wgengine/magicsock: add controlknob tunable for session timeout experiments

Updates #TODO Change-Id: Ifb7ee2b69545cbc457aa2bf4c4744f431edb36e2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
tool/gocross: don't absorb --tags flags passed to subcommand
2023-10-06 06:59:17 -07:00 · 2023-10-05 17:11:03 -07:00 · 2023-10-05 17:04:07 -07:00 · 2023-10-05 16:26:06 -07:00 · 2023-10-05 16:21:06 -07:00 · 2023-10-05 16:05:45 -07:00
323 changed files with 18291 additions and 6942 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -45,7 +45,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/docker-file-build.yml
+++ b/.github/workflows/docker-file-build.yml
@@ -10,6 +10,6 @@ jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
    - name: "Build Docker image"
      run: docker build .
--- a/.github/workflows/flakehub-publish-tagged.yml
+++ b/.github/workflows/flakehub-publish-tagged.yml
@@ -17,7 +17,7 @@ jobs:
      id-token: "write"
      contents: "read"
    steps:
-      - uses: "actions/checkout@v3"
+      - uses: "actions/checkout@v4"
        with:
          ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
      - uses: "DeterminateSystems/nix-installer-action@main"
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -22,7 +22,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v4
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -23,7 +23,7 @@ jobs:
    name: lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - uses: actions/setup-go@v4
        with:
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Install govulncheck
        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
@@ -27,8 +27,9 @@ jobs:
          payload: >
            {
              "attachments": [{
-                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks>
-                        (<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|commit>) of ${{ github.repository }}@${{ github.ref_name }} by ${{ github.event.head_commit.committer.name }}",
+                "title": "${{ job.status }}: ${{ github.workflow }}",
+                "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",
+                "text": "${{ github.repository }}@${{ github.sha }}",
                "color": "danger"
              }]
            }
--- a/.github/workflows/installer.yml
+++ b/.github/workflows/installer.yml
@@ -91,7 +91,7 @@ jobs:
        || contains(matrix.image, 'parrotsec')
        || contains(matrix.image, 'kalilinux')
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: run installer
      run: scripts/installer.sh
      # Package installation can fail in docker because systemd is not running
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -51,7 +51,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: Restore Cache
      uses: actions/cache@v3
      with:
@@ -74,6 +74,7 @@ jobs:
      env:
        GOARCH: ${{ matrix.goarch }}
    - name: build variant CLIs
+      if: matrix.buildflags == '' # skip on race builder
      run: |
        export TS_USE_TOOLCHAIN=1
        ./build_dist.sh --extra-small ./cmd/tailscaled
@@ -83,7 +84,7 @@ jobs:
      env:
        GOARCH: ${{ matrix.goarch }}
    - name: get qemu # for tstest/archtest
-      if: matrix.goarch == 'amd64' && matrix.variant == ''
+      if: matrix.goarch == 'amd64' && matrix.buildflags == ''
      run: |
        sudo apt-get -y update
        sudo apt-get -y install qemu-user
@@ -94,7 +95,7 @@ jobs:
      env:
        GOARCH: ${{ matrix.goarch }}
    - name: bench all
-      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ 
+      run: ./tool/go test ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ $(for x in $(git grep -l "^func Benchmark" | xargs dirname | sort | uniq); do echo "./$x"; done)
      env:
        GOARCH: ${{ matrix.goarch }}
    - name: check that no tracked files changed
@@ -115,7 +116,7 @@ jobs:
    runs-on: windows-2022
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Install Go
      uses: actions/setup-go@v4
@@ -141,10 +142,12 @@ jobs:
          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
          ${{ github.job }}-${{ runner.os }}-go-2-
    - name: test
+      run: go run ./cmd/testwrapper ./...
+    - name: bench all
      # Don't use -bench=. -benchtime=1x.
      # Somewhere in the layers (powershell?)
      # the equals signs cause great confusion.
-      run: go run ./cmd/testwrapper ./... -bench . -benchtime 1x
+      run: go test ./... -bench . -benchtime 1x -run "^$"

  vm:
    runs-on: ["self-hosted", "linux", "vm"]
@@ -152,7 +155,7 @@ jobs:
    if: github.repository == 'tailscale/tailscale'
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: Run VM tests
      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
      env:
@@ -201,7 +204,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: Restore Cache
      uses: actions/cache@v3
      with:
@@ -238,7 +241,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: build some
      run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
      env:
@@ -252,7 +255,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
      # some Android breakages early.
@@ -267,7 +270,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: Restore Cache
      uses: actions/cache@v3
      with:
@@ -301,7 +304,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: test tailscale_go
      run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...

@@ -369,7 +372,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: check depaware
      run: |
        export PATH=$(./tool/go env GOROOT)/bin:$PATH
@@ -379,7 +382,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: check that 'go generate' is clean
      run: |
        pkgs=$(./tool/go list ./... | grep -v dnsfallback)
@@ -392,7 +395,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: check that 'go mod tidy' is clean
      run: |
        ./tool/go mod tidy
@@ -404,7 +407,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: check licenses
      run: ./scripts/check_license_headers.sh .

@@ -420,7 +423,7 @@ jobs:
            goarch: "386"
    steps:
    - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: install staticcheck
      run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
    - name: run staticcheck
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -21,7 +21,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Run update-flakes
        run: ./update-flake.sh
--- a/.gitignore
+++ b/.gitignore
@@ -38,7 +38,7 @@ cmd/tailscaled/tailscaled
 # Ignore web client node modules
 .vite/
 client/web/node_modules
-client/web/build
+client/web/build/assets

 /gocross
 /dist
--- a/5
+++ b/5
@@ -1,6 +1,7 @@
 IMAGE_REPO ?= tailscale/tailscale
 SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"
+TAGS ?= "latest"

 vet: ## Run go vet
 	./tool/go vet ./...
@@ -67,7 +68,7 @@ publishdevimage: ## Build and publish tailscale image to location specified by $
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh

 publishdevoperator: ## Build and publish k8s-operator image to location specified by ${REPO}
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
@@ -75,7 +76,7 @@ publishdevoperator: ## Build and publish k8s-operator image to location specifie
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh

 help: ## Show this help
 	@echo "\nSpecify a command. The choices are:\n"
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.49.0
+1.51.0
--- a/api.md
+++ b/api.md
@@ -1434,6 +1434,18 @@ The response is a JSON object with information about the key supplied.
 }
 ```

+Response for a revoked (deleted) or expired key will have an `invalid` field set to `true`:
+
+``` jsonc
+{
+  "id": "abc123456CNTRL",
+  "created": "2022-05-05T18:55:44Z",
+  "expires": "2022-08-03T18:55:44Z",
+  "revoked": "2023-04-01T20:50:00Z",
+  "invalid": true
+}
+```
+
 <a href="tailnet-keys-key-delete"></a>

 ## Delete key
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -37,6 +37,7 @@ import (
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
 	"tailscale.com/types/tkatype"
+	"tailscale.com/util/cmpx"
 )

 // defaultLocalClient is the default LocalClient when using the legacy
@@ -139,6 +140,10 @@ func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Respons
 			all, _ := io.ReadAll(res.Body)
 			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
 		}
+		if res.StatusCode == http.StatusPreconditionFailed {
+			all, _ := io.ReadAll(res.Body)
+			return nil, &PreconditionsFailedError{errors.New(errorMessageFromBody(all))}
+		}
 		return res, nil
 	}
 	if ue, ok := err.(*url.Error); ok {
@@ -169,6 +174,24 @@ func IsAccessDeniedError(err error) bool {
 	return errors.As(err, &ae)
 }

+// PreconditionsFailedError is returned when the server responds
+// with an HTTP 412 status code.
+type PreconditionsFailedError struct {
+	err error
+}
+
+func (e *PreconditionsFailedError) Error() string {
+	return fmt.Sprintf("Preconditions failed: %v", e.err)
+}
+
+func (e *PreconditionsFailedError) Unwrap() error { return e.err }
+
+// IsPreconditionsFailedError reports whether err is or wraps an PreconditionsFailedError.
+func IsPreconditionsFailedError(err error) bool {
+	var ae *PreconditionsFailedError
+	return errors.As(err, &ae)
+}
+
 // bestError returns either err, or if body contains a valid JSON
 // object of type errorJSON, its non-empty error body.
 func bestError(err error, body []byte) error {
@@ -197,27 +220,42 @@ func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
 }

 func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
+	slurp, _, err := lc.sendWithHeaders(ctx, method, path, wantStatus, body, nil)
+	return slurp, err
+}
+
+func (lc *LocalClient) sendWithHeaders(
+	ctx context.Context,
+	method,
+	path string,
+	wantStatus int,
+	body io.Reader,
+	h http.Header,
+) ([]byte, http.Header, error) {
 	if jr, ok := body.(jsonReader); ok && jr.err != nil {
-		return nil, jr.err // fail early if there was a JSON marshaling error
+		return nil, nil, jr.err // fail early if there was a JSON marshaling error
 	}
 	req, err := http.NewRequestWithContext(ctx, method, "http://"+apitype.LocalAPIHost+path, body)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
+	}
+	if h != nil {
+		req.Header = h
 	}
 	res, err := lc.doLocalRequestNiceError(req)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	defer res.Body.Close()
 	slurp, err := io.ReadAll(res.Body)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	if res.StatusCode != wantStatus {
 		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
-		return nil, bestError(err, slurp)
+		return nil, nil, bestError(err, slurp)
 	}
-	return slurp, nil
+	return slurp, res.Header, nil
 }

 func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
@@ -391,15 +429,65 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }

+// DebugResultJSON invokes a debug action and returns its result as something JSON-able.
+// These are development tools and subject to change or removal over time.
+func (lc *LocalClient) DebugResultJSON(ctx context.Context, action string) (any, error) {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error %w: %s", err, body)
+	}
+	var x any
+	if err := json.Unmarshal(body, &x); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+// DebugPortmapOpts contains options for the DebugPortmap command.
+type DebugPortmapOpts struct {
+	// Duration is how long the mapping should be created for. It defaults
+	// to 5 seconds if not set.
+	Duration time.Duration
+
+	// Type is the kind of portmap to debug. The empty string instructs the
+	// portmap client to perform all known types. Other valid options are
+	// "pmp", "pcp", and "upnp".
+	Type string
+
+	// GatewayAddr specifies the gateway address used during portmapping.
+	// If set, SelfAddr must also be set. If unset, it will be
+	// autodetected.
+	GatewayAddr netip.Addr
+
+	// SelfAddr specifies the gateway address used during portmapping. If
+	// set, GatewayAddr must also be set. If unset, it will be
+	// autodetected.
+	SelfAddr netip.Addr
+
+	// LogHTTP instructs the debug-portmap endpoint to print all HTTP
+	// requests and responses made to the logs.
+	LogHTTP bool
+}
+
 // DebugPortmap invokes the debug-portmap endpoint, and returns an
 // io.ReadCloser that can be used to read the logs that are printed during this
 // process.
-func (lc *LocalClient) DebugPortmap(ctx context.Context, duration time.Duration, ty, gwSelf string) (io.ReadCloser, error) {
+//
+// opts can be nil; if so, default values will be used.
+func (lc *LocalClient) DebugPortmap(ctx context.Context, opts *DebugPortmapOpts) (io.ReadCloser, error) {
 	vals := make(url.Values)
-	vals.Set("duration", duration.String())
-	vals.Set("type", ty)
-	if gwSelf != "" {
-		vals.Set("gateway_and_self", gwSelf)
+	if opts == nil {
+		opts = &DebugPortmapOpts{}
+	}
+
+	vals.Set("duration", cmpx.Or(opts.Duration, 5*time.Second).String())
+	vals.Set("type", opts.Type)
+	vals.Set("log_http", strconv.FormatBool(opts.LogHTTP))
+
+	if opts.GatewayAddr.IsValid() != opts.SelfAddr.IsValid() {
+		return nil, fmt.Errorf("both GatewayAddr and SelfAddr must be provided if one is")
+	} else if opts.GatewayAddr.IsValid() {
+		vals.Set("gateway_and_self", fmt.Sprintf("%s/%s", opts.GatewayAddr, opts.SelfAddr))
 	}

 	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+apitype.LocalAPIHost+"/localapi/v0/debug-portmap?"+vals.Encode(), nil)
@@ -1042,7 +1130,11 @@ func (lc *LocalClient) NetworkLockSubmitRecoveryAUM(ctx context.Context, aum tka
 // SetServeConfig sets or replaces the serving settings.
 // If config is nil, settings are cleared and serving is disabled.
 func (lc *LocalClient) SetServeConfig(ctx context.Context, config *ipn.ServeConfig) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/serve-config", 200, jsonBody(config))
+	h := make(http.Header)
+	if config != nil {
+		h.Set("If-Match", config.ETag)
+	}
+	_, _, err := lc.sendWithHeaders(ctx, "POST", "/localapi/v0/serve-config", 200, jsonBody(config), h)
 	if err != nil {
 		return fmt.Errorf("sending serve config: %w", err)
 	}
@@ -1057,38 +1149,23 @@ func (lc *LocalClient) NetworkLockDisable(ctx context.Context, secret []byte) er
 	return nil
 }

-// StreamServe returns an io.ReadCloser that streams serve/Funnel
-// connections made to the provided HostPort.
-//
-// If Serve and Funnel were not already enabled for the HostPort in the ServeConfig,
-// the backend enables it for the duration of the context's lifespan and
-// then turns it back off once the context is closed. If either are already enabled,
-// then they remain that way but logs are still streamed
-func (lc *LocalClient) StreamServe(ctx context.Context, hp ipn.ServeStreamRequest) (io.ReadCloser, error) {
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://"+apitype.LocalAPIHost+"/localapi/v0/stream-serve", jsonBody(hp))
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != 200 {
-		res.Body.Close()
-		return nil, errors.New(res.Status)
-	}
-	return res.Body, nil
-}
-
 // GetServeConfig return the current serve config.
 //
 // If the serve config is empty, it returns (nil, nil).
 func (lc *LocalClient) GetServeConfig(ctx context.Context) (*ipn.ServeConfig, error) {
-	body, err := lc.send(ctx, "GET", "/localapi/v0/serve-config", 200, nil)
+	body, h, err := lc.sendWithHeaders(ctx, "GET", "/localapi/v0/serve-config", 200, nil, nil)
 	if err != nil {
 		return nil, fmt.Errorf("getting serve config: %w", err)
 	}
-	return getServeConfigFromJSON(body)
+	sc, err := getServeConfigFromJSON(body)
+	if err != nil {
+		return nil, err
+	}
+	if sc == nil {
+		sc = new(ipn.ServeConfig)
+	}
+	sc.ETag = h.Get("Etag")
+	return sc, nil
 }

 func getServeConfigFromJSON(body []byte) (sc *ipn.ServeConfig, err error) {
--- a/client/web/assets.go
+++ b/client/web/assets.go
@@ -12,11 +12,22 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+
+	prebuilt "github.com/tailscale/web-client-prebuilt"
 )

+func assetsHandler(devMode bool) (_ http.Handler, cleanup func()) {
+	if devMode {
+		// When in dev mode, proxy asset requests to the Vite dev server.
+		cleanup := startDevServer()
+		return devServerProxy(), cleanup
+	}
+	return http.FileServer(http.FS(prebuilt.FS())), nil
+}
+
 // startDevServer starts the JS dev server that does on-demand rebuilding
 // and serving of web client JS and CSS resources.
-func (s *Server) startDevServer() (cleanup func()) {
+func startDevServer() (cleanup func()) {
 	root := gitRootDir()
 	webClientPath := filepath.Join(root, "client", "web")

@@ -45,10 +56,8 @@ func (s *Server) startDevServer() (cleanup func()) {
 	}
 }

-func (s *Server) addProxyToDevServer() {
-	if !s.devMode {
-		return // only using Vite proxy in dev mode
-	}
+// devServerProxy returns a reverse proxy to the vite dev server.
+func devServerProxy() *httputil.ReverseProxy {
 	// We use Vite to develop on the web client.
 	// Vite starts up its own local server for development,
 	// which we proxy requests to from Server.ServeHTTP.
@@ -62,8 +71,9 @@ func (s *Server) addProxyToDevServer() {
 		w.Write([]byte("\n\nError: " + err.Error()))
 	}
 	viteTarget, _ := url.Parse("http://127.0.0.1:4000")
-	s.devProxy = httputil.NewSingleHostReverseProxy(viteTarget)
-	s.devProxy.ErrorHandler = handleErr
+	devProxy := httputil.NewSingleHostReverseProxy(viteTarget)
+	devProxy.ErrorHandler = handleErr
+	return devProxy
 }

 func gitRootDir() string {
--- a/client/web/build/index.html
+++ b/client/web/build/index.html
@@ -0,0 +1,28 @@
+<!doctype html>
+<html class="bg-gray-50">
+  <head>
+    <title>Tailscale</title>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link rel="shortcut icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
+    
+    <script type="module" crossorigin src="./assets/index-4d1f45ea.js"></script>
+    <link rel="stylesheet" href="./assets/index-8612dca6.css">
+  </head>
+  <body>
+    <noscript>
+      <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
+      <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
+    </noscript>
+    
+    <script>
+      window.addEventListener("load", () => {
+        if (!window.Tailscale) {
+          const rootEl = document.createElement("p")
+          rootEl.innerHTML = 'Tailscale was built without the web client. See <a href="https://github.com/tailscale/tailscale#building-the-web-client">Building the web client</a> for more information.'
+          document.body.append(rootEl)
+        }
+      });
+    </script>
+  </body>
+</html>
--- a/client/web/index.html
+++ b/client/web/index.html
@@ -8,22 +8,19 @@
    <link rel="stylesheet" type="text/css" href="/src/index.css" />
  </head>
  <body>
-    <div class="min-h-screen py-10 flex justify-center items-center" style="display: none">
-      <div class="max-w-md">
-        <h3 class="font-semibold text-lg mb-4">Your web browser is unsupported.</h3>
-        <p class="mb-2">
-          Update to a modern browser to access the Tailscale web client. You can use
-          <a class="link" href="https://www.mozilla.org/en-US/firefox/new/" target="_blank">Firefox</a>,
-          <a class="link" href="https://www.microsoft.com/en-us/edge" target="_blank">Edge</a>,
-          <a class="link" href="https://www.apple.com/safari/" target="_blank">Safari</a>,
-          or <a class="link" href="https://www.google.com/chrome/" target="_blank">Chrome</a>.</p>
-        <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a></p>
-      </div>
-    </div>
    <noscript>
      <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
      <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
    </noscript>
    <script type="module" src="/src/index.tsx"></script>
+    <script>
+      window.addEventListener("load", () => {
+        if (!window.Tailscale) {
+          const rootEl = document.createElement("p")
+          rootEl.innerHTML = 'Tailscale was built without the web client. See <a href="https://github.com/tailscale/tailscale#building-the-web-client">Building the web client</a> for more information.'
+          document.body.append(rootEl)
+        }
+      });
+    </script>
  </body>
 </html>
--- a/client/web/qnap.go
+++ b/client/web/qnap.go
@@ -16,23 +16,23 @@ import (
 	"net/url"
 )

-const qnapPrefix = "/cgi-bin/qpkg/Tailscale/index.cgi/"
-
-// authorizeQNAP authenticates the logged-in QNAP user and verifies
-// that they are authorized to use the web client.  It returns true if the
-// request was handled and no further processing is required.
-func authorizeQNAP(w http.ResponseWriter, r *http.Request) (handled bool) {
+// authorizeQNAP authenticates the logged-in QNAP user and verifies that they
+// are authorized to use the web client.
+// It reports true if the request is authorized to continue, and false otherwise.
+// authorizeQNAP manages writing out any relevant authorization errors to the
+// ResponseWriter itself.
+func authorizeQNAP(w http.ResponseWriter, r *http.Request) (ok bool) {
 	_, resp, err := qnapAuthn(r)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusUnauthorized)
-		return true
+		return false
 	}
 	if resp.IsAdmin == 0 {
 		http.Error(w, "user is not an admin", http.StatusForbidden)
-		return true
+		return false
 	}

-	return false
+	return true
 }

 type qnapAuthResponse struct {
--- a/client/web/src/api.ts
+++ b/client/web/src/api.ts
@@ -1,14 +1,49 @@
 let csrfToken: string
+let unraidCsrfToken: string | undefined // required for unraid POST requests (#8062)

-// apiFetch wraps the standard JS fetch function
-// with csrf header management.
+// apiFetch wraps the standard JS fetch function with csrf header
+// management and param additions specific to the web client.
+//
+// apiFetch adds the `api` prefix to the request URL,
+// so endpoint should be provided without the `api` prefix
+// (i.e. provide `/data` rather than `api/data`).
 export function apiFetch(
-  input: RequestInfo | URL,
-  init?: RequestInit | undefined
+  endpoint: string,
+  method: "GET" | "POST",
+  body?: any,
+  params?: Record<string, string>
 ): Promise<Response> {
-  return fetch(input, {
-    ...init,
-    headers: withCsrfToken(init?.headers),
+  const urlParams = new URLSearchParams(window.location.search)
+  const nextParams = new URLSearchParams(params)
+  const token = urlParams.get("SynoToken")
+  if (token) {
+    nextParams.set("SynoToken", token)
+  }
+  const search = nextParams.toString()
+  const url = `api${endpoint}${search ? `?${search}` : ""}`
+
+  var contentType: string
+  if (unraidCsrfToken && method === "POST") {
+    const params = new URLSearchParams()
+    params.append("csrf_token", unraidCsrfToken)
+    if (body) {
+      params.append("ts_data", JSON.stringify(body))
+    }
+    body = params.toString()
+    contentType = "application/x-www-form-urlencoded;charset=UTF-8"
+  } else {
+    body = body ? JSON.stringify(body) : undefined
+    contentType = "application/json"
+  }
+
+  return fetch(url, {
+    method: method,
+    headers: {
+      Accept: "application/json",
+      "Content-Type": contentType,
+      "X-CSRF-Token": csrfToken,
+    },
+    body,
  }).then((r) => {
    updateCsrfToken(r)
    if (!r.ok) {
@@ -20,13 +55,13 @@ export function apiFetch(
  })
 }

-function withCsrfToken(h?: HeadersInit): HeadersInit {
-  return { ...h, "X-CSRF-Token": csrfToken }
-}
-
 function updateCsrfToken(r: Response) {
  const tok = r.headers.get("X-CSRF-Token")
  if (tok) {
    csrfToken = tok
  }
 }
+
+export function setUnraidCsrfToken(token?: string) {
+  unraidCsrfToken = token
+}
--- a/client/web/src/components/app.tsx
+++ b/client/web/src/components/app.tsx
@@ -1,26 +1,123 @@
 import React from "react"
 import { Footer, Header, IP, State } from "src/components/legacy"
-import useNodeData from "src/hooks/node-data"
+import useNodeData, { NodeData } from "src/hooks/node-data"
+import { ReactComponent as ConnectedDeviceIcon } from "src/icons/connected-device.svg"
+import { ReactComponent as TailscaleIcon } from "src/icons/tailscale-icon.svg"
+import { ReactComponent as TailscaleLogo } from "src/icons/tailscale-logo.svg"

 export default function App() {
  // TODO(sonia): use isPosting value from useNodeData
  // to fill loading states.
-  const { data, updateNode } = useNodeData()
+  const { data, refreshData, updateNode } = useNodeData()

-  return (
-    <div className="py-14">
-      {!data ? (
-        // TODO(sonia): add a loading view
-        <div className="text-center">Loading...</div>
+  if (!data) {
+    // TODO(sonia): add a loading view
+    return <div className="text-center py-14">Loading...</div>
+  }
+
+  const needsLogin = data?.Status === "NeedsLogin" || data?.Status === "NoState"
+
+  return !needsLogin &&
+    (data.DebugMode === "login" || data.DebugMode === "full") ? (
+    <div className="flex flex-col items-center min-w-sm max-w-lg mx-auto py-10">
+      {data.DebugMode === "login" ? (
+        <LoginView {...data} />
      ) : (
-        <>
-          <main className="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
-            <Header data={data} updateNode={updateNode} />
-            <IP data={data} />
-            <State data={data} updateNode={updateNode} />
-          </main>
-          <Footer data={data} />
-        </>
+        <ManageView {...data} />
+      )}
+      <Footer className="mt-20" licensesURL={data.LicensesURL} />
+    </div>
+  ) : (
+    // Legacy client UI
+    <div className="py-14">
+      <main className="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
+        <Header data={data} refreshData={refreshData} updateNode={updateNode} />
+        <IP data={data} />
+        <State data={data} updateNode={updateNode} />
+      </main>
+      <Footer licensesURL={data.LicensesURL} />
+    </div>
+  )
+}
+
+function LoginView(props: NodeData) {
+  return (
+    <>
+      <div className="pb-52 mx-auto">
+        <TailscaleLogo />
+      </div>
+      <div className="w-full p-4 bg-stone-50 rounded-3xl border border-gray-200 flex flex-col gap-4">
+        <div className="flex gap-2.5">
+          <ProfilePic url={props.Profile.ProfilePicURL} />
+          <div className="font-medium">
+            <div className="text-neutral-500 text-xs uppercase tracking-wide">
+              Owned by
+            </div>
+            <div className="text-neutral-800 text-sm leading-tight">
+              {/* TODO(sonia): support tagged node profile view more eloquently */}
+              {props.Profile.LoginName}
+            </div>
+          </div>
+        </div>
+        <div className="px-5 py-4 bg-white rounded-lg border border-gray-200 justify-between items-center flex">
+          <div className="flex gap-3">
+            <ConnectedDeviceIcon />
+            <div className="text-neutral-800">
+              <div className="text-lg font-medium leading-[25.20px]">
+                {props.DeviceName}
+              </div>
+              <div className="text-sm leading-tight">{props.IP}</div>
+            </div>
+          </div>
+          <button className="button button-blue ml-6">Access</button>
+        </div>
+      </div>
+    </>
+  )
+}
+
+function ManageView(props: NodeData) {
+  return (
+    <div className="px-5">
+      <div className="flex justify-between mb-12">
+        <TailscaleIcon />
+        <div className="flex">
+          <p className="mr-2">{props.Profile.LoginName}</p>
+          {/* TODO(sonia): support tagged node profile view more eloquently */}
+          <ProfilePic url={props.Profile.ProfilePicURL} />
+        </div>
+      </div>
+      <p className="tracking-wide uppercase text-gray-600 pb-3">This device</p>
+      <div className="-mx-5 border rounded-md px-5 py-4 bg-white">
+        <div className="flex justify-between items-center text-lg">
+          <div className="flex items-center">
+            <ConnectedDeviceIcon />
+            <p className="font-medium ml-3">{props.DeviceName}</p>
+          </div>
+          <p className="tracking-widest">{props.IP}</p>
+        </div>
+      </div>
+      <p className="text-gray-500 pt-2">
+        Tailscale is up and running. You can connect to this device from devices
+        in your tailnet by using its name or IP address.
