VERSION.txt: this is v1.8.7

Signed-off-by: David Anderson <danderson@tailscale.com>
cmd/tailscale/web: restrict web access to synology admins.
2021-06-07 13:05:30 -07:00 · 2021-06-04 10:21:56 +05:00 · 2021-06-03 09:48:45 -07:00 · 2021-06-03 09:48:09 -07:00 · 2021-05-27 15:07:12 -07:00 · 2021-05-27 11:04:40 -07:00
109 changed files with 1417 additions and 2999 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -2,7 +2,36 @@
 name: Bug report
 about: Create a bug report
 title: ''
-labels: 'needs-triage'
+labels: ''
 assignees: ''

 ---
+
+<!-- Please note, this template is for definite bugs, not requests for
+support. If you need help with Tailscale, please email
+support@tailscale.com. We don't provide support via Github issues. -->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Version information:**
+ - Device: [e.g. iPhone X, laptop]
+ - OS: [e.g. Windows, MacOS]
+ - OS version: [e.g. Windows 10, Ubuntu 18.04]
+ - Tailscale version: [e.g. 0.95-0]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -2,6 +2,25 @@
 name: Feature request
 about: Suggest an idea for this project
 title: ''
-labels: 'needs-triage'
+labels: ''
 assignees: ''
+
 ---
+
+**Is your feature request related to a problem? Please describe.**
+
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+
+A clear and concise description of any alternative solutions or
+features you've considered.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.9.0
+1.8.7
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -112,13 +112,13 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 		return ""
 	}
 	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.IP().Is4() && nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
+		if nodeIP.IP.Is4() && nodeIP.IsSingleIP() {
+			return nodeIP.IP.String()
 		}
 	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
+			return nodeIP.IP.String()
 		}
 	}
 	return ""
--- a/cmd/tailscaled/cli/bugreport.go
+++ b/cmd/tailscaled/cli/bugreport.go
--- a/cmd/tailscaled/cli/cli.go
+++ b/cmd/tailscaled/cli/cli.go
--- a/cmd/tailscaled/cli/cli_test.go
+++ b/cmd/tailscaled/cli/cli_test.go
@@ -506,7 +506,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			args: upArgsT{
 				exitNodeIP: "foo",
 			},
-			wantErr: `invalid IP address "foo" for --exit-node: ParseIP("foo"): unable to parse IP`,
+			wantErr: `invalid IP address "foo" for --exit-node: unable to parse IP`,
 		},
 		{
 			name: "error_exit_node_allow_lan_without_exit_node",
--- a/cmd/tailscaled/cli/debug.go
+++ b/cmd/tailscaled/cli/debug.go
--- a/cmd/tailscaled/cli/down.go
+++ b/cmd/tailscaled/cli/down.go
--- a/cmd/tailscaled/cli/file.go
+++ b/cmd/tailscaled/cli/file.go
@@ -194,7 +194,7 @@ func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, lastSe
 	for _, ft := range fts {
 		n := ft.Node
 		for _, a := range n.Addresses {
-			if a.IP() != ip {
+			if a.IP != ip {
 				continue
 			}
 			if n.LastSeen != nil {
@@ -301,7 +301,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 		if detail != "" {
 			detail = "\t" + detail
 		}
-		fmt.Printf("%s\t%s%s\n", n.Addresses[0].IP(), n.ComputedName, detail)
+		fmt.Printf("%s\t%s%s\n", n.Addresses[0].IP, n.ComputedName, detail)
 	}
 	return nil
 }
--- a/cmd/tailscaled/cli/ip.go
+++ b/cmd/tailscaled/cli/ip.go
--- a/cmd/tailscaled/cli/logout.go
+++ b/cmd/tailscaled/cli/logout.go
--- a/cmd/tailscaled/cli/netcheck.go
+++ b/cmd/tailscaled/cli/netcheck.go
--- a/cmd/tailscaled/cli/ping.go
+++ b/cmd/tailscaled/cli/ping.go
@@ -139,9 +139,6 @@ func runPing(ctx context.Context, args []string) error {
 			if !anyPong {
 				return errors.New("no reply")
 			}
-			if pingArgs.untilDirect {
-				return errors.New("direct connection not established")
-			}
 			return nil
 		}
 	}
--- a/cmd/tailscaled/cli/status.go
+++ b/cmd/tailscaled/cli/status.go
--- a/cmd/tailscaled/cli/up.go
+++ b/cmd/tailscaled/cli/up.go
@@ -164,10 +164,10 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		routes = append(routes, r)
 	}
 	sort.Slice(routes, func(i, j int) bool {
-		if routes[i].Bits() != routes[j].Bits() {
-			return routes[i].Bits() < routes[j].Bits()
+		if routes[i].Bits != routes[j].Bits {
+			return routes[i].Bits < routes[j].Bits
 		}
-		return routes[i].IP().Less(routes[j].IP())
+		return routes[i].IP.Less(routes[j].IP)
 	})

 	var exitNodeIP netaddr.IP
@@ -230,7 +230,9 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 		case "off":
 			prefs.NetfilterMode = preftype.NetfilterOff
-			warnf("netfilter=off; configure iptables yourself.")
+			if defaultNetfilterMode() != "off" {
+				warnf("netfilter=off; configure iptables yourself.")
+			}
 		default:
 			return nil, fmt.Errorf("invalid value --netfilter-mode=%q", upArgs.netfilterMode)
 		}
@@ -266,7 +268,7 @@ func runUp(ctx context.Context, args []string) error {
 	}

 	if distro.Get() == distro.Synology {
-		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
+		notSupported := "not supported on Synology; see https://github.com/tailscale/tailscale/issues/1995"
 		if upArgs.acceptRoutes {
 			return errors.New("--accept-routes is " + notSupported)
 		}
@@ -723,10 +725,10 @@ func fmtFlagValueArg(flagName string, val interface{}) string {
 func hasExitNodeRoutes(rr []netaddr.IPPrefix) bool {
 	var v4, v6 bool
 	for _, r := range rr {
-		if r.Bits() == 0 {
-			if r.IP().Is4() {
+		if r.Bits == 0 {
+			if r.IP.Is4() {
 				v4 = true
-			} else if r.IP().Is6() {
+			} else if r.IP.Is6() {
 				v6 = true
 			}
 		}
@@ -743,7 +745,7 @@ func withoutExitNodes(rr []netaddr.IPPrefix) []netaddr.IPPrefix {
 	}
 	var out []netaddr.IPPrefix
 	for _, r := range rr {
-		if r.Bits() > 0 {
+		if r.Bits > 0 {
 			out = append(out, r)
 		}
 	}
--- a/cmd/tailscaled/cli/version.go
+++ b/cmd/tailscaled/cli/version.go
--- a/cmd/tailscaled/cli/web.css
+++ b/cmd/tailscaled/cli/web.css
--- a/cmd/tailscaled/cli/web.go
+++ b/cmd/tailscaled/cli/web.go
@@ -5,6 +5,7 @@
 package cli

 import (
+	"bufio"
 	"bytes"
 	"context"
 	_ "embed"
@@ -15,11 +16,13 @@ import (
 	"log"
 	"net/http"
 	"net/http/cgi"
+	"os"
 	"os/exec"
 	"runtime"
 	"strings"

 	"github.com/peterbourgon/ff/v2/ffcli"
+	"go4.org/mem"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
@@ -82,17 +85,63 @@ func runWeb(ctx context.Context, args []string) error {
 	return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
 }

-func auth() (string, error) {
+// authorize checks whether the provided user has access to the web UI.
+func authorize(name string) error {
 	if distro.Get() == distro.Synology {
-		cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-		out, err := cmd.CombinedOutput()
-		if err != nil {
-			return "", fmt.Errorf("auth: %v: %s", err, out)
-		}
-		return string(out), nil
+		return authorizeSynology(name)
 	}
+	return nil
+}

-	return "", nil
+// authorizeSynology checks whether the provided user has access to the web UI
+// by consulting the membership of the "administrators" group.
+func authorizeSynology(name string) error {
+	f, err := os.Open("/etc/group")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	s := bufio.NewScanner(f)
+	var agLine string
+	for s.Scan() {
+		if !mem.HasPrefix(mem.B(s.Bytes()), mem.S("administrators:")) {
+			continue
+		}
+		agLine = s.Text()
+		break
+	}
+	if err := s.Err(); err != nil {
+		return err
+	}
+	if agLine == "" {
+		return fmt.Errorf("admin group not defined")
+	}
+	agEntry := strings.Split(agLine, ":")
+	if len(agEntry) < 4 {
+		return fmt.Errorf("malformed admin group entry")
+	}
+	agMembers := agEntry[3]
+	for _, m := range strings.Split(agMembers, ",") {
+		if m == name {
+			return nil
+		}
+	}
+	return fmt.Errorf("not a member of administrators group")
+}
+
+// authenticate returns the name of the user accessing the web UI.
+// Note: This is different from a tailscale user, and is typically the local
+// user on the node.
+func authenticate() (string, error) {
+	if distro.Get() != distro.Synology {
+		return "", nil
+	}
+	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("auth: %v: %s", err, out)
+	}
+	return strings.TrimSpace(string(out)), nil
 }

 func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
@@ -198,8 +247,13 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := auth()
+	user, err := authenticate()
 	if err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return
+	}
+
+	if err := authorize(user); err != nil {
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -214,7 +268,8 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		url, err := tailscaleUpForceReauth(r.Context())
 		if err != nil {
-			json.NewEncoder(w).Encode(mi{"error": err})
+			w.WriteHeader(500)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
 		json.NewEncoder(w).Encode(mi{"url": url})
@@ -320,6 +375,10 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 	})
 	bc.StartLoginInteractive()

+	<-pumpCtx.Done() // wait for authURL or complete failure
+	if authURL == "" && retErr == nil {
+		retErr = pumpCtx.Err()
+	}
 	if authURL == "" && retErr == nil {
 		return "", fmt.Errorf("login failed with no backend error message")
 	}
--- a/cmd/tailscaled/cli/web.html
+++ b/cmd/tailscaled/cli/web.html
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -55,7 +55,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
   L    tailscale.com/util/lineread                                  from tailscale.com/net/interfaces
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
--- a/cmd/tailscaled/tailscale.go
+++ b/cmd/tailscaled/tailscale.go
@@ -4,7 +4,7 @@

 // The tailscale command is the Tailscale command-line client. It interacts
 // with the tailscaled node agent.
-package main // import "tailscale.com/cmd/tailscaled"
+package main // import "tailscale.com/cmd/tailscale"

 import (
 	"fmt"
@@ -12,10 +12,10 @@ import (
 	"path/filepath"
 	"strings"

-	"tailscale.com/cmd/tailscaled/cli"
+	"tailscale.com/cmd/tailscale/cli"
 )

-func tailscale_main() {
+func main() {
 	args := os.Args[1:]
 	if name, _ := os.Executable(); strings.HasSuffix(filepath.Base(name), ".cgi") {
 		args = []string{"web", "-cgi"}
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -78,7 +78,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/disco                                          from tailscale.com/derp+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
-        tailscale.com/internal/deephash                              from tailscale.com/ipn/ipnlocal+
+        tailscale.com/internal/deepprint                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn                                            from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
--- a/cmd/tailscaled/main.go
+++ b/cmd/tailscaled/main.go
@@ -1,16 +0,0 @@
-package main
-
-import (
-	"os"
-	"strings"
-)
-
-func main() {
-	if strings.HasSuffix(os.Args[0], "tailscaled") {
-		tailscaled_main()
-	} else if strings.HasSuffix(os.Args[0], "tailscale") {
-		tailscale_main()
-	} else {
-		panic(os.Args[0])
-	}
-}
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -101,7 +101,7 @@ var subCommands = map[string]*func([]string) error{
 	"debug":                   &debugModeFunc,
 }

-func tailscaled_main() {
+func main() {
 	// We aren't very performance sensitive, and the parts that are
 	// performance sensitive (wireguard) try hard not to do any memory
 	// allocations. So let's be aggressive about garbage collection,
@@ -266,7 +266,7 @@ func run() error {
 			if err != nil {
 				return nil, err
 			}
-			if ns != nil && useNetstackForIP(ipp.IP()) {
+			if ns != nil && useNetstackForIP(ipp.IP) {
 				return ns.DialContextTCP(ctx, addr)
 			}
 			var d net.Dialer
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -576,9 +576,12 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	c.logf("[v1] sendStatus: %s: %v", who, state)

 	var p *persist.Persist
-	var fin *empty.Message
+	var loginFin, logoutFin *empty.Message
 	if state == StateAuthenticated {
-		fin = new(empty.Message)
+		loginFin = new(empty.Message)
+	}
+	if state == StateNotAuthenticated {
+		logoutFin = new(empty.Message)
 	}
 	if nm != nil && loggedIn && synced {
 		pp := c.direct.GetPersist()
@@ -589,12 +592,13 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		nm = nil
 	}
 	new := Status{
-		LoginFinished: fin,
-		URL:           url,
-		Persist:       p,
-		NetMap:        nm,
-		Hostinfo:      hi,
-		State:         state,
+		LoginFinished:  loginFin,
+		LogoutFinished: logoutFin,
+		URL:            url,
+		Persist:        p,
+		NetMap:         nm,
+		Hostinfo:       hi,
+		State:          state,
 	}
 	if err != nil {
 		new.Err = err.Error()
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {

 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
+	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -1091,7 +1091,7 @@ func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool
 	localIPs := map[netaddr.IP]bool{}
 	for _, addrs := range state.InterfaceIPs {
 		for _, pfx := range addrs {
-			localIPs[pfx.IP()] = true
+			localIPs[pfx.IP] = true
 		}
 	}

@@ -1100,10 +1100,10 @@ func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool
 		// It's possible to advertise a route to one of the local
 		// machine's local IPs. IP forwarding isn't required for this
 		// to work, so we shouldn't warn for such exports.
-		if r.IsSingleIP() && localIPs[r.IP()] {
+		if r.IsSingleIP() && localIPs[r.IP] {
 			continue
 		}
-		if r.IP().Is4() {
+		if r.IP.Is4() {
 			v4Routes = true
 		} else {
 			v6Routes = true
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -86,7 +86,7 @@ func TestNewDirect(t *testing.T) {
 func fakeEndpoints(ports ...uint16) (ret []tailcfg.Endpoint) {
 	for _, port := range ports {
 		ret = append(ret, tailcfg.Endpoint{
-			Addr: netaddr.IPPortFrom(netaddr.IP{}, port),
+			Addr: netaddr.IPPort{Port: port},
 		})
 	}
 	return
--- a/control/controlclient/status.go
+++ b/control/controlclient/status.go
@@ -64,11 +64,12 @@ func (s State) String() string {
 }

 type Status struct {
-	_             structs.Incomparable
-	LoginFinished *empty.Message // nonempty when login finishes
-	Err           string
-	URL           string             // interactive URL to visit to finish logging in
-	NetMap        *netmap.NetworkMap // server-pushed configuration
+	_              structs.Incomparable
+	LoginFinished  *empty.Message // nonempty when login finishes
+	LogoutFinished *empty.Message // nonempty when logout finishes
+	Err            string
+	URL            string             // interactive URL to visit to finish logging in
+	NetMap         *netmap.NetworkMap // server-pushed configuration

 	// The internal state should not be exposed outside this
 	// package, but we have some automated tests elsewhere that need to
@@ -86,6 +87,7 @@ func (s *Status) Equal(s2 *Status) bool {
 	}
 	return s != nil && s2 != nil &&
 		(s.LoginFinished == nil) == (s2.LoginFinished == nil) &&
+		(s.LogoutFinished == nil) == (s2.LogoutFinished == nil) &&
 		s.Err == s2.Err &&
 		s.URL == s2.URL &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -147,9 +147,9 @@ const epLength = 16 + 2 // 16 byte IP address + 2 byte port
 func (m *CallMeMaybe) AppendMarshal(b []byte) []byte {
 	ret, p := appendMsgHeader(b, TypeCallMeMaybe, v0, epLength*len(m.MyNumber))
 	for _, ipp := range m.MyNumber {
-		a := ipp.IP().As16()
+		a := ipp.IP.As16()
 		copy(p[:], a[:])
-		binary.BigEndian.PutUint16(p[16:], ipp.Port())
+		binary.BigEndian.PutUint16(p[16:], ipp.Port)
 		p = p[epLength:]
 	}
 	return ret
@@ -164,9 +164,10 @@ func parseCallMeMaybe(ver uint8, p []byte) (m *CallMeMaybe, err error) {
 	for len(p) > 0 {
 		var a [16]byte
 		copy(a[:], p)
-		m.MyNumber = append(m.MyNumber, netaddr.IPPortFrom(
-			netaddr.IPFrom16(a),
-			binary.BigEndian.Uint16(p[16:18])))
+		m.MyNumber = append(m.MyNumber, netaddr.IPPort{
+			IP:   netaddr.IPFrom16(a),
+			Port: binary.BigEndian.Uint16(p[16:18]),
+		})
 		p = p[epLength:]
 	}
 	return m, nil
@@ -186,9 +187,9 @@ const pongLen = 12 + 16 + 2
 func (m *Pong) AppendMarshal(b []byte) []byte {
 	ret, d := appendMsgHeader(b, TypePong, v0, pongLen)
 	d = d[copy(d, m.TxID[:]):]
-	ip16 := m.Src.IP().As16()
+	ip16 := m.Src.IP.As16()
 	d = d[copy(d, ip16[:]):]
-	binary.BigEndian.PutUint16(d, m.Src.Port())
+	binary.BigEndian.PutUint16(d, m.Src.Port)
 	return ret
 }

@@ -200,10 +201,10 @@ func parsePong(ver uint8, p []byte) (m *Pong, err error) {
 	copy(m.TxID[:], p)
 	p = p[12:]

-	srcIP, _ := netaddr.FromStdIP(net.IP(p[:16]))
+	m.Src.IP, _ = netaddr.FromStdIP(net.IP(p[:16]))
 	p = p[16:]
-	port := binary.BigEndian.Uint16(p)
-	m.Src = netaddr.IPPortFrom(srcIP, port)
+
+	m.Src.Port = binary.BigEndian.Uint16(p)
 	return m, nil
 }

--- a/go.mod
+++ b/go.mod
@@ -26,24 +26,23 @@ require (
 	github.com/peterbourgon/ff/v2 v2.0.0
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
-	github.com/tailscale/wireguard-go v0.0.0-20210510192616-d1aa5623121d
+	github.com/tailscale/wireguard-go v0.0.0-20210510175647-030c638da3df
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
 	golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
-	golang.org/x/net v0.0.0-20210510120150-4163338589ed
+	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210510120138-977fb7262007
+	golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57
 	golang.org/x/term v0.0.0-20210317153231-de623e64d2a6
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
-	golang.org/x/tools v0.1.0
+	golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58
 	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
 	gopkg.in/yaml.v2 v2.2.8 // indirect
 	honnef.co/go/tools v0.1.0
-	inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841
+	inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44
 	inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22
 	inet.af/peercred v0.0.0-20210302202138-56e694897155
-	inet.af/wf v0.0.0-20210516214145-a5343001b756
 	rsc.io/goversion v1.2.0
 )

--- a/go.sum
+++ b/go.sum
@@ -23,7 +23,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dvyukov/go-fuzz v0.0.0-20201127111758-49e582c6c23d/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
-github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/frankban/quicktest v1.12.1 h1:P6vQcHwZYgVGIpUzKB5DXzkEeYJppJOStPLuh9aB89c=
@@ -45,6 +44,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -70,6 +70,7 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:C
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I=
 github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -107,7 +108,6 @@ github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3/go.mod h1:85jBQOZwp
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
 github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
 github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
-github.com/peterbourgon/ff/v3 v3.0.0/go.mod h1:UILIFjRH5a/ar8TjXYLTkIvSvekZqPm5Eb/qbGk6CT0=
 github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8=
 github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -129,8 +129,6 @@ github.com/tailscale/wireguard-go v0.0.0-20210429195722-6cd106ab1339 h1:OjLaZ57x
 github.com/tailscale/wireguard-go v0.0.0-20210429195722-6cd106ab1339/go.mod h1:ys4yUmhKncXy1jWP34qUHKipRjl322VVhxoh1Rkfo7c=
 github.com/tailscale/wireguard-go v0.0.0-20210510175647-030c638da3df h1:ekBw6cxmDhXf9YxTmMZh7SPwUh9rnRRnaoX7HFiGobc=
 github.com/tailscale/wireguard-go v0.0.0-20210510175647-030c638da3df/go.mod h1:ys4yUmhKncXy1jWP34qUHKipRjl322VVhxoh1Rkfo7c=
-github.com/tailscale/wireguard-go v0.0.0-20210510192616-d1aa5623121d h1:qJSz1zlpuPLmfACtnj+tAH4g3iasJMBW8dpeFm5f4wg=
-github.com/tailscale/wireguard-go v0.0.0-20210510192616-d1aa5623121d/go.mod h1:ys4yUmhKncXy1jWP34qUHKipRjl322VVhxoh1Rkfo7c=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
@@ -177,9 +175,8 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210510120150-4163338589ed h1:p9UgmWI9wKpfYmgaV/IZKGdXc5qEK45tDwwwDyjS26I=
-golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -203,35 +200,29 @@ golang.org/x/sys v0.0.0-20201118182958-a01c418693c7/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210110051926-789bb1bd4061/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210123111255-9b0068b26619/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210301091718-77cc2087c03b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 h1:F5Gozwx4I1xtr/sr/8CFbb57iKi3297KFs0QDbGN60A=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007 h1:gG67DSER+11cZvqIMb8S8bt0vZtiN6xWYARwirrOSfE=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210317153231-de623e64d2a6 h1:EC6+IGYTjPpRfv9a2b/6Puw0W+hLtAhkV1tPsXhutqs=
 golang.org/x/term v0.0.0-20210317153231-de623e64d2a6/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba h1:O8mE0/t419eoIwhTFpKVkHiTs/Igowgfkj25AcZrtiE=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200609164405-eb789aa7ce50/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 h1:1Bs6RVeBFtLZ8Yi1Hk07DiOqzvwLD/4hln4iahvFlag=
 golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -253,22 +244,11 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.1.0 h1:AWNL1W1i7f0wNZ8VwOKNJ0sliKvOF/adn0EHenfUh+c=
 honnef.co/go/tools v0.1.0/go.mod h1:XtegFAyX/PfluP4921rXU5IkjkqBCDnUq4W8VCIoKvM=
+inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44 h1:p7fX77zWzZMuNdJUhniBsmN1OvFOrW9SOtvgnzqUZX4=
 inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44/go.mod h1:I2i9ONCXRZDnG1+7O8fSuYzjcPxHQXrIfzD/IkR87x4=
-inet.af/netaddr v0.0.0-20210508014949-da1c2a70a83d h1:9tuJMxDV7THGfXWirKBD/v9rbsBC21bHd2eEYsYuIek=
-inet.af/netaddr v0.0.0-20210508014949-da1c2a70a83d/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
-inet.af/netaddr v0.0.0-20210511181906-37180328850c h1:rzDy/tC8LjEdN94+i0Bu22tTo/qE9cvhKyfD0HMU0NU=
-inet.af/netaddr v0.0.0-20210511181906-37180328850c/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
-inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841 h1:2HpK+rC0Arcu98JukIlyVfEaE2OsvtmBFc8rs/2SJYs=
-inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
 inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22 h1:DNtszwGa6w76qlIr+PbPEnlBJdiRV8SaxeigOy0q1gg=
 inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22/go.mod h1:GVx+5OZtbG4TVOW5ilmyRZAZXr1cNwfqUEkTOtWK0PM=
 inet.af/peercred v0.0.0-20210302202138-56e694897155 h1:KojYNEYqDkZ2O3LdyTstR1l13L3ePKTIEM2h7ONkfkE=
 inet.af/peercred v0.0.0-20210302202138-56e694897155/go.mod h1:FjawnflS/udxX+SvpsMgZfdqx2aykOlkISeAsADi5IU=
-inet.af/wf v0.0.0-20210424212123-eaa011a774a4 h1:g1VVXY1xRKoO17aKY3g9KeJxDW0lGx1n2Y+WPSWkOL8=
-inet.af/wf v0.0.0-20210424212123-eaa011a774a4/go.mod h1:56/0QVlZ4NmPRh1QuU2OfrKqjSgt5P39R534gD2JMpQ=
-inet.af/wf v0.0.0-20210515021317-09f8efa8ac30 h1:TLxVVv7rmErJW7l81tbbR2BkOIYBI3YdxbJbEs/HJt8=
-inet.af/wf v0.0.0-20210515021317-09f8efa8ac30/go.mod h1:ViGMZRA6+RA318D7GCncrjv5gHUrPYrNDejjU12tikA=
-inet.af/wf v0.0.0-20210516214145-a5343001b756 h1:muIT3C1rH3/xpvIH8blKkMvhctV7F+OtZqs7kcwHDBQ=
-inet.af/wf v0.0.0-20210516214145-a5343001b756/go.mod h1:ViGMZRA6+RA318D7GCncrjv5gHUrPYrNDejjU12tikA=
 rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
 rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=
--- a/internal/deephash/deephash.go
+++ b/internal/deephash/deephash.go
@@ -1,174 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package deephash hashes a Go value recursively, in a predictable
-// order, without looping.
-package deephash
-
-import (
-	"bufio"
-	"crypto/sha256"
-	"fmt"
-	"reflect"
-
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/wgkey"
-)
-
-func Hash(v ...interface{}) string {
-	h := sha256.New()
-	// 64 matches the chunk size in crypto/sha256/sha256.go
-	b := bufio.NewWriterSize(h, 64)
-	Print(b, v)
-	b.Flush()
-	return fmt.Sprintf("%x", h.Sum(nil))
-}
-
-// UpdateHash sets last to the hash of v and reports whether its value changed.
-func UpdateHash(last *string, v ...interface{}) (changed bool) {
-	sig := Hash(v)
-	if *last != sig {
-		*last = sig
-		return true
-	}
-	return false
-}
-
-func Print(w *bufio.Writer, v ...interface{}) {
-	print(w, reflect.ValueOf(v), make(map[uintptr]bool))
-}
-
-var (
-	netaddrIPType       = reflect.TypeOf(netaddr.IP{})
-	netaddrIPPrefix     = reflect.TypeOf(netaddr.IPPrefix{})
-	wgkeyKeyType        = reflect.TypeOf(wgkey.Key{})
-	wgkeyPrivateType    = reflect.TypeOf(wgkey.Private{})
-	tailcfgDiscoKeyType = reflect.TypeOf(tailcfg.DiscoKey{})
-)
-
-func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool) {
-	if !v.IsValid() {
-		return
-	}
-
-	// Special case some common types.
-	if v.CanInterface() {
-		switch v.Type() {
-		case netaddrIPType:
-			var b []byte
-			var err error
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*netaddr.IP)
-				b, err = x.MarshalText()
-			} else {
-				x := v.Interface().(netaddr.IP)
-				b, err = x.MarshalText()
-			}
-			if err == nil {
-				w.Write(b)
-				return
-			}
-		case netaddrIPPrefix:
-			var b []byte
-			var err error
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*netaddr.IPPrefix)
-				b, err = x.MarshalText()
-			} else {
-				x := v.Interface().(netaddr.IPPrefix)
-				b, err = x.MarshalText()
-			}
-			if err == nil {
-				w.Write(b)
-				return
-			}
-		case wgkeyKeyType:
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*wgkey.Key)
-				w.Write(x[:])
-			} else {
-				x := v.Interface().(wgkey.Key)
-				w.Write(x[:])
-			}
-			return
-		case wgkeyPrivateType:
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*wgkey.Private)
-				w.Write(x[:])
-			} else {
-				x := v.Interface().(wgkey.Private)
-				w.Write(x[:])
-			}
-			return
-		case tailcfgDiscoKeyType:
-			if v.CanAddr() {
-				x := v.Addr().Interface().(*tailcfg.DiscoKey)
-				w.Write(x[:])
-			} else {
-				x := v.Interface().(tailcfg.DiscoKey)
-				w.Write(x[:])
-			}
-			return
-		}
-	}
-
-	// Generic handling.
-	switch v.Kind() {
-	default:
-		panic(fmt.Sprintf("unhandled kind %v for type %v", v.Kind(), v.Type()))
-	case reflect.Ptr:
-		ptr := v.Pointer()
-		if visited[ptr] {
-			return
-		}
-		visited[ptr] = true
-		print(w, v.Elem(), visited)
-		return
-	case reflect.Struct:
-		w.WriteString("struct{\n")
-		for i, n := 0, v.NumField(); i < n; i++ {
-			fmt.Fprintf(w, " [%d]: ", i)
-			print(w, v.Field(i), visited)
-			w.WriteString("\n")
-		}
-		w.WriteString("}\n")
-	case reflect.Slice, reflect.Array:
-		if v.Type().Elem().Kind() == reflect.Uint8 && v.CanInterface() {
-			fmt.Fprintf(w, "%q", v.Interface())
-			return
-		}
-		fmt.Fprintf(w, "[%d]{\n", v.Len())
-		for i, ln := 0, v.Len(); i < ln; i++ {
-			fmt.Fprintf(w, " [%d]: ", i)
-			print(w, v.Index(i), visited)
-			w.WriteString("\n")
-		}
-		w.WriteString("}\n")
-	case reflect.Interface:
-		print(w, v.Elem(), visited)
-	case reflect.Map:
-		sm := newSortedMap(v)
-		fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
-		for i, k := range sm.Key {
-			print(w, k, visited)
-			w.WriteString(": ")
-			print(w, sm.Value[i], visited)
-			w.WriteString("\n")
-		}
-		w.WriteString("}\n")
-	case reflect.String:
-		w.WriteString(v.String())
-	case reflect.Bool:
-		fmt.Fprintf(w, "%v", v.Bool())
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		fmt.Fprintf(w, "%v", v.Int())
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		fmt.Fprintf(w, "%v", v.Uint())
-	case reflect.Float32, reflect.Float64:
-		fmt.Fprintf(w, "%v", v.Float())
-	case reflect.Complex64, reflect.Complex128:
-		fmt.Fprintf(w, "%v", v.Complex())
-	}
-}
--- a/internal/deepprint/deepprint.go
+++ b/internal/deepprint/deepprint.go
@@ -0,0 +1,103 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package deepprint walks a Go value recursively, in a predictable
+// order, without looping, and prints each value out to a given
+// Writer, which is assumed to be a hash.Hash, as this package doesn't
+// format things nicely.
+//
+// This is intended as a lighter version of go-spew, etc. We don't need its
+// features when our writer is just a hash.
+package deepprint
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"io"
+	"reflect"
+)
+
+func Hash(v ...interface{}) string {
+	h := sha256.New()
+	Print(h, v)
+	return fmt.Sprintf("%x", h.Sum(nil))
+}
+
+// UpdateHash sets last to the hash of v and reports whether its value changed.
+func UpdateHash(last *string, v ...interface{}) (changed bool) {
+	sig := Hash(v)
+	if *last != sig {
+		*last = sig
+		return true
+	}
+	return false
+}
+
+func Print(w io.Writer, v ...interface{}) {
+	print(w, reflect.ValueOf(v), make(map[uintptr]bool))
+}
+
+func print(w io.Writer, v reflect.Value, visited map[uintptr]bool) {
+	if !v.IsValid() {
+		return
+	}
+	switch v.Kind() {
+	default:
+		panic(fmt.Sprintf("unhandled kind %v for type %v", v.Kind(), v.Type()))
+	case reflect.Ptr:
+		ptr := v.Pointer()
+		if visited[ptr] {
+			return
+		}
+		visited[ptr] = true
+		print(w, v.Elem(), visited)
+		return
+	case reflect.Struct:
+		fmt.Fprintf(w, "struct{\n")
+		t := v.Type()
+		for i, n := 0, v.NumField(); i < n; i++ {
+			sf := t.Field(i)
+			fmt.Fprintf(w, "%s: ", sf.Name)
+			print(w, v.Field(i), visited)
+			fmt.Fprintf(w, "\n")
+		}
+	case reflect.Slice, reflect.Array:
+		if v.Type().Elem().Kind() == reflect.Uint8 && v.CanInterface() {
+			fmt.Fprintf(w, "%q", v.Interface())
+			return
+		}
+		fmt.Fprintf(w, "[%d]{\n", v.Len())
+		for i, ln := 0, v.Len(); i < ln; i++ {
+			fmt.Fprintf(w, " [%d]: ", i)
+			print(w, v.Index(i), visited)
+			fmt.Fprintf(w, "\n")
+		}
+		fmt.Fprintf(w, "}\n")
+	case reflect.Interface:
+		print(w, v.Elem(), visited)
+	case reflect.Map:
+		sm := newSortedMap(v)
+		fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
+		for i, k := range sm.Key {
+			print(w, k, visited)
+			fmt.Fprintf(w, ": ")
+			print(w, sm.Value[i], visited)
+			fmt.Fprintf(w, "\n")
+		}
+		fmt.Fprintf(w, "}\n")
+
+	case reflect.String:
+		fmt.Fprintf(w, "%s", v.String())
+	case reflect.Bool:
+		fmt.Fprintf(w, "%v", v.Bool())
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		fmt.Fprintf(w, "%v", v.Int())
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		fmt.Fprintf(w, "%v", v.Uint())
+	case reflect.Float32, reflect.Float64:
+		fmt.Fprintf(w, "%v", v.Float())
+	case reflect.Complex64, reflect.Complex128:
+		fmt.Fprintf(w, "%v", v.Complex())
+	}
+}
--- a/internal/deepprint/deepprint_test.go
+++ b/internal/deepprint/deepprint_test.go
@@ -2,14 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package deephash
+package deepprint

 import (
+	"bytes"
 	"testing"

 	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/wgcfg"
 )
@@ -19,6 +18,10 @@ func TestDeepPrint(t *testing.T) {
 	// Mostly we're just testing that we don't panic on handled types.
 	v := getVal()

+	var buf bytes.Buffer
+	Print(&buf, v)
+	t.Logf("Got: %s", buf.Bytes())
+
 	hash1 := Hash(v)
 	t.Logf("hash: %v", hash1)
 	for i := 0; i < 20; i++ {
@@ -33,12 +36,10 @@ func getVal() []interface{} {
 	return []interface{}{
 		&wgcfg.Config{
 			Name:      "foo",
-			Addresses: []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPFrom16([16]byte{3: 3}), 5)},
+			Addresses: []netaddr.IPPrefix{{Bits: 5, IP: netaddr.IPFrom16([16]byte{3: 3})}},
 			Peers: []wgcfg.Peer{
 				{
-					Endpoints: wgcfg.Endpoints{
-						IPPorts: wgcfg.NewIPPortSet(netaddr.MustParseIPPort("42.42.42.42:5")),
-					},
+					Endpoints: "foo:5",
 				},
 			},
 		},
@@ -48,25 +49,16 @@ func getVal() []interface{} {
 				netaddr.MustParseIPPrefix("1234::/64"),
 			},
 		},
-		map[dnsname.FQDN][]netaddr.IP{
-			dnsname.FQDN("a."): {netaddr.MustParseIP("1.2.3.4"), netaddr.MustParseIP("4.3.2.1")},
-			dnsname.FQDN("b."): {netaddr.MustParseIP("8.8.8.8"), netaddr.MustParseIP("9.9.9.9")},
-		},
-		map[dnsname.FQDN][]netaddr.IPPort{
-			dnsname.FQDN("a."): {netaddr.MustParseIPPort("1.2.3.4:11"), netaddr.MustParseIPPort("4.3.2.1:22")},
-			dnsname.FQDN("b."): {netaddr.MustParseIPPort("8.8.8.8:11"), netaddr.MustParseIPPort("9.9.9.9:22")},
-		},
-		map[tailcfg.DiscoKey]bool{
-			{1: 1}: true,
-			{1: 2}: false,
+		map[string]string{
+			"key1": "val1",
+			"key2": "val2",
+			"key3": "val3",
+			"key4": "val4",
+			"key5": "val5",
+			"key6": "val6",
+			"key7": "val7",
+			"key8": "val8",
+			"key9": "val9",
 		},
 	}
 }
-
-func BenchmarkHash(b *testing.B) {
-	b.ReportAllocs()
-	v := getVal()
-	for i := 0; i < b.N; i++ {
-		Hash(v)
-	}
-}
--- a/internal/deepprint/fmtsort.go
+++ b/internal/deepprint/fmtsort.go
@@ -10,7 +10,7 @@

