// Fail.
 			c.logf("send: network is down")
@@ -422,7 +450,7 @@ func (c *fwdConn) read(out []byte) int {
 		c.mu.Unlock()

 		n, _, err := conn.ReadFrom(out)
-		if err == nil {
+		if err == nil || packetWasTruncated(err) {
 			// Success.
 			return n
 		}
--- a/net/dns/resolver/neterr_darwin.go
+++ b/net/dns/resolver/neterr_darwin.go
@@ -23,3 +23,8 @@ func networkIsDown(err error) bool {
 func networkIsUnreachable(err error) bool {
 	return errors.Is(err, networkUnreachable)
 }
+
+// packetWasTruncated returns true if err indicates truncation but the RecvFrom
+// that generated err was otherwise successful. It always returns false on this
+// platform.
+func packetWasTruncated(err error) bool { return false }
--- a/net/dns/resolver/neterr_other.go
+++ b/net/dns/resolver/neterr_other.go
@@ -8,3 +8,8 @@ package resolver

 func networkIsDown(err error) bool        { return false }
 func networkIsUnreachable(err error) bool { return false }
+
+// packetWasTruncated returns true if err indicates truncation but the RecvFrom
+// that generated err was otherwise successful. It always returns false on this
+// platform.
+func packetWasTruncated(err error) bool { return false }
--- a/net/dns/resolver/neterr_windows.go
+++ b/net/dns/resolver/neterr_windows.go
@@ -5,6 +5,7 @@
 package resolver

 import (
+	"errors"
 	"net"
 	"os"

@@ -27,3 +28,16 @@ func networkIsUnreachable(err error) bool {
 	// difference between down and unreachable? Add comments.
 	return false
 }
+
+// packetWasTruncated returns true if err indicates truncation but the RecvFrom
+// that generated err was otherwise successful. On Windows, Go's UDP RecvFrom
+// calls WSARecvFrom which returns the WSAEMSGSIZE error code when the received
+// datagram is larger than the provided buffer. When that happens, both a valid
+// size and an error are returned (as per the partial fix for golang/go#14074).
+// If the WSAEMSGSIZE error is returned, then we ignore the error to get
+// semantics similar to the POSIX operating systems. One caveat is that it
+// appears that the source address is not returned when WSAEMSGSIZE occurs, but
+// we do not currently look at the source address.
+func packetWasTruncated(err error) bool {
+	return errors.Is(err, windows.WSAEMSGSIZE)
+}
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -22,8 +22,10 @@ import (
 	"tailscale.com/wgengine/monitor"
 )

-// maxResponseBytes is the maximum size of a response from a Resolver.
-const maxResponseBytes = 512
+// maxResponseBytes is the maximum size of a response from a Resolver. The
+// actual buffer size will be one larger than this so that we can detect
+// truncation in a platform-agnostic way.
+const maxResponseBytes = 4095

 // queueSize is the maximal number of DNS requests that can await polling.
 // If EnqueueRequest is called when this many requests are already pending,
--- a/net/dns/resolver/tsdns_server_test.go
+++ b/net/dns/resolver/tsdns_server_test.go
@@ -66,6 +66,39 @@ func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	}
 }

+// resolveToTXT returns a handler function which responds to queries of type TXT
+// it receives with the strings in txts.
+func resolveToTXT(txts []string) dns.HandlerFunc {
+	return func(w dns.ResponseWriter, req *dns.Msg) {
+		m := new(dns.Msg)
+		m.SetReply(req)
+
+		if len(req.Question) != 1 {
+			panic("not a single-question request")
+		}
+		question := req.Question[0]
+
+		if question.Qtype != dns.TypeTXT {
+			w.WriteMsg(m)
+			return
+		}
+
+		ans := &dns.TXT{
+			Hdr: dns.RR_Header{
+				Name:   question.Name,
+				Rrtype: dns.TypeTXT,
+				Class:  dns.ClassINET,
+			},
+			Txt: txts,
+		}
+
+		m.Answer = append(m.Answer, ans)
+		if err := w.WriteMsg(m); err != nil {
+			panic(err)
+		}
+	}
+}
+
 var resolveToNXDOMAIN = dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
 	m := new(dns.Msg)
 	m.SetRcode(req, dns.RcodeNameError)
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -6,7 +6,9 @@ package resolver

 import (
 	"bytes"
+	"encoding/hex"
 	"errors"
+	"math/rand"
 	"net"
 	"testing"

@@ -44,9 +46,11 @@ func dnspacket(domain dnsname.FQDN, tp dns.Type) []byte {
 }

 type dnsResponse struct {
-	ip    netaddr.IP
-	name  dnsname.FQDN
-	rcode dns.RCode
+	ip        netaddr.IP
+	txt       []string
+	name      dnsname.FQDN
+	rcode     dns.RCode
+	truncated bool
 }

 func unpackResponse(payload []byte) (dnsResponse, error) {
@@ -67,6 +71,16 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 		return response, nil
 	}

+	response.truncated = h.Truncated
+	if response.truncated {
+		// TODO(#2067): Ideally, answer processing should still succeed when
+		// dealing with a truncated message, but currently when we truncate
+		// a packet, it's caused by the buffer being too small and usually that
+		// means the data runs out mid-record. dns.Parser does not like it when
+		// that happens. We can improve this by trimming off incomplete records.
+		return response, nil
+	}
+
 	err = parser.SkipAllQuestions()
 	if err != nil {
 		return response, err
@@ -90,6 +104,12 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 			return response, err
 		}
 		response.ip = netaddr.IPv6Raw(res.AAAA)
+	case dns.TypeTXT:
+		res, err := parser.TXTResource()
+		if err != nil {
+			return response, err
+		}
+		response.txt = res.TXT
 	case dns.TypeNS:
 		res, err := parser.NSResource()
 		if err != nil {
@@ -269,6 +289,32 @@ func ipv6Works() bool {
 	return true
 }

+func generateTXT(size int, source rand.Source) []string {
+	const sizePerTXT = 120
+
+	if size%2 != 0 {
+		panic("even lengths only")
+	}
+
+	rng := rand.New(source)
+
+	txts := make([]string, 0, size/sizePerTXT+1)
+
+	raw := make([]byte, sizePerTXT/2)
+
+	rem := size
+	for ; rem > sizePerTXT; rem -= sizePerTXT {
+		rng.Read(raw)
+		txts = append(txts, hex.EncodeToString(raw))
+	}
+	if rem > 0 {
+		rng.Read(raw[:rem/2])
+		txts = append(txts, hex.EncodeToString(raw[:rem/2]))
+	}
+
+	return txts
+}
+
 func TestDelegate(t *testing.T) {
 	tstest.ResourceCheck(t)

@@ -276,13 +322,43 @@ func TestDelegate(t *testing.T) {
 		t.Skip("skipping test that requires localhost IPv6")
 	}

+	randSource := rand.NewSource(4)
+
+	// smallTXT does not require EDNS
+	smallTXT := generateTXT(300, randSource)
+
+	// medTXT and largeTXT are responses that require EDNS but we would like to
+	// support these sizes of response without truncation because they are
+	// moderately common.
+	medTXT := generateTXT(1200, randSource)
+	largeTXT := generateTXT(4000, randSource)
+
+	// xlargeTXT is slightly above the maximum response size that we support,
+	// so there should be truncation.
+	xlargeTXT := generateTXT(5000, randSource)
+
+	// hugeTXT is significantly larger than any typical MTU and will require
+	// significant fragmentation. For buffer management reasons, we do not
+	// intend to handle responses this large, so there should be truncation.
+	hugeTXT := generateTXT(64000, randSource)
+
 	v4server := serveDNS(t, "127.0.0.1:0",
 		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN)
+		"nxdomain.site.", resolveToNXDOMAIN,
+		"small.txt.", resolveToTXT(smallTXT),
+		"med.txt.", resolveToTXT(medTXT),
+		"large.txt.", resolveToTXT(largeTXT),
+		"xlarge.txt.", resolveToTXT(xlargeTXT),
+		"huge.txt.", resolveToTXT(hugeTXT))
 	defer v4server.Shutdown()
 	v6server := serveDNS(t, "[::1]:0",
 		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN)
+		"nxdomain.site.", resolveToNXDOMAIN,
+		"small.txt.", resolveToTXT(smallTXT),
+		"med.txt.", resolveToTXT(medTXT),
+		"large.txt.", resolveToTXT(largeTXT),
+		"xlarge.txt.", resolveToTXT(xlargeTXT),
+		"huge.txt.", resolveToTXT(hugeTXT))
 	defer v6server.Shutdown()

 	r := New(t.Logf, nil)
@@ -322,6 +398,31 @@ func TestDelegate(t *testing.T) {
 			dnspacket("nxdomain.site.", dns.TypeA),
 			dnsResponse{rcode: dns.RCodeNameError},
 		},
+		{
+			"smalltxt",
+			dnspacket("small.txt.", dns.TypeTXT),
+			dnsResponse{txt: smallTXT, rcode: dns.RCodeSuccess},
+		},
+		{
+			"medtxt",
+			dnspacket("med.txt.", dns.TypeTXT),
+			dnsResponse{txt: medTXT, rcode: dns.RCodeSuccess},
+		},
+		{
+			"largetxt",
+			dnspacket("large.txt.", dns.TypeTXT),
+			dnsResponse{txt: largeTXT, rcode: dns.RCodeSuccess},
+		},
+		{
+			"xlargetxt",
+			dnspacket("xlarge.txt.", dns.TypeTXT),
+			dnsResponse{rcode: dns.RCodeSuccess, truncated: true},
+		},
+		{
+			"hugetxt",
+			dnspacket("huge.txt.", dns.TypeTXT),
+			dnsResponse{rcode: dns.RCodeSuccess, truncated: true},
+		},
 	}

 	for _, tt := range tests {
@@ -345,6 +446,15 @@ func TestDelegate(t *testing.T) {
 			if response.name != tt.response.name {
 				t.Errorf("name = %v; want %v", response.name, tt.response.name)
 			}
+			if len(response.txt) != len(tt.response.txt) {
+				t.Errorf("%v txt records, want %v txt records", len(response.txt), len(tt.response.txt))
+			} else {
+				for i := range response.txt {
+					if response.txt[i] != tt.response.txt[i] {
+						t.Errorf("txt record %v is %s, want %s", i, response.txt[i], tt.response.txt[i])
+					}
+				}
+			}
 		})
 	}
 }
--- a/net/interfaces/interfaces_default_route_test.go
+++ b/net/interfaces/interfaces_default_route_test.go
@@ -2,15 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build linux,!redo
+// +build linux darwin,!ts_macext

 package interfaces

 import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
 	"testing"
 )

@@ -23,64 +19,3 @@ func TestDefaultRouteInterface(t *testing.T) {
 	}
 	t.Logf("got %q", v)
 }
-
-// test the specific /proc/net/route path as found on Google Cloud Run instances
-func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "CloudRun")
-	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
-		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
-		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
-	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "eth1" {
-		t.Fatalf("got %s, want eth1", got)
-	}
-}
-
-// we read chunks of /proc/net/route at a time, test that files longer than the chunk
-// size can be handled.
-func TestExtremelyLongProcNetRoute(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "VeryLong")
-	f, err := os.Create(procNetRoutePath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for n := 0; n <= 1000; n++ {
-		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
-		_, err := f.Write([]byte(line))
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "tokenring1" {
-		t.Fatalf("got %q, want tokenring1", got)
-	}
-}
--- a/net/interfaces/interfaces_linux_test.go
+++ b/net/interfaces/interfaces_linux_test.go
@@ -4,7 +4,74 @@

 package interfaces

-import "testing"
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// test the specific /proc/net/route path as found on Google Cloud Run instances
+func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
+	dir := t.TempDir()
+	savedProcNetRoutePath := procNetRoutePath
+	defer func() { procNetRoutePath = savedProcNetRoutePath }()
+	procNetRoutePath = filepath.Join(dir, "CloudRun")
+	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
+		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
+		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
+	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	got, err := DefaultRouteInterface()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if got != "eth1" {
+		t.Fatalf("got %s, want eth1", got)
+	}
+}
+
+// we read chunks of /proc/net/route at a time, test that files longer than the chunk
+// size can be handled.
+func TestExtremelyLongProcNetRoute(t *testing.T) {
+	dir := t.TempDir()
+	savedProcNetRoutePath := procNetRoutePath
+	defer func() { procNetRoutePath = savedProcNetRoutePath }()
+	procNetRoutePath = filepath.Join(dir, "VeryLong")
+	f, err := os.Create(procNetRoutePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for n := 0; n <= 1000; n++ {
+		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
+		_, err := f.Write([]byte(line))
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	got, err := DefaultRouteInterface()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if got != "tokenring1" {
+		t.Fatalf("got %q, want tokenring1", got)
+	}
+}

 func BenchmarkDefaultRouteInterface(b *testing.B) {
 	b.ReportAllocs()
--- a/net/netns/netns_darwin_tailscaled.go
+++ b/net/netns/netns_darwin_tailscaled.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build darwin,!redo
+// +build darwin,!ts_macext

 package netns

--- a/net/netns/netns_default.go
+++ b/net/netns/netns_default.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build !linux,!windows,!darwin darwin,redo
+// +build !linux,!windows,!darwin darwin,ts_macext

 package netns

--- a/net/packet/packet.go
+++ b/net/packet/packet.go
@@ -12,7 +12,6 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/types/ipproto"
-	"tailscale.com/types/strbuilder"
 )

 const unknown = ipproto.Unknown
@@ -62,36 +61,17 @@ func (p *Parsed) String() string {
 		return "Unknown{???}"
 	}

-	sb := strbuilder.Get()
-	sb.WriteString(p.IPProto.String())
-	sb.WriteByte('{')
-	writeIPPort(sb, p.Src)
-	sb.WriteString(" > ")
-	writeIPPort(sb, p.Dst)
-	sb.WriteByte('}')
-	return sb.String()
-}
-
-// writeIPPort writes ipp.String() into sb, with fewer allocations.
-//
-// TODO: make netaddr more efficient in this area, and retire this func.
-func writeIPPort(sb *strbuilder.Builder, ipp netaddr.IPPort) {
-	if ipp.IP().Is4() {
-		raw := ipp.IP().As4()
-		sb.WriteUint(uint64(raw[0]))
-		sb.WriteByte('.')
-		sb.WriteUint(uint64(raw[1]))
-		sb.WriteByte('.')
-		sb.WriteUint(uint64(raw[2]))
-		sb.WriteByte('.')
-		sb.WriteUint(uint64(raw[3]))
-		sb.WriteByte(':')
-	} else {
-		sb.WriteByte('[')
-		sb.WriteString(ipp.IP().String()) // TODO: faster?
-		sb.WriteString("]:")
-	}
-	sb.WriteUint(uint64(ipp.Port()))
+	// max is the maximum reasonable length of the string we are constructing.
+	// It's OK to overshoot, as the temp buffer is allocated on the stack.
+	const max = len("ICMPv6{[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0]:65535 > [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0]:65535}")
+	b := make([]byte, 0, max)
+	b = append(b, p.IPProto.String()...)
+	b = append(b, '{')
+	b = p.Src.AppendTo(b)
+	b = append(b, ' ', '>', ' ')
+	b = p.Dst.AppendTo(b)
+	b = append(b, '}')
+	return string(b)
 }

 // Decode extracts data from the packet in b into q.
--- a/net/packet/packet_test.go
+++ b/net/packet/packet_test.go
@@ -378,11 +378,9 @@ func TestParsedString(t *testing.T) {
 		})
 	}

-	var sink string
 	allocs := testing.AllocsPerRun(1000, func() {
-		sink = tests[0].qdecode.String()
+		sinkString = tests[0].qdecode.String()
 	})
-	_ = sink
 	if allocs != 1 {
 		t.Errorf("allocs = %v; want 1", allocs)
 	}
@@ -532,3 +530,33 @@ func TestMarshalResponse(t *testing.T) {
 		})
 	}
 }
+
+var sinkString string
+
+func BenchmarkString(b *testing.B) {
+	benches := []struct {
+		name string
+		buf  []byte
+	}{
+		{"tcp4", tcp4PacketBuffer},
+		{"tcp6", tcp6RequestBuffer},
+		{"udp4", udp4RequestBuffer},
+		{"udp6", udp6RequestBuffer},
+		{"icmp4", icmp4RequestBuffer},
+		{"icmp6", icmp6PacketBuffer},
+		{"igmp", igmpPacketBuffer},
+		{"unknown", unknownPacketBuffer},
+	}
+
+	for _, bench := range benches {
+		b.Run(bench.name, func(b *testing.B) {
+			b.ReportAllocs()
+			var p Parsed
+			p.Decode(bench.buf)
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				sinkString = p.String()
+			}
+		})
+	}
+}
--- a/net/portmapper/portmapper.go
+++ b/net/portmapper/portmapper.go
@@ -17,7 +17,6 @@ import (
 	"sync"
 	"time"

-	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netns"
@@ -57,18 +56,31 @@ type Client struct {
 	pmpPubIPTime time.Time  // time pmpPubIP last verified
 	pmpLastEpoch uint32

-	pcpSawTime  time.Time // time we last saw PCP was available
-	uPnPSawTime time.Time // time we last saw UPnP was available
+	localPort uint16

-	localPort  uint16
-	pmpMapping *pmpMapping // non-nil if we have a PMP mapping
+	mapping // non-nil if we have a mapping
+
+	// Prober is this portmappers stateful mechanism for detecting when portmapping services are
+	// available on the current network. It is exposed so that clients can pause or stop probing.
+	// In order to create a prober, either call `Probe()` or `NewProber()`, which will populate
+	// this field.
+	*Prober
+}
+
+// Mapping represents a created port-mapping over some protocol.  It specifies a lease duration,
+// how to release the mapping, and whether the map is still valid.
+type mapping interface {
+	isCurrent() bool
+	release()
+	validUntil() time.Time
+	externalIPPort() netaddr.IPPort
 }

 // HaveMapping reports whether we have a current valid mapping.
 func (c *Client) HaveMapping() bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	return c.pmpMapping != nil && c.pmpMapping.useUntil.After(time.Now())
+	return c.mapping != nil && c.mapping.isCurrent()
 }

 // pmpMapping is an already-created PMP mapping.
@@ -87,6 +99,10 @@ func (m *pmpMapping) externalValid() bool {
 	return !m.external.IP().IsZero() && m.external.Port() != 0
 }

+func (p *pmpMapping) isCurrent() bool                { return p.useUntil.After(time.Now()) }
+func (p *pmpMapping) validUntil() time.Time          { return p.useUntil }
+func (p *pmpMapping) externalIPPort() netaddr.IPPort { return p.external }
+
 // release does a best effort fire-and-forget release of the PMP mapping m.
 func (m *pmpMapping) release() {
 	uc, err := netns.Listener().ListenPacket(context.Background(), "udp4", ":0")
@@ -119,8 +135,8 @@ func (c *Client) SetGatewayLookupFunc(f func() (gw, myIP netaddr.IP, ok bool)) {
 // comes back.
 func (c *Client) NoteNetworkDown() {
 	c.mu.Lock()
-	defer c.mu.Unlock()
 	c.invalidateMappingsLocked(false)
+	c.mu.Unlock()
 }

 func (c *Client) Close() error {
@@ -154,7 +170,6 @@ func (c *Client) gatewayAndSelfIP() (gw, myIP netaddr.IP, ok bool) {
 		gw = netaddr.IP{}
 		myIP = netaddr.IP{}
 	}
-
 	c.mu.Lock()
 	defer c.mu.Unlock()

@@ -167,16 +182,14 @@ func (c *Client) gatewayAndSelfIP() (gw, myIP netaddr.IP, ok bool) {
 }

 func (c *Client) invalidateMappingsLocked(releaseOld bool) {
-	if c.pmpMapping != nil {
+	if c.mapping != nil {
 		if releaseOld {
-			c.pmpMapping.release()
+			c.mapping.release()
 		}
-		c.pmpMapping = nil
+		c.mapping = nil
 	}
 	c.pmpPubIP = netaddr.IP{}
 	c.pmpPubIPTime = time.Time{}
-	c.pcpSawTime = time.Time{}
-	c.uPnPSawTime = time.Time{}
 }

 func (c *Client) sawPMPRecently() bool {
@@ -190,15 +203,19 @@ func (c *Client) sawPMPRecentlyLocked() bool {
 }

 func (c *Client) sawPCPRecently() bool {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return c.pcpSawTime.After(time.Now().Add(-trustServiceStillAvailableDuration))
+	if c.Prober == nil {
+		return false
+	}
+	present, _ := c.Prober.PCP.PresentCurrent()
+	return present
 }

 func (c *Client) sawUPnPRecently() bool {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return c.uPnPSawTime.After(time.Now().Add(-trustServiceStillAvailableDuration))
+	if c.Prober == nil {
+		return false
+	}
+	present, _ := c.Prober.UPnP.PresentCurrent()
+	return present
 }

 // closeCloserOnContextDone starts a new goroutine to call c.Close
@@ -241,6 +258,11 @@ var (
 	ErrGatewayNotFound       = errors.New("failed to look up gateway address")
 )

+// Probe starts a periodic probe and blocks until the first result of probing.
+func (c *Client) Probe(ctx context.Context) (ProbeResult, error) {
+	return c.NewProber(ctx).StatusBlock()
+}
+
 // CreateOrGetMapping either creates a new mapping or returns a cached
 // valid one.
 //
@@ -254,9 +276,10 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor

 	c.mu.Lock()
 	localPort := c.localPort
+	internalAddr := netaddr.IPPortFrom(myIP, localPort)
 	m := &pmpMapping{
 		gw:       gw,
-		internal: netaddr.IPPortFrom(myIP, localPort),
+		internal: internalAddr,
 	}

 	// prevPort is the port we had most previously, if any. We try
@@ -265,13 +288,13 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor

 	// Do we have an existing mapping that's valid?
 	now := time.Now()
-	if m := c.pmpMapping; m != nil {
-		if now.Before(m.useUntil) {
+	if m := c.mapping; m != nil {
+		if now.Before(m.validUntil()) {
 			defer c.mu.Unlock()
-			return m.external, nil
+			return m.externalIPPort(), nil
 		}
 		// The mapping might still be valid, so just try to renew it.
-		prevPort = m.external.Port()
+		prevPort = m.externalIPPort().Port()
 	}

 	// If we just did a Probe (e.g. via netchecker) but didn't
@@ -281,11 +304,11 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	if haveRecentPMP {
 		m.external = m.external.WithIP(c.pmpPubIP)
 	}
+
 	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentPMP {
 		c.mu.Unlock()
 		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
 	}
-
 	c.mu.Unlock()

 	uc, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
@@ -320,7 +343,8 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 			if ctx.Err() == context.Canceled {
 				return netaddr.IPPort{}, err
 			}
-			return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+			// switch to trying UPnP
+			break
 		}
 		srcu := srci.(*net.UDPAddr)
 		src, ok := netaddr.FromStdAddr(srcu.IP, srcu.Port, srcu.Zone)
@@ -351,10 +375,12 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 		if m.externalValid() {
 			c.mu.Lock()
 			defer c.mu.Unlock()
-			c.pmpMapping = m
+			c.mapping = m
 			return m.external, nil
 		}
 	}
+
+	return c.getUPnPPortMapping(ctx, gw, internalAddr, prevPort)
 }

 type pmpResultCode uint16
@@ -439,121 +465,6 @@ type ProbeResult struct {
 	UPnP bool
 }

-// Probe returns a summary of which port mapping services are
-// available on the network.
-//
-// If a probe has run recently and there haven't been any network changes since,
-// the returned result might be server from the Client's cache, without
-// sending any network traffic.
-func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
-	gw, myIP, ok := c.gatewayAndSelfIP()
-	if !ok {
-		return res, ErrGatewayNotFound
-	}
-	defer func() {
-		if err == nil {
-			c.mu.Lock()
-			defer c.mu.Unlock()
-			c.lastProbe = time.Now()
-		}
-	}()
-
-	uc, err := netns.Listener().ListenPacket(context.Background(), "udp4", ":0")
-	if err != nil {
-		c.logf("ProbePCP: %v", err)
-		return res, err
-	}
-	defer uc.Close()
-	ctx, cancel := context.WithTimeout(ctx, 250*time.Millisecond)
-	defer cancel()
-	defer closeCloserOnContextDone(ctx, uc)()
-
-	pcpAddr := netaddr.IPPortFrom(gw, pcpPort).UDPAddr()
-	pmpAddr := netaddr.IPPortFrom(gw, pmpPort).UDPAddr()
-	upnpAddr := netaddr.IPPortFrom(gw, upnpPort).UDPAddr()
-
-	// Don't send probes to services that we recently learned (for
-	// the same gw/myIP) are available. See
-	// https://github.com/tailscale/tailscale/issues/1001
-	if c.sawPMPRecently() {
-		res.PMP = true
-	} else {
-		uc.WriteTo(pmpReqExternalAddrPacket, pmpAddr)
-	}
-	if c.sawPCPRecently() {
-		res.PCP = true
-	} else {
-		uc.WriteTo(pcpAnnounceRequest(myIP), pcpAddr)
-	}
-	if c.sawUPnPRecently() {
-		res.UPnP = true
-	} else {
-		uc.WriteTo(uPnPPacket, upnpAddr)
-	}
-
-	buf := make([]byte, 1500)
-	pcpHeard := false // true when we get any PCP response
-	for {
-		if pcpHeard && res.PMP && res.UPnP {
-			// Nothing more to discover.
-			return res, nil
-		}
-		n, addr, err := uc.ReadFrom(buf)
-		if err != nil {
-			if ctx.Err() == context.DeadlineExceeded {
-				err = nil
-			}
-			return res, err
-		}
-		port := addr.(*net.UDPAddr).Port
-		switch port {
-		case upnpPort:
-			if mem.Contains(mem.B(buf[:n]), mem.S(":InternetGatewayDevice:")) {
-				res.UPnP = true
-				c.mu.Lock()
-				c.uPnPSawTime = time.Now()
-				c.mu.Unlock()
-			}
-		case pcpPort: // same as pmpPort
-			if pres, ok := parsePCPResponse(buf[:n]); ok {
-				if pres.OpCode == pcpOpReply|pcpOpAnnounce {
-					pcpHeard = true
-					c.mu.Lock()
-					c.pcpSawTime = time.Now()
-					c.mu.Unlock()
-					switch pres.ResultCode {
-					case pcpCodeOK:
-						c.logf("Got PCP response: epoch: %v", pres.Epoch)
-						res.PCP = true
-						continue
-					case pcpCodeNotAuthorized:
-						// A PCP service is running, but refuses to
-						// provide port mapping services.
-						res.PCP = false
-						continue
-					default:
-						// Fall through to unexpected log line.
-					}
-				}
-				c.logf("unexpected PCP probe response: %+v", pres)
-			}
-			if pres, ok := parsePMPResponse(buf[:n]); ok {
-				if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr && pres.ResultCode == pmpCodeOK {
-					c.logf("Got PMP response; IP: %v, epoch: %v", pres.PublicAddr, pres.SecondsSinceEpoch)
-					res.PMP = true
-					c.mu.Lock()
-					c.pmpPubIP = pres.PublicAddr
-					c.pmpPubIPTime = time.Now()
-					c.pmpLastEpoch = pres.SecondsSinceEpoch
-					c.mu.Unlock()
-					continue
-				}
-				c.logf("unexpected PMP probe response: %+v", pres)
-			}
-		}
-	}
-}
-
 const (
 	pcpVersion = 2
 	pcpPort    = 5351
@@ -627,14 +538,4 @@ func parsePCPResponse(b []byte) (res pcpResponse, ok bool) {
 	return res, true
 }