+      </p>
+    </div>
+  )
+}
+
+function ProfilePic({ url }: { url: string }) {
+  return (
+    <div className="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
+      {url ? (
+        <div
+          className="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
+          style={{
+            backgroundImage: `url(${url})`,
+            backgroundSize: "cover",
+          }}
+        />
+      ) : (
+        <div className="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed" />
      )}
    </div>
  )
--- a/client/web/src/components/legacy.tsx
+++ b/client/web/src/components/legacy.tsx
@@ -1,5 +1,6 @@
 import cx from "classnames"
 import React from "react"
+import { apiFetch } from "src/api"
 import { NodeData, NodeUpdate } from "src/hooks/node-data"

 // TODO(tailscale/corp#13775): legacy.tsx contains a set of components
@@ -9,9 +10,11 @@ import { NodeData, NodeUpdate } from "src/hooks/node-data"

 export function Header({
  data,
+  refreshData,
  updateNode,
 }: {
  data: NodeData
+  refreshData: () => void
  updateNode: (update: NodeUpdate) => void
 }) {
  return (
@@ -89,7 +92,11 @@ export function Header({
                  </button>{" "}
                  |{" "}
                  <button
-                    onClick={() => updateNode({ ForceLogout: true })}
+                    onClick={() =>
+                      apiFetch("/local/v0/logout", "POST")
+                        .then(refreshData)
+                        .catch((err) => alert("Logout failed: " + err.message))
+                    }
                    className="hover:text-gray-700"
                  >
                    Logout
@@ -275,14 +282,14 @@ export function State({
  }
 }

-export function Footer(props: { data: NodeData }) {
-  const { data } = props
-
+export function Footer(props: { licensesURL: string; className?: string }) {
  return (
-    <footer className="container max-w-lg mx-auto text-center">
+    <footer
+      className={cx("container max-w-lg mx-auto text-center", props.className)}
+    >
      <a
        className="text-xs text-gray-500 hover:text-gray-600"
-        href={data.LicensesURL}
+        href={props.licensesURL}
      >
        Open Source Licenses
      </a>
--- a/client/web/src/hooks/node-data.ts
+++ b/client/web/src/hooks/node-data.ts
@@ -1,5 +1,5 @@
 import { useCallback, useEffect, useState } from "react"
-import { apiFetch } from "src/api"
+import { apiFetch, setUnraidCsrfToken } from "src/api"

 export type NodeData = {
  Profile: UserProfile
@@ -15,6 +15,8 @@ export type NodeData = {
  IsUnraid: boolean
  UnraidToken: string
  IPNVersion: string
+
+  DebugMode: "" | "login" | "full" // empty when not running in any debug mode
 }

 export type UserProfile = {
@@ -35,12 +37,17 @@ export default function useNodeData() {
  const [data, setData] = useState<NodeData>()
  const [isPosting, setIsPosting] = useState<boolean>(false)

-  const fetchNodeData = useCallback(() => {
-    apiFetch("api/data")
-      .then((r) => r.json())
-      .then((d) => setData(d))
-      .catch((error) => console.error(error))
-  }, [setData])
+  const refreshData = useCallback(
+    () =>
+      apiFetch("/data", "GET")
+        .then((r) => r.json())
+        .then((d: NodeData) => {
+          setData(d)
+          setUnraidCsrfToken(d.IsUnraid ? d.UnraidToken : undefined)
+        })
+        .catch((error) => console.error(error)),
+    [setData]
+  )

  const updateNode = useCallback(
    (update: NodeUpdate) => {
@@ -68,33 +75,7 @@ export default function useNodeData() {
            : data.AdvertiseExitNode,
      }

-      const urlParams = new URLSearchParams(window.location.search)
-      const nextParams = new URLSearchParams({ up: "true" })
-      const token = urlParams.get("SynoToken")
-      if (token) {
-        nextParams.set("SynoToken", token)
-      }
-      const search = nextParams.toString()
-      const url = `/api/data${search ? `?${search}` : ""}`
-
-      var body, contentType: string
-
-      if (data.IsUnraid) {
-        const params = new URLSearchParams()
-        params.append("csrf_token", data.UnraidToken)
-        params.append("ts_data", JSON.stringify(update))
-        body = params.toString()
-        contentType = "application/x-www-form-urlencoded;charset=UTF-8"
-      } else {
-        body = JSON.stringify(update)
-        contentType = "application/json"
-      }
-
-      apiFetch(url, {
-        method: "POST",
-        headers: { Accept: "application/json", "Content-Type": contentType },
-        body: body,
-      })
+      apiFetch("/data", "POST", update, { up: "true" })
        .then((r) => r.json())
        .then((r) => {
          setIsPosting(false)
@@ -106,7 +87,7 @@ export default function useNodeData() {
          if (url) {
            window.open(url, "_blank")
          }
-          fetchNodeData()
+          refreshData()
        })
        .catch((err) => alert("Failed operation: " + err.message))
    },
@@ -116,11 +97,11 @@ export default function useNodeData() {
  useEffect(
    () => {
      // Initial data load.
-      fetchNodeData()
+      refreshData()

      // Refresh on browser tab focus.
      const onVisibilityChange = () => {
-        document.visibilityState === "visible" && fetchNodeData()
+        document.visibilityState === "visible" && refreshData()
      }
      window.addEventListener("visibilitychange", onVisibilityChange)
      return () => {
@@ -132,5 +113,5 @@ export default function useNodeData() {
    []
  )

-  return { data, updateNode, isPosting }
+  return { data, refreshData, updateNode, isPosting }
 }
--- a/client/web/src/icons/connected-device.svg
+++ b/client/web/src/icons/connected-device.svg
@@ -0,0 +1,15 @@
+<svg width="40" height="40" viewBox="0 0 40 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="40" height="40" rx="20" fill="#F7F5F4"/>
+<g clip-path="url(#clip0_13627_11903)">
+<path d="M26.6666 11.6667H13.3333C12.4128 11.6667 11.6666 12.4129 11.6666 13.3333V16.6667C11.6666 17.5871 12.4128 18.3333 13.3333 18.3333H26.6666C27.5871 18.3333 28.3333 17.5871 28.3333 16.6667V13.3333C28.3333 12.4129 27.5871 11.6667 26.6666 11.6667Z" stroke="black" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M26.6666 21.6667H13.3333C12.4128 21.6667 11.6666 22.4129 11.6666 23.3333V26.6667C11.6666 27.5871 12.4128 28.3333 13.3333 28.3333H26.6666C27.5871 28.3333 28.3333 27.5871 28.3333 26.6667V23.3333C28.3333 22.4129 27.5871 21.6667 26.6666 21.6667Z" stroke="black" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M15 15H15.01" stroke="black" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M15 25H15.01" stroke="black" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</g>
+<circle cx="34" cy="34" r="4.5" fill="#1EA672" stroke="white"/>
+<defs>
+<clipPath id="clip0_13627_11903">
+<rect width="20" height="20" fill="white" transform="translate(10 10)"/>
+</clipPath>
+</defs>
+</svg>
--- a/client/web/src/icons/tailscale-icon.svg
+++ b/client/web/src/icons/tailscale-icon.svg
@@ -0,0 +1,18 @@
+<svg width="26" height="26" viewBox="0 0 26 26" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_13627_11860)">
+<path opacity="0.2" d="M3.8696 6.77137C5.56662 6.77137 6.94233 5.39567 6.94233 3.69865C6.94233 2.00163 5.56662 0.625919 3.8696 0.625919C2.17258 0.625919 0.796875 2.00163 0.796875 3.69865C0.796875 5.39567 2.17258 6.77137 3.8696 6.77137Z" fill="black"/>
+<path d="M3.8696 15.9327C5.56662 15.9327 6.94233 14.5569 6.94233 12.8599C6.94233 11.1629 5.56662 9.7872 3.8696 9.7872C2.17258 9.7872 0.796875 11.1629 0.796875 12.8599C0.796875 14.5569 2.17258 15.9327 3.8696 15.9327Z" fill="black"/>
+<path opacity="0.2" d="M3.8696 25.2646C5.56662 25.2646 6.94233 23.8889 6.94233 22.1919C6.94233 20.4949 5.56662 19.1192 3.8696 19.1192C2.17258 19.1192 0.796875 20.4949 0.796875 22.1919C0.796875 23.8889 2.17258 25.2646 3.8696 25.2646Z" fill="black"/>
+<path d="M13.0879 15.9327C14.7849 15.9327 16.1606 14.5569 16.1606 12.8599C16.1606 11.1629 14.7849 9.7872 13.0879 9.7872C11.3908 9.7872 10.0151 11.1629 10.0151 12.8599C10.0151 14.5569 11.3908 15.9327 13.0879 15.9327Z" fill="black"/>
+<path d="M13.0879 25.2646C14.7849 25.2646 16.1606 23.8889 16.1606 22.1919C16.1606 20.4949 14.7849 19.1192 13.0879 19.1192C11.3908 19.1192 10.0151 20.4949 10.0151 22.1919C10.0151 23.8889 11.3908 25.2646 13.0879 25.2646Z" fill="black"/>
+<path opacity="0.2" d="M13.0879 6.77137C14.7849 6.77137 16.1606 5.39567 16.1606 3.69865C16.1606 2.00163 14.7849 0.625919 13.0879 0.625919C11.3908 0.625919 10.0151 2.00163 10.0151 3.69865C10.0151 5.39567 11.3908 6.77137 13.0879 6.77137Z" fill="black"/>
+<path opacity="0.2" d="M22.1919 6.77137C23.8889 6.77137 25.2646 5.39567 25.2646 3.69865C25.2646 2.00163 23.8889 0.625919 22.1919 0.625919C20.4948 0.625919 19.1191 2.00163 19.1191 3.69865C19.1191 5.39567 20.4948 6.77137 22.1919 6.77137Z" fill="black"/>
+<path d="M22.1919 15.9327C23.8889 15.9327 25.2646 14.5569 25.2646 12.8599C25.2646 11.1629 23.8889 9.7872 22.1919 9.7872C20.4948 9.7872 19.1191 11.1629 19.1191 12.8599C19.1191 14.5569 20.4948 15.9327 22.1919 15.9327Z" fill="black"/>
+<path opacity="0.2" d="M22.1919 25.2646C23.8889 25.2646 25.2646 23.8889 25.2646 22.1919C25.2646 20.4949 23.8889 19.1192 22.1919 19.1192C20.4948 19.1192 19.1191 20.4949 19.1191 22.1919C19.1191 23.8889 20.4948 25.2646 22.1919 25.2646Z" fill="black"/>
+</g>
+<defs>
+<clipPath id="clip0_13627_11860">
+<rect width="26" height="26" fill="white"/>
+</clipPath>
+</defs>
+</svg>
--- a/client/web/src/icons/tailscale-logo.svg
+++ b/client/web/src/icons/tailscale-logo.svg
@@ -0,0 +1,20 @@
+<svg width="121" height="22" viewBox="0 0 121 22" fill="none" xmlns="http://www.w3.org/2000/svg">
+<ellipse cx="2.69191" cy="10.7677" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse cx="10.7676" cy="10.7677" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="2.69191" cy="18.8434" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle opacity="0.2" cx="18.8433" cy="18.8434" r="2.69191" fill="#141414"/>
+<ellipse cx="10.7676" cy="18.8434" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle cx="18.8433" cy="10.7677" r="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="2.69191" cy="2.69191" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="10.7676" cy="2.69191" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle opacity="0.2" cx="18.8433" cy="2.69191" r="2.69191" fill="#141414"/>
+<path d="M37.8847 19.9603C38.6525 19.9603 39.2764 19.8883 40.0202 19.7443V16.9609C39.5643 17.1289 39.0605 17.1769 38.5806 17.1769C37.4048 17.1769 36.9729 16.601 36.9729 15.4973V9.83453H40.0202V7.05116H36.9729V2.92409H33.6137V7.05116H31.4302V9.83453H33.6137V15.8092C33.6137 18.4486 35.0054 19.9603 37.8847 19.9603Z" fill="#141414"/>
+<path d="M45.5064 19.9603C47.306 19.9603 48.5057 19.3604 49.1056 18.4246C49.1536 18.8325 49.2975 19.3844 49.4895 19.7203H52.5128C52.3448 19.1444 52.2249 18.2326 52.2249 17.6328V11.0583C52.2249 8.34687 50.2813 6.81121 46.994 6.81121C44.4986 6.81121 42.555 7.747 41.4753 9.1147L43.3949 11.0103C44.2587 10.0505 45.3624 9.5466 46.7061 9.5466C48.3377 9.5466 49.0576 10.0985 49.0576 10.9143C49.0576 11.6101 48.5777 12.09 45.9863 12.09C43.4908 12.09 40.9714 13.1218 40.9714 16.0011C40.9714 18.6645 42.891 19.9603 45.5064 19.9603ZM46.1782 17.4168C44.8825 17.4168 44.2827 16.8649 44.2827 15.8812C44.2827 15.0174 45.0025 14.4415 46.2022 14.4415C48.1218 14.4415 48.6497 14.3215 49.0576 13.9136V14.9454C49.0576 16.3131 47.9058 17.4168 46.1782 17.4168Z" fill="#141414"/>
+<path d="M54.4086 5.44352H57.9118V2.30023H54.4086V5.44352ZM54.4805 19.7203H57.8398V7.05116H54.4805V19.7203Z" fill="#141414"/>
+<path d="M60.287 19.7203H63.6463V2.68414H60.287V19.7203Z" fill="#141414"/>
+<path d="M70.6285 19.9603C74.3237 19.9603 76.2193 18.0167 76.2193 15.9771C76.2193 14.1296 75.2835 12.7619 72.2122 12.21C70.0527 11.8261 68.709 11.3462 68.709 10.6024C68.709 9.95451 69.4768 9.49861 70.7725 9.49861C71.9242 9.49861 72.884 9.88252 73.6038 10.7223L75.7394 8.92274C74.6596 7.57904 72.884 6.81121 70.7725 6.81121C67.5332 6.81121 65.5177 8.53883 65.5177 10.6503C65.5177 12.9538 67.6292 13.9856 69.9087 14.3935C71.8043 14.7294 72.86 15.0893 72.86 15.9052C72.86 16.601 72.1162 17.1769 70.7005 17.1769C69.3088 17.1769 68.2291 16.529 67.7252 15.5692L64.8938 16.9129C65.5897 18.6405 67.9651 19.9603 70.6285 19.9603Z" fill="#141414"/>
+<path d="M83.7294 19.9603C86.1288 19.9603 87.8564 19.0005 89.1521 16.841L86.4648 15.4733C85.9609 16.481 85.1451 17.1769 83.7294 17.1769C81.5939 17.1769 80.4421 15.4493 80.4421 13.3617C80.4421 11.2742 81.6658 9.59459 83.7294 9.59459C85.0251 9.59459 85.8889 10.2904 86.3928 11.3462L89.1042 9.90652C88.1924 7.91497 86.3928 6.81121 83.7294 6.81121C79.3384 6.81121 77.0829 10.0265 77.0829 13.3617C77.0829 16.9849 79.8183 19.9603 83.7294 19.9603Z" fill="#141414"/>
+<path d="M94.5031 19.9603C96.3027 19.9603 97.5025 19.3604 98.1023 18.4246C98.1503 18.8325 98.2943 19.3844 98.4862 19.7203H101.51C101.342 19.1444 101.222 18.2326 101.222 17.6328V11.0583C101.222 8.34687 99.2781 6.81121 95.9908 6.81121C93.4954 6.81121 91.5518 7.747 90.472 9.1147L92.3916 11.0103C93.2554 10.0505 94.3592 9.5466 95.7029 9.5466C97.3345 9.5466 98.0543 10.0985 98.0543 10.9143C98.0543 11.6101 97.5744 12.09 94.983 12.09C92.4876 12.09 89.9682 13.1218 89.9682 16.0011C89.9682 18.6645 91.8877 19.9603 94.5031 19.9603ZM95.175 17.4168C93.8793 17.4168 93.2794 16.8649 93.2794 15.8812C93.2794 15.0174 93.9992 14.4415 95.199 14.4415C97.1185 14.4415 97.6464 14.3215 98.0543 13.9136V14.9454C98.0543 16.3131 96.9026 17.4168 95.175 17.4168Z" fill="#141414"/>
+<path d="M103.196 19.7203H106.555V2.68414H103.196V19.7203Z" fill="#141414"/>
+<path d="M114.617 19.9603C117.089 19.9603 119.08 18.9765 120.184 17.2249L117.641 15.5932C116.969 16.649 116.081 17.2249 114.617 17.2249C112.962 17.2249 111.762 16.3131 111.45 14.5375H121V13.3617C121 10.0265 118.96 6.81121 114.593 6.81121C110.442 6.81121 108.187 10.0505 108.187 13.3857C108.187 18.1367 111.762 19.9603 114.617 19.9603ZM111.57 11.8981C112.098 10.2904 113.202 9.5466 114.665 9.5466C116.321 9.5466 117.329 10.5304 117.665 11.8981H111.57Z" fill="#141414"/>
+</svg>
--- a/client/web/src/index.tsx
+++ b/client/web/src/index.tsx
@@ -2,6 +2,10 @@ import React from "react"
 import { createRoot } from "react-dom/client"
 import App from "src/components/app"

+declare var window: any
+// This is used to determine if the react client is built.
+window.Tailscale = true
+
 const rootEl = document.createElement("div")
 rootEl.id = "app-root"
 rootEl.classList.add("relative", "z-0")
--- a/client/web/synology.go
+++ b/client/web/synology.go
@@ -15,14 +15,14 @@ import (
 	"tailscale.com/util/groupmember"
 )

-const synologyPrefix = "/webman/3rdparty/Tailscale/index.cgi/"
-
 // authorizeSynology authenticates the logged-in Synology user and verifies
-// that they are authorized to use the web client.  It returns true if the
-// request was handled and no further processing is required.
-func authorizeSynology(w http.ResponseWriter, r *http.Request) (handled bool) {
+// that they are authorized to use the web client.
+// It reports true if the request is authorized to continue, and false otherwise.
+// authorizeSynology manages writing out any relevant authorization errors to the
+// ResponseWriter itself.
+func authorizeSynology(w http.ResponseWriter, r *http.Request) (ok bool) {
 	if synoTokenRedirect(w, r) {
-		return true
+		return false
 	}

 	// authenticate the Synology user
@@ -30,7 +30,7 @@ func authorizeSynology(w http.ResponseWriter, r *http.Request) (handled bool) {
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		http.Error(w, fmt.Sprintf("auth: %v: %s", err, out), http.StatusUnauthorized)
-		return true
+		return false
 	}
 	user := strings.TrimSpace(string(out))

@@ -38,14 +38,14 @@ func authorizeSynology(w http.ResponseWriter, r *http.Request) (handled bool) {
 	isAdmin, err := groupmember.IsMemberOfGroup("administrators", user)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusForbidden)
-		return true
+		return false
 	}
 	if !isAdmin {
 		http.Error(w, "not a member of administrators group", http.StatusForbidden)
-		return true
+		return false
 	}

-	return false
+	return true
 }

 func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
--- a/client/web/tsconfig.json
+++ b/client/web/tsconfig.json
@@ -10,6 +10,7 @@
    "forceConsistentCasingInFileNames": true,
    "allowSyntheticDefaultImports": true,
    "jsx": "react",
+    "types": ["vite-plugin-svgr/client", "vite/client"]
  },
  "include": ["src/**/*"],
  "exclude": ["node_modules"]
--- a/client/web/vite.config.ts
+++ b/client/web/vite.config.ts
@@ -32,7 +32,7 @@ export default defineConfig({
  ],
  build: {
    outDir: "build",
-    sourcemap: true,
+    sourcemap: false,
  },
  esbuild: {
    logOverride: {
--- a/client/web/web.css
+++ b/client/web/web.css
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -5,25 +5,25 @@
 package web

 import (
-	"bytes"
 	"context"
 	"crypto/rand"
-	"embed"
 	"encoding/json"
+	"errors"
 	"fmt"
-	"html/template"
 	"io"
 	"log"
 	"net/http"
-	"net/http/httputil"
 	"net/netip"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 	"sync"
+	"time"

 	"github.com/gorilla/csrf"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -34,53 +34,90 @@ import (
 	"tailscale.com/version/distro"
 )

-// This contains all files needed to build the frontend assets.
-// Because we assign this to the blank identifier, it does not actually embed the files.
-// However, this does cause `go mod vendor` to include the files when vendoring the package.
-// External packages that use the web client can `go mod vendor`, run `yarn build` to
-// build the assets, then those asset bundles will be able to be embedded.
-//
-//go:embed yarn.lock index.html *.js *.json src/*
-var _ embed.FS
-
-//go:embed web.html web.css
-var embeddedFS embed.FS
-
-var tmpls *template.Template
-
 // Server is the backend server for a Tailscale web client.
 type Server struct {
 	lc *tailscale.LocalClient

-	devMode  bool
-	devProxy *httputil.ReverseProxy // only filled when devMode is on
+	devMode     bool
+	tsDebugMode string

 	cgiMode    bool
-	cgiPath    string
-	apiHandler http.Handler // csrf-protected api handler
+	pathPrefix string

-	selfMu sync.Mutex // protects self field
-	// self is a cached NodeView of the active self node,
-	// refreshed by watching the IPN notification bus
-	// (see Server.watchSelf).
+	assetsHandler http.Handler // serves frontend assets
+	apiHandler    http.Handler // serves api endpoints; csrf-protected
+
+	// browserSessions is an in-memory cache of browser sessions for the
+	// full management web client, which is only accessible over Tailscale.
 	//
-	// self's hostname and Tailscale IP are used to verify
-	// that incoming requests to the web client api are coming
-	// from the web client frontend and not some other source.
-	// Particularly to protect against DNS rebinding attacks.
-	// self should not be used to fill data for frontend views.
-	self tailcfg.NodeView
+	// Users obtain a valid browser session by connecting to the web client
+	// over Tailscale and verifying their identity by authenticating on the
+	// control server.
+	//
+	// browserSessions get reset on every Server restart.
+	//
+	// The map provides a lookup of the session by cookie value
+	// (browserSession.ID => browserSession).
+	browserSessions sync.Map
+}
+
+const (
+	sessionCookieName   = "TS-Web-Session"
+	sessionCookieExpiry = time.Hour * 24 * 30 // 30 days
+)
+
+// browserSession holds data about a user's browser session
+// on the full management web client.
+type browserSession struct {
+	// ID is the unique identifier for the session.
+	// It is passed in the user's "TS-Web-Session" browser cookie.
+	ID            string
+	SrcNode       tailcfg.StableNodeID
+	SrcUser       tailcfg.UserID
+	AuthURL       string    // control server URL for user to authenticate the session
+	Authenticated time.Time // when zero, authentication not complete
+}
+
+// isAuthorized reports true if the given session is authorized
+// to be used by its associated user to access the full management
+// web client.
+//
+// isAuthorized is true only when s.Authenticated is non-zero
+// (i.e. the user has authenticated the session) and the session
+// is not expired.
+// 2023-10-05: Sessions expire by default after 30 days.
+func (s *browserSession) isAuthorized() bool {
+	switch {
+	case s == nil:
+		return false
+	case s.Authenticated.IsZero():
+		return false // awaiting auth
+	case s.isExpired(): // TODO: add time field to server?
+		return false // expired
+	}
+	return true
+}
+
+// isExpired reports true if s is expired.
+// 2023-10-05: Sessions expire by default after 30 days.
+// If s.Authenticated is zero, isExpired reports false.
+func (s *browserSession) isExpired() bool {
+	return !s.Authenticated.IsZero() && s.Authenticated.Before(time.Now().Add(-sessionCookieExpiry)) // TODO: add time field to server?
 }

 // ServerOpts contains options for constructing a new Server.
 type ServerOpts struct {
 	DevMode bool

+	// LoginOnly indicates that the server should only serve the minimal
+	// login client and not the full web client.
+	LoginOnly bool
+
 	// CGIMode indicates if the server is running as a CGI script.
 	CGIMode bool

-	// If running in CGIMode, CGIPath is the URL path prefix to the CGI script.
-	CGIPath string
+	// PathPrefix is the URL prefix added to requests by CGI or reverse proxy.
+	PathPrefix string

 	// LocalClient is the tailscale.LocalClient to use for this web server.
 	// If nil, a new one will be created.
@@ -94,169 +131,255 @@ func NewServer(ctx context.Context, opts ServerOpts) (s *Server, cleanup func())
 		opts.LocalClient = &tailscale.LocalClient{}
 	}
 	s = &Server{
-		devMode: opts.DevMode,
-		lc:      opts.LocalClient,
-		cgiMode: opts.CGIMode,
-		cgiPath: opts.CGIPath,
+		devMode:    opts.DevMode,
+		lc:         opts.LocalClient,
+		pathPrefix: opts.PathPrefix,
 	}
-	cleanup = func() {}
-	if s.devMode {
-		cleanup = s.startDevServer()
-		s.addProxyToDevServer()
+	s.tsDebugMode = s.debugMode()
+	s.assetsHandler, cleanup = assetsHandler(opts.DevMode)

-		// Create handler for "/api" requests with CSRF protection.
-		// We don't require secure cookies, since the web client is regularly used
-		// on network appliances that are served on local non-https URLs.
-		// The client is secured by limiting the interface it listens on,
-		// or by authenticating requests before they reach the web client.
-		csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
+	// Create handler for "/api" requests with CSRF protection.
+	// We don't require secure cookies, since the web client is regularly used
+	// on network appliances that are served on local non-https URLs.
+	// The client is secured by limiting the interface it listens on,
+	// or by authenticating requests before they reach the web client.
+	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
+	if s.tsDebugMode == "login" {
+		// For the login client, we don't serve the full web client API,
+		// only the login endpoints.
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
+		s.lc.IncrementCounter(context.Background(), "web_login_client_initialization", 1)
+	} else {
 		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
+		s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)
 	}

-	var wg sync.WaitGroup
-	defer wg.Wait()
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		go s.watchSelf(ctx)
-	}()
-
-	s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)
 	return s, cleanup
 }

-func init() {
-	tmpls = template.Must(template.New("").ParseFS(embeddedFS, "*"))
-}
-
-// watchSelf watches the IPN notification bus to refresh
-// the Server's self node cache.
-func (s *Server) watchSelf(ctx context.Context) {
-	watchCtx, cancelWatch := context.WithCancel(ctx)
-	defer cancelWatch()
-
-	watcher, err := s.lc.WatchIPNBus(watchCtx, ipn.NotifyInitialNetMap|ipn.NotifyNoPrivateKeys)
-	if err != nil {
-		log.Fatalf("lost connection to tailscaled: %v", err)
+// debugMode returns the debug mode the web client is being run in.
+// The empty string is returned in the case that this instance is
+// not running in any debug mode.
+func (s *Server) debugMode() string {
+	if !s.devMode {
+		return "" // debug modes only available in dev
 	}
-	defer watcher.Close()
-
-	for {
-		n, err := watcher.Next()
-		if err != nil {
-			log.Fatalf("lost connection to tailscaled: %v", err)
-		}
-		if state := n.State; state != nil && *state == ipn.NeedsLogin {
-			s.updateSelf(tailcfg.NodeView{})
-			continue
-		}
-		if n.NetMap == nil {
-			continue
-		}
-		s.updateSelf(n.NetMap.SelfNode)
-	}
-}
-
-// updateSelf grabs the lock and updates s.self.
-// Then logs if anything changed.
-func (s *Server) updateSelf(self tailcfg.NodeView) {
-	s.selfMu.Lock()
-	prev := s.self
-	s.self = self
-	s.selfMu.Unlock()
-
-	var old, new tailcfg.StableNodeID
-	if prev.Valid() {
-		old = prev.StableID()
-	}
-	if s.self.Valid() {
-		new = s.self.StableID()
-	}
-	if old != new {
-		if new.IsZero() {
-			log.Printf("self node logout")
-		} else {
-			log.Printf("self node login")
-		}
+	switch mode := os.Getenv("TS_DEBUG_WEB_CLIENT_MODE"); mode {
+	case "login", "full": // valid debug modes
+		return mode
 	}
+	return ""
 }

 // ServeHTTP processes all requests for the Tailscale web client.
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// some platforms where the client runs have their own authentication
-	// and authorization mechanisms we need to work with. Do those checks first.