 // This is a slightly modified fork of Go's src/internal/fmtsort/sort.go

-package deephash
+package deepprint

 import (
 	"reflect"
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -29,7 +29,7 @@ import (
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/health"
-	"tailscale.com/internal/deephash"
+	"tailscale.com/internal/deepprint"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
@@ -44,11 +44,13 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
+	"tailscale.com/types/preftype"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -356,14 +358,14 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 		var tailAddr4 string
 		var tailscaleIPs = make([]netaddr.IP, 0, len(p.Addresses))
 		for _, addr := range p.Addresses {
-			if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.IP()) {
-				if addr.IP().Is4() && tailAddr4 == "" {
+			if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.IP) {
+				if addr.IP.Is4() && tailAddr4 == "" {
 					// The peer struct previously only allowed a single
 					// Tailscale IP address. For compatibility for a few releases starting
 					// with 1.8, keep it pulled out as IPv4-only for a bit.
-					tailAddr4 = addr.IP().String()
+					tailAddr4 = addr.IP.String()
 				}
-				tailscaleIPs = append(tailscaleIPs, addr.IP())
+				tailscaleIPs = append(tailscaleIPs, addr.IP)
 			}
 		}
 		sb.AddPeer(key.Public(p.Key), &ipnstate.PeerStatus{
@@ -390,10 +392,10 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 func (b *LocalBackend) WhoIs(ipp netaddr.IPPort) (n *tailcfg.Node, u tailcfg.UserProfile, ok bool) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
-	n, ok = b.nodeByAddr[ipp.IP()]
+	n, ok = b.nodeByAddr[ipp.IP]
 	if !ok {
 		var ip netaddr.IP
-		if ipp.Port() != 0 {
+		if ipp.Port != 0 {
 			ip, ok = b.e.WhoIsIPPort(ipp)
 		}
 		if !ok {
@@ -451,6 +453,13 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	// Lock b once and do only the things that require locking.
 	b.mu.Lock()

+	if st.LogoutFinished != nil {
+		// Since we're logged out now, our netmap cache is invalid.
+		// Since st.NetMap==nil means "netmap is unchanged", there is
+		// no other way to represent this change.
+		b.setNetMapLocked(nil)
+	}
+
 	prefs := b.prefs
 	stateKey := b.stateKey
 	netMap := b.netMap
@@ -552,7 +561,7 @@ func (b *LocalBackend) findExitNodeIDLocked(nm *netmap.NetworkMap) (prefsChanged

 	for _, peer := range nm.Peers {
 		for _, addr := range peer.Addresses {
-			if !addr.IsSingleIP() || addr.IP() != b.prefs.ExitNodeIP {
+			if !addr.IsSingleIP() || addr.IP != b.prefs.ExitNodeIP {
 				continue
 			}
 			// Found the node being referenced, upgrade prefs to
@@ -648,6 +657,12 @@ func (b *LocalBackend) getNewControlClientFunc() clientGen {
 // startIsNoopLocked reports whether a Start call on this LocalBackend
 // with the provided Start Options would be a useless no-op.
 //
+// TODO(apenwarr): we shouldn't need this.
+//  The state machine is now nearly clean enough where it can accept a new
+//  connection while in any state, not just Running, and on any platform.
+//  We'd want to add a few more tests to state_test.go to ensure this continues
+//  to work as expected.
+//
 // b.mu must be held.
 func (b *LocalBackend) startIsNoopLocked(opts ipn.Options) bool {
 	// Options has 5 fields; check all of them:
@@ -701,6 +716,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		b.send(ipn.Notify{
 			State:         &state,
 			NetMap:        nm,
+			Prefs:         b.prefs,
 			LoginFinished: new(empty.Message),
 		})
 		return nil
@@ -891,7 +907,7 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 	}
 	if prefs != nil {
 		for _, r := range prefs.AdvertiseRoutes {
-			if r.Bits() == 0 {
+			if r.Bits == 0 {
 				// When offering a default route to the world, we
 				// filter out locally reachable LANs, so that the
 				// default route effectively appears to be a "guest
@@ -916,7 +932,7 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 	localNets := localNetsB.IPSet()
 	logNets := logNetsB.IPSet()

-	changed := deephash.UpdateHash(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
+	changed := deepprint.UpdateHash(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
 	if !changed {
 		return
 	}
@@ -959,13 +975,13 @@ var removeFromDefaultRoute = []netaddr.IPPrefix{
 func interfaceRoutes() (ips *netaddr.IPSet, hostIPs []netaddr.IP, err error) {
 	var b netaddr.IPSetBuilder
 	if err := interfaces.ForeachInterfaceAddress(func(_ interfaces.Interface, pfx netaddr.IPPrefix) {
-		if tsaddr.IsTailscaleIP(pfx.IP()) {
+		if tsaddr.IsTailscaleIP(pfx.IP) {
 			return
 		}
 		if pfx.IsSingleIP() {
 			return
 		}
-		hostIPs = append(hostIPs, pfx.IP())
+		hostIPs = append(hostIPs, pfx.IP)
 		b.AddPrefix(pfx)
 	}); err != nil {
 		return nil, nil, err
@@ -1694,9 +1710,46 @@ func (b *LocalBackend) authReconfig() {

 	rcfg := b.routerConfig(cfg, uc)

-	var dcfg dns.Config
+	dcfg := dns.Config{
+		Routes: map[dnsname.FQDN][]netaddr.IPPort{},
+		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
+	}
+
+	// Populate MagicDNS records. We do this unconditionally so that
+	// quad-100 can always respond to MagicDNS queries, even if the OS
+	// isn't configured to make MagicDNS resolution truly
+	// magic. Details in
+	// https://github.com/tailscale/tailscale/issues/1886.
+	set := func(name string, addrs []netaddr.IPPrefix) {
+		if len(addrs) == 0 || name == "" {
+			return
+		}
+		fqdn, err := dnsname.ToFQDN(name)
+		if err != nil {
+			return // TODO: propagate error?
+		}
+		var ips []netaddr.IP
+		for _, addr := range addrs {
+			// Remove IPv6 addresses for now, as we don't
+			// guarantee that the peer node actually can speak
+			// IPv6 correctly.
+			//
+			// https://github.com/tailscale/tailscale/issues/1152
+			// tracks adding the right capability reporting to
+			// enable AAAA in MagicDNS.
+			if addr.IP.Is6() {
+				continue
+			}
+			ips = append(ips, addr.IP)
+		}
+		dcfg.Hosts[fqdn] = ips
+	}
+	dcfg.AuthoritativeSuffixes = magicDNSRootDomains(nm)
+	set(nm.Name, nm.Addresses)
+	for _, peer := range nm.Peers {
+		set(peer.Name, peer.Addresses)
+	}

-	// If CorpDNS is false, dcfg remains the zero value.
 	if uc.CorpDNS {
 		addDefault := func(resolvers []tailcfg.DNSResolver) {
 			for _, resolver := range resolvers {
@@ -1710,9 +1763,6 @@ func (b *LocalBackend) authReconfig() {
 		}

 		addDefault(nm.DNS.Resolvers)
-		if len(nm.DNS.Routes) > 0 {
-			dcfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{}
-		}
 		for suffix, resolvers := range nm.DNS.Routes {
 			fqdn, err := dnsname.ToFQDN(suffix)
 			if err != nil {
@@ -1734,36 +1784,9 @@ func (b *LocalBackend) authReconfig() {
 			}
 			dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
 		}
-		set := func(name string, addrs []netaddr.IPPrefix) {
-			if len(addrs) == 0 || name == "" {
-				return
-			}
-			fqdn, err := dnsname.ToFQDN(name)
-			if err != nil {
-				return // TODO: propagate error?
-			}
-			var ips []netaddr.IP
-			for _, addr := range addrs {
-				// Remove IPv6 addresses for now, as we don't
-				// guarantee that the peer node actually can speak
-				// IPv6 correctly.
-				//
-				// https://github.com/tailscale/tailscale/issues/1152
-				// tracks adding the right capability reporting to
-				// enable AAAA in MagicDNS.
-				if addr.IP().Is6() {
-					continue
-				}
-				ips = append(ips, addr.IP())
-			}
-			dcfg.Hosts[fqdn] = ips
-		}
 		if nm.DNS.Proxied { // actually means "enable MagicDNS"
-			dcfg.AuthoritativeSuffixes = magicDNSRootDomains(nm)
-			dcfg.Hosts = map[dnsname.FQDN][]netaddr.IP{}
-			set(nm.Name, nm.Addresses)
-			for _, peer := range nm.Peers {
-				set(peer.Name, peer.Addresses)
+			for _, dom := range dcfg.AuthoritativeSuffixes {
+				dcfg.Routes[dom] = []netaddr.IPPort{netaddr.IPPort{IP: tsaddr.TailscaleServiceIP(), Port: 53}}
 			}
 		}

@@ -1809,7 +1832,10 @@ func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
 	if err != nil {
 		return netaddr.IPPort{}, fmt.Errorf("[unexpected] non-IP resolver %q", cfg.Addr)
 	}
-	return netaddr.IPPortFrom(ip, 53), nil
+	return netaddr.IPPort{
+		IP:   ip,
+		Port: 53,
+	}, nil
 }

 // tailscaleVarRoot returns the root directory of Tailscale's writable
@@ -1864,10 +1890,19 @@ func (b *LocalBackend) initPeerAPIListener() {
 	b.mu.Lock()
 	defer b.mu.Unlock()

+	if b.netMap == nil {
+		// We're called from authReconfig which checks that
+		// netMap is non-nil, but if a concurrent Logout,
+		// ResetForClientDisconnect, or Start happens when its
+		// mutex was released, the netMap could be
+		// nil'ed out (Issue 1996). Bail out early here if so.
+		return
+	}
+
 	if len(b.netMap.Addresses) == len(b.peerAPIListeners) {
 		allSame := true
 		for i, pln := range b.peerAPIListeners {
-			if pln.ip != b.netMap.Addresses[i].IP() {
+			if pln.ip != b.netMap.Addresses[i].IP {
 				allSame = false
 				break
 			}
@@ -1912,7 +1947,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 		var err error
 		skipListen := i > 0 && isNetstack
 		if !skipListen {
-			ln, err = ps.listen(a.IP(), b.prevIfState)
+			ln, err = ps.listen(a.IP, b.prevIfState)
 			if err != nil {
 				if runtime.GOOS == "windows" {
 					// Expected for now. See Issue 1620.
@@ -1926,7 +1961,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 		}
 		pln := &peerAPIListener{
 			ps: ps,
-			ip: a.IP(),
+			ip: a.IP,
 			ln: ln, // nil for 2nd+ on netstack
 			lb: b,
 		}
@@ -1935,7 +1970,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 		} else {
 			pln.port = ln.Addr().(*net.TCPAddr).Port
 		}
-		pln.urlStr = "http://" + net.JoinHostPort(a.IP().String(), strconv.Itoa(pln.port))
+		pln.urlStr = "http://" + net.JoinHostPort(a.IP.String(), strconv.Itoa(pln.port))
 		b.logf("peerapi: serving on %s", pln.urlStr)
 		go pln.serve()
 		b.peerAPIListeners = append(b.peerAPIListeners, pln)
@@ -1986,14 +2021,14 @@ func peerRoutes(peers []wgcfg.Peer, cgnatThreshold int) (routes []netaddr.IPPref
 		for _, aip := range peer.AllowedIPs {
 			aip = unmapIPPrefix(aip)
 			// Only add the Tailscale IPv6 ULA once, if we see anybody using part of it.
-			if aip.IP().Is6() && aip.IsSingleIP() && tsULA.Contains(aip.IP()) {
+			if aip.IP.Is6() && aip.IsSingleIP() && tsULA.Contains(aip.IP) {
 				if !didULA {
 					didULA = true
 					routes = append(routes, tsULA)
 				}
 				continue
 			}
-			if aip.IsSingleIP() && cgNAT.Contains(aip.IP()) {
+			if aip.IsSingleIP() && cgNAT.Contains(aip.IP) {
 				cgNATIPs = append(cgNATIPs, aip)
 			} else {
 				routes = append(routes, aip)
@@ -2019,6 +2054,11 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		Routes:           peerRoutes(cfg.Peers, 10_000),
 	}

+	if distro.Get() == distro.Synology {
+		// Issue 1995: we don't use iptables on Synology.
+		rs.NetfilterMode = preftype.NetfilterOff
+	}
+
 	// Sanity check: we expect the control server to program both a v4
 	// and a v6 default route, if default routing is on. Fill in
 	// blackhole routes appropriately if we're missing some. This is
@@ -2060,13 +2100,16 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		}
 	}

-	rs.Routes = append(rs.Routes, netaddr.IPPrefixFrom(tsaddr.TailscaleServiceIP(), 32))
+	rs.Routes = append(rs.Routes, netaddr.IPPrefix{
+		IP:   tsaddr.TailscaleServiceIP(),
+		Bits: 32,
+	})

 	return rs
 }

 func unmapIPPrefix(ipp netaddr.IPPrefix) netaddr.IPPrefix {
-	return netaddr.IPPrefixFrom(ipp.IP().Unmap(), ipp.Bits())
+	return netaddr.IPPrefix{IP: ipp.IP.Unmap(), Bits: ipp.Bits}
 }

 func unmapIPPrefixes(ippsList ...[]netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
@@ -2150,7 +2193,7 @@ func (b *LocalBackend) enterState(newState ipn.State) {
 	case ipn.Running:
 		var addrs []string
 		for _, addr := range b.netMap.Addresses {
-			addrs = append(addrs, addr.IP().String())
+			addrs = append(addrs, addr.IP.String())
 		}
 		systemd.Status("Connected; %s; %s", activeLogin, strings.Join(addrs, " "))
 	default:
@@ -2312,7 +2355,6 @@ func (b *LocalBackend) LogoutSync(ctx context.Context) error {
 func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 	b.mu.Lock()
 	cc := b.cc
-	b.setNetMapLocked(nil)
 	b.mu.Unlock()

 	b.EditPrefs(&ipn.MaskedPrefs{
@@ -2339,10 +2381,6 @@ func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 		cc.StartLogout()
 	}

-	b.mu.Lock()
-	b.setNetMapLocked(nil)
-	b.mu.Unlock()
-
 	b.stateMachine()
 	return err
 }
@@ -2418,7 +2456,7 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	addNode := func(n *tailcfg.Node) {
 		for _, ipp := range n.Addresses {
 			if ipp.IsSingleIP() {
-				b.nodeByAddr[ipp.IP()] = n
+				b.nodeByAddr[ipp.IP] = n
 			}
 		}
 	}
@@ -2570,9 +2608,9 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {
 			continue
 		}
 		switch {
-		case a.IP().Is4():
+		case a.IP.Is4():
 			have4 = true
-		case a.IP().Is6():
+		case a.IP.Is6():
 			have6 = true
 		}
 	}
@@ -2588,11 +2626,11 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {
 	var ipp netaddr.IPPort
 	switch {
 	case have4 && p4 != 0:
-		ipp = netaddr.IPPortFrom(nodeIP(peer, netaddr.IP.Is4), p4)
+		ipp = netaddr.IPPort{IP: nodeIP(peer, netaddr.IP.Is4), Port: p4}
 	case have6 && p6 != 0:
-		ipp = netaddr.IPPortFrom(nodeIP(peer, netaddr.IP.Is6), p6)
+		ipp = netaddr.IPPort{IP: nodeIP(peer, netaddr.IP.Is6), Port: p6}
 	}
-	if ipp.IP().IsZero() {
+	if ipp.IP.IsZero() {
 		return ""
 	}
 	return fmt.Sprintf("http://%v", ipp)
@@ -2600,8 +2638,8 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {

 func nodeIP(n *tailcfg.Node, pred func(netaddr.IP) bool) netaddr.IP {
 	for _, a := range n.Addresses {
-		if a.IsSingleIP() && pred(a.IP()) {
-			return a.IP()
+		if a.IsSingleIP() && pred(a.IP) {
+			return a.IP
 		}
 	}
 	return netaddr.IP{}
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -171,7 +171,7 @@ func TestShrinkDefaultRoute(t *testing.T) {
 			out: []string{
 				"fe80::1",
 				"ff00::1",
-				tsaddr.TailscaleULARange().IP().String(),
+				tsaddr.TailscaleULARange().IP.String(),
 			},
 			localIPFn: func(ip netaddr.IP) bool { return !inRemove(ip) && ip.Is6() },
 		},
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -510,7 +510,7 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 <body>
 <h1>Hello, %s (%v)</h1>
 This is my Tailscale device. Your device is %v.
-`, html.EscapeString(who), h.remoteAddr.IP(), html.EscapeString(h.peerNode.ComputedName))
+`, html.EscapeString(who), h.remoteAddr.IP, html.EscapeString(h.peerNode.ComputedName))

 	if h.isSelf {
 		fmt.Fprintf(w, "<p>You are the owner of this node.\n")
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -140,6 +140,8 @@ func (cc *mockControl) send(err error, url string, loginFinished bool, nm *netma
 		}
 		if loginFinished {
 			s.LoginFinished = &empty.Message{}
+		} else if url == "" && err == nil && nm == nil {
+			s.LogoutFinished = &empty.Message{}
 		}
 		cc.statusFunc(s)
 	}
@@ -548,10 +550,7 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
 		c.Assert(nn[0].NetMap, qt.Not(qt.IsNil))
-		// BUG: Prefs should be sent too, or the UI could end up in
-		// a bad state. (iOS, the only current user of this feature,
-		// probably wouldn't notice because it happens to not display
-		// any prefs. Maybe exit nodes will look weird?)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 	}

 	// undo the state hack above.
@@ -563,24 +562,25 @@ func TestStateMachine(t *testing.T) {
 	b.Logout()
 	{
 		nn := notifies.drain(2)
-		// BUG: now is not the time to unpause.
-		c.Assert([]string{"unpause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
+		c.Assert([]string{"pause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
+		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsTrue)
 		c.Assert(nn[1].Prefs.WantRunning, qt.IsFalse)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		c.Assert(ipn.Stopped, qt.Equals, b.State())
 	}

 	// Let's make the logout succeed.
 	t.Logf("\n\nLogout (async) - succeed")
-	notifies.expect(0)
+	notifies.expect(1)
 	cc.setAuthBlocked(true)
 	cc.send(nil, "", false, nil)
 	{
-		notifies.drain(0)
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		nn := notifies.drain(1)
+		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
 		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -6,9 +6,7 @@ package ipnserver

 import (
 	"bufio"
-	"bytes"
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -147,7 +145,7 @@ func (s *server) getConnIdentity(c net.Conn) (ci connIdentity, err error) {
 	if err != nil {
 		return ci, fmt.Errorf("parsing local remote: %w", err)
 	}
-	if !la.IP().IsLoopback() || !ra.IP().IsLoopback() {
+	if !la.IP.IsLoopback() || !ra.IP.IsLoopback() {
 		return ci, errors.New("non-loopback connection")
 	}
 	tab, err := netstat.Get()
@@ -253,7 +251,8 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 			return
 		}
 		defer c.Close()
-		bs := ipn.NewBackendServer(logf, nil, jsonNotifier(c, s.logf))
+		serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+		bs := ipn.NewBackendServer(logf, nil, serverToClient)
 		_, occupied := err.(inUseOtherUserError)
 		if occupied {
 			bs.SendInUseOtherUserErrorMessage(err.Error())
@@ -568,9 +567,7 @@ func (s *server) setServerModeUserLocked() {
 	}
 }

-var jsonEscapedZero = []byte(`\u0000`)
-
-func (s *server) writeToClients(n ipn.Notify) {
+func (s *server) writeToClients(b []byte) {
 	inServerMode := s.b.InServerMode()

 	s.mu.Lock()
@@ -587,17 +584,8 @@ func (s *server) writeToClients(n ipn.Notify) {
 		}
 	}

-	if len(s.clients) == 0 {
-		// Common case (at least on busy servers): nobody
-		// connected (no GUI, etc), so return before
-		// serializing JSON.
-		return
-	}
-
-	if b, ok := marshalNotify(n, s.logf); ok {
-		for c := range s.clients {
-			ipn.WriteMsg(c, b)
-		}
+	for c := range s.clients {
+		ipn.WriteMsg(c, b)
 	}
 }

@@ -683,7 +671,8 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 			errMsg := err.Error()
 			go func() {
 				defer c.Close()
-				bs := ipn.NewBackendServer(logf, nil, jsonNotifier(c, logf))
+				serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+				bs := ipn.NewBackendServer(logf, nil, serverToClient)
 				bs.SendErrorMessage(errMsg)
 				time.Sleep(time.Second)
 			}()
@@ -973,25 +962,3 @@ func peerPid(entries []netstat.Entry, la, ra netaddr.IPPort) int {
 	}
 	return 0
 }
-
-// jsonNotifier returns a notify-writer func that writes ipn.Notify
-// messages to w.
-func jsonNotifier(w io.Writer, logf logger.Logf) func(ipn.Notify) {
-	return func(n ipn.Notify) {
-		if b, ok := marshalNotify(n, logf); ok {
-			ipn.WriteMsg(w, b)
-		}
-	}
-}
-
-func marshalNotify(n ipn.Notify, logf logger.Logf) (b []byte, ok bool) {
-	b, err := json.Marshal(n)
-	if err != nil {
-		logf("ipnserver: [unexpected] error serializing JSON: %v", err)
-		return nil, false
-	}
-	if bytes.Contains(b, jsonEscapedZero) {
-		logf("[unexpected] zero byte in BackendServer.send notify message: %q", b)
-	}
-	return b, true
-}
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -88,9 +88,9 @@ type Command struct {

 type BackendServer struct {
 	logf          logger.Logf
-	b             Backend      // the Backend we are serving up
-	sendNotifyMsg func(Notify) // send a notification message
-	GotQuit       bool         // a Quit command was received
+	b             Backend              // the Backend we are serving up
+	sendNotifyMsg func(jsonMsg []byte) // send a notification message
+	GotQuit       bool                 // a Quit command was received
 }

 // NewBackendServer creates a new BackendServer using b.
@@ -98,13 +98,15 @@ type BackendServer struct {
 // If sendNotifyMsg is non-nil, it additionally sets the Backend's
 // notification callback to call the func with ipn.Notify messages in
 // JSON form. If nil, it does not change the notification callback.
-func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(Notify)) *BackendServer {
+func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(b []byte)) *BackendServer {
 	bs := &BackendServer{
 		logf:          logf,
 		b:             b,
 		sendNotifyMsg: sendNotifyMsg,
 	}
-	if sendNotifyMsg != nil {
+	// b may be nil if the BackendServer is being created just to
+	// encapsulate and send an error message.
+	if sendNotifyMsg != nil && b != nil {
 		b.SetNotifyCallback(bs.send)
 	}
 	return bs
@@ -115,7 +117,14 @@ func (bs *BackendServer) send(n Notify) {
 		return
 	}
 	n.Version = version.Long
-	bs.sendNotifyMsg(n)
+	b, err := json.Marshal(n)
+	if err != nil {
+		log.Fatalf("Failed json.Marshal(notify): %v\n%#v", err, n)
+	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendServer.send notify message: %q", b)
+	}
+	bs.sendNotifyMsg(b)
 }

 func (bs *BackendServer) SendErrorMessage(msg string) {
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -7,7 +7,6 @@ package ipn
 import (
 	"bytes"
 	"context"
-	"encoding/json"
 	"testing"
 	"time"

@@ -75,11 +74,7 @@ func TestClientServer(t *testing.T) {
 			bc.GotNotifyMsg(b)
 		}
 	}()
-	serverToClient := func(n Notify) {
-		b, err := json.Marshal(n)
-		if err != nil {
-			panic(err.Error())
-		}
+	serverToClient := func(b []byte) {
 		serverToClientCh <- append([]byte{}, b...)
 	}
 	clientToServer := func(b []byte) {
--- a/net/dns/config.go
+++ b/net/dns/config.go
@@ -28,8 +28,11 @@ type Config struct {
 	SearchDomains []dnsname.FQDN
 	// Hosts maps DNS FQDNs to their IPs, which can be a mix of IPv4
 	// and IPv6.
-	// Queries matching entries in Hosts are resolved locally without
-	// recursing off-machine.
+	// Queries matching entries in Hosts are resolved locally by
+	// 100.100.100.100 without leaving the machine.
+	// Adding an entry to Hosts merely creates the record. If you want
+	// it to resolve, you also need to add appropriate routes to
+	// Routes.
 	Hosts map[dnsname.FQDN][]netaddr.IP
 	// AuthoritativeSuffixes is a list of fully-qualified DNS suffixes
 	// for which the in-process Tailscale resolver is authoritative.
@@ -42,7 +45,7 @@ type Config struct {
 // needsAnyResolvers reports whether c requires a resolver to be set
 // at the OS level.
 func (c Config) needsOSResolver() bool {
-	return c.hasDefaultResolvers() || c.hasRoutes() || c.hasHosts()
+	return c.hasDefaultResolvers() || c.hasRoutes()
 }

 func (c Config) hasRoutes() bool {
@@ -52,7 +55,7 @@ func (c Config) hasRoutes() bool {
 // hasDefaultResolversOnly reports whether the only resolvers in c are
 // DefaultResolvers.
 func (c Config) hasDefaultResolversOnly() bool {
-	return c.hasDefaultResolvers() && !c.hasRoutes() && !c.hasHosts()
+	return c.hasDefaultResolvers() && !c.hasRoutes()
 }

 func (c Config) hasDefaultResolvers() bool {
@@ -76,31 +79,11 @@ func (c Config) singleResolverSet() []netaddr.IPPort {
 	return first
 }

-// hasHosts reports whether c requires resolution of MagicDNS hosts or
-// domains.
-func (c Config) hasHosts() bool {
-	return len(c.Hosts) > 0 || len(c.AuthoritativeSuffixes) > 0
-}
-
-// matchDomains returns the list of match suffixes needed by Routes,
-// AuthoritativeSuffixes. Hosts is not considered as we assume that
-// they're covered by AuthoritativeSuffixes for now.
+// matchDomains returns the list of match suffixes needed by Routes.
 func (c Config) matchDomains() []dnsname.FQDN {
-	ret := make([]dnsname.FQDN, 0, len(c.Routes)+len(c.AuthoritativeSuffixes))
-	seen := map[dnsname.FQDN]bool{}
-	for _, suffix := range c.AuthoritativeSuffixes {
-		if seen[suffix] {
-			continue
-		}
-		ret = append(ret, suffix)
-		seen[suffix] = true
-	}
+	ret := make([]dnsname.FQDN, 0, len(c.Routes))
 	for suffix := range c.Routes {
-		if seen[suffix] {
-			continue
-		}
 		ret = append(ret, suffix)
-		seen[suffix] = true
 	}
 	sort.Slice(ret, func(i, j int) bool {
 		return ret[i].WithTrailingDot() < ret[j].WithTrailingDot()
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -6,7 +6,6 @@ package dns

 import (
 	"runtime"
-	"strings"
 	"time"

 	"inet.af/netaddr"
@@ -75,40 +74,51 @@ func (m *Manager) Set(cfg Config) error {

 // compileConfig converts cfg into a quad-100 resolver configuration
 // and an OS-level configuration.
-func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
+func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig, err error) {
+	authDomains := make(map[dnsname.FQDN]bool, len(cfg.AuthoritativeSuffixes))
+	for _, dom := range cfg.AuthoritativeSuffixes {
+		authDomains[dom] = true
+	}
+	addRoutes := func() {
+		for suffix, resolvers := range cfg.Routes {
+			// Don't add resolver routes for authoritative domains,
+			// since they're meant to be authoritatively handled
+			// internally.
+			if authDomains[suffix] {
+				continue
+			}
+			rcfg.Routes[suffix] = resolvers
+		}
+	}
+
+	// The internal resolver always gets MagicDNS hosts and
+	// authoritative suffixes, even if we don't propagate MagicDNS to
+	// the OS.
+	rcfg.Hosts = cfg.Hosts
+	rcfg.LocalDomains = cfg.AuthoritativeSuffixes
+	// Similarly, the OS always gets search paths.
+	ocfg.SearchDomains = cfg.SearchDomains
+
 	// Deal with trivial configs first.
 	switch {
 	case !cfg.needsOSResolver():
 		// Set search domains, but nothing else. This also covers the
 		// case where cfg is entirely zero, in which case these
 		// configs clear all Tailscale DNS settings.
-		return resolver.Config{}, OSConfig{
-			SearchDomains: cfg.SearchDomains,
-		}, nil
+		return rcfg, ocfg, nil
 	case cfg.hasDefaultResolversOnly():
 		// Trivial CorpDNS configuration, just override the OS
 		// resolver.
-		return resolver.Config{}, OSConfig{
-			Nameservers:   toIPsOnly(cfg.DefaultResolvers),
-			SearchDomains: cfg.SearchDomains,
-		}, nil
+		ocfg.Nameservers = toIPsOnly(cfg.DefaultResolvers)
+		return rcfg, ocfg, nil
 	case cfg.hasDefaultResolvers():
 		// Default resolvers plus other stuff always ends up proxying
 		// through quad-100.
-		rcfg := resolver.Config{
-			Routes: map[dnsname.FQDN][]netaddr.IPPort{
-				".": cfg.DefaultResolvers,
-			},
-			Hosts:        cfg.Hosts,
-			LocalDomains: cfg.AuthoritativeSuffixes,
-		}
-		for suffix, resolvers := range cfg.Routes {
-			rcfg.Routes[suffix] = resolvers
-		}
-		ocfg := OSConfig{
-			Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
-			SearchDomains: cfg.SearchDomains,
+		rcfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{
+			".": cfg.DefaultResolvers,
 		}
+		addRoutes()
+		ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
 		return rcfg, ocfg, nil
 	}

@@ -116,8 +126,6 @@ func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	// configurations. The possible cases don't return directly any
 	// more, because as a final step we have to handle the case where
 	// the OS can't do split DNS.
-	var rcfg resolver.Config
-	var ocfg OSConfig

 	// Workaround for
 	// https://github.com/tailscale/corp/issues/1662. Even though
@@ -135,35 +143,20 @@ func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	// This bool is used in a couple of places below to implement this
 	// workaround.
 	isWindows := runtime.GOOS == "windows"
-
-	// The windows check is for
-	// . See also below
-	// for further routing workarounds there.
-	if !cfg.hasHosts() && cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
+	if cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
 		// Split DNS configuration requested, where all split domains
 		// go to the same resolvers. We can let the OS do it.
-		return resolver.Config{}, OSConfig{
-			Nameservers:   toIPsOnly(cfg.singleResolverSet()),
-			SearchDomains: cfg.SearchDomains,
-			MatchDomains:  cfg.matchDomains(),
-		}, nil
+		ocfg.Nameservers = toIPsOnly(cfg.singleResolverSet())
+		ocfg.MatchDomains = cfg.matchDomains()
+		return rcfg, ocfg, nil
 	}

 	// Split DNS configuration with either multiple upstream routes,
 	// or routes + MagicDNS, or just MagicDNS, or on an OS that cannot
 	// split-DNS. Install a split config pointing at quad-100.
-	rcfg = resolver.Config{
-		Hosts:        cfg.Hosts,
-		LocalDomains: cfg.AuthoritativeSuffixes,
-		Routes:       map[dnsname.FQDN][]netaddr.IPPort{},
-	}
-	for suffix, resolvers := range cfg.Routes {
-		rcfg.Routes[suffix] = resolvers
-	}
-	ocfg = OSConfig{
-		Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
-		SearchDomains: cfg.SearchDomains,
-	}
+	rcfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{}
+	addRoutes()
+	ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}

 	// If the OS can't do native split-dns, read out the underlying
 	// resolver config and blend it into our config.
@@ -173,28 +166,7 @@ func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	if !m.os.SupportsSplitDNS() || isWindows {
 		bcfg, err := m.os.GetBaseConfig()
 		if err != nil {
-			// Temporary hack to make OSes where split-DNS isn't fully
-			// implemented yet not completely crap out, but instead
-			// fall back to quad-9 as a hardcoded "backup resolver".
-			//
-			// This codepath currently only triggers when opted into
-			// the split-DNS feature server side, and when at least
-			// one search domain is something within tailscale.com, so
-			// we don't accidentally leak unstable user DNS queries to
-			// quad-9 if we accidentally go down this codepath.
-			canUseHack := false
-			for _, dom := range cfg.SearchDomains {
-				if strings.HasSuffix(dom.WithoutTrailingDot(), ".tailscale.com") {
-					canUseHack = true
-					break
-				}
-			}
-			if !canUseHack {
-				return resolver.Config{}, OSConfig{}, err
-			}
-			bcfg = OSConfig{
-				Nameservers: []netaddr.IP{netaddr.IPv4(9, 9, 9, 9)},
-			}
+			return resolver.Config{}, OSConfig{}, err
 		}
 		rcfg.Routes["."] = toIPPorts(bcfg.Nameservers)
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
@@ -211,7 +183,7 @@ func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 func toIPsOnly(ipps []netaddr.IPPort) (ret []netaddr.IP) {
 	ret = make([]netaddr.IP, 0, len(ipps))
 	for _, ipp := range ipps {
-		ret = append(ret, ipp.IP())
+		ret = append(ret, ipp.IP)
 	}
 	return ret
 }
@@ -219,7 +191,7 @@ func toIPsOnly(ipps []netaddr.IPPort) (ret []netaddr.IP) {
 func toIPPorts(ips []netaddr.IP) (ret []netaddr.IPPort) {
 	ret = make([]netaddr.IPPort, 0, len(ips))
 	for _, ip := range ips {
-		ret = append(ret, netaddr.IPPortFrom(ip, 53))
+		ret = append(ret, netaddr.IPPort{IP: ip, Port: 53})
 	}
 	return ret
 }
--- a/net/dns/manager_test.go
+++ b/net/dns/manager_test.go
@@ -76,6 +76,22 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 		},
+		{
+			// Regression test for https://github.com/tailscale/tailscale/issues/1886
+			name: "hosts-only",
+			in: Config{
+				Hosts: hosts(
+					"dave.ts.com.", "1.2.3.4",
+					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+			},
+			rs: resolver.Config{
+				Hosts: hosts(
+					"dave.ts.com.", "1.2.3.4",
+					"bradfitz.ts.com.", "2.3.4.5"),
+				LocalDomains: fqdns("ts.com"),
+			},
+		},
 		{
 			name: "corp",
 			in: Config{
@@ -104,6 +120,7 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
+				Routes:           upstreams("ts.com", "100.100.100.100:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -126,6 +143,7 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
+				Routes:           upstreams("ts.com", "100.100.100.100:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -261,6 +279,7 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				Routes:                upstreams("ts.com", "100.100.100.100:53"),
 				AuthoritativeSuffixes: fqdns("ts.com"),
 				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
@@ -286,6 +305,7 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				Routes:                upstreams("ts.com", "100.100.100.100:53"),
 				AuthoritativeSuffixes: fqdns("ts.com"),
 				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
@@ -333,7 +353,9 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic-split",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53"),
+				Routes: upstreams(
+					"corp.com", "2.2.2.2:53",
+					"ts.com", "100.100.100.100:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -368,12 +390,11 @@ func TestManager(t *testing.T) {
 			if err := m.Set(test.in); err != nil {
 				t.Fatalf("m.Set: %v", err)
 			}
-			trIP := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
-			trIPPort := cmp.Transformer("ippStr", func(ipp netaddr.IPPort) string { return ipp.String() })
-			if diff := cmp.Diff(f.OSConfig, test.os, trIP, trIPPort, cmpopts.EquateEmpty()); diff != "" {
+			tr := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
+			if diff := cmp.Diff(f.OSConfig, test.os, tr, cmpopts.EquateEmpty()); diff != "" {
 				t.Errorf("wrong OSConfig (-got+want)\n%s", diff)
 			}
-			if diff := cmp.Diff(f.ResolverConfig, test.rs, trIP, trIPPort, cmpopts.EquateEmpty()); diff != "" {
+			if diff := cmp.Diff(f.ResolverConfig, test.rs, tr, cmpopts.EquateEmpty()); diff != "" {
 				t.Errorf("wrong resolver.Config (-got+want)\n%s", diff)
 			}
 		})
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -433,8 +433,8 @@ func TestDelegateCollision(t *testing.T) {
 		qtype dns.Type
 		addr  netaddr.IPPort
 	}{
-		{"test.site.", dns.TypeA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1001)},
-		{"test.site.", dns.TypeAAAA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1002)},
+		{"test.site.", dns.TypeA, netaddr.IPPort{IP: netaddr.IPv4(1, 1, 1, 1), Port: 1001}},
+		{"test.site.", dns.TypeAAAA, netaddr.IPPort{IP: netaddr.IPv4(1, 1, 1, 1), Port: 1002}},
 	}