-const (
-	upnpPort = 1900
-)
-
-var uPnPPacket = []byte("M-SEARCH * HTTP/1.1\r\n" +
-	"HOST: 239.255.255.250:1900\r\n" +
-	"ST: ssdp:all\r\n" +
-	"MAN: \"ssdp:discover\"\r\n" +
-	"MX: 2\r\n\r\n")
-
 var pmpReqExternalAddrPacket = []byte{0, 0} // version 0, opcode 0 = "Public address request"
--- a/net/portmapper/portmapper_test.go
+++ b/net/portmapper/portmapper_test.go
@@ -32,12 +32,13 @@ func TestClientProbe(t *testing.T) {
 		t.Skip("skipping test without HIT_NETWORK=1")
 	}
 	c := NewClient(t.Logf)
-	for i := 0; i < 2; i++ {
+	c.NewProber(context.Background())
+	for i := 0; i < 30; i++ {
 		if i > 0 {
 			time.Sleep(100 * time.Millisecond)
 		}
-		res, err := c.Probe(context.Background())
-		t.Logf("Got: %+v, %v", res, err)
+		res, err := c.Prober.CurrentStatus()
+		t.Logf("Got(t=%dms): %+v, %v", i*100, res, err)
 	}
 }

--- a/net/portmapper/probe.go
+++ b/net/portmapper/probe.go
@@ -0,0 +1,337 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+package portmapper
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"inet.af/netaddr"
+	"tailscale.com/net/netns"
+)
+
+// Prober periodically pings the network and checks for port-mapping services.
+type Prober struct {
+	// pause signals the probe to either pause temporarily (true), or stop entirely (false)
+	// to restart the probe, send another pause to it.
+	pause chan<- bool
+
+	// Each of the SubResults below is intended to expose whether a specific service is available
+	// for use on a client, and the most recent seen time. Should not be modified externally, and
+	// will be periodically updated.
+
+	// PMP stores the result of probing pmp services and is populated by prober.
+	PMP ProbeSubResult
+	// PCP stores the result of probing pcp services and is populated by prober.
+	PCP ProbeSubResult
+
+	// upnpClient is a reused upnpClient for probing upnp results.
+	upnpClient upnpClient
+	// PCP stores the result of probing pcp services and is populated by prober.
+	UPnP ProbeSubResult
+}
+
+// NewProber creates a new prober for a given client.
+func (c *Client) NewProber(ctx context.Context) *Prober {
+	if c.Prober != nil {
+		return c.Prober
+	}
+	pause := make(chan bool)
+	p := &Prober{
+		pause: pause,
+
+		PMP:  NewProbeSubResult(),
+		PCP:  NewProbeSubResult(),
+		UPnP: NewProbeSubResult(),
+	}
+	c.Prober = p
+
+	go func() {
+		for {
+			pmpCtx, cancel := context.WithTimeout(ctx, portMapServiceTimeout)
+			hasPCP, hasPMP, err := c.probePMPAndPCP(pmpCtx)
+			if err != nil {
+				if ctx.Err() == context.DeadlineExceeded {
+					err = nil
+					// the global context has passed, exit cleanly
+					cancel()
+					return
+				}
+				if pmpCtx.Err() == context.DeadlineExceeded {
+					err = nil
+				}
+			}
+			cancel()
+			p.PMP.Set(hasPMP, err)
+			p.PCP.Set(hasPCP, err)
+
+			t := time.NewTimer(trustServiceStillAvailableDuration * 3 / 4)
+
+			select {
+			case should_pause := <-pause:
+				if !should_pause {
+					t.Stop()
+					return
+				}
+				restart := <-pause
+				if !restart {
+					t.Stop()
+					return
+				}
+			case <-t.C: // break through and retry the connection
+			}
+		}
+	}()
+
+	go func() {
+		// Do not timeout on getting an initial client, as we can reuse it so paying an initial cost
+		// is fine.
+		upnpClient, err := getUPnPClient(ctx)
+		if upnpClient == nil || err != nil {
+			p.UPnP.Set(false, err)
+			return
+		}
+		p.upnpClient = upnpClient
+		defer func() {
+			// unset client when no longer using it.
+			p.upnpClient = nil
+			upnpClient.RequestTermination(context.Background())
+		}()
+		// TODO maybe do something fancy/dynamic with more delay (exponential back-off)
+		for {
+			upnpCtx, cancel := context.WithTimeout(ctx, portMapServiceTimeout*5)
+			retries := 0
+			hasUPnP := false
+			const num_connect_retries = 5
+			for retries < num_connect_retries {
+				status, _, _, statusErr := p.upnpClient.GetStatusInfo(upnpCtx)
+				if statusErr != nil {
+					err = statusErr
+					break
+				}
+				hasUPnP = hasUPnP || status == "Connected"
+				if status == "Disconnected" {
+					upnpClient.RequestConnection(upnpCtx)
+				}
+				retries += 1
+			}
+			// need to manually check these since GetStatusInfo doesn't take a context
+			if ctx.Err() == context.DeadlineExceeded {
+				err = nil
+				// the global context has passed, exit cleanly
+				cancel()
+				return
+			}
+			if upnpCtx.Err() == context.DeadlineExceeded {
+				err = nil
+			}
+			cancel()
+			p.UPnP.Set(hasUPnP, err)
+
+			t := time.NewTimer(trustServiceStillAvailableDuration * 3 / 4)
+
+			select {
+			case should_pause := <-pause:
+				if !should_pause {
+					t.Stop()
+					return
+				}
+				restart := <-pause
+				if !restart {
+					t.Stop()
+					return
+				}
+			case <-t.C: // break through and retry the connection
+			}
+		}
+	}()
+
+	return p
+}
+
+// Stop gracefully turns the Prober off, completing the current probes before exiting.
+func (p *Prober) Stop() { close(p.pause) }
+
+// Pauses the prober if currently running, or starts if it was previously paused.
+func (p *Prober) Toggle() { p.pause <- true }
+
+// CurrentStatus returns the current results of the prober, regardless of whether they have
+// completed or not.
+func (p *Prober) CurrentStatus() (res ProbeResult, err error) {
+	hasPMP, errPMP := p.PMP.PresentCurrent()
+	res.PMP = hasPMP
+	err = errPMP
+
+	hasUPnP, errUPnP := p.UPnP.PresentCurrent()
+	res.UPnP = hasUPnP
+	if err == nil {
+		err = errUPnP
+	}
+
+	hasPCP, errPCP := p.PCP.PresentCurrent()
+	res.PCP = hasPCP
+	if err == nil {
+		err = errPCP
+	}
+	return
+}
+
+// Blocks until the current probe gets any result.
+func (p *Prober) StatusBlock() (res ProbeResult, err error) {
+	hasPMP, errPMP := p.PMP.PresentBlock()
+	res.PMP = hasPMP
+	err = errPMP
+
+	hasUPnP, errUPnP := p.UPnP.PresentBlock()
+	res.UPnP = hasUPnP
+	if err == nil {
+		err = errUPnP
+	}
+
+	hasPCP, errPCP := p.PCP.PresentBlock()
+	res.PCP = hasPCP
+	if err == nil {
+		err = errPCP
+	}
+	return
+}
+
+// ProbeSubResult is a result for a single probing service.
+type ProbeSubResult struct {
+	cond *sync.Cond
+	// If this probe has finished, regardless of success or failure
+	completed bool
+
+	// whether or not this feature is present
+	present bool
+	// most recent error
+	err error
+
+	// Time we last saw the service to be available.
+	sawTime time.Time
+}
+
+func NewProbeSubResult() ProbeSubResult {
+	return ProbeSubResult{
+		cond: &sync.Cond{
+			L: &sync.Mutex{},
+		},
+	}
+}
+
+// PresentBlock blocks until the probe completes, then returns the result.
+func (psr *ProbeSubResult) PresentBlock() (bool, error) {
+	psr.cond.L.Lock()
+	defer psr.cond.L.Unlock()
+	for !psr.completed {
+		psr.cond.Wait()
+	}
+	return psr.present, psr.err
+}
+
+// PresentCurrent returns the current state, regardless whether or not the probe has completed.
+func (psr *ProbeSubResult) PresentCurrent() (bool, error) {
+	psr.cond.L.Lock()
+	defer psr.cond.L.Unlock()
+	present := psr.present && psr.sawTime.After(time.Now().Add(-trustServiceStillAvailableDuration))
+	return present, psr.err
+}
+
+// Assigns the result of the probe and any error seen, signalling to any items waiting for this
+// result that it is now available.
+func (psr *ProbeSubResult) Set(present bool, err error) {
+	saw := time.Now()
+	psr.cond.L.Lock()
+	psr.sawTime = saw
+	psr.completed = true
+	psr.err = err
+	psr.present = present
+	psr.cond.L.Unlock()
+
+	psr.cond.Broadcast()
+}
+
+func (c *Client) probePMPAndPCP(ctx context.Context) (pcp bool, pmp bool, err error) {
+	gw, myIP, ok := c.gatewayAndSelfIP()
+	if !ok {
+		return false, false, ErrGatewayNotFound
+	}
+
+	uc, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
+	if err != nil {
+		c.logf("ProbePCP/PMP: %v", err)
+		return false, false, err
+	}
+	defer uc.Close()
+	defer closeCloserOnContextDone(ctx, uc)()
+
+	pcpAddr := netaddr.IPPortFrom(gw, pcpPort).UDPAddr()
+	pmpAddr := netaddr.IPPortFrom(gw, pmpPort).UDPAddr()
+
+	// Don't send probes to services that we recently learned (for
+	// the same gw/myIP) are available. See
+	// https://github.com/tailscale/tailscale/issues/1001
+	if c.sawPMPRecently() {
+		pmp = true
+	} else {
+		uc.WriteTo(pmpReqExternalAddrPacket, pmpAddr)
+	}
+	if c.sawPCPRecently() {
+		pcp = true
+	} else {
+		uc.WriteTo(pcpAnnounceRequest(myIP), pcpAddr)
+	}
+
+	buf := make([]byte, 1500)
+	pcpHeard := false // true when we get any PCP response
+	for {
+		if pcpHeard && pmp {
+			// Nothing more to discover.
+			return
+		}
+		n, _, err := uc.ReadFrom(buf)
+		if err != nil {
+			if ctx.Err() == context.DeadlineExceeded {
+				err = nil
+			}
+			return pcp, pmp, err
+		}
+		if pres, ok := parsePCPResponse(buf[:n]); ok {
+			if pres.OpCode == pcpOpReply|pcpOpAnnounce {
+				pcpHeard = true
+				//c.mu.Lock()
+				//c.pcpSawTime = time.Now()
+				//c.mu.Unlock()
+				switch pres.ResultCode {
+				case pcpCodeOK:
+					c.logf("Got PCP response: epoch: %v", pres.Epoch)
+					pcp = true
+					continue
+				case pcpCodeNotAuthorized:
+					// A PCP service is running, but refuses to
+					// provide port mapping services.
+					pcp = false
+					continue
+				default:
+					// Fall through to unexpected log line.
+				}
+			}
+			c.logf("unexpected PCP probe response: %+v", pres)
+		}
+		if pres, ok := parsePMPResponse(buf[:n]); ok {
+			if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr && pres.ResultCode == pmpCodeOK {
+				c.logf("Got PMP response; IP: %v, epoch: %v", pres.PublicAddr, pres.SecondsSinceEpoch)
+				pmp = true
+				c.mu.Lock()
+				c.pmpPubIP = pres.PublicAddr
+				c.pmpPubIPTime = time.Now()
+				c.pmpLastEpoch = pres.SecondsSinceEpoch
+				c.mu.Unlock()
+				continue
+			}
+			c.logf("unexpected PMP probe response: %+v", pres)
+		}
+	}
+}
--- a/net/portmapper/probe_test.go
+++ b/net/portmapper/probe_test.go
@@ -0,0 +1,26 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package portmapper
+
+import (
+	"context"
+	"os"
+	"strconv"
+	"testing"
+	"time"
+)
+
+func TestClientProber(t *testing.T) {
+	if v, _ := strconv.ParseBool(os.Getenv("HIT_NETWORK")); !v {
+		t.Skip("skipping test without HIT_NETWORK=1")
+	}
+	c := NewClient(t.Logf)
+	ctx := context.Background()
+	prober := c.NewProber(ctx)
+	time.Sleep(3 * time.Second)
+	prober.Stop()
+	res, err := prober.CurrentStatus()
+	t.Logf("Got: %+v, %v", res, err)
+}
--- a/net/portmapper/upnp.go
+++ b/net/portmapper/upnp.go
@@ -0,0 +1,202 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+package portmapper
+
+import (
+	"context"
+	"time"
+
+	"golang.org/x/sync/errgroup"
+	"inet.af/netaddr"
+	"tailscale.com/tempfork/upnp/dcps/internetgateway2"
+)
+
+type upnpMapping struct {
+	gw       netaddr.IP
+	external netaddr.IPPort
+	internal netaddr.IPPort
+	useUntil time.Time
+	client   upnpClient
+}
+
+func (u *upnpMapping) isCurrent() bool                { return u.useUntil.After(time.Now()) }
+func (u *upnpMapping) validUntil() time.Time          { return u.useUntil }
+func (u *upnpMapping) externalIPPort() netaddr.IPPort { return u.external }
+func (u *upnpMapping) release() {
+	u.client.DeletePortMapping(context.Background(), "", u.external.Port(), "udp")
+}
+
+type upnpClient interface {
+	// http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf
+	// Implicitly assume that the calls for all these are uniform, which might be a dangerous
+	// assumption.
+	AddPortMapping(
+		ctx context.Context,
+		newRemoteHost string,
+		newExternalPort uint16,
+		newProtocol string,
+		newInternalPort uint16,
+		newInternalClient string,
+		newEnabled bool,
+		newPortMappingDescription string,
+		newLeaseDuration uint32,
+	) (err error)
+
+	DeletePortMapping(ctx context.Context, newRemoteHost string, newExternalPort uint16, newProtocol string) error
+	GetStatusInfo(ctx context.Context) (status string, lastErr string, uptime uint32, err error)
+	GetExternalIPAddress(ctx context.Context) (externalIPAddress string, err error)
+
+	RequestTermination(ctx context.Context) error
+	RequestConnection(ctx context.Context) error
+}
+
+// addAnyPortMapping abstracts over different UPnP client connections, calling the available
+// AddAnyPortMapping call if available, otherwise defaulting to the old behavior of calling
+// AddPortMapping with port = 0 to specify a wildcard port.
+func addAnyPortMapping(
+	ctx context.Context,
+	upnp upnpClient,
+	newRemoteHost string,
+	newExternalPort uint16,
+	newProtocol string,
+	newInternalPort uint16,
+	newInternalClient string,
+	newEnabled bool,
+	newPortMappingDescription string,
+	newLeaseDuration uint32,
+) (newPort uint16, err error) {
+	if upnp, ok := upnp.(*internetgateway2.WANIPConnection2); ok {
+		return upnp.AddAnyPortMapping(
+			ctx,
+			newRemoteHost,
+			newExternalPort,
+			newProtocol,
+			newInternalPort,
+			newInternalClient,
+			newEnabled,
+			newPortMappingDescription,
+			newLeaseDuration,
+		)
+	}
+	err = upnp.AddPortMapping(
+		ctx,
+		newRemoteHost,
+		newExternalPort,
+		newProtocol,
+		newInternalPort,
+		newInternalClient,
+		newEnabled,
+		newPortMappingDescription,
+		newLeaseDuration,
+	)
+	return newInternalPort, err
+}
+
+// getUPnPClients gets a client for interfacing with UPnP, ignoring the underlying protocol for
+// now.
+// Adapted from https://github.com/huin/goupnp/blob/master/GUIDE.md.
+func getUPnPClient(ctx context.Context) (upnpClient, error) {
+	tasks, _ := errgroup.WithContext(ctx)
+	// Attempt to connect over the multiple available connection types.
+	var ip1Clients []*internetgateway2.WANIPConnection1
+	tasks.Go(func() error {
+		var err error
+		ip1Clients, _, err = internetgateway2.NewWANIPConnection1Clients()
+		return err
+	})
+	var ip2Clients []*internetgateway2.WANIPConnection2
+	tasks.Go(func() error {
+		var err error
+		ip2Clients, _, err = internetgateway2.NewWANIPConnection2Clients()
+		return err
+	})
+	var ppp1Clients []*internetgateway2.WANPPPConnection1
+	tasks.Go(func() error {
+		var err error
+		ppp1Clients, _, err = internetgateway2.NewWANPPPConnection1Clients()
+		return err
+	})
+
+	err := tasks.Wait()
+
+	switch {
+	case len(ip2Clients) > 0:
+		return ip2Clients[0], nil
+	case len(ip1Clients) > 0:
+		return ip1Clients[0], nil
+	case len(ppp1Clients) > 0:
+		return ppp1Clients[0], nil
+	default:
+		// Didn't get any outputs, report if there was an error or nil if
+		// just no clients.
+		return nil, err
+	}
+}
+
+// getUPnPPortMapping will attempt to create a port-mapping over the UPnP protocol. On success,
+// it will return the externally exposed IP and port. Otherwise, it will return a zeroed IP and
+// port and an error.
+func (c *Client) getUPnPPortMapping(ctx context.Context, gw netaddr.IP, internal netaddr.IPPort,
+	prevPort uint16) (external netaddr.IPPort, err error) {
+	// If did not see UPnP within the past 5 seconds then bail
+	haveRecentUPnP := c.sawUPnPRecently()
+	now := time.Now()
+	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentUPnP {
+		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+	}
+	// Otherwise try a uPnP mapping if PMP did not work
+	mpnp := &upnpMapping{
+		gw:       gw,
+		internal: internal,
+	}
+
+	var client upnpClient
+	c.mu.Lock()
+	oldMapping, ok := c.mapping.(*upnpMapping)
+	c.mu.Unlock()
+	if ok && oldMapping != nil {
+		client = oldMapping.client
+	} else if c.Prober != nil && c.Prober.upnpClient != nil {
+		client = c.Prober.upnpClient
+	} else {
+		client, err = getUPnPClient(ctx)
+		if err != nil {
+			return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+		}
+	}
+	if client == nil {
+		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+	}
+
+	var newPort uint16
+	newPort, err = addAnyPortMapping(
+		ctx, client,
+		"", prevPort, "UDP", internal.Port(), internal.IP().String(), true,
+		// string below is just a name for reporting on device.
+		"tailscale-portmap", pmpMapLifetimeSec,
+	)
+	if err != nil {
+		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+	}
+	// TODO cache this ip somewhere?
+	extIP, err := client.GetExternalIPAddress(ctx)
+	if err != nil {
+		// TODO this doesn't seem right
+		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+	}
+	externalIP, err := netaddr.ParseIP(extIP)
+	if err != nil {
+		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+	}
+
+	mpnp.external = netaddr.IPPortFrom(externalIP, newPort)
+	d := time.Duration(pmpMapLifetimeSec) * time.Second / 2
+	mpnp.useUntil = time.Now().Add(d)
+	mpnp.client = client
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.mapping = mpnp
+	c.localPort = newPort
+	return mpnp.external, nil
+}
--- a/net/tsaddr/tsaddr.go
+++ b/net/tsaddr/tsaddr.go
@@ -41,12 +41,9 @@ var (
 // TailscaleServiceIP returns the listen address of services
 // provided by Tailscale itself such as the MagicDNS proxy.
 func TailscaleServiceIP() netaddr.IP {
-	serviceIP.Do(func() { mustIP(&serviceIP.v, "100.100.100.100") })
-	return serviceIP.v
+	return netaddr.IPv4(100, 100, 100, 100) // "100.100.100.100" for those grepping
 }

-var serviceIP onceIP
-
 // IsTailscaleIP reports whether ip is an IP address in a range that
 // Tailscale assigns from.
 func IsTailscaleIP(ip netaddr.IP) bool {
@@ -126,19 +123,6 @@ type oncePrefix struct {
 	v netaddr.IPPrefix
 }

-func mustIP(v *netaddr.IP, ip string) {
-	var err error
-	*v, err = netaddr.ParseIP(ip)
-	if err != nil {
-		panic(err)
-	}
-}
-
-type onceIP struct {
-	sync.Once
-	v netaddr.IP
-}
-
 // NewContainsIPFunc returns a func that reports whether ip is in addrs.
 //
 // It's optimized for the cases of addrs being empty and addrs
--- a/net/tsaddr/tsaddr_test.go
+++ b/net/tsaddr/tsaddr_test.go
@@ -93,3 +93,11 @@ func TestNewContainsIPFunc(t *testing.T) {
 		t.Fatal("bad")
 	}
 }
+
+var sinkIP netaddr.IP
+
+func BenchmarkTailscaleServiceAddr(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		sinkIP = TailscaleServiceIP()
+	}
+}
--- a/net/tstun/fake.go
+++ b/net/tstun/fake.go
@@ -8,7 +8,7 @@ import (
 	"io"
 	"os"

-	"github.com/tailscale/wireguard-go/tun"
+	"golang.zx2c4.com/wireguard/tun"
 )

 type fakeTUN struct {
--- a/net/tstun/ifstatus_noop.go
+++ b/net/tstun/ifstatus_noop.go
@@ -9,7 +9,7 @@ package tstun
 import (
 	"time"

-	"github.com/tailscale/wireguard-go/tun"
+	"golang.zx2c4.com/wireguard/tun"
 	"tailscale.com/types/logger"
 )

--- a/net/tstun/ifstatus_windows.go
+++ b/net/tstun/ifstatus_windows.go
@@ -9,7 +9,7 @@ import (
 	"sync"
 	"time"

-	"github.com/tailscale/wireguard-go/tun"
+	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/types/logger"
 )
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -11,27 +11,34 @@ import (
 	"os"
 	"os/exec"
 	"runtime"
+	"strconv"
 	"time"

-	"github.com/tailscale/wireguard-go/tun"
+	"golang.zx2c4.com/wireguard/tun"
 	"tailscale.com/types/logger"
 	"tailscale.com/version/distro"
 )

-// minimalMTU is the MTU we set on tailscale's TUN
-// interface. wireguard-go defaults to 1420 bytes, which only works if
-// the "outer" MTU is 1500 bytes. This breaks on DSL connections
-// (typically 1492 MTU) and on GCE (1460 MTU?!).
+// tunMTU is the MTU we set on tailscale's TUN interface. wireguard-go
+// defaults to 1420 bytes, which only works if the "outer" MTU is 1500
+// bytes. This breaks on DSL connections (typically 1492 MTU) and on
+// GCE (1460 MTU?!).
 //
 // 1280 is the smallest MTU allowed for IPv6, which is a sensible
 // "probably works everywhere" setting until we develop proper PMTU
 // discovery.
-const minimalMTU = 1280
+var tunMTU = 1280
+
+func init() {
+	if mtu, _ := strconv.Atoi(os.Getenv("TS_DEBUG_MTU")); mtu != 0 {
+		tunMTU = mtu
+	}
+}

 // New returns a tun.Device for the requested device name, along with
 // the OS-dependent name that was allocated to the device.
 func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
-	dev, err := tun.CreateTUN(tunName, minimalMTU)
+	dev, err := tun.CreateTUN(tunName, tunMTU)
 	if err != nil {
 		return nil, "", err
 	}
--- a/net/tstun/tun_notwindows.go
+++ b/net/tstun/tun_notwindows.go
@@ -6,7 +6,7 @@

 package tstun

-import "github.com/tailscale/wireguard-go/tun"
+import "golang.zx2c4.com/wireguard/tun"

 func interfaceName(dev tun.Device) (string, error) {
 	return dev.Name()
--- a/net/tstun/tun_windows.go
+++ b/net/tstun/tun_windows.go
@@ -5,9 +5,9 @@
 package tstun

 import (
-	"github.com/tailscale/wireguard-go/tun"
-	"github.com/tailscale/wireguard-go/tun/wintun"
 	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/tun"
+	"golang.zx2c4.com/wireguard/tun/wintun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )

--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -14,8 +14,8 @@ import (
 	"sync/atomic"
 	"time"

-	"github.com/tailscale/wireguard-go/device"
-	"github.com/tailscale/wireguard-go/tun"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
 	"inet.af/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
--- a/net/tstun/wrap_test.go
+++ b/net/tstun/wrap_test.go
@@ -14,7 +14,7 @@ import (
 	"testing"
 	"unsafe"