-	switch distro.Get() {
-	case distro.Synology:
-		if authorizeSynology(w, r) {
-			return
-		}
-	case distro.QNAP:
-		if authorizeQNAP(w, r) {
-			return
-		}
-	}
-
 	handler := s.serve

-	// if running in cgi mode, strip the cgi path prefix
-	if s.cgiMode {
-		prefix := s.cgiPath
-		if prefix == "" {
-			switch distro.Get() {
-			case distro.Synology:
-				prefix = synologyPrefix
-			case distro.QNAP:
-				prefix = qnapPrefix
-			}
-		}
-		if prefix != "" {
-			handler = enforcePrefix(prefix, handler)
-		}
+	// if path prefix is defined, strip it from requests.
+	if s.pathPrefix != "" {
+		handler = enforcePrefix(s.pathPrefix, handler)
 	}

 	handler(w, r)
 }

 func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
-	if s.devMode {
-		if strings.HasPrefix(r.URL.Path, "/api/") {
-			// Pass through to other handlers via CSRF protection.
-			s.apiHandler.ServeHTTP(w, r)
-			return
-		}
-		// When in dev mode, proxy to the Vite dev server.
-		s.devProxy.ServeHTTP(w, r)
+	if strings.HasPrefix(r.URL.Path, "/api/") {
+		// Pass API requests through to the API handler.
+		s.apiHandler.ServeHTTP(w, r)
+		return
+	}
+	if !s.devMode {
+		s.lc.IncrementCounter(context.Background(), "web_client_page_load", 1)
+	}
+	s.assetsHandler.ServeHTTP(w, r)
+}
+
+// authorizePlatformRequest reports whether the request from the web client
+// is authorized to access the client for those platforms that support it.
+// It reports true if the request is authorized, and false otherwise.
+// authorizePlatformRequest manages writing out any relevant authorization
+// errors to the ResponseWriter itself.
+func authorizePlatformRequest(w http.ResponseWriter, r *http.Request) (ok bool) {
+	switch distro.Get() {
+	case distro.Synology:
+		return authorizeSynology(w, r)
+	case distro.QNAP:
+		return authorizeQNAP(w, r)
+	}
+	return true
+}
+
+// serveLoginAPI serves requests for the web login client.
+// It should only be called by Server.ServeHTTP, via Server.apiHandler,
+// which protects the handler using gorilla csrf.
+func (s *Server) serveLoginAPI(w http.ResponseWriter, r *http.Request) {
+	// The login client is run directly from client plugins,
+	// so first authenticate and authorize the request for the host platform.
+	if ok := authorizePlatformRequest(w, r); !ok {
 		return
 	}

-	switch {
-	case r.Method == "POST":
-		s.servePostNodeUpdate(w, r)
-		return
-	default:
-		s.lc.IncrementCounter(context.Background(), "web_client_page_load", 1)
-		s.serveGetNodeData(w, r)
+	w.Header().Set("X-CSRF-Token", csrf.Token(r))
+	if r.URL.Path != "/api/data" { // only endpoint allowed for login client
+		http.Error(w, "invalid endpoint", http.StatusNotFound)
 		return
 	}
+	switch r.Method {
+	case httpm.GET:
+		// TODO(soniaappasamy): we may want a minimal node data response here
+		s.serveGetNodeData(w, r)
+	case httpm.POST:
+		// TODO(soniaappasamy): implement
+	default:
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+	}
+	return
+}
+
+var (
+	errNoSession         = errors.New("no-browser-session")
+	errNotUsingTailscale = errors.New("not-using-tailscale")
+	errTaggedSource      = errors.New("tagged-source")
+	errNotOwner          = errors.New("not-owner")
+)
+
+// getTailscaleBrowserSession retrieves the browser session associated with
+// the request, if one exists.
+//
+// An error is returned in any of the following cases:
+//
+//   - (errNotUsingTailscale) The request was not made over tailscale.
+//
+//   - (errNoSession) The request does not have a session.
+//
+//   - (errTaggedSource) The source is a tagged node. Users must use their
+//     own user-owned devices to manage other nodes' web clients.
+//
+//   - (errNotOwner) The source is not the owner of this client (if the
+//     client is user-owned). Only the owner is allowed to manage the
+//     node via the web client.
+//
+// If no error is returned, the browserSession is always non-nil.
+// getTailscaleBrowserSession does not check whether the session has been
+// authorized by the user. Callers can use browserSession.isAuthorized.
+func (s *Server) getTailscaleBrowserSession(r *http.Request) (*browserSession, error) {
+	whoIs, err := s.lc.WhoIs(r.Context(), r.RemoteAddr)
+	switch {
+	case err != nil:
+		return nil, errNotUsingTailscale
+	case whoIs.Node.IsTagged():
+		return nil, errTaggedSource
+	}
+	srcNode := whoIs.Node.StableID
+	srcUser := whoIs.UserProfile.ID
+
+	status, err := s.lc.StatusWithoutPeers(r.Context())
+	switch {
+	case err != nil:
+		return nil, err
+	case status.Self == nil:
+		return nil, errors.New("missing self node in tailscale status")
+	case !status.Self.IsTagged() && status.Self.UserID != srcUser:
+		return nil, errNotOwner
+	}
+
+	cookie, err := r.Cookie(sessionCookieName)
+	if errors.Is(err, http.ErrNoCookie) {
+		return nil, errNoSession
+	} else if err != nil {
+		return nil, err
+	}
+	v, ok := s.browserSessions.Load(cookie.Value)
+	if !ok {
+		return nil, errNoSession
+	}
+	session := v.(*browserSession)
+	if session.SrcNode != srcNode || session.SrcUser != srcUser {
+		// In this case the browser cookie is associated with another tailscale node.
+		// Maybe the source browser's machine was logged out and then back in as a different node.
+		// Return errNoSession because there is no session for this user.
+		return nil, errNoSession
+	} else if session.isExpired() {
+		// Session expired, remove from session map and return errNoSession.
+		s.browserSessions.Delete(session.ID)
+		return nil, errNoSession
+	}
+	return session, nil
+}
+
+type authResponse struct {
+	OK      bool   `json:"ok"`                // true when user has valid auth session
+	AuthURL string `json:"authUrl,omitempty"` // filled when user has control auth action to take
+	Error   string `json:"error,omitempty"`   // filled when Ok is false
+}
+
+func (s *Server) serveTailscaleAuth(w http.ResponseWriter, r *http.Request) {
+	var resp authResponse
+
+	session, err := s.getTailscaleBrowserSession(r)
+	switch {
+	case err != nil && !errors.Is(err, errNoSession):
+		resp = authResponse{OK: false, Error: err.Error()}
+	case session == nil:
+		// TODO(tailscale/corp#14335): Create a new auth path from control,
+		// and store back to s.browserSessions and request cookie.
+	case !session.isAuthorized():
+		// TODO(tailscale/corp#14335): Check on the session auth path status from control,
+		// and store back to s.browserSessions.
+	default:
+		resp = authResponse{OK: true}
+	}
+
+	if err := json.NewEncoder(w).Encode(resp); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
 }

 // serveAPI serves requests for the web client api.
 // It should only be called by Server.ServeHTTP, via Server.apiHandler,
 // which protects the handler using gorilla csrf.
 func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
+	if s.tsDebugMode == "full" {
+		// tailscale/corp#14335: Only restrict to tailscale auth in debug "full" web client mode.
+		// TODO(sonia,will): Switch serveAPI over to always require TS auth when we're ready
+		// to remove the debug flags.
+		// For now, existing client uses platform auth (else case below).
+
+		if r.URL.Path == "/api/auth" {
+			// Serve auth, which creates a new session for the user to authenticate,
+			// in the case that the request doesn't already have one.
+			s.serveTailscaleAuth(w, r)
+			return
+		}
+		// For all other endpoints, require a valid session to proceed.
+		session, err := s.getTailscaleBrowserSession(r)
+		if err != nil || !session.isAuthorized() {
+			http.Error(w, "no valid session", http.StatusUnauthorized)
+			return
+		}
+	} else if ok := authorizePlatformRequest(w, r); !ok {
+		return
+	}
+
 	w.Header().Set("X-CSRF-Token", csrf.Token(r))
 	path := strings.TrimPrefix(r.URL.Path, "/api")
-	switch path {
-	case "/data":
+	switch {
+	case path == "/data":
 		switch r.Method {
 		case httpm.GET:
-			s.serveGetNodeDataJSON(w, r)
+			s.serveGetNodeData(w, r)
 		case httpm.POST:
 			s.servePostNodeUpdate(w, r)
 		default:
 			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 		}
 		return
+	case strings.HasPrefix(path, "/local/"):
+		s.proxyRequestToLocalAPI(w, r)
+		return
 	}
 	http.Error(w, "invalid endpoint", http.StatusNotFound)
 }
@@ -275,16 +398,19 @@ type nodeData struct {
 	IsUnraid          bool
 	UnraidToken       string
 	IPNVersion        string
+	DebugMode         string // empty when not running in any debug mode
 }

-func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
-	st, err := s.lc.Status(ctx)
+func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
+	st, err := s.lc.Status(r.Context())
 	if err != nil {
-		return nil, err
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
-	prefs, err := s.lc.GetPrefs(ctx)
+	prefs, err := s.lc.GetPrefs(r.Context())
 	if err != nil {
-		return nil, err
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
 	profile := st.User[st.Self.UserID]
 	deviceName := strings.Split(st.Self.DNSName, ".")[0]
@@ -300,6 +426,7 @@ func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
 		IsUnraid:    distro.Get() == distro.Unraid,
 		UnraidToken: os.Getenv("UNRAID_CSRF_TOKEN"),
 		IPNVersion:  versionShort,
+		DebugMode:   s.tsDebugMode,
 	}
 	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
 	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
@@ -316,35 +443,11 @@ func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
 	if len(st.TailscaleIPs) != 0 {
 		data.IP = st.TailscaleIPs[0].String()
 	}
-	return data, nil
-}
-
-func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
-	data, err := s.getNodeData(r.Context())
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	buf := new(bytes.Buffer)
-	if err := tmpls.ExecuteTemplate(buf, "web.html", data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.Write(buf.Bytes())
-}
-
-func (s *Server) serveGetNodeDataJSON(w http.ResponseWriter, r *http.Request) {
-	data, err := s.getNodeData(r.Context())
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
 	if err := json.NewEncoder(w).Encode(*data); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
-	return
 }

 type nodeUpdate struct {
@@ -412,7 +515,6 @@ func (s *Server) servePostNodeUpdate(w http.ResponseWriter, r *http.Request) {
 	} else {
 		io.WriteString(w, "{}")
 	}
-	return
 }

 func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, postData nodeUpdate) (authURL string, retErr error) {
@@ -474,21 +576,70 @@ func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, postData
 	}
 }

+// proxyRequestToLocalAPI proxies the web API request to the localapi.
+//
+// The web API request path is expected to exactly match a localapi path,
+// with prefix /api/local/ rather than /localapi/.
+//
+// If the localapi path is not included in localapiAllowlist,
+// the request is rejected.
+func (s *Server) proxyRequestToLocalAPI(w http.ResponseWriter, r *http.Request) {
+	path := strings.TrimPrefix(r.URL.Path, "/api/local")
+	if r.URL.Path == path { // missing prefix
+		http.Error(w, "invalid request", http.StatusBadRequest)
+		return
+	}
+	if !slices.Contains(localapiAllowlist, path) {
+		http.Error(w, fmt.Sprintf("%s not allowed from localapi proxy", path), http.StatusForbidden)
+		return
+	}
+
+	localAPIURL := "http://" + apitype.LocalAPIHost + "/localapi" + path
+	req, err := http.NewRequestWithContext(r.Context(), r.Method, localAPIURL, r.Body)
+	if err != nil {
+		http.Error(w, "failed to construct request", http.StatusInternalServerError)
+		return
+	}
+
+	// Make request to tailscaled localapi.
+	resp, err := s.lc.DoLocalRequest(req)
+	if err != nil {
+		http.Error(w, err.Error(), resp.StatusCode)
+		return
+	}
+	defer resp.Body.Close()
+
+	// Send response back to web frontend.
+	w.Header().Set("Content-Type", resp.Header.Get("Content-Type"))
+	w.WriteHeader(resp.StatusCode)
+	if _, err := io.Copy(w, resp.Body); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+}
+
+// localapiAllowlist is an allowlist of localapi endpoints the
+// web client is allowed to proxy to the client's localapi.
+//
+// Rather than exposing all localapi endpoints over the proxy,
+// this limits to just the ones actually used from the web
+// client frontend.
+//
+// TODO(sonia,will): Shouldn't expand this beyond the existing
+// localapi endpoints until the larger web client auth story
+// is worked out (tailscale/corp#14335).
+var localapiAllowlist = []string{
+	"/v0/logout",
+}
+
 // csrfKey returns a key that can be used for CSRF protection.
 // If an error occurs during key creation, the error is logged and the active process terminated.
 // If the server is running in CGI mode, the key is cached to disk and reused between requests.
 // If an error occurs during key storage, the error is logged and the active process terminated.
 func (s *Server) csrfKey() []byte {
-	var csrfFile string
+	csrfFile := filepath.Join(os.TempDir(), "tailscale-web-csrf.key")

 	// if running in CGI mode, try to read from disk, but ignore errors
 	if s.cgiMode {
-		confdir, err := os.UserConfigDir()
-		if err != nil {
-			confdir = os.TempDir()
-		}
-
-		csrfFile = filepath.Join(confdir, "tailscale", "web-csrf.key")
 		key, _ := os.ReadFile(csrfFile)
 		if len(key) == 32 {
 			return key
@@ -498,14 +649,11 @@ func (s *Server) csrfKey() []byte {
 	// create a new key
 	key := make([]byte, 32)
 	if _, err := rand.Read(key); err != nil {
-		log.Fatal("error generating CSRF key: %w", err)
+		log.Fatalf("error generating CSRF key: %v", err)
 	}

 	// if running in CGI mode, try to write the newly created key to disk, and exit if it fails.
 	if s.cgiMode {
-		if err := os.Mkdir(filepath.Dir(csrfFile), 0700); err != nil && !os.IsExist(err) {
-			log.Fatalf("unable to store CSRF key: %v", err)
-		}
 		if err := os.WriteFile(csrfFile, key, 0600); err != nil {
 			log.Fatalf("unable to store CSRF key: %v", err)
 		}
@@ -519,11 +667,25 @@ func (s *Server) csrfKey() []byte {
 // Unlike http.StripPrefix, it does not return a 404 if the prefix is not present.
 // Instead, it returns a redirect to the prefix path.
 func enforcePrefix(prefix string, h http.HandlerFunc) http.HandlerFunc {
+	if prefix == "" {
+		return h
+	}
+
+	// ensure that prefix always has both a leading and trailing slash so
+	// that relative links for JS and CSS assets work correctly.
+	if !strings.HasPrefix(prefix, "/") {
+		prefix = "/" + prefix
+	}
+	if !strings.HasSuffix(prefix, "/") {
+		prefix += "/"
+	}
+
 	return func(w http.ResponseWriter, r *http.Request) {
 		if !strings.HasPrefix(r.URL.Path, prefix) {
 			http.Redirect(w, r, prefix, http.StatusFound)
 			return
 		}
+		prefix = strings.TrimSuffix(prefix, "/")
 		http.StripPrefix(prefix, h).ServeHTTP(w, r)
 	}
 }
--- a/client/web/web.html
+++ b/client/web/web.html
@@ -1,210 +0,0 @@
-<!doctype html>
-<html class="bg-gray-50">
-
-<head>
-	<meta charset="utf-8" />
-	<meta name="viewport" content="width=device-width, initial-scale=1" />
-	<link rel="shortcut icon"
-		href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
-	<title>Tailscale</title>
-	<style>{{template "web.css"}}</style>
-</head>
-
-<body class="py-14">
-<main class="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
-	<header class="flex justify-between items-center min-width-0 py-2 mb-8">
-		<svg width="26" height="26" viewBox="0 0 23 23" title="Tailscale" fill="none" xmlns="http://www.w3.org/2000/svg"
-			class="flex-shrink-0 mr-4">
-			<circle opacity="0.2" cx="3.4" cy="3.25" r="2.7" fill="currentColor"></circle>
-			<circle cx="3.4" cy="11.3" r="2.7" fill="currentColor"></circle>
-			<circle opacity="0.2" cx="3.4" cy="19.5" r="2.7" fill="currentColor"></circle>
-			<circle cx="11.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-			<circle cx="11.5" cy="19.5" r="2.7" fill="currentColor"></circle>
-			<circle opacity="0.2" cx="11.5" cy="3.25" r="2.7" fill="currentColor"></circle>
-			<circle opacity="0.2" cx="19.5" cy="3.25" r="2.7" fill="currentColor"></circle>
-			<circle cx="19.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-			<circle opacity="0.2" cx="19.5" cy="19.5" r="2.7" fill="currentColor"></circle>
-		</svg>
-		<div class="flex items-center justify-end space-x-2 w-2/3">
-			{{ with .Profile }}
-			<div class="text-right w-full leading-4">
-				<h4 class="truncate leading-normal">{{.LoginName}}</h4>
-				<div class="text-xs text-gray-500 text-right">
-					<a href="#" class="hover:text-gray-700 js-loginButton">Switch account</a> | <a href="#"
-						class="hover:text-gray-700 js-loginButton">Reauthenticate</a> | <a href="#"
-						class="hover:text-gray-700 js-logoutButton">Logout</a>
-				</div>
-			</div>
-			{{ end }}
-			<div class="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
-				{{ with .Profile.ProfilePicURL }}
-				<div class="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
-					style="background-image: url('{{.}}'); background-size: cover;"></div>
-				{{ else }}
-				<div class="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed"></div>
-				{{ end }}
-			</div>
-		</div>
-	</header>
-	{{ if .IP }}
-	<div
-		class="border border-gray-200 bg-gray-0 rounded-md p-2 pl-3 pr-3 width-full flex items-center justify-between">
-		<div class="flex items-center min-width-0">
-			<svg class="flex-shrink-0 text-gray-600 mr-3 ml-1" xmlns="http://www.w3.org/2000/svg" width="20" height="20"
-				viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
-				stroke-linejoin="round">
-				<rect x="2" y="2" width="20" height="8" rx="2" ry="2"></rect>
-				<rect x="2" y="14" width="20" height="8" rx="2" ry="2"></rect>
-				<line x1="6" y1="6" x2="6.01" y2="6"></line>
-				<line x1="6" y1="18" x2="6.01" y2="18"></line>
-			</svg>
-			<div>
-				<h4 class="font-semibold truncate mr-2">{{.DeviceName}}</h4>
-			</div>
-		</div>
-		<h5>{{.IP}}</h5>
-	</div>
-	<p class="mt-1 ml-1 mb-6 text-xs text-gray-600">
-		Debug info: Tailscale {{ .IPNVersion }}, tun={{.TUNMode}}{{ if .IsSynology }}, DSM{{ .DSMVersion}}
-			{{if not .TUNMode}}
-			(<a href="https://tailscale.com/kb/1152/synology-outbound/" class="link-underline text-gray-600" target="_blank"
-				aria-label="Configure outbound synology traffic"
-				rel="noopener noreferrer">outgoing access not configured</a>)
-			{{end}}
-		{{end}}
-	</p>
-	{{ end }}
-	{{ if or (eq .Status "NeedsLogin") (eq .Status "NoState") }}
-	{{ if .IP }}
-	<div class="mb-6">
-		<p class="text-gray-700">Your device's key has expired. Reauthenticate this device by logging in again, or <a
-				href="https://tailscale.com/kb/1028/key-expiry" class="link" target="_blank">learn more</a>.</p>
-	</div>
-	<a href="#" class="mb-4 js-loginButton" target="_blank">
-		<button class="button button-blue w-full">Reauthenticate</button>
-	</a>
-	{{ else }}
-	<div class="mb-6">
-		<h3 class="text-3xl font-semibold mb-3">Log in</h3>
-		<p class="text-gray-700">Get started by logging in to your Tailscale network. Or,&nbsp;learn&nbsp;more at <a
-				href="https://tailscale.com/" class="link" target="_blank">tailscale.com</a>.</p>
-	</div>
-	<a href="#" class="mb-4 js-loginButton" target="_blank">
-		<button class="button button-blue w-full">Log In</button>
-	</a>
-	{{ end }}
-	{{ else if eq .Status "NeedsMachineAuth" }}
-	<div class="mb-4">
-		This device is authorized, but needs approval from a network admin before it can connect to the network.
-	</div>
-	{{ else }}
-	<div class="mb-4">
-		<p>You are connected! Access this device over Tailscale using the device name or IP address above.</p>
-	</div>
-	<div class="mb-4">
-	<a href="#" class="mb-4 js-advertiseExitNode">
-		{{if .AdvertiseExitNode}}
-		<button class="button button-red button-medium" id="enabled">Stop advertising Exit Node</button>
-		{{else}}
-		<button class="button button-blue button-medium" id="enabled">Advertise as Exit Node</button>
-		{{end}}
-	</a>
-	</div>
-	{{ end }}
-</main>
-<footer class="container max-w-lg mx-auto text-center">
-	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
-</footer>
-<script>(function () {
-const advertiseExitNode = {{ .AdvertiseExitNode }};
-const isUnraid = {{ .IsUnraid }};
-const unraidCsrfToken = "{{ .UnraidToken }}";
-let fetchingUrl = false;
-var data = {
-	AdvertiseRoutes: "{{ .AdvertiseRoutes }}",
-	AdvertiseExitNode: advertiseExitNode,
-	Reauthenticate: false,
-	ForceLogout: false
-};
-
-function postData(e) {
-	e.preventDefault();
-
-	if (fetchingUrl) {
-		return;
-	}
-
-	fetchingUrl = true;
-	const urlParams = new URLSearchParams(window.location.search);
-	const token = urlParams.get("SynoToken");
-	const nextParams = new URLSearchParams({ up: true });
-	if (token) {
-		nextParams.set("SynoToken", token)
-	}
-	const nextUrl = new URL(window.location);
-	nextUrl.search = nextParams.toString()
-
-	let body = JSON.stringify(data);
-	let contentType = "application/json";
-
-	if (isUnraid) {
-		const params = new URLSearchParams();
-		params.append("csrf_token", unraidCsrfToken);
-		params.append("ts_data", JSON.stringify(data));
-
-		body = params.toString();
-		contentType = "application/x-www-form-urlencoded;charset=UTF-8";
-	}
-
-	const url = nextUrl.toString();
-	fetch(url, {
-		method: "POST",
-		headers: {
-			"Accept": "application/json",
-			"Content-Type": contentType,
-		},
-		body: body
-	}).then(res => res.json()).then(res => {
-		fetchingUrl = false;
-		const err = res["error"];
-		if (err) {
-			throw new Error(err);
-		}
-		const url = res["url"];
-		if (url) {
-			if(isUnraid) {
-				window.open(url, "_blank");
-			} else {
-				document.location.href = url;
-			}
-		} else {
-			location.reload();
-		}
-	}).catch(err => {
-		alert("Failed operation: " + err.message);
-	});
-}
-
-document.querySelectorAll(".js-loginButton").forEach(function (el){
-	el.addEventListener("click", function(e) {
-		data.Reauthenticate = true;
-		postData(e);
-	});
-})
-document.querySelectorAll(".js-logoutButton").forEach(function(el) {
-	el.addEventListener("click", function (e) {
-		data.ForceLogout = true;
-		postData(e);
-	});
-})
-document.querySelectorAll(".js-advertiseExitNode").forEach(function (el) {
-	el.addEventListener("click", function(e) {
-		data.AdvertiseExitNode = !advertiseExitNode;
-		postData(e);
-	});
-})
-
-})();</script>
-</body>
-
-</html>
--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -4,8 +4,24 @@
 package web

 import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"net/url"
+	"strings"
 	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/memnet"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/views"
 )

 func TestQnapAuthnURL(t *testing.T) {
@@ -62,3 +78,250 @@ func TestQnapAuthnURL(t *testing.T) {
 		})
 	}
 }
+
+// TestServeAPI tests the web client api's handling of
+//  1. invalid endpoint errors
+//  2. localapi proxy allowlist
+func TestServeAPI(t *testing.T) {
+	lal := memnet.Listen("local-tailscaled.sock:80")
+	defer lal.Close()
+	// Serve dummy localapi. Just returns "success".
+	localapi := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "success")
+	})}
+	defer localapi.Close()
+
+	go localapi.Serve(lal)
+	s := &Server{lc: &tailscale.LocalClient{Dial: lal.Dial}}
+
+	tests := []struct {
+		name       string
+		reqPath    string
+		wantResp   string
+		wantStatus int
+	}{{
+		name:       "invalid_endpoint",
+		reqPath:    "/not-an-endpoint",
+		wantResp:   "invalid endpoint",
+		wantStatus: http.StatusNotFound,
+	}, {
+		name:       "not_in_localapi_allowlist",
+		reqPath:    "/local/v0/not-allowlisted",
+		wantResp:   "/v0/not-allowlisted not allowed from localapi proxy",
+		wantStatus: http.StatusForbidden,
+	}, {
+		name:       "in_localapi_allowlist",
+		reqPath:    "/local/v0/logout",
+		wantResp:   "success", // Successfully allowed to hit localapi.
+		wantStatus: http.StatusOK,
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := httptest.NewRequest("POST", "/api"+tt.reqPath, nil)
+			w := httptest.NewRecorder()
+
+			s.serveAPI(w, r)
+			res := w.Result()
+			defer res.Body.Close()
+			if gotStatus := res.StatusCode; tt.wantStatus != gotStatus {
+				t.Errorf("wrong status; want=%q, got=%q", tt.wantStatus, gotStatus)
+			}
+			body, err := io.ReadAll(res.Body)
+			if err != nil {
+				t.Fatal(err)
+			}
+			gotResp := strings.TrimSuffix(string(body), "\n") // trim trailing newline
+			if tt.wantResp != gotResp {
+				t.Errorf("wrong response; want=%q, got=%q", tt.wantResp, gotResp)
+			}
+		})
+	}
+}
+
+func TestGetTailscaleBrowserSession(t *testing.T) {
+	userA := &tailcfg.UserProfile{ID: tailcfg.UserID(1)}
+	userB := &tailcfg.UserProfile{ID: tailcfg.UserID(2)}
+
+	userANodeIP := "100.100.100.101"
+	userBNodeIP := "100.100.100.102"
+	taggedNodeIP := "100.100.100.103"
+
+	var selfNode *ipnstate.PeerStatus
+	tags := views.SliceOf([]string{"tag:server"})
+	tailnetNodes := map[string]*apitype.WhoIsResponse{
+		userANodeIP: {
+			Node:        &tailcfg.Node{StableID: "Node1"},
+			UserProfile: userA,
+		},
+		userBNodeIP: {
+			Node:        &tailcfg.Node{StableID: "Node2"},
+			UserProfile: userB,
+		},
+		taggedNodeIP: {
+			Node: &tailcfg.Node{StableID: "Node3", Tags: tags.AsSlice()},
+		},
+	}
+
+	lal := memnet.Listen("local-tailscaled.sock:80")
+	defer lal.Close()
+	// Serve a testing localapi handler so we can simulate
+	// whois responses without a functioning tailnet.