 	// packets will have the same dns txid.
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -195,7 +195,7 @@ func ForeachInterface(fn func(Interface, []netaddr.IPPrefix)) error {
 			}
 		}
 		sort.Slice(pfxs, func(i, j int) bool {
-			return pfxs[i].IP().Less(pfxs[j].IP())
+			return pfxs[i].IP.Less(pfxs[j].IP)
 		})
 		fn(Interface{iface}, pfxs)
 	}
@@ -264,7 +264,7 @@ func (s *State) String() string {
 			fmt.Fprintf(&sb, "%s:[", ifName)
 			needSpace := false
 			for _, pfx := range s.InterfaceIPs[ifName] {
-				if !isInterestingIP(pfx.IP()) {
+				if !isInterestingIP(pfx.IP) {
 					continue
 				}
 				if needSpace {
@@ -367,7 +367,7 @@ func (s *State) AnyInterfaceUp() bool {

 func hasTailscaleIP(pfxs []netaddr.IPPrefix) bool {
 	for _, pfx := range pfxs {
-		if tsaddr.IsTailscaleIP(pfx.IP()) {
+		if tsaddr.IsTailscaleIP(pfx.IP) {
 			return true
 		}
 	}
@@ -407,11 +407,11 @@ func GetState() (*State, error) {
 			return
 		}
 		for _, pfx := range pfxs {
-			if pfx.IP().IsLoopback() || pfx.IP().IsLinkLocalUnicast() {
+			if pfx.IP.IsLoopback() || pfx.IP.IsLinkLocalUnicast() {
 				continue
 			}
-			s.HaveV6Global = s.HaveV6Global || isGlobalV6(pfx.IP())
-			s.HaveV4 = s.HaveV4 || pfx.IP().Is4()
+			s.HaveV6Global = s.HaveV6Global || isGlobalV6(pfx.IP)
+			s.HaveV4 = s.HaveV4 || pfx.IP.Is4()
 		}
 	}); err != nil {
 		return nil, err
@@ -447,7 +447,7 @@ func HTTPOfListener(ln net.Listener) string {
 	var goodIP string
 	var privateIP string
 	ForeachInterfaceAddress(func(i Interface, pfx netaddr.IPPrefix) {
-		ip := pfx.IP()
+		ip := pfx.IP
 		if isPrivateIP(ip) {
 			if privateIP == "" {
 				privateIP = ip.String()
@@ -484,7 +484,7 @@ func LikelyHomeRouterIP() (gateway, myIP netaddr.IP, ok bool) {
 		return
 	}
 	ForeachInterfaceAddress(func(i Interface, pfx netaddr.IPPrefix) {
-		ip := pfx.IP()
+		ip := pfx.IP
 		if !i.IsUp() || ip.IsZero() || !myIP.IsZero() {
 			return
 		}
@@ -528,7 +528,7 @@ var (
 // isInterestingIP.
 func anyInterestingIP(pfxs []netaddr.IPPrefix) bool {
 	for _, pfx := range pfxs {
-		if isInterestingIP(pfx.IP()) {
+		if isInterestingIP(pfx.IP) {
 			return true
 		}
 	}
--- a/net/interfaces/interfaces_darwin.go
+++ b/net/interfaces/interfaces_darwin.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"net"
 	"syscall"
+	"time"

 	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"
@@ -28,9 +29,32 @@ func DefaultRouteInterface() (string, error) {
 	return iface.Name, nil
 }

-// fetchRoutingTable calls route.FetchRIB, fetching NET_RT_DUMP2.
+// fetchRoutingTable is a retry loop around route.FetchRIB, fetching NET_RT_DUMP2.
+//
+// The retry loop is due to a bug in the BSDs (or Go?). See
+// https://github.com/tailscale/tailscale/issues/1345
 func fetchRoutingTable() (rib []byte, err error) {
-	return route.FetchRIB(syscall.AF_UNSPEC, syscall.NET_RT_DUMP2, 0)
+	fails := 0
+	for {
+		rib, err := route.FetchRIB(syscall.AF_UNSPEC, syscall.NET_RT_DUMP2, 0)
+		if err == nil {
+			return rib, nil
+		}
+		fails++
+		if fails < 10 {
+			// Empirically, 1 retry is enough. In a long
+			// stress test while toggling wifi on & off, I
+			// only saw a few occurrences of 2 and one 3.
+			// So 10 should be more plenty.
+			if fails > 5 {
+				time.Sleep(5 * time.Millisecond)
+			}
+			continue
+		}
+		if err != nil {
+			return nil, fmt.Errorf("route.FetchRIB: %w", err)
+		}
+	}
 }

 func DefaultRouteInterfaceIndex() (int, error) {
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -625,7 +625,7 @@ func (rs *reportState) stopTimers() {
 func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort, d time.Duration) {
 	var ipPortStr string
 	if ipp != (netaddr.IPPort{}) {
-		ipPortStr = net.JoinHostPort(ipp.IP().String(), fmt.Sprint(ipp.Port()))
+		ipPortStr = net.JoinHostPort(ipp.IP.String(), fmt.Sprint(ipp.Port))
 	}

 	rs.mu.Lock()
@@ -650,13 +650,13 @@ func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort
 	}

 	switch {
-	case ipp.IP().Is6():
+	case ipp.IP.Is6():
 		updateLatency(ret.RegionV6Latency, node.RegionID, d)
 		ret.IPv6 = true
 		ret.GlobalV6 = ipPortStr
 		// TODO: track MappingVariesByDestIP for IPv6
 		// too? Would be sad if so, but who knows.
-	case ipp.IP().Is4():
+	case ipp.IP.Is4():
 		updateLatency(ret.RegionV4Latency, node.RegionID, d)
 		ret.IPv4 = true
 		if rs.gotEP4 == "" {
@@ -1172,7 +1172,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 		if proto == probeIPv6 && ip.Is4() {
 			return nil
 		}
-		return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+		return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 	}

 	switch proto {
@@ -1182,7 +1182,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 			if !ip.Is4() {
 				return nil
 			}
-			return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+			return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 		}
 	case probeIPv6:
 		if n.IPv6 != "" {
@@ -1190,7 +1190,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 			if !ip.Is6() {
 				return nil
 			}
-			return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+			return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 		}
 	default:
 		return nil
--- a/net/netstat/netstat_windows.go
+++ b/net/netstat/netstat_windows.go
@@ -157,9 +157,10 @@ func ipport4(addr uint32, port uint16) netaddr.IPPort {
 	if !endian.Big {
 		addr = bits.ReverseBytes32(addr)
 	}
-	return netaddr.IPPortFrom(
-		netaddr.IPv4(byte(addr>>24), byte(addr>>16), byte(addr>>8), byte(addr)),
-		port)
+	return netaddr.IPPort{
+		IP:   netaddr.IPv4(byte(addr>>24), byte(addr>>16), byte(addr>>8), byte(addr)),
+		Port: port,
+	}
 }

 func ipport6(addr [16]byte, scope uint32, port uint16) netaddr.IPPort {
@@ -168,7 +169,10 @@ func ipport6(addr [16]byte, scope uint32, port uint16) netaddr.IPPort {
 		// TODO: something better here?
 		ip = ip.WithZone(fmt.Sprint(scope))
 	}
-	return netaddr.IPPortFrom(ip, port)
+	return netaddr.IPPort{
+		IP:   ip,
+		Port: port,
+	}
 }

 func port(v *uint32) uint16 {
--- a/net/packet/packet.go
+++ b/net/packet/packet.go
@@ -76,8 +76,8 @@ func (p *Parsed) String() string {
 //
 // TODO: make netaddr more efficient in this area, and retire this func.
 func writeIPPort(sb *strbuilder.Builder, ipp netaddr.IPPort) {
-	if ipp.IP().Is4() {
-		raw := ipp.IP().As4()
+	if ipp.IP.Is4() {
+		raw := ipp.IP.As4()
 		sb.WriteUint(uint64(raw[0]))
 		sb.WriteByte('.')
 		sb.WriteUint(uint64(raw[1]))
@@ -88,10 +88,10 @@ func writeIPPort(sb *strbuilder.Builder, ipp netaddr.IPPort) {
 		sb.WriteByte(':')
 	} else {
 		sb.WriteByte('[')
-		sb.WriteString(ipp.IP().String()) // TODO: faster?
+		sb.WriteString(ipp.IP.String()) // TODO: faster?
 		sb.WriteString("]:")
 	}
-	sb.WriteUint(uint64(ipp.Port()))
+	sb.WriteUint(uint64(ipp.Port))
 }

 // Decode extracts data from the packet in b into q.
@@ -142,8 +142,8 @@ func (q *Parsed) decode4(b []byte) {
 	}

 	// If it's valid IPv4, then the IP addresses are valid
-	q.Src = q.Src.WithIP(netaddr.IPv4(b[12], b[13], b[14], b[15]))
-	q.Dst = q.Dst.WithIP(netaddr.IPv4(b[16], b[17], b[18], b[19]))
+	q.Src.IP = netaddr.IPv4(b[12], b[13], b[14], b[15])
+	q.Dst.IP = netaddr.IPv4(b[16], b[17], b[18], b[19])

 	q.subofs = int((b[0] & 0x0F) << 2)
 	if q.subofs > q.length {
@@ -185,8 +185,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = unknown
 				return
 			}
-			q.Src = q.Src.WithPort(0)
-			q.Dst = q.Dst.WithPort(0)
+			q.Src.Port = 0
+			q.Dst.Port = 0
 			q.dataofs = q.subofs + icmp4HeaderLength
 			return
 		case ipproto.IGMP:
@@ -198,8 +198,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = unknown
 				return
 			}
-			q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-			q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+			q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+			q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 			q.TCPFlags = TCPFlag(sub[13]) & 0x3F
 			headerLength := (sub[12] & 0xF0) >> 2
 			q.dataofs = q.subofs + int(headerLength)
@@ -209,8 +209,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = unknown
 				return
 			}
-			q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-			q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+			q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+			q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 			q.dataofs = q.subofs + udpHeaderLength
 			return
 		case ipproto.SCTP:
@@ -218,8 +218,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = unknown
 				return
 			}
-			q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-			q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+			q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+			q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 			return
 		case ipproto.TSMP:
 			// Inter-tailscale messages.
@@ -265,10 +265,8 @@ func (q *Parsed) decode6(b []byte) {

 	// okay to ignore `ok` here, because IPs pulled from packets are
 	// always well-formed stdlib IPs.
-	srcIP, _ := netaddr.FromStdIP(net.IP(b[8:24]))
-	dstIP, _ := netaddr.FromStdIP(net.IP(b[24:40]))
-	q.Src = q.Src.WithIP(srcIP)
-	q.Dst = q.Dst.WithIP(dstIP)
+	q.Src.IP, _ = netaddr.FromStdIP(net.IP(b[8:24]))
+	q.Dst.IP, _ = netaddr.FromStdIP(net.IP(b[24:40]))

 	// We don't support any IPv6 extension headers. Don't try to
 	// be clever. Therefore, the IP subprotocol always starts at
@@ -292,16 +290,16 @@ func (q *Parsed) decode6(b []byte) {
 			q.IPProto = unknown
 			return
 		}
-		q.Src = q.Src.WithPort(0)
-		q.Dst = q.Dst.WithPort(0)
+		q.Src.Port = 0
+		q.Dst.Port = 0
 		q.dataofs = q.subofs + icmp6HeaderLength
 	case ipproto.TCP:
 		if len(sub) < tcpHeaderLength {
 			q.IPProto = unknown
 			return
 		}
-		q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-		q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+		q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+		q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 		q.TCPFlags = TCPFlag(sub[13]) & 0x3F
 		headerLength := (sub[12] & 0xF0) >> 2
 		q.dataofs = q.subofs + int(headerLength)
@@ -311,16 +309,16 @@ func (q *Parsed) decode6(b []byte) {
 			q.IPProto = unknown
 			return
 		}
-		q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-		q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+		q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+		q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 		q.dataofs = q.subofs + udpHeaderLength
 	case ipproto.SCTP:
 		if len(sub) < sctpHeaderLength {
 			q.IPProto = unknown
 			return
 		}
-		q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-		q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+		q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+		q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 		return
 	case ipproto.TSMP:
 		// Inter-tailscale messages.
@@ -340,8 +338,8 @@ func (q *Parsed) IP4Header() IP4Header {
 	return IP4Header{
 		IPID:    ipid,
 		IPProto: q.IPProto,
-		Src:     q.Src.IP(),
-		Dst:     q.Dst.IP(),
+		Src:     q.Src.IP,
+		Dst:     q.Dst.IP,
 	}
 }

@@ -353,8 +351,8 @@ func (q *Parsed) IP6Header() IP6Header {
 	return IP6Header{
 		IPID:    ipid,
 		IPProto: q.IPProto,
-		Src:     q.Src.IP(),
-		Dst:     q.Dst.IP(),
+		Src:     q.Src.IP,
+		Dst:     q.Dst.IP,
 	}
 }

@@ -375,8 +373,8 @@ func (q *Parsed) UDP4Header() UDP4Header {
 	}
 	return UDP4Header{
 		IP4Header: q.IP4Header(),
-		SrcPort:   q.Src.Port(),
-		DstPort:   q.Dst.Port(),
+		SrcPort:   q.Src.Port,
+		DstPort:   q.Dst.Port,
 	}
 }

--- a/net/packet/tsmp.go
+++ b/net/packet/tsmp.go
@@ -143,7 +143,7 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
 	if len(buf) > maxPacketLength {
 		return errLargePacket
 	}
-	if h.Src.IP().Is4() {
+	if h.Src.IP.Is4() {
 		iph := IP4Header{
 			IPProto: ipproto.TSMP,
 			Src:     h.IPSrc,
@@ -151,7 +151,7 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
 		}
 		iph.Marshal(buf)
 		buf = buf[ip4HeaderLength:]
-	} else if h.Src.IP().Is6() {
+	} else if h.Src.IP.Is6() {
 		iph := IP6Header{
 			IPProto: ipproto.TSMP,
 			Src:     h.IPSrc,
@@ -165,8 +165,8 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
 	buf[0] = byte(TSMPTypeRejectedConn)
 	buf[1] = byte(h.Proto)
 	buf[2] = byte(h.Reason)
-	binary.BigEndian.PutUint16(buf[3:5], h.Src.Port())
-	binary.BigEndian.PutUint16(buf[5:7], h.Dst.Port())
+	binary.BigEndian.PutUint16(buf[3:5], h.Src.Port)
+	binary.BigEndian.PutUint16(buf[5:7], h.Dst.Port)

 	if h.hasFlags() {
 		var flags byte
@@ -190,10 +190,10 @@ func (pp *Parsed) AsTailscaleRejectedHeader() (h TailscaleRejectedHeader, ok boo
 	h = TailscaleRejectedHeader{
 		Proto:  ipproto.Proto(p[1]),
 		Reason: TailscaleRejectReason(p[2]),
-		IPSrc:  pp.Src.IP(),
-		IPDst:  pp.Dst.IP(),
-		Src:    netaddr.IPPortFrom(pp.Dst.IP(), binary.BigEndian.Uint16(p[3:5])),
-		Dst:    netaddr.IPPortFrom(pp.Src.IP(), binary.BigEndian.Uint16(p[5:7])),
+		IPSrc:  pp.Src.IP,
+		IPDst:  pp.Dst.IP,
+		Src:    netaddr.IPPort{IP: pp.Dst.IP, Port: binary.BigEndian.Uint16(p[3:5])},
+		Dst:    netaddr.IPPort{IP: pp.Src.IP, Port: binary.BigEndian.Uint16(p[5:7])},
 	}
 	if len(p) > 7 {
 		flags := p[7]
--- a/net/portmapper/portmapper.go
+++ b/net/portmapper/portmapper.go
@@ -84,7 +84,7 @@ type pmpMapping struct {

 // externalValid reports whether m.external is valid, with both its IP and Port populated.
 func (m *pmpMapping) externalValid() bool {
-	return !m.external.IP().IsZero() && m.external.Port() != 0
+	return !m.external.IP.IsZero() && m.external.Port != 0
 }

 // release does a best effort fire-and-forget release of the PMP mapping m.
@@ -94,8 +94,8 @@ func (m *pmpMapping) release() {
 		return
 	}
 	defer uc.Close()
-	pkt := buildPMPRequestMappingPacket(m.internal.Port(), m.external.Port(), pmpMapLifetimeDelete)
-	uc.WriteTo(pkt, netaddr.IPPortFrom(m.gw, pmpPort).UDPAddr())
+	pkt := buildPMPRequestMappingPacket(m.internal.Port, m.external.Port, pmpMapLifetimeDelete)
+	uc.WriteTo(pkt, netaddr.IPPort{IP: m.gw, Port: pmpPort}.UDPAddr())
 }

 // NewClient returns a new portmapping client.
@@ -256,7 +256,7 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	localPort := c.localPort
 	m := &pmpMapping{
 		gw:       gw,
-		internal: netaddr.IPPortFrom(myIP, localPort),
+		internal: netaddr.IPPort{IP: myIP, Port: localPort},
 	}

 	// prevPort is the port we had most previously, if any. We try
@@ -271,7 +271,7 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 			return m.external, nil
 		}
 		// The mapping might still be valid, so just try to renew it.
-		prevPort = m.external.Port()
+		prevPort = m.external.Port
 	}

 	// If we just did a Probe (e.g. via netchecker) but didn't
@@ -279,7 +279,7 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	// again. Cuts down latency for most clients.
 	haveRecentPMP := c.sawPMPRecentlyLocked()
 	if haveRecentPMP {
-		m.external = m.external.WithIP(c.pmpPubIP)
+		m.external.IP = c.pmpPubIP
 	}
 	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentPMP {
 		c.mu.Unlock()
@@ -297,11 +297,11 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	uc.SetReadDeadline(time.Now().Add(portMapServiceTimeout))
 	defer closeCloserOnContextDone(ctx, uc)()

-	pmpAddr := netaddr.IPPortFrom(gw, pmpPort)
+	pmpAddr := netaddr.IPPort{IP: gw, Port: pmpPort}
 	pmpAddru := pmpAddr.UDPAddr()

 	// Ask for our external address if needed.
-	if m.external.IP().IsZero() {
+	if m.external.IP.IsZero() {
 		if _, err := uc.WriteTo(pmpReqExternalAddrPacket, pmpAddru); err != nil {
 			return netaddr.IPPort{}, err
 		}
@@ -337,10 +337,10 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 				return netaddr.IPPort{}, NoMappingError{fmt.Errorf("PMP response Op=0x%x,Res=0x%x", pres.OpCode, pres.ResultCode)}
 			}
 			if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr {
-				m.external = m.external.WithIP(pres.PublicAddr)
+				m.external.IP = pres.PublicAddr
 			}
 			if pres.OpCode == pmpOpReply|pmpOpMapUDP {
-				m.external = m.external.WithPort(pres.ExternalPort)
+				m.external.Port = pres.ExternalPort
 				d := time.Duration(pres.MappingValidSeconds) * time.Second
 				d /= 2 // renew in half the time
 				m.useUntil = time.Now().Add(d)
@@ -468,9 +468,9 @@ func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
 	defer cancel()
 	defer closeCloserOnContextDone(ctx, uc)()

-	pcpAddr := netaddr.IPPortFrom(gw, pcpPort).UDPAddr()
-	pmpAddr := netaddr.IPPortFrom(gw, pmpPort).UDPAddr()
-	upnpAddr := netaddr.IPPortFrom(gw, upnpPort).UDPAddr()
+	pcpAddr := netaddr.IPPort{IP: gw, Port: pcpPort}.UDPAddr()
+	pmpAddr := netaddr.IPPort{IP: gw, Port: pmpPort}.UDPAddr()
+	upnpAddr := netaddr.IPPort{IP: gw, Port: upnpPort}.UDPAddr()

 	// Don't send probes to services that we recently learned (for
 	// the same gw/myIP) are available. See
--- a/net/tsaddr/tsaddr.go
+++ b/net/tsaddr/tsaddr.go
@@ -92,7 +92,7 @@ func TailscaleEphemeral6Range() netaddr.IPPrefix {
 // Currently used to work around a Windows limitation when programming
 // IPv6 routes in corner cases.
 func Tailscale4To6Placeholder() netaddr.IP {
-	return Tailscale4To6Range().IP()
+	return Tailscale4To6Range().IP
 }

 // Tailscale4To6 returns a Tailscale IPv6 address that maps 1:1 to the
@@ -102,7 +102,7 @@ func Tailscale4To6(ipv4 netaddr.IP) netaddr.IP {
 	if !ipv4.Is4() || !IsTailscaleIP(ipv4) {
 		return netaddr.IP{}
 	}
-	ret := Tailscale4To6Range().IP().As16()
+	ret := Tailscale4To6Range().IP.As16()
 	v4 := ipv4.As4()
 	copy(ret[13:], v4[1:])
 	return netaddr.IPFrom16(ret)
@@ -172,16 +172,16 @@ func NewContainsIPFunc(addrs []netaddr.IPPrefix) func(ip netaddr.IP) bool {
 	// Fast paths for 1 and 2 IPs:
 	if len(addrs) == 1 {
 		a := addrs[0]
-		return func(ip netaddr.IP) bool { return ip == a.IP() }
+		return func(ip netaddr.IP) bool { return ip == a.IP }
 	}
 	if len(addrs) == 2 {
 		a, b := addrs[0], addrs[1]
-		return func(ip netaddr.IP) bool { return ip == a.IP() || ip == b.IP() }
+		return func(ip netaddr.IP) bool { return ip == a.IP || ip == b.IP }
 	}
 	// General case:
 	m := map[netaddr.IP]bool{}
 	for _, a := range addrs {
-		m[a.IP()] = true
+		m[a.IP] = true
 	}
 	return func(ip netaddr.IP) bool { return m[ip] }
 }
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -352,7 +352,7 @@ func (t *Wrapper) Read(buf []byte, offset int) (int, error) {
 	p.Decode(buf[offset : offset+n])

 	if m, ok := t.destIPActivity.Load().(map[netaddr.IP]func()); ok {
-		if fn := m[p.Dst.IP()]; fn != nil {
+		if fn := m[p.Dst.IP]; fn != nil {
 			fn()
 		}
 	}
@@ -412,7 +412,7 @@ func (t *Wrapper) filterIn(buf []byte) filter.Response {
 		p.IPProto == ipproto.TCP &&
 		p.TCPFlags&packet.TCPSyn != 0 &&
 		t.PeerAPIPort != nil {
-		if port, ok := t.PeerAPIPort(p.Dst.IP()); ok && port == p.Dst.Port() {
+		if port, ok := t.PeerAPIPort(p.Dst.IP); ok && port == p.Dst.Port {
 			outcome = filter.Accept
 		}
 	}
@@ -425,8 +425,8 @@ func (t *Wrapper) filterIn(buf []byte) filter.Response {
 		// can show them a rejection history with reasons.
 		if p.IPVersion == 4 && p.IPProto == ipproto.TCP && p.TCPFlags&packet.TCPSyn != 0 && !t.disableTSMPRejected {
 			rj := packet.TailscaleRejectedHeader{
-				IPSrc:  p.Dst.IP(),
-				IPDst:  p.Src.IP(),
+				IPSrc:  p.Dst.IP,
+				IPDst:  p.Src.IP,
 				Src:    p.Src,
 				Dst:    p.Dst,
 				Proto:  p.IPProto,
@@ -536,7 +536,7 @@ func (t *Wrapper) injectOutboundPong(pp *packet.Parsed, req packet.TSMPPingReque
 		Data: req.Data,
 	}
 	if t.PeerAPIPort != nil {
-		pong.PeerAPIPort, _ = t.PeerAPIPort(pp.Dst.IP())
+		pong.PeerAPIPort, _ = t.PeerAPIPort(pp.Dst.IP)
 	}
 	switch pp.IPVersion {
 	case 4:
--- a/net/tstun/wrap_test.go
+++ b/net/tstun/wrap_test.go
@@ -82,7 +82,7 @@ func nets(nets ...string) (ret []netaddr.IPPrefix) {
 			if ip.Is6() {
 				bits = 128
 			}
-			ret = append(ret, netaddr.IPPrefixFrom(ip, bits))
+			ret = append(ret, netaddr.IPPrefix{IP: ip, Bits: bits})
 		} else {
 			pfx, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
--- a/paths/paths.go
+++ b/paths/paths.go
@@ -11,6 +11,8 @@ import (
 	"path/filepath"
 	"runtime"
 	"sync/atomic"
+
+	"tailscale.com/version/distro"
 )

 // IOSSharedDir is a string set by the iOS app on start
@@ -26,11 +28,15 @@ func DefaultTailscaledSocket() string {
 	if runtime.GOOS == "darwin" {
 		return "/var/run/tailscaled.socket"
 	}
-	if runtime.GOOS == "linux" {
-		// TODO(crawshaw): does this path change with DSM7?
-		const synologySock = "/volume1/@appstore/Tailscale/var/tailscaled.sock" // SYNOPKG_PKGDEST in scripts/installer
-		if fi, err := os.Stat(filepath.Dir(synologySock)); err == nil && fi.IsDir() {
-			return synologySock
+	if distro.Get() == distro.Synology {
+		// TODO(maisem): be smarter about this. We can parse /etc/VERSION.
+		const dsm6Sock = "/var/packages/Tailscale/etc/tailscaled.sock"
+		const dsm7Sock = "/var/packages/Tailscale/var/tailscaled.sock"
+		if fi, err := os.Stat(dsm6Sock); err == nil && !fi.IsDir() {
+			return dsm6Sock
+		}
+		if fi, err := os.Stat(dsm7Sock); err == nil && !fi.IsDir() {
+			return dsm7Sock
 		}
 	}
 	if fi, err := os.Stat("/var/run"); err == nil && fi.IsDir() {
--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -1,399 +0,0 @@
-#!/bin/sh
-# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-#
-# This script detects the current operating system, and installs
-# Tailscale according to that OS's conventions.
-
-set -eu
-
-# All the code is wrapped in a main function that gets called at the
-# bottom of the file, so that a truncated partial download doesn't end
-# up executing half a script.
-main() {
-	# Step 1: detect the current linux distro, version, and packaging system.
-	#
-	# We rely on a combination of 'uname' and /etc/os-release to find
-	# an OS name and version, and from there work out what
-	# installation method we should be using.
-	#
-	# The end result of this step is that the following three
-	# variables are populated, if detection was successful.
-	OS=""
-	VERSION=""
-	PACKAGETYPE=""
-
-	if [ -f /etc/os-release ]; then
-		# /etc/os-release populates a number of shell variables. We care about the following:
-		#  - ID: the short name of the OS (e.g. "debian", "freebsd")
-		#  - VERSION_ID: the numeric release version for the OS, if any (e.g. "18.04")
-		#  - VERSION_CODENAME: the codename of the OS release, if any (e.g. "buster")
-		. /etc/os-release
-		case "$ID" in
-			ubuntu)
-				OS="$ID"
-				VERSION="$VERSION_CODENAME"
-				PACKAGETYPE="apt"
-				;;
-			debian)
-				OS="$ID"
-				VERSION="$VERSION_CODENAME"
-				PACKAGETYPE="apt"
-				;;
-			raspbian)
-				OS="$ID"
-				VERSION="$VERSION_CODENAME"
-				PACKAGETYPE="apt"
-				;;
-			centos)
-				OS="$ID"
-				VERSION="$VERSION_ID"
-				PACKAGETYPE="dnf"
-				if [ "$VERSION" = "7" ]; then
-					PACKAGETYPE="yum"
-				fi
-				;;
-			rhel)
-				OS="$ID"
-				VERSION="$(echo "$VERSION_ID" | cut -f1 -d.)"
-				PACKAGETYPE="dnf"
-				;;
-			fedora)
-				OS="$ID"
-				VERSION=""
-				PACKAGETYPE="dnf"
-				;;
-			amzn)
-				OS="amazon-linux"
-				VERSION="$VERSION_ID"
-				PACKAGETYPE="yum"
-				;;
-			opensuse-leap)
-				OS="opensuse"
-				VERSION="leap/$VERSION_ID"
-				PACKAGETYPE="zypper"
-				;;
-			opensuse-tumbleweed)
-				OS="opensuse"
-				VERSION="tumbleweed"
-				PACKAGETYPE="zypper"
-				;;
- 			arch)
-				OS="$ID"
-				VERSION="" # rolling release
-				PACKAGETYPE="pacman"
-				;;
-			manjaro)
-				OS="$ID"
-				VERSION="" # rolling release
-				PACKAGETYPE="pacman"
-				;;
-			alpine)
-				OS="$ID"
-				VERSION="$VERSION_ID"
-				PACKAGETYPE="apk"
-				;;
-			nixos)
-				echo "Please add Tailscale to your NixOS configuration directly:"
-				echo
-				echo "services.tailscale.enable = true;"
-				exit 1
-				;;
-			void)
-				OS="$ID"
-				VERSION="" # rolling release
-				PACKAGETYPE="xbps"
-				;;
-			gentoo)
-				OS="$ID"
-				VERSION="" # rolling release
-				PACKAGETYPE="emerge"
-				;;
-			freebsd)
-				OS="$ID"
-				VERSION="$(echo "$VERSION_ID" | cut -f1 -d.)"
-				PACKAGETYPE="pkg"
-				;;
-			# TODO: wsl?
-			# TODO: synology? qnap?
-		esac
-	fi
-
-	# If we failed to detect something through os-release, consult
-	# uname and try to infer things from that.
-	if [ -z "$OS" ]; then
-		if type uname >/dev/null 2>&1; then
-			case "$(uname)" in
-				FreeBSD)
-					# FreeBSD before 12.2 doesn't have
-					# /etc/os-release, so we wouldn't have found it in
-					# the os-release probing above.
-					OS="freebsd"
-					VERSION="$(freebsd-version | cut -f1 -d.)"
-					PACKAGETYPE="pkg"
-					;;
-				OpenBSD)
-					OS="openbsd"
-					VERSION="$(uname -r)"
-					PACKAGETYPE=""
-					;;
-				Darwin)
-					OS="macos"
-					VERSION="$(sw_vers -productVersion | cut -f1-2 -d.)"
-					PACKAGETYPE="appstore"
-					;;
-				Linux)
-					OS="other-linux"
-					VERSION=""
-					PACKAGETYPE=""
-					;;
-			esac
-		fi
-	fi
-
-	# Step 2: having detected an OS we support, is it one of the
-	# versions we support?
-	OS_UNSUPPORTED=
-	case "$OS" in
-		ubuntu)
-			if [ "$VERSION" != "xenial" ] && \
-			   [ "$VERSION" != "bionic" ] && \
-			   [ "$VERSION" != "eoan" ] && \
-			   [ "$VERSION" != "focal" ] && \
-			   [ "$VERSION" != "groovy" ] && \
-			   [ "$VERSION" != "hirsute" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		debian)
-			if [ "$VERSION" != "stretch" ] && \
-			   [ "$VERSION" != "buster" ] && \
-			   [ "$VERSION" != "bullseye" ] && \
-			   [ "$VERSION" != "sid" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		raspbian)
-			if [ "$VERSION" != "buster" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		centos)
-			if [ "$VERSION" != "7" ] && \
-			   [ "$VERSION" != "8" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		rhel)
-			if [ "$VERSION" != "8" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		amazon-linux)
-			if [ "$VERSION" != "2" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		opensuse)
-			if [ "$VERSION" != "leap/15.1" ] && \
-			   [ "$VERSION" != "leap/15.2" ] && \
-			   [ "$VERSION" != "tumbleweed" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-			;;
-		arch)
-			# Rolling release, no version checking needed.
-			;;
-		manjaro)
-			# Rolling release, no version checking needed.
-			;;
-		alpine)
-			# All versions supported, no version checking needed.
-			# TODO: is that true? When was tailscale packaged?
-			;;
-		void)
-			# Rolling release, no version checking needed.
-			;;
-		gentoo)
-			# Rolling release, no version checking needed.
-			;;
-		freebsd)
-			if [ "$VERSION" != "12" ] && \
-			   [ "$VERSION" != "13" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-			;;
-		openbsd)
-			OS_UNSUPPORTED=1
-			;;
-		macos)
-			# We delegate macOS installation to the app store, it will
-			# perform version checks for us.
-			;;
-		other-linux)
-			OS_UNSUPPORTED=1
-			;;
-		*)
-			OS_UNSUPPORTED=1
-			;;
-	esac
-	if [ "$OS_UNSUPPORTED" = "1" ]; then
-		case "$OS" in
-			other-linux)
-				echo "Couldn't determine what kind of Linux is running."
-				echo "You could try the static binaries at:"
-				echo "https://pkgs.tailscale.com/stable/#static"
-				;;
-			"")
-				echo "Couldn't determine what operating system you're running."
-				;;
-			*)
-				echo "$OS $VERSION isn't supported by this script yet."
-				;;
-		esac
-		echo
-		echo "If you'd like us to support your system better, please email support@tailscale.com"
-		echo "and tell us what OS you're running."
-		echo
-		echo "Please include the following information we gathered from your system:"
-		echo
-		echo "OS=$OS"
-		echo "VERSION=$VERSION"
-		echo "PACKAGETYPE=$PACKAGETYPE"
-		if type uname >/dev/null 2>&1; then
-			echo "UNAME=$(uname -a)"
-		else
-			echo "UNAME="
-		fi
-		echo
-		if [ -f /etc/os-release ]; then
-			cat /etc/os-release
-		else
-			echo "No /etc/os-release"
-		fi
-		exit 1
-	fi
-
-	# Step 3: work out if we can run privileged commands, and if so,
-	# how.
-	CAN_ROOT=
-	SUDO=
-	if [ "$(id -u)" = 0 ]; then
-		CAN_ROOT=1
-		SUDO=""
-	elif type sudo >/dev/null; then
-		CAN_ROOT=1
-		SUDO="sudo"
-	elif type doas >/dev/null; then
-		CAN_ROOT=1
-		SUDO="doas"
-	fi
-	if [ "$CAN_ROOT" != "1" ]; then
-		echo "This installer needs to run commands as root."
-		echo "We tried looking for 'sudo' and 'doas', but couldn't find them."
-		echo "Either re-run this script as root, or set up sudo/doas."
-		exit 1
-	fi
-
-
-	# Step 4: run the installation.
-	echo "Installing Tailscale for $OS $VERSION, using method $PACKAGETYPE"
-	case "$PACKAGETYPE" in
-		apt)
-			# Ideally we want to use curl, but on some installs we
-			# only have wget. Detect and use what's available.
-			CURL=
-			if type curl >/dev/null; then
-				CURL="curl -fsSL"
-			elif type wget >/dev/null; then
-				CURL="wget -q -O-"
-			fi
-			if [ -z "$CURL" ]; then
-				echo "The installer needs either curl or wget to download files."
-				echo "Please install either curl or wget to proceed."
-				exit 1
-			fi
-
-			# TODO: use newfangled per-repo signature scheme
-			set -x
-			$CURL "https://pkgs.tailscale.com/stable/$OS/$VERSION.gpg" | $SUDO apt-key add -
-			$CURL "https://pkgs.tailscale.com/stable/$OS/$VERSION.list" | $SUDO tee /etc/apt/sources.list.d/tailscale.list
-			$SUDO apt-get update
-			$SUDO apt-get install tailscale
-			set +x
-		;;
-		yum)
-			set -x
-			$SUDO yum install yum-utils
-			$SUDO yum-config-manager --add-repo "https://pkgs.tailscale.com/stable/$OS/$VERSION/tailscale.repo"
-			$SUDO yum install tailscale
-			$SUDO systemctl enable --now tailscaled
-			set +x
-		;;
-		dnf)
-			set -x
-			$SUDO dnf config-manager --add-repo "https://pkgs.tailscale.com/stable/$OS/$VERSION/tailscale.repo"
-			$SUDO dnf install tailscale
-			$SUDO systemctl enable --now tailscaled
-			set +x
-		;;
-		zypper)
-			set -x
-			$SUDO zypper ar -g -r "https://pkgs.tailscale.com/stable/$OS/$VERSION/tailscale.repo"
-			$SUDO zypper ref
-			$SUDO zypper in tailscale
-			$SUDO systemctl enable --now tailscaled
-			set +x
-			;;
-		pacman)
-			set -x
-			$SUDO pacman -S tailscale
-			$SUDO systemctl enable --now tailscaled
-			set +x
-			;;
-		apk)
-			set -x
-			$SUDO apk add tailscale
-			$SUDO rc-update add tailscale
-			set +x
-			;;
-		xbps)
-			set -x
-			$SUDO xbps-install tailscale
-			set +x
-			;;
-		emerge)
-			set -x
-			$SUDO emerge net-vpn/tailscale
-			set +x
-			;;
-		appstore)
-			set -x
-			open "https://apps.apple.com/us/app/tailscale/id1475387142"
-			set +x
-			;;
-		*)
-			echo "unexpected: unknown package type $PACKAGETYPE"
-			exit 1
-			;;
-	esac
-
-	echo "Installation complete! Log in to start using Tailscale by running:"
-	echo
-	if [ -z "$SUDO" ]; then
-		echo "tailscale up"
-	else
-		echo "$SUDO tailscale up"
-	fi
-}
-
-main
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -7,7 +7,7 @@ package tailcfg
 //go:generate go run tailscale.com/cmd/cloner --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse --clonefunc=true --output=tailcfg_clone.go

 import (
-	"encoding/hex"
+	"bytes"
 	"errors"
 	"fmt"
 	"reflect"
@@ -679,7 +679,7 @@ func (et EndpointType) String() string {