-	"github.com/tailscale/wireguard-go/tun/tuntest"
+	"golang.zx2c4.com/wireguard/tun/tuntest"
 	"inet.af/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
@@ -146,7 +146,8 @@ func setfilter(logf logger.Logf, tun *Wrapper) {
 	}
 	var sb netaddr.IPSetBuilder
 	sb.AddPrefix(netaddr.MustParseIPPrefix("1.2.0.0/16"))
-	tun.SetFilter(filter.New(matches, sb.IPSet(), sb.IPSet(), nil, logf))
+	ipSet, _ := sb.IPSet()
+	tun.SetFilter(filter.New(matches, ipSet, ipSet, nil, logf))
 }

 func newChannelTUN(logf logger.Logf, secure bool) (*tuntest.ChannelTUN, *Wrapper) {
--- a/packages/deb/deb.go
+++ b/packages/deb/deb.go
@@ -0,0 +1,184 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package deb extracts metadata from Debian packages.
+package deb
+
+import (
+	"archive/tar"
+	"bufio"
+	"bytes"
+	"compress/gzip"
+	"crypto/md5"
+	"crypto/sha1"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+)
+
+// Info is the Debian package metadata needed to integrate the package
+// into a repository.
+type Info struct {
+	// Version is the version of the package, as reported by dpkg.
+	Version string
+	// Arch is the Debian CPU architecture the package is for.
+	Arch string
+	// Control is the entire contents of the package's control file,
+	// with leading and trailing whitespace removed.
+	Control []byte
+	// MD5 is the MD5 hash of the package file.
+	MD5 []byte
+	// SHA1 is the SHA1 hash of the package file.
+	SHA1 []byte
+	// SHA256 is the SHA256 hash of the package file.
+	SHA256 []byte
+}
+
+// ReadFile returns Debian package metadata from the .deb file at path.
+func ReadFile(path string) (*Info, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	return Read(f)
+}
+
+// Read returns Debian package metadata from the .deb file in r.
+func Read(r io.Reader) (*Info, error) {
+	b := bufio.NewReader(r)
+
+	m5, s1, s256 := md5.New(), sha1.New(), sha256.New()
+	summers := io.MultiWriter(m5, s1, s256)
+	r = io.TeeReader(b, summers)
+
+	t, err := findControlTar(r)
+	if err != nil {
+		return nil, fmt.Errorf("searching for control.tar.gz: %w", err)
+	}
+
+	control, err := findControlFile(t)
+	if err != nil {
+		return nil, fmt.Errorf("searching for control file in control.tar.gz: %w", err)
+	}
+
+	arch, version, err := findArchAndVersion(control)
+	if err != nil {
+		return nil, fmt.Errorf("extracting version and architecture from control file: %w", err)
+	}
+
+	// Exhaust the remainder of r, so that the summers see the entire file.
+	if _, err := io.Copy(ioutil.Discard, r); err != nil {
+		return nil, fmt.Errorf("hashing file: %w", err)
+	}
+
+	return &Info{
+		Version: version,
+		Arch:    arch,
+		Control: control,
+		MD5:     m5.Sum(nil),
+		SHA1:    s1.Sum(nil),
+		SHA256:  s256.Sum(nil),
+	}, nil
+}
+
+// findControlTar reads r as an `ar` archive, finds a tarball named
+// `control.tar.gz` within, and returns a reader for that file.
+func findControlTar(r io.Reader) (tarReader io.Reader, err error) {
+	var magic [8]byte
+	if _, err := io.ReadFull(r, magic[:]); err != nil {
+		return nil, fmt.Errorf("reading ar magic: %w", err)
+	}
+	if string(magic[:]) != "!<arch>\n" {
+		return nil, fmt.Errorf("not an ar file (bad magic %q)", magic)
+	}
+
+	for {
+		var hdr [60]byte
+		if _, err := io.ReadFull(r, hdr[:]); err != nil {
+			return nil, fmt.Errorf("reading file header: %w", err)
+		}
+		filename := strings.TrimSpace(string(hdr[:16]))
+		size, err := strconv.ParseInt(strings.TrimSpace(string(hdr[48:58])), 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("reading size of file %q: %w", filename, err)
+		}
+		if filename == "control.tar.gz" {
+			return io.LimitReader(r, size), nil
+		}
+
+		// files in ar are padded out to 2 bytes.
+		if size%2 == 1 {
+			size++
+		}
+		if _, err := io.CopyN(ioutil.Discard, r, size); err != nil {
+			return nil, fmt.Errorf("seeking past file %q: %w", filename, err)
+		}
+	}
+}
+
+// findControlFile reads r as a tar.gz archive, finds a file named
+// `control` within, and returns its contents.
+func findControlFile(r io.Reader) (control []byte, err error) {
+	gz, err := gzip.NewReader(r)
+	if err != nil {
+		return nil, fmt.Errorf("decompressing control.tar.gz: %w", err)
+	}
+	defer gz.Close()
+
+	tr := tar.NewReader(gz)
+	for {
+		hdr, err := tr.Next()
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				return nil, errors.New("EOF while looking for control file in control.tar.gz")
+			}
+			return nil, fmt.Errorf("reading tar header: %w", err)
+		}
+
+		if filepath.Clean(hdr.Name) != "control" {
+			continue
+		}
+
+		// Found control file
+		break
+	}
+
+	bs, err := ioutil.ReadAll(tr)
+	if err != nil {
+		return nil, fmt.Errorf("reading control file: %w", err)
+	}
+
+	return bytes.TrimSpace(bs), nil
+}
+
+var (
+	archKey    = []byte("Architecture:")
+	versionKey = []byte("Version:")
+)
+
+// findArchAndVersion extracts the architecture and version strings
+// from the given control file.
+func findArchAndVersion(control []byte) (arch string, version string, err error) {
+	b := bytes.NewBuffer(control)
+	for {
+		l, err := b.ReadBytes('\n')
+		if err != nil {
+			return "", "", err
+		}
+		if bytes.HasPrefix(l, archKey) {
+			arch = string(bytes.TrimSpace(l[len(archKey):]))
+		} else if bytes.HasPrefix(l, versionKey) {
+			version = string(bytes.TrimSpace(l[len(versionKey):]))
+		}
+		if arch != "" && version != "" {
+			return arch, version, nil
+		}
+	}
+}
--- a/packages/deb/deb_test.go
+++ b/packages/deb/deb_test.go
@@ -0,0 +1,202 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package deb
+
+import (
+	"bytes"
+	"crypto/md5"
+	"crypto/sha1"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"hash"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/goreleaser/nfpm"
+	_ "github.com/goreleaser/nfpm/deb"
+)
+
+func TestDebInfo(t *testing.T) {
+	tests := []struct {
+		name    string
+		in      []byte
+		want    *Info
+		wantErr bool
+	}{
+		{
+			name: "simple",
+			in:   mkTestDeb("1.2.3", "amd64"),
+			want: &Info{
+				Version: "1.2.3",
+				Arch:    "amd64",
+				Control: mkControl(
+					"Package", "tailscale",
+					"Version", "1.2.3",
+					"Section", "net",
+					"Priority", "extra",
+					"Architecture", "amd64",
+					"Installed-Size", "0",
+					"Description", "test package"),
+			},
+		},
+		{
+			name: "arm64",
+			in:   mkTestDeb("1.2.3", "arm64"),
+			want: &Info{
+				Version: "1.2.3",
+				Arch:    "arm64",
+				Control: mkControl(
+					"Package", "tailscale",
+					"Version", "1.2.3",
+					"Section", "net",
+					"Priority", "extra",
+					"Architecture", "arm64",
+					"Installed-Size", "0",
+					"Description", "test package"),
+			},
+		},
+		{
+			name: "unstable",
+			in:   mkTestDeb("1.7.25", "amd64"),
+			want: &Info{
+				Version: "1.7.25",
+				Arch:    "amd64",
+				Control: mkControl(
+					"Package", "tailscale",
+					"Version", "1.7.25",
+					"Section", "net",
+					"Priority", "extra",
+					"Architecture", "amd64",
+					"Installed-Size", "0",
+					"Description", "test package"),
+			},
+		},
+
+		// These truncation tests assume the structure of a .deb
+		// package, which is as follows:
+		//  magic: 8 bytes
+		//  file header: 60 bytes, before each file blob
+		//
+		// The first file in a .deb ar is "debian-binary", which is 4
+		// bytes long and consists of "2.0\n".
+		// The second file is control.tar.gz, which is what we care
+		// about introspecting for metadata.
+		// The final file is data.tar.gz, which we don't care about.
+		//
+		// The first file in control.tar.gz is the "control" file we
+		// want to read for metadata.
+		{
+			name:    "truncated_ar_magic",
+			in:      mkTestDeb("1.7.25", "amd64")[:4],
+			wantErr: true,
+		},
+		{
+			name:    "truncated_ar_header",
+			in:      mkTestDeb("1.7.25", "amd64")[:30],
+			wantErr: true,
+		},
+		{
+			name: "missing_control_tgz",
+			// Truncate right after the "debian-binary" file, which
+			// makes the file a valid 1-file archive that's missing
+			// control.tar.gz.
+			in:      mkTestDeb("1.7.25", "amd64")[:72],
+			wantErr: true,
+		},
+		{
+			name:    "truncated_tgz",
+			in:      mkTestDeb("1.7.25", "amd64")[:172],
+			wantErr: true,
+		},
+	}
+
+	for _, test := range tests {
+		// mkTestDeb returns non-deterministic output due to
+		// timestamps embedded in the package file, so compute the
+		// wanted hashes on the fly here.
+		if test.want != nil {
+			test.want.MD5 = mkHash(test.in, md5.New)
+			test.want.SHA1 = mkHash(test.in, sha1.New)
+			test.want.SHA256 = mkHash(test.in, sha256.New)
+		}
+
+		t.Run(test.name, func(t *testing.T) {
+			b := bytes.NewBuffer(test.in)
+			got, err := Read(b)
+			if err != nil {
+				if test.wantErr {
+					t.Logf("got expected error: %v", err)
+					return
+				}
+				t.Fatalf("reading deb info: %v", err)
+			}
+			if diff := diff(got, test.want); diff != "" {
+				t.Fatalf("parsed info diff (-got+want):\n%s", diff)
+			}
+		})
+	}
+}
+
+func diff(got, want interface{}) string {
+	matchField := func(name string) func(p cmp.Path) bool {
+		return func(p cmp.Path) bool {
+			if len(p) != 3 {
+				return false
+			}
+			return p[2].String() == "."+name
+		}
+	}
+	toLines := cmp.Transformer("lines", func(b []byte) []string { return strings.Split(string(b), "\n") })
+	toHex := cmp.Transformer("hex", func(b []byte) string { return hex.EncodeToString(b) })
+	return cmp.Diff(got, want,
+		cmp.FilterPath(matchField("Control"), toLines),
+		cmp.FilterPath(matchField("MD5"), toHex),
+		cmp.FilterPath(matchField("SHA1"), toHex),
+		cmp.FilterPath(matchField("SHA256"), toHex))
+}
+
+func mkTestDeb(version, arch string) []byte {
+	info := nfpm.WithDefaults(&nfpm.Info{
+		Name:        "tailscale",
+		Description: "test package",
+		Arch:        arch,
+		Platform:    "linux",
+		Version:     version,
+		Section:     "net",
+		Priority:    "extra",
+	})
+
+	pkg, err := nfpm.Get("deb")
+	if err != nil {
+		panic(fmt.Sprintf("getting deb packager: %v", err))
+	}
+
+	var b bytes.Buffer
+	if err := pkg.Package(info, &b); err != nil {
+		panic(fmt.Sprintf("creating deb package: %v", err))
+	}
+
+	return b.Bytes()
+}
+
+func mkControl(fs ...string) []byte {
+	if len(fs)%2 != 0 {
+		panic("odd number of control file fields")
+	}
+	var b bytes.Buffer
+	for i := 0; i < len(fs); i = i + 2 {
+		k, v := fs[i], fs[i+1]
+		fmt.Fprintf(&b, "%s: %s\n", k, v)
+	}
+	return bytes.TrimSpace(b.Bytes())
+}
+
+func mkHash(b []byte, hasher func() hash.Hash) []byte {
+	h := hasher()
+	h.Write(b)
+	return h.Sum(nil)
+}
--- a/paths/paths.go
+++ b/paths/paths.go
@@ -11,11 +11,13 @@ import (
 	"path/filepath"
 	"runtime"
 	"sync/atomic"
+
+	"tailscale.com/version/distro"
 )

-// IOSSharedDir is a string set by the iOS app on start
+// AppSharedDir is a string set by the iOS or Android app on start
 // containing a directory we can read/write in.
-var IOSSharedDir atomic.Value
+var AppSharedDir atomic.Value

 // DefaultTailscaledSocket returns the path to the tailscaled Unix socket
 // or the empty string if there's no reasonable default.
@@ -26,11 +28,15 @@ func DefaultTailscaledSocket() string {
 	if runtime.GOOS == "darwin" {
 		return "/var/run/tailscaled.socket"
 	}
-	if runtime.GOOS == "linux" {
-		// TODO(crawshaw): does this path change with DSM7?
-		const synologySock = "/volume1/@appstore/Tailscale/var/tailscaled.sock" // SYNOPKG_PKGDEST in scripts/installer
-		if fi, err := os.Stat(filepath.Dir(synologySock)); err == nil && fi.IsDir() {
-			return synologySock
+	if distro.Get() == distro.Synology {
+		// TODO(maisem): be smarter about this. We can parse /etc/VERSION.
+		const dsm6Sock = "/var/packages/Tailscale/etc/tailscaled.sock"
+		const dsm7Sock = "/var/packages/Tailscale/var/tailscaled.sock"
+		if fi, err := os.Stat(dsm6Sock); err == nil && !fi.IsDir() {
+			return dsm6Sock
+		}
+		if fi, err := os.Stat(dsm7Sock); err == nil && !fi.IsDir() {
+			return dsm7Sock
 		}
 	}
 	if fi, err := os.Stat("/var/run"); err == nil && fi.IsDir() {
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -42,7 +42,8 @@ import (
 //    17: 2021-04-18: MapResponse.Domain empty means unchanged
 //    18: 2021-04-19: MapResponse.Node nil means unchanged (all fields now omitempty)
 //    19: 2021-04-21: MapResponse.Debug.SleepSeconds
-const CurrentMapRequestVersion = 19
+//    20: 2021-06-11: MapResponse.LastSeen used even less (https://github.com/tailscale/tailscale/issues/2107)
+const CurrentMapRequestVersion = 20

 type StableID string

@@ -1026,11 +1027,16 @@ func (k MachineKey) MarshalText() ([]byte, error)     { return keyMarshalText("m
 func (k MachineKey) HexString() string                { return fmt.Sprintf("%x", k[:]) }
 func (k *MachineKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "mkey:", text) }

-func keyMarshalText(prefix string, k [32]byte) []byte {
-	buf := make([]byte, len(prefix)+64)
+func appendKey(base []byte, prefix string, k [32]byte) []byte {
+	ret := append(base, make([]byte, len(prefix)+64)...)
+	buf := ret[len(base):]
 	copy(buf, prefix)
 	hex.Encode(buf[len(prefix):], k[:])
-	return buf
+	return ret
+}
+
+func keyMarshalText(prefix string, k [32]byte) []byte {
+	return appendKey(nil, prefix, k)
 }

 func keyUnmarshalText(dst []byte, prefix string, text []byte) error {
@@ -1061,6 +1067,7 @@ func (k DiscoKey) String() string                   { return fmt.Sprintf("discok
 func (k DiscoKey) MarshalText() ([]byte, error)     { return keyMarshalText("discokey:", k), nil }
 func (k *DiscoKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "discokey:", text) }
 func (k DiscoKey) ShortString() string              { return fmt.Sprintf("d:%x", k[:8]) }
+func (k DiscoKey) AppendTo(b []byte) []byte         { return appendKey(b, "discokey:", k) }

 // IsZero reports whether k is the zero value.
 func (k DiscoKey) IsZero() bool { return k == DiscoKey{} }
@@ -1168,3 +1175,31 @@ const (
 	CapabilityFileSharing = "https://tailscale.com/cap/file-sharing"
 	CapabilityAdmin       = "https://tailscale.com/cap/is-admin"
 )
+
+// SetDNSRequest is a request to add a DNS record.
+//
+// This is used for ACME DNS-01 challenges (so people can use
+// LetsEncrypt, etc).
+//
+// The request is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
+// using the local machine key, and sent to:
+//	https://login.tailscale.com/machine/<mkey hex>/set-dns
+type SetDNSRequest struct {
+	// Version indicates what level of SetDNSRequest functionality
+	// the client understands. Currently this type only has
+	// one version; this field should always be 1 for now.
+	Version int
+
+	// NodeKey is the client's current node key.
+	NodeKey NodeKey
+
+	// Name is the domain name for which to create a record.
+	Name string
+
+	// Type is the DNS record type. For ACME DNS-01 challenges, it
+	// should be "TXT".
+	Type string
+
+	// Value is the value to add.
+	Value string
+}
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -14,6 +14,7 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/types/wgkey"
+	"tailscale.com/version"
 )