+	localapi := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/localapi/v0/whois":
+			addr := r.URL.Query().Get("addr")
+			if addr == "" {
+				t.Fatalf("/whois call missing \"addr\" query")
+			}
+			if node := tailnetNodes[addr]; node != nil {
+				if err := json.NewEncoder(w).Encode(&node); err != nil {
+					http.Error(w, err.Error(), http.StatusInternalServerError)
+					return
+				}
+				w.Header().Set("Content-Type", "application/json")
+				return
+			}
+			http.Error(w, "not a node", http.StatusUnauthorized)
+			return
+		case "/localapi/v0/status":
+			status := ipnstate.Status{Self: selfNode}
+			if err := json.NewEncoder(w).Encode(status); err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+			w.Header().Set("Content-Type", "application/json")
+			return
+		default:
+			// Only the above two endpoints get triggered from getTailscaleBrowserSession.
+			// No need to mock any of the other localapi endpoint.
+			t.Fatalf("unhandled localapi test endpoint %q, add to localapi handler func in test", r.URL.Path)
+		}
+	})}
+	defer localapi.Close()
+	go localapi.Serve(lal)
+
+	s := &Server{lc: &tailscale.LocalClient{Dial: lal.Dial}}
+
+	// Add some browser sessions to cache state.
+	userASession := &browserSession{
+		ID:            "cookie1",
+		SrcNode:       "Node1",
+		SrcUser:       userA.ID,
+		Authenticated: time.Time{}, // not yet authenticated
+	}
+	userBSession := &browserSession{
+		ID:            "cookie2",
+		SrcNode:       "Node2",
+		SrcUser:       userB.ID,
+		Authenticated: time.Now().Add(-2 * sessionCookieExpiry), // expired
+	}
+	userASessionAuthorized := &browserSession{
+		ID:            "cookie3",
+		SrcNode:       "Node1",
+		SrcUser:       userA.ID,
+		Authenticated: time.Now(), // authenticated and not expired
+	}
+	s.browserSessions.Store(userASession.ID, userASession)
+	s.browserSessions.Store(userBSession.ID, userBSession)
+	s.browserSessions.Store(userASessionAuthorized.ID, userASessionAuthorized)
+
+	tests := []struct {
+		name       string
+		selfNode   *ipnstate.PeerStatus
+		remoteAddr string
+		cookie     string
+
+		wantSession      *browserSession
+		wantError        error
+		wantIsAuthorized bool // response from session.isAuthorized
+	}{
+		{
+			name:        "not-connected-over-tailscale",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  "77.77.77.77",
+			wantSession: nil,
+			wantError:   errNotUsingTailscale,
+		},
+		{
+			name:        "no-session-user-self-node",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  userANodeIP,
+			cookie:      "not-a-cookie",
+			wantSession: nil,
+			wantError:   errNoSession,
+		},
+		{
+			name:        "no-session-tagged-self-node",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", Tags: &tags},
+			remoteAddr:  userANodeIP,
+			wantSession: nil,
+			wantError:   errNoSession,
+		},
+		{
+			name:        "not-owner",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  userBNodeIP,
+			wantSession: nil,
+			wantError:   errNotOwner,
+		},
+		{
+			name:        "tagged-source",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  taggedNodeIP,
+			wantSession: nil,
+			wantError:   errTaggedSource,
+		},
+		{
+			name:        "has-session",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:  userANodeIP,
+			cookie:      userASession.ID,
+			wantSession: userASession,
+			wantError:   nil,
+		},
+		{
+			name:             "has-authorized-session",
+			selfNode:         &ipnstate.PeerStatus{ID: "self", UserID: userA.ID},
+			remoteAddr:       userANodeIP,
+			cookie:           userASessionAuthorized.ID,
+			wantSession:      userASessionAuthorized,
+			wantError:        nil,
+			wantIsAuthorized: true,
+		},
+		{
+			name:        "session-associated-with-different-source",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userB.ID},
+			remoteAddr:  userBNodeIP,
+			cookie:      userASession.ID,
+			wantSession: nil,
+			wantError:   errNoSession,
+		},
+		{
+			name:        "session-expired",
+			selfNode:    &ipnstate.PeerStatus{ID: "self", UserID: userB.ID},
+			remoteAddr:  userBNodeIP,
+			cookie:      userBSession.ID,
+			wantSession: nil,
+			wantError:   errNoSession,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			selfNode = tt.selfNode
+			r := &http.Request{RemoteAddr: tt.remoteAddr, Header: http.Header{}}
+			if tt.cookie != "" {
+				r.AddCookie(&http.Cookie{Name: sessionCookieName, Value: tt.cookie})
+			}
+			session, err := s.getTailscaleBrowserSession(r)
+			if !errors.Is(err, tt.wantError) {
+				t.Errorf("wrong error; want=%v, got=%v", tt.wantError, err)
+			}
+			if diff := cmp.Diff(session, tt.wantSession); diff != "" {
+				t.Errorf("wrong session; (-got+want):%v", diff)
+			}
+			if gotIsAuthorized := session.isAuthorized(); gotIsAuthorized != tt.wantIsAuthorized {
+				t.Errorf("wrong isAuthorized; want=%v, got=%v", tt.wantIsAuthorized, gotIsAuthorized)
+			}
+		})
+	}
+}
--- a/clientupdate/clientupdate.go
+++ b/clientupdate/clientupdate.go
@@ -7,15 +7,16 @@
 package clientupdate

 import (
+	"archive/tar"
 	"bufio"
 	"bytes"
+	"compress/gzip"
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
+	"maps"
 	"net/http"
 	"os"
 	"os/exec"
@@ -25,12 +26,10 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
-	"time"

 	"github.com/google/uuid"
-	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/clientupdate/distsign"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/must"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
@@ -61,14 +60,8 @@ func versionToTrack(v string) (string, error) {
 	return "unstable", nil
 }

-type updater struct {
-	UpdateArgs
-	track  string
-	update func() error
-}
-
-// UpdateArgs contains arguments needed to run an update.
-type UpdateArgs struct {
+// Arguments contains arguments needed to run an update.
+type Arguments struct {
 	// Version can be a specific version number or one of the predefined track
 	// constants:
 	//
@@ -80,7 +73,7 @@ type UpdateArgs struct {
 	// Leaving this empty is the same as using CurrentTrack.
 	Version string
 	// AppStore forces a local app store check, even if the current binary was
-	// not installed via an app store.
+	// not installed via an app store. TODO(cpalmer): Remove this.
 	AppStore bool
 	// Logf is a logger for update progress messages.
 	Logf logger.Logf
@@ -88,29 +81,36 @@ type UpdateArgs struct {
 	// if this new version should be installed. When Confirm returns false, the
 	// update is aborted.
 	Confirm func(newVer string) bool
+	// PkgsAddr is the address of the pkgs server to fetch updates from.
+	// Defaults to "https://pkgs.tailscale.com".
+	PkgsAddr string
 }

-func (args UpdateArgs) validate() error {
+func (args Arguments) validate() error {
 	if args.Confirm == nil {
-		return errors.New("missing Confirm callback in UpdateArgs")
+		return errors.New("missing Confirm callback in Arguments")
 	}
 	if args.Logf == nil {
-		return errors.New("missing Logf callback in UpdateArgs")
+		return errors.New("missing Logf callback in Arguments")
 	}
 	return nil
 }

-// Update runs a single update attempt using the platform-specific mechanism.
-//
-// On Windows, this copies the calling binary and re-executes it to apply the
-// update. The calling binary should handle an "update" subcommand and call
-// this function again for the re-executed binary to proceed.
-func Update(args UpdateArgs) error {
-	if err := args.validate(); err != nil {
-		return err
+type Updater struct {
+	Arguments
+	track string
+	// Update is a platform-specific method that updates the installation. May be
+	// nil (not all platforms support updates from within Tailscale).
+	Update func() error
+}
+
+func NewUpdater(args Arguments) (*Updater, error) {
+	up := Updater{
+		Arguments: args,
 	}
-	up := &updater{
-		UpdateArgs: args,
+	up.Update = up.getUpdateFunction()
+	if up.Update == nil {
+		return nil, errors.ErrUnsupported
 	}
 	switch up.Version {
 	case StableTrack, UnstableTrack:
@@ -125,56 +125,82 @@ func Update(args UpdateArgs) error {
 		var err error
 		up.track, err = versionToTrack(args.Version)
 		if err != nil {
-			return err
+			return nil, err
 		}
 	}
+	if up.Arguments.PkgsAddr == "" {
+		up.Arguments.PkgsAddr = "https://pkgs.tailscale.com"
+	}
+	return &up, nil
+}
+
+type updateFunction func() error
+
+func (up *Updater) getUpdateFunction() updateFunction {
 	switch runtime.GOOS {
 	case "windows":
-		up.update = up.updateWindows
+		return up.updateWindows
 	case "linux":
 		switch distro.Get() {
 		case distro.Synology:
-			up.update = up.updateSynology
+			return up.updateSynology
 		case distro.Debian: // includes Ubuntu
-			up.update = up.updateDebLike
+			return up.updateDebLike
 		case distro.Arch:
-			up.update = up.updateArchLike
+			return up.updateArchLike
 		case distro.Alpine:
-			up.update = up.updateAlpineLike
+			return up.updateAlpineLike
 		}
 		switch {
 		case haveExecutable("pacman"):
-			up.update = up.updateArchLike
+			return up.updateArchLike
 		case haveExecutable("apt-get"): // TODO(awly): add support for "apt"
 			// The distro.Debian switch case above should catch most apt-based
 			// systems, but add this fallback just in case.
-			up.update = up.updateDebLike
+			return up.updateDebLike
 		case haveExecutable("dnf"):
-			up.update = up.updateFedoraLike("dnf")
+			return up.updateFedoraLike("dnf")
 		case haveExecutable("yum"):
-			up.update = up.updateFedoraLike("yum")
+			return up.updateFedoraLike("yum")
 		case haveExecutable("apk"):
-			up.update = up.updateAlpineLike
+			return up.updateAlpineLike
+		}
+		// If nothing matched, fall back to tarball updates.
+		if up.Update == nil {
+			return up.updateLinuxBinary
 		}
 	case "darwin":
 		switch {
-		case !args.AppStore && !version.IsSandboxedMacOS():
-			return errors.ErrUnsupported
-		case !args.AppStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
-			up.update = up.updateMacSys
+		case !up.Arguments.AppStore && !version.IsSandboxedMacOS():
+			return nil
+		case !up.Arguments.AppStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
+			return up.updateMacSys
 		default:
-			up.update = up.updateMacAppStore
+			return up.updateMacAppStore
 		}
 	case "freebsd":
-		up.update = up.updateFreeBSD
+		return up.updateFreeBSD
 	}
-	if up.update == nil {
-		return errors.ErrUnsupported
-	}
-	return up.update()
+	return nil
 }

-func (up *updater) confirm(ver string) bool {
+// Update runs a single update attempt using the platform-specific mechanism.
+//
+// On Windows, this copies the calling binary and re-executes it to apply the
+// update. The calling binary should handle an "update" subcommand and call
+// this function again for the re-executed binary to proceed.
+func Update(args Arguments) error {
+	if err := args.validate(); err != nil {
+		return err
+	}
+	up, err := NewUpdater(args)
+	if err != nil {
+		return err
+	}
+	return up.Update()
+}
+
+func (up *Updater) confirm(ver string) bool {
 	if version.Short() == ver {
 		up.Logf("already running %v; no update needed", ver)
 		return false
@@ -187,13 +213,14 @@ func (up *updater) confirm(ver string) bool {

 const synoinfoConfPath = "/etc/synoinfo.conf"

-func (up *updater) updateSynology() error {
+func (up *Updater) updateSynology() error {
 	if up.Version != "" {
 		return errors.New("installing a specific version on Synology is not supported")
 	}

 	// Get the latest version and list of SPKs from pkgs.tailscale.com.
-	osName := fmt.Sprintf("dsm%d", distro.DSMVersion())
+	dsmVersion := distro.DSMVersion()
+	osName := fmt.Sprintf("dsm%d", dsmVersion)
 	arch, err := synoArch(runtime.GOARCH, synoinfoConfPath)
 	if err != nil {
 		return err
@@ -202,15 +229,12 @@ func (up *updater) updateSynology() error {
 	if err != nil {
 		return err
 	}
-	if latest.Version == "" {
-		return fmt.Errorf("no latest version found for %q track", up.track)
-	}
 	spkName := latest.SPKs[osName][arch]
 	if spkName == "" {
 		return fmt.Errorf("cannot find Synology package for os=%s arch=%s, please report a bug with your device model", osName, arch)
 	}

-	if !up.confirm(latest.Version) {
+	if !up.confirm(latest.SPKsVersion) {
 		return nil
 	}
 	if err := requireRoot(); err != nil {
@@ -222,10 +246,9 @@ func (up *updater) updateSynology() error {
 	if err != nil {
 		return err
 	}
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/%s", up.track, spkName)
-	spkPath := filepath.Join(spkDir, path.Base(url))
-	// TODO(awly): we should sign SPKs and validate signatures here too.
-	if err := up.downloadURLToFile(url, spkPath); err != nil {
+	pkgsPath := fmt.Sprintf("%s/%s", up.track, spkName)
+	spkPath := filepath.Join(spkDir, path.Base(pkgsPath))
+	if err := up.downloadURLToFile(pkgsPath, spkPath); err != nil {
 		return err
 	}

@@ -238,8 +261,20 @@ func (up *updater) updateSynology() error {
 	// just spits out a JSON result when done.
 	out, err := cmd.CombinedOutput()
 	if err != nil {
+		if dsmVersion == 6 && bytes.Contains(out, []byte("error = [290]")) {
+			return fmt.Errorf("synopkg install failed: %w\noutput:\n%s\nplease make sure that packages from 'Any publisher' are allowed in the Package Center (Package Center -> Settings -> Trust Level -> Any publisher)", err, out)
+		}
 		return fmt.Errorf("synopkg install failed: %w\noutput:\n%s", err, out)
 	}
+	if dsmVersion == 6 {
+		// DSM6 does not automatically restart the package on install. Do it
+		// manually.
+		cmd := exec.Command("nohup", "synopkg", "start", "Tailscale")
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("synopkg start failed: %w\noutput:\n%s", err, out)
+		}
+	}
 	return nil
 }

@@ -301,7 +336,15 @@ func parseSynoinfo(path string) (string, error) {
 	return "", fmt.Errorf(`missing "unique=" field in %q`, path)
 }

-func (up *updater) updateDebLike() error {
+func (up *Updater) updateDebLike() error {
+	if err := requireRoot(); err != nil {
+		return err
+	}
+	if err := exec.Command("dpkg", "--status", "tailscale").Run(); err != nil && isExitError(err) {
+		// Tailscale was not installed via apt, update via tarball download
+		// instead.
+		return up.updateLinuxBinary()
+	}
 	ver, err := requestedTailscaleVersion(up.Version, up.track)
 	if err != nil {
 		return err
@@ -310,10 +353,6 @@ func (up *updater) updateDebLike() error {
 		return nil
 	}

-	if err := requireRoot(); err != nil {
-		return err
-	}
-
 	if updated, err := updateDebianAptSourcesList(up.track); err != nil {
 		return err
 	} else if updated {
@@ -403,7 +442,12 @@ func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []
 	return buf.Bytes(), nil
 }

-func (up *updater) updateArchLike() error {
+func (up *Updater) updateArchLike() error {
+	if err := exec.Command("pacman", "--query", "tailscale").Run(); err != nil && isExitError(err) {
+		// Tailscale was not installed via pacman, update via tarball download
+		// instead.
+		return up.updateLinuxBinary()
+	}
 	// Arch maintainer asked us not to implement "tailscale update" or
 	// auto-updates on Arch-based distros:
 	// https://github.com/tailscale/tailscale/issues/6995#issuecomment-1687080106
@@ -416,11 +460,16 @@ const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"
 // updateFedoraLike updates tailscale on any distros in the Fedora family,
 // specifically anything that uses "dnf" or "yum" package managers. The actual
 // package manager is passed via packageManager.
-func (up *updater) updateFedoraLike(packageManager string) func() error {
+func (up *Updater) updateFedoraLike(packageManager string) func() error {
 	return func() (err error) {
 		if err := requireRoot(); err != nil {
 			return err
 		}
+		if err := exec.Command(packageManager, "info", "--installed", "tailscale").Run(); err != nil && isExitError(err) {
+			// Tailscale was not installed via yum/dnf, update via tarball
+			// download instead.
+			return up.updateLinuxBinary()
+		}
 		defer func() {
 			if err != nil {
 				err = fmt.Errorf(`%w; you can try updating using "%s upgrade tailscale"`, err, packageManager)
@@ -492,13 +541,18 @@ func updateYUMRepoTrack(repoFile, dstTrack string) (rewrote bool, err error) {
 	return true, os.WriteFile(repoFile, newContent.Bytes(), 0644)
 }

-func (up *updater) updateAlpineLike() (err error) {
+func (up *Updater) updateAlpineLike() (err error) {
 	if up.Version != "" {
 		return errors.New("installing a specific version on Alpine-based distros is not supported")
 	}
 	if err := requireRoot(); err != nil {
 		return err
 	}
+	if err := exec.Command("apk", "info", "--installed", "tailscale").Run(); err != nil && isExitError(err) {
+		// Tailscale was not installed via apk, update via tarball download
+		// instead.
+		return up.updateLinuxBinary()
+	}

 	defer func() {
 		if err != nil {
@@ -549,11 +603,11 @@ func parseAlpinePackageVersion(out []byte) (string, error) {
 	return "", errors.New("tailscale version not found in output")
 }

-func (up *updater) updateMacSys() error {
+func (up *Updater) updateMacSys() error {
 	return errors.New("NOTREACHED: On MacSys builds, `tailscale update` is handled in Swift to launch the GUI updater")
 }

-func (up *updater) updateMacAppStore() error {
+func (up *Updater) updateMacAppStore() error {
 	out, err := exec.Command("defaults", "read", "/Library/Preferences/com.apple.commerce.plist", "AutoUpdate").CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("can't check App Store auto-update setting: %w, output: %q", err, string(out))
@@ -614,7 +668,7 @@ var (
 	markTempFileFunc   func(string) error // or nil on non-Windows
 )

-func (up *updater) updateWindows() error {
+func (up *Updater) updateWindows() error {
 	if msi := os.Getenv(winMSIEnv); msi != "" {
 		up.Logf("installing %v ...", msi)
 		if err := up.installMSI(msi); err != nil {
@@ -650,9 +704,9 @@ func (up *updater) updateWindows() error {
 	if err := os.MkdirAll(msiDir, 0700); err != nil {
 		return err
 	}
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
-	msiTarget := filepath.Join(msiDir, path.Base(url))
-	if err := up.downloadURLToFile(url, msiTarget); err != nil {
+	pkgsPath := fmt.Sprintf("%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
+	msiTarget := filepath.Join(msiDir, path.Base(pkgsPath))
+	if err := up.downloadURLToFile(pkgsPath, msiTarget); err != nil {
 		return err
 	}

@@ -684,7 +738,7 @@ func (up *updater) updateWindows() error {
 	panic("unreachable")
 }

-func (up *updater) installMSI(msi string) error {
+func (up *Updater) installMSI(msi string) error {
 	var err error
 	for tries := 0; tries < 2; tries++ {
 		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
@@ -751,115 +805,26 @@ func makeSelfCopy() (tmpPathExe string, err error) {
 	return f2.Name(), f2.Close()
 }

-func (up *updater) downloadURLToFile(urlSrc, fileDst string) (ret error) {
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.Proxy = tshttpproxy.ProxyFromEnvironment
-	defer tr.CloseIdleConnections()
-	c := &http.Client{Transport: tr}
-
-	quickCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-	headReq := must.Get(http.NewRequestWithContext(quickCtx, "HEAD", urlSrc, nil))
-
-	res, err := c.Do(headReq)
+func (up *Updater) downloadURLToFile(pathSrc, fileDst string) (ret error) {
+	c, err := distsign.NewClient(up.Logf, up.PkgsAddr)
 	if err != nil {
 		return err
 	}
-	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("HEAD %s: %v", urlSrc, res.Status)
-	}
-	if res.ContentLength <= 0 {
-		return fmt.Errorf("HEAD %s: unexpected Content-Length %v", urlSrc, res.ContentLength)
-	}
-	up.Logf("Download size: %v", res.ContentLength)
-
-	hashReq := must.Get(http.NewRequestWithContext(quickCtx, "GET", urlSrc+".sha256", nil))
-	hashRes, err := c.Do(hashReq)
-	if err != nil {
-		return err
-	}
-	hashHex, err := io.ReadAll(io.LimitReader(hashRes.Body, 100))
-	hashRes.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s.sha256: %v", urlSrc, res.Status)
-	}
-	if err != nil {
-		return err
-	}
-	wantHash, err := hex.DecodeString(string(strings.TrimSpace(string(hashHex))))
-	if err != nil {
-		return err
-	}
-	hash := sha256.New()
-
-	dlReq := must.Get(http.NewRequestWithContext(context.Background(), "GET", urlSrc, nil))
-	dlRes, err := c.Do(dlReq)
-	if err != nil {
-		return err
-	}
-	// TODO(bradfitz): resume from existing partial file on disk
-	if dlRes.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s: %v", urlSrc, dlRes.Status)
-	}
-
-	of, err := os.Create(fileDst)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if ret != nil {
-			of.Close()
-			// TODO(bradfitz): os.Remove(fileDst) too? or keep it to resume from/debug later.
-		}
-	}()
-	pw := &progressWriter{total: res.ContentLength, logf: up.Logf}
-	n, err := io.Copy(io.MultiWriter(hash, of, pw), io.LimitReader(dlRes.Body, res.ContentLength))
-	if err != nil {
-		return err
-	}
-	if n != res.ContentLength {
-		return fmt.Errorf("downloaded %v; want %v", n, res.ContentLength)
-	}
-	if err := of.Close(); err != nil {
-		return err
-	}
-	pw.print()
-
-	if !bytes.Equal(hash.Sum(nil), wantHash) {
-		return fmt.Errorf("SHA-256 of downloaded MSI didn't match expected value")
-	}
-	up.Logf("hash matched")
-
-	return nil
+	return c.Download(context.Background(), pathSrc, fileDst)
 }

-type progressWriter struct {
-	done      int64
-	total     int64
-	lastPrint time.Time
-	logf      logger.Logf
-}
-
-func (pw *progressWriter) Write(p []byte) (n int, err error) {
-	pw.done += int64(len(p))
-	if time.Since(pw.lastPrint) > 2*time.Second {
-		pw.print()
-	}
-	return len(p), nil
-}
-
-func (pw *progressWriter) print() {
-	pw.lastPrint = time.Now()
-	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
-}
-
-func (up *updater) updateFreeBSD() (err error) {
+func (up *Updater) updateFreeBSD() (err error) {
 	if up.Version != "" {
 		return errors.New("installing a specific version on FreeBSD is not supported")
 	}
 	if err := requireRoot(); err != nil {
 		return err
 	}
+	if err := exec.Command("pkg", "query", "%n", "tailscale").Run(); err != nil && isExitError(err) {
+		// Tailscale was not installed via pkg and we don't pre-compile
+		// binaries for it.
+		return errors.New("Tailscale was not installed via pkg, binary updates on FreeBSD are not supported; please reinstall Tailscale using pkg or update manually")
+	}

 	defer func() {
 		if err != nil {
@@ -889,6 +854,165 @@ func (up *updater) updateFreeBSD() (err error) {
 	return nil
 }

+func (up *Updater) updateLinuxBinary() error {
+	ver, err := requestedTailscaleVersion(up.Version, up.track)
+	if err != nil {
+		return err
+	}
+	if !up.confirm(ver) {
+		return nil
+	}
+	// Root is needed to overwrite binaries and restart systemd unit.
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	dlPath, err := up.downloadLinuxTarball(ver)
+	if err != nil {
+		return err
+	}
+	up.Logf("Extracting %q", dlPath)
+	if err := up.unpackLinuxTarball(dlPath); err != nil {
+		return err
+	}
+	if err := os.Remove(dlPath); err != nil {
+		up.Logf("failed to clean up %q: %v", dlPath, err)
+	}
+	if err := restartSystemdUnit(context.Background()); err != nil {
+		if errors.Is(err, errors.ErrUnsupported) {
+			up.Logf("Tailscale binaries updated successfully.\nPlease restart tailscaled to finish the update.")
+		} else {
+			up.Logf("Tailscale binaries updated successfully, but failed to restart tailscaled: %s.\nPlease restart tailscaled to finish the update.", err)
+		}
+	} else {
+		up.Logf("Success")
+	}
+
+	return nil
+}
+
+func (up *Updater) downloadLinuxTarball(ver string) (string, error) {
+	dlDir, err := os.UserCacheDir()
+	if err != nil {
+		return "", err
+	}
+	dlDir = filepath.Join(dlDir, "tailscale-update")
+	if err := os.MkdirAll(dlDir, 0700); err != nil {
+		return "", err
+	}
+	pkgsPath := fmt.Sprintf("%s/tailscale_%s_%s.tgz", up.track, ver, runtime.GOARCH)
+	dlPath := filepath.Join(dlDir, path.Base(pkgsPath))
+	if err := up.downloadURLToFile(pkgsPath, dlPath); err != nil {
+		return "", err
+	}
+	return dlPath, nil
+}
+
+func (up *Updater) unpackLinuxTarball(path string) error {
+	tailscale, tailscaled, err := binaryPaths()
+	if err != nil {
+		return err
+	}
+	f, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	gr, err := gzip.NewReader(f)
+	if err != nil {
+		return err
+	}
+	defer gr.Close()
+	tr := tar.NewReader(gr)
+	files := make(map[string]int)
+	wantFiles := map[string]int{
+		"tailscale":  1,
+		"tailscaled": 1,
+	}
+	for {
+		th, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("failed extracting %q: %w", path, err)
+		}
+		// TODO(awly): try to also extract tailscaled.service. The tricky part
+		// is fixing up binary paths in that file if they differ from where
+		// local tailscale/tailscaled are installed. Also, this may not be a
+		// systemd distro.
+		switch filepath.Base(th.Name) {
+		case "tailscale":
+			files["tailscale"]++
+			if err := writeFile(tr, tailscale+".new", 0755); err != nil {
+				return fmt.Errorf("failed extracting the new tailscale binary from %q: %w", path, err)
+			}
+		case "tailscaled":
+			files["tailscaled"]++
+			if err := writeFile(tr, tailscaled+".new", 0755); err != nil {
+				return fmt.Errorf("failed extracting the new tailscaled binary from %q: %w", path, err)
+			}
+		}
+	}
+	if !maps.Equal(files, wantFiles) {
+		return fmt.Errorf("%q has missing or duplicate files: got %v, want %v", path, files, wantFiles)
+	}
+
+	// Only place the files in final locations after everything extracted correctly.
+	if err := os.Rename(tailscale+".new", tailscale); err != nil {
+		return err
+	}
+	up.Logf("Updated %s", tailscale)
+	if err := os.Rename(tailscaled+".new", tailscaled); err != nil {
+		return err
+	}
+	up.Logf("Updated %s", tailscaled)
+	return nil
+}
+
+func writeFile(r io.Reader, path string, perm os.FileMode) error {
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove existing file at %q: %w", path, err)
+	}
+	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	if _, err := io.Copy(f, r); err != nil {
+		return err
+	}
+	return f.Close()
+}
+
+// Var allows overriding this in tests.
+var binaryPaths = func() (tailscale, tailscaled string, err error) {
+	// This can be either tailscale or tailscaled.
+	this, err := os.Executable()
+	if err != nil {
+		return "", "", err
+	}
+	otherName := "tailscaled"
+	if filepath.Base(this) == "tailscaled" {
+		otherName = "tailscale"
+	}
+	// Try to find the other binary in the same directory.
+	other := filepath.Join(filepath.Dir(this), otherName)
+	_, err = os.Stat(other)
+	if os.IsNotExist(err) {
+		// If it's not in the same directory, try to find it in $PATH.