 // Endpoint is an endpoint IPPort and an associated type.
 // It doesn't currently go over the wire as is but is instead
-// broken up into two parallel slices in MapRequest, for compatibility
+// broken up into two parallel slices in MapReqeust, for compatibility
 // reasons. But this type is used in the codebase.
 type Endpoint struct {
 	Addr netaddr.IPPort
@@ -1027,10 +1027,9 @@ func (k MachineKey) HexString() string                { return fmt.Sprintf("%x",
 func (k *MachineKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "mkey:", text) }

 func keyMarshalText(prefix string, k [32]byte) []byte {
-	buf := make([]byte, len(prefix)+64)
-	copy(buf, prefix)
-	hex.Encode(buf[len(prefix):], k[:])
-	return buf
+	buf := bytes.NewBuffer(make([]byte, 0, len(prefix)+64))
+	fmt.Fprintf(buf, "%s%x", prefix, k[:])
+	return buf.Bytes()
 }

 func keyUnmarshalText(dst []byte, prefix string, text []byte) error {
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -518,13 +518,3 @@ func TestEndpointTypeMarshal(t *testing.T) {
 		t.Errorf("got %s; want %s", got, want)
 	}
 }
-
-var sinkBytes []byte
-
-func BenchmarkKeyMarshalText(b *testing.B) {
-	b.ReportAllocs()
-	var k [32]byte
-	for i := 0; i < b.N; i++ {
-		sinkBytes = keyMarshalText("prefix", k)
-	}
-}
--- a/tsnet/example/tshello/tshello.go
+++ b/tsnet/example/tshello/tshello.go
@@ -1,43 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The tshello server demonstrates how to use Tailscale as a library.
-package main
-
-import (
-	"fmt"
-	"html"
-	"log"
-	"net/http"
-	"strings"
-
-	"tailscale.com/tsnet"
-)
-
-func main() {
-	s := new(tsnet.Server)
-	ln, err := s.Listen("tcp", ":80")
-	if err != nil {
-		log.Fatal(err)
-	}
-	log.Fatal(http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		who, ok := s.WhoIs(r.RemoteAddr)
-		if !ok {
-			http.Error(w, "WhoIs failed", 500)
-			return
-		}
-		fmt.Fprintf(w, "<html><body><h1>Hello, world!</h1>\n")
-		fmt.Fprintf(w, "<p>You are <b>%s</b> from <b>%s</b> (%s)</p>",
-			html.EscapeString(who.UserProfile.LoginName),
-			html.EscapeString(firstLabel(who.Node.ComputedName)),
-			r.RemoteAddr)
-	})))
-}
-
-func firstLabel(s string) string {
-	if i := strings.Index(s, "."); i != -1 {
-		return s[:i]
-	}
-	return s
-}
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -1,274 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package tsnet provides Tailscale as a library.
-//
-// It is an experimental work in progress.
-package tsnet
-
-import (
-	"errors"
-	"fmt"
-	"log"
-	"net"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"inet.af/netaddr"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/control/controlclient"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnlocal"
-	"tailscale.com/smallzstd"
-	"tailscale.com/types/logger"
-	"tailscale.com/wgengine"
-	"tailscale.com/wgengine/monitor"
-	"tailscale.com/wgengine/netstack"
-)
-
-// Server is an embedded Tailscale server.
-//
-// Its exported fields may be changed until the first call to Listen.
-type Server struct {
-	// Dir specifies the name of the directory to use for
-	// state. If empty, a directory is selected automatically
-	// under os.UserConfigDir (https://golang.org/pkg/os/#UserConfigDir).
-	// based on the name of the binary.
-	Dir string
-
-	// Hostname is the hostname to present to the control server.
-	// If empty, the binary name is used.l
-	Hostname string
-
-	// Logf, if non-nil, specifies the logger to use. By default,
-	// log.Printf is used.
-	Logf logger.Logf
-
-	initOnce sync.Once
-	initErr  error
-	lb       *ipnlocal.LocalBackend
-	// the state directory
-	dir      string
-	hostname string
-
-	mu        sync.Mutex
-	listeners map[listenKey]*listener
-}
-
-// WhoIs reports the node and user who owns the node with the given
-// address. The addr may be an ip:port (as from an
-// http.Request.RemoteAddr) or just an IP address.
-func (s *Server) WhoIs(addr string) (w *apitype.WhoIsResponse, ok bool) {
-	ipp, err := netaddr.ParseIPPort(addr)
-	if err != nil {
-		ip, err := netaddr.ParseIP(addr)
-		if err != nil {
-			return nil, false
-		}
-		ipp = ipp.WithIP(ip)
-	}
-	n, up, ok := s.lb.WhoIs(ipp)
-	if !ok {
-		return nil, false
-	}
-	return &apitype.WhoIsResponse{
-		Node:        n,
-		UserProfile: &up,
-	}, true
-}
-
-func (s *Server) doInit() {
-	if err := s.start(); err != nil {
-		s.initErr = fmt.Errorf("tsnet: %w", err)
-	}
-}
-
-func (s *Server) start() error {
-	if v, _ := strconv.ParseBool(os.Getenv("TAILSCALE_USE_WIP_CODE")); !v {
-		return errors.New("code disabled without environment variable TAILSCALE_USE_WIP_CODE set true")
-	}
-
-	exe, err := os.Executable()
-	if err != nil {
-		return err
-	}
-	prog := strings.TrimSuffix(strings.ToLower(filepath.Base(exe)), ".exe")
-
-	s.hostname = s.Hostname
-	if s.hostname == "" {
-		s.hostname = prog
-	}
-
-	s.dir = s.Dir
-	if s.dir == "" {
-		confDir, err := os.UserConfigDir()
-		if err != nil {
-			return err
-		}
-		s.dir = filepath.Join(confDir, "tslib-"+prog)
-		if err := os.MkdirAll(s.dir, 0700); err != nil {
-			return err
-		}
-	}
-	if fi, err := os.Stat(s.dir); err != nil {
-		return err
-	} else if !fi.IsDir() {
-		return fmt.Errorf("%v is not a directory", s.dir)
-	}
-
-	logf := s.Logf
-	if logf == nil {
-		logf = log.Printf
-	}
-
-	// TODO(bradfitz): start logtail? don't use filch, perhaps?
-	// only upload plumbed Logf?
-
-	linkMon, err := monitor.New(logf)
-	if err != nil {
-		return err
-	}
-
-	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		ListenPort:  0,
-		LinkMonitor: linkMon,
-	})
-	if err != nil {
-		return err
-	}
-
-	tunDev, magicConn, ok := eng.(wgengine.InternalsGetter).GetInternals()
-	if !ok {
-		return fmt.Errorf("%T is not a wgengine.InternalsGetter", eng)
-	}
-
-	ns, err := netstack.Create(logf, tunDev, eng, magicConn, false)
-	if err != nil {
-		return fmt.Errorf("netstack.Create: %w", err)
-	}
-	ns.ForwardTCPIn = s.forwardTCP
-	if err := ns.Start(); err != nil {
-		return fmt.Errorf("failed to start netstack: %w", err)
-	}
-
-	statePath := filepath.Join(s.dir, "tailscaled.state")
-	store, err := ipn.NewFileStore(statePath)
-	if err != nil {
-		return err
-	}
-	logid := "tslib-TODO"
-
-	lb, err := ipnlocal.NewLocalBackend(logf, logid, store, eng)
-	if err != nil {
-		return fmt.Errorf("NewLocalBackend: %v", err)
-	}
-	s.lb = lb
-	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
-		return smallzstd.NewDecoder(nil)
-	})
-	prefs := ipn.NewPrefs()
-	prefs.Hostname = s.hostname
-	prefs.WantRunning = true
-	err = lb.Start(ipn.Options{
-		StateKey:    ipn.GlobalDaemonStateKey,
-		UpdatePrefs: prefs,
-	})
-	if err != nil {
-		return fmt.Errorf("starting backend: %w", err)
-	}
-	if os.Getenv("TS_LOGIN") == "1" {
-		s.lb.StartLoginInteractive()
-	}
-	return nil
-}
-
-func (s *Server) forwardTCP(c net.Conn, port uint16) {
-	s.mu.Lock()
-	ln, ok := s.listeners[listenKey{"tcp", "", fmt.Sprint(port)}]
-	s.mu.Unlock()
-	if !ok {
-		c.Close()
-		return
-	}
-	t := time.NewTimer(time.Second)
-	defer t.Stop()
-	select {
-	case ln.conn <- c:
-	case <-t.C:
-		c.Close()
-	}
-}
-
-func (s *Server) Listen(network, addr string) (net.Listener, error) {
-	host, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, fmt.Errorf("tsnet: %w", err)
-	}
-
-	s.initOnce.Do(s.doInit)
-	if s.initErr != nil {
-		return nil, s.initErr
-	}
-
-	key := listenKey{network, host, port}
-	ln := &listener{
-		s:    s,
-		key:  key,
-		addr: addr,
-
-		conn: make(chan net.Conn),
-	}
-	s.mu.Lock()
-	if s.listeners == nil {
-		s.listeners = map[listenKey]*listener{}
-	}
-	if _, ok := s.listeners[key]; ok {
-		s.mu.Unlock()
-		return nil, fmt.Errorf("tsnet: listener already open for %s, %s", network, addr)
-	}
-	s.listeners[key] = ln
-	s.mu.Unlock()
-	return ln, nil
-}
-
-type listenKey struct {
-	network string
-	host    string
-	port    string
-}
-
-type listener struct {
-	s    *Server
-	key  listenKey
-	addr string
-	conn chan net.Conn
-}
-
-func (ln *listener) Accept() (net.Conn, error) {
-	c, ok := <-ln.conn
-	if !ok {
-		return nil, fmt.Errorf("tsnet: %w", net.ErrClosed)
-	}
-	return c, nil
-}
-
-func (ln *listener) Addr() net.Addr { return addr{ln} }
-func (ln *listener) Close() error {
-	ln.s.mu.Lock()
-	defer ln.s.mu.Unlock()
-	if v, ok := ln.s.listeners[ln.key]; ok && v == ln {
-		delete(ln.s.listeners, ln.key)
-		close(ln.conn)
-	}
-	return nil
-}
-
-type addr struct{ ln *listener }
-
-func (a addr) Network() string { return a.ln.key.network }
-func (a addr) String() string  { return a.ln.addr }
--- a/tstest/integration/integration_test.go
+++ b/tstest/integration/integration_test.go
@@ -10,8 +10,6 @@ import (
 	crand "crypto/rand"
 	"crypto/tls"
 	"encoding/json"
-	"errors"
-	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -23,7 +21,6 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
-	"regexp"
 	"runtime"
 	"strings"
 	"sync"
@@ -44,11 +41,8 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/nettype"
-	"tailscale.com/version"
 )

-var verbose = flag.Bool("verbose", false, "verbose debug logs")
-
 var mainError atomic.Value // of error

 func TestMain(m *testing.M) {
@@ -63,8 +57,11 @@ func TestMain(m *testing.M) {
 	os.Exit(0)
 }

-func TestOneNodeUp_NoAuth(t *testing.T) {
-	t.Parallel()
+func TestIntegration(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("not tested/working on Windows yet")
+	}
+
 	bins := buildTestBinaries(t)

 	env := newTestEnv(t, bins)
@@ -72,8 +69,8 @@ func TestOneNodeUp_NoAuth(t *testing.T) {

 	n1 := newTestNode(t, env)

-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
+	dcmd := n1.StartDaemon(t)
+	defer dcmd.Process.Kill()

 	n1.AwaitListening(t)

@@ -90,110 +87,44 @@ func TestOneNodeUp_NoAuth(t *testing.T) {
 		t.Error(err)
 	}

-	n1.MustUp()
+	t.Logf("Running up --login-server=%s ...", env.ControlServer.URL)
+	if err := n1.Tailscale("up", "--login-server="+env.ControlServer.URL).Run(); err != nil {
+		t.Fatalf("up: %v", err)
+	}

 	if d, _ := time.ParseDuration(os.Getenv("TS_POST_UP_SLEEP")); d > 0 {
 		t.Logf("Sleeping for %v to give 'up' time to misbehave (https://github.com/tailscale/tailscale/issues/1840) ...", d)
 		time.Sleep(d)
 	}

-	t.Logf("Got IP: %v", n1.AwaitIP(t))
-	n1.AwaitRunning(t)
-
-	d1.MustCleanShutdown(t)
-
-	t.Logf("number of HTTP logcatcher requests: %v", env.LogCatcher.numRequests())
-}
-
-func TestOneNodeUp_Auth(t *testing.T) {
-	t.Parallel()
-	bins := buildTestBinaries(t)
-
-	env := newTestEnv(t, bins)
-	defer env.Close()
-	env.Control.RequireAuth = true
-
-	n1 := newTestNode(t, env)
-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
-
-	n1.AwaitListening(t)
-
-	st := n1.MustStatus(t)
-	t.Logf("Status: %s", st.BackendState)
-
-	t.Logf("Running up --login-server=%s ...", env.ControlServer.URL)
-
-	cmd := n1.Tailscale("up", "--login-server="+env.ControlServer.URL)
-	var authCountAtomic int32
-	cmd.Stdout = &authURLParserWriter{fn: func(urlStr string) error {
-		if env.Control.CompleteAuth(urlStr) {
-			atomic.AddInt32(&authCountAtomic, 1)
-			t.Logf("completed auth path %s", urlStr)
-			return nil
-		}
-		err := fmt.Errorf("Failed to complete auth path to %q", urlStr)
-		t.Log(err)
-		return err
-	}}
-	cmd.Stderr = cmd.Stdout
-	if err := cmd.Run(); err != nil {
-		t.Fatalf("up: %v", err)
-	}
-	t.Logf("Got IP: %v", n1.AwaitIP(t))
-
-	n1.AwaitRunning(t)
-
-	if n := atomic.LoadInt32(&authCountAtomic); n != 1 {
-		t.Errorf("Auth URLs completed = %d; want 1", n)
-	}
-
-	d1.MustCleanShutdown(t)
-
-}
-
-func TestTwoNodes(t *testing.T) {
-	t.Parallel()
-	bins := buildTestBinaries(t)
-
-	env := newTestEnv(t, bins)
-	defer env.Close()
-
-	// Create two nodes:
-	n1 := newTestNode(t, env)
-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
-
-	n2 := newTestNode(t, env)
-	d2 := n2.StartDaemon(t)
-	defer d2.Kill()
-
-	n1.AwaitListening(t)
-	n2.AwaitListening(t)
-	n1.MustUp()
-	n2.MustUp()
-	n1.AwaitRunning(t)
-	n2.AwaitRunning(t)
-
-	if err := tstest.WaitFor(2*time.Second, func() error {
-		st := n1.MustStatus(t)
-		if len(st.Peer) == 0 {
-			return errors.New("no peers")
-		}
-		if len(st.Peer) > 1 {
-			return fmt.Errorf("got %d peers; want 1", len(st.Peer))
-		}
-		peer := st.Peer[st.Peers()[0]]
-		if peer.ID == st.Self.ID {
-			return errors.New("peer is self")
+	var ip string
+	if err := tstest.WaitFor(20*time.Second, func() error {
+		out, err := n1.Tailscale("ip").Output()
+		if err != nil {
+			return err
 		}
+		ip = string(out)
 		return nil
 	}); err != nil {
 		t.Error(err)
 	}
+	t.Logf("Got IP: %v", ip)

-	d1.MustCleanShutdown(t)
-	d2.MustCleanShutdown(t)
+	dcmd.Process.Signal(os.Interrupt)
+
+	ps, err := dcmd.Process.Wait()
+	if err != nil {
+		t.Fatalf("tailscaled Wait: %v", err)
+	}
+	if ps.ExitCode() != 0 {
+		t.Errorf("tailscaled ExitCode = %d; want 0", ps.ExitCode())
+	}
+
+	t.Logf("number of HTTP logcatcher requests: %v", env.LogCatcher.numRequests())
+	if err := env.TrafficTrap.Err(); err != nil {
+		t.Errorf("traffic trap: %v", err)
+		t.Logf("logs: %s", env.LogCatcher.logsString())
+	}
 }

 // testBinaries are the paths to a tailscaled and tailscale binary.
@@ -208,18 +139,16 @@ type testBinaries struct {
 // if they fail to compile.
 func buildTestBinaries(t testing.TB) *testBinaries {
 	td := t.TempDir()
-	build(t, td, "tailscale.com/cmd/tailscaled", "tailscale.com/cmd/tailscale")
 	return &testBinaries{
 		dir:    td,
-		daemon: filepath.Join(td, "tailscaled"+exe()),
-		cli:    filepath.Join(td, "tailscale"+exe()),
+		daemon: build(t, td, "tailscale.com/cmd/tailscaled"),
+		cli:    build(t, td, "tailscale.com/cmd/tailscale"),
 	}
 }

 // testEnv contains the test environment (set of servers) used by one
 // or more nodes.
 type testEnv struct {
-	t        testing.TB
 	Binaries *testBinaries

 	LogCatcher       *logCatcher
@@ -239,9 +168,6 @@ type testEnv struct {
 //
 // Call Close to shut everything down.
 func newTestEnv(t testing.TB, bins *testBinaries) *testEnv {
-	if runtime.GOOS == "windows" {
-		t.Skip("not tested/working on Windows yet")
-	}
 	derpMap, derpShutdown := runDERPAndStun(t, logger.Discard)
 	logc := new(logCatcher)
 	control := &testcontrol.Server{
@@ -249,7 +175,6 @@ func newTestEnv(t testing.TB, bins *testBinaries) *testEnv {
 	}
 	trafficTrap := new(trafficTrap)
 	e := &testEnv{
-		t:                 t,
 		Binaries:          bins,
 		LogCatcher:        logc,
 		LogCatcherServer:  httptest.NewServer(logc),
@@ -259,16 +184,10 @@ func newTestEnv(t testing.TB, bins *testBinaries) *testEnv {
 		TrafficTrapServer: httptest.NewServer(trafficTrap),
 		derpShutdown:      derpShutdown,
 	}
-	e.Control.BaseURL = e.ControlServer.URL
 	return e
 }

 func (e *testEnv) Close() error {
-	if err := e.TrafficTrap.Err(); err != nil {
-		e.t.Errorf("traffic trap: %v", err)
-		e.t.Logf("logs: %s", e.LogCatcher.logsString())
-	}
-
 	e.LogCatcherServer.Close()
 	e.TrafficTrapServer.Close()
 	e.ControlServer.Close()
@@ -299,28 +218,9 @@ func newTestNode(t *testing.T, env *testEnv) *testNode {
 	}
 }

-type Daemon struct {
-	Process *os.Process
-}
-
-func (d *Daemon) Kill() {
-	d.Process.Kill()
-}
-
-func (d *Daemon) MustCleanShutdown(t testing.TB) {
-	d.Process.Signal(os.Interrupt)
-	ps, err := d.Process.Wait()
-	if err != nil {
-		t.Fatalf("tailscaled Wait: %v", err)
-	}
-	if ps.ExitCode() != 0 {
-		t.Errorf("tailscaled ExitCode = %d; want 0", ps.ExitCode())
-	}
-}
-
 // StartDaemon starts the node's tailscaled, failing if it fails to
 // start.
-func (n *testNode) StartDaemon(t testing.TB) *Daemon {
+func (n *testNode) StartDaemon(t testing.TB) *exec.Cmd {
 	cmd := exec.Command(n.env.Binaries.daemon,
 		"--tun=userspace-networking",
 		"--state="+n.stateFile,
@@ -334,17 +234,7 @@ func (n *testNode) StartDaemon(t testing.TB) *Daemon {
 	if err := cmd.Start(); err != nil {
 		t.Fatalf("starting tailscaled: %v", err)
 	}
-	return &Daemon{
-		Process: cmd.Process,
-	}
-}
-
-func (n *testNode) MustUp() {
-	t := n.env.t
-	t.Logf("Running up --login-server=%s ...", n.env.ControlServer.URL)
-	if err := n.Tailscale("up", "--login-server="+n.env.ControlServer.URL).Run(); err != nil {
-		t.Fatalf("up: %v", err)
-	}
+	return cmd
 }

 // AwaitListening waits for the tailscaled to be serving local clients
@@ -362,40 +252,6 @@ func (n *testNode) AwaitListening(t testing.TB) {
 	}
 }

-func (n *testNode) AwaitIP(t testing.TB) (ips string) {
-	t.Helper()
-	if err := tstest.WaitFor(20*time.Second, func() error {
-		out, err := n.Tailscale("ip").Output()
-		if err != nil {
-			return err
-		}
-		ips = string(out)
-		return nil
-	}); err != nil {
-		t.Fatalf("awaiting an IP address: %v", err)
-	}
-	if ips == "" {
-		t.Fatalf("returned IP address was blank")
-	}
-	return ips
-}
-
-func (n *testNode) AwaitRunning(t testing.TB) {
-	t.Helper()
-	if err := tstest.WaitFor(20*time.Second, func() error {
-		st, err := n.Status()
-		if err != nil {
-			return err
-		}
-		if st.BackendState != "Running" {
-			return fmt.Errorf("in state %q", st.BackendState)
-		}
-		return nil
-	}); err != nil {
-		t.Fatalf("failure/timeout waiting for transition to Running status: %v", err)
-	}
-}
-
 // Tailscale returns a command that runs the tailscale CLI with the provided arguments.
 // It does not start the process.
 func (n *testNode) Tailscale(arg ...string) *exec.Cmd {
@@ -405,23 +261,15 @@ func (n *testNode) Tailscale(arg ...string) *exec.Cmd {
 	return cmd
 }

-func (n *testNode) Status() (*ipnstate.Status, error) {
+func (n *testNode) MustStatus(tb testing.TB) *ipnstate.Status {
+	tb.Helper()
 	out, err := n.Tailscale("status", "--json").CombinedOutput()
 	if err != nil {
-		return nil, fmt.Errorf("running tailscale status: %v, %s", err, out)
+		tb.Fatalf("getting status: %v, %s", err, out)
 	}
 	st := new(ipnstate.Status)
 	if err := json.Unmarshal(out, st); err != nil {
-		return nil, fmt.Errorf("decoding tailscale status JSON: %w", err)
-	}
-	return st, nil
-}
-
-func (n *testNode) MustStatus(tb testing.TB) *ipnstate.Status {
-	tb.Helper()
-	st, err := n.Status()
-	if err != nil {
-		tb.Fatal(err)
+		tb.Fatalf("parsing status json: %v, from: %s", err, out)
 	}
 	return st
 }
@@ -443,44 +291,21 @@ func findGo(t testing.TB) string {
 	} else if !fi.Mode().IsRegular() {
 		t.Fatalf("%v is unexpected %v", goBin, fi.Mode())
 	}
+	t.Logf("using go binary %v", goBin)
 	return goBin
 }

-// buildMu limits our use of "go build" to one at a time, so we don't
-// fight Go's built-in caching trying to do the same build concurrently.
-var buildMu sync.Mutex
-
-func build(t testing.TB, outDir string, targets ...string) {
-	buildMu.Lock()
-	defer buildMu.Unlock()
-
-	t0 := time.Now()
-	defer func() { t.Logf("built %s in %v", targets, time.Since(t0).Round(time.Millisecond)) }()
-
-	goBin := findGo(t)
-	cmd := exec.Command(goBin, "install")
-	if version.IsRace() {
-		cmd.Args = append(cmd.Args, "-race")
+func build(t testing.TB, outDir, target string) string {
+	exe := ""
+	if runtime.GOOS == "windows" {
+		exe = ".exe"
 	}
-	cmd.Args = append(cmd.Args, targets...)
-	cmd.Env = append(os.Environ(), "GOARCH="+runtime.GOARCH, "GOBIN="+outDir)
-	errOut, err := cmd.CombinedOutput()
-	if err == nil {
-		return
+	bin := filepath.Join(outDir, path.Base(target)) + exe
+	errOut, err := exec.Command(findGo(t), "build", "-o", bin, target).CombinedOutput()
+	if err != nil {
+		t.Fatalf("failed to build %v: %v, %s", target, err, errOut)
 	}
-	if strings.Contains(string(errOut), "when GOBIN is set") {
-		// Fallback slow path for cross-compiled binaries.
-		for _, target := range targets {
-			outFile := filepath.Join(outDir, path.Base(target)+exe())
-			cmd := exec.Command(goBin, "build", "-o", outFile, target)
-			cmd.Env = append(os.Environ(), "GOARCH="+runtime.GOARCH)
-			if errOut, err := cmd.CombinedOutput(); err != nil {
-				t.Fatalf("failed to build %v with %v: %v, %s", target, goBin, err, errOut)
-			}
-		}
-		return
-	}
-	t.Fatalf("failed to build %v with %v: %v, %s", targets, goBin, err, errOut)
+	return bin
 }

 // logCatcher is a minimal logcatcher for the logtail upload client.
@@ -553,9 +378,6 @@ func (lc *logCatcher) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	} else {
 		for _, ent := range jreq {
 			fmt.Fprintf(&lc.buf, "%s\n", strings.TrimSpace(ent.Text))
-			if *verbose {
-				fmt.Fprintf(os.Stderr, "%s\n", strings.TrimSpace(ent.Text))
-			}
 		}
 	}
 	w.WriteHeader(200) // must have no content, but not a 204
@@ -632,23 +454,3 @@ func runDERPAndStun(t testing.TB, logf logger.Logf) (derpMap *tailcfg.DERPMap, c

 	return m, cleanup
 }
-
-type authURLParserWriter struct {
-	buf bytes.Buffer
-	fn  func(urlStr string) error
-}
-
-var authURLRx = regexp.MustCompile(`(https?://\S+/auth/\S+)`)
-
-func (w *authURLParserWriter) Write(p []byte) (n int, err error) {
-	n, err = w.buf.Write(p)
-	m := authURLRx.FindSubmatch(w.buf.Bytes())
-	if m != nil {
-		urlStr := string(m[1])
-		w.buf.Reset() // so it's not matched again
-		if err := w.fn(urlStr); err != nil {
-			return 0, err
-		}
-	}
-	return n, err
-}
--- a/tstest/integration/testcontrol/testcontrol.go
+++ b/tstest/integration/testcontrol/testcontrol.go
@@ -17,8 +17,6 @@ import (
 	"log"
 	"math/rand"
 	"net/http"
-	"net/url"
-	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -36,43 +34,19 @@ import (
 // Server is a control plane server. Its zero value is ready for use.
 // Everything is stored in-memory in one tailnet.
 type Server struct {
-	Logf        logger.Logf      // nil means to use the log package
-	DERPMap     *tailcfg.DERPMap // nil means to use prod DERP map
-	RequireAuth bool
-	BaseURL     string // must be set to e.g. "http://127.0.0.1:1234" with no trailing URL
-	Verbose     bool
+	Logf    logger.Logf      // nil means to use the log package
+	DERPMap *tailcfg.DERPMap // nil means to use prod DERP map

 	initMuxOnce sync.Once
 	mux         *http.ServeMux

-	mu            sync.Mutex
-	pubKey        wgkey.Key
-	privKey       wgkey.Private
-	nodes         map[tailcfg.NodeKey]*tailcfg.Node
-	users         map[tailcfg.NodeKey]*tailcfg.User
-	logins        map[tailcfg.NodeKey]*tailcfg.Login
-	updates       map[tailcfg.NodeID]chan updateType
-	authPath      map[string]*AuthPath
-	nodeKeyAuthed map[tailcfg.NodeKey]bool // key => true once authenticated
-}
-
-type AuthPath struct {
-	nodeKey tailcfg.NodeKey
-
-	closeOnce sync.Once
-	ch        chan struct{}
-	success   bool
-}
-
-func (ap *AuthPath) completeSuccessfully() {
-	ap.success = true
-	close(ap.ch)
-}
-
-// CompleteSuccessfully completes the login path successfully, as if
-// the user did the whole auth dance.
-func (ap *AuthPath) CompleteSuccessfully() {
-	ap.closeOnce.Do(ap.completeSuccessfully)
+	mu      sync.Mutex
+	pubKey  wgkey.Key
+	privKey wgkey.Private
+	nodes   map[tailcfg.NodeKey]*tailcfg.Node
+	users   map[tailcfg.NodeKey]*tailcfg.User
+	logins  map[tailcfg.NodeKey]*tailcfg.Login
+	updates map[tailcfg.NodeID]chan updateType
 }

 func (s *Server) logf(format string, a ...interface{}) {
@@ -168,18 +142,6 @@ func (s *Server) Node(nodeKey tailcfg.NodeKey) *tailcfg.Node {
 	return s.nodes[nodeKey].Clone()
 }

-func (s *Server) AllNodes() (nodes []*tailcfg.Node) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for _, n := range s.nodes {
-		nodes = append(nodes, n.Clone())
-	}
-	sort.Slice(nodes, func(i, j int) bool {
-		return nodes[i].StableID < nodes[j].StableID
-	})
-	return nodes
-}
-
 func (s *Server) getUser(nodeKey tailcfg.NodeKey) (*tailcfg.User, *tailcfg.Login) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -216,56 +178,6 @@ func (s *Server) getUser(nodeKey tailcfg.NodeKey) (*tailcfg.User, *tailcfg.Login
 	return user, login
 }

-// authPathDone returns a close-only struct that's closed when the
-// authPath ("/auth/XXXXXX") has authenticated.
-func (s *Server) authPathDone(authPath string) <-chan struct{} {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if a, ok := s.authPath[authPath]; ok {
-		return a.ch
-	}
-	return nil
-}
-
-func (s *Server) addAuthPath(authPath string, nodeKey tailcfg.NodeKey) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.authPath == nil {
-		s.authPath = map[string]*AuthPath{}
-	}
-	s.authPath[authPath] = &AuthPath{
-		ch:      make(chan struct{}),
-		nodeKey: nodeKey,
-	}
-}
-
-// CompleteAuth marks the provided path or URL (containing
-// "/auth/...")  as successfully authenticated, unblocking any
-// requests blocked on that in serveRegister.
-func (s *Server) CompleteAuth(authPathOrURL string) bool {
-	i := strings.Index(authPathOrURL, "/auth/")
-	if i == -1 {
-		return false
-	}
-	authPath := authPathOrURL[i:]
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	ap, ok := s.authPath[authPath]
-	if !ok {
-		return false
-	}
-	if ap.nodeKey.IsZero() {
-		panic("zero AuthPath.NodeKey")
-	}
-	if s.nodeKeyAuthed == nil {
-		s.nodeKeyAuthed = map[tailcfg.NodeKey]bool{}
-	}
-	s.nodeKeyAuthed[ap.nodeKey] = true
-	ap.CompleteSuccessfully()
-	return true
-}
-
 func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey tailcfg.MachineKey) {
 	var req tailcfg.RegisterRequest
 	if err := s.decode(mkey, r.Body, &req); err != nil {
@@ -277,65 +189,28 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey tail
 	if req.NodeKey.IsZero() {
 		panic("serveRegister: request has zero node key")
 	}
-	if s.Verbose {
-		j, _ := json.MarshalIndent(req, "", "\t")
-		log.Printf("Got %T: %s", req, j)
-	}
-
-	// If this is a followup request, wait until interactive followup URL visit complete.
-	if req.Followup != "" {
-		followupURL, err := url.Parse(req.Followup)
-		if err != nil {
-			panic(err)
-		}
-		doneCh := s.authPathDone(followupURL.Path)
-		select {
-		case <-r.Context().Done():
-			return
-		case <-doneCh:
-		}
-		// TODO(bradfitz): support a side test API to mark an
-		// auth as failued so we can send an error response in
-		// some follow-ups? For now all are successes.
-	}

 	user, login := s.getUser(req.NodeKey)
 	s.mu.Lock()
 	if s.nodes == nil {
 		s.nodes = map[tailcfg.NodeKey]*tailcfg.Node{}
 	}
-
-	machineAuthorized := true // TODO: add Server.RequireMachineAuth
-
 	s.nodes[req.NodeKey] = &tailcfg.Node{
 		ID:                tailcfg.NodeID(user.ID),
 		StableID:          tailcfg.StableNodeID(fmt.Sprintf("TESTCTRL%08x", int(user.ID))),
 		User:              user.ID,
 		Machine:           mkey,
 		Key:               req.NodeKey,
-		MachineAuthorized: machineAuthorized,
-	}
-	requireAuth := s.RequireAuth
-	if requireAuth && s.nodeKeyAuthed[req.NodeKey] {
-		requireAuth = false
+		MachineAuthorized: true,
 	}
 	s.mu.Unlock()