 func fieldsOf(t reflect.Type) (fields []string) {
@@ -528,3 +529,25 @@ func BenchmarkKeyMarshalText(b *testing.B) {
 		sinkBytes = keyMarshalText("prefix", k)
 	}
 }
+
+func TestAppendKeyAllocs(t *testing.T) {
+	if version.IsRace() {
+		t.Skip("skipping in race detector") // append(b, make([]byte, N)...) not optimized in compiler with race
+	}
+	var k [32]byte
+	n := int(testing.AllocsPerRun(1000, func() {
+		sinkBytes = keyMarshalText("prefix", k)
+	}))
+	if n != 1 {
+		t.Fatalf("allocs = %v; want 1", n)
+	}
+}
+
+func TestDiscoKeyAppend(t *testing.T) {
+	d := DiscoKey{1: 1, 2: 2}
+	got := string(d.AppendTo([]byte("foo")))
+	want := "foodiscokey:0001020000000000000000000000000000000000000000000000000000000000"
+	if got != want {
+		t.Errorf("got %q; want %q", got, want)
+	}
+}
--- a/tempfork/upnp/LICENSE
+++ b/tempfork/upnp/LICENSE
@@ -0,0 +1,23 @@
+Copyright (c) 2013, John Beisley <johnbeisleyuk@gmail.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice, this
+  list of conditions and the following disclaimer in the documentation and/or
+  other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/tempfork/upnp/README.md
+++ b/tempfork/upnp/README.md
@@ -0,0 +1,46 @@
+goupnp is a UPnP client library for Go
+
+## Installation
+
+Run `go get -u github.com/huin/goupnp`.
+
+## Documentation
+
+See [GUIDE.md](GUIDE.md) for a quick start on the most common use case for this
+library.
+
+Supported DCPs (you probably want to start with one of these):
+
+- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) av1](https://godoc.org/github.com/huin/goupnp/dcps/av1) - Client for UPnP Device Control Protocol MediaServer v1 and MediaRenderer v1.
+- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) internetgateway1](https://godoc.org/github.com/huin/goupnp/dcps/internetgateway1) - Client for UPnP Device Control Protocol Internet Gateway Device v1.
+- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) internetgateway2](https://godoc.org/github.com/huin/goupnp/dcps/internetgateway2) - Client for UPnP Device Control Protocol Internet Gateway Device v2.
+
+Core components:
+
+- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) (goupnp)](https://godoc.org/github.com/huin/goupnp) core library - contains datastructures and utilities typically used by the implemented DCPs.
+- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) httpu](https://godoc.org/github.com/huin/goupnp/httpu) HTTPU implementation, underlies SSDP.
+- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) ssdp](https://godoc.org/github.com/huin/goupnp/ssdp) SSDP client implementation (simple service discovery protocol) - used to discover UPnP services on a network.
+- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) soap](https://godoc.org/github.com/huin/goupnp/soap) SOAP client implementation (simple object access protocol) - used to communicate with discovered services.
+
+## Regenerating dcps generated source code:
+
+1. Build code generator:
+
+   `go get -u github.com/huin/goupnp/cmd/goupnpdcpgen`
+
+2. Regenerate the code:
+
+   `go generate ./...`
+
+## Supporting additional UPnP devices and services:
+
+Supporting additional services is, in the trivial case, simply a matter of
+adding the service to the `dcpMetadata` whitelist in `cmd/goupnpdcpgen/metadata.go`,
+regenerating the source code (see above), and committing that source code.
+
+However, it would be helpful if anyone needing such a service could test the
+service against the service they have, and then reporting any trouble
+encountered as an [issue on this
+project](https://github.com/huin/goupnp/issues/new). If it just works, then
+please report at least minimal working functionality as an issue, and
+optionally contribute the metadata upstream.
--- a/tempfork/upnp/cmd/goupnpdcpgen/codetemplate.go
+++ b/tempfork/upnp/cmd/goupnpdcpgen/codetemplate.go
@@ -0,0 +1,154 @@
+package main
+
+import (
+	"html/template"
+)
+
+var packageTmpl = template.Must(template.New("package").Parse(`{{$name := .Metadata.Name}}
+// Client for UPnP Device Control Protocol {{.Metadata.OfficialName}}.
+// {{if .Metadata.DocURL}}
+// This DCP is documented in detail at: {{.Metadata.DocURL}}{{end}}
+//
+// Typically, use one of the New* functions to create clients for services.
+package {{$name}}
+
+// ***********************************************************
+// GENERATED FILE - DO NOT EDIT BY HAND. See README.md
+// ***********************************************************
+
+import (
+  "context"
+	"net/url"
+	"time"
+
+	"tailscale.com/tempfork/upnp"
+	"tailscale.com/tempfork/upnp/soap"
+)
+
+// Hack to avoid Go complaining if time isn't used.
+var _ time.Time
+
+// Device URNs:
+const ({{range .DeviceTypes}}
+	{{.Const}} = "{{.URN}}"{{end}}
+)
+
+// Service URNs:
+const ({{range .ServiceTypes}}
+	{{.Const}} = "{{.URN}}"{{end}}
+)
+
+{{range .Services}}
+{{$srv := .}}
+{{$srvIdent := printf "%s%s" .Name .Version}}
+
+// {{$srvIdent}} is a client for UPnP SOAP service with URN "{{.URN}}". See
+// goupnp.ServiceClient, which contains RootDevice and Service attributes which
+// are provided for informational value.
+type {{$srvIdent}} struct {
+	goupnp.ServiceClient
+}
+
+// New{{$srvIdent}}Clients discovers instances of the service on the network,
+// and returns clients to any that are found. errors will contain an error for
+// any devices that replied but which could not be queried, and err will be set
+// if the discovery process failed outright.
+//
+// This is a typical entry calling point into this package.
+func New{{$srvIdent}}Clients() (clients []*{{$srvIdent}}, errors []error, err error) {
+	var genericClients []goupnp.ServiceClient
+	if genericClients, errors, err = goupnp.NewServiceClients({{$srv.Const}}); err != nil {
+		return
+	}
+	clients = new{{$srvIdent}}ClientsFromGenericClients(genericClients)
+	return
+}
+
+// New{{$srvIdent}}ClientsByURL discovers instances of the service at the given
+// URL, and returns clients to any that are found. An error is returned if
+// there was an error probing the service.
+//
+// This is a typical entry calling point into this package when reusing an
+// previously discovered service URL.
+func New{{$srvIdent}}ClientsByURL(loc *url.URL) ([]*{{$srvIdent}}, error) {
+	genericClients, err := goupnp.NewServiceClientsByURL(loc, {{$srv.Const}})
+	if err != nil {
+		return nil, err
+	}
+	return new{{$srvIdent}}ClientsFromGenericClients(genericClients), nil
+}
+
+// New{{$srvIdent}}ClientsFromRootDevice discovers instances of the service in
+// a given root device, and returns clients to any that are found. An error is
+// returned if there was not at least one instance of the service within the
+// device. The location parameter is simply assigned to the Location attribute
+// of the wrapped ServiceClient(s).
+//
+// This is a typical entry calling point into this package when reusing an
+// previously discovered root device.
+func New{{$srvIdent}}ClientsFromRootDevice(rootDevice *goupnp.RootDevice, loc *url.URL) ([]*{{$srvIdent}}, error) {
+	genericClients, err := goupnp.NewServiceClientsFromRootDevice(rootDevice, loc, {{$srv.Const}})
+	if err != nil {
+		return nil, err
+	}
+	return new{{$srvIdent}}ClientsFromGenericClients(genericClients), nil
+}
+
+func new{{$srvIdent}}ClientsFromGenericClients(genericClients []goupnp.ServiceClient) []*{{$srvIdent}} {
+	clients := make([]*{{$srvIdent}}, len(genericClients))
+	for i := range genericClients {
+		clients[i] = &{{$srvIdent}}{genericClients[i]}
+	}
+	return clients
+}
+
+{{range .SCPD.Actions}}{{/* loops over *SCPDWithURN values */}}
+
+{{$winargs := $srv.WrapArguments .InputArguments}}
+{{$woutargs := $srv.WrapArguments .OutputArguments}}
+{{if $winargs.HasDoc}}
+//
+// Arguments:{{range $winargs}}{{if .HasDoc}}
+//
+// * {{.Name}}: {{.Document}}{{end}}{{end}}{{end}}
+{{if $woutargs.HasDoc}}
+//
+// Return values:{{range $woutargs}}{{if .HasDoc}}
+//
+// * {{.Name}}: {{.Document}}{{end}}{{end}}{{end}}
+func (client *{{$srvIdent}}) {{.Name}}(ctx context.Context, {{range $winargs -}}
+{{.AsParameter}}, {{end -}}
+) ({{range $woutargs -}}
+{{.AsParameter}}, {{end}} err error) {
+	// Request structure.
+	request := {{if $winargs}}&{{template "argstruct" $winargs}}{{"{}"}}{{else}}{{"interface{}(nil)"}}{{end}}
+	// BEGIN Marshal arguments into request.
+{{range $winargs}}
+	if request.{{.Name}}, err = {{.Marshal}}; err != nil {
+		return
+	}{{end}}
+	// END Marshal arguments into request.
+
+	// Response structure.
+	response := {{if $woutargs}}&{{template "argstruct" $woutargs}}{{"{}"}}{{else}}{{"interface{}(nil)"}}{{end}}
+
+	// Perform the SOAP call.
+	if err = client.SOAPClient.PerformAction(ctx, {{$srv.URNParts.Const}}, "{{.Name}}", request, response); err != nil {
+		return
+	}
+
+	// BEGIN Unmarshal arguments from response.
+{{range $woutargs}}
+	if {{.Name}}, err = {{.Unmarshal "response"}}; err != nil {
+		return
+	}{{end}}
+	// END Unmarshal arguments from response.
+	return
+}
+{{end}}
+{{end}}
+
+{{define "argstruct"}}struct {{"{"}}
+{{range .}}{{.Name}} string
+{{end}}{{"}"}}{{end}}
+`))
--- a/tempfork/upnp/cmd/goupnpdcpgen/dcp.go
+++ b/tempfork/upnp/cmd/goupnpdcpgen/dcp.go
@@ -0,0 +1,265 @@
+package main
+
+import (
+	"archive/zip"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"strings"
+
+	"tailscale.com/tempfork/upnp"
+	"tailscale.com/tempfork/upnp/scpd"
+)
+
+// DCP collects together information about a UPnP Device Control Protocol.
+type DCP struct {
+	Metadata     DCPMetadata
+	DeviceTypes  map[string]*URNParts
+	ServiceTypes map[string]*URNParts
+	Services     []SCPDWithURN
+}
+
+func newDCP(metadata DCPMetadata) *DCP {
+	return &DCP{
+		Metadata:     metadata,
+		DeviceTypes:  make(map[string]*URNParts),
+		ServiceTypes: make(map[string]*URNParts),
+	}
+}
+
+func (dcp *DCP) processZipFile(filename string) error {
+	archive, err := zip.OpenReader(filename)
+	if err != nil {
+		return fmt.Errorf("error reading zip file %q: %v", filename, err)
+	}
+	defer archive.Close()
+	for _, deviceFile := range globFiles("*/device/*.xml", archive) {
+		if err := dcp.processDeviceFile(deviceFile); err != nil {
+			return err
+		}
+	}
+	for _, scpdFile := range globFiles("*/service/*.xml", archive) {
+		if err := dcp.processSCPDFile(scpdFile); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (dcp *DCP) processDeviceFile(file *zip.File) error {
+	var device goupnp.Device
+	if err := unmarshalXmlFile(file, &device); err != nil {
+		return fmt.Errorf("error decoding device XML from file %q: %v", file.Name, err)
+	}
+	var mainErr error
+	device.VisitDevices(func(d *goupnp.Device) {
+		t := strings.TrimSpace(d.DeviceType)
+		if t != "" {
+			u, err := extractURNParts(t, deviceURNPrefix)
+			if err != nil {
+				mainErr = err
+			}
+			dcp.DeviceTypes[t] = u
+		}
+	})
+	device.VisitServices(func(s *goupnp.Service) {
+		u, err := extractURNParts(s.ServiceType, serviceURNPrefix)
+		if err != nil {
+			mainErr = err
+		}
+		dcp.ServiceTypes[s.ServiceType] = u
+	})
+	return mainErr
+}
+
+func (dcp *DCP) writeCode(outFile string, useGofmt bool) error {
+	packageFile, err := os.Create(outFile)
+	if err != nil {
+		return err
+	}
+	var output io.WriteCloser = packageFile
+	if useGofmt {
+		if output, err = NewGofmtWriteCloser(output); err != nil {
+			packageFile.Close()
+			return err
+		}
+	}
+	if err = packageTmpl.Execute(output, dcp); err != nil {
+		output.Close()
+		return err
+	}
+	return output.Close()
+}
+
+func (dcp *DCP) processSCPDFile(file *zip.File) error {
+	scpd := new(scpd.SCPD)
+	if err := unmarshalXmlFile(file, scpd); err != nil {
+		return fmt.Errorf("error decoding SCPD XML from file %q: %v", file.Name, err)
+	}
+	scpd.Clean()
+	urnParts, err := urnPartsFromSCPDFilename(file.Name)
+	if err != nil {
+		return fmt.Errorf("could not recognize SCPD filename %q: %v", file.Name, err)
+	}
+	dcp.Services = append(dcp.Services, SCPDWithURN{
+		URNParts: urnParts,
+		SCPD:     scpd,
+	})
+	return nil
+}
+
+type SCPDWithURN struct {
+	*URNParts
+	SCPD *scpd.SCPD
+}
+
+func (s *SCPDWithURN) WrapArguments(args []*scpd.Argument) (argumentWrapperList, error) {
+	wrappedArgs := make(argumentWrapperList, len(args))
+	for i, arg := range args {
+		wa, err := s.wrapArgument(arg)
+		if err != nil {
+			return nil, err
+		}
+		wrappedArgs[i] = wa
+	}
+	return wrappedArgs, nil
+}
+
+func (s *SCPDWithURN) wrapArgument(arg *scpd.Argument) (*argumentWrapper, error) {
+	relVar := s.SCPD.GetStateVariable(arg.RelatedStateVariable)
+	if relVar == nil {
+		return nil, fmt.Errorf("no such state variable: %q, for argument %q", arg.RelatedStateVariable, arg.Name)
+	}
+	cnv, ok := typeConvs[relVar.DataType.Name]
+	if !ok {
+		return nil, fmt.Errorf("unknown data type: %q, for state variable %q, for argument %q", relVar.DataType.Type, arg.RelatedStateVariable, arg.Name)
+	}
+	return &argumentWrapper{
+		Argument: *arg,
+		relVar:   relVar,
+		conv:     cnv,
+	}, nil
+}
+
+type argumentWrapper struct {
+	scpd.Argument
+	relVar *scpd.StateVariable
+	conv   conv
+}
+
+func (arg *argumentWrapper) AsParameter() string {
+	return fmt.Sprintf("%s %s", arg.Name, arg.conv.ExtType)
+}
+
+func (arg *argumentWrapper) HasDoc() bool {
+	rng := arg.relVar.AllowedValueRange
+	return ((rng != nil && (rng.Minimum != "" || rng.Maximum != "" || rng.Step != "")) ||
+		len(arg.relVar.AllowedValues) > 0)
+}
+
+func (arg *argumentWrapper) Document() string {
+	relVar := arg.relVar
+	if rng := relVar.AllowedValueRange; rng != nil {
+		var parts []string
+		if rng.Minimum != "" {
+			parts = append(parts, fmt.Sprintf("minimum=%s", rng.Minimum))
+		}
+		if rng.Maximum != "" {
+			parts = append(parts, fmt.Sprintf("maximum=%s", rng.Maximum))
+		}
+		if rng.Step != "" {
+			parts = append(parts, fmt.Sprintf("step=%s", rng.Step))
+		}
+		return "allowed value range: " + strings.Join(parts, ", ")
+	}
+	if len(relVar.AllowedValues) != 0 {
+		return "allowed values: " + strings.Join(relVar.AllowedValues, ", ")
+	}
+	return ""
+}
+
+func (arg *argumentWrapper) Marshal() string {
+	return fmt.Sprintf("soap.Marshal%s(%s)", arg.conv.FuncSuffix, arg.Name)
+}
+
+func (arg *argumentWrapper) Unmarshal(objVar string) string {
+	return fmt.Sprintf("soap.Unmarshal%s(%s.%s)", arg.conv.FuncSuffix, objVar, arg.Name)
+}
+
+type argumentWrapperList []*argumentWrapper
+
+func (args argumentWrapperList) HasDoc() bool {
+	for _, arg := range args {
+		if arg.HasDoc() {
+			return true
+		}
+	}
+	return false
+}
+
+type URNParts struct {
+	URN     string
+	Name    string
+	Version string
+}
+
+func (u *URNParts) Const() string {
+	return fmt.Sprintf("URN_%s_%s", u.Name, u.Version)
+}
+
+// extractURNParts extracts the name and version from a URN string.
+func extractURNParts(urn, expectedPrefix string) (*URNParts, error) {
+	if !strings.HasPrefix(urn, expectedPrefix) {
+		return nil, fmt.Errorf("%q does not have expected prefix %q", urn, expectedPrefix)
+	}
+	parts := strings.SplitN(strings.TrimPrefix(urn, expectedPrefix), ":", 2)
+	if len(parts) != 2 {
+		return nil, fmt.Errorf("%q does not have a name and version", urn)
+	}
+	name, version := parts[0], parts[1]
+	return &URNParts{urn, name, version}, nil
+}
+
+// Taken from: https://github.com/huin/goutil/blob/master/codegen/gofmt.go
+// License: https://github.com/huin/goutil/blob/master/LICENSE
+// NewGofmtWriteCloser returns an io.WriteCloser that filters what is written
+// to it through gofmt. It must be closed for this process to be completed, an
+// error from Close can be due to syntax errors in the source that has been
+// written.
+type goFmtWriteCloser struct {
+	output io.WriteCloser
+	stdin  io.WriteCloser
+	gofmt  *exec.Cmd
+}
+
+func NewGofmtWriteCloser(output io.WriteCloser) (io.WriteCloser, error) {
+	gofmt := exec.Command("gofmt")
+	gofmt.Stdout = output
+	gofmt.Stderr = os.Stderr
+	stdin, err := gofmt.StdinPipe()
+	if err != nil {
+		return nil, err
+	}
+	if err = gofmt.Start(); err != nil {
+		return nil, err
+	}
+	return &goFmtWriteCloser{
+		output: output,
+		stdin:  stdin,
+		gofmt:  gofmt,
+	}, nil
+}
+
+func (gwc *goFmtWriteCloser) Write(p []byte) (int, error) {
+	return gwc.stdin.Write(p)
+}
+
+func (gwc *goFmtWriteCloser) Close() error {
+	gwc.stdin.Close()
+	if err := gwc.output.Close(); err != nil {
+		gwc.gofmt.Wait()
+		return err
+	}
+	return gwc.gofmt.Wait()
+}
--- a/tempfork/upnp/cmd/goupnpdcpgen/fileutil.go
+++ b/tempfork/upnp/cmd/goupnpdcpgen/fileutil.go
@@ -0,0 +1,88 @@
+package main
+
+import (
+	"archive/zip"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"regexp"
+)
+
+func acquireFile(specFilename string, xmlSpecURL string) error {
+	if f, err := os.Open(specFilename); err != nil {
+		if !os.IsNotExist(err) {
+			return err
+		}
+	} else {
+		f.Close()
+		return nil
+	}
+
+	resp, err := http.Get(xmlSpecURL)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("could not download spec %q from %q: %s",
+			specFilename, xmlSpecURL, resp.Status)
+	}
+
+	tmpFilename := specFilename + ".download"
+	w, err := os.Create(tmpFilename)
+	if err != nil {
+		return err
+	}
+	defer w.Close()
+
+	_, err = io.Copy(w, resp.Body)
+	if err != nil {
+		return err
+	}
+
+	return os.Rename(tmpFilename, specFilename)
+}
+
+func globFiles(pattern string, archive *zip.ReadCloser) []*zip.File {
+	var files []*zip.File
+	for _, f := range archive.File {
+		if matched, err := path.Match(pattern, f.Name); err != nil {
+			// This shouldn't happen - all patterns are hard-coded, errors in them
+			// are a programming error.
+			panic(err)
+		} else if matched {
+			files = append(files, f)
+		}
+	}
+	return files
+}
+
+func unmarshalXmlFile(file *zip.File, data interface{}) error {
+	r, err := file.Open()
+	if err != nil {
+		return err
+	}
+	decoder := xml.NewDecoder(r)
+	defer r.Close()
+	return decoder.Decode(data)
+}
+
+var scpdFilenameRe = regexp.MustCompile(
+	`.*/([a-zA-Z0-9]+)([0-9]+)\.xml`)
+
+func urnPartsFromSCPDFilename(filename string) (*URNParts, error) {
+	parts := scpdFilenameRe.FindStringSubmatch(filename)
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("SCPD filename %q does not have expected number of parts", filename)
+	}
+	name, version := parts[1], parts[2]
+	return &URNParts{
+		URN:     serviceURNPrefix + name + ":" + version,
+		Name:    name,
+		Version: version,
+	}, nil
+}
--- a/tempfork/upnp/cmd/goupnpdcpgen/goupnpdcpgen.go
+++ b/tempfork/upnp/cmd/goupnpdcpgen/goupnpdcpgen.go
@@ -0,0 +1,64 @@
+// Command to generate DCP package source from the XML specification.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+)
+
+var (
+	deviceURNPrefix  = "urn:schemas-upnp-org:device:"
+	serviceURNPrefix = "urn:schemas-upnp-org:service:"
+)
+
+func main() {
+	var (
+		dcpName  = flag.String("dcp_name", "", "Name of the DCP to generate.")
+		specsDir = flag.String("specs_dir", ".", "Path to the specification storage directory. "+
+			"This is used to find (and download if not present) the specification ZIP files.")
+		useGofmt = flag.Bool("gofmt", true, "Pass the generated code through gofmt. "+
+			"Disable this if debugging code generation and needing to see the generated code "+
+			"prior to being passed through gofmt.")
+	)
+	flag.Parse()
+
+	if err := run(*dcpName, *specsDir, *useGofmt); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func run(dcpName, specsDir string, useGofmt bool) error {
+	if err := os.MkdirAll(specsDir, os.ModePerm); err != nil {
+		return fmt.Errorf("could not create specs-dir %q: %v", specsDir, err)
+	}
+
+	for _, d := range dcpMetadata {
+		if d.Name != dcpName {
+			continue
+		}
+		specFilename := filepath.Join(specsDir, d.Name+".zip")
+		err := acquireFile(specFilename, d.XMLSpecURL)
+		if err != nil {
+			return fmt.Errorf("could not acquire spec for %s: %v", d.Name, err)
+		}
+		dcp := newDCP(d)
+		if err := dcp.processZipFile(specFilename); err != nil {
+			return fmt.Errorf("error processing spec for %s in file %q: %v", d.Name, specFilename, err)
+		}
+		for i, hack := range d.Hacks {
+			if err := hack(dcp); err != nil {
+				return fmt.Errorf("error with Hack[%d] for %s: %v", i, d.Name, err)
+			}
+		}
+		if err := dcp.writeCode(d.Name+".go", useGofmt); err != nil {
+			return fmt.Errorf("error writing package %q: %v", dcp.Metadata.Name, err)
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("could not find DCP with name %q", dcpName)
+}
--- a/tempfork/upnp/cmd/goupnpdcpgen/metadata.go
+++ b/tempfork/upnp/cmd/goupnpdcpgen/metadata.go
@@ -0,0 +1,83 @@
+package main
+
+// DCP contains extra metadata to use when generating DCP source files.
+type DCPMetadata struct {
+	Name         string // What to name the Go DCP package.
+	OfficialName string // Official name for the DCP.
+	DocURL       string // Optional - URL for further documentation about the DCP.
+	XMLSpecURL   string // Where to download the XML spec from.
+	// Any special-case functions to run against the DCP before writing it out.
+	Hacks []DCPHackFn
+}
+
+var dcpMetadata = []DCPMetadata{
+	{
+		Name:         "internetgateway2",
+		OfficialName: "Internet Gateway Device v2",
+		DocURL:       "http://upnp.org/specs/gw/UPnP-gw-InternetGatewayDevice-v2-Device.pdf",
+		XMLSpecURL:   "http://upnp.org/specs/gw/UPnP-gw-IGD-Testfiles-20110224.zip",
+		Hacks: []DCPHackFn{
+			func(dcp *DCP) error {
+				missingURN := "urn:schemas-upnp-org:service:WANIPv6FirewallControl:1"
+				if _, ok := dcp.ServiceTypes[missingURN]; ok {
+					return nil
+				}
+				urnParts, err := extractURNParts(missingURN, serviceURNPrefix)
+				if err != nil {
+					return err
+				}
+				dcp.ServiceTypes[missingURN] = urnParts
+				return nil
+			}, totalBytesHack,
+			func(dcp *DCP) error {
+				// omit certain device types that we do not need
+				var allowedServices = map[string]bool{
+					"urn:schemas-upnp-org:service:WANIPConnection:1":  true,
+					"urn:schemas-upnp-org:service:WANIPConnection:2":  true,
+					"urn:schemas-upnp-org:service:WANPPPConnection:1": true,
+				}
+				var allowedParts = map[string]bool{
+					"WANIPConnection":  true,
+					"WANPPPConnection": true,
+				}
+				for service := range dcp.ServiceTypes {
+					if _, ok := allowedServices[service]; ok {
+						continue
+					}
+					delete(dcp.ServiceTypes, service)
+				}
+				var permitted []SCPDWithURN
+				for _, v := range dcp.Services {
+					if _, ok := allowedParts[v.URNParts.Name]; ok {
+						permitted = append(permitted, v)
+						continue
+					}
+				}
+				dcp.Services = permitted
+				return nil
+			},
+		},
+	},
+}
+
+func totalBytesHack(dcp *DCP) error {
+	for _, service := range dcp.Services {
+		if service.URN == "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1" {
+			variables := service.SCPD.StateVariables
+			for key, variable := range variables {
+				varName := variable.Name
+				if varName == "TotalBytesSent" || varName == "TotalBytesReceived" {
+					// Fix size of total bytes which is by default ui4 or maximum 4 GiB.
+					variable.DataType.Name = "ui8"
+					variables[key] = variable
+				}
+			}
+
+			break
+		}
+	}
+
+	return nil
+}
+
+type DCPHackFn func(*DCP) error
--- a/tempfork/upnp/cmd/goupnpdcpgen/typemap.go
+++ b/tempfork/upnp/cmd/goupnpdcpgen/typemap.go
@@ -0,0 +1,35 @@
+package main
+
+type conv struct {
+	FuncSuffix string
+	ExtType    string
+}
+
+// typeConvs maps from a SOAP type (e.g "fixed.14.4") to the function name
+// suffix inside the soap module (e.g "Fixed14_4") and the Go type.
+var typeConvs = map[string]conv{
+	"ui1":         {"Ui1", "uint8"},
+	"ui2":         {"Ui2", "uint16"},
+	"ui4":         {"Ui4", "uint32"},
+	"ui8":         {"Ui8", "uint64"},
+	"i1":          {"I1", "int8"},
+	"i2":          {"I2", "int16"},
+	"i4":          {"I4", "int32"},
+	"int":         {"Int", "int64"},
+	"r4":          {"R4", "float32"},
+	"r8":          {"R8", "float64"},
+	"number":      {"R8", "float64"}, // Alias for r8.
+	"fixed.14.4":  {"Fixed14_4", "float64"},
+	"float":       {"R8", "float64"},
+	"char":        {"Char", "rune"},
+	"string":      {"String", "string"},
+	"date":        {"Date", "time.Time"},
+	"dateTime":    {"DateTime", "time.Time"},
+	"dateTime.tz": {"DateTimeTz", "time.Time"},
+	"time":        {"TimeOfDay", "soap.TimeOfDay"},
+	"time.tz":     {"TimeOfDayTz", "soap.TimeOfDay"},
+	"boolean":     {"Boolean", "bool"},
+	"bin.base64":  {"BinBase64", "[]byte"},
+	"bin.hex":     {"BinHex", "[]byte"},
+	"uri":         {"URI", "*url.URL"},
+}
--- a/tempfork/upnp/dcps/internetgateway2/.gitignore
+++ b/tempfork/upnp/dcps/internetgateway2/.gitignore
@@ -0,0 +1 @@
+*.zip
--- a/tempfork/upnp/dcps/internetgateway2/gen.go
+++ b/tempfork/upnp/dcps/internetgateway2/gen.go
@@ -0,0 +1,2 @@
+//go:generate goupnpdcpgen -dcp_name internetgateway2
+package internetgateway2
--- a/tempfork/upnp/dcps/internetgateway2/internetgateway2.go
+++ b/tempfork/upnp/dcps/internetgateway2/internetgateway2.go
--- a/tempfork/upnp/device.go
+++ b/tempfork/upnp/device.go
@@ -0,0 +1,190 @@
+// This file contains XML structures for communicating with UPnP devices.
+
+package goupnp
+
+import (
+	"encoding/xml"
+	"errors"
+	"fmt"
+	"net/url"
+
+	"tailscale.com/tempfork/upnp/scpd"
+	"tailscale.com/tempfork/upnp/soap"
+)
+
+const (
+	DeviceXMLNamespace = "urn:schemas-upnp-org:device-1-0"
+)
+
+// RootDevice is the device description as described by section 2.3 "Device
+// description" in
+// http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
+type RootDevice struct {
+	XMLName     xml.Name    `xml:"root"`
+	SpecVersion SpecVersion `xml:"specVersion"`