+		other, err = exec.LookPath(otherName)
+	}
+	if err != nil {
+		return "", "", fmt.Errorf("cannot find %q in neither %q nor $PATH: %w", otherName, filepath.Dir(this), err)
+	}
+	if otherName == "tailscaled" {
+		return this, other, nil
+	} else {
+		return other, this, nil
+	}
+}
+
 func haveExecutable(name string) bool {
 	path, err := exec.LookPath(name)
 	return err == nil && path != ""
@@ -923,12 +1047,17 @@ func LatestTailscaleVersion(track string) (string, error) {
 }

 type trackPackages struct {
-	Version  string
-	Tarballs map[string]string
-	Exes     []string
-	MSIs     map[string]string
-	MacZips  map[string]string
-	SPKs     map[string]map[string]string
+	Version         string
+	Tarballs        map[string]string
+	TarballsVersion string
+	Exes            []string
+	ExesVersion     string
+	MSIs            map[string]string
+	MSIsVersion     string
+	MacZips         map[string]string
+	MacZipsVersion  string
+	SPKs            map[string]map[string]string
+	SPKsVersion     string
 }

 func latestPackages(track string) (*trackPackages, error) {
@@ -958,3 +1087,8 @@ func requireRoot() error {
 		return errors.New("must be root")
 	}
 }
+
+func isExitError(err error) bool {
+	var exitErr *exec.ExitError
+	return errors.As(err, &exitErr)
+}
--- a/clientupdate/clientupdate_test.go
+++ b/clientupdate/clientupdate_test.go
@@ -4,9 +4,14 @@
 package clientupdate

 import (
+	"archive/tar"
+	"compress/gzip"
 	"fmt"
+	"io/fs"
+	"maps"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 )

@@ -502,3 +507,257 @@ unique="synology_88f6281_213air"
 		})
 	}
 }
+
+func TestUnpackLinuxTarball(t *testing.T) {
+	oldBinaryPaths := binaryPaths
+	t.Cleanup(func() { binaryPaths = oldBinaryPaths })
+
+	tests := []struct {
+		desc    string
+		tarball map[string]string
+		before  map[string]string
+		after   map[string]string
+		wantErr bool
+	}{
+		{
+			desc: "success",
+			before: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+			},
+			tarball: map[string]string{
+				"/usr/bin/tailscale":  "v2",
+				"/usr/bin/tailscaled": "v2",
+			},
+			after: map[string]string{
+				"tailscale":  "v2",
+				"tailscaled": "v2",
+			},
+		},
+		{
+			desc: "don't touch unrelated files",
+			before: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+				"foo":        "bar",
+			},
+			tarball: map[string]string{
+				"/usr/bin/tailscale":  "v2",
+				"/usr/bin/tailscaled": "v2",
+			},
+			after: map[string]string{
+				"tailscale":  "v2",
+				"tailscaled": "v2",
+				"foo":        "bar",
+			},
+		},
+		{
+			desc: "unmodified",
+			before: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+			},
+			tarball: map[string]string{
+				"/usr/bin/tailscale":  "v1",
+				"/usr/bin/tailscaled": "v1",
+			},
+			after: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+			},
+		},
+		{
+			desc: "ignore extra tarball files",
+			before: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+			},
+			tarball: map[string]string{
+				"/usr/bin/tailscale":          "v2",
+				"/usr/bin/tailscaled":         "v2",
+				"/systemd/tailscaled.service": "v2",
+			},
+			after: map[string]string{
+				"tailscale":  "v2",
+				"tailscaled": "v2",
+			},
+		},
+		{
+			desc: "tarball missing tailscaled",
+			before: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+			},
+			tarball: map[string]string{
+				"/usr/bin/tailscale": "v2",
+			},
+			after: map[string]string{
+				"tailscale":     "v1",
+				"tailscale.new": "v2",
+				"tailscaled":    "v1",
+			},
+			wantErr: true,
+		},
+		{
+			desc: "duplicate tailscale binary",
+			before: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+			},
+			tarball: map[string]string{
+				"/usr/bin/tailscale":  "v2",
+				"/usr/sbin/tailscale": "v2",
+				"/usr/bin/tailscaled": "v2",
+			},
+			after: map[string]string{
+				"tailscale":      "v1",
+				"tailscale.new":  "v2",
+				"tailscaled":     "v1",
+				"tailscaled.new": "v2",
+			},
+			wantErr: true,
+		},
+		{
+			desc: "empty archive",
+			before: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+			},
+			tarball: map[string]string{},
+			after: map[string]string{
+				"tailscale":  "v1",
+				"tailscaled": "v1",
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			// Swap out binaryPaths function to point at dummy file paths.
+			tmp := t.TempDir()
+			tailscalePath := filepath.Join(tmp, "tailscale")
+			tailscaledPath := filepath.Join(tmp, "tailscaled")
+			binaryPaths = func() (string, string, error) {
+				return tailscalePath, tailscaledPath, nil
+			}
+			for name, content := range tt.before {
+				if err := os.WriteFile(filepath.Join(tmp, name), []byte(content), 0755); err != nil {
+					t.Fatal(err)
+				}
+			}
+			tarPath := filepath.Join(tmp, "tailscale.tgz")
+			genTarball(t, tarPath, tt.tarball)
+
+			up := &Updater{Arguments: Arguments{Logf: t.Logf}}
+			err := up.unpackLinuxTarball(tarPath)
+			if err != nil {
+				if !tt.wantErr {
+					t.Fatalf("unexpected error: %v", err)
+				}
+			} else if tt.wantErr {
+				t.Fatalf("unpack succeeded, expected an error")
+			}
+
+			gotAfter := make(map[string]string)
+			err = filepath.WalkDir(tmp, func(path string, d fs.DirEntry, err error) error {
+				if err != nil {
+					return err
+				}
+				if d.Type().IsDir() {
+					return nil
+				}
+				if path == tarPath {
+					return nil
+				}
+				content, err := os.ReadFile(path)
+				if err != nil {
+					return err
+				}
+				path = filepath.ToSlash(path)
+				base := filepath.ToSlash(tmp)
+				gotAfter[strings.TrimPrefix(path, base+"/")] = string(content)
+				return nil
+			})
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if !maps.Equal(gotAfter, tt.after) {
+				t.Errorf("files after unpack: %+v, want %+v", gotAfter, tt.after)
+			}
+		})
+	}
+}
+
+func genTarball(t *testing.T, path string, files map[string]string) {
+	f, err := os.Create(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	gw := gzip.NewWriter(f)
+	defer gw.Close()
+	tw := tar.NewWriter(gw)
+	defer tw.Close()
+	for file, content := range files {
+		if err := tw.WriteHeader(&tar.Header{
+			Name: file,
+			Size: int64(len(content)),
+			Mode: 0755,
+		}); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := tw.Write([]byte(content)); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
+func TestWriteFileOverwrite(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "test")
+	for i := 0; i < 2; i++ {
+		content := fmt.Sprintf("content %d", i)
+		if err := writeFile(strings.NewReader(content), path, 0600); err != nil {
+			t.Fatal(err)
+		}
+		got, err := os.ReadFile(path)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(got) != content {
+			t.Errorf("got content: %q, want: %q", got, content)
+		}
+	}
+}
+
+func TestWriteFileSymlink(t *testing.T) {
+	// Test for a malicious symlink at the destination path.
+	// f2 points to f1 and writeFile(f2) should not end up overwriting f1.
+	tmp := t.TempDir()
+	f1 := filepath.Join(tmp, "f1")
+	if err := os.WriteFile(f1, []byte("old"), 0600); err != nil {
+		t.Fatal(err)
+	}
+	f2 := filepath.Join(tmp, "f2")
+	if err := os.Symlink(f1, f2); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := writeFile(strings.NewReader("new"), f2, 0600); err != nil {
+		t.Errorf("writeFile(%q) failed: %v", f2, err)
+	}
+	want := map[string]string{
+		f1: "old",
+		f2: "new",
+	}
+	for f, content := range want {
+		got, err := os.ReadFile(f)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(got) != content {
+			t.Errorf("%q: got content %q, want %q", f, got, content)
+		}
+	}
+}
--- a/clientupdate/distsign/distsign.go
+++ b/clientupdate/distsign/distsign.go
@@ -38,6 +38,7 @@
 package distsign

 import (
+	"context"
 	"crypto/ed25519"
 	"crypto/rand"
 	"encoding/binary"
@@ -46,12 +47,18 @@ import (
 	"fmt"
 	"hash"
 	"io"
+	"log"
 	"net/http"
 	"net/url"
 	"os"
+	"time"

 	"github.com/hdevalence/ed25519consensus"
 	"golang.org/x/crypto/blake2s"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/httpm"
+	"tailscale.com/util/must"
 )

 const (
@@ -177,18 +184,22 @@ func (ph *PackageHash) Len() int64 { return ph.len }

 // Client downloads and validates files from a distribution server.
 type Client struct {
+	logf     logger.Logf
 	roots    []ed25519.PublicKey
 	pkgsAddr *url.URL
 }

 // NewClient returns a new client for distribution server located at pkgsAddr,
 // and uses embedded root keys from the roots/ subdirectory of this package.
-func NewClient(pkgsAddr string) (*Client, error) {
+func NewClient(logf logger.Logf, pkgsAddr string) (*Client, error) {
+	if logf == nil {
+		logf = log.Printf
+	}
 	u, err := url.Parse(pkgsAddr)
 	if err != nil {
 		return nil, fmt.Errorf("invalid pkgsAddr %q: %w", pkgsAddr, err)
 	}
-	return &Client{roots: roots(), pkgsAddr: u}, nil
+	return &Client{logf: logf, roots: roots(), pkgsAddr: u}, nil
 }

 func (c *Client) url(path string) string {
@@ -199,7 +210,7 @@ func (c *Client) url(path string) string {
 // The file is downloaded to dstPath and its signature is validated using the
 // embedded root keys. Download returns an error if anything goes wrong with
 // the actual file download or with signature validation.
-func (c *Client) Download(srcPath, dstPath string) error {
+func (c *Client) Download(ctx context.Context, srcPath, dstPath string) error {
 	// Always fetch a fresh signing key.
 	sigPub, err := c.signingKeys()
 	if err != nil {
@@ -209,11 +220,13 @@ func (c *Client) Download(srcPath, dstPath string) error {
 	srcURL := c.url(srcPath)
 	sigURL := srcURL + ".sig"

+	c.logf("Downloading %q", srcURL)
 	dstPathUnverified := dstPath + ".unverified"
-	hash, len, err := download(srcURL, dstPathUnverified, downloadSizeLimit)
+	hash, len, err := c.download(ctx, srcURL, dstPathUnverified, downloadSizeLimit)
 	if err != nil {
 		return err
 	}
+	c.logf("Downloading %q", sigURL)
 	sig, err := fetch(sigURL, signatureSizeLimit)
 	if err != nil {
 		// Best-effort clean up of downloaded package.
@@ -224,8 +237,9 @@ func (c *Client) Download(srcPath, dstPath string) error {
 	if !VerifyAny(sigPub, msg, sig) {
 		// Best-effort clean up of downloaded package.
 		os.Remove(dstPathUnverified)
-		return fmt.Errorf("signature %q for key %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, srcURL)
+		return fmt.Errorf("signature %q for file %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, srcURL)
 	}
+	c.logf("Signature OK")

 	if err := os.Rename(dstPathUnverified, dstPath); err != nil {
 		return fmt.Errorf("failed to move %q to %q after signature validation", dstPathUnverified, dstPath)
@@ -234,6 +248,48 @@ func (c *Client) Download(srcPath, dstPath string) error {
 	return nil
 }

+// ValidateLocalBinary fetches the latest signature associated with the binary
+// at srcURLPath and uses it to validate the file located on disk via
+// localFilePath. ValidateLocalBinary returns an error if anything goes wrong
+// with the signature download or with signature validation.
+func (c *Client) ValidateLocalBinary(srcURLPath, localFilePath string) error {
+	// Always fetch a fresh signing key.
+	sigPub, err := c.signingKeys()
+	if err != nil {
+		return err
+	}
+
+	srcURL := c.url(srcURLPath)
+	sigURL := srcURL + ".sig"
+
+	localFile, err := os.Open(localFilePath)
+	if err != nil {
+		return err
+	}
+	defer localFile.Close()
+
+	h := NewPackageHash()
+	_, err = io.Copy(h, localFile)
+	if err != nil {
+		return err
+	}
+	hash, hashLen := h.Sum(nil), h.Len()
+
+	c.logf("Downloading %q", sigURL)
+	sig, err := fetch(sigURL, signatureSizeLimit)
+	if err != nil {
+		return err
+	}
+
+	msg := binary.LittleEndian.AppendUint64(hash, uint64(hashLen))
+	if !VerifyAny(sigPub, msg, sig) {
+		return fmt.Errorf("signature %q for file %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, localFilePath)
+	}
+	c.logf("Signature OK")
+
+	return nil
+}
+
 // signingKeys fetches current signing keys from the server and validates them
 // against the roots. Should be called before validation of any downloaded file
 // to get the fresh keys.
@@ -272,32 +328,84 @@ func fetch(url string, limit int64) ([]byte, error) {

 // download writes the response body of url into a local file at dst, up to
 // limit bytes. On success, the returned value is a BLAKE2s hash of the file.
-func download(url, dst string, limit int64) ([]byte, int64, error) {
-	resp, err := http.Get(url)
+func (c *Client) download(ctx context.Context, url, dst string, limit int64) ([]byte, int64, error) {
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.Proxy = tshttpproxy.ProxyFromEnvironment
+	defer tr.CloseIdleConnections()
+	hc := &http.Client{Transport: tr}
+
+	quickCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+	headReq := must.Get(http.NewRequestWithContext(quickCtx, httpm.HEAD, url, nil))
+
+	res, err := hc.Do(headReq)
 	if err != nil {
 		return nil, 0, err
 	}
-	defer resp.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return nil, 0, fmt.Errorf("HEAD %q: %v", url, res.Status)
+	}
+	if res.ContentLength <= 0 {
+		return nil, 0, fmt.Errorf("HEAD %q: unexpected Content-Length %v", url, res.ContentLength)
+	}
+	c.logf("Download size: %v", res.ContentLength)

+	dlReq := must.Get(http.NewRequestWithContext(ctx, httpm.GET, url, nil))
+	dlRes, err := hc.Do(dlReq)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer dlRes.Body.Close()
+	// TODO(bradfitz): resume from existing partial file on disk
+	if dlRes.StatusCode != http.StatusOK {
+		return nil, 0, fmt.Errorf("GET %q: %v", url, dlRes.Status)
+	}
+
+	of, err := os.Create(dst)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer of.Close()
+	pw := &progressWriter{total: res.ContentLength, logf: c.logf}
 	h := NewPackageHash()
-	r := io.TeeReader(io.LimitReader(resp.Body, limit), h)
-
-	f, err := os.Create(dst)
+	n, err := io.Copy(io.MultiWriter(of, h, pw), io.LimitReader(dlRes.Body, limit))
 	if err != nil {
-		return nil, 0, err
+		return nil, n, err
 	}
-	defer f.Close()
-
-	if _, err := io.Copy(f, r); err != nil {
-		return nil, 0, err
+	if n != res.ContentLength {
+		return nil, n, fmt.Errorf("GET %q: downloaded %v, want %v", url, n, res.ContentLength)
 	}
-	if err := f.Close(); err != nil {
-		return nil, 0, err
+	if err := dlRes.Body.Close(); err != nil {
+		return nil, n, err
 	}
+	if err := of.Close(); err != nil {
+		return nil, n, err
+	}
+	pw.print()

 	return h.Sum(nil), h.Len(), nil
 }

+type progressWriter struct {
+	done      int64
+	total     int64
+	lastPrint time.Time
+	logf      logger.Logf
+}
+
+func (pw *progressWriter) Write(p []byte) (n int, err error) {
+	pw.done += int64(len(p))
+	if time.Since(pw.lastPrint) > 2*time.Second {
+		pw.print()
+	}
+	return len(p), nil
+}
+
+func (pw *progressWriter) print() {
+	pw.lastPrint = time.Now()
+	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
+}
+
 func parsePrivateKey(data []byte, typeTag string) (ed25519.PrivateKey, error) {
 	b, rest := pem.Decode(data)
 	if b == nil {
--- a/clientupdate/distsign/distsign_test.go
+++ b/clientupdate/distsign/distsign_test.go
@@ -5,6 +5,7 @@ package distsign

 import (
 	"bytes"
+	"context"
 	"crypto/ed25519"
 	"net/http"
 	"net/http/httptest"
@@ -97,7 +98,7 @@ func TestDownload(t *testing.T) {
 			t.Cleanup(func() {
 				os.Remove(dst)
 			})
-			err := c.Download(tt.src, dst)
+			err := c.Download(context.Background(), tt.src, dst)
 			if err != nil {
 				if tt.wantErr {
 					return
@@ -118,12 +119,128 @@ func TestDownload(t *testing.T) {
 	}
 }

+func TestValidateLocalBinary(t *testing.T) {
+	srv := newTestServer(t)
+	c := srv.client(t)
+
+	tests := []struct {
+		desc    string
+		before  func(*testing.T)
+		src     string
+		wantErr bool
+	}{
+		{
+			desc:    "missing file",
+			before:  func(*testing.T) {},
+			src:     "hello",
+			wantErr: true,
+		},
+		{
+			desc: "success",
+			before: func(*testing.T) {
+				srv.addSigned("hello", []byte("world"))
+			},
+			src: "hello",
+		},
+		{
+			desc: "contents changed",
+			before: func(*testing.T) {
+				srv.addSigned("hello", []byte("new world"))
+			},
+			src:     "hello",
+			wantErr: true,
+		},
+		{
+			desc: "no signature",
+			before: func(*testing.T) {
+				srv.add("hello", []byte("world"))
+			},
+			src:     "hello",
+			wantErr: true,
+		},
+		{
+			desc: "bad signature",
+			before: func(*testing.T) {
+				srv.add("hello", []byte("world"))
+				srv.add("hello.sig", []byte("potato"))
+			},
+			src:     "hello",
+			wantErr: true,
+		},
+		{
+			desc: "signed with untrusted key",
+			before: func(t *testing.T) {
+				srv.add("hello", []byte("world"))
+				srv.add("hello.sig", newSigningKeyPair(t).sign([]byte("world")))
+			},
+			src:     "hello",
+			wantErr: true,
+		},
+		{
+			desc: "signed with root key",
+			before: func(t *testing.T) {
+				srv.add("hello", []byte("world"))
+				srv.add("hello.sig", ed25519.Sign(srv.roots[0].k, []byte("world")))
+			},
+			src:     "hello",
+			wantErr: true,
+		},
+		{
+			desc: "bad signing key signature",
+			before: func(t *testing.T) {
+				srv.add("distsign.pub.sig", []byte("potato"))
+				srv.addSigned("hello", []byte("world"))
+			},
+			src:     "hello",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			srv.reset()
+
+			// First just do a successful Download.
+			want := []byte("world")
+			srv.addSigned("hello", want)
+			dst := filepath.Join(t.TempDir(), tt.src)
+			err := c.Download(context.Background(), tt.src, dst)
+			if err != nil {
+				t.Fatalf("unexpected error from Download(%q): %v", tt.src, err)
+			}
+			got, err := os.ReadFile(dst)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if !bytes.Equal(want, got) {
+				t.Errorf("Download(%q): got %q, want %q", tt.src, got, want)
+			}
+
+			// Now we reset srv with the test case and validate against the local dst.
+			srv.reset()
+			tt.before(t)
+
+			err = c.ValidateLocalBinary(tt.src, dst)
+			if err != nil {
+				if tt.wantErr {
+					return
+				}
+				t.Fatalf("unexpected error from ValidateLocalBinary(%q): %v", tt.src, err)
+			}
+			if tt.wantErr {
+				t.Fatalf("ValidateLocalBinary(%q) succeeded, expected an error", tt.src)
+			}
+		})
+	}
+}
+
 func TestRotateRoot(t *testing.T) {
 	srv := newTestServer(t)
 	c1 := srv.client(t)
+	ctx := context.Background()

 	srv.addSigned("hello", []byte("world"))
-	if err := c1.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c1.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed on a fresh server: %v", err)
 	}

@@ -132,13 +249,13 @@ func TestRotateRoot(t *testing.T) {

 	// Old client can still download files because it still trusts the old
 	// root key.
-	if err := c1.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c1.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed after root rotation on old client: %v", err)
 	}
 	// New client should fail download because current signing key is signed by
 	// the revoked root that new client doesn't trust.
 	c2 := srv.client(t)
-	if err := c2.Download("hello", filepath.Join(t.TempDir(), "hello")); err == nil {
+	if err := c2.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err == nil {
 		t.Fatalf("Download succeeded on new client, but signing key is signed with revoked root key")
 	}
 	// Re-sign signing key with another valid root that client still trusts.
@@ -147,10 +264,10 @@ func TestRotateRoot(t *testing.T) {
 	//
 	// Note: we don't need to re-sign the "hello" file because signing key
 	// didn't change (only signing key's signature).
-	if err := c1.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c1.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed after root rotation on old client with re-signed signing key: %v", err)
 	}
-	if err := c2.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c2.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed after root rotation on new client with re-signed signing key: %v", err)
 	}
 }
@@ -158,46 +275,47 @@ func TestRotateRoot(t *testing.T) {
 func TestRotateSigning(t *testing.T) {
 	srv := newTestServer(t)
 	c := srv.client(t)
+	ctx := context.Background()

 	srv.addSigned("hello", []byte("world"))
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed on a fresh server: %v", err)
 	}

 	// Replace signing key but don't publish it yet.
 	srv.sign = append(srv.sign, newSigningKeyPair(t))
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed after new signing key added but before publishing it: %v", err)
 	}

 	// Publish new signing key bundle with both keys.
 	srv.resignSigningKeys()
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed after new signing key was published: %v", err)
 	}

 	// Re-sign the "hello" file with new signing key.
 	srv.add("hello.sig", srv.sign[1].sign([]byte("world")))
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed after re-signing with new signing key: %v", err)
 	}

 	// Drop the old signing key.
 	srv.sign = srv.sign[1:]
 	srv.resignSigningKeys()
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed after removing old signing key: %v", err)
 	}

 	// Add another key and re-sign the file with it *before* publishing.
 	srv.sign = append(srv.sign, newSigningKeyPair(t))
 	srv.add("hello.sig", srv.sign[1].sign([]byte("world")))
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err == nil {
+	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err == nil {
 		t.Fatalf("Download succeeded when signed with a not-yet-published signing key")
 	}
 	// Fix this by publishing the new key.
 	srv.resignSigningKeys()
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
+	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
 		t.Fatalf("Download failed after publishing new signing key: %v", err)
 	}
 }
@@ -355,6 +473,7 @@ func (s *testServer) client(t *testing.T) *Client {
 		t.Fatal(err)
 	}
 	return &Client{
+		logf:     t.Logf,
 		roots:    roots,
 		pkgsAddr: u,
 	}
--- a/clientupdate/distsign/roots/crawshaw-root.pem
+++ b/clientupdate/distsign/roots/crawshaw-root.pem
@@ -0,0 +1,3 @@
+-----BEGIN ROOT PUBLIC KEY-----
+Psrabv2YNiEDhPlnLVSMtB5EKACm7zxvKxfvYD4i7X8=
+-----END ROOT PUBLIC KEY-----
--- a/clientupdate/systemd_linux.go
+++ b/clientupdate/systemd_linux.go
@@ -0,0 +1,37 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package clientupdate
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/coreos/go-systemd/v22/dbus"
+)
+
+func restartSystemdUnit(ctx context.Context) error {
+	c, err := dbus.NewWithContext(ctx)
+	if err != nil {
+		// Likely not a systemd-managed distro.
+		return errors.ErrUnsupported
+	}
+	defer c.Close()
+	if err := c.ReloadContext(ctx); err != nil {
+		return fmt.Errorf("failed to reload tailsacled.service: %w", err)
+	}
+	ch := make(chan string, 1)
+	if _, err := c.RestartUnitContext(ctx, "tailscaled.service", "replace", ch); err != nil {
+		return fmt.Errorf("failed to restart tailsacled.service: %w", err)
+	}
+	select {
+	case res := <-ch:
+		if res != "done" {
+			return fmt.Errorf("systemd service restart failed with result %q", res)
+		}
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+	return nil
+}
--- a/clientupdate/systemd_other.go
+++ b/clientupdate/systemd_other.go
@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !linux
+
+package clientupdate
+
+import (
+	"context"
+	"errors"
+)
+
+func restartSystemdUnit(ctx context.Context) error {
+	return errors.ErrUnsupported
+}
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -122,12 +122,15 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 		case *types.Slice:
 			if codegen.ContainsPointers(ft.Elem()) {
 				n := it.QualifiedName(ft.Elem())
+				writef("if src.%s != nil {", fname)
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
 				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
 					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
 						it.Import("tailscale.com/types/ptr")
+						writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
 						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
+						writef("}")
 					} else {
 						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 					}
@@ -137,6 +140,7 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
 				writef("}")
+				writef("}")
 			} else {
 				writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
 			}
--- a/cmd/cloner/cloner_test.go
+++ b/cmd/cloner/cloner_test.go
@@ -0,0 +1,60 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+package main
+
+import (
+	"reflect"
+	"testing"
+
+	"tailscale.com/cmd/cloner/clonerex"
+)
+
+func TestSliceContainer(t *testing.T) {
+	num := 5
+	examples := []struct {
+		name string
+		in   *clonerex.SliceContainer
+	}{
+		{
+			name: "nil",
+			in:   nil,
+		},
+		{
+			name: "zero",
+			in:   &clonerex.SliceContainer{},
+		},
+		{
+			name: "empty",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{},
+			},
+		},
+		{
+			name: "nils",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{nil, nil, nil, nil, nil},
+			},
+		},
+		{
+			name: "one",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{&num},
+			},
+		},
+		{
+			name: "several",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{&num, &num, &num, &num, &num},
+			},
+		},
+	}
+
+	for _, ex := range examples {
+		t.Run(ex.name, func(t *testing.T) {
+			out := ex.in.Clone()
+			if !reflect.DeepEqual(ex.in, out) {
+				t.Errorf("Clone() = %v, want %v", out, ex.in)
+			}
+		})
+	}
+}
--- a/cmd/cloner/clonerex/clonerex.go
+++ b/cmd/cloner/clonerex/clonerex.go
@@ -0,0 +1,10 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type SliceContainer
+
+package clonerex
+
+type SliceContainer struct {
+	Slice []*int
+}
--- a/cmd/cloner/clonerex/clonerex_clone.go
+++ b/cmd/cloner/clonerex/clonerex_clone.go
@@ -0,0 +1,54 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
+
+package clonerex
+
+import (
+	"tailscale.com/types/ptr"
+)
+
+// Clone makes a deep copy of SliceContainer.
+// The result aliases no memory with the original.
+func (src *SliceContainer) Clone() *SliceContainer {
+	if src == nil {
+		return nil
+	}
+	dst := new(SliceContainer)
+	*dst = *src
+	if src.Slice != nil {
+		dst.Slice = make([]*int, len(src.Slice))
+		for i := range dst.Slice {
+			if src.Slice[i] == nil {
+				dst.Slice[i] = nil
+			} else {
+				dst.Slice[i] = ptr.To(*src.Slice[i])
+			}
+		}
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _SliceContainerCloneNeedsRegeneration = SliceContainer(struct {
+	Slice []*int
+}{})
+
+// Clone duplicates src into dst and reports whether it succeeded.
+// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,
+// where T is one of SliceContainer.
+func Clone(dst, src any) bool {
+	switch src := src.(type) {
+	case *SliceContainer:
+		switch dst := dst.(type) {
+		case *SliceContainer:
+			*dst = *src.Clone()
+			return true
+		case **SliceContainer:
+			*dst = src.Clone()
+			return true
+		}
+	}
+	return false
+}
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -7,9 +7,11 @@ package main

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"log"
 	"net/http"
+	"net/netip"
 	"os"

 	"tailscale.com/kube"
@@ -32,7 +34,7 @@ func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error)

 // storeDeviceInfo writes deviceID into the "device_id" data field of the kube
 // secret secretName.
-func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string) error {
+func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string, addresses []netip.Prefix) error {
 	// First check if the secret exists at all. Even if running on
 	// kubernetes, we do not necessarily store state in a k8s secret.
 	if _, err := kc.GetSecret(ctx, secretName); err != nil {
@@ -46,10 +48,20 @@ func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.St
 		return err
 	}

+	var ips []string
+	for _, addr := range addresses {
+		ips = append(ips, addr.Addr().String())
+	}
+	deviceIPs, err := json.Marshal(ips)
+	if err != nil {
+		return err
+	}
+
 	m := &kube.Secret{
 		Data: map[string][]byte{
 			"device_id":   []byte(deviceID),
 			"device_fqdn": []byte(fqdn),
+			"device_ips":  deviceIPs,
 		},
 	}
 	return kc.StrategicMergePatchSecret(ctx, secretName, m, "tailscale-container")
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -16,6 +16,8 @@
 //   - TS_ROUTES: subnet routes to advertise.
 //   - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
 //     destination.
+//   - TS_TAILNET_TARGET_IP: proxy all incoming non-Tailscale traffic to the given
+//     destination.
 //   - TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
 //   - TS_EXTRA_ARGS: extra arguments to 'tailscale login', these are not
 //     reset on restart.
@@ -34,9 +36,15 @@
 //   - TS_SOCKET: the path where the tailscaled LocalAPI socket should
 //     be created.
 //   - TS_AUTH_ONCE: if true, only attempt to log in if not already
-//     logged in. If false (the default, for backwards
-//     compatibility), forcibly log in every time the
-//     container starts.
+//     logged in. If false, forcibly log in every time the container starts.
+//     The default until 1.50.0 was false, but that was misleading: until
+//     1.50, containerboot used `tailscale up` which would ignore an authkey
+//     argument if there was already a node key. Effectively, this behaved
+//     as though TS_AUTH_ONCE were always true.
+//     In 1.50.0 the change was made to use `tailscale login` instead of `up`,
+//     and login will reauthenticate every time it is given an authkey.
+//     In 1.50.1 we set the TS_AUTH_ONCE to true, to match the previously
+//     observed behavior.
 //   - TS_SERVE_CONFIG: if specified, is the file path where the ipn.ServeConfig is located.
 //     It will be applied once tailscaled is up and running. If the file contains
 //     ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN.
@@ -88,8 +96,9 @@ func main() {
 		AuthKey:         defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
 		Hostname:        defaultEnv("TS_HOSTNAME", ""),
 		Routes:          defaultEnv("TS_ROUTES", ""),
-		ProxyTo:         defaultEnv("TS_DEST_IP", ""),
 		ServeConfigPath: defaultEnv("TS_SERVE_CONFIG", ""),
+		ProxyTo:         defaultEnv("TS_DEST_IP", ""),
+		TailnetTargetIP: defaultEnv("TS_TAILNET_TARGET_IP", ""),
 		DaemonExtraArgs: defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
 		ExtraArgs:       defaultEnv("TS_EXTRA_ARGS", ""),
 		InKubernetes:    os.Getenv("KUBERNETES_SERVICE_HOST") != "",
@@ -100,23 +109,24 @@ func main() {
 		SOCKSProxyAddr:  defaultEnv("TS_SOCKS5_SERVER", ""),
 		HTTPProxyAddr:   defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
 		Socket:          defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:        defaultBool("TS_AUTH_ONCE", false),
+		AuthOnce:        defaultBool("TS_AUTH_ONCE", true),
 		Root:            defaultEnv("TS_TEST_ONLY_ROOT", "/"),
 	}

 	if cfg.ProxyTo != "" && cfg.UserspaceMode {
 		log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
 	}
-	if cfg.ProxyTo != "" && cfg.ServeConfigPath != "" {
-		log.Fatal("TS_DEST_IP is not supported with TS_SERVE_CONFIG")
+
+	if cfg.TailnetTargetIP != "" && cfg.UserspaceMode {
+		log.Fatal("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
 	}

 	if !cfg.UserspaceMode {
 		if err := ensureTunFile(cfg.Root); err != nil {
 			log.Fatalf("Unable to create tuntap device file: %v", err)
 		}
-		if cfg.ProxyTo != "" || cfg.Routes != "" {
-			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTo, cfg.Routes); err != nil {
+		if cfg.ProxyTo != "" || cfg.Routes != "" || cfg.TailnetTargetIP != "" {
+			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTo, cfg.TailnetTargetIP, cfg.Routes); err != nil {
 				log.Printf("Failed to enable IP forwarding: %v", err)
 				log.Printf("To run tailscale as a proxy or router container, IP forwarding must be enabled.")
 				if cfg.InKubernetes {
@@ -248,10 +258,13 @@ authLoop:
 	if err := tailscaleSet(ctx, cfg); err != nil {
 		log.Fatalf("failed to auth tailscale: %v", err)
 	}
-	// Remove any serve config that may have been set by a previous
-	// run of containerboot.
-	if err := client.SetServeConfig(ctx, new(ipn.ServeConfig)); err != nil {
-		log.Fatalf("failed to unset serve config: %v", err)
+
+	if cfg.ServeConfigPath != "" {
+		// Remove any serve config that may have been set by a previous run of
+		// containerboot, but only if we're providing a new one.
+		if err := client.SetServeConfig(ctx, new(ipn.ServeConfig)); err != nil {
+			log.Fatalf("failed to unset serve config: %v", err)
+		}
 	}

 	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce {
@@ -270,7 +283,7 @@ authLoop:
 	}

 	var (
-		wantProxy         = cfg.ProxyTo != ""
+		wantProxy         = cfg.ProxyTo != "" || cfg.TailnetTargetIP != ""
 		wantDeviceInfo    = cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch
 		startupTasksDone  = false
 		currentIPs        deephash.Sum // tailscale IPs assigned to device
@@ -297,9 +310,13 @@ authLoop:
 			log.Fatalf("tailscaled left running state (now in state %q), exiting", *n.State)
 		}
 		if n.NetMap != nil {
-			if cfg.ProxyTo != "" && len(n.NetMap.Addresses) > 0 && deephash.Update(&currentIPs, &n.NetMap.Addresses) {
-				if err := installIPTablesRule(ctx, cfg.ProxyTo, n.NetMap.Addresses); err != nil {
-					log.Fatalf("installing proxy rules: %v", err)
+			addrs := n.NetMap.SelfNode.Addresses().AsSlice()
+			newCurrentIPs := deephash.Hash(&addrs)
+			ipsHaveChanged := newCurrentIPs != currentIPs
+			if cfg.ProxyTo != "" && len(addrs) > 0 && ipsHaveChanged {
+				log.Printf("Installing proxy rules")
+				if err := installIngressForwardingRule(ctx, cfg.ProxyTo, addrs); err != nil {
+					log.Fatalf("installing ingress proxy rules: %v", err)
 				}
 			}
 			if cfg.ServeConfigPath != "" && len(n.NetMap.DNS.CertDomains) > 0 {
@@ -312,9 +329,16 @@ authLoop:
 					}
 				}
 			}
+			if cfg.TailnetTargetIP != "" && ipsHaveChanged && len(addrs) > 0 {
+				if err := installEgressForwardingRule(ctx, cfg.TailnetTargetIP, addrs); err != nil {
+					log.Fatalf("installing egress proxy rules: %v", err)
+				}
+			}
+			currentIPs = newCurrentIPs
+
 			deviceInfo := []any{n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name()}
 			if cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != "" && deephash.Update(&currentDeviceInfo, &deviceInfo) {
-				if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name()); err != nil {
+				if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses().AsSlice()); err != nil {
 					log.Fatalf("storing device ID in kube secret: %v", err)
 				}
 			}
@@ -570,14 +594,25 @@ func ensureTunFile(root string) error {
 }

 // ensureIPForwarding enables IPv4/IPv6 forwarding for the container.
-func ensureIPForwarding(root, proxyTo, routes string) error {
+func ensureIPForwarding(root, clusterProxyTarget, tailnetTargetiP, routes string) error {
 	var (
 		v4Forwarding, v6Forwarding bool
 	)
-	if proxyTo != "" {
-		proxyIP, err := netip.ParseAddr(proxyTo)
+	if clusterProxyTarget != "" {
+		proxyIP, err := netip.ParseAddr(clusterProxyTarget)
 		if err != nil {
-			return fmt.Errorf("invalid proxy destination IP: %v", err)
+			return fmt.Errorf("invalid cluster destination IP: %v", err)
+		}
+		if proxyIP.Is4() {
+			v4Forwarding = true
+		} else {
+			v6Forwarding = true
+		}
+	}
+	if tailnetTargetiP != "" {
+		proxyIP, err := netip.ParseAddr(tailnetTargetiP)
+		if err != nil {
+			return fmt.Errorf("invalid tailnet destination IP: %v", err)
 		}
 		if proxyIP.Is4() {
 			v4Forwarding = true
@@ -627,7 +662,60 @@ func ensureIPForwarding(root, proxyTo, routes string) error {
 	return nil
 }

-func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
+func installEgressForwardingRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
+	dst, err := netip.ParseAddr(dstStr)
+	if err != nil {
+		return err
+	}
+	argv0 := "iptables"
+	if dst.Is6() {
+		argv0 = "ip6tables"
+	}
+	var local string
+	for _, pfx := range tsIPs {
+		if !pfx.IsSingleIP() {
+			continue
+		}
+		if pfx.Addr().Is4() != dst.Is4() {
+			continue
+		}
+		local = pfx.Addr().String()
+		break
+	}
+	if local == "" {
+		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
+	}
+	// Technically, if the control server ever changes the IPs assigned to this
+	// node, we'll slowly accumulate iptables rules. This shouldn't happen, so
+	// for now we'll live with it.
+	// Set up a rule that ensures that all packets
+	// except for those received on tailscale0 interface is forwarded to
+	// destination address
+	cmdDNAT := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "PREROUTING", "1", "!", "-i", "tailscale0", "-j", "DNAT", "--to-destination", dstStr)
+	cmdDNAT.Stdout = os.Stdout
+	cmdDNAT.Stderr = os.Stderr
+	if err := cmdDNAT.Run(); err != nil {
+		return fmt.Errorf("executing iptables failed: %w", err)
+	}
+	// Set up a rule that ensures that all packets sent to the destination
+	// address will have the proxy's IP set as source IP
+	cmdSNAT := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "POSTROUTING", "1", "--destination", dstStr, "-j", "SNAT", "--to-source", local)
+	cmdSNAT.Stdout = os.Stdout
+	cmdSNAT.Stderr = os.Stderr
+	if err := cmdSNAT.Run(); err != nil {
+		return fmt.Errorf("setting up SNAT via iptables failed: %w", err)
+	}
+
+	cmdClamp := exec.CommandContext(ctx, argv0, "-t", "mangle", "-A", "FORWARD", "-o", "tailscale0", "-p", "tcp", "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
+	cmdClamp.Stdout = os.Stdout
+	cmdClamp.Stderr = os.Stderr
+	if err := cmdClamp.Run(); err != nil {
+		return fmt.Errorf("executing iptables failed: %w", err)
+	}
+	return nil
+}
+
+func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
 	dst, err := netip.ParseAddr(dstStr)
 	if err != nil {
 		return err
@@ -659,15 +747,28 @@ func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefi
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("executing iptables failed: %w", err)
 	}
+	cmdClamp := exec.CommandContext(ctx, argv0, "-t", "mangle", "-A", "FORWARD", "-o", "tailscale0", "-p", "tcp", "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
+	cmdClamp.Stdout = os.Stdout
+	cmdClamp.Stderr = os.Stderr
+	if err := cmdClamp.Run(); err != nil {
+		return fmt.Errorf("executing iptables failed: %w", err)
+	}
 	return nil
 }

 // settings is all the configuration for containerboot.
 type settings struct {
-	AuthKey            string
-	Hostname           string
-	Routes             string
-	ProxyTo            string
+	AuthKey  string
+	Hostname string
+	Routes   string
+	// ProxyTo is the destination IP to which all incoming
+	// Tailscale traffic should be proxied. If empty, no proxying
+	// is done. This is typically a locally reachable IP.
+	ProxyTo string
+	// TailnetTargetIP is the destination IP to which all incoming
+	// non-Tailscale traffic should be proxied. If empty, no
+	// proxying is done. This is typically a Tailscale IP.
+	TailnetTargetIP    string
 	ServeConfigPath    string
 	DaemonExtraArgs    string
 	ExtraArgs          string
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -113,10 +113,10 @@ func TestContainerBoot(t *testing.T) {
 		State: ptr.To(ipn.Running),
 		NetMap: &netmap.NetworkMap{
 			SelfNode: (&tailcfg.Node{
-				StableID: tailcfg.StableNodeID("myID"),
-				Name:     "test-node.test.ts.net",
+				StableID:  tailcfg.StableNodeID("myID"),
+				Name:      "test-node.test.ts.net",
+				Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
 			}).View(),
-			Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
 		},
 	}
 	tests := []struct {
@@ -129,16 +129,22 @@ func TestContainerBoot(t *testing.T) {
 		{
 			// Out of the box default: runs in userspace mode, ephemeral storage, interactive login.
 			Name: "no_args",
-			Env:  nil,
+			Env: map[string]string{
+				"TS_AUTH_ONCE": "false",
+			},
+
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login",
 					},
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 				},
 			},
 		},
@@ -146,17 +152,21 @@ func TestContainerBoot(t *testing.T) {
 			// Userspace mode, ephemeral storage, authkey provided on every run.
 			Name: "authkey",
 			Env: map[string]string{
-				"TS_AUTHKEY": "tskey-key",
+				"TS_AUTHKEY":   "tskey-key",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 				},
 			},
 		},
@@ -164,17 +174,21 @@ func TestContainerBoot(t *testing.T) {
 			// Userspace mode, ephemeral storage, authkey provided on every run.
 			Name: "authkey-old-flag",
 			Env: map[string]string{
-				"TS_AUTH_KEY": "tskey-key",
+				"TS_AUTH_KEY":  "tskey-key",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 				},
 			},
 		},
@@ -183,30 +197,35 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_STATE_DIR": filepath.Join(d, "tmp"),
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 				},
 			},
 		},
 		{
 			Name: "routes",
 			Env: map[string]string{
-				"TS_AUTHKEY": "tskey-key",
-				"TS_ROUTES":  "1.2.3.0/24,10.20.30.0/24",
+				"TS_AUTHKEY":   "tskey-key",
+				"TS_ROUTES":    "1.2.3.0/24,10.20.30.0/24",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
@@ -215,6 +234,9 @@ func TestContainerBoot(t *testing.T) {
 						"proc/sys/net/ipv4/ip_forward":          "0",
 						"proc/sys/net/ipv6/conf/all/forwarding": "0",
 					},
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --advertise-routes=1.2.3.0/24,10.20.30.0/24",
+					},
 				},
 			},
 		},
@@ -224,12 +246,13 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "1.2.3.0/24,10.20.30.0/24",
 				"TS_USERSPACE": "false",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
@@ -238,6 +261,9 @@ func TestContainerBoot(t *testing.T) {
 						"proc/sys/net/ipv4/ip_forward":          "1",
 						"proc/sys/net/ipv6/conf/all/forwarding": "0",
 					},
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --advertise-routes=1.2.3.0/24,10.20.30.0/24",
+					},
 				},
 			},
 		},
@@ -247,12 +273,13 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "::/64,1::/64",
 				"TS_USERSPACE": "false",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1::/64",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
@@ -261,6 +288,9 @@ func TestContainerBoot(t *testing.T) {
 						"proc/sys/net/ipv4/ip_forward":          "0",
 						"proc/sys/net/ipv6/conf/all/forwarding": "1",
 					},
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --advertise-routes=::/64,1::/64",
+					},
 				},
 			},
 		},
@@ -270,12 +300,13 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "::/64,1.2.3.0/24",
 				"TS_USERSPACE": "false",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1.2.3.0/24",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
@@ -284,27 +315,59 @@ func TestContainerBoot(t *testing.T) {
 						"proc/sys/net/ipv4/ip_forward":          "1",
 						"proc/sys/net/ipv6/conf/all/forwarding": "1",
 					},
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --advertise-routes=::/64,1.2.3.0/24",
+					},
 				},
 			},
 		},
 		{
-			Name: "proxy",
+			Name: "ingres proxy",
 			Env: map[string]string{
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
 				"TS_USERSPACE": "false",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
 					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
 						"/usr/bin/iptables -t nat -I PREROUTING 1 -d 100.64.0.1 -j DNAT --to-destination 1.2.3.4",
+						"/usr/bin/iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
+					},
+				},
+			},
+		},
+		{
+			Name: "egress proxy",
+			Env: map[string]string{
+				"TS_AUTHKEY":           "tskey-key",
+				"TS_TAILNET_TARGET_IP": "100.99.99.99",
+				"TS_USERSPACE":         "false",
+				"TS_AUTH_ONCE":         "false",
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+						"/usr/bin/iptables -t nat -I PREROUTING 1 ! -i tailscale0 -j DNAT --to-destination 100.99.99.99",
+						"/usr/bin/iptables -t nat -I POSTROUTING 1 --destination 100.99.99.99 -j SNAT --to-source 100.64.0.1",
+						"/usr/bin/iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
 					},
 				},
 			},
@@ -326,11 +389,14 @@ func TestContainerBoot(t *testing.T) {
 						State: ptr.To(ipn.NeedsLogin),
 					},
 					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 				},
 			},
 		},
@@ -339,6 +405,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"KUBERNETES_SERVICE_HOST":       kube.Host,
 				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
+				"TS_AUTH_ONCE":                  "false",
 			},
 			KubeSecret: map[string]string{
 				"authkey": "tskey-key",
@@ -347,7 +414,7 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{
 						"authkey": "tskey-key",
@@ -355,10 +422,14 @@ func TestContainerBoot(t *testing.T) {
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 					WantKubeSecret: map[string]string{
 						"authkey":     "tskey-key",
 						"device_fqdn": "test-node.test.ts.net",
 						"device_id":   "myID",
+						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -372,18 +443,22 @@ func TestContainerBoot(t *testing.T) {
 				"TS_KUBE_SECRET": "",
 				"TS_STATE_DIR":   filepath.Join(d, "tmp"),
 				"TS_AUTHKEY":     "tskey-key",
+				"TS_AUTH_ONCE":   "false",
 			},
 			KubeSecret: map[string]string{},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{},
 				},
 				{
-					Notify:         runningNotify,
+					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 					WantKubeSecret: map[string]string{},
 				},
 			},
@@ -394,6 +469,7 @@ func TestContainerBoot(t *testing.T) {
 				"KUBERNETES_SERVICE_HOST":       kube.Host,
 				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
 				"TS_AUTHKEY":                    "tskey-key",
+				"TS_AUTH_ONCE":                  "false",
 			},
 			KubeSecret:    map[string]string{},
 			KubeDenyPatch: true,
@@ -401,12 +477,15 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{},
 				},
 				{
-					Notify:         runningNotify,
+					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 					WantKubeSecret: map[string]string{},
 				},
 			},
@@ -436,7 +515,7 @@ func TestContainerBoot(t *testing.T) {
 						State: ptr.To(ipn.NeedsLogin),
 					},
 					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{
 						"authkey": "tskey-key",
@@ -444,9 +523,13 @@ func TestContainerBoot(t *testing.T) {
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 					WantKubeSecret: map[string]string{
 						"device_fqdn": "test-node.test.ts.net",
 						"device_id":   "myID",
+						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -456,6 +539,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"KUBERNETES_SERVICE_HOST":       kube.Host,
 				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
+				"TS_AUTH_ONCE":                  "false",
 			},
 			KubeSecret: map[string]string{
 				"authkey": "tskey-key",
@@ -464,7 +548,7 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{
 						"authkey": "tskey-key",
@@ -472,10 +556,14 @@ func TestContainerBoot(t *testing.T) {
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 					WantKubeSecret: map[string]string{
 						"authkey":     "tskey-key",
 						"device_fqdn": "test-node.test.ts.net",
 						"device_id":   "myID",
+						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 				{
@@ -483,16 +571,17 @@ func TestContainerBoot(t *testing.T) {
 						State: ptr.To(ipn.Running),
 						NetMap: &netmap.NetworkMap{
 							SelfNode: (&tailcfg.Node{
-								StableID: tailcfg.StableNodeID("newID"),
-								Name:     "new-name.test.ts.net",
+								StableID:  tailcfg.StableNodeID("newID"),
+								Name:      "new-name.test.ts.net",
+								Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
 							}).View(),
-							Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
 						},
 					},
 					WantKubeSecret: map[string]string{
 						"authkey":     "tskey-key",
 						"device_fqdn": "new-name.test.ts.net",
 						"device_id":   "newID",
+						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -502,16 +591,20 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"TS_SOCKS5_SERVER":              "localhost:1080",
 				"TS_OUTBOUND_HTTP_PROXY_LISTEN": "localhost:8080",
+				"TS_AUTH_ONCE":                  "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --socks5-server=localhost:1080 --outbound-http-proxy-listen=localhost:8080",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login",
 					},
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 				},
 			},
 		},
@@ -519,16 +612,20 @@ func TestContainerBoot(t *testing.T) {
 			Name: "dns",
 			Env: map[string]string{
 				"TS_ACCEPT_DNS": "true",
+				"TS_AUTH_ONCE":  "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=true",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login",
 					},
 				},
 				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=true",
+					},
 				},
 			},
 		},
@@ -537,31 +634,41 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"TS_EXTRA_ARGS":            "--widget=rotated",
 				"TS_TAILSCALED_EXTRA_ARGS": "--experiments=widgets",
+				"TS_AUTH_ONCE":             "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --experiments=widgets",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --widget=rotated",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --widget=rotated",
 					},
-				}, {
+				},
+				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+					},
 				},
 			},
 		},
 		{
 			Name: "hostname",
 			Env: map[string]string{
-				"TS_HOSTNAME": "my-server",
+				"TS_HOSTNAME":  "my-server",
+				"TS_AUTH_ONCE": "false",
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --hostname=my-server",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login",
 					},
-				}, {
+				},
+				{
 					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --hostname=my-server",
+					},
 				},
 			},
 		},
@@ -790,10 +897,17 @@ func (l *localAPI) Notify(n *ipn.Notify) {
 }

 func (l *localAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.Method != "GET" {
-		panic(fmt.Sprintf("unsupported method %q", r.Method))
-	}
-	if r.URL.Path != "/localapi/v0/watch-ipn-bus" {
+	switch r.URL.Path {
+	case "/localapi/v0/serve-config":
+		if r.Method != "POST" {
+			panic(fmt.Sprintf("unsupported method %q", r.Method))
+		}
+		return
+	case "/localapi/v0/watch-ipn-bus":
+		if r.Method != "GET" {
+			panic(fmt.Sprintf("unsupported method %q", r.Method))
+		}
+	default:
 		panic(fmt.Sprintf("unsupported path %q", r.URL.Path))
 	}

--- a/cmd/containerboot/test_tailscaled.sh
+++ b/cmd/containerboot/test_tailscaled.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# This is a fake tailscale CLI that records its arguments, symlinks a
+# This is a fake tailscale daemon that records its arguments, symlinks a
 # fake LocalAPI socket into place, and does nothing until terminated.
 #
 # It is used by main_test.go to test the behavior of containerboot.
@@ -33,5 +33,6 @@ if [[ -z "$socket" ]]; then
 fi

 ln -s "$TS_TEST_SOCKET" "$socket"
+trap 'rm -f "$socket"' EXIT

-while true; do sleep 1; done
+while sleep 10; do :; done
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -16,7 +16,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil+
+        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil
+        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header
   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
@@ -78,6 +79,22 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
+        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip+
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
+     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
+        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
+        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
+     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
+        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/tcpip/header                           from tailscale.com/net/packet
+        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header
+        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
@@ -136,7 +153,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
-   W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
+        tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy+
        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
        tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
@@ -220,7 +237,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
+        encoding/base32                                              from tailscale.com/tka+
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
@@ -269,7 +286,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
-        slices                                                       from tailscale.com/ipn+
+        slices                                                       from tailscale.com/ipn/ipnstate+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
        strings                                                      from bufio+
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -50,7 +50,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 			return
 		}
 		counterWebSocketAccepts.Add(1)
-		wc := wsconn.NetConn(r.Context(), c, websocket.MessageBinary)
+		wc := wsconn.NetConn(r.Context(), c, websocket.MessageBinary, r.RemoteAddr)
 		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
 		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
 	})
--- a/cmd/gitops-pusher/README.md
+++ b/cmd/gitops-pusher/README.md
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      
      - name: Setup Go environment
        uses: actions/setup-go@v3.2.0
--- a/cmd/k8s-operator/ingress.go
+++ b/cmd/k8s-operator/ingress.go
@@ -8,10 +8,11 @@ package main
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
+	"sync"

 	"go.uber.org/zap"
-	"golang.org/x/exp/slices"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -21,6 +22,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"tailscale.com/ipn"
 	"tailscale.com/types/opt"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/set"
 )

 type IngressReconciler struct {
@@ -29,8 +32,20 @@ type IngressReconciler struct {
 	recorder record.EventRecorder
 	ssr      *tailscaleSTSReconciler
 	logger   *zap.SugaredLogger
+
+	mu sync.Mutex // protects following
+
+	// managedIngresses is a set of all ingress resources that we're currently
+	// managing. This is only used for metrics.
+	managedIngresses set.Slice[types.UID]
 }

+var (
+	// gaugeIngressResources tracks the number of ingress resources that we're
+	// currently managing.
+	gaugeIngressResources = clientmetric.NewGauge("k8s_ingress_resources")
+)
+
 func (a *IngressReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
 	logger := a.logger.With("ingress-ns", req.Namespace, "ingress-name", req.Name)
 	logger.Debugf("starting reconcile")
@@ -57,6 +72,10 @@ func (a *IngressReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 	ix := slices.Index(ing.Finalizers, FinalizerName)
 	if ix < 0 {
 		logger.Debugf("no finalizer, nothing to do")
+		a.mu.Lock()
+		defer a.mu.Unlock()
+		a.managedIngresses.Remove(ing.UID)
+		gaugeIngressResources.Set(int64(a.managedIngresses.Len()))
 		return nil
 	}

@@ -77,6 +96,10 @@ func (a *IngressReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 	// cleanup removes the tailscale finalizer, which will make all future
 	// reconciles exit early.
 	logger.Infof("unexposed ingress from tailnet")
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.managedIngresses.Remove(ing.UID)
+	gaugeIngressResources.Set(int64(a.managedIngresses.Len()))
 	return nil
 }

@@ -97,6 +120,14 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 			return fmt.Errorf("failed to add finalizer: %w", err)
 		}
 	}
+	a.mu.Lock()
+	a.managedIngresses.Add(ing.UID)
+	gaugeIngressResources.Set(int64(a.managedIngresses.Len()))
+	a.mu.Unlock()
+
+	if !a.ssr.IsHTTPSEnabledOnTailnet() {
+		a.recorder.Event(ing, corev1.EventTypeWarning, "HTTPSNotEnabled", "HTTPS is not enabled on the tailnet; ingress may not work")
+	}

 	// magic443 is a fake hostname that we can use to tell containerboot to swap
 	// out with the real hostname once it's known.