-	authURL := ""
-	if requireAuth {
-		randHex := make([]byte, 10)
-		crand.Read(randHex)
-		authPath := fmt.Sprintf("/auth/%x", randHex)
-		s.addAuthPath(authPath, req.NodeKey)
-		authURL = s.BaseURL + authPath
-	}
-
 	res, err := s.encode(mkey, false, tailcfg.RegisterResponse{
 		User:              *user,
 		Login:             *login,
 		NodeKeyExpired:    false,
-		MachineAuthorized: machineAuthorized,
-		AuthURL:           authURL,
+		MachineAuthorized: true,
+		AuthURL:           "", // all good; TODO(bradfitz): add ways to not start all good.
 	})
 	if err != nil {
 		go panic(fmt.Sprintf("serveRegister: encode: %v", err))
@@ -379,21 +254,6 @@ func sendUpdate(dst chan<- updateType, updateType updateType) {
 	}
 }

-func (s *Server) UpdateNode(n *tailcfg.Node) (peersToUpdate []tailcfg.NodeID) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if n.Key.IsZero() {
-		panic("zero nodekey")
-	}
-	s.nodes[n.Key] = n.Clone()
-	for _, n2 := range s.nodes {
-		if n.ID != n2.ID {
-			peersToUpdate = append(peersToUpdate, n2.ID)
-		}
-	}
-	return peersToUpdate
-}
-
 func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey tailcfg.MachineKey) {
 	ctx := r.Context()

@@ -419,8 +279,10 @@ func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey tailcfg.M
 	if !req.ReadOnly {
 		endpoints := filterInvalidIPv6Endpoints(req.Endpoints)
 		node.Endpoints = endpoints
-		node.DiscoKey = req.DiscoKey
-		peersToUpdate = s.UpdateNode(node)
+		// TODO: more
+		// TODO: register node,
+		//s.UpdateEndpoint(mkey, req.NodeKey,
+		// XXX
 	}

 	nodeID := node.ID
@@ -527,12 +389,6 @@ func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse,
 		CollectServices: "true",
 		PacketFilter:    tailcfg.FilterAllowAll,
 	}
-	for _, p := range s.AllNodes() {
-		if p.StableID != node.StableID {
-			res.Peers = append(res.Peers, p)
-		}
-	}
-
 	res.Node.Addresses = []netaddr.IPPrefix{
 		netaddr.MustParseIPPrefix(fmt.Sprintf("100.64.%d.%d/32", uint8(node.ID>>8), uint8(node.ID))),
 	}
@@ -650,7 +506,7 @@ func keepClientEndpoint(ep string) bool {
 		// the incoming JSON response.
 		return false
 	}
-	ip := ipp.IP()
+	ip := ipp.IP
 	if ip.Zone() != "" {
 		return false
 	}
--- a/tstest/natlab/firewall.go
+++ b/tstest/natlab/firewall.go
@@ -52,7 +52,7 @@ func (s FirewallType) key(src, dst netaddr.IPPort) fwKey {
 	switch s {
 	case EndpointIndependentFirewall:
 	case AddressDependentFirewall:
-		k.dst = k.dst.WithIP(dst.IP())
+		k.dst.IP = dst.IP
 	case AddressAndPortDependentFirewall:
 		k.dst = dst
 	default:
--- a/tstest/natlab/nat.go
+++ b/tstest/natlab/nat.go
@@ -62,7 +62,7 @@ func (t NATType) key(src, dst netaddr.IPPort) natKey {
 	switch t {
 	case EndpointIndependentNAT:
 	case AddressDependentNAT:
-		k.dst = k.dst.WithIP(dst.IP())
+		k.dst.IP = dst.IP
 	case AddressAndPortDependentNAT:
 		k.dst = dst
 	default:
@@ -171,7 +171,7 @@ func (n *SNAT44) HandleIn(p *Packet, iif *Interface) *Packet {
 func (n *SNAT44) HandleForward(p *Packet, iif, oif *Interface) *Packet {
 	switch {
 	case oif == n.ExternalInterface:
-		if p.Src.IP() == oif.V4() {
+		if p.Src.IP == oif.V4() {
 			// Packet already NATed and is just retraversing Forward,
 			// don't touch it again.
 			return p
@@ -237,7 +237,10 @@ func (n *SNAT44) allocateMappedPort() (net.PacketConn, netaddr.IPPort) {
 	if err != nil {
 		panic(fmt.Sprintf("ran out of NAT ports: %v", err))
 	}
-	addr := netaddr.IPPortFrom(ip, uint16(pc.LocalAddr().(*net.UDPAddr).Port))
+	addr := netaddr.IPPort{
+		IP:   ip,
+		Port: uint16(pc.LocalAddr().(*net.UDPAddr).Port),
+	}
 	return pc, addr
 }

--- a/tstest/natlab/natlab.go
+++ b/tstest/natlab/natlab.go
@@ -138,7 +138,7 @@ func (n *Network) allocIPv4(iface *Interface) netaddr.IP {
 		return netaddr.IP{}
 	}
 	if n.lastV4.IsZero() {
-		n.lastV4 = n.Prefix4.IP()
+		n.lastV4 = n.Prefix4.IP
 	}
 	a := n.lastV4.As16()
 	addOne(&a, 15)
@@ -157,7 +157,7 @@ func (n *Network) allocIPv6(iface *Interface) netaddr.IP {
 		return netaddr.IP{}
 	}
 	if n.lastV6.IsZero() {
-		n.lastV6 = n.Prefix6.IP()
+		n.lastV6 = n.Prefix6.IP
 	}
 	a := n.lastV6.As16()
 	addOne(&a, 15)
@@ -183,15 +183,15 @@ func (n *Network) write(p *Packet) (num int, err error) {

 	n.mu.Lock()
 	defer n.mu.Unlock()
-	iface, ok := n.machine[p.Dst.IP()]
+	iface, ok := n.machine[p.Dst.IP]
 	if !ok {
 		// If the destination is within the network's authoritative
 		// range, no route to host.
-		if p.Dst.IP().Is4() && n.Prefix4.Contains(p.Dst.IP()) {
+		if p.Dst.IP.Is4() && n.Prefix4.Contains(p.Dst.IP) {
 			p.Trace("no route to %v", p.Dst.IP)
 			return len(p.Payload), nil
 		}
-		if p.Dst.IP().Is6() && n.Prefix6.Contains(p.Dst.IP()) {
+		if p.Dst.IP.Is6() && n.Prefix6.Contains(p.Dst.IP) {
 			p.Trace("no route to %v", p.Dst.IP)
 			return len(p.Payload), nil
 		}
@@ -363,7 +363,7 @@ func (m *Machine) isLocalIP(ip netaddr.IP) bool {
 func (m *Machine) deliverIncomingPacket(p *Packet, iface *Interface) {
 	p.setLocator("mach=%s if=%s", m.Name, iface.name)

-	if m.isLocalIP(p.Dst.IP()) {
+	if m.isLocalIP(p.Dst.IP) {
 		m.deliverLocalPacket(p, iface)
 	} else {
 		m.forwardPacket(p, iface)
@@ -391,13 +391,13 @@ func (m *Machine) deliverLocalPacket(p *Packet, iface *Interface) {
 	defer m.mu.Unlock()

 	conns := m.conns4
-	if p.Dst.IP().Is6() {
+	if p.Dst.IP.Is6() {
 		conns = m.conns6
 	}
 	possibleDsts := []netaddr.IPPort{
 		p.Dst,
-		netaddr.IPPortFrom(v6unspec, p.Dst.Port()),
-		netaddr.IPPortFrom(v4unspec, p.Dst.Port()),
+		netaddr.IPPort{IP: v6unspec, Port: p.Dst.Port},
+		netaddr.IPPort{IP: v4unspec, Port: p.Dst.Port},
 	}
 	for _, dest := range possibleDsts {
 		c, ok := conns[dest]
@@ -417,7 +417,7 @@ func (m *Machine) deliverLocalPacket(p *Packet, iface *Interface) {
 }

 func (m *Machine) forwardPacket(p *Packet, iif *Interface) {
-	oif, err := m.interfaceForIP(p.Dst.IP())
+	oif, err := m.interfaceForIP(p.Dst.IP)
 	if err != nil {
 		p.Trace("%v", err)
 		return
@@ -501,7 +501,7 @@ func (m *Machine) Attach(interfaceName string, n *Network) *Interface {
 		}
 	}
 	sort.Slice(m.routes, func(i, j int) bool {
-		return m.routes[i].prefix.Bits() > m.routes[j].prefix.Bits()
+		return m.routes[i].prefix.Bits > m.routes[j].prefix.Bits
 	})

 	return f
@@ -515,33 +515,33 @@ var (
 func (m *Machine) writePacket(p *Packet) (n int, err error) {
 	p.setLocator("mach=%s", m.Name)

-	iface, err := m.interfaceForIP(p.Dst.IP())
+	iface, err := m.interfaceForIP(p.Dst.IP)
 	if err != nil {
 		p.Trace("%v", err)
 		return 0, err
 	}
-	origSrcIP := p.Src.IP()
+	origSrcIP := p.Src.IP
 	switch {
-	case p.Src.IP() == v4unspec:
+	case p.Src.IP == v4unspec:
 		p.Trace("assigning srcIP=%s", iface.V4())
-		p.Src = p.Src.WithIP(iface.V4())
-	case p.Src.IP() == v6unspec:
+		p.Src.IP = iface.V4()
+	case p.Src.IP == v6unspec:
 		// v6unspec in Go means "any src, but match address families"
-		if p.Dst.IP().Is6() {
+		if p.Dst.IP.Is6() {
 			p.Trace("assigning srcIP=%s", iface.V6())
-			p.Src = p.Src.WithIP(iface.V6())
-		} else if p.Dst.IP().Is4() {
+			p.Src.IP = iface.V6()
+		} else if p.Dst.IP.Is4() {
 			p.Trace("assigning srcIP=%s", iface.V4())
-			p.Src = p.Src.WithIP(iface.V4())
+			p.Src.IP = iface.V4()
 		}
 	default:
-		if !iface.Contains(p.Src.IP()) {
-			err := fmt.Errorf("can't send to %v with src %v on interface %v", p.Dst.IP(), p.Src.IP(), iface)
+		if !iface.Contains(p.Src.IP) {
+			err := fmt.Errorf("can't send to %v with src %v on interface %v", p.Dst.IP, p.Src.IP, iface)
 			p.Trace("%v", err)
 			return 0, err
 		}
 	}
-	if p.Src.IP().IsZero() {
+	if p.Src.IP.IsZero() {
 		err := fmt.Errorf("no matching address for address family for %v", origSrcIP)
 		p.Trace("%v", err)
 		return 0, err
@@ -602,12 +602,12 @@ func (m *Machine) pickEphemPort() (port uint16, err error) {

 func (m *Machine) portInUseLocked(port uint16) bool {
 	for ipp := range m.conns4 {
-		if ipp.Port() == port {
+		if ipp.Port == port {
 			return true
 		}
 	}
 	for ipp := range m.conns6 {
-		if ipp.Port() == port {
+		if ipp.Port == port {
 			return true
 		}
 	}
@@ -617,7 +617,7 @@ func (m *Machine) portInUseLocked(port uint16) bool {
 func (m *Machine) registerConn4(c *conn) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
-	if c.ipp.IP().Is6() && c.ipp.IP() != v6unspec {
+	if c.ipp.IP.Is6() && c.ipp.IP != v6unspec {
 		return fmt.Errorf("registerConn4 got IPv6 %s", c.ipp)
 	}
 	return registerConn(&m.conns4, c)
@@ -632,7 +632,7 @@ func (m *Machine) unregisterConn4(c *conn) {
 func (m *Machine) registerConn6(c *conn) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
-	if c.ipp.IP().Is4() {
+	if c.ipp.IP.Is4() {
 		return fmt.Errorf("registerConn6 got IPv4 %s", c.ipp)
 	}
 	return registerConn(&m.conns6, c)
@@ -707,7 +707,7 @@ func (m *Machine) ListenPacket(ctx context.Context, network, address string) (ne
 			return nil, nil
 		}
 	}
-	ipp := netaddr.IPPortFrom(ip, port)
+	ipp := netaddr.IPPort{IP: ip, Port: port}

 	c := &conn{
 		m:   m,
--- a/tstest/natlab/natlab_test.go
+++ b/tstest/natlab/natlab_test.go
@@ -49,8 +49,8 @@ func TestSendPacket(t *testing.T) {
 	ifFoo := foo.Attach("eth0", internet)
 	ifBar := bar.Attach("enp0s1", internet)

-	fooAddr := netaddr.IPPortFrom(ifFoo.V4(), 123)
-	barAddr := netaddr.IPPortFrom(ifBar.V4(), 456)
+	fooAddr := netaddr.IPPort{IP: ifFoo.V4(), Port: 123}
+	barAddr := netaddr.IPPort{IP: ifBar.V4(), Port: 456}

 	ctx := context.Background()
 	fooPC, err := foo.ListenPacket(ctx, "udp4", fooAddr.String())
@@ -111,10 +111,10 @@ func TestMultiNetwork(t *testing.T) {
 		t.Fatal(err)
 	}

-	clientAddr := netaddr.IPPortFrom(ifClient.V4(), 123)
-	natLANAddr := netaddr.IPPortFrom(ifNATLAN.V4(), 456)
-	natWANAddr := netaddr.IPPortFrom(ifNATWAN.V4(), 456)
-	serverAddr := netaddr.IPPortFrom(ifServer.V4(), 789)
+	clientAddr := netaddr.IPPort{IP: ifClient.V4(), Port: 123}
+	natLANAddr := netaddr.IPPort{IP: ifNATLAN.V4(), Port: 456}
+	natWANAddr := netaddr.IPPort{IP: ifNATWAN.V4(), Port: 456}
+	serverAddr := netaddr.IPPort{IP: ifServer.V4(), Port: 789}

 	const msg1, msg2 = "hello", "world"
 	if _, err := natPC.WriteTo([]byte(msg1), clientAddr.UDPAddr()); err != nil {
@@ -154,8 +154,8 @@ type trivialNAT struct {
 }

 func (n *trivialNAT) HandleIn(p *Packet, iface *Interface) *Packet {
-	if iface == n.wanIf && p.Dst.IP() == n.wanIf.V4() {
-		p.Dst = p.Dst.WithIP(n.clientIP)
+	if iface == n.wanIf && p.Dst.IP == n.wanIf.V4() {
+		p.Dst.IP = n.clientIP
 	}
 	return p
 }
@@ -167,13 +167,13 @@ func (n trivialNAT) HandleOut(p *Packet, iface *Interface) *Packet {
 func (n *trivialNAT) HandleForward(p *Packet, iif, oif *Interface) *Packet {
 	// Outbound from LAN -> apply NAT, continue
 	if iif == n.lanIf && oif == n.wanIf {
-		if p.Src.IP() == n.clientIP {
-			p.Src = p.Src.WithIP(n.wanIf.V4())
+		if p.Src.IP == n.clientIP {
+			p.Src.IP = n.wanIf.V4()
 		}
 		return p
 	}
 	// Return traffic to LAN, allow if right dst.
-	if iif == n.wanIf && oif == n.lanIf && p.Dst.IP() == n.clientIP {
+	if iif == n.wanIf && oif == n.lanIf && p.Dst.IP == n.clientIP {
 		return p
 	}
 	// Else drop.
@@ -216,7 +216,7 @@ func TestPacketHandler(t *testing.T) {
 	}

 	const msg = "some message"
-	serverAddr := netaddr.IPPortFrom(ifServer.V4(), 456)
+	serverAddr := netaddr.IPPort{IP: ifServer.V4(), Port: 456}
 	if _, err := clientPC.WriteTo([]byte(msg), serverAddr.UDPAddr()); err != nil {
 		t.Fatal(err)
 	}
@@ -230,7 +230,7 @@ func TestPacketHandler(t *testing.T) {
 	if string(buf) != msg {
 		t.Errorf("read %q; want %q", buf, msg)
 	}
-	mappedAddr := netaddr.IPPortFrom(ifNATWAN.V4(), 123)
+	mappedAddr := netaddr.IPPort{IP: ifNATWAN.V4(), Port: 123}
 	if addr.String() != mappedAddr.String() {
 		t.Errorf("addr = %q; want %q", addr, mappedAddr)
 	}
--- a/types/netmap/netmap_test.go
+++ b/types/netmap/netmap_test.go
@@ -250,7 +250,7 @@ func TestConciseDiffFrom(t *testing.T) {
 						DERP:       "127.3.3.40:2",
 						Endpoints:  []string{"192.168.0.100:41641", "1.1.1.1:41641"},
 						DiscoKey:   testDiscoKey("f00f00f00f"),
-						AllowedIPs: []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPv4(100, 102, 103, 104), 32)},
+						AllowedIPs: []netaddr.IPPrefix{{IP: netaddr.IPv4(100, 102, 103, 104), Bits: 32}},
 					},
 				},
 			},
@@ -263,7 +263,7 @@ func TestConciseDiffFrom(t *testing.T) {
 						DERP:       "127.3.3.40:2",
 						Endpoints:  []string{"192.168.0.100:41641", "1.1.1.1:41641"},
 						DiscoKey:   testDiscoKey("ba4ba4ba4b"),
-						AllowedIPs: []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPv4(100, 102, 103, 104), 32)},
+						AllowedIPs: []netaddr.IPPrefix{{IP: netaddr.IPv4(100, 102, 103, 104), Bits: 32}},
 					},
 				},
 			},
--- a/types/wgkey/key.go
+++ b/types/wgkey/key.go
@@ -78,16 +78,8 @@ func (k Key) HexString() string { return hex.EncodeToString(k[:]) }
 func (k Key) Equal(k2 Key) bool { return subtle.ConstantTimeCompare(k[:], k2[:]) == 1 }

 func (k *Key) ShortString() string {
-	// The goal here is to generate "[" + base64.StdEncoding.EncodeToString(k[:])[:5] + "]".
-	// Since we only care about the first 5 characters, it suffices to encode the first 4 bytes of k.
-	// Encoding those 4 bytes requires 8 bytes.
-	// Make dst have size 9, to fit the leading '[' plus those 8 bytes.
-	// We slice the unused ones away at the end.
-	dst := make([]byte, 9)
-	dst[0] = '['
-	base64.StdEncoding.Encode(dst[1:], k[:4])
-	dst[6] = ']'
-	return string(dst[:7])
+	long := k.Base64()
+	return "[" + long[0:5] + "]"
 }

 func (k *Key) IsZero() bool {
@@ -114,10 +106,11 @@ func (k *Key) UnmarshalJSON(b []byte) error {
 		return errors.New("wgkey.Key: UnmarshalJSON not given a string")
 	}
 	b = b[1 : len(b)-1]
-	if len(b) != 2*Size {
-		return fmt.Errorf("wgkey.Key: UnmarshalJSON input wrong size: %d", len(b))
+	key, err := ParseHex(string(b))
+	if err != nil {
+		return fmt.Errorf("wgkey.Key: UnmarshalJSON: %v", err)
 	}
-	hex.Decode(k[:], b)
+	copy(k[:], key[:])
 	return nil
 }

--- a/types/wgkey/key_test.go
+++ b/types/wgkey/key_test.go
@@ -156,28 +156,3 @@ func BenchmarkMarshalJSON(b *testing.B) {
 		}
 	}
 }
-
-func BenchmarkUnmarshalJSON(b *testing.B) {
-	b.ReportAllocs()
-	var k Key
-	buf, err := k.MarshalJSON()
-	if err != nil {
-		b.Fatal(err)
-	}
-	for i := 0; i < b.N; i++ {
-		err := k.UnmarshalJSON(buf)
-		if err != nil {
-			b.Fatal(err)
-		}
-	}
-}
-
-var sinkString string
-
-func BenchmarkShortString(b *testing.B) {
-	b.ReportAllocs()
-	var k Key
-	for i := 0; i < b.N; i++ {
-		sinkString = k.ShortString()
-	}
-}
--- a/util/dnsname/dnsname.go
+++ b/util/dnsname/dnsname.go
@@ -48,21 +48,6 @@ func ToFQDN(s string) (FQDN, error) {
 	return FQDN(s + "."), nil
 }

-func validLabel(s string) bool {
-	if len(s) == 0 || len(s) > maxLabelLength {
-		return false
-	}
-	if !isalphanum(s[0]) || !isalphanum(s[len(s)-1]) {
-		return false
-	}
-	for i := 1; i < len(s)-1; i++ {
-		if !isalphanum(s[i]) && s[i] != '-' {
-			return false
-		}
-	}
-	return true
-}
-
 // WithTrailingDot returns f as a string, with a trailing dot.
 func (f FQDN) WithTrailingDot() string {
 	return string(f)
@@ -120,23 +105,30 @@ func isValidFQDN(s string) bool {
 			continue
 		}
 		label := s[st:i]
-		if len(label) == 0 || len(label) > maxLabelLength {
+		if !validLabel(label) {
 			return false
 		}
-		if !isalphanum(label[0]) || !isalphanum(label[len(label)-1]) {
-			return false
-		}
-		for j := 1; j < len(label)-1; j++ {
-			if !isalphanum(label[j]) && label[j] != '-' {
-				return false
-			}
-		}
 		st = i + 1
 	}

 	return true
 }

+func validLabel(s string) bool {
+	// You might be tempted to do further validation of the
+	// contents of labels here, based on the hostname rules in RFC
+	// 1123. However, DNS labels are not always subject to
+	// hostname rules. In general, they can contain any non-zero
+	// byte sequence, even though in practice a more restricted
+	// set is used.
+	//
+	// See https://github.com/tailscale/tailscale/issues/2024 for more.
+	if len(s) == 0 || len(s) > maxLabelLength {
+		return false
+	}
+	return true
+}
+
 // SanitizeLabel takes a string intended to be a DNS name label
 // and turns it into a valid name label according to RFC 1035.
 func SanitizeLabel(label string) string {
--- a/util/dnsname/dnsname_test.go
+++ b/util/dnsname/dnsname_test.go
@@ -24,6 +24,7 @@ func TestFQDN(t *testing.T) {
 		{".foo.com", "foo.com.", false, 2},
 		{"com", "com.", false, 1},
 		{"www.tailscale.com", "www.tailscale.com.", false, 3},
+		{"_ssh._tcp.tailscale.com", "_ssh._tcp.tailscale.com.", false, 4},
 		{"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", "", true, 0},
 		{strings.Repeat("aaaaa.", 60) + "com", "", true, 0},
 		{"foo..com", "", true, 0},
--- a/version/race.go
+++ b/version/race.go
@@ -1,11 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build race
-
-package version
-
-// IsRace reports whether the current binary was built with the Go
-// race detector enabled.
-func IsRace() bool { return true }
--- a/version/race_off.go
+++ b/version/race_off.go
@@ -1,11 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !race
-
-package version
-
-// IsRace reports whether the current binary was built with the Go
-// race detector enabled.
-func IsRace() bool { return false }
--- a/wf/firewall.go
+++ b/wf/firewall.go
@@ -1,510 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build windows
-
-package wf
-
-import (
-	"fmt"
-	"os"
-
-	"golang.org/x/sys/windows"
-	"inet.af/netaddr"
-	"inet.af/wf"
-)
-
-// Known addresses.
-var (
-	linkLocalRange           = netaddr.MustParseIPPrefix("ff80::/10")
-	linkLocalDHCPMulticast   = netaddr.MustParseIP("ff02::1:2")
-	siteLocalDHCPMulticast   = netaddr.MustParseIP("ff05::1:3")
-	linkLocalRouterMulticast = netaddr.MustParseIP("ff02::2")
-)
-
-type direction int
-
-const (
-	directionInbound direction = iota
-	directionOutbound
-	directionBoth
-)
-
-type protocol int
-
-const (
-	protocolV4 protocol = iota
-	protocolV6
-	protocolAll
-)
-
-// getLayers returns the wf.LayerIDs where the rules should be added based
-// on the protocol and direction.
-func (p protocol) getLayers(d direction) []wf.LayerID {
-	var layers []wf.LayerID
-	if p == protocolAll || p == protocolV4 {
-		if d == directionBoth || d == directionInbound {
-			layers = append(layers, wf.LayerALEAuthRecvAcceptV4)
-		}
-		if d == directionBoth || d == directionOutbound {
-			layers = append(layers, wf.LayerALEAuthConnectV4)
-		}
-	}
-	if p == protocolAll || p == protocolV6 {
-		if d == directionBoth || d == directionInbound {
-			layers = append(layers, wf.LayerALEAuthRecvAcceptV6)
-		}
-		if d == directionBoth || d == directionOutbound {
-			layers = append(layers, wf.LayerALEAuthConnectV6)
-		}
-	}
-	return layers
-}
-
-func ruleName(action wf.Action, l wf.LayerID, name string) string {
-	switch l {
-	case wf.LayerALEAuthConnectV4:
-		return fmt.Sprintf("%s outbound %s (IPv4)", action, name)
-	case wf.LayerALEAuthConnectV6:
-		return fmt.Sprintf("%s outbound %s (IPv6)", action, name)
-	case wf.LayerALEAuthRecvAcceptV4:
-		return fmt.Sprintf("%s inbound %s (IPv4)", action, name)
-	case wf.LayerALEAuthRecvAcceptV6:
-		return fmt.Sprintf("%s inbound %s (IPv6)", action, name)
-	}
-	return ""
-}
-
-// Firewall uses the Windows Filtering Platform to implement a network firewall.
-type Firewall struct {
-	luid       uint64
-	providerID wf.ProviderID
-	sublayerID wf.SublayerID
-	session    *wf.Session
-
-	permittedRoutes map[netaddr.IPPrefix][]*wf.Rule
-}
-
-// New returns a new Firewall for the provdied interface ID.
-func New(luid uint64) (*Firewall, error) {
-	session, err := wf.New(&wf.Options{
-		Name:    "Tailscale firewall",
-		Dynamic: true,
-	})
-	if err != nil {
-		return nil, err
-	}
-	wguid, err := windows.GenerateGUID()
-	if err != nil {
-		return nil, err
-	}
-	providerID := wf.ProviderID(wguid)
-	if err := session.AddProvider(&wf.Provider{
-		ID:   providerID,
-		Name: "Tailscale provider",
-	}); err != nil {
-		return nil, err
-	}
-	wguid, err = windows.GenerateGUID()
-	if err != nil {
-		return nil, err
-	}
-	sublayerID := wf.SublayerID(wguid)
-	if err := session.AddSublayer(&wf.Sublayer{
-		ID:     sublayerID,
-		Name:   "Tailscale permissive and blocking filters",
-		Weight: 0,
-	}); err != nil {
-		return nil, err
-	}
-	f := &Firewall{
-		luid:            luid,
-		session:         session,
-		providerID:      providerID,
-		sublayerID:      sublayerID,
-		permittedRoutes: make(map[netaddr.IPPrefix][]*wf.Rule),
-	}
-	if err := f.enable(); err != nil {
-		return nil, err
-	}
-	return f, nil
-}
-
-type weight uint64
-
-const (
-	weightTailscaleTraffic weight = 15
-	weightKnownTraffic     weight = 12
-	weightCatchAll         weight = 0
-)
-
-func (f *Firewall) enable() error {
-	if err := f.permitTailscaleService(weightTailscaleTraffic); err != nil {
-		return fmt.Errorf("permitTailscaleService failed: %w", err)
-	}
-
-	if err := f.permitTunInterface(weightTailscaleTraffic); err != nil {
-		return fmt.Errorf("permitTunInterface failed: %w", err)
-	}
-
-	if err := f.permitDNS(weightTailscaleTraffic); err != nil {
-		return fmt.Errorf("permitDNS failed: %w", err)
-	}
-
-	if err := f.permitLoopback(weightKnownTraffic); err != nil {
-		return fmt.Errorf("permitLoopback failed: %w", err)
-	}
-
-	if err := f.permitDHCPv4(weightKnownTraffic); err != nil {
-		return fmt.Errorf("permitDHCPv4 failed: %w", err)
-	}
-
-	if err := f.permitDHCPv6(weightKnownTraffic); err != nil {
-		return fmt.Errorf("permitDHCPv6 failed: %w", err)
-	}
-
-	if err := f.permitNDP(weightKnownTraffic); err != nil {
-		return fmt.Errorf("permitNDP failed: %w", err)
-	}
-
-	/* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
-	 *  In other words, if somebody complains, try enabling it. For now, keep it off.
-	 * TODO(maisem): implement this.
-	err = permitHyperV(session, baseObjects, weightKnownTraffic)
-	if err != nil {
-		return wrapErr(err)
-	}
-	*/
-
-	if err := f.blockAll(weightCatchAll); err != nil {
-		return fmt.Errorf("blockAll failed: %w", err)
-	}
-	return nil
-}
-
-// UpdatedPermittedRoutes adds rules to allow incoming and outgoing connections
-// from the provided prefixes. It will also remove rules for routes that were
-// previously added but have been removed.
-func (f *Firewall) UpdatePermittedRoutes(newRoutes []netaddr.IPPrefix) error {
-	var routesToAdd []netaddr.IPPrefix
-	routeMap := make(map[netaddr.IPPrefix]bool)
-	for _, r := range newRoutes {
-		routeMap[r] = true
-		if _, ok := f.permittedRoutes[r]; !ok {
-			routesToAdd = append(routesToAdd, r)
-		}
-	}
-	var routesToRemove []netaddr.IPPrefix
-	for r := range f.permittedRoutes {
-		if !routeMap[r] {
-			routesToRemove = append(routesToRemove, r)
-		}
-	}
-	for _, r := range routesToRemove {
-		for _, rule := range f.permittedRoutes[r] {
-			if err := f.session.DeleteRule(rule.ID); err != nil {
-				return err
-			}
-		}
-		delete(f.permittedRoutes, r)
-	}
-	for _, r := range routesToAdd {
-		conditions := []*wf.Match{
-			{
-				Field: wf.FieldIPRemoteAddress,
-				Op:    wf.MatchTypeEqual,
-				Value: r,
-			},
-		}
-		var p protocol
-		if r.IP().Is4() {
-			p = protocolV4
-		} else {
-			p = protocolV6
-		}
-		rules, err := f.addRules("local route", weightKnownTraffic, conditions, wf.ActionPermit, p, directionBoth)
-		if err != nil {
-			return err
-		}
-		f.permittedRoutes[r] = rules
-	}
-	return nil
-}
-
-func (f *Firewall) newRule(name string, w weight, layer wf.LayerID, conditions []*wf.Match, action wf.Action) (*wf.Rule, error) {
-	id, err := windows.GenerateGUID()
-	if err != nil {
-		return nil, err
-	}
-	return &wf.Rule{
-		Name:       ruleName(action, layer, name),
-		ID:         wf.RuleID(id),
-		Provider:   f.providerID,
-		Sublayer:   f.sublayerID,
-		Layer:      layer,
-		Weight:     uint64(w),
-		Conditions: conditions,
-		Action:     action,
-	}, nil
-}
-
-func (f *Firewall) addRules(name string, w weight, conditions []*wf.Match, action wf.Action, p protocol, d direction) ([]*wf.Rule, error) {
-	var rules []*wf.Rule
-	for _, l := range p.getLayers(d) {
-		r, err := f.newRule(name, w, l, conditions, action)
-		if err != nil {
-			return nil, err
-		}
-		if err := f.session.AddRule(r); err != nil {
-			return nil, err
-		}
-		rules = append(rules, r)
-	}
-	return rules, nil
-}
-
-func (f *Firewall) blockAll(w weight) error {
-	_, err := f.addRules("all", w, nil, wf.ActionBlock, protocolAll, directionBoth)
-	return err
-}
-
-func (f *Firewall) permitNDP(w weight) error {
-	// These are aliased according to:
-	// https://social.msdn.microsoft.com/Forums/azure/en-US/eb2aa3cd-5f1c-4461-af86-61e7d43ccc23/filtering-icmp-by-type-code?forum=wfp
-	fieldICMPType := wf.FieldIPLocalPort
-	fieldICMPCode := wf.FieldIPRemotePort
-
-	var icmpConditions = func(t, c uint16, remoteAddress interface{}) []*wf.Match {
-		conditions := []*wf.Match{
-			{
-				Field: wf.FieldIPProtocol,
-				Op:    wf.MatchTypeEqual,
-				Value: wf.IPProtoICMPV6,
-			},
-			{
-				Field: fieldICMPType,
-				Op:    wf.MatchTypeEqual,
-				Value: t,
-			},
-			{
-				Field: fieldICMPCode,
-				Op:    wf.MatchTypeEqual,
-				Value: c,
-			},
-		}
-		if remoteAddress != nil {
-			conditions = append(conditions, &wf.Match{
-				Field: wf.FieldIPRemoteAddress,
-				Op:    wf.MatchTypeEqual,
-				Value: linkLocalRouterMulticast,
-			})
-		}
-		return conditions
-	}
-	/* TODO: actually handle the hop limit somehow! The rules should vaguely be:
-	 *  - icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255
-	 *  - icmpv6 134: must be incoming, src must be FE80::/10, hop limit must be 255
-	 *  - icmpv6 135: either incoming or outgoing, hop limit must be 255
-	 *  - icmpv6 136: either incoming or outgoing, hop limit must be 255
-	 *  - icmpv6 137: must be incoming, src must be FE80::/10, hop limit must be 255
-	 */
-
-	//
-	// Router Solicitation Message
-	// ICMP type 133, code 0. Outgoing.
-	//
-	conditions := icmpConditions(133, 0, linkLocalRouterMulticast)
-	if _, err := f.addRules("NDP type 133", w, conditions, wf.ActionPermit, protocolV6, directionOutbound); err != nil {
-		return err
-	}
-
-	//
-	// Router Advertisement Message
-	// ICMP type 134, code 0. Incoming.
-	//
-	conditions = icmpConditions(134, 0, linkLocalRange)
-	if _, err := f.addRules("NDP type 134", w, conditions, wf.ActionPermit, protocolV6, directionInbound); err != nil {
-		return err
-	}
-
-	//
-	// Neighbor Solicitation Message
-	// ICMP type 135, code 0. Bi-directional.
-	//
-	conditions = icmpConditions(135, 0, nil)
-	if _, err := f.addRules("NDP type 135", w, conditions, wf.ActionPermit, protocolV6, directionBoth); err != nil {
-		return err
-	}
-
-	//
-	// Neighbor Advertisement Message
-	// ICMP type 136, code 0. Bi-directional.
-	//
-	conditions = icmpConditions(136, 0, nil)
-	if _, err := f.addRules("NDP type 136", w, conditions, wf.ActionPermit, protocolV6, directionBoth); err != nil {
-		return err
-	}
-
-	//
-	// Redirect Message
-	// ICMP type 137, code 0. Incoming.
-	//
-	conditions = icmpConditions(137, 0, linkLocalRange)
-	if _, err := f.addRules("NDP type 137", w, conditions, wf.ActionPermit, protocolV6, directionInbound); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (f *Firewall) permitDHCPv6(w weight) error {
-	var dhcpConditions = func(remoteAddrs ...interface{}) []*wf.Match {
-		conditions := []*wf.Match{
-			{
-				Field: wf.FieldIPProtocol,
-				Op:    wf.MatchTypeEqual,
-				Value: wf.IPProtoUDP,
-			},
-			{
-				Field: wf.FieldIPLocalAddress,
-				Op:    wf.MatchTypeEqual,
-				Value: linkLocalRange,
-			},
-			{
-				Field: wf.FieldIPLocalPort,
-				Op:    wf.MatchTypeEqual,
-				Value: uint16(546),
-			},
-			{
-				Field: wf.FieldIPRemotePort,
-				Op:    wf.MatchTypeEqual,
-				Value: uint16(547),
-			},
-		}
-		for _, a := range remoteAddrs {
-			conditions = append(conditions, &wf.Match{
-				Field: wf.FieldIPRemoteAddress,
-				Op:    wf.MatchTypeEqual,
-				Value: a,
-			})
-		}
-		return conditions
-	}
-	conditions := dhcpConditions(linkLocalDHCPMulticast, siteLocalDHCPMulticast)
-	if _, err := f.addRules("DHCP request", w, conditions, wf.ActionPermit, protocolV6, directionOutbound); err != nil {
-		return err
-	}
-	conditions = dhcpConditions(linkLocalRange)
-	if _, err := f.addRules("DHCP response", w, conditions, wf.ActionPermit, protocolV6, directionInbound); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (f *Firewall) permitDHCPv4(w weight) error {
-	var dhcpConditions = func(remoteAddrs ...interface{}) []*wf.Match {
-		conditions := []*wf.Match{
-			{
-				Field: wf.FieldIPProtocol,
-				Op:    wf.MatchTypeEqual,
-				Value: wf.IPProtoUDP,
-			},
-			{
-				Field: wf.FieldIPLocalPort,
-				Op:    wf.MatchTypeEqual,
-				Value: uint16(68),
-			},
-			{
-				Field: wf.FieldIPRemotePort,
-				Op:    wf.MatchTypeEqual,
-				Value: uint16(67),
-			},
-		}
-		for _, a := range remoteAddrs {
-			conditions = append(conditions, &wf.Match{
-				Field: wf.FieldIPRemoteAddress,
-				Op:    wf.MatchTypeEqual,
-				Value: a,
-			})
-		}
-		return conditions
-	}
-	conditions := dhcpConditions(netaddr.IPv4(255, 255, 255, 255))
-	if _, err := f.addRules("DHCP request", w, conditions, wf.ActionPermit, protocolV4, directionOutbound); err != nil {
-		return err
-	}
-
-	conditions = dhcpConditions()
-	if _, err := f.addRules("DHCP response", w, conditions, wf.ActionPermit, protocolV4, directionInbound); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (f *Firewall) permitTunInterface(w weight) error {
-	condition := []*wf.Match{
-		{
-			Field: wf.FieldIPLocalInterface,
-			Op:    wf.MatchTypeEqual,
-			Value: f.luid,
-		},
-	}
-	_, err := f.addRules("on TUN", w, condition, wf.ActionPermit, protocolAll, directionBoth)
-	return err
-}
-
-func (f *Firewall) permitLoopback(w weight) error {
-	condition := []*wf.Match{
-		{
-			Field: wf.FieldFlags,
-			Op:    wf.MatchTypeEqual,
-			Value: wf.ConditionFlagIsLoopback,
-		},
-	}
-	_, err := f.addRules("on loopback", w, condition, wf.ActionPermit, protocolAll, directionBoth)
-	return err
-}
-
-func (f *Firewall) permitDNS(w weight) error {
-	conditions := []*wf.Match{
-		{
-			Field: wf.FieldIPRemotePort,
-			Op:    wf.MatchTypeEqual,
-			Value: uint16(53),
-		},
-		// Repeat the condition type for logical OR.
-		{
-			Field: wf.FieldIPProtocol,
-			Op:    wf.MatchTypeEqual,
-			Value: wf.IPProtoUDP,
-		},
-		{
-			Field: wf.FieldIPProtocol,
-			Op:    wf.MatchTypeEqual,
-			Value: wf.IPProtoTCP,
-		},
-	}
-	_, err := f.addRules("DNS", w, conditions, wf.ActionPermit, protocolAll, directionBoth)
-	return err
-}
-
-func (f *Firewall) permitTailscaleService(w weight) error {
-	currentFile, err := os.Executable()
-	if err != nil {
-		return err
-	}
-
-	appID, err := wf.AppID(currentFile)
-	if err != nil {
-		return fmt.Errorf("could not get app id for %q: %w", currentFile, err)
-	}
-	conditions := []*wf.Match{
-		{
-			Field: wf.FieldALEAppID,
-			Op:    wf.MatchTypeEqual,
-			Value: appID,
-		},
-	}
-	_, err = f.addRules("unrestricted traffic for Tailscale service", w, conditions, wf.ActionPermit, protocolAll, directionBoth)
-	return err
-}
--- a/wgengine/bench/bench.go
+++ b/wgengine/bench/bench.go
@@ -80,14 +80,14 @@ func main() {