+	URLBase     url.URL     `xml:"-"`
+	URLBaseStr  string      `xml:"URLBase"`
+	Device      Device      `xml:"device"`
+}
+
+// SetURLBase sets the URLBase for the RootDevice and its underlying components.
+func (root *RootDevice) SetURLBase(urlBase *url.URL) {
+	root.URLBase = *urlBase
+	root.URLBaseStr = urlBase.String()
+	root.Device.SetURLBase(urlBase)
+}
+
+// SpecVersion is part of a RootDevice, describes the version of the
+// specification that the data adheres to.
+type SpecVersion struct {
+	Major int32 `xml:"major"`
+	Minor int32 `xml:"minor"`
+}
+
+// Device is a UPnP device. It can have child devices.
+type Device struct {
+	DeviceType       string    `xml:"deviceType"`
+	FriendlyName     string    `xml:"friendlyName"`
+	Manufacturer     string    `xml:"manufacturer"`
+	ManufacturerURL  URLField  `xml:"manufacturerURL"`
+	ModelDescription string    `xml:"modelDescription"`
+	ModelName        string    `xml:"modelName"`
+	ModelNumber      string    `xml:"modelNumber"`
+	ModelURL         URLField  `xml:"modelURL"`
+	SerialNumber     string    `xml:"serialNumber"`
+	UDN              string    `xml:"UDN"`
+	UPC              string    `xml:"UPC,omitempty"`
+	Icons            []Icon    `xml:"iconList>icon,omitempty"`
+	Services         []Service `xml:"serviceList>service,omitempty"`
+	Devices          []Device  `xml:"deviceList>device,omitempty"`
+
+	// Extra observed elements:
+	PresentationURL URLField `xml:"presentationURL"`
+}
+
+// VisitDevices calls visitor for the device, and all its descendent devices.
+func (device *Device) VisitDevices(visitor func(*Device)) {
+	visitor(device)
+	for i := range device.Devices {
+		device.Devices[i].VisitDevices(visitor)
+	}
+}
+
+// VisitServices calls visitor for all Services under the device and all its
+// descendent devices.
+func (device *Device) VisitServices(visitor func(*Service)) {
+	device.VisitDevices(func(d *Device) {
+		for i := range d.Services {
+			visitor(&d.Services[i])
+		}
+	})
+}
+
+// FindService finds all (if any) Services under the device and its descendents
+// that have the given ServiceType.
+func (device *Device) FindService(serviceType string) []*Service {
+	var services []*Service
+	device.VisitServices(func(s *Service) {
+		if s.ServiceType == serviceType {
+			services = append(services, s)
+		}
+	})
+	return services
+}
+
+// SetURLBase sets the URLBase for the Device and its underlying components.
+func (device *Device) SetURLBase(urlBase *url.URL) {
+	device.ManufacturerURL.SetURLBase(urlBase)
+	device.ModelURL.SetURLBase(urlBase)
+	device.PresentationURL.SetURLBase(urlBase)
+	for i := range device.Icons {
+		device.Icons[i].SetURLBase(urlBase)
+	}
+	for i := range device.Services {
+		device.Services[i].SetURLBase(urlBase)
+	}
+	for i := range device.Devices {
+		device.Devices[i].SetURLBase(urlBase)
+	}
+}
+
+func (device *Device) String() string {
+	return fmt.Sprintf("Device ID %s : %s (%s)", device.UDN, device.DeviceType, device.FriendlyName)
+}
+
+// Icon is a representative image that a device might include in its
+// description.
+type Icon struct {
+	Mimetype string   `xml:"mimetype"`
+	Width    int32    `xml:"width"`
+	Height   int32    `xml:"height"`
+	Depth    int32    `xml:"depth"`
+	URL      URLField `xml:"url"`
+}
+
+// SetURLBase sets the URLBase for the Icon.
+func (icon *Icon) SetURLBase(url *url.URL) {
+	icon.URL.SetURLBase(url)
+}
+
+// Service is a service provided by a UPnP Device.
+type Service struct {
+	ServiceType string   `xml:"serviceType"`
+	ServiceId   string   `xml:"serviceId"`
+	SCPDURL     URLField `xml:"SCPDURL"`
+	ControlURL  URLField `xml:"controlURL"`
+	EventSubURL URLField `xml:"eventSubURL"`
+}
+
+// SetURLBase sets the URLBase for the Service.
+func (srv *Service) SetURLBase(urlBase *url.URL) {
+	srv.SCPDURL.SetURLBase(urlBase)
+	srv.ControlURL.SetURLBase(urlBase)
+	srv.EventSubURL.SetURLBase(urlBase)
+}
+
+func (srv *Service) String() string {
+	return fmt.Sprintf("Service ID %s : %s", srv.ServiceId, srv.ServiceType)
+}
+
+// RequestSCPD requests the SCPD (soap actions and state variables description)
+// for the service.
+func (srv *Service) RequestSCPD() (*scpd.SCPD, error) {
+	if !srv.SCPDURL.Ok {
+		return nil, errors.New("bad/missing SCPD URL, or no URLBase has been set")
+	}
+	s := new(scpd.SCPD)
+	if err := requestXml(srv.SCPDURL.URL.String(), scpd.SCPDXMLNamespace, s); err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+// RequestSCDP is for compatibility only, prefer RequestSCPD. This was a
+// misspelling of RequestSCDP.
+func (srv *Service) RequestSCDP() (*scpd.SCPD, error) {
+	return srv.RequestSCPD()
+}
+
+func (srv *Service) NewSOAPClient() *soap.SOAPClient {
+	return soap.NewSOAPClient(srv.ControlURL.URL)
+}
+
+// URLField is a URL that is part of a device description.
+type URLField struct {
+	URL url.URL `xml:"-"`
+	Ok  bool    `xml:"-"`
+	Str string  `xml:",chardata"`
+}
+
+func (uf *URLField) SetURLBase(urlBase *url.URL) {
+	refUrl, err := url.Parse(uf.Str)
+	if err != nil {
+		uf.URL = url.URL{}
+		uf.Ok = false
+		return
+	}
+
+	uf.URL = *urlBase.ResolveReference(refUrl)
+	uf.Ok = true
+}
--- a/tempfork/upnp/goupnp.go
+++ b/tempfork/upnp/goupnp.go
@@ -0,0 +1,146 @@
+// goupnp is an implementation of a client for various UPnP services.
+//
+// For most uses, it is recommended to use the code-generated packages under
+// github.com/huin/goupnp/dcps. Example use is shown at
+// http://godoc.org/github.com/huin/goupnp/example
+//
+// A commonly used client is internetgateway1.WANPPPConnection1:
+// http://godoc.org/github.com/huin/goupnp/dcps/internetgateway1#WANPPPConnection1
+//
+// Currently only a couple of schemas have code generated for them from the
+// UPnP example XML specifications. Not all methods will work on these clients,
+// because the generated stubs contain the full set of specified methods from
+// the XML specifications, and the discovered services will likely support a
+// subset of those methods.
+package goupnp
+
+import (
+	"encoding/xml"
+	"fmt"
+	"net/http"
+	"net/url"
+	"time"
+
+	"tailscale.com/tempfork/upnp/ssdp"
+)
+
+// ContextError is an error that wraps an error with some context information.
+type ContextError struct {
+	Context string
+	Err     error
+}
+
+func ctxError(err error, msg string) ContextError {
+	return ContextError{
+		Context: msg,
+		Err:     err,
+	}
+}
+
+func ctxErrorf(err error, msg string, args ...interface{}) ContextError {
+	return ContextError{
+		Context: fmt.Sprintf(msg, args...),
+		Err:     err,
+	}
+}
+
+func (err ContextError) Error() string {
+	return fmt.Sprintf("%s: %v", err.Context, err.Err)
+}
+
+// MaybeRootDevice contains either a RootDevice or an error.
+type MaybeRootDevice struct {
+	// Identifier of the device.
+	USN string
+
+	// Set iff Err == nil.
+	Root *RootDevice
+
+	// The location the device was discovered at. This can be used with
+	// DeviceByURL, assuming the device is still present. A location represents
+	// the discovery of a device, regardless of if there was an error probing it.
+	Location *url.URL
+
+	// Any error encountered probing a discovered device.
+	Err error
+}
+
+// DiscoverDevices attempts to find targets of the given type. This is
+// typically the entry-point for this package. searchTarget is typically a URN
+// in the form "urn:schemas-upnp-org:device:..." or
+// "urn:schemas-upnp-org:service:...". A single error is returned for errors
+// while attempting to send the query. An error or RootDevice is returned for
+// each discovered RootDevice.
+func DiscoverDevices(searchTarget string) ([]MaybeRootDevice, error) {
+	hc, hcCleanup, err := httpuClient()
+	if err != nil {
+		return nil, err
+	}
+	defer hcCleanup()
+	responses, err := ssdp.SSDPRawSearch(hc, string(searchTarget), 2, 3)
+	if err != nil {
+		return nil, err
+	}
+
+	results := make([]MaybeRootDevice, len(responses))
+	for i, response := range responses {
+		maybe := &results[i]
+		maybe.USN = response.Header.Get("USN")
+		loc, err := response.Location()
+		if err != nil {
+			maybe.Err = ContextError{"unexpected bad location from search", err}
+			continue
+		}
+		maybe.Location = loc
+		if root, err := DeviceByURL(loc); err != nil {
+			maybe.Err = err
+		} else {
+			maybe.Root = root
+		}
+	}
+
+	return results, nil
+}
+
+func DeviceByURL(loc *url.URL) (*RootDevice, error) {
+	locStr := loc.String()
+	root := new(RootDevice)
+	if err := requestXml(locStr, DeviceXMLNamespace, root); err != nil {
+		return nil, ContextError{fmt.Sprintf("error requesting root device details from %q", locStr), err}
+	}
+	var urlBaseStr string
+	if root.URLBaseStr != "" {
+		urlBaseStr = root.URLBaseStr
+	} else {
+		urlBaseStr = locStr
+	}
+	urlBase, err := url.Parse(urlBaseStr)
+	if err != nil {
+		return nil, ContextError{fmt.Sprintf("error parsing location URL %q", locStr), err}
+	}
+	root.SetURLBase(urlBase)
+	return root, nil
+}
+
+func requestXml(url string, defaultSpace string, doc interface{}) error {
+	timeout := time.Duration(3 * time.Second)
+	client := http.Client{
+		Timeout: timeout,
+	}
+	resp, err := client.Get(url)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return fmt.Errorf("goupnp: got response status %s from %q",
+			resp.Status, url)
+	}
+
+	decoder := xml.NewDecoder(resp.Body)
+	decoder.DefaultSpace = defaultSpace
+	//decoder.CharsetReader = charset.NewReaderLabel
+
+	return decoder.Decode(doc)
+}
--- a/tempfork/upnp/httpu/httpu.go
+++ b/tempfork/upnp/httpu/httpu.go
@@ -0,0 +1,151 @@
+package httpu
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"sync"
+	"time"
+)
+
+// ClientInterface is the general interface provided to perform HTTP-over-UDP
+// requests.
+type ClientInterface interface {
+	// Do performs a request. The timeout is how long to wait for before returning
+	// the responses that were received. An error is only returned for failing to
+	// send the request. Failures in receipt simply do not add to the resulting
+	// responses.
+	Do(
+		req *http.Request,
+		timeout time.Duration,
+		numSends int,
+	) ([]*http.Response, error)
+}
+
+// HTTPUClient is a client for dealing with HTTPU (HTTP over UDP). Its typical
+// function is for HTTPMU, and particularly SSDP.
+type HTTPUClient struct {
+	connLock sync.Mutex // Protects use of conn.
+	conn     net.PacketConn
+}
+
+var _ ClientInterface = &HTTPUClient{}
+
+// NewHTTPUClient creates a new HTTPUClient, opening up a new UDP socket for the
+// purpose.
+func NewHTTPUClient() (*HTTPUClient, error) {
+	conn, err := net.ListenPacket("udp", ":0")
+	if err != nil {
+		return nil, err
+	}
+	return &HTTPUClient{conn: conn}, nil
+}
+
+// NewHTTPUClientAddr creates a new HTTPUClient which will broadcast packets
+// from the specified address, opening up a new UDP socket for the purpose
+func NewHTTPUClientAddr(addr string) (*HTTPUClient, error) {
+	ip := net.ParseIP(addr)
+	if ip == nil {
+		return nil, errors.New("invalid listening address")
+	}
+	conn, err := net.ListenPacket("udp", ip.String()+":0")
+	if err != nil {
+		return nil, err
+	}
+	return &HTTPUClient{conn: conn}, nil
+}
+
+// Close shuts down the client. The client will no longer be useful following
+// this.
+func (httpu *HTTPUClient) Close() error {
+	httpu.connLock.Lock()
+	defer httpu.connLock.Unlock()
+	return httpu.conn.Close()
+}
+
+// Do implements ClientInterface.Do.
+//
+// Note that at present only one concurrent connection will happen per
+// HTTPUClient.
+func (httpu *HTTPUClient) Do(
+	req *http.Request,
+	timeout time.Duration,
+	numSends int,
+) ([]*http.Response, error) {
+	httpu.connLock.Lock()
+	defer httpu.connLock.Unlock()
+
+	// Create the request. This is a subset of what http.Request.Write does
+	// deliberately to avoid creating extra fields which may confuse some
+	// devices.
+	var requestBuf bytes.Buffer
+	method := req.Method
+	if method == "" {
+		method = "GET"
+	}
+	if _, err := fmt.Fprintf(&requestBuf, "%s %s HTTP/1.1\r\n", method, req.URL.RequestURI()); err != nil {
+		return nil, err
+	}
+	if err := req.Header.Write(&requestBuf); err != nil {
+		return nil, err
+	}
+	if _, err := requestBuf.Write([]byte{'\r', '\n'}); err != nil {
+		return nil, err
+	}
+
+	destAddr, err := net.ResolveUDPAddr("udp", req.Host)
+	if err != nil {
+		return nil, err
+	}
+	if err = httpu.conn.SetDeadline(time.Now().Add(timeout)); err != nil {
+		return nil, err
+	}
+
+	// Send request.
+	for i := 0; i < numSends; i++ {
+		if n, err := httpu.conn.WriteTo(requestBuf.Bytes(), destAddr); err != nil {
+			return nil, err
+		} else if n < len(requestBuf.Bytes()) {
+			return nil, fmt.Errorf("httpu: wrote %d bytes rather than full %d in request",
+				n, len(requestBuf.Bytes()))
+		}
+		time.Sleep(5 * time.Millisecond)
+	}
+
+	// Await responses until timeout.
+	var responses []*http.Response
+	responseBytes := make([]byte, 2048)
+	for {
+		// 2048 bytes should be sufficient for most networks.
+		n, _, err := httpu.conn.ReadFrom(responseBytes)
+		if err != nil {
+			if err, ok := err.(net.Error); ok {
+				if err.Timeout() {
+					break
+				}
+				if err.Temporary() {
+					// Sleep in case this is a persistent error to avoid pegging CPU until deadline.
+					time.Sleep(10 * time.Millisecond)
+					continue
+				}
+			}
+			return nil, err
+		}
+
+		// Parse response.
+		response, err := http.ReadResponse(bufio.NewReader(bytes.NewBuffer(responseBytes[:n])), req)
+		if err != nil {
+			log.Printf("httpu: error while parsing response: %v", err)
+			continue
+		}
+
+		responses = append(responses, response)
+	}
+
+	// Timeout reached - return discovered responses.
+	return responses, nil
+}
--- a/tempfork/upnp/httpu/multiclient.go
+++ b/tempfork/upnp/httpu/multiclient.go
@@ -0,0 +1,70 @@
+package httpu
+
+import (
+	"net/http"
+	"time"
+
+	"golang.org/x/sync/errgroup"
+)
+
+// MultiClient dispatches requests out to all the delegated clients.
+type MultiClient struct {
+	// The HTTPU clients to delegate to.
+	delegates []ClientInterface
+}
+
+var _ ClientInterface = &MultiClient{}
+
+// NewMultiClient creates a new MultiClient that delegates to all the given
+// clients.
+func NewMultiClient(delegates []ClientInterface) *MultiClient {
+	return &MultiClient{
+		delegates: delegates,
+	}
+}
+
+// Do implements ClientInterface.Do.
+func (mc *MultiClient) Do(
+	req *http.Request,
+	timeout time.Duration,
+	numSends int,
+) ([]*http.Response, error) {
+	tasks := &errgroup.Group{}
+
+	results := make(chan []*http.Response)
+	tasks.Go(func() error {
+		defer close(results)
+		return mc.sendRequests(results, req, timeout, numSends)
+	})
+
+	var responses []*http.Response
+	tasks.Go(func() error {
+		for rs := range results {
+			responses = append(responses, rs...)
+		}
+		return nil
+	})
+
+	return responses, tasks.Wait()
+}
+
+func (mc *MultiClient) sendRequests(
+	results chan<- []*http.Response,
+	req *http.Request,
+	timeout time.Duration,
+	numSends int,
+) error {
+	tasks := &errgroup.Group{}
+	for _, d := range mc.delegates {
+		d := d // copy for closure
+		tasks.Go(func() error {
+			responses, err := d.Do(req, timeout, numSends)
+			if err != nil {
+				return err
+			}
+			results <- responses
+			return nil
+		})
+	}
+	return tasks.Wait()
+}
--- a/tempfork/upnp/httpu/serve.go
+++ b/tempfork/upnp/httpu/serve.go
@@ -0,0 +1,108 @@
+package httpu
+
+import (
+	"bufio"
+	"bytes"
+	"log"
+	"net"
+	"net/http"
+	"regexp"
+)
+
+const (
+	DefaultMaxMessageBytes = 2048
+)
+
+var (
+	trailingWhitespaceRx = regexp.MustCompile(" +\r\n")
+	crlf                 = []byte("\r\n")
+)
+
+// Handler is the interface by which received HTTPU messages are passed to
+// handling code.
+type Handler interface {
+	// ServeMessage is called for each HTTPU message received. peerAddr contains
+	// the address that the message was received from.
+	ServeMessage(r *http.Request)
+}
+
+// HandlerFunc is a function-to-Handler adapter.
+type HandlerFunc func(r *http.Request)
+
+func (f HandlerFunc) ServeMessage(r *http.Request) {
+	f(r)
+}
+
+// A Server defines parameters for running an HTTPU server.
+type Server struct {
+	Addr            string         // UDP address to listen on
+	Multicast       bool           // Should listen for multicast?
+	Interface       *net.Interface // Network interface to listen on for multicast, nil for default multicast interface
+	Handler         Handler        // handler to invoke
+	MaxMessageBytes int            // maximum number of bytes to read from a packet, DefaultMaxMessageBytes if 0
+}
+
+// ListenAndServe listens on the UDP network address srv.Addr. If srv.Multicast
+// is true, then a multicast UDP listener will be used on srv.Interface (or
+// default interface if nil).
+func (srv *Server) ListenAndServe() error {
+	var err error
+
+	var addr *net.UDPAddr
+	if addr, err = net.ResolveUDPAddr("udp", srv.Addr); err != nil {
+		log.Fatal(err)
+	}
+
+	var conn net.PacketConn
+	if srv.Multicast {
+		if conn, err = net.ListenMulticastUDP("udp", srv.Interface, addr); err != nil {
+			return err
+		}
+	} else {
+		if conn, err = net.ListenUDP("udp", addr); err != nil {
+			return err
+		}
+	}
+
+	return srv.Serve(conn)
+}
+
+// Serve messages received on the given packet listener to the srv.Handler.
+func (srv *Server) Serve(l net.PacketConn) error {
+	maxMessageBytes := DefaultMaxMessageBytes
+	if srv.MaxMessageBytes != 0 {
+		maxMessageBytes = srv.MaxMessageBytes
+	}
+	for {
+		buf := make([]byte, maxMessageBytes)
+		n, peerAddr, err := l.ReadFrom(buf)
+		if err != nil {
+			return err
+		}
+		buf = buf[:n]
+
+		go func(buf []byte, peerAddr net.Addr) {
+			// At least one router's UPnP implementation has added a trailing space
+			// after "HTTP/1.1" - trim it.
+			buf = trailingWhitespaceRx.ReplaceAllLiteral(buf, crlf)
+
+			req, err := http.ReadRequest(bufio.NewReader(bytes.NewBuffer(buf)))
+			if err != nil {
+				log.Printf("httpu: Failed to parse request: %v", err)
+				return
+			}
+			req.RemoteAddr = peerAddr.String()
+			srv.Handler.ServeMessage(req)
+			// No need to call req.Body.Close - underlying reader is bytes.Buffer.
+		}(buf, peerAddr)
+	}
+}
+
+// Serve messages received on the given packet listener to the given handler.
+func Serve(l net.PacketConn, handler Handler) error {
+	srv := Server{
+		Handler:         handler,
+		MaxMessageBytes: DefaultMaxMessageBytes,
+	}
+	return srv.Serve(l)
+}
--- a/tempfork/upnp/makefile
+++ b/tempfork/upnp/makefile
@@ -0,0 +1,4 @@
+generate:
+	cd dcps/internetgateway2 && \
+	go run ../../cmd/goupnpdcpgen/. -dcp_name internetgateway2
+
--- a/tempfork/upnp/network.go
+++ b/tempfork/upnp/network.go
@@ -0,0 +1,75 @@
+package goupnp
+
+import (
+	"io"
+	"net"
+
+	"tailscale.com/tempfork/upnp/httpu"
+)
+
+// httpuClient creates a HTTPU client that multiplexes to all multicast-capable
+// IPv4 addresses on the host. Returns a function to clean up once the client is
+// no longer required.
+func httpuClient() (httpu.ClientInterface, func(), error) {
+	addrs, err := localIPv4MCastAddrs()
+	if err != nil {
+		return nil, nil, ctxError(err, "requesting host IPv4 addresses")
+	}
+
+	closers := make([]io.Closer, 0, len(addrs))
+	delegates := make([]httpu.ClientInterface, 0, len(addrs))
+	for _, addr := range addrs {
+		c, err := httpu.NewHTTPUClientAddr(addr)
+		if err != nil {
+			return nil, nil, ctxErrorf(err,
+				"creating HTTPU client for address %s", addr)
+		}
+		closers = append(closers, c)
+		delegates = append(delegates, c)
+	}
+
+	closer := func() {
+		for _, c := range closers {
+			c.Close()
+		}
+	}
+
+	return httpu.NewMultiClient(delegates), closer, nil
+}
+
+// localIPv4MCastAddrs returns the set of IPv4 addresses on multicast-able
+// network interfaces.
+func localIPv4MCastAddrs() ([]string, error) {
+	ifaces, err := net.Interfaces()
+	if err != nil {
+		return nil, ctxError(err, "requesting host interfaces")
+	}
+
+	// Find the set of addresses to listen on.
+	var addrs []string
+	for _, iface := range ifaces {
+		if iface.Flags&net.FlagMulticast == 0 || iface.Flags&net.FlagLoopback != 0 || iface.Flags&net.FlagUp == 0 {
+			// Does not support multicast or is a loopback address.
+			continue
+		}
+		ifaceAddrs, err := iface.Addrs()
+		if err != nil {
+			return nil, ctxErrorf(err,
+				"finding addresses on interface %s", iface.Name)
+		}
+		for _, netAddr := range ifaceAddrs {
+			addr, ok := netAddr.(*net.IPNet)
+			if !ok {
+				// Not an IPNet address.
+				continue
+			}
+			if addr.IP.To4() == nil {
+				// Not IPv4.
+				continue
+			}
+			addrs = append(addrs, addr.IP.String())
+		}
+	}
+
+	return addrs, nil
+}
--- a/tempfork/upnp/scpd/scpd.go
+++ b/tempfork/upnp/scpd/scpd.go
@@ -0,0 +1,167 @@
+package scpd
+
+import (
+	"encoding/xml"
+	"strings"
+)
+
+const (
+	SCPDXMLNamespace = "urn:schemas-upnp-org:service-1-0"
+)
+
+func cleanWhitespace(s *string) {
+	*s = strings.TrimSpace(*s)
+}
+
+// SCPD is the service description as described by section 2.5 "Service
+// description" in
+// http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
+type SCPD struct {
+	XMLName        xml.Name        `xml:"scpd"`
+	ConfigId       string          `xml:"configId,attr"`
+	SpecVersion    SpecVersion     `xml:"specVersion"`
+	Actions        []Action        `xml:"actionList>action"`
+	StateVariables []StateVariable `xml:"serviceStateTable>stateVariable"`
+}
+
+// Clean attempts to remove stray whitespace etc. in the structure. It seems
+// unfortunately common for stray whitespace to be present in SCPD documents,
+// this method attempts to make it easy to clean them out.
+func (scpd *SCPD) Clean() {
+	cleanWhitespace(&scpd.ConfigId)
+	for i := range scpd.Actions {
+		scpd.Actions[i].clean()
+	}
+	for i := range scpd.StateVariables {
+		scpd.StateVariables[i].clean()
+	}
+}
+
+func (scpd *SCPD) GetStateVariable(variable string) *StateVariable {
+	for i := range scpd.StateVariables {
+		v := &scpd.StateVariables[i]
+		if v.Name == variable {
+			return v
+		}
+	}
+	return nil
+}
+
+func (scpd *SCPD) GetAction(action string) *Action {
+	for i := range scpd.Actions {
+		a := &scpd.Actions[i]
+		if a.Name == action {
+			return a
+		}
+	}
+	return nil
+}
+
+// SpecVersion is part of a SCPD document, describes the version of the
+// specification that the data adheres to.
+type SpecVersion struct {
+	Major int32 `xml:"major"`
+	Minor int32 `xml:"minor"`
+}
+
+type Action struct {
+	Name      string     `xml:"name"`
+	Arguments []Argument `xml:"argumentList>argument"`
+}
+
+func (action *Action) clean() {
+	cleanWhitespace(&action.Name)
+	for i := range action.Arguments {
+		action.Arguments[i].clean()
+	}
+}
+
+func (action *Action) InputArguments() []*Argument {
+	var result []*Argument
+	for i := range action.Arguments {
+		arg := &action.Arguments[i]
+		if arg.IsInput() {
+			result = append(result, arg)
+		}
+	}
+	return result
+}
+
+func (action *Action) OutputArguments() []*Argument {
+	var result []*Argument
+	for i := range action.Arguments {
+		arg := &action.Arguments[i]
+		if arg.IsOutput() {
+			result = append(result, arg)
+		}
+	}
+	return result
+}
+
+type Argument struct {
+	Name                 string `xml:"name"`
+	Direction            string `xml:"direction"`            // in|out
+	RelatedStateVariable string `xml:"relatedStateVariable"` // ?
+	Retval               string `xml:"retval"`               // ?
+}
+
+func (arg *Argument) clean() {
+	cleanWhitespace(&arg.Name)
+	cleanWhitespace(&arg.Direction)
+	cleanWhitespace(&arg.RelatedStateVariable)
+	cleanWhitespace(&arg.Retval)
+}
+
+func (arg *Argument) IsInput() bool {
+	return arg.Direction == "in"
+}
+
+func (arg *Argument) IsOutput() bool {
+	return arg.Direction == "out"
+}
+
+type StateVariable struct {
+	Name              string             `xml:"name"`
+	SendEvents        string             `xml:"sendEvents,attr"` // yes|no
+	Multicast         string             `xml:"multicast,attr"`  // yes|no
+	DataType          DataType           `xml:"dataType"`
+	DefaultValue      string             `xml:"defaultValue"`
+	AllowedValueRange *AllowedValueRange `xml:"allowedValueRange"`
+	AllowedValues     []string           `xml:"allowedValueList>allowedValue"`
+}
+
+func (v *StateVariable) clean() {
+	cleanWhitespace(&v.Name)
+	cleanWhitespace(&v.SendEvents)
+	cleanWhitespace(&v.Multicast)
+	v.DataType.clean()
+	cleanWhitespace(&v.DefaultValue)
+	if v.AllowedValueRange != nil {
+		v.AllowedValueRange.clean()
+	}
+	for i := range v.AllowedValues {
+		cleanWhitespace(&v.AllowedValues[i])
+	}
+}
+
+type AllowedValueRange struct {
+	Minimum string `xml:"minimum"`
+	Maximum string `xml:"maximum"`
+	Step    string `xml:"step"`
+}
+
+func (r *AllowedValueRange) clean() {
+	cleanWhitespace(&r.Minimum)
+	cleanWhitespace(&r.Maximum)
+	cleanWhitespace(&r.Step)
+}
+
+type DataType struct {
+	Name string `xml:",chardata"`
+	Type string `xml:"type,attr"`
+}
+
+func (dt *DataType) clean() {
+	cleanWhitespace(&dt.Name)
+	cleanWhitespace(&dt.Type)
+}
--- a/tempfork/upnp/service_client.go
+++ b/tempfork/upnp/service_client.go
@@ -0,0 +1,88 @@
+package goupnp
+
+import (
+	"fmt"
+	"net/url"
+
+	"tailscale.com/tempfork/upnp/soap"
+)
+
+// ServiceClient is a SOAP client, root device and the service for the SOAP
+// client rolled into one value. The root device, location, and service are
+// intended to be informational. Location can be used to later recreate a
+// ServiceClient with NewServiceClientByURL if the service is still present;
+// bypassing the discovery process.
+type ServiceClient struct {
+	SOAPClient *soap.SOAPClient