@@ -190,11 +221,11 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		ChildResourceLabels: crl,
 	}

-	if err := a.ssr.Provision(ctx, logger, sts); err != nil {
+	if _, err := a.ssr.Provision(ctx, logger, sts); err != nil {
 		return fmt.Errorf("failed to provision: %w", err)
 	}

-	_, tsHost, err := a.ssr.DeviceInfo(ctx, crl)
+	_, tsHost, _, err := a.ssr.DeviceInfo(ctx, crl)
 	if err != nil {
 		return fmt.Errorf("failed to get device ID: %w", err)
 	}
--- a/cmd/k8s-operator/manifests/operator.yaml
+++ b/cmd/k8s-operator/manifests/operator.yaml
@@ -48,7 +48,7 @@ metadata:
  name: tailscale-operator
 rules:
 - apiGroups: [""]
-  resources: ["services", "services/status"]
+  resources: ["events", "services", "services/status"]
  verbs: ["*"]
 - apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "ingresses/status"]
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -47,12 +47,11 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	var (
-		tsNamespace        = defaultEnv("OPERATOR_NAMESPACE", "")
-		tslogging          = defaultEnv("OPERATOR_LOGGING", "info")
-		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
-		priorityClassName  = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
-		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
-		shouldRunAuthProxy = defaultBool("AUTH_PROXY", false)
+		tsNamespace       = defaultEnv("OPERATOR_NAMESPACE", "")
+		tslogging         = defaultEnv("OPERATOR_LOGGING", "info")
+		image             = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
+		priorityClassName = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
+		tags              = defaultEnv("PROXY_TAGS", "tag:k8s")
 	)

 	var opts []kzap.Opts
@@ -70,10 +69,8 @@ func main() {
 	s, tsClient := initTSNet(zlog)
 	defer s.Close()
 	restConfig := config.GetConfigOrDie()
-	if shouldRunAuthProxy {
-		launchAuthProxy(zlog, restConfig, s)
-	}
-	startReconcilers(zlog, tsNamespace, restConfig, tsClient, image, priorityClassName, tags)
+	maybeLaunchAPIServerProxy(zlog, restConfig, s)
+	runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags)
 }

 // initTSNet initializes the tsnet.Server and logs in to Tailscale. It uses the
@@ -180,9 +177,12 @@ waitOnline:
 	return s, tsClient
 }

-// startReconcilers starts the controller-runtime manager and registers the
-// ServiceReconciler.
-func startReconcilers(zlog *zap.SugaredLogger, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags string) {
+// runReconcilers starts the controller-runtime manager and registers the
+// ServiceReconciler. It blocks forever.
+func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags string) {
+	var (
+		isDefaultLoadBalancer = defaultBool("OPERATOR_DEFAULT_LOAD_BALANCER", false)
+	)
 	startlog := zlog.Named("startReconcilers")
 	// For secrets and statefulsets, we only get permission to touch the objects
 	// in the controller's own namespace. This cannot be expressed by
@@ -205,23 +205,12 @@ func startReconcilers(zlog *zap.SugaredLogger, tsNamespace string, restConfig *r
 		startlog.Fatalf("could not create manager: %v", err)
 	}

-	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(_ context.Context, o client.Object) []reconcile.Request {
-		ls := o.GetLabels()
-		if ls[LabelManaged] != "true" {
-			return nil
-		}
-		return []reconcile.Request{
-			{
-				NamespacedName: types.NamespacedName{
-					Namespace: ls[LabelParentNamespace],
-					Name:      ls[LabelParentName],
-				},
-			},
-		}
-	})
+	svcFilter := handler.EnqueueRequestsFromMapFunc(serviceHandler)
+	svcChildFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("svc"))
 	eventRecorder := mgr.GetEventRecorderFor("tailscale-operator")
 	ssr := &tailscaleSTSReconciler{
 		Client:                 mgr.GetClient(),
+		tsnetServer:            s,
 		tsClient:               tsClient,
 		defaultTags:            strings.Split(tags, ","),
 		operatorNamespace:      tsNamespace,
@@ -230,22 +219,26 @@ func startReconcilers(zlog *zap.SugaredLogger, tsNamespace string, restConfig *r
 	}
 	err = builder.
 		ControllerManagedBy(mgr).
-		For(&corev1.Service{}).
-		Watches(&appsv1.StatefulSet{}, reconcileFilter).
-		Watches(&corev1.Secret{}, reconcileFilter).
+		Named("service-reconciler").
+		Watches(&corev1.Service{}, svcFilter).
+		Watches(&appsv1.StatefulSet{}, svcChildFilter).
+		Watches(&corev1.Secret{}, svcChildFilter).
 		Complete(&ServiceReconciler{
-			ssr:    ssr,
-			Client: mgr.GetClient(),
-			logger: zlog.Named("service-reconciler"),
+			ssr:                   ssr,
+			Client:                mgr.GetClient(),
+			logger:                zlog.Named("service-reconciler"),
+			isDefaultLoadBalancer: isDefaultLoadBalancer,
 		})
 	if err != nil {
 		startlog.Fatalf("could not create controller: %v", err)
 	}
+	ingressChildFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("ingress"))
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&networkingv1.Ingress{}).
-		Watches(&appsv1.StatefulSet{}, reconcileFilter).
-		Watches(&corev1.Secret{}, reconcileFilter).
+		Watches(&appsv1.StatefulSet{}, ingressChildFilter).
+		Watches(&corev1.Secret{}, ingressChildFilter).
+		Watches(&corev1.Service{}, ingressChildFilter).
 		Complete(&IngressReconciler{
 			ssr:      ssr,
 			recorder: eventRecorder,
@@ -266,3 +259,54 @@ type tsClient interface {
 	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
 	DeleteDevice(ctx context.Context, nodeStableID string) error
 }
+
+func isManagedResource(o client.Object) bool {
+	ls := o.GetLabels()
+	return ls[LabelManaged] == "true"
+}
+
+func isManagedByType(o client.Object, typ string) bool {
+	ls := o.GetLabels()
+	return isManagedResource(o) && ls[LabelParentType] == typ
+}
+
+func parentFromObjectLabels(o client.Object) types.NamespacedName {
+	ls := o.GetLabels()
+	return types.NamespacedName{
+		Namespace: ls[LabelParentNamespace],
+		Name:      ls[LabelParentName],
+	}
+}
+func managedResourceHandlerForType(typ string) handler.MapFunc {
+	return func(_ context.Context, o client.Object) []reconcile.Request {
+		if !isManagedByType(o, typ) {
+			return nil
+		}
+		return []reconcile.Request{
+			{NamespacedName: parentFromObjectLabels(o)},
+		}
+	}
+
+}
+
+func serviceHandler(_ context.Context, o client.Object) []reconcile.Request {
+	if isManagedByType(o, "svc") {
+		// If this is a Service managed by a Service we want to enqueue its parent
+		return []reconcile.Request{{NamespacedName: parentFromObjectLabels(o)}}
+
+	}
+	if isManagedResource(o) {
+		// If this is a Servce managed by a resource that is not a Service, we leave it alone
+		return nil
+	}
+	// If this is not a managed Service we want to enqueue it
+	return []reconcile.Request{
+		{
+			NamespacedName: types.NamespacedName{
+				Namespace: o.GetNamespace(),
+				Name:      o.GetName(),
+			},
+		},
+	}
+
+}
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -7,6 +7,7 @@ package main

 import (
 	"context"
+	"fmt"
 	"strings"
 	"sync"
 	"testing"
@@ -80,6 +81,7 @@ func TestLoadBalancerClass(t *testing.T) {
 		}
 		s.Data["device_id"] = []byte("ts-id-1234")
 		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
+		s.Data["device_ips"] = []byte(`["100.99.98.97", "2c0a:8083:94d4:2012:3165:34a5:3616:5fdf"]`)
 	})
 	expectReconciled(t, sr, "default", "test")
 	want := &corev1.Service{
@@ -104,6 +106,9 @@ func TestLoadBalancerClass(t *testing.T) {
 					{
 						Hostname: "tailscale.device.name",
 					},
+					{
+						IP: "100.99.98.97",
+					},
 				},
 			},
 		},
@@ -149,6 +154,111 @@ func TestLoadBalancerClass(t *testing.T) {
 	}
 	expectEqual(t, fc, want)
 }
+func TestTailnetTargetIPAnnotation(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	tailnetTargetIP := "100.66.66.66"
+	sr := &ServiceReconciler{
+		Client: fc,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		logger: zl.Sugar(),
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+			Annotations: map[string]string{
+				AnnotationTailnetTargetIP: tailnetTargetIP,
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Type: corev1.ServiceTypeClusterIP,
+			Selector: map[string]string{
+				"foo": "bar",
+			},
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedEgressSTS(shortName, fullName, tailnetTargetIP, "default-test", ""))
+	want := &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test",
+			Namespace:  "default",
+			Finalizers: []string{"tailscale.com/finalizer"},
+			UID:        types.UID("1234-UID"),
+			Annotations: map[string]string{
+				AnnotationTailnetTargetIP: tailnetTargetIP,
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ExternalName: fmt.Sprintf("%s.operator-ns.svc.cluster.local", shortName),
+			Type:         corev1.ServiceTypeExternalName,
+			Selector:     nil,
+		},
+	}
+	expectEqual(t, fc, want)
+	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedEgressSTS(shortName, fullName, tailnetTargetIP, "default-test", ""))
+
+	// Change the tailscale-target-ip annotation which should update the
+	// StatefulSet
+	tailnetTargetIP = "100.77.77.77"
+	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+		s.ObjectMeta.Annotations = map[string]string{
+			AnnotationTailnetTargetIP: tailnetTargetIP,
+		}
+	})
+
+	// Remove the tailscale-target-ip annotation which should make the
+	// operator clean up
+	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+		s.ObjectMeta.Annotations = map[string]string{}
+	})
+	expectReconciled(t, sr, "default", "test")
+
+	// // synchronous StatefulSet deletion triggers a requeue. But, the StatefulSet
+	// // didn't create any child resources since this is all faked, so the
+	// // deletion goes through immediately.
+	expectReconciled(t, sr, "default", "test")
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	// // The deletion triggers another reconcile, to finish the cleanup.
+	expectReconciled(t, sr, "default", "test")
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
+
+	// At the moment we don't revert changes to the user created Service -
+	// we don't have a reliable way how to tell what it was before and also
+	// we don't really expect it to be re-used
+}

 func TestAnnotations(t *testing.T) {
 	fc := fake.NewFakeClient()
@@ -306,6 +416,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 		}
 		s.Data["device_id"] = []byte("ts-id-1234")
 		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
+		s.Data["device_ips"] = []byte(`["100.99.98.97", "2c0a:8083:94d4:2012:3165:34a5:3616:5fdf"]`)
 	})
 	expectReconciled(t, sr, "default", "test")
 	want := &corev1.Service{
@@ -364,6 +475,9 @@ func TestAnnotationIntoLB(t *testing.T) {
 					{
 						Hostname: "tailscale.device.name",
 					},
+					{
+						IP: "100.99.98.97",
+					},
 				},
 			},
 		},
@@ -425,6 +539,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 		}
 		s.Data["device_id"] = []byte("ts-id-1234")
 		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
+		s.Data["device_ips"] = []byte(`["100.99.98.97", "2c0a:8083:94d4:2012:3165:34a5:3616:5fdf"]`)
 	})
 	expectReconciled(t, sr, "default", "test")
 	want := &corev1.Service{
@@ -449,6 +564,9 @@ func TestLBIntoAnnotation(t *testing.T) {
 					{
 						Hostname: "tailscale.device.name",
 					},
+					{
+						IP: "100.99.98.97",
+					},
 				},
 			},
 		},
@@ -650,6 +768,52 @@ func TestCustomPriorityClassName(t *testing.T) {
 	expectEqual(t, fc, expectedSTS(shortName, fullName, "custom-priority-class-name", "tailscale-critical"))
 }

+func TestDefaultLoadBalancer(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client: fc,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		logger:                zl.Sugar(),
+		isDefaultLoadBalancer: true,
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeLoadBalancer,
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+}
+
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -723,8 +887,8 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations: map[string]string{
-						"tailscale.com/operator-last-set-hostname": hostname,
-						"tailscale.com/operator-last-set-ip":       "10.20.30.40",
+						"tailscale.com/operator-last-set-hostname":   hostname,
+						"tailscale.com/operator-last-set-cluster-ip": "10.20.30.40",
 					},
 					DeletionGracePeriodSeconds: ptr.To[int64](10),
 					Labels:                     map[string]string{"app": "1234-UID"},
@@ -767,6 +931,75 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 		},
 	}
 }
+func expectedEgressSTS(stsName, secretName, tailnetTargetIP, hostname, priorityClassName string) *appsv1.StatefulSet {
+	return &appsv1.StatefulSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "StatefulSet",
+			APIVersion: "apps/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      stsName,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "default",
+				"tailscale.com/parent-resource-type": "svc",
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: ptr.To[int32](1),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "1234-UID"},
+			},
+			ServiceName: stsName,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"tailscale.com/operator-last-set-hostname":             hostname,
+						"tailscale.com/operator-last-set-ts-tailnet-target-ip": tailnetTargetIP,
+					},
+					DeletionGracePeriodSeconds: ptr.To[int64](10),
+					Labels:                     map[string]string{"app": "1234-UID"},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "proxies",
+					PriorityClassName:  priorityClassName,
+					InitContainers: []corev1.Container{
+						{
+							Name:    "sysctler",
+							Image:   "busybox",
+							Command: []string{"/bin/sh"},
+							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: ptr.To(true),
+							},
+						},
+					},
+					Containers: []corev1.Container{
+						{
+							Name:  "tailscale",
+							Image: "tailscale/tailscale",
+							Env: []corev1.EnvVar{
+								{Name: "TS_USERSPACE", Value: "false"},
+								{Name: "TS_AUTH_ONCE", Value: "true"},
+								{Name: "TS_KUBE_SECRET", Value: secretName},
+								{Name: "TS_HOSTNAME", Value: hostname},
+								{Name: "TS_TAILNET_TARGET_IP", Value: tailnetTargetIP},
+							},
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Add: []corev1.Capability{"NET_ADMIN"},
+								},
+							},
+							ImagePullPolicy: "Always",
+						},
+					},
+				},
+			},
+		},
+	}
+}

 func findGenName(t *testing.T, client client.Client, ns, name string) (full, noSuffix string) {
 	t.Helper()
@@ -780,6 +1013,9 @@ func findGenName(t *testing.T, client client.Client, ns, name string) (full, noS
 	if err != nil {
 		t.Fatalf("finding secret for %q: %v", name, err)
 	}
+	if s == nil {
+		t.Fatalf("no secret found for %q", name)
+	}
 	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
 }

--- a/cmd/k8s-operator/proxy.go
+++ b/cmd/k8s-operator/proxy.go
@@ -25,6 +25,7 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/set"
 )

@@ -42,12 +43,54 @@ func addWhoIsToRequest(r *http.Request, who *apitype.WhoIsResponse) *http.Reques
 	return r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
 }

-// launchAuthProxy launches the auth proxy, which is a small HTTP server that
-// authenticates requests using the Tailscale LocalAPI and then proxies them to
-// the kube-apiserver.
-func launchAuthProxy(zlog *zap.SugaredLogger, restConfig *rest.Config, s *tsnet.Server) {
+var counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
+
+type apiServerProxyMode int
+
+const (
+	apiserverProxyModeDisabled apiServerProxyMode = iota
+	apiserverProxyModeEnabled
+	apiserverProxyModeNoAuth
+)
+
+func parseAPIProxyMode() apiServerProxyMode {
+	haveAuthProxyEnv := os.Getenv("AUTH_PROXY") != ""
+	haveAPIProxyEnv := os.Getenv("APISERVER_PROXY") != ""
+	switch {
+	case haveAPIProxyEnv && haveAuthProxyEnv:
+		log.Fatal("AUTH_PROXY and APISERVER_PROXY are mutually exclusive")
+	case haveAuthProxyEnv:
+		var authProxyEnv = defaultBool("AUTH_PROXY", false) // deprecated
+		if authProxyEnv {
+			return apiserverProxyModeEnabled
+		}
+		return apiserverProxyModeDisabled
+	case haveAPIProxyEnv:
+		var apiProxyEnv = defaultEnv("APISERVER_PROXY", "") // true, false or "noauth"
+		switch apiProxyEnv {
+		case "true":
+			return apiserverProxyModeEnabled
+		case "false", "":
+			return apiserverProxyModeDisabled
+		case "noauth":
+			return apiserverProxyModeNoAuth
+		default:
+			panic(fmt.Sprintf("unknown APISERVER_PROXY value %q", apiProxyEnv))
+		}
+	}
+	return apiserverProxyModeDisabled
+}
+
+// maybeLaunchAPIServerProxy launches the auth proxy, which is a small HTTP server
+// that authenticates requests using the Tailscale LocalAPI and then proxies
+// them to the kube-apiserver.
+func maybeLaunchAPIServerProxy(zlog *zap.SugaredLogger, restConfig *rest.Config, s *tsnet.Server) {
+	mode := parseAPIProxyMode()
+	if mode == apiserverProxyModeDisabled {
+		return
+	}
 	hostinfo.SetApp("k8s-operator-proxy")
-	startlog := zlog.Named("launchAuthProxy")
+	startlog := zlog.Named("launchAPIProxy")
 	cfg, err := restConfig.TransportConfig()
 	if err != nil {
 		startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
@@ -66,49 +109,60 @@ func launchAuthProxy(zlog *zap.SugaredLogger, restConfig *rest.Config, s *tsnet.
 	if err != nil {
 		startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
 	}
-	go runAuthProxy(s, rt, zlog.Named("auth-proxy").Infof)
+	go runAPIServerProxy(s, rt, zlog.Named("apiserver-proxy").Infof, mode)
 }

-// authProxy is an http.Handler that authenticates requests using the Tailscale
+// apiserverProxy is an http.Handler that authenticates requests using the Tailscale
 // LocalAPI and then proxies them to the Kubernetes API.
-type authProxy struct {
+type apiserverProxy struct {
 	logf logger.Logf
 	lc   *tailscale.LocalClient
 	rp   *httputil.ReverseProxy
 }

-func (h *authProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	who, err := h.lc.WhoIs(r.Context(), r.RemoteAddr)
 	if err != nil {
 		h.logf("failed to authenticate caller: %v", err)
 		http.Error(w, "failed to authenticate caller", http.StatusInternalServerError)
 		return
 	}
+	counterNumRequestsProxied.Add(1)
 	h.rp.ServeHTTP(w, addWhoIsToRequest(r, who))
 }

-// runAuthProxy runs an HTTP server that authenticates requests using the
+// runAPIServerProxy runs an HTTP server that authenticates requests using the
 // Tailscale LocalAPI and then proxies them to the Kubernetes API.
 // It listens on :443 and uses the Tailscale HTTPS certificate.
 // s will be started if it is not already running.
 // rt is used to proxy requests to the Kubernetes API.
 //
+// mode controls how the proxy behaves:
+//   - apiserverProxyModeDisabled: the proxy is not started.
+//   - apiserverProxyModeEnabled: the proxy is started and requests are impersonated using the
+//     caller's identity from the Tailscale LocalAPI.
+//   - apiserverProxyModeNoAuth: the proxy is started and requests are not impersonated and
+//     are passed through to the Kubernetes API.
+//
 // It never returns.
-func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
+func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf, mode apiServerProxyMode) {
+	if mode == apiserverProxyModeDisabled {
+		return
+	}
 	ln, err := s.Listen("tcp", ":443")
 	if err != nil {
 		log.Fatalf("could not listen on :443: %v", err)
 	}
 	u, err := url.Parse(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
 	if err != nil {
-		log.Fatalf("runAuthProxy: failed to parse URL %v", err)
+		log.Fatalf("runAPIServerProxy: failed to parse URL %v", err)
 	}

 	lc, err := s.LocalClient()
 	if err != nil {
 		log.Fatalf("could not get local client: %v", err)
 	}
-	ap := &authProxy{
+	ap := &apiserverProxy{
 		logf: logf,
 		lc:   lc,
 		rp: &httputil.ReverseProxy{
@@ -116,6 +170,12 @@ func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
 				// Replace the URL with the Kubernetes APIServer.
 				r.URL.Scheme = u.Scheme
 				r.URL.Host = u.Host
+				if mode == apiserverProxyModeNoAuth {
+					// If we are not providing authentication, then we are just
+					// proxying to the Kubernetes API, so we don't need to do
+					// anything else.
+					return
+				}

 				// We want to proxy to the Kubernetes API, but we want to use
 				// the caller's identity to do so. We do this by impersonating
@@ -153,7 +213,7 @@ func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
 		Handler:      ap,
 	}
 	if err := hs.ServeTLS(ln, "", ""); err != nil {
-		log.Fatalf("runAuthProxy: failed to serve %v", err)
+		log.Fatalf("runAPIServerProxy: failed to serve %v", err)
 	}
 }

@@ -173,7 +233,7 @@ type impersonateRule struct {

 // addImpersonationHeaders adds the appropriate headers to r to impersonate the
 // caller when proxying to the Kubernetes API. It uses the WhoIsResponse stashed
-// in the context by the authProxy.
+// in the context by the apiserverProxy.
 func addImpersonationHeaders(r *http.Request) error {
 	who := whoIsFromRequest(r)
 	rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, capabilityName)
--- a/cmd/k8s-operator/proxy_test.go
+++ b/cmd/k8s-operator/proxy_test.go
@@ -45,15 +45,15 @@ func TestImpersonationHeaders(t *testing.T) {
 			emailish: "foo@example.com",
 			capMap: tailcfg.PeerCapMap{
 				capabilityName: {
-					[]byte(`{"impersonate":{"groups":["group1","group2"]}}`),
-					[]byte(`{"impersonate":{"groups":["group1","group3"]}}`), // One group is duplicated.
-					[]byte(`{"impersonate":{"groups":["group4"]}}`),
-					[]byte(`{"impersonate":{"groups":["group2"]}}`), // duplicate
+					tailcfg.RawMessage(`{"impersonate":{"groups":["group1","group2"]}}`),
+					tailcfg.RawMessage(`{"impersonate":{"groups":["group1","group3"]}}`), // One group is duplicated.
+					tailcfg.RawMessage(`{"impersonate":{"groups":["group4"]}}`),
+					tailcfg.RawMessage(`{"impersonate":{"groups":["group2"]}}`), // duplicate

 					// These should be ignored, but should parse correctly.
-					[]byte(`{}`),
-					[]byte(`{"impersonate":{}}`),
-					[]byte(`{"impersonate":{"groups":[]}}`),
+					tailcfg.RawMessage(`{}`),
+					tailcfg.RawMessage(`{"impersonate":{}}`),
+					tailcfg.RawMessage(`{"impersonate":{"groups":[]}}`),
 				},
 			},
 			wantHeaders: http.Header{
@@ -67,7 +67,7 @@ func TestImpersonationHeaders(t *testing.T) {
 			tags:     []string{"tag:foo", "tag:bar"},
 			capMap: tailcfg.PeerCapMap{
 				capabilityName: {
-					[]byte(`{"impersonate":{"groups":["group1"]}}`),
+					tailcfg.RawMessage(`{"impersonate":{"groups":["group1"]}}`),
 				},
 			},
 			wantHeaders: http.Header{
@@ -81,7 +81,7 @@ func TestImpersonationHeaders(t *testing.T) {
 			tags:     []string{"tag:foo", "tag:bar"},
 			capMap: tailcfg.PeerCapMap{
 				capabilityName: {
-					[]byte(`[]`),
+					tailcfg.RawMessage(`[]`),
 				},
 			},
 			wantHeaders: http.Header{},
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -24,6 +24,7 @@ import (
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tsnet"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
@@ -38,17 +39,20 @@ const (
 	FinalizerName = "tailscale.com/finalizer"

 	// Annotations settable by users on services.
-	AnnotationExpose   = "tailscale.com/expose"
-	AnnotationTags     = "tailscale.com/tags"
-	AnnotationHostname = "tailscale.com/hostname"
+	AnnotationExpose             = "tailscale.com/expose"
+	AnnotationTags               = "tailscale.com/tags"
+	AnnotationHostname           = "tailscale.com/hostname"
+	annotationTailnetTargetIPOld = "tailscale.com/ts-tailnet-target-ip"
+	AnnotationTailnetTargetIP    = "tailscale.com/tailnet-ip"

 	// Annotations settable by users on ingresses.
 	AnnotationFunnel = "tailscale.com/funnel"

 	// Annotations set by the operator on pods to trigger restarts when the
 	// hostname or IP changes.
-	podAnnotationLastSetIP       = "tailscale.com/operator-last-set-ip"
-	podAnnotationLastSetHostname = "tailscale.com/operator-last-set-hostname"
+	podAnnotationLastSetClusterIP       = "tailscale.com/operator-last-set-cluster-ip"
+	podAnnotationLastSetHostname        = "tailscale.com/operator-last-set-hostname"
+	podAnnotationLastSetTailnetTargetIP = "tailscale.com/operator-last-set-ts-tailnet-target-ip"
 )

 type tailscaleSTSConfig struct {
@@ -57,7 +61,11 @@ type tailscaleSTSConfig struct {
 	ChildResourceLabels map[string]string

 	ServeConfig *ipn.ServeConfig
-	TargetIP    string
+	// Tailscale target in cluster we are setting up ingress for
+	ClusterTargetIP string
+
+	// Tailscale IP of a Tailscale service we are setting up egress for
+	TailnetTargetIP string

 	Hostname string
 	Tags     []string // if empty, use defaultTags
@@ -65,6 +73,7 @@ type tailscaleSTSConfig struct {

 type tailscaleSTSReconciler struct {
 	client.Client
+	tsnetServer            *tsnet.Server
 	tsClient               tsClient
 	defaultTags            []string
 	operatorNamespace      string
@@ -72,25 +81,30 @@ type tailscaleSTSReconciler struct {
 	proxyPriorityClassName string
 }

+// IsHTTPSEnabledOnTailnet reports whether HTTPS is enabled on the tailnet.
+func (a *tailscaleSTSReconciler) IsHTTPSEnabledOnTailnet() bool {
+	return len(a.tsnetServer.CertDomains()) > 0
+}
+
 // Provision ensures that the StatefulSet for the given service is running and
 // up to date.