 	// tx=134236 rx=133166 (1070 = 0.80% loss) (1088.9 Mbits/sec)
 	case 101:
-		setupWGTest(nil, logf, traf, Addr1, Addr2)
+		setupWGTest(logf, traf, Addr1, Addr2)

 	default:
 		log.Fatalf("provide a valid test number (0..n)")
 	}

 	logf("initialized ok.")
-	traf.Start(Addr1.IP(), Addr2.IP(), PayloadSize+ICMPMinSize, 0)
+	traf.Start(Addr1.IP, Addr2.IP, PayloadSize+ICMPMinSize, 0)

 	var cur, prev Snapshot
 	var pps int64
--- a/wgengine/bench/bench_test.go
+++ b/wgengine/bench/bench_test.go
@@ -43,7 +43,7 @@ func BenchmarkBatchTCP(b *testing.B) {

 func BenchmarkWireGuardTest(b *testing.B) {
 	run(b, func(logf logger.Logf, traf *TrafficGen) {
-		setupWGTest(b, logf, traf, Addr1, Addr2)
+		setupWGTest(logf, traf, Addr1, Addr2)
 	})
 }

@@ -78,7 +78,7 @@ func runOnce(b *testing.B, setup SetupFunc, payload int) {
 	logf("initialized. (n=%v)", b.N)
 	b.SetBytes(int64(payload))

-	traf.Start(Addr1.IP(), Addr2.IP(), payload, int64(b.N))
+	traf.Start(Addr1.IP, Addr2.IP, payload, int64(b.N))

 	var cur, prev Snapshot
 	var pps int64
--- a/wgengine/bench/trafficgen.go
+++ b/wgengine/bench/trafficgen.go
@@ -180,7 +180,6 @@ func (t *TrafficGen) Generate(b []byte, ofs int) int {
 // GotPacket processes a packet that came back on the receive side.
 func (t *TrafficGen) GotPacket(b []byte, ofs int) {
 	t.mu.Lock()
-	defer t.mu.Unlock()

 	s := &t.cur
 	seq := int64(binary.BigEndian.Uint64(
@@ -204,6 +203,9 @@ func (t *TrafficGen) GotPacket(b []byte, ofs int) {

 	f := t.onFirstPacket
 	t.onFirstPacket = nil
+
+	t.mu.Unlock()
+
 	if f != nil {
 		f()
 	}
--- a/wgengine/bench/wg.go
+++ b/wgengine/bench/wg.go
@@ -5,12 +5,11 @@
 package main

 import (
-	"errors"
 	"io"
 	"log"
 	"os"
+	"strings"
 	"sync"
-	"testing"

 	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
@@ -26,7 +25,7 @@ import (
 	"tailscale.com/wgengine/wgcfg"
 )

-func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netaddr.IPPrefix) {
+func setupWGTest(logf logger.Logf, traf *TrafficGen, a1, a2 netaddr.IPPrefix) {
 	l1 := logger.WithPrefix(logf, "e1: ")
 	k1, err := wgkey.NewPrivate()
 	if err != nil {
@@ -50,9 +49,6 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
 	if err != nil {
 		log.Fatalf("e1 init: %v", err)
 	}
-	if b != nil {
-		b.Cleanup(e1.Close)
-	}

 	l2 := logger.WithPrefix(logf, "e2: ")
 	k2, err := wgkey.NewPrivate()
@@ -77,9 +73,6 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
 	if err != nil {
 		log.Fatalf("e2 init: %v", err)
 	}
-	if b != nil {
-		b.Cleanup(e2.Close)
-	}

 	e1.SetFilter(filter.NewAllowAllForTest(l1))
 	e2.SetFilter(filter.NewAllowAllForTest(l2))
@@ -87,25 +80,15 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
 	var wait sync.WaitGroup
 	wait.Add(2)

-	var e1waitDoneOnce sync.Once
 	e1.SetStatusCallback(func(st *wgengine.Status, err error) {
-		if errors.Is(err, wgengine.ErrEngineClosing) {
-			return
-		}
 		if err != nil {
 			log.Fatalf("e1 status err: %v", err)
 		}
 		logf("e1 status: %v", *st)

 		var eps []string
-		var ipps []netaddr.IPPort
 		for _, ep := range st.LocalAddrs {
 			eps = append(eps, ep.Addr.String())
-			ipps = append(ipps, ep.Addr)
-		}
-		endpoint := wgcfg.Endpoints{
-			PublicKey: c1.PrivateKey.Public(),
-			IPPorts:   wgcfg.NewIPPortSet(ipps...),
 		}

 		n := tailcfg.Node{
@@ -124,32 +107,22 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
 		p := wgcfg.Peer{
 			PublicKey:  c1.PrivateKey.Public(),
 			AllowedIPs: []netaddr.IPPrefix{a1},
-			Endpoints:  endpoint,
+			Endpoints:  strings.Join(eps, ","),
 		}
 		c2.Peers = []wgcfg.Peer{p}
 		e2.Reconfig(&c2, &router.Config{}, new(dns.Config))
-		e1waitDoneOnce.Do(wait.Done)
+		wait.Done()
 	})

-	var e2waitDoneOnce sync.Once
 	e2.SetStatusCallback(func(st *wgengine.Status, err error) {
-		if errors.Is(err, wgengine.ErrEngineClosing) {
-			return
-		}
 		if err != nil {
 			log.Fatalf("e2 status err: %v", err)
 		}
 		logf("e2 status: %v", *st)

 		var eps []string
-		var ipps []netaddr.IPPort
 		for _, ep := range st.LocalAddrs {
 			eps = append(eps, ep.Addr.String())
-			ipps = append(ipps, ep.Addr)
-		}
-		endpoint := wgcfg.Endpoints{
-			PublicKey: c2.PrivateKey.Public(),
-			IPPorts:   wgcfg.NewIPPortSet(ipps...),
 		}

 		n := tailcfg.Node{
@@ -168,11 +141,11 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
 		p := wgcfg.Peer{
 			PublicKey:  c2.PrivateKey.Public(),
 			AllowedIPs: []netaddr.IPPrefix{a2},
-			Endpoints:  endpoint,
+			Endpoints:  strings.Join(eps, ","),
 		}
 		c1.Peers = []wgcfg.Peer{p}
 		e1.Reconfig(&c1, &router.Config{}, new(dns.Config))
-		e2waitDoneOnce.Do(wait.Done)
+		wait.Done()
 	})

 	// Not using DERP in this test (for now?).
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -98,8 +98,8 @@ const (
 // everything. Use in tests only, as it permits some kinds of spoofing
 // attacks to reach the OS network stack.
 func NewAllowAllForTest(logf logger.Logf) *Filter {
-	any4 := netaddr.IPPrefixFrom(netaddr.IPv4(0, 0, 0, 0), 0)
-	any6 := netaddr.IPPrefixFrom(netaddr.IPFrom16([16]byte{}), 0)
+	any4 := netaddr.IPPrefix{IP: netaddr.IPv4(0, 0, 0, 0), Bits: 0}
+	any6 := netaddr.IPPrefix{IP: netaddr.IPFrom16([16]byte{}), Bits: 0}
 	ms := []Match{
 		{
 			Srcs: []netaddr.IPPrefix{any4},
@@ -185,12 +185,12 @@ func matchesFamily(ms matches, keep func(netaddr.IP) bool) matches {
 		var retm Match
 		retm.IPProto = m.IPProto
 		for _, src := range m.Srcs {
-			if keep(src.IP()) {
+			if keep(src.IP) {
 				retm.Srcs = append(retm.Srcs, src)
 			}
 		}
 		for _, dst := range m.Dsts {
-			if keep(dst.Net.IP()) {
+			if keep(dst.Net.IP) {
 				retm.Dsts = append(retm.Dsts, dst)
 			}
 		}
@@ -266,10 +266,12 @@ func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
 	default:
 		panic("unreachable")
 	}
-	pkt.Src = netaddr.IPPortFrom(srcIP, 0)
-	pkt.Dst = netaddr.IPPortFrom(dstIP, dstPort)
+	pkt.Src.IP = srcIP
+	pkt.Dst.IP = dstIP
 	pkt.IPProto = ipproto.TCP
 	pkt.TCPFlags = packet.TCPSyn
+	pkt.Src.Port = 0
+	pkt.Dst.Port = dstPort

 	return f.RunIn(pkt, 0)
 }
@@ -319,7 +321,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
 	// A compromised peer could try to send us packets for
 	// destinations we didn't explicitly advertise. This check is to
 	// prevent that.
-	if !f.local.Contains(q.Dst.IP()) {
+	if !f.local.Contains(q.Dst.IP) {
 		return Drop, "destination not allowed"
 	}

@@ -376,7 +378,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
 	// A compromised peer could try to send us packets for
 	// destinations we didn't explicitly advertise. This check is to
 	// prevent that.
-	if !f.local.Contains(q.Dst.IP()) {
+	if !f.local.Contains(q.Dst.IP) {
 		return Drop, "destination not allowed"
 	}

@@ -478,11 +480,11 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {
 		return Drop
 	}

-	if q.Dst.IP().IsMulticast() {
+	if q.Dst.IP.IsMulticast() {
 		f.logRateLimit(rf, q, dir, Drop, "multicast")
 		return Drop
 	}
-	if q.Dst.IP().IsLinkLocalUnicast() && q.Dst.IP() != gcpDNSAddr {
+	if q.Dst.IP.IsLinkLocalUnicast() && q.Dst.IP != gcpDNSAddr {
 		f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
 		return Drop
 	}
@@ -504,7 +506,7 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {

 // loggingAllowed reports whether p can appear in logs at all.
 func (f *Filter) loggingAllowed(p *packet.Parsed) bool {
-	return f.logIPs.Contains(p.Src.IP()) && f.logIPs.Contains(p.Dst.IP())
+	return f.logIPs.Contains(p.Src.IP) && f.logIPs.Contains(p.Dst.IP)
 }

 // omitDropLogging reports whether packet p, which has already been
@@ -516,5 +518,5 @@ func omitDropLogging(p *packet.Parsed, dir direction) bool {
 		return false
 	}

-	return p.Dst.IP().IsMulticast() || (p.Dst.IP().IsLinkLocalUnicast() && p.Dst.IP() != gcpDNSAddr) || p.IPProto == ipproto.IGMP
+	return p.Dst.IP.IsMulticast() || (p.Dst.IP.IsLinkLocalUnicast() && p.Dst.IP != gcpDNSAddr) || p.IPProto == ipproto.IGMP
 }
--- a/wgengine/filter/filter_test.go
+++ b/wgengine/filter/filter_test.go
@@ -120,9 +120,9 @@ func TestFilter(t *testing.T) {
 		if test.p.IPProto == ipproto.TCP {
 			var got Response
 			if test.p.IPVersion == 4 {
-				got = acl.CheckTCP(test.p.Src.IP(), test.p.Dst.IP(), test.p.Dst.Port())
+				got = acl.CheckTCP(test.p.Src.IP, test.p.Dst.IP, test.p.Dst.Port)
 			} else {
-				got = acl.CheckTCP(test.p.Src.IP(), test.p.Dst.IP(), test.p.Dst.Port())
+				got = acl.CheckTCP(test.p.Src.IP, test.p.Dst.IP, test.p.Dst.Port)
 			}
 			if test.want != got {
 				t.Errorf("#%d CheckTCP got=%v want=%v packet:%v", i, got, test.want, test.p)
@@ -254,9 +254,7 @@ func TestParseIPSet(t *testing.T) {
 			}
 			t.Errorf("parseIPSet(%q, %v) error: %v; want error %q", tt.host, tt.bits, err, tt.wantErr)
 		}
-		compareIP := cmp.Comparer(func(a, b netaddr.IP) bool { return a == b })
-		compareIPPrefix := cmp.Comparer(func(a, b netaddr.IPPrefix) bool { return a == b })
-		if diff := cmp.Diff(got, tt.want, compareIP, compareIPPrefix); diff != "" {
+		if diff := cmp.Diff(got, tt.want, cmp.Comparer(func(a, b netaddr.IP) bool { return a == b })); diff != "" {
 			t.Errorf("parseIPSet(%q, %v) = %s; want %s", tt.host, tt.bits, got, tt.want)
 			continue
 		}
@@ -427,10 +425,10 @@ func TestLoggingPrivacy(t *testing.T) {
 	f.logIPs = logB.IPSet()

 	var (
-		ts4       = netaddr.IPPortFrom(tsaddr.CGNATRange().IP().Next(), 1234)
-		internet4 = netaddr.IPPortFrom(netaddr.MustParseIP("8.8.8.8"), 1234)
-		ts6       = netaddr.IPPortFrom(tsaddr.TailscaleULARange().IP().Next(), 1234)
-		internet6 = netaddr.IPPortFrom(netaddr.MustParseIP("2001::1"), 1234)
+		ts4       = netaddr.IPPort{IP: tsaddr.CGNATRange().IP.Next(), Port: 1234}
+		internet4 = netaddr.IPPort{IP: netaddr.MustParseIP("8.8.8.8"), Port: 1234}
+		ts6       = netaddr.IPPort{IP: tsaddr.TailscaleULARange().IP.Next(), Port: 1234}
+		internet6 = netaddr.IPPort{IP: netaddr.MustParseIP("2001::1"), Port: 1234}
 	)

 	tests := []struct {
@@ -547,8 +545,10 @@ func parsed(proto ipproto.Proto, src, dst string, sport, dport uint16) packet.Pa
 	var ret packet.Parsed
 	ret.Decode(dummyPacket)
 	ret.IPProto = proto
-	ret.Src = netaddr.IPPortFrom(sip, sport)
-	ret.Dst = netaddr.IPPortFrom(dip, dport)
+	ret.Src.IP = sip
+	ret.Src.Port = sport
+	ret.Dst.IP = dip
+	ret.Dst.Port = dport
 	ret.TCPFlags = packet.TCPSyn

 	if sip.Is4() {
@@ -674,7 +674,7 @@ func nets(nets ...string) (ret []netaddr.IPPrefix) {
 			if ip.Is6() {
 				bits = 128
 			}
-			ret = append(ret, netaddr.IPPrefixFrom(ip, bits))
+			ret = append(ret, netaddr.IPPrefix{IP: ip, Bits: bits})
 		} else {
 			pfx, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -85,14 +85,14 @@ func (ms matches) match(q *packet.Parsed) bool {
 		if !protoInList(q.IPProto, m.IPProto) {
 			continue
 		}
-		if !ipInList(q.Src.IP(), m.Srcs) {
+		if !ipInList(q.Src.IP, m.Srcs) {
 			continue
 		}
 		for _, dst := range m.Dsts {
-			if !dst.Net.Contains(q.Dst.IP()) {
+			if !dst.Net.Contains(q.Dst.IP) {
 				continue
 			}
-			if !dst.Ports.contains(q.Dst.Port()) {
+			if !dst.Ports.contains(q.Dst.Port) {
 				continue
 			}
 			return true
@@ -103,11 +103,11 @@ func (ms matches) match(q *packet.Parsed) bool {

 func (ms matches) matchIPsOnly(q *packet.Parsed) bool {
 	for _, m := range ms {
-		if !ipInList(q.Src.IP(), m.Srcs) {
+		if !ipInList(q.Src.IP, m.Srcs) {
 			continue
 		}
 		for _, dst := range m.Dsts {
-			if dst.Net.Contains(q.Dst.IP()) {
+			if dst.Net.Contains(q.Dst.IP) {
 				return true
 			}
 		}
--- a/wgengine/filter/tailcfg.go
+++ b/wgengine/filter/tailcfg.go
@@ -99,8 +99,8 @@ func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
 	if arg == "*" {
 		// User explicitly requested wildcard.
 		return []netaddr.IPPrefix{
-			netaddr.IPPrefixFrom(zeroIP4, 0),
-			netaddr.IPPrefixFrom(zeroIP6, 0),
+			{IP: zeroIP4, Bits: 0},
+			{IP: zeroIP6, Bits: 0},
 		}, nil
 	}
 	if strings.Contains(arg, "/") {
@@ -124,7 +124,7 @@ func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
 		if err != nil {
 			return nil, err
 		}
-		r := netaddr.IPRangeFrom(ip1, ip2)
+		r := netaddr.IPRange{From: ip1, To: ip2}
 		if !r.Valid() {
 			return nil, fmt.Errorf("invalid IP range %q", arg)
 		}
@@ -141,5 +141,5 @@ func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
 		}
 		bits8 = uint8(*bits)
 	}
-	return []netaddr.IPPrefix{netaddr.IPPrefixFrom(ip, bits8)}, nil
+	return []netaddr.IPPrefix{{IP: ip, Bits: bits8}}, nil
 }
--- a/wgengine/magicsock/legacy.go
+++ b/wgengine/magicsock/legacy.go
@@ -10,6 +10,7 @@ import (
 	"crypto/subtle"
 	"encoding/binary"
 	"errors"
+	"fmt"
 	"hash"
 	"net"
 	"strings"
@@ -26,7 +27,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/wgkey"
-	"tailscale.com/wgengine/wgcfg"
 )

 var (
@@ -34,11 +34,7 @@ var (
 	errDisabled       = errors.New("magicsock: legacy networking disabled")
 )

-// createLegacyEndpointLocked creates a new wireguard-go endpoint for a legacy connection.
-// pk is the public key of the remote peer. addrs is the ordered set of addresses for the remote peer.
-// rawDest is the encoded wireguard-go endpoint string. It should be treated as a black box.
-// It is provided so that addrSet.DstToString can return it when requested by wireguard-go.
-func (c *Conn) createLegacyEndpointLocked(pk key.Public, addrs wgcfg.IPPortSet, rawDest string) (conn.Endpoint, error) {
+func (c *Conn) createLegacyEndpointLocked(pk key.Public, addrs string) (conn.Endpoint, error) {
 	if c.disableLegacy {
 		return nil, errDisabled
 	}
@@ -47,9 +43,17 @@ func (c *Conn) createLegacyEndpointLocked(pk key.Public, addrs wgcfg.IPPortSet,
 		Logf:      c.logf,
 		publicKey: pk,
 		curAddr:   -1,
-		rawdst:    rawDest,
 	}
-	a.ipPorts = append(a.ipPorts, addrs.IPPorts()...)
+
+	if addrs != "" {
+		for _, ep := range strings.Split(addrs, ",") {
+			ipp, err := netaddr.ParseIPPort(ep)
+			if err != nil {
+				return nil, fmt.Errorf("bogus address %q", ep)
+			}
+			a.ipPorts = append(a.ipPorts, ipp)
+		}
+	}

 	// If this endpoint is being updated, remember its old set of
 	// endpoints so we can remove any (from c.addrsByUDP) that are
@@ -62,7 +66,7 @@ func (c *Conn) createLegacyEndpointLocked(pk key.Public, addrs wgcfg.IPPortSet,

 	// Add entries to c.addrsByUDP.
 	for _, ipp := range a.ipPorts {
-		if ipp.IP() == derpMagicIPAddr {
+		if ipp.IP == derpMagicIPAddr {
 			continue
 		}
 		c.addrsByUDP[ipp] = a
@@ -70,7 +74,7 @@ func (c *Conn) createLegacyEndpointLocked(pk key.Public, addrs wgcfg.IPPortSet,

 	// Remove previous c.addrsByUDP entries that are no longer in the new set.
 	for _, ipp := range oldIPP {
-		if ipp.IP() != derpMagicIPAddr && c.addrsByUDP[ipp] != a {
+		if ipp.IP != derpMagicIPAddr && c.addrsByUDP[ipp] != a {
 			delete(c.addrsByUDP, ipp)
 		}
 	}
@@ -380,16 +384,13 @@ type addrSet struct {
 	// set to a better one. This is only to suppress some
 	// redundant logs.
 	loggedLogPriMask uint32
-
-	// rawdst is the destination string from/for wireguard-go.
-	rawdst string
 }

 // derpID returns this addrSet's home DERP node, or 0 if none is found.
 func (as *addrSet) derpID() int {
 	for _, ua := range as.ipPorts {
-		if ua.IP() == derpMagicIPAddr {
-			return int(ua.Port())
+		if ua.IP == derpMagicIPAddr {
+			return int(ua.Port)
 		}
 	}
 	return 0
@@ -425,10 +426,20 @@ func (a *addrSet) DstToBytes() []byte {
 	return packIPPort(a.dst())
 }
 func (a *addrSet) DstToString() string {
-	return a.rawdst
+	var addrs []string
+	for _, addr := range a.ipPorts {
+		addrs = append(addrs, addr.String())
+	}
+
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	if a.roamAddr != nil {
+		addrs = append(addrs, a.roamAddr.String())
+	}
+	return strings.Join(addrs, ",")
 }
 func (a *addrSet) DstIP() net.IP {
-	return a.dst().IP().IPAddr().IP // TODO: add netaddr accessor to cut an alloc here?
+	return a.dst().IP.IPAddr().IP // TODO: add netaddr accessor to cut an alloc here?
 }
 func (a *addrSet) SrcIP() net.IP       { return nil }
 func (a *addrSet) SrcToString() string { return "" }
@@ -437,7 +448,7 @@ func (a *addrSet) ClearSrc()           {}
 // updateDst records receipt of a packet from new. This is used to
 // potentially update the transmit address used for this addrSet.
 func (a *addrSet) updateDst(new netaddr.IPPort) error {
-	if new.IP() == derpMagicIPAddr {
+	if new.IP == derpMagicIPAddr {
 		// Never consider DERP addresses as a viable candidate for
 		// either curAddr or roamAddr. It's only ever a last resort
 		// choice, never a preferred choice.
@@ -539,7 +550,7 @@ func (as *addrSet) populatePeerStatus(ps *ipnstate.PeerStatus) {

 	ps.LastWrite = as.lastSend
 	for i, ua := range as.ipPorts {
-		if ua.IP() == derpMagicIPAddr {
+		if ua.IP == derpMagicIPAddr {
 			continue
 		}
 		uaStr := ua.String()
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -11,7 +11,6 @@ import (
 	"context"
 	crand "crypto/rand"
 	"encoding/binary"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"hash/fnv"
@@ -28,6 +27,7 @@ import (
 	"time"

 	"github.com/tailscale/wireguard-go/conn"
+	"go4.org/mem"
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/time/rate"
 	"inet.af/netaddr"
@@ -401,7 +401,7 @@ type Options struct {
 	// and 10 seconds seems like a good trade-off between often
 	// enough and not too often.) The provided func is called
 	// while holding userspaceEngine.wgLock and likely calls
-	// Conn.ParseEndpoint, which acquires Conn.mu. As such, you
+	// Conn.CreateEndpoint, which acquires Conn.mu. As such, you
 	// should not hold Conn.mu while calling it.
 	NoteRecvActivity func(tailcfg.DiscoKey)

@@ -832,7 +832,7 @@ func (c *Conn) Ping(peer *tailcfg.Node, res *ipnstate.PingResult, cb func(*ipnst
 		return
 	}
 	if len(peer.Addresses) > 0 {
-		res.NodeIP = peer.Addresses[0].IP().String()
+		res.NodeIP = peer.Addresses[0].IP.String()
 	}
 	res.NodeName = peer.Name // prefer DNS name
 	if res.NodeName == "" {
@@ -878,11 +878,11 @@ func (c *Conn) Ping(peer *tailcfg.Node, res *ipnstate.PingResult, cb func(*ipnst
 // c.mu must be held
 func (c *Conn) populateCLIPingResponseLocked(res *ipnstate.PingResult, latency time.Duration, ep netaddr.IPPort) {
 	res.LatencySeconds = latency.Seconds()
-	if ep.IP() != derpMagicIPAddr {
+	if ep.IP != derpMagicIPAddr {
 		res.Endpoint = ep.String()
 		return
 	}
-	regionID := int(ep.Port())
+	regionID := int(ep.Port)
 	res.DERPRegionID = regionID
 	if c.derpMap != nil {
 		if dr, ok := c.derpMap.Regions[regionID]; ok {
@@ -965,7 +965,7 @@ func (c *Conn) goDerpConnect(node int) {
 	if node == 0 {
 		return
 	}
-	go c.derpWriteChanOfAddr(netaddr.IPPortFrom(derpMagicIPAddr, uint16(node)), key.Public{})
+	go c.derpWriteChanOfAddr(netaddr.IPPort{IP: derpMagicIPAddr, Port: uint16(node)}, key.Public{})
 }

 // determineEndpoints returns the machine's endpoint addresses. It
@@ -1037,7 +1037,7 @@ func (c *Conn) determineEndpoints(ctx context.Context) ([]tailcfg.Endpoint, erro
 			ips = loopback
 		}
 		for _, ip := range ips {
-			addAddr(netaddr.IPPortFrom(ip, uint16(localAddr.Port)), tailcfg.EndpointLocal)
+			addAddr(netaddr.IPPort{IP: ip, Port: uint16(localAddr.Port)}, tailcfg.EndpointLocal)
 		}
 	} else {
 		// Our local endpoint is bound to a particular address.
@@ -1169,7 +1169,7 @@ func (c *Conn) sendUDPStd(addr *net.UDPAddr, b []byte) (sent bool, err error) {
 // IPv6 address when the local machine doesn't have IPv6 support
 // returns (false, nil); it's not an error, but nothing was sent.
 func (c *Conn) sendAddr(addr netaddr.IPPort, pubKey key.Public, b []byte) (sent bool, err error) {
-	if addr.IP() != derpMagicIPAddr {
+	if addr.IP != derpMagicIPAddr {
 		return c.sendUDP(addr, b)
 	}

@@ -1211,10 +1211,10 @@ const bufferedDerpWritesBeforeDrop = 32
 // If peer is non-zero, it can be used to find an active reverse
 // path, without using addr.
 func (c *Conn) derpWriteChanOfAddr(addr netaddr.IPPort, peer key.Public) chan<- derpWriteRequest {
-	if addr.IP() != derpMagicIPAddr {
+	if addr.IP != derpMagicIPAddr {
 		return nil
 	}
-	regionID := int(addr.Port())
+	regionID := int(addr.Port)

 	if c.networkDown() {
 		return nil
@@ -1402,7 +1402,7 @@ func (c *Conn) runDerpReader(ctx context.Context, derpFakeAddr netaddr.IPPort, d
 	}

 	didCopy := make(chan struct{}, 1)
-	regionID := int(derpFakeAddr.Port())
+	regionID := int(derpFakeAddr.Port)
 	res := derpReadResult{regionID: regionID}
 	var pkt derp.ReceivedPacket
 	res.copyBuf = func(dst []byte) int {
@@ -1676,7 +1676,7 @@ func (c *Conn) processDERPReadResult(dm derpReadResult, b []byte) (n int, ep con
 		return 0, nil
 	}

-	ipp := netaddr.IPPortFrom(derpMagicIPAddr, uint16(regionID))
+	ipp := netaddr.IPPort{IP: derpMagicIPAddr, Port: uint16(regionID)}
 	if c.handleDiscoMessage(b[:n], ipp) {
 		return 0, nil
 	}
@@ -1696,7 +1696,7 @@ func (c *Conn) processDERPReadResult(dm derpReadResult, b []byte) (n int, ep con
 		if discoEp == nil && c.noteRecvActivity != nil {
 			didNoteRecvActivity = true
 			c.mu.Unlock()          // release lock before calling noteRecvActivity
-			c.noteRecvActivity(dk) // (calls back into ParseEndpoint)
+			c.noteRecvActivity(dk) // (calls back into CreateEndpoint)
 			// Now require the lock. No invariants need to be rechecked; just
 			// 1-2 map lookups follow that are harmless if, say, the peer has
 			// been deleted during this time.
@@ -1837,7 +1837,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 		// We don't have an active endpoint for this sender but we knew about the node, so
 		// it's an idle endpoint that doesn't yet exist in the wireguard config. We now have
 		// to notify the userspace engine (via noteRecvActivity) so wireguard-go can create
-		// an Endpoint (ultimately calling our ParseEndpoint).
+		// an Endpoint (ultimately calling our CreateEndpoint).
 		c.logf("magicsock: got disco message from idle peer, starting lazy conf for %v, %v", peerNode.Key.ShortString(), sender.ShortString())
 		if c.noteRecvActivity == nil {
 			c.logf("magicsock: [unexpected] have node without endpoint, without c.noteRecvActivity hook")
@@ -1851,7 +1851,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 		// We can't hold Conn.mu while calling noteRecvActivity.
 		// noteRecvActivity acquires userspaceEngine.wgLock (and per our
 		// lock ordering rules: wgLock must come first), and also calls
-		// back into our Conn.ParseEndpoint, which would double-acquire
+		// back into our Conn.CreateEndpoint, which would double-acquire
 		// Conn.mu.
 		c.mu.Unlock()
 		c.noteRecvActivity(sender)
@@ -1922,7 +1922,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 		}
 		de.handlePongConnLocked(dm, src)
 	case *disco.CallMeMaybe:
-		if src.IP() != derpMagicIPAddr {
+		if src.IP != derpMagicIPAddr {
 			// CallMeMaybe messages should only come via DERP.
 			c.logf("[unexpected] CallMeMaybe packets should only come via DERP")
 			return
@@ -2722,7 +2722,7 @@ func (c *Conn) resetEndpointStates() {

 // packIPPort packs an IPPort into the form wanted by WireGuard.
 func packIPPort(ua netaddr.IPPort) []byte {
-	ip := ua.IP().Unmap()
+	ip := ua.IP.Unmap()
 	a := ip.As16()
 	ipb := a[:]
 	if ip.Is4() {
@@ -2730,38 +2730,50 @@ func packIPPort(ua netaddr.IPPort) []byte {
 	}
 	b := make([]byte, 0, len(ipb)+2)
 	b = append(b, ipb...)
-	b = append(b, byte(ua.Port()))
-	b = append(b, byte(ua.Port()>>8))
+	b = append(b, byte(ua.Port))
+	b = append(b, byte(ua.Port>>8))
 	return b
 }