+	RootDevice *RootDevice
+	Location   *url.URL
+	Service    *Service
+}
+
+// NewServiceClients discovers services, and returns clients for them. err will
+// report any error with the discovery process (blocking any device/service
+// discovery), errors reports errors on a per-root-device basis.
+func NewServiceClients(searchTarget string) (clients []ServiceClient, errors []error, err error) {
+	var maybeRootDevices []MaybeRootDevice
+	if maybeRootDevices, err = DiscoverDevices(searchTarget); err != nil {
+		return
+	}
+
+	clients = make([]ServiceClient, 0, len(maybeRootDevices))
+
+	for _, maybeRootDevice := range maybeRootDevices {
+		if maybeRootDevice.Err != nil {
+			errors = append(errors, maybeRootDevice.Err)
+			continue
+		}
+
+		deviceClients, err := NewServiceClientsFromRootDevice(maybeRootDevice.Root, maybeRootDevice.Location, searchTarget)
+		if err != nil {
+			errors = append(errors, err)
+			continue
+		}
+		clients = append(clients, deviceClients...)
+	}
+
+	return
+}
+
+// NewServiceClientsByURL creates client(s) for the given service URN, for a
+// root device at the given URL.
+func NewServiceClientsByURL(loc *url.URL, searchTarget string) ([]ServiceClient, error) {
+	rootDevice, err := DeviceByURL(loc)
+	if err != nil {
+		return nil, err
+	}
+	return NewServiceClientsFromRootDevice(rootDevice, loc, searchTarget)
+}
+
+// NewServiceClientsFromDevice creates client(s) for the given service URN, in
+// a given root device. The loc parameter is simply assigned to the
+// Location attribute of the returned ServiceClient(s).
+func NewServiceClientsFromRootDevice(rootDevice *RootDevice, loc *url.URL, searchTarget string) ([]ServiceClient, error) {
+	device := &rootDevice.Device
+	srvs := device.FindService(searchTarget)
+	if len(srvs) == 0 {
+		return nil, fmt.Errorf("goupnp: service %q not found within device %q (UDN=%q)",
+			searchTarget, device.FriendlyName, device.UDN)
+	}
+
+	clients := make([]ServiceClient, 0, len(srvs))
+	for _, srv := range srvs {
+		clients = append(clients, ServiceClient{
+			SOAPClient: srv.NewSOAPClient(),
+			RootDevice: rootDevice,
+			Location:   loc,
+			Service:    srv,
+		})
+	}
+	return clients, nil
+}
+
+// GetServiceClient returns the ServiceClient itself. This is provided so that the
+// service client attributes can be accessed via an interface method on a
+// wrapping type.
+func (client *ServiceClient) GetServiceClient() *ServiceClient {
+	return client
+}
--- a/tempfork/upnp/soap/soap.go
+++ b/tempfork/upnp/soap/soap.go
@@ -0,0 +1,200 @@
+// Definition for the SOAP structure required for UPnP's SOAP usage.
+
+package soap
+
+import (
+	"bytes"
+	"context"
+	"encoding/xml"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"reflect"
+	"regexp"
+)
+
+const (
+	soapEncodingStyle = "http://schemas.xmlsoap.org/soap/encoding/"
+	soapPrefix        = xml.Header + `<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>`
+	soapSuffix        = `</s:Body></s:Envelope>`
+)
+
+type SOAPClient struct {
+	EndpointURL url.URL
+	HTTPClient  http.Client
+}
+
+func NewSOAPClient(endpointURL url.URL) *SOAPClient {
+	return &SOAPClient{
+		EndpointURL: endpointURL,
+	}
+}
+
+// PerformSOAPAction makes a SOAP request, with the given action.
+// inAction and outAction must both be pointers to structs with string fields
+// only.
+func (client *SOAPClient) PerformAction(ctx context.Context, actionNamespace, actionName string, inAction interface{}, outAction interface{}) error {
+	requestBytes, err := encodeRequestAction(actionNamespace, actionName, inAction)
+	if err != nil {
+		return err
+	}
+
+	req := &http.Request{
+		Method: "POST",
+		URL:    &client.EndpointURL,
+		Header: http.Header{
+			"SOAPACTION":   []string{`"` + actionNamespace + "#" + actionName + `"`},
+			"CONTENT-TYPE": []string{"text/xml; charset=\"utf-8\""},
+		},
+		Body: ioutil.NopCloser(bytes.NewBuffer(requestBytes)),
+		// Set ContentLength to avoid chunked encoding - some servers might not support it.
+		ContentLength: int64(len(requestBytes)),
+	}
+
+	response, err := client.HTTPClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return fmt.Errorf("goupnp: error performing SOAP HTTP request: %v", err)
+	}
+	defer response.Body.Close()
+	if response.StatusCode != 200 && response.ContentLength == 0 {
+		return fmt.Errorf("goupnp: SOAP request got HTTP %s", response.Status)
+	}
+
+	responseEnv := newSOAPEnvelope()
+	decoder := xml.NewDecoder(response.Body)
+	if err := decoder.Decode(responseEnv); err != nil {
+		return fmt.Errorf("goupnp: error decoding response body: %v", err)
+	}
+
+	if responseEnv.Body.Fault != nil {
+		return responseEnv.Body.Fault
+	} else if response.StatusCode != 200 {
+		return fmt.Errorf("goupnp: SOAP request got HTTP %s", response.Status)
+	}
+
+	if outAction != nil {
+		if err := xml.Unmarshal(responseEnv.Body.RawAction, outAction); err != nil {
+			return fmt.Errorf("goupnp: error unmarshalling out action: %v, %v", err, responseEnv.Body.RawAction)
+		}
+	}
+
+	return nil
+}
+
+// newSOAPAction creates a soapEnvelope with the given action and arguments.
+func newSOAPEnvelope() *soapEnvelope {
+	return &soapEnvelope{
+		EncodingStyle: soapEncodingStyle,
+	}
+}
+
+// encodeRequestAction is a hacky way to create an encoded SOAP envelope
+// containing the given action. Experiments with one router have shown that it
+// 500s for requests where the outer default xmlns is set to the SOAP
+// namespace, and then reassigning the default namespace within that to the
+// service namespace. Hand-coding the outer XML to work-around this.
+func encodeRequestAction(actionNamespace, actionName string, inAction interface{}) ([]byte, error) {
+	requestBuf := new(bytes.Buffer)
+	requestBuf.WriteString(soapPrefix)
+	requestBuf.WriteString(`<u:`)
+	xml.EscapeText(requestBuf, []byte(actionName))
+	requestBuf.WriteString(` xmlns:u="`)
+	xml.EscapeText(requestBuf, []byte(actionNamespace))
+	requestBuf.WriteString(`">`)
+	if inAction != nil {
+		if err := encodeRequestArgs(requestBuf, inAction); err != nil {
+			return nil, err
+		}
+	}
+	requestBuf.WriteString(`</u:`)
+	xml.EscapeText(requestBuf, []byte(actionName))
+	requestBuf.WriteString(`>`)
+	requestBuf.WriteString(soapSuffix)
+	return requestBuf.Bytes(), nil
+}
+
+func encodeRequestArgs(w *bytes.Buffer, inAction interface{}) error {
+	in := reflect.Indirect(reflect.ValueOf(inAction))
+	if in.Kind() != reflect.Struct {
+		return fmt.Errorf("goupnp: SOAP inAction is not a struct but of type %v", in.Type())
+	}
+	enc := xml.NewEncoder(w)
+	nFields := in.NumField()
+	inType := in.Type()
+	for i := 0; i < nFields; i++ {
+		field := inType.Field(i)
+		argName := field.Name
+		if nameOverride := field.Tag.Get("soap"); nameOverride != "" {
+			argName = nameOverride
+		}
+		value := in.Field(i)
+		if value.Kind() != reflect.String {
+			return fmt.Errorf("goupnp: SOAP arg %q is not of type string, but of type %v", argName, value.Type())
+		}
+		elem := xml.StartElement{Name: xml.Name{Space: "", Local: argName}, Attr: nil}
+		if err := enc.EncodeToken(elem); err != nil {
+			return fmt.Errorf("goupnp: error encoding start element for SOAP arg %q: %v", argName, err)
+		}
+		if err := enc.Flush(); err != nil {
+			return fmt.Errorf("goupnp: error flushing start element for SOAP arg %q: %v", argName, err)
+		}
+		if _, err := w.Write([]byte(escapeXMLText(value.Interface().(string)))); err != nil {
+			return fmt.Errorf("goupnp: error writing value for SOAP arg %q: %v", argName, err)
+		}
+		if err := enc.EncodeToken(elem.End()); err != nil {
+			return fmt.Errorf("goupnp: error encoding end element for SOAP arg %q: %v", argName, err)
+		}
+	}
+	enc.Flush()
+	return nil
+}
+
+var xmlCharRx = regexp.MustCompile("[<>&]")
+
+// escapeXMLText is used by generated code to escape text in XML, but only
+// escaping the characters `<`, `>`, and `&`.
+//
+// This is provided in order to work around SOAP server implementations that
+// fail to decode XML correctly, specifically failing to decode `"`, `'`. Note
+// that this can only be safely used for injecting into XML text, but not into
+// attributes or other contexts.
+func escapeXMLText(s string) string {
+	return xmlCharRx.ReplaceAllStringFunc(s, replaceEntity)
+}
+
+func replaceEntity(s string) string {
+	switch s {
+	case "<":
+		return "&lt;"
+	case ">":
+		return "&gt;"
+	case "&":
+		return "&amp;"
+	}
+	return s
+}
+
+type soapEnvelope struct {
+	XMLName       xml.Name `xml:"http://schemas.xmlsoap.org/soap/envelope/ Envelope"`
+	EncodingStyle string   `xml:"http://schemas.xmlsoap.org/soap/envelope/ encodingStyle,attr"`
+	Body          soapBody `xml:"http://schemas.xmlsoap.org/soap/envelope/ Body"`
+}
+
+type soapBody struct {
+	Fault     *SOAPFaultError `xml:"Fault"`
+	RawAction []byte          `xml:",innerxml"`
+}
+
+// SOAPFaultError implements error, and contains SOAP fault information.
+type SOAPFaultError struct {
+	FaultCode   string `xml:"faultCode"`
+	FaultString string `xml:"faultString"`
+	Detail      struct {
+		Raw []byte `xml:",innerxml"`
+	} `xml:"detail"`
+}
+
+func (err *SOAPFaultError) Error() string {
+	return fmt.Sprintf("SOAP fault: %s", err.FaultString)
+}
--- a/tempfork/upnp/soap/soap_test.go
+++ b/tempfork/upnp/soap/soap_test.go
@@ -0,0 +1,111 @@
+package soap
+
+import (
+	"bytes"
+	"context"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"reflect"
+	"testing"
+)
+
+type capturingRoundTripper struct {
+	err         error
+	resp        *http.Response
+	capturedReq *http.Request
+}
+
+func (rt *capturingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	rt.capturedReq = req
+	return rt.resp, rt.err
+}
+
+func TestActionInputs(t *testing.T) {
+	t.Parallel()
+	url, err := url.Parse("http://example.com/soap")
+	if err != nil {
+		t.Fatal(err)
+	}
+	rt := &capturingRoundTripper{
+		err: nil,
+		resp: &http.Response{
+			StatusCode: 200,
+			Body: ioutil.NopCloser(bytes.NewBufferString(`
+				<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
+					<s:Body>
+						<u:myactionResponse xmlns:u="mynamespace">
+							<A>valueA</A>
+							<B>valueB</B>
+						</u:myactionResponse>
+					</s:Body>
+				</s:Envelope>
+			`)),
+		},
+	}
+	client := SOAPClient{
+		EndpointURL: *url,
+		HTTPClient: http.Client{
+			Transport: rt,
+		},
+	}
+
+	type In struct {
+		Foo string
+		Bar string `soap:"bar"`
+		Baz string
+	}
+	type Out struct {
+		A string
+		B string
+	}
+	in := In{"foo", "bar", "quoted=\"baz\""}
+	gotOut := Out{}
+	err = client.PerformAction(context.Background(), "mynamespace", "myaction", &in, &gotOut)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	wantBody := (soapPrefix +
+		`<u:myaction xmlns:u="mynamespace">` +
+		`<Foo>foo</Foo>` +
+		`<bar>bar</bar>` +
+		`<Baz>quoted="baz"</Baz>` +
+		`</u:myaction>` +
+		soapSuffix)
+	body, err := ioutil.ReadAll(rt.capturedReq.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	gotBody := string(body)
+	if wantBody != gotBody {
+		t.Errorf("Bad request body\nwant: %q\n got: %q", wantBody, gotBody)
+	}
+
+	wantOut := Out{"valueA", "valueB"}
+	if !reflect.DeepEqual(wantOut, gotOut) {
+		t.Errorf("Bad output\nwant: %+v\n got: %+v", wantOut, gotOut)
+	}
+}
+
+func TestEscapeXMLText(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		input string
+		want  string
+	}{
+		{"", ""},
+		{"abc123", "abc123"},
+		{"<foo>&", "&lt;foo&gt;&amp;"},
+		{"\"foo'", "\"foo'"},
+	}
+	for _, test := range tests {
+		test := test
+		t.Run(test.input, func(t *testing.T) {
+			got := escapeXMLText(test.input)
+			if got != test.want {
+				t.Errorf("want %q, got %q", test.want, got)
+			}
+		})
+	}
+}
--- a/tempfork/upnp/soap/types.go
+++ b/tempfork/upnp/soap/types.go
@@ -0,0 +1,526 @@
+package soap
+
+import (
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"net/url"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+	"unicode/utf8"
+)
+
+var (
+	// localLoc acts like time.Local for this package, but is faked out by the
+	// unit tests to ensure that things stay constant (especially when running
+	// this test in a place where local time is UTC which might mask bugs).
+	localLoc = time.Local
+)
+
+func MarshalUi1(v uint8) (string, error) {
+	return strconv.FormatUint(uint64(v), 10), nil
+}
+
+func UnmarshalUi1(s string) (uint8, error) {
+	v, err := strconv.ParseUint(s, 10, 8)
+	return uint8(v), err
+}
+
+func MarshalUi2(v uint16) (string, error) {
+	return strconv.FormatUint(uint64(v), 10), nil
+}
+
+func UnmarshalUi2(s string) (uint16, error) {
+	v, err := strconv.ParseUint(s, 10, 16)
+	return uint16(v), err
+}
+
+func MarshalUi4(v uint32) (string, error) {
+	return strconv.FormatUint(uint64(v), 10), nil
+}
+
+func UnmarshalUi4(s string) (uint32, error) {
+	v, err := strconv.ParseUint(s, 10, 32)
+	return uint32(v), err
+}
+
+func MarshalUi8(v uint64) (string, error) {
+	return strconv.FormatUint(v, 10), nil
+}
+
+func UnmarshalUi8(s string) (uint64, error) {
+	v, err := strconv.ParseUint(s, 10, 64)
+	return uint64(v), err
+}
+
+func MarshalI1(v int8) (string, error) {
+	return strconv.FormatInt(int64(v), 10), nil
+}
+
+func UnmarshalI1(s string) (int8, error) {
+	v, err := strconv.ParseInt(s, 10, 8)
+	return int8(v), err
+}
+
+func MarshalI2(v int16) (string, error) {
+	return strconv.FormatInt(int64(v), 10), nil
+}
+
+func UnmarshalI2(s string) (int16, error) {
+	v, err := strconv.ParseInt(s, 10, 16)
+	return int16(v), err
+}
+
+func MarshalI4(v int32) (string, error) {
+	return strconv.FormatInt(int64(v), 10), nil
+}
+
+func UnmarshalI4(s string) (int32, error) {
+	v, err := strconv.ParseInt(s, 10, 32)
+	return int32(v), err
+}
+
+func MarshalInt(v int64) (string, error) {
+	return strconv.FormatInt(v, 10), nil
+}
+
+func UnmarshalInt(s string) (int64, error) {
+	return strconv.ParseInt(s, 10, 64)
+}
+
+func MarshalR4(v float32) (string, error) {
+	return strconv.FormatFloat(float64(v), 'G', -1, 32), nil
+}
+
+func UnmarshalR4(s string) (float32, error) {
+	v, err := strconv.ParseFloat(s, 32)
+	return float32(v), err
+}
+
+func MarshalR8(v float64) (string, error) {
+	return strconv.FormatFloat(v, 'G', -1, 64), nil
+}
+
+func UnmarshalR8(s string) (float64, error) {
+	v, err := strconv.ParseFloat(s, 64)
+	return float64(v), err
+}
+
+// MarshalFixed14_4 marshals float64 to SOAP "fixed.14.4" type.
+func MarshalFixed14_4(v float64) (string, error) {
+	if v >= 1e14 || v <= -1e14 {
+		return "", fmt.Errorf("soap fixed14.4: value %v out of bounds", v)
+	}
+	return strconv.FormatFloat(v, 'f', 4, 64), nil
+}
+
+// UnmarshalFixed14_4 unmarshals float64 from SOAP "fixed.14.4" type.
+func UnmarshalFixed14_4(s string) (float64, error) {
+	v, err := strconv.ParseFloat(s, 64)
+	if err != nil {
+		return 0, err
+	}
+	if v >= 1e14 || v <= -1e14 {
+		return 0, fmt.Errorf("soap fixed14.4: value %q out of bounds", s)
+	}
+	return v, nil
+}
+
+// MarshalChar marshals rune to SOAP "char" type.
+func MarshalChar(v rune) (string, error) {
+	if v == 0 {
+		return "", errors.New("soap char: rune 0 is not allowed")
+	}
+	return string(v), nil
+}
+
+// UnmarshalChar unmarshals rune from SOAP "char" type.
+func UnmarshalChar(s string) (rune, error) {
+	if len(s) == 0 {
+		return 0, errors.New("soap char: got empty string")
+	}
+	r, n := utf8.DecodeRune([]byte(s))
+	if n != len(s) {
+		return 0, fmt.Errorf("soap char: value %q is not a single rune", s)
+	}
+	return r, nil
+}
+
+func MarshalString(v string) (string, error) {
+	return v, nil
+}
+
+func UnmarshalString(v string) (string, error) {
+	return v, nil
+}
+
+func parseInt(s string, err *error) int {
+	v, parseErr := strconv.ParseInt(s, 10, 64)
+	if parseErr != nil {
+		*err = parseErr
+	}
+	return int(v)
+}
+
+var dateRegexps = []*regexp.Regexp{
+	// yyyy[-mm[-dd]]
+	regexp.MustCompile(`^(\d{4})(?:-(\d{2})(?:-(\d{2}))?)?$`),
+	// yyyy[mm[dd]]
+	regexp.MustCompile(`^(\d{4})(?:(\d{2})(?:(\d{2}))?)?$`),
+}
+
+func parseDateParts(s string) (year, month, day int, err error) {
+	var parts []string
+	for _, re := range dateRegexps {
+		parts = re.FindStringSubmatch(s)
+		if parts != nil {
+			break
+		}
+	}
+	if parts == nil {
+		err = fmt.Errorf("soap date: value %q is not in a recognized ISO8601 date format", s)
+		return
+	}
+
+	year = parseInt(parts[1], &err)
+	month = 1
+	day = 1
+	if len(parts[2]) != 0 {
+		month = parseInt(parts[2], &err)
+		if len(parts[3]) != 0 {
+			day = parseInt(parts[3], &err)
+		}
+	}
+
+	if err != nil {
+		err = fmt.Errorf("soap date: %q: %v", s, err)
+	}
+
+	return
+}
+
+var timeRegexps = []*regexp.Regexp{
+	// hh[:mm[:ss]]
+	regexp.MustCompile(`^(\d{2})(?::(\d{2})(?::(\d{2}))?)?$`),
+	// hh[mm[ss]]
+	regexp.MustCompile(`^(\d{2})(?:(\d{2})(?:(\d{2}))?)?$`),
+}
+
+func parseTimeParts(s string) (hour, minute, second int, err error) {
+	var parts []string
+	for _, re := range timeRegexps {
+		parts = re.FindStringSubmatch(s)
+		if parts != nil {
+			break
+		}
+	}
+	if parts == nil {
+		err = fmt.Errorf("soap time: value %q is not in ISO8601 time format", s)
+		return
+	}
+
+	hour = parseInt(parts[1], &err)
+	if len(parts[2]) != 0 {
+		minute = parseInt(parts[2], &err)
+		if len(parts[3]) != 0 {
+			second = parseInt(parts[3], &err)
+		}
+	}
+
+	if err != nil {
+		err = fmt.Errorf("soap time: %q: %v", s, err)
+	}
+
+	return
+}
+
+// (+|-)hh[[:]mm]
+var timezoneRegexp = regexp.MustCompile(`^([+-])(\d{2})(?::?(\d{2}))?$`)
+
+func parseTimezone(s string) (offset int, err error) {
+	if s == "Z" {
+		return 0, nil
+	}
+	parts := timezoneRegexp.FindStringSubmatch(s)
+	if parts == nil {
+		err = fmt.Errorf("soap timezone: value %q is not in ISO8601 timezone format", s)
+		return
+	}
+
+	offset = parseInt(parts[2], &err) * 3600
+	if len(parts[3]) != 0 {
+		offset += parseInt(parts[3], &err) * 60
+	}
+	if parts[1] == "-" {
+		offset = -offset
+	}
+
+	if err != nil {
+		err = fmt.Errorf("soap timezone: %q: %v", s, err)
+	}
+
+	return
+}
+
+var completeDateTimeZoneRegexp = regexp.MustCompile(`^([^T]+)(?:T([^-+Z]+)(.+)?)?$`)
+
+// splitCompleteDateTimeZone splits date, time and timezone apart from an
+// ISO8601 string. It does not ensure that the contents of each part are
+// correct, it merely splits on certain delimiters.
+// e.g "2010-09-08T12:15:10+0700" => "2010-09-08", "12:15:10", "+0700".
+// Timezone can only be present if time is also present.
+func splitCompleteDateTimeZone(s string) (dateStr, timeStr, zoneStr string, err error) {
+	parts := completeDateTimeZoneRegexp.FindStringSubmatch(s)
+	if parts == nil {
+		err = fmt.Errorf("soap date/time/zone: value %q is not in ISO8601 datetime format", s)
+		return
+	}
+	dateStr = parts[1]
+	timeStr = parts[2]
+	zoneStr = parts[3]
+	return
+}
+
+// MarshalDate marshals time.Time to SOAP "date" type. Note that this converts
+// to local time, and discards the time-of-day components.
+func MarshalDate(v time.Time) (string, error) {
+	return v.In(localLoc).Format("2006-01-02"), nil
+}
+
+// UnmarshalDate unmarshals time.Time from SOAP "date" type. This outputs the
+// date as midnight in the local time zone.
+func UnmarshalDate(s string) (time.Time, error) {
+	year, month, day, err := parseDateParts(s)
+	if err != nil {
+		return time.Time{}, err
+	}
+	return time.Date(year, time.Month(month), day, 0, 0, 0, 0, localLoc), nil
+}
+
+// TimeOfDay is used in cases where SOAP "time" or "time.tz" is used.
+type TimeOfDay struct {
+	// Duration of time since midnight.
+	FromMidnight time.Duration
+
+	// Set to true if Offset is specified. If false, then the timezone is
+	// unspecified (and by ISO8601 - implies some "local" time).
+	HasOffset bool
+
+	// Offset is non-zero only if time.tz is used. It is otherwise ignored. If
+	// non-zero, then it is regarded as a UTC offset in seconds. Note that the
+	// sub-minutes is ignored by the marshal function.
+	Offset int
+}
+
+// MarshalTimeOfDay marshals TimeOfDay to the "time" type.
+func MarshalTimeOfDay(v TimeOfDay) (string, error) {
+	d := int64(v.FromMidnight / time.Second)
+	hour := d / 3600
+	d = d % 3600
+	minute := d / 60
+	second := d % 60
+
+	return fmt.Sprintf("%02d:%02d:%02d", hour, minute, second), nil
+}
+
+// UnmarshalTimeOfDay unmarshals TimeOfDay from the "time" type.
+func UnmarshalTimeOfDay(s string) (TimeOfDay, error) {
+	t, err := UnmarshalTimeOfDayTz(s)
+	if err != nil {
+		return TimeOfDay{}, err
+	} else if t.HasOffset {
+		return TimeOfDay{}, fmt.Errorf("soap time: value %q contains unexpected timezone", s)
+	}
+	return t, nil
+}
+
+// MarshalTimeOfDayTz marshals TimeOfDay to the "time.tz" type.
+func MarshalTimeOfDayTz(v TimeOfDay) (string, error) {
+	d := int64(v.FromMidnight / time.Second)
+	hour := d / 3600
+	d = d % 3600
+	minute := d / 60
+	second := d % 60
+
+	tz := ""
+	if v.HasOffset {
+		if v.Offset == 0 {
+			tz = "Z"
+		} else {
+			offsetMins := v.Offset / 60
+			sign := '+'
+			if offsetMins < 1 {
+				offsetMins = -offsetMins
+				sign = '-'
+			}
+			tz = fmt.Sprintf("%c%02d:%02d", sign, offsetMins/60, offsetMins%60)
+		}
+	}
+
+	return fmt.Sprintf("%02d:%02d:%02d%s", hour, minute, second, tz), nil
+}
+
+// UnmarshalTimeOfDayTz unmarshals TimeOfDay from the "time.tz" type.
+func UnmarshalTimeOfDayTz(s string) (tod TimeOfDay, err error) {
+	zoneIndex := strings.IndexAny(s, "Z+-")
+	var timePart string
+	var hasOffset bool
+	var offset int
+	if zoneIndex == -1 {
+		hasOffset = false
+		timePart = s
+	} else {
+		hasOffset = true
+		timePart = s[:zoneIndex]
+		if offset, err = parseTimezone(s[zoneIndex:]); err != nil {
+			return
+		}
+	}
+
+	hour, minute, second, err := parseTimeParts(timePart)
+	if err != nil {
+		return
+	}
+
+	fromMidnight := time.Duration(hour*3600+minute*60+second) * time.Second
+
+	// ISO8601 special case - values up to 24:00:00 are allowed, so using
+	// strictly greater-than for the maximum value.
+	if fromMidnight > 24*time.Hour || minute >= 60 || second >= 60 {
+		return TimeOfDay{}, fmt.Errorf("soap time.tz: value %q has value(s) out of range", s)
+	}
+
+	return TimeOfDay{
+		FromMidnight: time.Duration(hour*3600+minute*60+second) * time.Second,
+		HasOffset:    hasOffset,
+		Offset:       offset,
+	}, nil
+}
+
+// MarshalDateTime marshals time.Time to SOAP "dateTime" type. Note that this
+// converts to local time.
+func MarshalDateTime(v time.Time) (string, error) {
+	return v.In(localLoc).Format("2006-01-02T15:04:05"), nil
+}
+
+// UnmarshalDateTime unmarshals time.Time from the SOAP "dateTime" type. This
+// returns a value in the local timezone.
+func UnmarshalDateTime(s string) (result time.Time, err error) {
+	dateStr, timeStr, zoneStr, err := splitCompleteDateTimeZone(s)
+	if err != nil {
+		return
+	}
+
+	if len(zoneStr) != 0 {
+		err = fmt.Errorf("soap datetime: unexpected timezone in %q", s)
+		return
+	}
+
+	year, month, day, err := parseDateParts(dateStr)
+	if err != nil {
+		return
+	}
+
+	var hour, minute, second int
+	if len(timeStr) != 0 {
+		hour, minute, second, err = parseTimeParts(timeStr)
+		if err != nil {
+			return
+		}
+	}
+
+	result = time.Date(year, time.Month(month), day, hour, minute, second, 0, localLoc)
+	return
+}
+
+// MarshalDateTimeTz marshals time.Time to SOAP "dateTime.tz" type.
+func MarshalDateTimeTz(v time.Time) (string, error) {
+	return v.Format("2006-01-02T15:04:05-07:00"), nil
+}
+
+// UnmarshalDateTimeTz unmarshals time.Time from the SOAP "dateTime.tz" type.
+// This returns a value in the local timezone when the timezone is unspecified.
+func UnmarshalDateTimeTz(s string) (result time.Time, err error) {
+	dateStr, timeStr, zoneStr, err := splitCompleteDateTimeZone(s)
+	if err != nil {
+		return
+	}
+
+	year, month, day, err := parseDateParts(dateStr)
+	if err != nil {
+		return
+	}
+
+	var hour, minute, second int
+	var location *time.Location = localLoc
+	if len(timeStr) != 0 {
+		hour, minute, second, err = parseTimeParts(timeStr)
+		if err != nil {
+			return
+		}
+		if len(zoneStr) != 0 {
+			var offset int
+			offset, err = parseTimezone(zoneStr)
+			if offset == 0 {
+				location = time.UTC
+			} else {
+				location = time.FixedZone("", offset)
+			}
+		}
+	}
+
+	result = time.Date(year, time.Month(month), day, hour, minute, second, 0, location)
+	return
+}
+
+// MarshalBoolean marshals bool to SOAP "boolean" type.
+func MarshalBoolean(v bool) (string, error) {
+	if v {
+		return "1", nil
+	}
+	return "0", nil
+}
+
+// UnmarshalBoolean unmarshals bool from the SOAP "boolean" type.
+func UnmarshalBoolean(s string) (bool, error) {
+	switch s {
+	case "0", "false", "no":
+		return false, nil
+	case "1", "true", "yes":
+		return true, nil
+	}
+	return false, fmt.Errorf("soap boolean: %q is not a valid boolean value", s)
+}
+
+// MarshalBinBase64 marshals []byte to SOAP "bin.base64" type.
+func MarshalBinBase64(v []byte) (string, error) {
+	return base64.StdEncoding.EncodeToString(v), nil
+}
+
+// UnmarshalBinBase64 unmarshals []byte from the SOAP "bin.base64" type.
+func UnmarshalBinBase64(s string) ([]byte, error) {
+	return base64.StdEncoding.DecodeString(s)
+}
+
+// MarshalBinHex marshals []byte to SOAP "bin.hex" type.
+func MarshalBinHex(v []byte) (string, error) {
+	return hex.EncodeToString(v), nil
+}
+
+// UnmarshalBinHex unmarshals []byte from the SOAP "bin.hex" type.
+func UnmarshalBinHex(s string) ([]byte, error) {
+	return hex.DecodeString(s)
+}
+
+// MarshalURI marshals *url.URL to SOAP "uri" type.
+func MarshalURI(v *url.URL) (string, error) {
+	return v.String(), nil
+}
+
+// UnmarshalURI unmarshals *url.URL from the SOAP "uri" type.
+func UnmarshalURI(s string) (*url.URL, error) {
+	return url.Parse(s)
+}
--- a/tempfork/upnp/soap/types_test.go
+++ b/tempfork/upnp/soap/types_test.go
@@ -0,0 +1,497 @@
+package soap
+
+import (
+	"bytes"
+	"math"
+	"net/url"
+	"testing"
+	"time"
+)
+
+type convTest interface {
+	Marshal() (string, error)
+	Unmarshal(string) (interface{}, error)
+	Equal(result interface{}) bool
+}
+
+// duper is an interface that convTest values may optionally also implement to
+// generate another convTest for a value in an otherwise identical testCase.
+type duper interface {
+	Dupe(tag string) []convTest
+}
+
+type testCase struct {
+	value            convTest
+	str              string
+	wantMarshalErr   bool
+	wantUnmarshalErr bool
+	noMarshal        bool
+	noUnMarshal      bool
+	tag              string
+}
+
+type Ui1Test uint8
+
+func (v Ui1Test) Marshal() (string, error) {
+	return MarshalUi1(uint8(v))
+}
+func (v Ui1Test) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalUi1(s)
+}
+func (v Ui1Test) Equal(result interface{}) bool {
+	return uint8(v) == result.(uint8)
+}
+func (v Ui1Test) Dupe(tag string) []convTest {
+	if tag == "dupe" {
+		return []convTest{
+			Ui2Test(v),
+			Ui4Test(v),
+		}
+	}
+	return nil
+}
+
+type Ui2Test uint16
+
+func (v Ui2Test) Marshal() (string, error) {
+	return MarshalUi2(uint16(v))
+}
+func (v Ui2Test) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalUi2(s)
+}
+func (v Ui2Test) Equal(result interface{}) bool {
+	return uint16(v) == result.(uint16)
+}
+
+type Ui4Test uint32
+
+func (v Ui4Test) Marshal() (string, error) {
+	return MarshalUi4(uint32(v))
+}
+func (v Ui4Test) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalUi4(s)
+}
+func (v Ui4Test) Equal(result interface{}) bool {
+	return uint32(v) == result.(uint32)
+}
+
+type I1Test int8
+
+func (v I1Test) Marshal() (string, error) {
+	return MarshalI1(int8(v))
+}
+func (v I1Test) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalI1(s)
+}
+func (v I1Test) Equal(result interface{}) bool {
+	return int8(v) == result.(int8)
+}
+func (v I1Test) Dupe(tag string) []convTest {
+	if tag == "dupe" {
+		return []convTest{
+			I2Test(v),
+			I4Test(v),
+		}
+	}
+	return nil
+}
+
+type I2Test int16
+
+func (v I2Test) Marshal() (string, error) {
+	return MarshalI2(int16(v))
+}
+func (v I2Test) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalI2(s)
+}
+func (v I2Test) Equal(result interface{}) bool {
+	return int16(v) == result.(int16)
+}
+
+type I4Test int32
+
+func (v I4Test) Marshal() (string, error) {
+	return MarshalI4(int32(v))
+}
+func (v I4Test) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalI4(s)
+}
+func (v I4Test) Equal(result interface{}) bool {
+	return int32(v) == result.(int32)
+}
+
+type IntTest int64
+
+func (v IntTest) Marshal() (string, error) {
+	return MarshalInt(int64(v))
+}
+func (v IntTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalInt(s)
+}
+func (v IntTest) Equal(result interface{}) bool {
+	return int64(v) == result.(int64)
+}
+
+type Fixed14_4Test float64
+
+func (v Fixed14_4Test) Marshal() (string, error) {
+	return MarshalFixed14_4(float64(v))
+}
+func (v Fixed14_4Test) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalFixed14_4(s)
+}
+func (v Fixed14_4Test) Equal(result interface{}) bool {
+	return math.Abs(float64(v)-result.(float64)) < 0.001
+}
+
+type CharTest rune
+
+func (v CharTest) Marshal() (string, error) {
+	return MarshalChar(rune(v))
+}
+func (v CharTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalChar(s)
+}
+func (v CharTest) Equal(result interface{}) bool {
+	return rune(v) == result.(rune)
+}
+
+type DateTest struct{ time.Time }
+
+func (v DateTest) Marshal() (string, error) {
+	return MarshalDate(time.Time(v.Time))
+}
+func (v DateTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalDate(s)
+}
+func (v DateTest) Equal(result interface{}) bool {
+	return v.Time.Equal(result.(time.Time))
+}
+func (v DateTest) Dupe(tag string) []convTest {
+	if tag != "no:dateTime" {
+		return []convTest{DateTimeTest(v)}
+	}
+	return nil
+}
+
+type TimeOfDayTest struct {
+	TimeOfDay
+}
+
+func (v TimeOfDayTest) Marshal() (string, error) {
+	return MarshalTimeOfDay(v.TimeOfDay)
+}
+func (v TimeOfDayTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalTimeOfDay(s)
+}
+func (v TimeOfDayTest) Equal(result interface{}) bool {
+	return v.TimeOfDay == result.(TimeOfDay)
+}
+func (v TimeOfDayTest) Dupe(tag string) []convTest {
+	if tag != "no:time.tz" {
+		return []convTest{TimeOfDayTzTest(v)}
+	}
+	return nil
+}
+
+type TimeOfDayTzTest struct {
+	TimeOfDay
+}
+
+func (v TimeOfDayTzTest) Marshal() (string, error) {
+	return MarshalTimeOfDayTz(v.TimeOfDay)
+}
+func (v TimeOfDayTzTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalTimeOfDayTz(s)
+}
+func (v TimeOfDayTzTest) Equal(result interface{}) bool {
+	return v.TimeOfDay == result.(TimeOfDay)
+}
+
+type DateTimeTest struct{ time.Time }
+
+func (v DateTimeTest) Marshal() (string, error) {
+	return MarshalDateTime(time.Time(v.Time))
+}
+func (v DateTimeTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalDateTime(s)
+}
+func (v DateTimeTest) Equal(result interface{}) bool {
+	return v.Time.Equal(result.(time.Time))
+}
+func (v DateTimeTest) Dupe(tag string) []convTest {
+	if tag != "no:dateTime.tz" {
+		return []convTest{DateTimeTzTest(v)}
+	}
+	return nil
+}
+
+type DateTimeTzTest struct{ time.Time }
+
+func (v DateTimeTzTest) Marshal() (string, error) {
+	return MarshalDateTimeTz(time.Time(v.Time))
+}
+func (v DateTimeTzTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalDateTimeTz(s)
+}
+func (v DateTimeTzTest) Equal(result interface{}) bool {
+	return v.Time.Equal(result.(time.Time))
+}
+
+type BooleanTest bool
+
+func (v BooleanTest) Marshal() (string, error) {
+	return MarshalBoolean(bool(v))
+}
+func (v BooleanTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalBoolean(s)
+}
+func (v BooleanTest) Equal(result interface{}) bool {
+	return bool(v) == result.(bool)
+}
+
+type BinBase64Test []byte
+
+func (v BinBase64Test) Marshal() (string, error) {
+	return MarshalBinBase64([]byte(v))
+}
+func (v BinBase64Test) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalBinBase64(s)
+}
+func (v BinBase64Test) Equal(result interface{}) bool {
+	return bytes.Equal([]byte(v), result.([]byte))
+}
+
+type BinHexTest []byte
+
+func (v BinHexTest) Marshal() (string, error) {
+	return MarshalBinHex([]byte(v))
+}
+func (v BinHexTest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalBinHex(s)
+}
+func (v BinHexTest) Equal(result interface{}) bool {
+	return bytes.Equal([]byte(v), result.([]byte))
+}
+
+type URITest struct{ URL *url.URL }
+
+func (v URITest) Marshal() (string, error) {
+	return MarshalURI(v.URL)
+}
+func (v URITest) Unmarshal(s string) (interface{}, error) {
+	return UnmarshalURI(s)
+}
+func (v URITest) Equal(result interface{}) bool {
+	return v.URL.String() == result.(*url.URL).String()
+}
+
+func Test(t *testing.T) {
+	const time010203 time.Duration = (1*3600 + 2*60 + 3) * time.Second
+	const time0102 time.Duration = (1*3600 + 2*60) * time.Second
+	const time01 time.Duration = (1 * 3600) * time.Second
+	const time235959 time.Duration = (23*3600 + 59*60 + 59) * time.Second
+
+	// Fake out the local time for the implementation.
+	localLoc = time.FixedZone("Fake/Local", 6*3600)
+	defer func() {
+		localLoc = time.Local
+	}()
+
+	tests := []testCase{
+		// ui1
+		{str: "", value: Ui1Test(0), wantUnmarshalErr: true, noMarshal: true, tag: "dupe"},
+		{str: " ", value: Ui1Test(0), wantUnmarshalErr: true, noMarshal: true, tag: "dupe"},
+		{str: "abc", value: Ui1Test(0), wantUnmarshalErr: true, noMarshal: true, tag: "dupe"},
+		{str: "-1", value: Ui1Test(0), wantUnmarshalErr: true, noMarshal: true, tag: "dupe"},
+		{str: "0", value: Ui1Test(0), tag: "dupe"},
+		{str: "1", value: Ui1Test(1), tag: "dupe"},
+		{str: "255", value: Ui1Test(255), tag: "dupe"},
+		{str: "256", value: Ui1Test(0), wantUnmarshalErr: true, noMarshal: true},
+
+		// ui2
+		{str: "65535", value: Ui2Test(65535)},
+		{str: "65536", value: Ui2Test(0), wantUnmarshalErr: true, noMarshal: true},
+
+		// ui4
+		{str: "4294967295", value: Ui4Test(4294967295)},
+		{str: "4294967296", value: Ui4Test(0), wantUnmarshalErr: true, noMarshal: true},
+
+		// i1
+		{str: "", value: I1Test(0), wantUnmarshalErr: true, noMarshal: true, tag: "dupe"},
+		{str: " ", value: I1Test(0), wantUnmarshalErr: true, noMarshal: true, tag: "dupe"},
+		{str: "abc", value: I1Test(0), wantUnmarshalErr: true, noMarshal: true, tag: "dupe"},
+		{str: "0", value: I1Test(0), tag: "dupe"},
+		{str: "-1", value: I1Test(-1), tag: "dupe"},
+		{str: "127", value: I1Test(127), tag: "dupe"},
+		{str: "-128", value: I1Test(-128), tag: "dupe"},
+		{str: "128", value: I1Test(0), wantUnmarshalErr: true, noMarshal: true},
+		{str: "-129", value: I1Test(0), wantUnmarshalErr: true, noMarshal: true},
+
+		// i2
+		{str: "32767", value: I2Test(32767)},
+		{str: "-32768", value: I2Test(-32768)},
+		{str: "32768", value: I2Test(0), wantUnmarshalErr: true, noMarshal: true},
+		{str: "-32769", value: I2Test(0), wantUnmarshalErr: true, noMarshal: true},
+
+		// i4
+		{str: "2147483647", value: I4Test(2147483647)},
+		{str: "-2147483648", value: I4Test(-2147483648)},
+		{str: "2147483648", value: I4Test(0), wantUnmarshalErr: true, noMarshal: true},
+		{str: "-2147483649", value: I4Test(0), wantUnmarshalErr: true, noMarshal: true},
+
+		// int
+		{str: "9223372036854775807", value: IntTest(9223372036854775807)},
+		{str: "-9223372036854775808", value: IntTest(-9223372036854775808)},
+		{str: "9223372036854775808", value: IntTest(0), wantUnmarshalErr: true, noMarshal: true},
+		{str: "-9223372036854775809", value: IntTest(0), wantUnmarshalErr: true, noMarshal: true},
+
+		// fixed.14.4
+		{str: "0.0000", value: Fixed14_4Test(0)},
+		{str: "1.0000", value: Fixed14_4Test(1)},
+		{str: "1.2346", value: Fixed14_4Test(1.23456)},
+		{str: "-1.0000", value: Fixed14_4Test(-1)},
+		{str: "-1.2346", value: Fixed14_4Test(-1.23456)},
+		{str: "10000000000000.0000", value: Fixed14_4Test(1e13)},
+		{str: "100000000000000.0000", value: Fixed14_4Test(1e14), wantMarshalErr: true, wantUnmarshalErr: true},
+		{str: "-10000000000000.0000", value: Fixed14_4Test(-1e13)},
+		{str: "-100000000000000.0000", value: Fixed14_4Test(-1e14), wantMarshalErr: true, wantUnmarshalErr: true},
+
+		// char
+		{str: "a", value: CharTest('a')},
+		{str: "z", value: CharTest('z')},
+		{str: "\u1234", value: CharTest(0x1234)},
+		{str: "aa", value: CharTest(0), wantMarshalErr: true, wantUnmarshalErr: true},
+		{str: "", value: CharTest(0), wantMarshalErr: true, wantUnmarshalErr: true},
+
+		// date
+		{str: "2013-10-08", value: DateTest{time.Date(2013, 10, 8, 0, 0, 0, 0, localLoc)}, tag: "no:dateTime"},
+		{str: "20131008", value: DateTest{time.Date(2013, 10, 8, 0, 0, 0, 0, localLoc)}, noMarshal: true, tag: "no:dateTime"},
+		{str: "2013-10-08T10:30:50", value: DateTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:dateTime"},
+		{str: "2013-10-08T10:30:50Z", value: DateTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:dateTime"},
+		{str: "", value: DateTest{}, wantMarshalErr: true, wantUnmarshalErr: true, noMarshal: true},
+		{str: "-1", value: DateTest{}, wantUnmarshalErr: true, noMarshal: true},
+
+		// time
+		{str: "00:00:00", value: TimeOfDayTest{TimeOfDay{FromMidnight: 0}}},
+		{str: "000000", value: TimeOfDayTest{TimeOfDay{FromMidnight: 0}}, noMarshal: true},
+		{str: "24:00:00", value: TimeOfDayTest{TimeOfDay{FromMidnight: 24 * time.Hour}}, noMarshal: true}, // ISO8601 special case
+		{str: "24:01:00", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true},
+		{str: "24:00:01", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true},
+		{str: "25:00:00", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true},
+		{str: "00:60:00", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true},
+		{str: "00:00:60", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true},
+		{str: "01:02:03", value: TimeOfDayTest{TimeOfDay{FromMidnight: time010203}}},
+		{str: "010203", value: TimeOfDayTest{TimeOfDay{FromMidnight: time010203}}, noMarshal: true},
+		{str: "23:59:59", value: TimeOfDayTest{TimeOfDay{FromMidnight: time235959}}},
+		{str: "235959", value: TimeOfDayTest{TimeOfDay{FromMidnight: time235959}}, noMarshal: true},
+		{str: "01:02", value: TimeOfDayTest{TimeOfDay{FromMidnight: time0102}}, noMarshal: true},
+		{str: "0102", value: TimeOfDayTest{TimeOfDay{FromMidnight: time0102}}, noMarshal: true},
+		{str: "01", value: TimeOfDayTest{TimeOfDay{FromMidnight: time01}}, noMarshal: true},
+		{str: "foo 01:02:03", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "foo\n01:02:03", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03 foo", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03\nfoo", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03Z", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03+01", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03+01:23", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03+0123", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03-01", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03-01:23", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+		{str: "01:02:03-0123", value: TimeOfDayTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:time.tz"},
+
+		// time.tz
+		{str: "24:00:01", value: TimeOfDayTzTest{}, wantUnmarshalErr: true, noMarshal: true},
+		{str: "01Z", value: TimeOfDayTzTest{TimeOfDay{time01, true, 0}}, noMarshal: true},
+		{str: "01:02:03Z", value: TimeOfDayTzTest{TimeOfDay{time010203, true, 0}}},
+		{str: "01+01", value: TimeOfDayTzTest{TimeOfDay{time01, true, 3600}}, noMarshal: true},
+		{str: "01:02:03+01", value: TimeOfDayTzTest{TimeOfDay{time010203, true, 3600}}, noMarshal: true},
+		{str: "01:02:03+01:23", value: TimeOfDayTzTest{TimeOfDay{time010203, true, 3600 + 23*60}}},
+		{str: "01:02:03+0123", value: TimeOfDayTzTest{TimeOfDay{time010203, true, 3600 + 23*60}}, noMarshal: true},
+		{str: "01:02:03-01", value: TimeOfDayTzTest{TimeOfDay{time010203, true, -3600}}, noMarshal: true},
+		{str: "01:02:03-01:23", value: TimeOfDayTzTest{TimeOfDay{time010203, true, -(3600 + 23*60)}}},
+		{str: "01:02:03-0123", value: TimeOfDayTzTest{TimeOfDay{time010203, true, -(3600 + 23*60)}}, noMarshal: true},
+
+		// dateTime
+		{str: "2013-10-08T00:00:00", value: DateTimeTest{time.Date(2013, 10, 8, 0, 0, 0, 0, localLoc)}, tag: "no:dateTime.tz"},
+		{str: "20131008", value: DateTimeTest{time.Date(2013, 10, 8, 0, 0, 0, 0, localLoc)}, noMarshal: true},
+		{str: "2013-10-08T10:30:50", value: DateTimeTest{time.Date(2013, 10, 8, 10, 30, 50, 0, localLoc)}, tag: "no:dateTime.tz"},
+		{str: "2013-10-08T10:30:50T", value: DateTimeTest{}, wantUnmarshalErr: true, noMarshal: true},
+		{str: "2013-10-08T10:30:50+01", value: DateTimeTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:dateTime.tz"},
+		{str: "2013-10-08T10:30:50+01:23", value: DateTimeTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:dateTime.tz"},
+		{str: "2013-10-08T10:30:50+0123", value: DateTimeTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:dateTime.tz"},
+		{str: "2013-10-08T10:30:50-01", value: DateTimeTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:dateTime.tz"},
+		{str: "2013-10-08T10:30:50-01:23", value: DateTimeTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:dateTime.tz"},
+		{str: "2013-10-08T10:30:50-0123", value: DateTimeTest{}, wantUnmarshalErr: true, noMarshal: true, tag: "no:dateTime.tz"},
+
+		// dateTime.tz
+		{str: "2013-10-08T10:30:50", value: DateTimeTzTest{time.Date(2013, 10, 8, 10, 30, 50, 0, localLoc)}, noMarshal: true},
+		{str: "2013-10-08T10:30:50+01", value: DateTimeTzTest{time.Date(2013, 10, 8, 10, 30, 50, 0, time.FixedZone("+01:00", 3600))}, noMarshal: true},
+		{str: "2013-10-08T10:30:50+01:23", value: DateTimeTzTest{time.Date(2013, 10, 8, 10, 30, 50, 0, time.FixedZone("+01:23", 3600+23*60))}},
+		{str: "2013-10-08T10:30:50+0123", value: DateTimeTzTest{time.Date(2013, 10, 8, 10, 30, 50, 0, time.FixedZone("+01:23", 3600+23*60))}, noMarshal: true},
+		{str: "2013-10-08T10:30:50-01", value: DateTimeTzTest{time.Date(2013, 10, 8, 10, 30, 50, 0, time.FixedZone("-01:00", -3600))}, noMarshal: true},
+		{str: "2013-10-08T10:30:50-01:23", value: DateTimeTzTest{time.Date(2013, 10, 8, 10, 30, 50, 0, time.FixedZone("-01:23", -(3600+23*60)))}},
+		{str: "2013-10-08T10:30:50-0123", value: DateTimeTzTest{time.Date(2013, 10, 8, 10, 30, 50, 0, time.FixedZone("-01:23", -(3600+23*60)))}, noMarshal: true},
+
+		// boolean
+		{str: "0", value: BooleanTest(false)},
+		{str: "1", value: BooleanTest(true)},
+		{str: "false", value: BooleanTest(false), noMarshal: true},
+		{str: "true", value: BooleanTest(true), noMarshal: true},
+		{str: "no", value: BooleanTest(false), noMarshal: true},
+		{str: "yes", value: BooleanTest(true), noMarshal: true},
+		{str: "", value: BooleanTest(false), noMarshal: true, wantUnmarshalErr: true},
+		{str: "other", value: BooleanTest(false), noMarshal: true, wantUnmarshalErr: true},
+		{str: "2", value: BooleanTest(false), noMarshal: true, wantUnmarshalErr: true},
+		{str: "-1", value: BooleanTest(false), noMarshal: true, wantUnmarshalErr: true},
+
+		// bin.base64
+		{str: "", value: BinBase64Test{}},
+		{str: "YQ==", value: BinBase64Test("a")},
+		{str: "TG9uZ2VyIFN0cmluZy4=", value: BinBase64Test("Longer String.")},
+		{str: "TG9uZ2VyIEFsaWduZWQu", value: BinBase64Test("Longer Aligned.")},
+
+		// bin.hex
+		{str: "", value: BinHexTest{}},
+		{str: "61", value: BinHexTest("a")},
+		{str: "4c6f6e67657220537472696e672e", value: BinHexTest("Longer String.")},
+		{str: "4C6F6E67657220537472696E672E", value: BinHexTest("Longer String."), noMarshal: true},
+
+		// uri
+		{str: "http://example.com/path", value: URITest{&url.URL{Scheme: "http", Host: "example.com", Path: "/path"}}},
+	}
+
+	// Generate extra test cases from convTests that implement duper.
+	var extras []testCase
+	for i := range tests {
+		if duper, ok := tests[i].value.(duper); ok {
+			dupes := duper.Dupe(tests[i].tag)
+			for _, duped := range dupes {
+				dupedCase := testCase(tests[i])
+				dupedCase.value = duped
+				extras = append(extras, dupedCase)
+			}
+		}
+	}
+	tests = append(tests, extras...)
+
+	for _, test := range tests {
+		if test.noMarshal {
+		} else if resultStr, err := test.value.Marshal(); err != nil && !test.wantMarshalErr {
+			t.Errorf("For %T marshal %v, want %q, got error: %v", test.value, test.value, test.str, err)
+		} else if err == nil && test.wantMarshalErr {
+			t.Errorf("For %T marshal %v, want error, got %q", test.value, test.value, resultStr)
+		} else if err == nil && resultStr != test.str {
+			t.Errorf("For %T marshal %v, want %q, got %q", test.value, test.value, test.str, resultStr)
+		}
+
+		if test.noUnMarshal {
+		} else if resultValue, err := test.value.Unmarshal(test.str); err != nil && !test.wantUnmarshalErr {
+			t.Errorf("For %T unmarshal %q, want %v, got error: %v", test.value, test.str, test.value, err)
+		} else if err == nil && test.wantUnmarshalErr {
+			t.Errorf("For %T unmarshal %q, want error, got %v", test.value, test.str, resultValue)
+		} else if err == nil && !test.value.Equal(resultValue) {
+			t.Errorf("For %T unmarshal %q, want %v, got %v", test.value, test.str, test.value, resultValue)
+		}
+	}
+}
--- a/tempfork/upnp/ssdp/ssdp.go
+++ b/tempfork/upnp/ssdp/ssdp.go
@@ -0,0 +1,102 @@
+package ssdp
+
+import (
+	"errors"
+	"log"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+)
+
+const (
+	ssdpDiscover   = `"ssdp:discover"`
+	ntsAlive       = `ssdp:alive`
+	ntsByebye      = `ssdp:byebye`
+	ntsUpdate      = `ssdp:update`
+	ssdpUDP4Addr   = "239.255.255.250:1900"
+	ssdpSearchPort = 1900
+	methodSearch   = "M-SEARCH"
+	methodNotify   = "NOTIFY"
+
+	// SSDPAll is a value for searchTarget that searches for all devices and services.
+	SSDPAll = "ssdp:all"
+	// UPNPRootDevice is a value for searchTarget that searches for all root devices.
+	UPNPRootDevice = "upnp:rootdevice"
+)
+
+// HTTPUClient is the interface required to perform HTTP-over-UDP requests.
+type HTTPUClient interface {
+	Do(
+		req *http.Request,
+		timeout time.Duration,
+		numSends int,
+	) ([]*http.Response, error)
+}
+
+// SSDPRawSearch performs a fairly raw SSDP search request, and returns the
+// unique response(s) that it receives. Each response has the requested
+// searchTarget, a USN, and a valid location. maxWaitSeconds states how long to
+// wait for responses in seconds, and must be a minimum of 1 (the
+// implementation waits an additional 100ms for responses to arrive), 2 is a
+// reasonable value for this. numSends is the number of requests to send - 3 is
+// a reasonable value for this.
+func SSDPRawSearch(
+	httpu HTTPUClient,
+	searchTarget string,
+	maxWaitSeconds int,
+	numSends int,
+) ([]*http.Response, error) {
+	if maxWaitSeconds < 1 {
+		return nil, errors.New("ssdp: maxWaitSeconds must be >= 1")
+	}
+
+	req := http.Request{
+		Method: methodSearch,
+		// TODO: Support both IPv4 and IPv6.
+		Host: ssdpUDP4Addr,
+		URL:  &url.URL{Opaque: "*"},
+		Header: http.Header{
+			// Putting headers in here avoids them being title-cased.
+			// (The UPnP discovery protocol uses case-sensitive headers)
+			"HOST": []string{ssdpUDP4Addr},
+			"MX":   []string{strconv.FormatInt(int64(maxWaitSeconds), 10)},
+			"MAN":  []string{ssdpDiscover},
+			"ST":   []string{searchTarget},
+		},
+	}
+	allResponses, err := httpu.Do(&req, time.Duration(maxWaitSeconds)*time.Second+100*time.Millisecond, numSends)
+	if err != nil {
+		return nil, err
+	}
+
+	isExactSearch := searchTarget != SSDPAll && searchTarget != UPNPRootDevice
+
+	seenUSNs := make(map[string]bool)
+	var responses []*http.Response
+	for _, response := range allResponses {
+		if response.StatusCode != 200 {
+			log.Printf("ssdp: got response status code %q in search response", response.Status)
+			continue
+		}
+		if st := response.Header.Get("ST"); isExactSearch && st != searchTarget {
+			continue
+		}
+		usn := response.Header.Get("USN")
+		if usn == "" {
+			// Empty/missing USN in search response - using location instead.
+			location, err := response.Location()
+			if err != nil {
+				// No usable location in search response - discard.
+				continue
+			}
+			usn = location.String()
+		}
+		if _, alreadySeen := seenUSNs[usn]; !alreadySeen {
+			seenUSNs[usn] = true
+			responses = append(responses, response)
+		}
+	}
+
+	return responses, nil
+}
--- a/tstest/integration/integration.go
+++ b/tstest/integration/integration.go
@@ -0,0 +1,100 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package integration contains Tailscale integration tests.
+//
+// This package is considered internal and the public API is subject
+// to change without notice.
+package integration
+
+import (
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"tailscale.com/version"
+)
+
+// Binaries are the paths to a tailscaled and tailscale binary.
+// These can be shared by multiple nodes.
+type Binaries struct {
+	Dir    string // temp dir for tailscale & tailscaled
+	Daemon string // tailscaled
+	CLI    string // tailscale
+}
+
+// BuildTestBinaries builds tailscale and tailscaled, failing the test
+// if they fail to compile.
+func BuildTestBinaries(t testing.TB) *Binaries {
+	td := t.TempDir()
+	build(t, td, "tailscale.com/cmd/tailscaled", "tailscale.com/cmd/tailscale")
+	return &Binaries{
+		Dir:    td,
+		Daemon: filepath.Join(td, "tailscaled"+exe()),
+		CLI:    filepath.Join(td, "tailscale"+exe()),
+	}
+}
+
+// buildMu limits our use of "go build" to one at a time, so we don't
+// fight Go's built-in caching trying to do the same build concurrently.
+var buildMu sync.Mutex
+
+func build(t testing.TB, outDir string, targets ...string) {
+	buildMu.Lock()
+	defer buildMu.Unlock()
+
+	t0 := time.Now()
+	defer func() { t.Logf("built %s in %v", targets, time.Since(t0).Round(time.Millisecond)) }()
+
+	goBin := findGo(t)
+	cmd := exec.Command(goBin, "install")
+	if version.IsRace() {
+		cmd.Args = append(cmd.Args, "-race")
+	}
+	cmd.Args = append(cmd.Args, targets...)
+	cmd.Env = append(os.Environ(), "GOARCH="+runtime.GOARCH, "GOBIN="+outDir)
+	errOut, err := cmd.CombinedOutput()
+	if err == nil {
+		return
+	}
+	if strings.Contains(string(errOut), "when GOBIN is set") {
+		// Fallback slow path for cross-compiled binaries.
+		for _, target := range targets {
+			outFile := filepath.Join(outDir, path.Base(target)+exe())
+			cmd := exec.Command(goBin, "build", "-o", outFile, target)
+			cmd.Env = append(os.Environ(), "GOARCH="+runtime.GOARCH)
+			if errOut, err := cmd.CombinedOutput(); err != nil {
+				t.Fatalf("failed to build %v with %v: %v, %s", target, goBin, err, errOut)
+			}
+		}
+		return
+	}
+	t.Fatalf("failed to build %v with %v: %v, %s", targets, goBin, err, errOut)
+}
+
+func findGo(t testing.TB) string {
+	goBin := filepath.Join(runtime.GOROOT(), "bin", "go"+exe())
+	if fi, err := os.Stat(goBin); err != nil {
+		if os.IsNotExist(err) {
+			t.Fatalf("failed to find go at %v", goBin)
+		}
+		t.Fatalf("looking for go binary: %v", err)
+	} else if !fi.Mode().IsRegular() {
+		t.Fatalf("%v is unexpected %v", goBin, fi.Mode())
+	}
+	return goBin
+}
+
+func exe() string {
+	if runtime.GOOS == "windows" {
+		return ".exe"
+	}
+	return ""
+}
--- a/tstest/integration/integration_test.go
+++ b/tstest/integration/integration_test.go
@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Package integration contains Tailscale integration tests.
 package integration