 // ParseEndpoint is called by WireGuard to connect to an endpoint.
-// endpointStr is a json-serialized wgcfg.Endpoints struct.
-// If those Endpoints contain an active discovery key, ParseEndpoint returns a discoEndpoint.
-// Otherwise it returns a legacy endpoint.
-func (c *Conn) ParseEndpoint(endpointStr string) (conn.Endpoint, error) {
-	var endpoints wgcfg.Endpoints
-	err := json.Unmarshal([]byte(endpointStr), &endpoints)
-	if err != nil {
-		return nil, fmt.Errorf("magicsock: ParseEndpoint: json.Unmarshal failed on %q: %w", endpointStr, err)
+//
+// keyAddrs is the 32 byte public key of the peer followed by addrs.
+// Addrs is either:
+//
+//  1) a comma-separated list of UDP ip:ports (the peer doesn't have a discovery key)
+//  2) "<hex-discovery-key>.disco.tailscale:12345", a magic value that means the peer
+//     is running code that supports active discovery, so CreateEndpoint returns
+//     a discoEndpoint.
+func (c *Conn) ParseEndpoint(keyAddrs string) (conn.Endpoint, error) {
+	if len(keyAddrs) < 32 {
+		c.logf("[unexpected] ParseEndpoint keyAddrs too short: %q", keyAddrs)
+		return nil, errors.New("endpoint string too short")
 	}
-	pk := key.Public(endpoints.PublicKey)
-	discoKey := endpoints.DiscoKey
-	c.logf("magicsock: ParseEndpoint: key=%s: disco=%s ipps=%s", pk.ShortString(), discoKey.ShortString(), derpStr(endpoints.IPPorts.String()))
-
+	var pk key.Public
+	copy(pk[:], keyAddrs)
+	addrs := keyAddrs[len(pk):]
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	if discoKey.IsZero() {
-		return c.createLegacyEndpointLocked(pk, endpoints.IPPorts, endpointStr)
+
+	c.logf("magicsock: ParseEndpoint: key=%s: %s", pk.ShortString(), derpStr(addrs))
+
+	if !strings.HasSuffix(addrs, wgcfg.EndpointDiscoSuffix) {
+		return c.createLegacyEndpointLocked(pk, addrs)
+	}
+
+	discoHex := strings.TrimSuffix(addrs, wgcfg.EndpointDiscoSuffix)
+	discoKey, err := key.NewPublicFromHexMem(mem.S(discoHex))
+	if err != nil {
+		return nil, fmt.Errorf("magicsock: invalid discokey endpoint %q for %v: %w", addrs, pk.ShortString(), err)
 	}
 	de := &discoEndpoint{
-		c:             c,
-		publicKey:     tailcfg.NodeKey(pk),        // peer public key (for WireGuard + DERP)
-		discoKey:      tailcfg.DiscoKey(discoKey), // for discovery mesages
-		discoShort:    tailcfg.DiscoKey(discoKey).ShortString(),
-		wgEndpoint:    endpointStr,
-		sentPing:      map[stun.TxID]sentPing{},
-		endpointState: map[netaddr.IPPort]*endpointState{},
+		c:                  c,
+		publicKey:          tailcfg.NodeKey(pk),        // peer public key (for WireGuard + DERP)
+		discoKey:           tailcfg.DiscoKey(discoKey), // for discovery mesages
+		discoShort:         tailcfg.DiscoKey(discoKey).ShortString(),
+		wgEndpointHostPort: addrs,
+		sentPing:           map[stun.TxID]sentPing{},
+		endpointState:      map[netaddr.IPPort]*endpointState{},
 	}
 	de.initFakeUDPAddr()
 	de.updateFromNode(c.nodeOfDisco[de.discoKey])
@@ -2972,15 +2984,15 @@ func peerShort(k key.Public) string {
 }

 func sbPrintAddr(sb *strings.Builder, a netaddr.IPPort) {
-	is6 := a.IP().Is6()
+	is6 := a.IP.Is6()
 	if is6 {
 		sb.WriteByte('[')
 	}
-	fmt.Fprintf(sb, "%s", a.IP())
+	fmt.Fprintf(sb, "%s", a.IP)
 	if is6 {
 		sb.WriteByte(']')
 	}
-	fmt.Fprintf(sb, ":%d", a.Port())
+	fmt.Fprintf(sb, ":%d", a.Port)
 }

 func (c *Conn) derpRegionCodeOfAddrLocked(ipPort string) string {
@@ -3017,15 +3029,15 @@ func (c *Conn) UpdateStatus(sb *ipnstate.StatusBuilder) {
 			if !addr.IsSingleIP() {
 				continue
 			}
-			sb.AddTailscaleIP(addr.IP())
+			sb.AddTailscaleIP(addr.IP)
 			// TailAddr previously only allowed for a
 			// single Tailscale IP. For compatibility for
 			// a couple releases starting with 1.8, keep
 			// that field pulled out separately.
-			if addr.IP().Is4() {
-				tailAddr4 = addr.IP().String()
+			if addr.IP.Is4() {
+				tailAddr4 = addr.IP.String()
 			}
-			tailscaleIPs = append(tailscaleIPs, addr.IP())
+			tailscaleIPs = append(tailscaleIPs, addr.IP)
 		}
 	}

@@ -3084,8 +3096,8 @@ func (c *Conn) UpdateStatus(sb *ipnstate.StatusBuilder) {
 }

 func ippDebugString(ua netaddr.IPPort) string {
-	if ua.IP() == derpMagicIPAddr {
-		return fmt.Sprintf("derp-%d", ua.Port())
+	if ua.IP == derpMagicIPAddr {
+		return fmt.Sprintf("derp-%d", ua.Port)
 	}
 	return ua.String()
 }
@@ -3098,12 +3110,12 @@ type discoEndpoint struct {
 	numStopAndResetAtomic int64

 	// These fields are initialized once and never modified.
-	c          *Conn
-	publicKey  tailcfg.NodeKey  // peer public key (for WireGuard + DERP)
-	discoKey   tailcfg.DiscoKey // for discovery mesages
-	discoShort string           // ShortString of discoKey
-	fakeWGAddr netaddr.IPPort   // the UDP address we tell wireguard-go we're using
-	wgEndpoint string           // string from ParseEndpoint, holds a JSON-serialized wgcfg.Endpoints
+	c                  *Conn
+	publicKey          tailcfg.NodeKey  // peer public key (for WireGuard + DERP)
+	discoKey           tailcfg.DiscoKey // for discovery mesages
+	discoShort         string           // ShortString of discoKey
+	fakeWGAddr         netaddr.IPPort   // the UDP address we tell wireguard-go we're using
+	wgEndpointHostPort string           // string from CreateEndpoint: "<hex-discovery-key>.disco.tailscale:12345"

 	// Owned by Conn.mu:
 	lastPingFrom netaddr.IPPort
@@ -3254,7 +3266,10 @@ func (de *discoEndpoint) initFakeUDPAddr() {
 	addr[0] = 0xfd
 	addr[1] = 0x00
 	binary.BigEndian.PutUint64(addr[2:], uint64(reflect.ValueOf(de).Pointer()))
-	de.fakeWGAddr = netaddr.IPPortFrom(netaddr.IPFrom16(addr), 12345)
+	de.fakeWGAddr = netaddr.IPPort{
+		IP:   netaddr.IPFrom16(addr),
+		Port: 12345,
+	}
 }

 // isFirstRecvActivityInAwhile notes that receive activity has occured for this
@@ -3280,7 +3295,7 @@ func (de *discoEndpoint) String() string {
 func (de *discoEndpoint) ClearSrc()           {}
 func (de *discoEndpoint) SrcToString() string { panic("unused") } // unused by wireguard-go
 func (de *discoEndpoint) SrcIP() net.IP       { panic("unused") } // unused by wireguard-go
-func (de *discoEndpoint) DstToString() string { return de.wgEndpoint }
+func (de *discoEndpoint) DstToString() string { return de.wgEndpointHostPort }
 func (de *discoEndpoint) DstIP() net.IP       { panic("unused") }
 func (de *discoEndpoint) DstToBytes() []byte  { return packIPPort(de.fakeWGAddr) }

@@ -3629,7 +3644,7 @@ func (de *discoEndpoint) handlePongConnLocked(m *disco.Pong, src netaddr.IPPort)
 	de.mu.Lock()
 	defer de.mu.Unlock()

-	isDerp := src.IP() == derpMagicIPAddr
+	isDerp := src.IP == derpMagicIPAddr

 	sp, ok := de.sentPing[m.TxID]
 	if !ok {
@@ -3705,13 +3720,13 @@ func betterAddr(a, b addrLatency) bool {
 	if a.IsZero() {
 		return false
 	}
-	if a.IP().Is6() && b.IP().Is4() {
+	if a.IP.Is6() && b.IP.Is4() {
 		// Prefer IPv6 for being a bit more robust, as long as
 		// the latencies are roughly equivalent.
 		if a.latency/10*9 < b.latency {
 			return true
 		}
-	} else if a.IP().Is4() && b.IP().Is6() {
+	} else if a.IP.Is4() && b.IP.Is6() {
 		if betterAddr(b, a) {
 			return false
 		}
@@ -3751,7 +3766,7 @@ func (de *discoEndpoint) handleCallMeMaybe(m *disco.CallMeMaybe) {
 	}
 	var newEPs []netaddr.IPPort
 	for _, ep := range m.MyNumber {
-		if ep.IP().Is6() && ep.IP().IsLinkLocalUnicast() {
+		if ep.IP.Is6() && ep.IP.IsLinkLocalUnicast() {
 			// We send these out, but ignore them for now.
 			// TODO: teach the ping code to ping on all interfaces
 			// for these.
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@@ -10,7 +10,6 @@ import (
 	crand "crypto/rand"
 	"crypto/tls"
 	"encoding/binary"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -168,7 +167,7 @@ func newMagicStack(t testing.TB, logf logger.Logf, l nettype.PacketListener, der
 	tsTun.SetFilter(filter.NewAllowAllForTest(logf))

 	wgLogger := wglog.NewLogger(logf)
-	dev := device.NewDevice(tsTun, conn.Bind(), wgLogger.DeviceLogger)
+	dev := device.NewDevice(tsTun, conn.Bind(), wgLogger.DeviceLogger, new(device.DeviceOptions))
 	dev.Up()

 	// Wait for magicsock to connect up to DERP.
@@ -252,13 +251,13 @@ func meshStacks(logf logger.Logf, ms []*magicStack) (cleanup func()) {
 		nm := &netmap.NetworkMap{
 			PrivateKey: me.privateKey,
 			NodeKey:    tailcfg.NodeKey(me.privateKey.Public()),
-			Addresses:  []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPv4(1, 0, 0, byte(myIdx+1)), 32)},
+			Addresses:  []netaddr.IPPrefix{{IP: netaddr.IPv4(1, 0, 0, byte(myIdx+1)), Bits: 32}},
 		}
 		for i, peer := range ms {
 			if i == myIdx {
 				continue
 			}
-			addrs := []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPv4(1, 0, 0, byte(i+1)), 32)}
+			addrs := []netaddr.IPPrefix{{IP: netaddr.IPv4(1, 0, 0, byte(i+1)), Bits: 32}}
 			peer := &tailcfg.Node{
 				ID:         tailcfg.NodeID(i + 1),
 				Name:       fmt.Sprintf("node%d", i+1),
@@ -433,7 +432,7 @@ func TestPickDERPFallback(t *testing.T) {
 	// But move if peers are elsewhere.
 	const otherNode = 789
 	c.addrsByKey = map[key.Public]*addrSet{
-		{1}: {ipPorts: []netaddr.IPPort{netaddr.IPPortFrom(derpMagicIPAddr, otherNode)}},
+		{1}: {ipPorts: []netaddr.IPPort{{IP: derpMagicIPAddr, Port: otherNode}}},
 	}
 	if got := c.pickDERPFallback(); got != otherNode {
 		t.Errorf("didn't join peers: got %v; want %v", got, someNode)
@@ -454,7 +453,7 @@ func makeConfigs(t *testing.T, addrs []netaddr.IPPort) []wgcfg.Config {
 		privKeys = append(privKeys, wgkey.Private(privKey))

 		addresses = append(addresses, []netaddr.IPPrefix{
-			netaddr.MustParseIPPrefix(fmt.Sprintf("1.0.0.%d/32", i+1)),
+			parseCIDR(t, fmt.Sprintf("1.0.0.%d/32", i+1)),
 		})
 	}

@@ -469,14 +468,10 @@ func makeConfigs(t *testing.T, addrs []netaddr.IPPort) []wgcfg.Config {
 			if peerNum == i {
 				continue
 			}
-			publicKey := privKeys[peerNum].Public()
 			peer := wgcfg.Peer{
-				PublicKey:  publicKey,
-				AllowedIPs: addresses[peerNum],
-				Endpoints: wgcfg.Endpoints{
-					PublicKey: publicKey,
-					IPPorts:   wgcfg.NewIPPortSet(addr),
-				},
+				PublicKey:           privKeys[peerNum].Public(),
+				AllowedIPs:          addresses[peerNum],
+				Endpoints:           addr.String(),
 				PersistentKeepalive: 25,
 			}
 			cfg.Peers = append(cfg.Peers, peer)
@@ -486,6 +481,15 @@ func makeConfigs(t *testing.T, addrs []netaddr.IPPort) []wgcfg.Config {
 	return cfgs
 }

+func parseCIDR(t *testing.T, addr string) netaddr.IPPrefix {
+	t.Helper()
+	cidr, err := netaddr.ParseIPPrefix(addr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return cidr
+}
+
 // TestDeviceStartStop exercises the startup and shutdown logic of
 // wireguard-go, which is intimately intertwined with magicsock's own
 // lifecycle. We seem to be good at generating deadlocks here, so if
@@ -509,7 +513,7 @@ func TestDeviceStartStop(t *testing.T) {

 	tun := tuntest.NewChannelTUN()
 	wgLogger := wglog.NewLogger(t.Logf)
-	dev := device.NewDevice(tun.TUN(), conn.Bind(), wgLogger.DeviceLogger)
+	dev := device.NewDevice(tun.TUN(), conn.Bind(), wgLogger.DeviceLogger, new(device.DeviceOptions))
 	dev.Up()
 	dev.Close()
 }
@@ -887,8 +891,8 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	defer m2.Close()

 	addrs := []netaddr.IPPort{
-		netaddr.IPPortFrom(d.m1IP, m1.conn.LocalPort()),
-		netaddr.IPPortFrom(d.m2IP, m2.conn.LocalPort()),
+		{IP: d.m1IP, Port: m1.conn.LocalPort()},
+		{IP: d.m2IP, Port: m2.conn.LocalPort()},
 	}
 	cfgs := makeConfigs(t, addrs)

@@ -1247,19 +1251,6 @@ func newNonLegacyTestConn(t testing.TB) *Conn {
 	return conn
 }

-func makeEndpoint(tb testing.TB, public tailcfg.NodeKey, disco tailcfg.DiscoKey) string {
-	tb.Helper()
-	ep := wgcfg.Endpoints{
-		PublicKey: wgkey.Key(public),
-		DiscoKey:  disco,
-	}
-	buf, err := json.Marshal(ep)
-	if err != nil {
-		tb.Fatal(err)
-	}
-	return string(buf)
-}
-
 // addTestEndpoint sets conn's network map to a single peer expected
 // to receive packets from sendConn (or DERP), and returns that peer's
 // nodekey and discokey.
@@ -1279,7 +1270,7 @@ func addTestEndpoint(tb testing.TB, conn *Conn, sendConn net.PacketConn) (tailcf
 		},
 	})
 	conn.SetPrivateKey(wgkey.Private{0: 1})
-	_, err := conn.ParseEndpoint(makeEndpoint(tb, nodeKey, discoKey))
+	_, err := conn.ParseEndpoint(string(nodeKey[:]) + "0000000000000000000000000000000000000000000000000000000000000001.disco.tailscale:12345")
 	if err != nil {
 		tb.Fatal(err)
 	}
@@ -1453,7 +1444,7 @@ func TestSetNetworkMapChangingNodeKey(t *testing.T) {
 			},
 		},
 	})
-	_, err := conn.ParseEndpoint(makeEndpoint(t, nodeKey1, discoKey))
+	_, err := conn.ParseEndpoint(string(nodeKey1[:]) + "0000000000000000000000000000000000000000000000000000000000000001.disco.tailscale:12345")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1555,7 +1546,7 @@ func TestEndpointSetsEqual(t *testing.T) {
 	s := func(ports ...uint16) (ret []tailcfg.Endpoint) {
 		for _, port := range ports {
 			ret = append(ret, tailcfg.Endpoint{
-				Addr: netaddr.IPPortFrom(netaddr.IP{}, port),
+				Addr: netaddr.IPPort{Port: port},
 			})
 		}
 		return
--- a/wgengine/monitor/monitor_linux.go
+++ b/wgengine/monitor/monitor_linux.go
@@ -130,11 +130,11 @@ func netaddrIP(std net.IP) netaddr.IP {

 func netaddrIPPrefix(std net.IP, bits uint8) netaddr.IPPrefix {
 	ip, _ := netaddr.FromStdIP(std)
-	return netaddr.IPPrefixFrom(ip, bits)
+	return netaddr.IPPrefix{IP: ip, Bits: bits}
 }

 func condNetAddrPrefix(ipp netaddr.IPPrefix) string {
-	if ipp.IP().IsZero() {
+	if ipp.IP.IsZero() {
 		return ""
 	}
 	return ipp.String()
@@ -157,7 +157,7 @@ type newRouteMessage struct {
 const tsTable = 52

 func (m *newRouteMessage) ignore() bool {
-	return m.Table == tsTable || tsaddr.IsTailscaleIP(m.Dst.IP())
+	return m.Table == tsTable || tsaddr.IsTailscaleIP(m.Dst.IP)
 }

 // newAddrMessage is a message for a new address being added.
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -48,12 +48,6 @@ const debugNetstack = false
 // and implements wgengine.FakeImpl to act as a userspace network
 // stack when Tailscale is running in fake mode.
 type Impl struct {
-	// ForwardTCPIn, if non-nil, handles forwarding an inbound TCP
-	// connection.
-	// TODO(bradfitz): provide mechanism for tsnet to reject a
-	// port other than accepting it and closing it.
-	ForwardTCPIn func(c net.Conn, port uint16)
-
 	ipstack     *stack.Stack
 	linkEP      *channel.Endpoint
 	tundev      *tstun.Wrapper
@@ -179,7 +173,7 @@ func DNSMapFromNetworkMap(nm *netmap.NetworkMap) DNSMap {
 	suffix := nm.MagicDNSSuffix()

 	if nm.Name != "" && len(nm.Addresses) > 0 {
-		ip := nm.Addresses[0].IP()
+		ip := nm.Addresses[0].IP
 		ret[strings.TrimRight(nm.Name, ".")] = ip
 		if dnsname.HasSuffix(nm.Name, suffix) {
 			ret[dnsname.TrimSuffix(nm.Name, suffix)] = ip
@@ -187,7 +181,7 @@ func DNSMapFromNetworkMap(nm *netmap.NetworkMap) DNSMap {
 	}
 	for _, p := range nm.Peers {
 		if p.Name != "" && len(p.Addresses) > 0 {
-			ip := p.Addresses[0].IP()
+			ip := p.Addresses[0].IP
 			ret[strings.TrimRight(p.Name, ".")] = ip
 			if dnsname.HasSuffix(p.Name, suffix) {
 				ret[dnsname.TrimSuffix(p.Name, suffix)] = ip
@@ -227,8 +221,8 @@ func (ns *Impl) removeSubnetAddress(ip netaddr.IP) {

 func ipPrefixToAddressWithPrefix(ipp netaddr.IPPrefix) tcpip.AddressWithPrefix {
 	return tcpip.AddressWithPrefix{
-		Address:   tcpip.Address(ipp.IP().IPAddr().IP),
-		PrefixLen: int(ipp.Bits()),
+		Address:   tcpip.Address(ipp.IP.IPAddr().IP),
+		PrefixLen: int(ipp.Bits),
 	}
 }

@@ -322,7 +316,7 @@ func (m DNSMap) Resolve(ctx context.Context, addr string) (netaddr.IPPort, error
 	// Try MagicDNS first, else otherwise a real DNS lookup.
 	ip := m[host]
 	if !ip.IsZero() {
-		return netaddr.IPPortFrom(ip, uint16(port16)), nil
+		return netaddr.IPPort{IP: ip, Port: uint16(port16)}, nil
 	}

 	// No MagicDNS name so try real DNS.
@@ -335,7 +329,7 @@ func (m DNSMap) Resolve(ctx context.Context, addr string) (netaddr.IPPort, error
 		return netaddr.IPPort{}, fmt.Errorf("DNS lookup returned no results for %q", host)
 	}
 	ip, _ = netaddr.FromStdIP(ips[0])
-	return netaddr.IPPortFrom(ip, uint16(port16)), nil
+	return netaddr.IPPort{IP: ip, Port: uint16(port16)}, nil
 }

 func (ns *Impl) DialContextTCP(ctx context.Context, addr string) (*gonet.TCPConn, error) {
@@ -349,11 +343,11 @@ func (ns *Impl) DialContextTCP(ctx context.Context, addr string) (*gonet.TCPConn
 	}
 	remoteAddress := tcpip.FullAddress{
 		NIC:  nicID,
-		Addr: tcpip.Address(remoteIPPort.IP().IPAddr().IP),
-		Port: remoteIPPort.Port(),
+		Addr: tcpip.Address(remoteIPPort.IP.IPAddr().IP),
+		Port: remoteIPPort.Port,
 	}
 	var ipType tcpip.NetworkProtocolNumber
-	if remoteIPPort.IP().Is4() {
+	if remoteIPPort.IP.Is4() {
 		ipType = ipv4.ProtocolNumber
 	} else {
 		ipType = ipv6.ProtocolNumber
@@ -395,7 +389,7 @@ func (ns *Impl) isLocalIP(ip netaddr.IP) bool {
 }

 func (ns *Impl) injectInbound(p *packet.Parsed, t *tstun.Wrapper) filter.Response {
-	if ns.onlySubnets && ns.isLocalIP(p.Dst.IP()) {
+	if ns.onlySubnets && ns.isLocalIP(p.Dst.IP) {
 		// In hybrid ("only subnets") mode, bail out early if
 		// the traffic is destined for an actual Tailscale
 		// address. The real host OS interface will handle it.
@@ -447,15 +441,11 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 		r.Complete(true)
 		return
 	}
-	r.Complete(false)
-	c := gonet.NewTCPConn(&wq, ep)
-	if ns.ForwardTCPIn != nil {
-		ns.ForwardTCPIn(c, reqDetails.LocalPort)
-		return
-	}
 	if isTailscaleIP {
 		dialAddr = tcpip.Address(net.ParseIP("127.0.0.1")).To4()
 	}
+	r.Complete(false)
+	c := gonet.NewTCPConn(&wq, ep)
 	ns.forwardTCP(c, &wq, dialAddr, reqDetails.LocalPort)
 }

--- a/wgengine/pendopen.go
+++ b/wgengine/pendopen.go
@@ -115,8 +115,8 @@ func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.Wra
 	// Don't start timers tracking those. They won't succeed anyway. Avoids log spam
 	// like:
 	//    open-conn-track: timeout opening (100.115.73.60:52501 => 17.125.252.5:443); no associated peer node
-	if runtime.GOOS == "ios" && flow.Dst.Port() == 443 && !tsaddr.IsTailscaleIP(flow.Dst.IP()) {
-		if _, err := e.peerForIP(flow.Dst.IP()); err != nil {
+	if runtime.GOOS == "ios" && flow.Dst.Port == 443 && !tsaddr.IsTailscaleIP(flow.Dst.IP) {
+		if _, err := e.peerForIP(flow.Dst.IP); err != nil {
 			return
 		}
 	}
@@ -156,7 +156,7 @@ func (e *userspaceEngine) onOpenTimeout(flow flowtrack.Tuple) {
 	}

 	// Diagnose why it might've timed out.
-	n, err := e.peerForIP(flow.Dst.IP())
+	n, err := e.peerForIP(flow.Dst.IP)
 	if err != nil {
 		e.logf("open-conn-track: timeout opening %v; peerForIP: %v", flow, err)
 		return
@@ -193,7 +193,7 @@ func (e *userspaceEngine) onOpenTimeout(flow flowtrack.Tuple) {
 	if ps == nil {
 		onlyZeroRoute := true // whether peerForIP returned n only because its /0 route matched
 		for _, r := range n.AllowedIPs {
-			if r.Bits() != 0 && r.Contains(flow.Dst.IP()) {
+			if r.Bits != 0 && r.Contains(flow.Dst.IP) {
 				onlyZeroRoute = false
 				break
 			}
--- a/wgengine/router/ifconfig_windows.go
+++ b/wgengine/router/ifconfig_windows.go
@@ -324,16 +324,16 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 	var firstGateway6 *net.IP
 	addresses := make([]*net.IPNet, 0, len(cfg.LocalAddrs))
 	for _, addr := range cfg.LocalAddrs {
-		if (addr.IP().Is4() && ipif4 == nil) || (addr.IP().Is6() && ipif6 == nil) {
+		if (addr.IP.Is4() && ipif4 == nil) || (addr.IP.Is6() && ipif6 == nil) {
 			// Can't program addresses for disabled protocol.
 			continue
 		}
 		ipnet := addr.IPNet()
 		addresses = append(addresses, ipnet)
 		gateway := ipnet.IP
-		if addr.IP().Is4() && firstGateway4 == nil {
+		if addr.IP.Is4() && firstGateway4 == nil {
 			firstGateway4 = &gateway
-		} else if addr.IP().Is6() && firstGateway6 == nil {
+		} else if addr.IP.Is6() && firstGateway6 == nil {
 			firstGateway6 = &gateway
 		}
 	}
@@ -342,12 +342,12 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 	foundDefault4 := false
 	foundDefault6 := false
 	for _, route := range cfg.Routes {
-		if (route.IP().Is4() && ipif4 == nil) || (route.IP().Is6() && ipif6 == nil) {
+		if (route.IP.Is4() && ipif4 == nil) || (route.IP.Is6() && ipif6 == nil) {
 			// Can't program routes for disabled protocol.
 			continue
 		}

-		if route.IP().Is6() && firstGateway6 == nil {
+		if route.IP.Is6() && firstGateway6 == nil {
 			// Windows won't let us set IPv6 routes without having an
 			// IPv6 local address set. However, when we've configured
 			// a default route, we want to forcibly grab IPv6 traffic
@@ -357,16 +357,16 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 			ipnet := &net.IPNet{tsaddr.Tailscale4To6Placeholder().IPAddr().IP, net.CIDRMask(128, 128)}
 			addresses = append(addresses, ipnet)
 			firstGateway6 = &ipnet.IP
-		} else if route.IP().Is4() && firstGateway4 == nil {
+		} else if route.IP.Is4() && firstGateway4 == nil {
 			// TODO: do same dummy behavior as v6?
 			return errors.New("due to a Windows limitation, one cannot have interface routes without an interface address")
 		}

 		ipn := route.IPNet()
 		var gateway net.IP
-		if route.IP().Is4() {
+		if route.IP.Is4() {
 			gateway = *firstGateway4
-		} else if route.IP().Is6() {
+		} else if route.IP.Is6() {
 			gateway = *firstGateway6
 		}
 		r := winipcfg.RouteData{
@@ -385,13 +385,13 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 			// then the interface's IP won't be pingable.
 			continue
 		}
-		if route.IP().Is4() {
-			if route.Bits() == 0 {
+		if route.IP.Is4() {
+			if route.Bits == 0 {
 				foundDefault4 = true
 			}
 			r.NextHop = *firstGateway4
-		} else if route.IP().Is6() {
-			if route.Bits() == 0 {
+		} else if route.IP.Is6() {
+			if route.Bits == 0 {
 				foundDefault6 = true
 			}
 			r.NextHop = *firstGateway6
@@ -760,8 +760,11 @@ func filterRoutes(routes []*winipcfg.RouteData, dontDelete []netaddr.IPPrefix) [
 		if nr.IsSingleIP() {
 			continue
 		}
-		lastIP := nr.Range().To()
-		ddm[netaddr.IPPrefixFrom(lastIP, lastIP.BitLen())] = true
+		lastIP := nr.Range().To
+		ddm[netaddr.IPPrefix{
+			IP:   lastIP,
+			Bits: lastIP.BitLen(),
+		}] = true
 	}
 	filtered := make([]*winipcfg.RouteData, 0, len(routes))
 	for _, r := range routes {
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -360,7 +360,7 @@ func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
 	}

 	for cidr := range r.addrs {
-		if err := r.addLoopbackRule(cidr.IP()); err != nil {
+		if err := r.addLoopbackRule(cidr.IP); err != nil {
 			return err
 		}
 	}
@@ -372,13 +372,13 @@ func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
 // address is already assigned to the interface, or if the addition
 // fails.
 func (r *linuxRouter) addAddress(addr netaddr.IPPrefix) error {
-	if !r.v6Available && addr.IP().Is6() {
+	if !r.v6Available && addr.IP.Is6() {
 		return nil
 	}
 	if err := r.cmd.run("ip", "addr", "add", addr.String(), "dev", r.tunname); err != nil {
 		return fmt.Errorf("adding address %q to tunnel interface: %w", addr, err)
 	}
-	if err := r.addLoopbackRule(addr.IP()); err != nil {
+	if err := r.addLoopbackRule(addr.IP); err != nil {
 		return err
 	}
 	return nil
@@ -388,10 +388,10 @@ func (r *linuxRouter) addAddress(addr netaddr.IPPrefix) error {
 // the address is not assigned to the interface, or if the removal
 // fails.
 func (r *linuxRouter) delAddress(addr netaddr.IPPrefix) error {
-	if !r.v6Available && addr.IP().Is6() {
+	if !r.v6Available && addr.IP.Is6() {
 		return nil
 	}
-	if err := r.delLoopbackRule(addr.IP()); err != nil {
+	if err := r.delLoopbackRule(addr.IP); err != nil {
 		return err
 	}
 	if err := r.cmd.run("ip", "addr", "del", addr.String(), "dev", r.tunname); err != nil {
@@ -463,7 +463,7 @@ func (r *linuxRouter) addThrowRoute(cidr netaddr.IPPrefix) error {
 }

 func (r *linuxRouter) addRouteDef(routeDef []string, cidr netaddr.IPPrefix) error {
-	if !r.v6Available && cidr.IP().Is6() {
+	if !r.v6Available && cidr.IP.Is6() {
 		return nil
 	}
 	args := append([]string{"ip", "route", "add"}, routeDef...)
@@ -490,7 +490,7 @@ func (r *linuxRouter) delThrowRoute(cidr netaddr.IPPrefix) error {
 }

 func (r *linuxRouter) delRouteDef(routeDef []string, cidr netaddr.IPPrefix) error {
-	if !r.v6Available && cidr.IP().Is6() {
+	if !r.v6Available && cidr.IP.Is6() {
 		return nil
 	}
 	args := append([]string{"ip", "route", "del"}, routeDef...)
@@ -520,7 +520,7 @@ func dashFam(ip netaddr.IP) string {
 }

 func (r *linuxRouter) hasRoute(routeDef []string, cidr netaddr.IPPrefix) (bool, error) {
-	args := append([]string{"ip", dashFam(cidr.IP()), "route", "show"}, routeDef...)
+	args := append([]string{"ip", dashFam(cidr.IP), "route", "show"}, routeDef...)
 	if r.ipRuleAvailable {
 		args = append(args, "table", tailscaleRouteTable)
 	}
--- a/wgengine/router/router_openbsd.go
+++ b/wgengine/router/router_openbsd.go
@@ -69,11 +69,11 @@ func (r *openbsdRouter) Set(cfg *Config) error {
 	localAddr4 := netaddr.IPPrefix{}
 	localAddr6 := netaddr.IPPrefix{}
 	for _, addr := range cfg.LocalAddrs {
-		if addr.IP().Is4() {
+		if addr.IP.Is4() {
 			numIPv4++
 			localAddr4 = addr
 		}
-		if addr.IP().Is6() {
+		if addr.IP.Is6() {
 			numIPv6++
 			localAddr6 = addr
 		}
@@ -98,7 +98,7 @@ func (r *openbsdRouter) Set(cfg *Config) error {

 			routedel := []string{"route", "-q", "-n",
 				"del", "-inet", r.local4.String(),
-				"-iface", r.local4.IP().String()}
+				"-iface", r.local4.IP.String()}
 			if out, err := cmd(routedel...).CombinedOutput(); err != nil {
 				r.logf("route del failed: %v: %v\n%s", routedel, err, out)
 				if errq == nil {
@@ -120,7 +120,7 @@ func (r *openbsdRouter) Set(cfg *Config) error {

 			routeadd := []string{"route", "-q", "-n",
 				"add", "-inet", localAddr4.String(),
-				"-iface", localAddr4.IP().String()}
+				"-iface", localAddr4.IP.String()}
 			if out, err := cmd(routeadd...).CombinedOutput(); err != nil {
 				r.logf("route add failed: %v: %v\n%s", routeadd, err, out)
 				if errq == nil {
@@ -134,7 +134,7 @@ func (r *openbsdRouter) Set(cfg *Config) error {
 		// in https://github.com/tailscale/tailscale/issues/1307 we made
 		// FreeBSD use a /48 for IPv6 addresses, which is nice because we
 		// don't need to additionally add routing entries. Do that here too.
-		localAddr6 = netaddr.IPPrefixFrom(localAddr6.IP(), 48)
+		localAddr6 = netaddr.IPPrefix{localAddr6.IP, 48}
 	}

 	if localAddr6 != r.local6 {
@@ -171,10 +171,10 @@ func (r *openbsdRouter) Set(cfg *Config) error {
 		if _, keep := newRoutes[route]; !keep {
 			net := route.IPNet()
 			nip := net.IP.Mask(net.Mask)
-			nstr := fmt.Sprintf("%v/%d", nip, route.Bits())
+			nstr := fmt.Sprintf("%v/%d", nip, route.Bits)
 			routedel := []string{"route", "-q", "-n",
 				"del", "-inet", nstr,
-				"-iface", localAddr4.IP().String()}
+				"-iface", localAddr4.IP.String()}
 			out, err := cmd(routedel...).CombinedOutput()
 			if err != nil {
 				r.logf("route del failed: %v: %v\n%s", routedel, err, out)
@@ -188,10 +188,10 @@ func (r *openbsdRouter) Set(cfg *Config) error {
 		if _, exists := r.routes[route]; !exists {
 			net := route.IPNet()
 			nip := net.IP.Mask(net.Mask)
-			nstr := fmt.Sprintf("%v/%d", nip, route.Bits())
+			nstr := fmt.Sprintf("%v/%d", nip, route.Bits)
 			routeadd := []string{"route", "-q", "-n",
 				"add", "-inet", nstr,
-				"-iface", localAddr4.IP().String()}
+				"-iface", localAddr4.IP.String()}
 			out, err := cmd(routeadd...).CombinedOutput()
 			if err != nil {
 				r.logf("addr add failed: %v: %v\n%s", routeadd, err, out)
--- a/wgengine/router/router_userspace_bsd.go
+++ b/wgengine/router/router_userspace_bsd.go
@@ -87,7 +87,7 @@ func (r *userspaceBSDRouter) Up() error {
 }

 func inet(p netaddr.IPPrefix) string {
-	if p.IP().Is6() {
+	if p.IP.Is6() {
 		return "inet6"
 	}
 	return "inet"
@@ -116,15 +116,15 @@ func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
 	}
 	for _, addr := range r.addrsToAdd(cfg.LocalAddrs) {
 		var arg []string
-		if runtime.GOOS == "freebsd" && addr.IP().Is6() && addr.Bits() == 128 {
+		if runtime.GOOS == "freebsd" && addr.IP.Is6() && addr.Bits == 128 {
 			// FreeBSD rejects tun addresses of the form fc00::1/128 -> fc00::1,
 			// https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218508
 			// Instead add our whole /48, which works because we use a /48 route.
 			// Full history: https://github.com/tailscale/tailscale/issues/1307
-			tmp := netaddr.IPPrefixFrom(addr.IP(), 48)
+			tmp := netaddr.IPPrefix{IP: addr.IP, Bits: 48}
 			arg = []string{"ifconfig", r.tunname, inet(tmp), tmp.String()}
 		} else {
-			arg = []string{"ifconfig", r.tunname, inet(addr), addr.String(), addr.IP().String()}
+			arg = []string{"ifconfig", r.tunname, inet(addr), addr.String(), addr.IP.String()}
 		}
 		out, err := cmd(arg...).CombinedOutput()
 		if err != nil {
@@ -148,7 +148,7 @@ func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
 		if _, keep := newRoutes[route]; !keep {
 			net := route.IPNet()
 			nip := net.IP.Mask(net.Mask)
-			nstr := fmt.Sprintf("%v/%d", nip, route.Bits())
+			nstr := fmt.Sprintf("%v/%d", nip, route.Bits)
 			del := "del"
 			if version.OS() == "macOS" {
 				del = "delete"
@@ -168,7 +168,7 @@ func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
 		if _, exists := r.routes[route]; !exists {
 			net := route.IPNet()
 			nip := net.IP.Mask(net.Mask)
-			nstr := fmt.Sprintf("%v/%d", nip, route.Bits())
+			nstr := fmt.Sprintf("%v/%d", nip, route.Bits)
 			routeadd := []string{"route", "-q", "-n",
 				"add", "-" + inet(route), nstr,
 				"-iface", r.tunname}
--- a/wgengine/router/router_windows.go
+++ b/wgengine/router/router_windows.go
@@ -91,7 +91,7 @@ func (r *winRouter) Set(cfg *Config) error {

 func hasDefaultRoute(routes []netaddr.IPPrefix) bool {
 	for _, route := range routes {
-		if route.Bits() == 0 {
+		if route.Bits == 0 {
 			return true
 		}
 	}
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -7,10 +7,12 @@ package wgengine
 import (
 	"bufio"
 	"bytes"
+	"context"
 	crand "crypto/rand"
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"os"
 	"reflect"
 	"runtime"
@@ -26,7 +28,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/health"
-	"tailscale.com/internal/deephash"
+	"tailscale.com/internal/deepprint"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/dns/resolver"
@@ -118,6 +120,7 @@ type userspaceEngine struct {
 	statusCallback      StatusCallback
 	peerSequence        []wgkey.Key
 	endpoints           []tailcfg.Endpoint
+	pingers             map[wgkey.Key]*pinger                // legacy pingers for pre-discovery peers
 	pendOpen            map[flowtrack.Tuple]*pendingOpenFlow // see pendopen.go
 	networkMapCallbacks map[*someHandle]NetworkMapCallback
 	tsIPByIPPort        map[netaddr.IPPort]netaddr.IP          // allows registration of IP:ports as belonging to a certain Tailscale IP for whois lookups
@@ -238,6 +241,7 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)
 		waitCh:  make(chan struct{}),
 		tundev:  tsTUNDev,
 		router:  conf.Router,
+		pingers: make(map[wgkey.Key]*pinger),
 	}
 	e.isLocalAddr.Store(tsaddr.NewContainsIPFunc(nil))