 import (
 	"bytes"
+	"context"
 	crand "crypto/rand"
 	"crypto/tls"
 	"encoding/json"
@@ -21,7 +21,6 @@ import (
 	"net/http/httptest"
 	"os"
 	"os/exec"
-	"path"
 	"path/filepath"
 	"regexp"
 	"runtime"
@@ -44,14 +43,17 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/nettype"
-	"tailscale.com/version"
 )

-var verbose = flag.Bool("verbose", false, "verbose debug logs")
+var (
+	verboseLogCatcher = flag.Bool("verbose-log-catcher", false, "verbose log catcher logging")
+	verboseTailscaled = flag.Bool("verbose-tailscaled", false, "verbose tailscaled logging")
+)

 var mainError atomic.Value // of error

 func TestMain(m *testing.M) {
+	flag.Parse()
 	v := m.Run()
 	if v != 0 {
 		os.Exit(v)
@@ -65,7 +67,7 @@ func TestMain(m *testing.M) {

 func TestOneNodeUp_NoAuth(t *testing.T) {
 	t.Parallel()
-	bins := buildTestBinaries(t)
+	bins := BuildTestBinaries(t)

 	env := newTestEnv(t, bins)
 	defer env.Close()
@@ -107,7 +109,7 @@ func TestOneNodeUp_NoAuth(t *testing.T) {

 func TestOneNodeUp_Auth(t *testing.T) {
 	t.Parallel()
-	bins := buildTestBinaries(t)
+	bins := BuildTestBinaries(t)

 	env := newTestEnv(t, bins)
 	defer env.Close()
@@ -154,7 +156,7 @@ func TestOneNodeUp_Auth(t *testing.T) {

 func TestTwoNodes(t *testing.T) {
 	t.Parallel()
-	bins := buildTestBinaries(t)
+	bins := BuildTestBinaries(t)

 	env := newTestEnv(t, bins)
 	defer env.Close()
@@ -196,23 +198,85 @@ func TestTwoNodes(t *testing.T) {
 	d2.MustCleanShutdown(t)
 }

-// testBinaries are the paths to a tailscaled and tailscale binary.
-// These can be shared by multiple nodes.
-type testBinaries struct {
-	dir    string // temp dir for tailscale & tailscaled
-	daemon string // tailscaled
-	cli    string // tailscale
+func TestNodeAddressIPFields(t *testing.T) {
+	t.Parallel()
+	bins := BuildTestBinaries(t)
+
+	env := newTestEnv(t, bins)
+	defer env.Close()
+
+	n1 := newTestNode(t, env)
+	d1 := n1.StartDaemon(t)
+	defer d1.Kill()
+
+	n1.AwaitListening(t)
+	n1.MustUp()
+	n1.AwaitRunning(t)
+
+	testNodes := env.Control.AllNodes()
+
+	if len(testNodes) != 1 {
+		t.Errorf("Expected %d nodes, got %d", 1, len(testNodes))
+	}
+	node := testNodes[0]
+	if len(node.Addresses) == 0 {
+		t.Errorf("Empty Addresses field in node")
+	}
+	if len(node.AllowedIPs) == 0 {
+		t.Errorf("Empty AllowedIPs field in node")
+	}
+
+	d1.MustCleanShutdown(t)
 }

-// buildTestBinaries builds tailscale and tailscaled, failing the test
-// if they fail to compile.
-func buildTestBinaries(t testing.TB) *testBinaries {
-	td := t.TempDir()
-	build(t, td, "tailscale.com/cmd/tailscaled", "tailscale.com/cmd/tailscale")
-	return &testBinaries{
-		dir:    td,
-		daemon: filepath.Join(td, "tailscaled"+exe()),
-		cli:    filepath.Join(td, "tailscale"+exe()),
+func TestAddPingRequest(t *testing.T) {
+	t.Parallel()
+	bins := BuildTestBinaries(t)
+
+	env := newTestEnv(t, bins)
+	defer env.Close()
+
+	n1 := newTestNode(t, env)
+	d1 := n1.StartDaemon(t)
+	defer d1.Kill()
+
+	n1.AwaitListening(t)
+	n1.MustUp()
+	n1.AwaitRunning(t)
+
+	gotPing := make(chan bool, 1)
+	waitPing := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotPing <- true
+	}))
+	defer waitPing.Close()
+
+	nodes := env.Control.AllNodes()
+	if len(nodes) != 1 {
+		t.Fatalf("expected 1 node, got %d nodes", len(nodes))
+	}
+
+	nodeKey := nodes[0].Key
+	for i := 0; i < 10; i++ {
+		t.Logf("ping %v ...", i)
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		if err := env.Control.AwaitNodeInMapRequest(ctx, nodeKey); err != nil {
+			t.Fatal(err)
+		}
+		cancel()
+		pr := &tailcfg.PingRequest{URL: fmt.Sprintf("%s/ping-%d", waitPing.URL, i), Log: true}
+		ok := env.Control.AddPingRequest(nodeKey, pr)
+		if !ok {
+			t.Fatalf("no node found with NodeKey %v in AddPingRequest", nodeKey)
+		}
+
+		// Wait for PingRequest to come back
+		pingTimeout := time.NewTimer(2 * time.Second)
+		select {
+		case <-gotPing:
+			pingTimeout.Stop()
+		case <-pingTimeout.C:
+			t.Fatal("didn't get PingRequest from tailscaled")
+		}
 	}
 }

@@ -220,7 +284,7 @@ func buildTestBinaries(t testing.TB) *testBinaries {
 // or more nodes.
 type testEnv struct {
 	t        testing.TB
-	Binaries *testBinaries
+	Binaries *Binaries

 	LogCatcher       *logCatcher
 	LogCatcherServer *httptest.Server
@@ -238,7 +302,7 @@ type testEnv struct {
 // environment.
 //
 // Call Close to shut everything down.
-func newTestEnv(t testing.TB, bins *testBinaries) *testEnv {
+func newTestEnv(t testing.TB, bins *Binaries) *testEnv {
 	if runtime.GOOS == "windows" {
 		t.Skip("not tested/working on Windows yet")
 	}
@@ -321,7 +385,7 @@ func (d *Daemon) MustCleanShutdown(t testing.TB) {
 // StartDaemon starts the node's tailscaled, failing if it fails to
 // start.
 func (n *testNode) StartDaemon(t testing.TB) *Daemon {
-	cmd := exec.Command(n.env.Binaries.daemon,
+	cmd := exec.Command(n.env.Binaries.Daemon,
 		"--tun=userspace-networking",
 		"--state="+n.stateFile,
 		"--socket="+n.sockFile,
@@ -331,6 +395,10 @@ func (n *testNode) StartDaemon(t testing.TB) *Daemon {
 		"HTTP_PROXY="+n.env.TrafficTrapServer.URL,
 		"HTTPS_PROXY="+n.env.TrafficTrapServer.URL,
 	)
+	if *verboseTailscaled {
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stdout
+	}
 	if err := cmd.Start(); err != nil {
 		t.Fatalf("starting tailscaled: %v", err)
 	}
@@ -399,7 +467,7 @@ func (n *testNode) AwaitRunning(t testing.TB) {
 // Tailscale returns a command that runs the tailscale CLI with the provided arguments.
 // It does not start the process.
 func (n *testNode) Tailscale(arg ...string) *exec.Cmd {
-	cmd := exec.Command(n.env.Binaries.cli, "--socket="+n.sockFile)
+	cmd := exec.Command(n.env.Binaries.CLI, "--socket="+n.sockFile)
 	cmd.Args = append(cmd.Args, arg...)
 	cmd.Dir = n.dir
 	return cmd
@@ -426,63 +494,6 @@ func (n *testNode) MustStatus(tb testing.TB) *ipnstate.Status {
 	return st
 }

-func exe() string {
-	if runtime.GOOS == "windows" {
-		return ".exe"
-	}
-	return ""
-}
-
-func findGo(t testing.TB) string {
-	goBin := filepath.Join(runtime.GOROOT(), "bin", "go"+exe())
-	if fi, err := os.Stat(goBin); err != nil {
-		if os.IsNotExist(err) {
-			t.Fatalf("failed to find go at %v", goBin)
-		}
-		t.Fatalf("looking for go binary: %v", err)
-	} else if !fi.Mode().IsRegular() {
-		t.Fatalf("%v is unexpected %v", goBin, fi.Mode())
-	}
-	return goBin
-}
-
-// buildMu limits our use of "go build" to one at a time, so we don't
-// fight Go's built-in caching trying to do the same build concurrently.
-var buildMu sync.Mutex
-
-func build(t testing.TB, outDir string, targets ...string) {
-	buildMu.Lock()
-	defer buildMu.Unlock()
-
-	t0 := time.Now()
-	defer func() { t.Logf("built %s in %v", targets, time.Since(t0).Round(time.Millisecond)) }()
-
-	goBin := findGo(t)
-	cmd := exec.Command(goBin, "install")
-	if version.IsRace() {
-		cmd.Args = append(cmd.Args, "-race")
-	}
-	cmd.Args = append(cmd.Args, targets...)
-	cmd.Env = append(os.Environ(), "GOARCH="+runtime.GOARCH, "GOBIN="+outDir)
-	errOut, err := cmd.CombinedOutput()
-	if err == nil {
-		return
-	}
-	if strings.Contains(string(errOut), "when GOBIN is set") {
-		// Fallback slow path for cross-compiled binaries.
-		for _, target := range targets {
-			outFile := filepath.Join(outDir, path.Base(target)+exe())
-			cmd := exec.Command(goBin, "build", "-o", outFile, target)
-			cmd.Env = append(os.Environ(), "GOARCH="+runtime.GOARCH)
-			if errOut, err := cmd.CombinedOutput(); err != nil {
-				t.Fatalf("failed to build %v with %v: %v, %s", target, goBin, err, errOut)
-			}
-		}
-		return
-	}
-	t.Fatalf("failed to build %v with %v: %v, %s", targets, goBin, err, errOut)
-}
-
 // logCatcher is a minimal logcatcher for the logtail upload client.
 type logCatcher struct {
 	mu     sync.Mutex
@@ -553,7 +564,7 @@ func (lc *logCatcher) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	} else {
 		for _, ent := range jreq {
 			fmt.Fprintf(&lc.buf, "%s\n", strings.TrimSpace(ent.Text))
-			if *verbose {
+			if *verboseLogCatcher {
 				fmt.Fprintf(os.Stderr, "%s\n", strings.TrimSpace(ent.Text))
 			}
 		}
--- a/tstest/integration/testcontrol/testcontrol.go
+++ b/tstest/integration/testcontrol/testcontrol.go
@@ -7,6 +7,7 @@ package testcontrol

 import (
 	"bytes"
+	"context"
 	crand "crypto/rand"
 	"encoding/binary"
 	"encoding/json"
@@ -46,6 +47,7 @@ type Server struct {
 	mux         *http.ServeMux

 	mu            sync.Mutex
+	cond          *sync.Cond // lazily initialized by condLocked
 	pubKey        wgkey.Key
 	privKey       wgkey.Private
 	nodes         map[tailcfg.NodeKey]*tailcfg.Node
@@ -54,6 +56,79 @@ type Server struct {
 	updates       map[tailcfg.NodeID]chan updateType
 	authPath      map[string]*AuthPath
 	nodeKeyAuthed map[tailcfg.NodeKey]bool // key => true once authenticated
+	pingReqsToAdd map[tailcfg.NodeKey]*tailcfg.PingRequest
+}
+
+// NumNodes returns the number of nodes in the testcontrol server.
+//
+// This is useful when connecting a bunch of virtual machines to a testcontrol
+// server to see how many of them connected successfully.
+func (s *Server) NumNodes() int {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	return len(s.nodes)
+}
+
+// condLocked lazily initializes and returns s.cond.
+// s.mu must be held.
+func (s *Server) condLocked() *sync.Cond {
+	if s.cond == nil {
+		s.cond = sync.NewCond(&s.mu)
+	}
+	return s.cond
+}
+
+// AwaitNodeInMapRequest waits for node k to be stuck in a map poll.
+// It returns an error if and only if the context is done first.
+func (s *Server) AwaitNodeInMapRequest(ctx context.Context, k tailcfg.NodeKey) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	cond := s.condLocked()
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-done:
+		case <-ctx.Done():
+			cond.Broadcast()
+		}
+	}()
+
+	for {
+		node := s.nodeLocked(k)
+		if node == nil {
+			return errors.New("unknown node key")
+		}
+		if _, ok := s.updates[node.ID]; ok {
+			return nil
+		}
+		cond.Wait()
+		if err := ctx.Err(); err != nil {
+			return err
+		}
+	}
+}
+
+// AddPingRequest sends the ping pr to nodeKeyDst. It reports whether it did so. That is,
+// it reports whether nodeKeyDst was connected.
+func (s *Server) AddPingRequest(nodeKeyDst tailcfg.NodeKey, pr *tailcfg.PingRequest) bool {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.pingReqsToAdd == nil {
+		s.pingReqsToAdd = map[tailcfg.NodeKey]*tailcfg.PingRequest{}
+	}
+	// Now send the update to the channel
+	node := s.nodeLocked(nodeKeyDst)
+	if node == nil {
+		return false
+	}
+
+	s.pingReqsToAdd[nodeKeyDst] = pr
+	nodeID := node.ID
+	oldUpdatesCh := s.updates[nodeID]
+	return sendUpdate(oldUpdatesCh, updateDebugInjection)
 }

 type AuthPath struct {
@@ -165,6 +240,13 @@ func (s *Server) serveMachine(w http.ResponseWriter, r *http.Request) {
 func (s *Server) Node(nodeKey tailcfg.NodeKey) *tailcfg.Node {
 	s.mu.Lock()
 	defer s.mu.Unlock()
+	return s.nodeLocked(nodeKey)
+}
+
+// nodeLocked returns the node for nodeKey. It's always nil or cloned memory.
+//
+// s.mu must be held.
+func (s *Server) nodeLocked(nodeKey tailcfg.NodeKey) *tailcfg.Node {
 	return s.nodes[nodeKey].Clone()
 }

@@ -307,6 +389,10 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey tail

 	machineAuthorized := true // TODO: add Server.RequireMachineAuth

+	allowedIPs := []netaddr.IPPrefix{
+		netaddr.MustParseIPPrefix(fmt.Sprintf("100.64.%d.%d/32", uint8(tailcfg.NodeID(user.ID)>>8), uint8(tailcfg.NodeID(user.ID)))),
+	}
+
 	s.nodes[req.NodeKey] = &tailcfg.Node{
 		ID:                tailcfg.NodeID(user.ID),
 		StableID:          tailcfg.StableNodeID(fmt.Sprintf("TESTCTRL%08x", int(user.ID))),
@@ -314,6 +400,8 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey tail
 		Machine:           mkey,
 		Key:               req.NodeKey,
 		MachineAuthorized: machineAuthorized,
+		Addresses:         allowedIPs,
+		AllowedIPs:        allowedIPs,
 	}
 	requireAuth := s.RequireAuth
 	if requireAuth && s.nodeKeyAuthed[req.NodeKey] {
@@ -356,6 +444,9 @@ const (
 	// via a lite endpoint update. These ones are never dup-suppressed,
 	// as the client is expecting an answer regardless.
 	updateSelfChanged
+
+	// updateDebugInjection is an update used for PingRequests
+	updateDebugInjection
 )

 func (s *Server) updateLocked(source string, peers []tailcfg.NodeID) {
@@ -365,17 +456,19 @@ func (s *Server) updateLocked(source string, peers []tailcfg.NodeID) {
 }

 // sendUpdate sends updateType to dst if dst is non-nil and
-// has capacity.
-func sendUpdate(dst chan<- updateType, updateType updateType) {
+// has capacity. It reports whether a value was sent.
+func sendUpdate(dst chan<- updateType, updateType updateType) bool {
 	if dst == nil {
-		return
+		return false
 	}
 	// The dst channel has a buffer size of 1.
 	// If we fail to insert an update into the buffer that
 	// means there is already an update pending.
 	select {
 	case dst <- updateType:
+		return true
 	default:
+		return false
 	}
 }

@@ -440,6 +533,7 @@ func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey tailcfg.M
 		sendUpdate(oldUpdatesCh, updateSelfChanged)
 	}
 	s.updateLocked("serveMap", peersToUpdate)
+	s.condLocked().Broadcast()
 	s.mu.Unlock()

 	// ReadOnly implies no streaming, as it doesn't
@@ -537,6 +631,14 @@ func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse,
 		netaddr.MustParseIPPrefix(fmt.Sprintf("100.64.%d.%d/32", uint8(node.ID>>8), uint8(node.ID))),
 	}
 	res.Node.AllowedIPs = res.Node.Addresses
+
+	// Consume the PingRequest while protected by mutex if it exists
+	s.mu.Lock()
+	if pr, ok := s.pingReqsToAdd[node.Key]; ok {
+		res.PingRequest = pr
+		delete(s.pingReqsToAdd, node.Key)
+	}
+	s.mu.Unlock()
 	return res, nil
 }

--- a/tstest/integration/vms/README.md
+++ b/tstest/integration/vms/README.md
@@ -0,0 +1,98 @@
+# End-to-End VM-based Integration Testing
+
+This test spins up a bunch of common linux distributions and then tries to get
+them to connect to a
+[`testcontrol`](https://pkg.go.dev/tailscale.com/tstest/integration/testcontrol)
+server.
+
+## Running
+
+This test currently only runs on Linux.
+
+This test depends on the following command line tools:
+
+- [qemu](https://www.qemu.org/)
+- [cdrkit](https://en.wikipedia.org/wiki/Cdrkit)
+- [openssh](https://www.openssh.com/)
+
+This test also requires the following:
+
+- about 10 GB of temporary storage
+- about 10 GB of cached VM images
+- at least 4 GB of ram for virtual machines
+- hardware virtualization support
+  ([KVM](https://www.linux-kvm.org/page/Main_Page)) enabled in the BIOS
+- the `kvm` module to be loaded (`modprobe kvm`)
+- the user running these tests must have access to `/dev/kvm` (being in the
+  `kvm` group should suffice)
+
+This optionally requires an AWS profile to be configured at the [default
+path](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).
+The S3 bucket is set so that the requester pays. Please keep this in mind when
+running these tests on your machine. If you are uncomfortable with the cost from
+downloading from S3, you should pass the `-no-s3` flag to disable downloads from
+S3. However keep in mind that some distributions do not use stable URLs for each
+individual image artifact, so there may be spurious test failures as a result.
+
+If you are using [Nix](https://nixos.org), you can run all of the tests with the
+correct command line tools using this command:
+
+```console
+$ nix-shell -p openssh -p go -p qemu -p cdrkit --run "go test . --run-vm-tests --v --timeout 30m"
+```
+
+Keep the timeout high for the first run, especially if you are not downloading
+VM images from S3. The mirrors we pull images from have download rate limits and
+will take a while to download.
+
+Because of the hardware requirements of this test, this test will not run
+without the `--run-vm-tests` flag set.
+
+## Other Fun Flags
+
+This test's behavior is customized with command line flags.
+
+### Don't Download Images From S3
+
+If you pass the `-no-s3` flag to `go test`, the S3 step will be skipped in favor
+of downloading the images directly from upstream sources, which may cause the
+test to fail in odd places.
+
+### Distribution Picking
+
+This test runs on a large number of distributions. By default it tries to run
+everything, which may or may not be ideal for you. If you only want to test a
+subset of distributions, you can use the `--distro-regex` flag to match a subset
+of distributions using a [regular expression](https://golang.org/pkg/regexp/)
+such as like this:
+
+```console
+$ go test -run-vm-tests -distro-regex centos
+```
+
+This would run all tests on all versions of CentOS.
+
+```console
+$ go test -run-vm-tests -distro-regex '(debian|ubuntu)'
+```
+
+This would run all tests on all versions of Debian and Ubuntu.
+
+### Ram Limiting
+
+This test uses a lot of memory. In order to avoid making machines run out of
+memory running this test, a semaphore is used to limit how many megabytes of ram
+are being used at once. By default this semaphore is set to 4096 MB of ram
+(about 4 gigabytes). You can customize this with the `--ram-limit` flag:
+
+```console
+$ go test --run-vm-tests --ram-limit 2048
+$ go test --run-vm-tests --ram-limit 65536
+```
+
+The first example will set the limit to 2048 MB of ram (about 2 gigabytes). The
+second example will set the limit to 65536 MB of ram (about 65 gigabytes).
+Please be careful with this flag, improper usage of it is known to cause the
+Linux out-of-memory killer to engage. Try to keep it within 50-75% of your
+machine's available ram (there is some overhead involved with the
+virtualization) to be on the safe side.
--- a/tstest/integration/vms/doc.go
+++ b/tstest/integration/vms/doc.go
@@ -0,0 +1,7 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package vms does VM-based integration/functional tests by using
+// qemu and a bank of pre-made VM images.
+package vms
--- a/Show More
+++ b/Show More