@@ -306,6 +310,52 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)
 	}

 	e.wgLogger = wglog.NewLogger(logf)
+	opts := &device.DeviceOptions{
+		HandshakeDone: func(peerKey device.NoisePublicKey, peer *device.Peer, deviceAllowedIPs *device.AllowedIPs) {
+			// Send an unsolicited status event every time a
+			// handshake completes. This makes sure our UI can
+			// update quickly as soon as it connects to a peer.
+			//
+			// We use a goroutine here to avoid deadlocking
+			// wireguard, since RequestStatus() will call back
+			// into it, and wireguard is what called us to get
+			// here.
+			go e.RequestStatus()
+
+			peerWGKey := wgkey.Key(peerKey)
+			if e.magicConn.PeerHasDiscoKey(tailcfg.NodeKey(peerKey)) {
+				e.logf("wireguard handshake complete for %v", peerWGKey.ShortString())
+				// This is a modern peer with discovery support. No need to send pings.
+				return
+			}
+
+			e.logf("wireguard handshake complete for %v; sending legacy pings", peerWGKey.ShortString())
+
+			// Ping every single-IP that peer routes.
+			// These synthetic packets are used to traverse NATs.
+			var ips []netaddr.IP
+			var allowedIPs []netaddr.IPPrefix
+			deviceAllowedIPs.EntriesForPeer(peer, func(stdIP net.IP, cidr uint) bool {
+				ip, ok := netaddr.FromStdIP(stdIP)
+				if !ok {
+					logf("[unexpected] bad IP from deviceAllowedIPs.EntriesForPeer: %v", stdIP)
+					return true
+				}
+				ipp := netaddr.IPPrefix{IP: ip, Bits: uint8(cidr)}
+				allowedIPs = append(allowedIPs, ipp)
+				if ipp.IsSingleIP() {
+					ips = append(ips, ip)
+				}
+				return true
+			})
+			if len(ips) > 0 {
+				go e.pinger(peerWGKey, ips)
+			} else {
+				logf("[unexpected] peer %s has no single-IP routes: %v", peerWGKey.ShortString(), allowedIPs)
+			}
+		},
+	}
+
 	e.tundev.OnTSMPPongReceived = func(pong packet.TSMPPongReply) {
 		e.mu.Lock()
 		defer e.mu.Unlock()
@@ -318,7 +368,7 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)

 	// wgdev takes ownership of tundev, will close it when closed.
 	e.logf("Creating wireguard device...")
-	e.wgdev = device.NewDevice(e.tundev, e.magicConn.Bind(), e.wgLogger.DeviceLogger)
+	e.wgdev = device.NewDevice(e.tundev, e.magicConn.Bind(), e.wgLogger.DeviceLogger, opts)
 	closePool.addFunc(e.wgdev.Close)
 	closePool.addFunc(func() {
 		if err := e.magicConn.Close(); err != nil {
@@ -399,7 +449,7 @@ func (e *userspaceEngine) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper)
 		isLocalAddr, ok := e.isLocalAddr.Load().(func(netaddr.IP) bool)
 		if !ok {
 			e.logf("[unexpected] e.isLocalAddr was nil, can't check for loopback packet")
-		} else if isLocalAddr(p.Dst.IP()) {
+		} else if isLocalAddr(p.Dst.IP) {
 			// macOS NetworkExtension directs packets destined to the
 			// tunnel's local IP address into the tunnel, instead of
 			// looping back within the kernel network stack. We have to
@@ -415,7 +465,7 @@ func (e *userspaceEngine) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper)

 // handleDNS is an outbound pre-filter resolving Tailscale domains.
 func (e *userspaceEngine) handleDNS(p *packet.Parsed, t *tstun.Wrapper) filter.Response {
-	if p.Dst.IP() == magicDNSIP && p.Dst.Port() == magicDNSPort && p.IPProto == ipproto.UDP {
+	if p.Dst.IP == magicDNSIP && p.Dst.Port == magicDNSPort && p.IPProto == ipproto.UDP {
 		err := e.dns.EnqueueRequest(append([]byte(nil), p.Payload()...), p.Src)
 		if err != nil {
 			e.logf("dns: enqueue: %v", err)
@@ -440,10 +490,10 @@ func (e *userspaceEngine) pollResolver() {
 		h := packet.UDP4Header{
 			IP4Header: packet.IP4Header{
 				Src: magicDNSIP,
-				Dst: to.IP(),
+				Dst: to.IP,
 			},
 			SrcPort: magicDNSPort,
-			DstPort: to.Port(),
+			DstPort: to.Port,
 		}
 		hlen := h.Len()

@@ -457,6 +507,132 @@ func (e *userspaceEngine) pollResolver() {
 	}
 }

+// pinger sends ping packets for a few seconds.
+//
+// These generated packets are used to ensure we trigger the spray logic in
+// the magicsock package for NAT traversal.
+//
+// These are only used with legacy peers (before 0.100.0) that don't
+// have advertised discovery keys.
+type pinger struct {
+	e      *userspaceEngine
+	done   chan struct{} // closed after shutdown (not the ctx.Done() chan)
+	cancel context.CancelFunc
+}
+
+// close cleans up pinger and removes it from the userspaceEngine.pingers map.
+// It cannot be called while p.e.mu is held.
+func (p *pinger) close() {
+	p.cancel()
+	<-p.done
+}
+
+func (p *pinger) run(ctx context.Context, peerKey wgkey.Key, ips []netaddr.IP, srcIP netaddr.IP) {
+	defer func() {
+		p.e.mu.Lock()
+		if p.e.pingers[peerKey] == p {
+			delete(p.e.pingers, peerKey)
+		}
+		p.e.mu.Unlock()
+
+		close(p.done)
+	}()
+
+	header := packet.ICMP4Header{
+		IP4Header: packet.IP4Header{
+			Src: srcIP,
+		},
+		Type: packet.ICMP4EchoRequest,
+		Code: packet.ICMP4NoCode,
+	}
+
+	// sendFreq is slightly longer than sprayFreq in magicsock to ensure
+	// that if these ping packets are the only source of early packets
+	// sent to the peer, that each one will be sprayed.
+	const sendFreq = 300 * time.Millisecond
+	const stopAfter = 3 * time.Second
+
+	start := time.Now()
+	var dstIPs []netaddr.IP
+	for _, ip := range ips {
+		if ip.Is6() {
+			// This code is only used for legacy (pre-discovery)
+			// peers. They're not going to work right with IPv6 on the
+			// overlay anyway, so don't bother trying to make ping
+			// work.
+			continue
+		}
+		dstIPs = append(dstIPs, ip)
+	}
+
+	payload := []byte("magicsock_spray") // no meaning
+
+	header.IPID = 1
+	t := time.NewTicker(sendFreq)
+	defer t.Stop()
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-t.C:
+		}
+		if time.Since(start) > stopAfter {
+			return
+		}
+		for _, dstIP := range dstIPs {
+			header.Dst = dstIP
+			// InjectOutbound take ownership of the packet, so we allocate.
+			b := packet.Generate(&header, payload)
+			p.e.tundev.InjectOutbound(b)
+		}
+		header.IPID++
+	}
+}
+
+// pinger sends ping packets for a few seconds.
+//
+// These generated packets are used to ensure we trigger the spray logic in
+// the magicsock package for NAT traversal.
+//
+// This is only used with legacy peers (before 0.100.0) that don't
+// have advertised discovery keys.
+func (e *userspaceEngine) pinger(peerKey wgkey.Key, ips []netaddr.IP) {
+	e.logf("[v1] generating initial ping traffic to %s (%v)", peerKey.ShortString(), ips)
+	var srcIP netaddr.IP
+
+	e.wgLock.Lock()
+	if len(e.lastCfgFull.Addresses) > 0 {
+		srcIP = e.lastCfgFull.Addresses[0].IP
+	}
+	e.wgLock.Unlock()
+
+	if srcIP.IsZero() {
+		e.logf("generating initial ping traffic: no source IP")
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	p := &pinger{
+		e:      e,
+		done:   make(chan struct{}),
+		cancel: cancel,
+	}
+
+	e.mu.Lock()
+	if e.closing {
+		e.mu.Unlock()
+		return
+	}
+	oldPinger := e.pingers[peerKey]
+	e.pingers[peerKey] = p
+	e.mu.Unlock()
+
+	if oldPinger != nil {
+		oldPinger.close()
+	}
+	p.run(ctx, peerKey, ips, srcIP)
+}
+
 var (
 	debugTrimWireguardEnv = os.Getenv("TS_DEBUG_TRIM_WIREGUARD")
 	debugTrimWireguard, _ = strconv.ParseBool(debugTrimWireguardEnv)
@@ -499,7 +675,15 @@ func isTrimmablePeer(p *wgcfg.Peer, numPeers int) bool {
 	if forceFullWireguardConfig(numPeers) {
 		return false
 	}
-	if p.Endpoints.DiscoKey.IsZero() {
+	if !isSingleEndpoint(p.Endpoints) {
+		return false
+	}
+
+	host, _, err := net.SplitHostPort(p.Endpoints)
+	if err != nil {
+		return false
+	}
+	if !strings.HasSuffix(host, ".disco.tailscale") {
 		return false
 	}

@@ -569,6 +753,26 @@ func (e *userspaceEngine) isActiveSince(dk tailcfg.DiscoKey, ip netaddr.IP, t ti
 	return unixTime >= t.Unix()
 }

+// discoKeyFromPeer returns the DiscoKey for a wireguard config's Peer.
+//
+// Invariant: isTrimmablePeer(p) == true, so it should have 1 endpoint with
+// Host of form "<64-hex-digits>.disco.tailscale". If invariant is violated,
+// we return the zero value.
+func discoKeyFromPeer(p *wgcfg.Peer) tailcfg.DiscoKey {
+	if len(p.Endpoints) < 64 {
+		return tailcfg.DiscoKey{}
+	}
+	host, rest := p.Endpoints[:64], p.Endpoints[64:]
+	if !strings.HasPrefix(rest, ".disco.tailscale") {
+		return tailcfg.DiscoKey{}
+	}
+	k, err := key.NewPublicFromHexMem(mem.S(host))
+	if err != nil {
+		return tailcfg.DiscoKey{}
+	}
+	return tailcfg.DiscoKey(k)
+}
+
 // discoChanged are the set of peers whose disco keys have changed, implying they've restarted.
 // If a peer is in this set and was previously in the live wireguard config,
 // it needs to be first removed and then re-added to flush out its wireguard session key.
@@ -616,12 +820,12 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Publ
 			}
 			continue
 		}
-		dk := p.Endpoints.DiscoKey
+		dk := discoKeyFromPeer(p)
 		trackDisco = append(trackDisco, dk)
 		recentlyActive := false
 		for _, cidr := range p.AllowedIPs {
-			trackIPs = append(trackIPs, cidr.IP())
-			recentlyActive = recentlyActive || e.isActiveSince(dk, cidr.IP(), activeCutoff)
+			trackIPs = append(trackIPs, cidr.IP)
+			recentlyActive = recentlyActive || e.isActiveSince(dk, cidr.IP, activeCutoff)
 		}
 		if recentlyActive {
 			min.Peers = append(min.Peers, *p)
@@ -633,7 +837,7 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Publ
 		}
 	}

-	if !deephash.UpdateHash(&e.lastEngineSigTrim, min, trimmedDisco, trackDisco, trackIPs) {
+	if !deepprint.UpdateHash(&e.lastEngineSigTrim, min, trimmedDisco, trackDisco, trackIPs) {
 		// No changes
 		return nil
 	}
@@ -754,8 +958,8 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 	}
 	e.mu.Unlock()

-	engineChanged := deephash.UpdateHash(&e.lastEngineSigFull, cfg)
-	routerChanged := deephash.UpdateHash(&e.lastRouterSig, routerCfg, dnsCfg)
+	engineChanged := deepprint.UpdateHash(&e.lastEngineSigFull, cfg)
+	routerChanged := deepprint.UpdateHash(&e.lastRouterSig, routerCfg, dnsCfg)
 	if !engineChanged && !routerChanged {
 		return ErrNoChanges
 	}
@@ -766,26 +970,26 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 	// and a second time with it.
 	discoChanged := make(map[key.Public]bool)
 	{
-		prevEP := make(map[key.Public]tailcfg.DiscoKey)
+		prevEP := make(map[key.Public]string)
 		for i := range e.lastCfgFull.Peers {
-			if p := &e.lastCfgFull.Peers[i]; !p.Endpoints.DiscoKey.IsZero() {
-				prevEP[key.Public(p.PublicKey)] = p.Endpoints.DiscoKey
+			if p := &e.lastCfgFull.Peers[i]; isSingleEndpoint(p.Endpoints) {
+				prevEP[key.Public(p.PublicKey)] = p.Endpoints
 			}
 		}
 		for i := range cfg.Peers {
 			p := &cfg.Peers[i]
-			if p.Endpoints.DiscoKey.IsZero() {
+			if !isSingleEndpoint(p.Endpoints) {
 				continue
 			}
 			pub := key.Public(p.PublicKey)
-			if old, ok := prevEP[pub]; ok && old != p.Endpoints.DiscoKey {
+			if old, ok := prevEP[pub]; ok && old != p.Endpoints {
 				discoChanged[pub] = true
 				e.logf("wgengine: Reconfig: %s changed from %q to %q", pub.ShortString(), old, p.Endpoints)
 			}
 		}
 	}

-	e.lastCfgFull = *cfg.Clone()
+	e.lastCfgFull = cfg.Copy()

 	// Tell magicsock about the new (or initial) private key
 	// (which is needed by DERP) before wgdev gets it, as wgdev
@@ -822,6 +1026,11 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 	return nil
 }

+// isSingleEndpoint reports whether endpoints contains exactly one host:port pair.
+func isSingleEndpoint(s string) bool {
+	return s != "" && !strings.Contains(s, ",")
+}
+
 func (e *userspaceEngine) GetFilter() *filter.Filter {
 	return e.tundev.GetFilter()
 }
@@ -844,8 +1053,6 @@ func (e *userspaceEngine) getStatusCallback() StatusCallback {

 var singleNewline = []byte{'\n'}

-var ErrEngineClosing = errors.New("engine closing; no status")
-
 func (e *userspaceEngine) getStatus() (*Status, error) {
 	// Grab derpConns before acquiring wgLock to not violate lock ordering;
 	// the DERPs method acquires magicsock.Conn.mu.
@@ -859,7 +1066,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 	closing := e.closing
 	e.mu.Unlock()
 	if closing {
-		return nil, ErrEngineClosing
+		return nil, errors.New("engine closing; no status")
 	}

 	if e.wgdev == nil {
@@ -1006,12 +1213,17 @@ func (e *userspaceEngine) RequestStatus() {
 }

 func (e *userspaceEngine) Close() {
+	var pingers []*pinger
+
 	e.mu.Lock()
 	if e.closing {
 		e.mu.Unlock()
 		return
 	}
 	e.closing = true
+	for _, pinger := range e.pingers {
+		pingers = append(pingers, pinger)
+	}
 	e.mu.Unlock()

 	r := bufio.NewReader(strings.NewReader(""))
@@ -1025,6 +1237,13 @@ func (e *userspaceEngine) Close() {
 	e.router.Close()
 	e.wgdev.Close()
 	e.tundev.Close()
+
+	// Shut down pingers after tundev is closed (by e.wgdev.Close) so the
+	// synchronous close does not get stuck on InjectOutbound.
+	for _, pinger := range pingers {
+		pinger.close()
+	}
+
 	close(e.waitCh)
 }

@@ -1156,8 +1375,8 @@ func (e *userspaceEngine) mySelfIPMatchingFamily(dst netaddr.IP) (src netaddr.IP
 		return netaddr.IP{}, errors.New("no netmap")
 	}
 	for _, a := range e.netMap.Addresses {
-		if a.IsSingleIP() && a.IP().BitLen() == dst.BitLen() {
-			return a.IP(), nil
+		if a.IsSingleIP() && a.IP.BitLen() == dst.BitLen() {
+			return a.IP, nil
 		}
 	}
 	if len(e.netMap.Addresses) == 0 {
@@ -1293,7 +1512,7 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, err error)
 	var bestInNM *tailcfg.Node
 	for _, p := range nm.Peers {
 		for _, a := range p.Addresses {
-			if a.IP() == ip && a.IsSingleIP() && tsaddr.IsTailscaleIP(ip) {
+			if a.IP == ip && a.IsSingleIP() && tsaddr.IsTailscaleIP(ip) {
 				return p, nil
 			}
 		}
@@ -1301,7 +1520,7 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, err error)
 			if !cidr.Contains(ip) {
 				continue
 			}
-			if bestInNMPrefix.IsZero() || cidr.Bits() > bestInNMPrefix.Bits() {
+			if bestInNMPrefix.IsZero() || cidr.Bits > bestInNMPrefix.Bits {
 				bestInNMPrefix = cidr
 				bestInNM = p
 			}
@@ -1319,7 +1538,7 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, err error)
 			if !cidr.Contains(ip) {
 				continue
 			}
-			if best.IsZero() || cidr.Bits() > best.Bits() {
+			if best.IsZero() || cidr.Bits > best.Bits {
 				best = cidr
 				bestKey = tailcfg.NodeKey(p.PublicKey)
 			}
@@ -1337,7 +1556,7 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, err error)
 	if bestInNM == nil {
 		return nil, nil
 	}
-	if bestInNMPrefix.Bits() == 0 {
+	if bestInNMPrefix.Bits == 0 {
 		return nil, errors.New("exit node found but not enabled")
 	}
 	return nil, fmt.Errorf("node %q found, but not using its %v route", bestInNM.ComputedNameWithHost, bestInNMPrefix)
--- a/wgengine/userspace_test.go
+++ b/wgengine/userspace_test.go
@@ -102,9 +102,9 @@ func TestUserspaceEngineReconfig(t *testing.T) {
 			Peers: []wgcfg.Peer{
 				{
 					AllowedIPs: []netaddr.IPPrefix{
-						netaddr.IPPrefixFrom(netaddr.IPv4(100, 100, 99, 1), 32),
+						{IP: netaddr.IPv4(100, 100, 99, 1), Bits: 32},
 					},
-					Endpoints: wgcfg.Endpoints{DiscoKey: dkFromHex(discoHex)},
+					Endpoints: discoHex + ".disco.tailscale:12345",
 				},
 			},
 		}
--- a/wgengine/wgcfg/clone.go
+++ b/wgengine/wgcfg/clone.go
@@ -1,101 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Code generated by tailscale.com/cmd/cloner -type Config,Peer,Endpoints,IPPortSet; DO NOT EDIT.
-
-package wgcfg
-
-import (
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/wgkey"
-)
-
-// Clone makes a deep copy of Config.
-// The result aliases no memory with the original.
-func (src *Config) Clone() *Config {
-	if src == nil {
-		return nil
-	}
-	dst := new(Config)
-	*dst = *src
-	dst.Addresses = append(src.Addresses[:0:0], src.Addresses...)
-	dst.DNS = append(src.DNS[:0:0], src.DNS...)
-	dst.Peers = make([]Peer, len(src.Peers))
-	for i := range dst.Peers {
-		dst.Peers[i] = *src.Peers[i].Clone()
-	}
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type Config,Peer,Endpoints,IPPortSet
-var _ConfigNeedsRegeneration = Config(struct {
-	Name       string
-	PrivateKey wgkey.Private
-	Addresses  []netaddr.IPPrefix
-	MTU        uint16
-	DNS        []netaddr.IP
-	Peers      []Peer
-}{})
-
-// Clone makes a deep copy of Peer.
-// The result aliases no memory with the original.
-func (src *Peer) Clone() *Peer {
-	if src == nil {
-		return nil
-	}
-	dst := new(Peer)
-	*dst = *src
-	dst.AllowedIPs = append(src.AllowedIPs[:0:0], src.AllowedIPs...)
-	dst.Endpoints = *src.Endpoints.Clone()
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type Config,Peer,Endpoints,IPPortSet
-var _PeerNeedsRegeneration = Peer(struct {
-	PublicKey           wgkey.Key
-	AllowedIPs          []netaddr.IPPrefix
-	Endpoints           Endpoints
-	PersistentKeepalive uint16
-}{})
-
-// Clone makes a deep copy of Endpoints.
-// The result aliases no memory with the original.
-func (src *Endpoints) Clone() *Endpoints {
-	if src == nil {
-		return nil
-	}
-	dst := new(Endpoints)
-	*dst = *src
-	dst.IPPorts = *src.IPPorts.Clone()
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type Config,Peer,Endpoints,IPPortSet
-var _EndpointsNeedsRegeneration = Endpoints(struct {
-	PublicKey wgkey.Key
-	DiscoKey  tailcfg.DiscoKey
-	IPPorts   IPPortSet
-}{})
-
-// Clone makes a deep copy of IPPortSet.
-// The result aliases no memory with the original.
-func (src *IPPortSet) Clone() *IPPortSet {
-	if src == nil {
-		return nil
-	}
-	dst := new(IPPortSet)
-	*dst = *src
-	dst.ipp = append(src.ipp[:0:0], src.ipp...)
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type Config,Peer,Endpoints,IPPortSet
-var _IPPortSetNeedsRegeneration = IPPortSet(struct {
-	ipp []netaddr.IPPort
-}{})
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
David Anderson	e1571ed7e0	VERSION.txt: this is v1.8.7 Signed-off-by: David Anderson <danderson@tailscale.com>	2021-06-07 13:05:30 -07:00
Maisem Ali	86a278042a	cmd/tailscale/web: restrict web access to synology admins. Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `fbf77a2c24`)	2021-06-04 10:21:56 +05:00
David Anderson	ac009426a0	util/dnsname: don't validate the contents of DNS labels. DNS names consist of labels, but outside of length limits, DNS itself permits any content within the labels. Some records require labels to conform to hostname limitations (which is what we implemented before), but not all. Fixes #2024. Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `caaefa00a0`)	2021-06-03 09:48:45 -07:00
Brad Fitzpatrick	1cd4e11b26	ipn/ipnlocal: avoid initPeerAPIListener crash on certain concurrent actions We were crashing on in initPeerAPIListener when called from authReconfig when b.netMap is nil. But authReconfig already returns before the call to initPeerAPIListener when b.netMap is nil, but it releases the b.mu mutex before calling initPeerAPIListener which reacquires it and assumes it's still nil. The only thing that can be setting it to nil is setNetMapLocked, which is called by ResetForClientDisconnect, Logout/logout, or Start, all of which can happen during an authReconfig. So be more defensive. Fixes #1996 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `ecfb2639cc`)	2021-06-03 09:48:09 -07:00
Denton Gentry	28a8f9c90e	VERSION.txt: this is v1.8.6 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2021-05-27 15:07:12 -07:00
Brad Fitzpatrick	cd8b434ccd	ipn/ipnlocal: ignore NetfilterMode pref on Synology On clean installs we didn't set use iptables, but during upgrades it looks like we could use old prefs that directed us to go into the iptables paths that might fail on Synology. Updates #1995 Fixes tailscale/tailscale-synology#57 (I think) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `a04801e037`)	2021-05-27 11:04:40 -07:00
Brad Fitzpatrick	36db80e57d	cmd/tailscale/cli: update URL in error message for Synology unsupported feature Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `d2c4e75099`)	2021-05-27 11:04:33 -07:00
Brad Fitzpatrick	8b5912345e	cmd/tailscale/cli: don't warn about iptables=off on Synology We don't use iptables on Synology, so don't scare the user. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `cdd231cb7d`)	2021-05-27 11:04:27 -07:00
David Crawshaw	cc080b72fd	cmd/tailscale: have web POST wait for authURL Fixes #1939 Signed-off-by: David Crawshaw <crawshaw@tailscale.com> (cherry picked from commit `82b217f82e`)	2021-05-27 11:01:16 -07:00
David Crawshaw	039541661e	cmd/tailscale: show web 'login' error message For #1939 Signed-off-by: David Crawshaw <crawshaw@tailscale.com> (cherry picked from commit `50c976d3f1`)	2021-05-27 11:01:13 -07:00
David Anderson	118cf0cd75	VERSION.txt: this is v1.8.5 Signed-off-by: David Anderson <danderson@tailscale.com>	2021-05-20 20:57:11 -07:00
David Anderson	593ee7c7f1	ipn/ipnlocal: initialize DNS config maps unconditionally. Fixes #1963. Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `df350e2069`)	2021-05-20 20:38:49 -07:00
Maisem Ali	33ff4a25b2	VERSION.txt: this is v1.8.4 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2021-05-21 01:04:32 +05:00
Avery Pennarun	f308995edf	ipnlocal: in Start() fast path, don't forget to send Prefs. The resulting empty Prefs had AllowSingleHosts=false and Routeall=false, so that on iOS if you did these steps: - Login and leave running - Terminate the frontend - Restart the frontend (fast path restart, missing prefs) - Set WantRunning=false - Set WantRunning=true ...then you would have Tailscale running, but with no routes. You would also accidentally disable the ExitNodeID/IP prefs (symptom: the current exit node setting didn't appear in the UI), but since nothing else worked either, you probably didn't notice. The fix was easy enough. It turns out we already knew about the problem, so this also fixes one of the BUG entries in state_test. Fixes: #1918 (BUG-1) and some as-yet-unreported bugs with exit nodes. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	2021-05-20 03:35:14 -04:00
Avery Pennarun	ee19c53063	ipnlocal: don't assume NeedsLogin immediately after StartLogout(). Previously, there was no server round trip required to log out, so when you asked ipnlocal to Logout(), it could clear the netmap immediately and switch to NeedsLogin state. In v1.8, we added a true Logout operation. ipn.Logout() would trigger an async cc.StartLogout() and also immediately switch to NeedsLogin. Unfortunately, some frontends would see NeedsLogin and immediately trigger a new StartInteractiveLogin() operation, before the controlclient auth state machine actually acted on the Logout command, thus accidentally invalidating the entire logout operation, retaining the netmap, and violating the user's expectations. Instead, add a new LogoutFinished signal from controlclient (paralleling LoginFinished) and, upon starting a logout, don't update the ipn state machine until it's received. Updates: #1918 (BUG-2) Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	2021-05-20 03:35:14 -04:00
Avery Pennarun	d9facab159	ipnlocal: fix switching users while logged in + Stopped. This code path is very tricky since it was originally designed for the "re-authenticate to refresh my keys" use case, which didn't want to lose the original session even if the refresh cycle failed. This is why it acts differently from the Logout(); Login(); case. Maybe that's too fancy, considering that it probably never quite worked at all, for switching between users without logging out first. But it works now. This was more invasive than I hoped, but the necessary fixes actually removed several other suspicious BUG: lines from state_test.go, so I'm pretty confident this is a significant net improvement. Fixes tailscale/corp#1756. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	2021-05-20 01:08:06 -04:00
Avery Pennarun	30869d0f40	controlclient: update Persist.LoginName when it changes. Well, that was anticlimactic. Fixes tailscale/corp#461. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	2021-05-20 01:07:23 -04:00
Avery Pennarun	3a426a40b6	ipnlocal: fix deadlock in RequestEngineStatusAndWait() error path. If the engine was shutting down from a previous session (e.closing=true), it would return an error code when trying to get status. In that case, ipnlocal would never unblock any callers that were waiting on the status. Not sure if this ever happened in real life, but I accidentally triggered it while writing a test. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	2021-05-20 01:07:23 -04:00
David Crawshaw	256db54c9d	ipn: allow b to be nil in NewBackendServer A couple of code paths in ipnserver use a NewBackendServer with a nil backend just to call the callback with an encapsulated error message. This covers a panic case seen in logs. For #1920 Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	2021-05-19 14:22:26 -04:00
David Anderson	f22185cae1	net/dns: always offer MagicDNS records at 100.100.100.100. Fixes #1886. Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `6690f86ef4`)	2021-05-18 14:20:47 -07:00
David Anderson	d0e86b08c9	VERSION.txt: this is v1.8.3 Signed-off-by: David Anderson <dave@natulte.net>	2021-05-10 16:39:53 -07:00
David Anderson	38a83e937f	net/dns: don't use interfaces.Tailscale to find the tailscale interface index. interfaces.Tailscale only returns an interface if it has at least one Tailscale IP assigned to it. In the resolved DNS manager, when we're called upon to tear down DNS config, the interface no longer has IPs. Instead, look up the interface index on construction and reuse it throughout the daemon lifecycle. Fixes #1892. Signed-off-by: David Anderson <dave@natulte.net> (cherry picked from commit `cfde997699`)	2021-05-10 15:27:36 -07:00
David Anderson	04d015abbf	VERSION.txt: this is v1.8.2 Signed-off-by: David Anderson <dave@natulte.net>	2021-05-10 13:35:04 -07:00
David Anderson	fdc48ff96f	Revert "net/dns: set IPv4 auto mode in NM, so it lets us set DNS." This reverts commit `7d16c8228b`. I have no idea how I ended up here. The bug I was fixing with this change fails to reproduce on Ubuntu 18.04 now, and this change definitely does break 20.04, 20.10, and Debian Buster. So, until we can reliably reproduce the problem this was meant to fix, reverting. Part of #1875 Signed-off-by: David Anderson <dave@natulte.net> (cherry picked from commit `3c8e230ee1`)	2021-05-10 13:08:10 -07:00
David Anderson	b308f6ad21	util/dnsname: normalize leading dots in ToFQDN. Fixes #1888. Signed-off-by: David Anderson <dave@natulte.net> (cherry picked from commit `dc32b4695c`)	2021-05-10 13:07:51 -07:00
Josh Bleecher Snyder	b8bd18b053	go.mod: pull in wintun alignment fix from upstream wireguard-go `6cd106ab13...030c638da3` Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2021-05-10 11:10:59 -07:00
Brad Fitzpatrick	87c804b481	cmd/tailscale: rewrite the "up" checker, fix bugs The old way was way too fragile and had felt like it had more special cases than normal cases. (see #1874, #1860, #1834, etc) It became very obvious the old algorithm didn't work when we made the output be pretty and try to show the user the command they need to run in `5ecc7c7200` for #1746) The new algorithm is to map the prefs (current and new) back to flags and then compare flags. This nicely handles the OS-specific flags and the n:1 and 1:n flag:pref cases. No change in the existing already-massive test suite, except some ordering differences (the missing items are now sorted), but some new tests are added for behavior that was broken before. In particular, it now: * preserves non-pref boolean flags set to false, and preserves exit node IPs (mapping them back from the ExitNodeID pref, as well as ExitNodeIP), * doesn't ignore --advertise-exit-node when doing an EditPrefs call (#1880) * doesn't lose the --operator on the non-EditPrefs paths (e.g. with --force-reauth, or when the backend was not in state Running). Fixes #1880 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `5190435d6e`)	2021-05-07 09:32:33 -07:00
Brad Fitzpatrick	d39db05b7c	ipn/{ipnlocal,ipnstate}: add PeerStatus.ID stable ID to status --json output Needed for the "up checker" to map back from exit node stable IDs (the ipn.Prefs.ExitNodeID) back to an IP address in error messages. But also previously requested so people can use it to then make API calls. The upcoming "tailscale admin" subcommand will probably need it too. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `e72ed3fcc2`)	2021-05-07 09:32:28 -07:00
David Anderson	fbfdcc56ed	VERSION.txt: this is v1.8.1 Signed-off-by: David Anderson <danderson@tailscale.com>	2021-05-06 16:18:29 -07:00
David Anderson	f2a38320f8	net/dns: log the correct error when NM Reapply fails. Found while debugging #1870. Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `5bd38b10b4`)	2021-05-06 16:04:27 -07:00
David Anderson	71bcaae29e	net/dns: set IPv4 auto mode in NM, so it lets us set DNS. Part of #1870. Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `7d16c8228b`)	2021-05-06 16:04:23 -07:00
David Anderson	bf7c50dbdd	net/dns: don't try to configure LLMNR or mdns in NetworkManager. Fixes #1870. Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `77e2375501`)	2021-05-06 16:04:18 -07:00
Brad Fitzpatrick	ff4c2dbec9	cmd/tailscale: fix another up warning with exit nodes The --advertise-routes and --advertise-exit-node flags both mutating one pref is the gift that keeps on giving. I need to rewrite the this up warning code to first map prefs back to flag values and then just compare flags instead of comparing prefs, but this is the minimal fix for now. This also includes work on the tests, to make them easier to write (and more accurate), by letting you write the flag args directly and have that parse into the upArgs/MaskedPrefs directly, the same as the code, rather than them being possibly out of sync being written by hand. Fixes https://twitter.com/EXPbits/status/1390418145047887877 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `e78e26b6fb`)	2021-05-06 15:51:25 -07:00
David Crawshaw	e7899afbf6	VERSION.txt: this is v1.8.0 Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	2021-05-06 07:08:25 -07:00
@@ -1 +1 @@
 .9.0
 .8.7