-func (a *tailscaleSTSReconciler) Provision(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) error {
+func (a *tailscaleSTSReconciler) Provision(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) (*corev1.Service, error) {
 	// Do full reconcile.
 	hsvc, err := a.reconcileHeadlessService(ctx, logger, sts)
 	if err != nil {
-		return fmt.Errorf("failed to reconcile headless service: %w", err)
+		return nil, fmt.Errorf("failed to reconcile headless service: %w", err)
 	}

 	secretName, err := a.createOrGetSecret(ctx, logger, sts, hsvc)
 	if err != nil {
-		return fmt.Errorf("failed to create or get API key secret: %w", err)
+		return nil, fmt.Errorf("failed to create or get API key secret: %w", err)
 	}
 	_, err = a.reconcileSTS(ctx, logger, sts, hsvc, secretName)
 	if err != nil {
-		return fmt.Errorf("failed to reconcile statefulset: %w", err)
+		return nil, fmt.Errorf("failed to reconcile statefulset: %w", err)
 	}

-	return nil
+	return hsvc, nil
 }

 // Cleanup removes all resources associated that were created by Provision with
@@ -122,7 +136,7 @@ func (a *tailscaleSTSReconciler) Cleanup(ctx context.Context, logger *zap.Sugare
 		return false, nil
 	}

-	id, _, err := a.DeviceInfo(ctx, labels)
+	id, _, _, err := a.DeviceInfo(ctx, labels)
 	if err != nil {
 		return false, fmt.Errorf("getting device info: %w", err)
 	}
@@ -175,15 +189,15 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 			Labels:    stsC.ChildResourceLabels,
 		},
 	}
-	alreadyExists := false
+	var orig *corev1.Secret // unmodified copy of secret
 	if err := a.Get(ctx, client.ObjectKeyFromObject(secret), secret); err == nil {
 		logger.Debugf("secret %s/%s already exists", secret.GetNamespace(), secret.GetName())
-		alreadyExists = true
+		orig = secret.DeepCopy()
 	} else if !apierrors.IsNotFound(err) {
 		return "", err
 	}

-	if !alreadyExists {
+	if orig == nil {
 		// Secret doesn't exist yet, create one. Initially it contains
 		// only the Tailscale authkey, but once Tailscale starts it'll
 		// also store the daemon state.
@@ -218,8 +232,8 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		}
 		mak.Set(&secret.StringData, "serve-config", string(j))
 	}
-	if alreadyExists {
-		if err := a.Update(ctx, secret); err != nil {
+	if orig != nil {
+		if err := a.Patch(ctx, secret, client.MergeFrom(orig)); err != nil {
 			return "", err
 		}
 	} else {
@@ -232,25 +246,31 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *

 // DeviceInfo returns the device ID and hostname for the Tailscale device
 // associated with the given labels.
-func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map[string]string) (id tailcfg.StableNodeID, hostname string, err error) {
+func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map[string]string) (id tailcfg.StableNodeID, hostname string, ips []string, err error) {
 	sec, err := getSingleObject[corev1.Secret](ctx, a.Client, a.operatorNamespace, childLabels)
 	if err != nil {
-		return "", "", err
+		return "", "", nil, err
 	}
 	if sec == nil {
-		return "", "", nil
+		return "", "", nil, nil
 	}
 	id = tailcfg.StableNodeID(sec.Data["device_id"])
 	if id == "" {
-		return "", "", nil
+		return "", "", nil, nil
 	}
 	// Kubernetes chokes on well-formed FQDNs with the trailing dot, so we have
 	// to remove it.
 	hostname = strings.TrimSuffix(string(sec.Data["device_fqdn"]), ".")
 	if hostname == "" {
-		return "", "", nil
+		return "", "", nil, nil
 	}
-	return id, hostname, nil
+	if rawDeviceIPs, ok := sec.Data["device_ips"]; ok {
+		if err := json.Unmarshal(rawDeviceIPs, &ips); err != nil {
+			return "", "", nil, err
+		}
+	}
+
+	return id, hostname, ips, nil
 }

 func (a *tailscaleSTSReconciler) newAuthKey(ctx context.Context, tags []string) (string, error) {
@@ -299,11 +319,17 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			Name:  "TS_HOSTNAME",
 			Value: sts.Hostname,
 		})
-	if sts.TargetIP != "" {
+	if sts.ClusterTargetIP != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_DEST_IP",
-			Value: sts.TargetIP,
+			Value: sts.ClusterTargetIP,
 		})
+	} else if sts.TailnetTargetIP != "" {
+		container.Env = append(container.Env, corev1.EnvVar{
+			Name:  "TS_TAILNET_TARGET_IP",
+			Value: sts.TailnetTargetIP,
+		})
+
 	} else if sts.ServeConfig != nil {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_SERVE_CONFIG",
@@ -344,10 +370,13 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 	// container when the value changes. We do this by adding an annotation to
 	// the pod template that contains the last value we set.
 	ss.Spec.Template.Annotations = map[string]string{
-		"tailscale.com/operator-last-set-hostname": sts.Hostname,
+		podAnnotationLastSetHostname: sts.Hostname,
 	}
-	if sts.TargetIP != "" {
-		ss.Spec.Template.Annotations["tailscale.com/operator-last-set-ip"] = sts.TargetIP
+	if sts.ClusterTargetIP != "" {
+		ss.Spec.Template.Annotations[podAnnotationLastSetClusterIP] = sts.ClusterTargetIP
+	}
+	if sts.TailnetTargetIP != "" {
+		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetIP] = sts.TailnetTargetIP
 	}
 	ss.Spec.Template.Labels = map[string]string{
 		"app": sts.ParentResourceUID,
--- a/cmd/k8s-operator/svc.go
+++ b/cmd/k8s-operator/svc.go
@@ -8,22 +8,46 @@ package main
 import (
 	"context"
 	"fmt"
+	"net/netip"
+	"slices"
 	"strings"
+	"sync"

 	"go.uber.org/zap"
-	"golang.org/x/exp/slices"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/set"
 )

 type ServiceReconciler struct {
 	client.Client
-	ssr    *tailscaleSTSReconciler
-	logger *zap.SugaredLogger
+	ssr                   *tailscaleSTSReconciler
+	logger                *zap.SugaredLogger
+	isDefaultLoadBalancer bool
+
+	mu sync.Mutex // protects following
+
+	// managedIngressProxies is a set of all ingress proxies that we're
+	// currently managing. This is only used for metrics.
+	managedIngressProxies set.Slice[types.UID]
+	// managedEgressProxies is a set of all egress proxies that we're currently
+	// managing. This is only used for metrics.
+	managedEgressProxies set.Slice[types.UID]
 }

+var (
+	// gaugeEgressProxies tracks the number of egress proxies that we're
+	// currently managing.
+	gaugeEgressProxies = clientmetric.NewGauge("k8s_egress_proxies")
+	// gaugeIngressProxies tracks the number of ingress proxies that we're
+	// currently managing.
+	gaugeIngressProxies = clientmetric.NewGauge("k8s_ingress_proxies")
+)
+
 func childResourceLabels(name, ns, typ string) map[string]string {
 	// You might wonder why we're using owner references, since they seem to be
 	// built for exactly this. Unfortunately, Kubernetes does not support
@@ -53,8 +77,9 @@ func (a *ServiceReconciler) Reconcile(ctx context.Context, req reconcile.Request
 	} else if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to get svc: %w", err)
 	}
-	if !svc.DeletionTimestamp.IsZero() || !a.shouldExpose(svc) {
-		logger.Debugf("service is being deleted or should not be exposed, cleaning up")
+	targetIP := a.tailnetTargetAnnotation(svc)
+	if !svc.DeletionTimestamp.IsZero() || !a.shouldExpose(svc) && targetIP == "" {
+		logger.Debugf("service is being deleted or is (no longer) referring to Tailscale ingress/egress, ensuring any created resources are cleaned up")
 		return reconcile.Result{}, a.maybeCleanup(ctx, logger, svc)
 	}

@@ -69,6 +94,12 @@ func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 	ix := slices.Index(svc.Finalizers, FinalizerName)
 	if ix < 0 {
 		logger.Debugf("no finalizer, nothing to do")
+		a.mu.Lock()
+		defer a.mu.Unlock()
+		a.managedIngressProxies.Remove(svc.UID)
+		a.managedEgressProxies.Remove(svc.UID)
+		gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
+		gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
 		return nil
 	}

@@ -89,6 +120,13 @@ func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 	// cleanup removes the tailscale finalizer, which will make all future
 	// reconciles exit early.
 	logger.Infof("unexposed service from tailnet")
+
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.managedIngressProxies.Remove(svc.UID)
+	a.managedEgressProxies.Remove(svc.UID)
+	gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
+	gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
 	return nil
 }

@@ -123,22 +161,50 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 	sts := &tailscaleSTSConfig{
 		ParentResourceName:  svc.Name,
 		ParentResourceUID:   string(svc.UID),
-		TargetIP:            svc.Spec.ClusterIP,
 		Hostname:            hostname,
 		Tags:                tags,
 		ChildResourceLabels: crl,
 	}

-	if err := a.ssr.Provision(ctx, logger, sts); err != nil {
+	a.mu.Lock()
+	if a.shouldExpose(svc) {
+		sts.ClusterTargetIP = svc.Spec.ClusterIP
+		a.managedIngressProxies.Add(svc.UID)
+		gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
+	} else if ip := a.tailnetTargetAnnotation(svc); ip != "" {
+		sts.TailnetTargetIP = ip
+		a.managedEgressProxies.Add(svc.UID)
+		gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
+	}
+	a.mu.Unlock()
+
+	var hsvc *corev1.Service
+	if hsvc, err = a.ssr.Provision(ctx, logger, sts); err != nil {
 		return fmt.Errorf("failed to provision: %w", err)
 	}

+	if sts.TailnetTargetIP != "" {
+		// TODO (irbekrm): cluster.local is the default DNS name, but
+		// can be changed by users. Make this configurable or figure out
+		// how to discover the DNS name from within operator
+		headlessSvcName := hsvc.Name + "." + hsvc.Namespace + ".svc.cluster.local"
+		if svc.Spec.ExternalName != headlessSvcName || svc.Spec.Type != corev1.ServiceTypeExternalName {
+			svc.Spec.ExternalName = headlessSvcName
+			svc.Spec.Selector = nil
+			svc.Spec.Type = corev1.ServiceTypeExternalName
+			if err := a.Update(ctx, svc); err != nil {
+				return fmt.Errorf("failed to update service: %w", err)
+			}
+		}
+		return nil
+	}
+
 	if !a.hasLoadBalancerClass(svc) {
 		logger.Debugf("service is not a LoadBalancer, so not updating ingress")
 		return nil
 	}

-	_, tsHost, err := a.ssr.DeviceInfo(ctx, crl)
+	_, tsHost, tsIPs, err := a.ssr.DeviceInfo(ctx, crl)
 	if err != nil {
 		return fmt.Errorf("failed to get device ID: %w", err)
 	}
@@ -152,12 +218,24 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		return nil
 	}

-	logger.Debugf("setting ingress hostname to %q", tsHost)
-	svc.Status.LoadBalancer.Ingress = []corev1.LoadBalancerIngress{
-		{
-			Hostname: tsHost,
-		},
+	logger.Debugf("setting ingress to %q, %s", tsHost, strings.Join(tsIPs, ", "))
+	ingress := []corev1.LoadBalancerIngress{
+		{Hostname: tsHost},
 	}
+	clusterIPAddr, err := netip.ParseAddr(svc.Spec.ClusterIP)
+	if err != nil {
+		return fmt.Errorf("failed to parse cluster IP: %w", err)
+	}
+	for _, ip := range tsIPs {
+		addr, err := netip.ParseAddr(ip)
+		if err != nil {
+			continue
+		}
+		if addr.Is4() == clusterIPAddr.Is4() { // only add addresses of the same family
+			ingress = append(ingress, corev1.LoadBalancerIngress{IP: ip})
+		}
+	}
+	svc.Status.LoadBalancer.Ingress = ingress
 	if err := a.Status().Update(ctx, svc); err != nil {
 		return fmt.Errorf("failed to update service status: %w", err)
 	}
@@ -171,17 +249,32 @@ func (a *ServiceReconciler) shouldExpose(svc *corev1.Service) bool {
 		return false
 	}

-	return a.hasLoadBalancerClass(svc) || a.hasAnnotation(svc)
+	return a.hasLoadBalancerClass(svc) || a.hasExposeAnnotation(svc)
 }

 func (a *ServiceReconciler) hasLoadBalancerClass(svc *corev1.Service) bool {
 	return svc != nil &&
 		svc.Spec.Type == corev1.ServiceTypeLoadBalancer &&
-		svc.Spec.LoadBalancerClass != nil &&
-		*svc.Spec.LoadBalancerClass == "tailscale"
+		(svc.Spec.LoadBalancerClass != nil && *svc.Spec.LoadBalancerClass == "tailscale" ||
+			svc.Spec.LoadBalancerClass == nil && a.isDefaultLoadBalancer)
 }

-func (a *ServiceReconciler) hasAnnotation(svc *corev1.Service) bool {
-	return svc != nil &&
-		svc.Annotations[AnnotationExpose] == "true"
+// hasExposeAnnotation reports whether Service has the tailscale.com/expose
+// annotation set
+func (a *ServiceReconciler) hasExposeAnnotation(svc *corev1.Service) bool {
+	return svc != nil && svc.Annotations[AnnotationExpose] == "true"
+}
+
+// hasTailnetTargetAnnotation returns the value of tailscale.com/tailnet-ip
+// annotation or of the deprecated tailscale.com/ts-tailnet-target-ip
+// annotation. If neither is set, it returns an empty string. If both are set,
+// it returns the value of the new annotation.
+func (a *ServiceReconciler) tailnetTargetAnnotation(svc *corev1.Service) string {
+	if svc == nil {
+		return ""
+	}
+	if ip := svc.Annotations[AnnotationTailnetTargetIP]; ip != "" {
+		return ip
+	}
+	return svc.Annotations[annotationTailnetTargetIPOld]
 }
--- a/cmd/netlogfmt/main.go
+++ b/cmd/netlogfmt/main.go
@@ -42,6 +42,7 @@ import (

 	"github.com/dsnet/try"
 	jsonv2 "github.com/go-json-experiment/json"
+	"github.com/go-json-experiment/json/jsontext"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netlogtype"
 	"tailscale.com/util/cmpx"
@@ -75,13 +76,13 @@ func main() {

 func processStream(r io.Reader) (err error) {
 	defer try.Handle(&err)
-	dec := jsonv2.NewDecoder(os.Stdin)
+	dec := jsontext.NewDecoder(os.Stdin)
 	for {
 		processValue(dec)
 	}
 }

-func processValue(dec *jsonv2.Decoder) {
+func processValue(dec *jsontext.Decoder) {
 	switch dec.PeekKind() {
 	case '[':
 		processArray(dec)
@@ -92,7 +93,7 @@ func processValue(dec *jsonv2.Decoder) {
 	}
 }

-func processArray(dec *jsonv2.Decoder) {
+func processArray(dec *jsontext.Decoder) {
 	try.E1(dec.ReadToken()) // parse '['
 	for dec.PeekKind() != ']' {
 		processValue(dec)
@@ -100,7 +101,7 @@ func processArray(dec *jsonv2.Decoder) {
 	try.E1(dec.ReadToken()) // parse ']'
 }

-func processObject(dec *jsonv2.Decoder) {
+func processObject(dec *jsontext.Decoder) {
 	var hasTraffic bool
 	var rawMsg []byte
 	try.E1(dec.ReadToken()) // parse '{'
--- a/cmd/sniproxy/sniproxy.go
+++ b/cmd/sniproxy/sniproxy.go
@@ -16,10 +16,12 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/peterbourgon/ff/v3"
 	"golang.org/x/net/dns/dnsmessage"
 	"inet.af/tcpproxy"
 	"tailscale.com/client/tailscale"
@@ -32,14 +34,6 @@ import (
 	"tailscale.com/util/clientmetric"
 )

-var (
-	ports        = flag.String("ports", "443", "comma-separated list of ports to proxy")
-	forwards     = flag.String("forwards", "", "comma-separated list of ports to transparently forward, protocol/number/destination. For example, --forwards=tcp/22/github.com,tcp/5432/sql.example.com")
-	wgPort       = flag.Int("wg-listen-port", 0, "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	promoteHTTPS = flag.Bool("promote-https", true, "promote HTTP to HTTPS")
-	debugPort    = flag.Int("debug-port", 8080, "Listening port for debug/metrics endpoint")
-)
-
 var tsMBox = dnsmessage.MustNewName("support.tailscale.com.")

 // portForward is the state for a single port forwarding entry, as passed to the --forward flag.
@@ -74,7 +68,19 @@ func parseForward(value string) (*portForward, error) {
 }

 func main() {
-	flag.Parse()
+	fs := flag.NewFlagSet("sniproxy", flag.ContinueOnError)
+	var (
+		ports        = fs.String("ports", "443", "comma-separated list of ports to proxy")
+		forwards     = fs.String("forwards", "", "comma-separated list of ports to transparently forward, protocol/number/destination. For example, --forwards=tcp/22/github.com,tcp/5432/sql.example.com")
+		wgPort       = fs.Int("wg-listen-port", 0, "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+		promoteHTTPS = fs.Bool("promote-https", true, "promote HTTP to HTTPS")
+		debugPort    = fs.Int("debug-port", 8893, "Listening port for debug/metrics endpoint")
+	)
+
+	err := ff.Parse(fs, os.Args[1:], ff.WithEnvVarPrefix("TS_APPC"))
+	if err != nil {
+		log.Fatal("ff.Parse")
+	}
 	if *ports == "" {
 		log.Fatal("no ports")
 	}
@@ -126,7 +132,6 @@ func main() {
 		})

 		go s.forward(ln, forw)
-
 	}

 	ln, err := s.ts.Listen("udp", ":53")
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -121,7 +121,7 @@ change in the future.
 			ncCmd,
 			sshCmd,
 			funnelCmd(),
-			serveCmd,
+			serveCmd(),
 			versionCmd,
 			webCmd,
 			fileCmd,
@@ -130,6 +130,7 @@ change in the future.
 			netlockCmd,
 			licensesCmd,
 			exitNodeCmd,
+			updateCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
@@ -145,8 +146,6 @@ change in the future.
 	switch {
 	case slices.Contains(args, "debug"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
-	case slices.Contains(args, "update"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
 	}
 	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -21,6 +21,7 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstest"
+	"tailscale.com/types/logger"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
 	"tailscale.com/util/cmpx"
@@ -555,6 +556,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				NetfilterMode:    preftype.NetfilterOn,
 				CorpDNS:          true,
 				AllowSingleHosts: true,
+				AutoUpdate: ipn.AutoUpdatePrefs{
+					Check: true,
+					Apply: false,
+				},
 			},
 		},
 		{
@@ -568,6 +573,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				AllowSingleHosts: true,
 				RouteAll:         true,
 				NetfilterMode:    preftype.NetfilterOn,
+				AutoUpdate: ipn.AutoUpdatePrefs{
+					Check: true,
+					Apply: false,
+				},
 			},
 		},
 		{
@@ -583,6 +592,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 					netip.MustParsePrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterOn,
+				AutoUpdate: ipn.AutoUpdatePrefs{
+					Check: true,
+					Apply: false,
+				},
 			},
 		},
 		{
@@ -669,6 +682,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				WantRunning:   true,
 				NetfilterMode: preftype.NetfilterNoDivert,
 				NoSNAT:        true,
+				AutoUpdate: ipn.AutoUpdatePrefs{
+					Check: true,
+					Apply: false,
+				},
 			},
 		},
 		{
@@ -682,6 +699,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				WantRunning:   true,
 				NetfilterMode: preftype.NetfilterOff,
 				NoSNAT:        true,
+				AutoUpdate: ipn.AutoUpdatePrefs{
+					Check: true,
+					Apply: false,
+				},
 			},
 		},
 		{
@@ -697,6 +718,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				AdvertiseRoutes: []netip.Prefix{
 					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
 				},
+				AutoUpdate: ipn.AutoUpdatePrefs{
+					Check: true,
+					Apply: false,
+				},
 			},
 		},
 		{
@@ -1151,18 +1176,13 @@ func TestUpdatePrefs(t *testing.T) {
 				justEditMP.Prefs = ipn.Prefs{} // uninteresting
 			}
 			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", asJSON(oldEditPrefs))
+				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", logger.AsJSON(oldEditPrefs))
 				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
 			}
 		})
 	}
 }

-func asJSON(v any) string {
-	b, _ := json.MarshalIndent(v, "", "\t")
-	return string(b)
-}
-
 var cmpIP = cmp.Comparer(func(a, b netip.Addr) bool {
 	return a == b
 })
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -28,6 +28,7 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/net/http/httpproxy"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/hostinfo"
@@ -62,9 +63,10 @@ var debugCmd = &ffcli.Command{
 			ShortHelp: "print DERP map",
 		},
 		{
-			Name:      "component-logs",
-			Exec:      runDebugComponentLogs,
-			ShortHelp: "enable/disable debug logs for a component",
+			Name:       "component-logs",
+			Exec:       runDebugComponentLogs,
+			ShortHelp:  "enable/disable debug logs for a component",
+			ShortUsage: "tailscale debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("component-logs")
 				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
@@ -137,6 +139,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      localAPIAction("break-derp-conns"),
 			ShortHelp: "break any open DERP connections from the daemon",
 		},
+		{
+			Name:      "force-netmap-update",
+			Exec:      localAPIAction("force-netmap-update"),
+			ShortHelp: "force a full no-op netmap update (for load testing)",
+		},
+		{
+			Name:      "control-knobs",
+			Exec:      debugControlKnobs,
+			ShortHelp: "see current control knobs",
+		},
 		{
 			Name:      "prefs",
 			Exec:      runPrefs,
@@ -219,7 +231,9 @@ var debugCmd = &ffcli.Command{
 				fs := newFlagSet("portmap")
 				fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
 				fs.StringVar(&debugPortmapArgs.ty, "type", "", `portmap debug type (one of "", "pmp", "pcp", or "upnp")`)
-				fs.StringVar(&debugPortmapArgs.gwSelf, "gw-self", "", `override gateway and self IP (format: "gatewayIP/selfIP")`)
+				fs.StringVar(&debugPortmapArgs.gatewayAddr, "gateway-addr", "", `override gateway IP (must also pass --self-addr)`)
+				fs.StringVar(&debugPortmapArgs.selfAddr, "self-addr", "", `override self IP (must also pass --gateway-addr)`)
+				fs.BoolVar(&debugPortmapArgs.logHTTP, "log-http", false, `print all HTTP requests and responses to the log`)
 				return fs
 			})(),
 		},
@@ -711,7 +725,7 @@ var debugComponentLogsArgs struct {

 func runDebugComponentLogs(ctx context.Context, args []string) error {
 	if len(args) != 1 {
-		return errors.New("usage: debug component-logs <component>")
+		return errors.New("usage: debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]")
 	}
 	component := args[0]
 	dur := debugComponentLogsArgs.forDur
@@ -818,17 +832,34 @@ func runCapture(ctx context.Context, args []string) error {
 }

 var debugPortmapArgs struct {
-	duration time.Duration
-	gwSelf   string
-	ty       string
+	duration    time.Duration
+	gatewayAddr string
+	selfAddr    string
+	ty          string
+	logHTTP     bool
 }

 func debugPortmap(ctx context.Context, args []string) error {
-	rc, err := localClient.DebugPortmap(ctx,
-		debugPortmapArgs.duration,
-		debugPortmapArgs.ty,
-		debugPortmapArgs.gwSelf,
-	)
+	opts := &tailscale.DebugPortmapOpts{
+		Duration: debugPortmapArgs.duration,
+		Type:     debugPortmapArgs.ty,
+		LogHTTP:  debugPortmapArgs.logHTTP,
+	}
+	if (debugPortmapArgs.gatewayAddr != "") != (debugPortmapArgs.selfAddr != "") {
+		return fmt.Errorf("if one of --gateway-addr and --self-addr is provided, the other must be as well")
+	}
+	if debugPortmapArgs.gatewayAddr != "" {
+		var err error
+		opts.GatewayAddr, err = netip.ParseAddr(debugPortmapArgs.gatewayAddr)
+		if err != nil {
+			return fmt.Errorf("invalid --gateway-addr: %w", err)
+		}
+		opts.SelfAddr, err = netip.ParseAddr(debugPortmapArgs.selfAddr)
+		if err != nil {
+			return fmt.Errorf("invalid --self-addr: %w", err)
+		}
+	}
+	rc, err := localClient.DebugPortmap(ctx, opts)
 	if err != nil {
 		return err
 	}
@@ -895,3 +926,17 @@ func runPeerEndpointChanges(ctx context.Context, args []string) error {
 	fmt.Printf("%s", dst.String())
 	return nil
 }
+
+func debugControlKnobs(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		return errors.New("unexpected arguments")
+	}
+	v, err := localClient.DebugResultJSON(ctx, "control-knobs")
+	if err != nil {
+		return err
+	}
+	e := json.NewEncoder(os.Stdout)
+	e.SetIndent("", "  ")
+	e.Encode(v)
+	return nil
+}
--- a/cmd/tailscale/cli/funnel.go
+++ b/cmd/tailscale/cli/funnel.go
@@ -9,11 +9,11 @@ import (
 	"fmt"
 	"net"
 	"os"
-	"slices"
 	"strconv"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
@@ -25,8 +25,8 @@ var funnelCmd = func() *ffcli.Command {
 	// This flag is used to switch to an in-development
 	// implementation of the tailscale funnel command.
 	// See https://github.com/tailscale/tailscale/issues/7844
-	if os.Getenv("TAILSCALE_FUNNEL_DEV") == "on" {
-		return newFunnelDevCommand(se)
+	if envknob.UseWIPCode() {
+		return newServeDevCommand(se, funnel)
 	}
 	return newFunnelCommand(se)
 }
@@ -146,15 +146,13 @@ func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
 //
 // verifyFunnelEnabled may refresh the local state and modify the st input.
 func (e *serveEnv) verifyFunnelEnabled(ctx context.Context, st *ipnstate.Status, port uint16) error {
-	hasFunnelAttrs := func(attrs []string) bool {
-		hasHTTPS := slices.Contains(attrs, tailcfg.CapabilityHTTPS)
-		hasFunnel := slices.Contains(attrs, tailcfg.NodeAttrFunnel)
-		return hasHTTPS && hasFunnel
+	hasFunnelAttrs := func(selfNode *ipnstate.PeerStatus) bool {
+		return selfNode.HasCap(tailcfg.CapabilityHTTPS) && selfNode.HasCap(tailcfg.NodeAttrFunnel)
 	}
-	if hasFunnelAttrs(st.Self.Capabilities) {
+	if hasFunnelAttrs(st.Self) {
 		return nil // already enabled
 	}
-	enableErr := e.enableFeatureInteractive(ctx, "funnel", hasFunnelAttrs)
+	enableErr := e.enableFeatureInteractive(ctx, "funnel", tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel)
 	st, statusErr := e.getLocalClientStatusWithoutPeers(ctx) // get updated status; interactive flow may block
 	switch {
 	case statusErr != nil:
@@ -166,12 +164,12 @@ func (e *serveEnv) verifyFunnelEnabled(ctx context.Context, st *ipnstate.Status,
 		// the feature flag on.
 		// TODO(sonia,tailscale/corp#10577): Remove this fallback once the
 		// control flag is turned on for all domains.
-		if err := ipn.CheckFunnelAccess(port, st.Self.Capabilities); err != nil {
+		if err := ipn.CheckFunnelAccess(port, st.Self); err != nil {
 			return err
 		}
 	default:
 		// Done with enablement, make sure the requested port is allowed.
-		if err := ipn.CheckFunnelPort(port, st.Self.Capabilities); err != nil {
+		if err := ipn.CheckFunnelPort(port, st.Self); err != nil {
 			return err
 		}
 	}
--- a/cmd/tailscale/cli/funnel_dev.go
+++ b/cmd/tailscale/cli/funnel_dev.go
@@ -1,112 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"io"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn"
-)
-
-// newFunnelDevCommand returns a new "funnel" subcommand using e as its environment.
-// The funnel subcommand is used to turn on/off the Funnel service.
-// Funnel is off by default.
-// Funnel allows you to publish a 'tailscale serve' server publicly,
-// open to the entire internet.
-// newFunnelCommand shares the same serveEnv as the "serve" subcommand.
-// See newServeCommand and serve.go for more details.
-func newFunnelDevCommand(e *serveEnv) *ffcli.Command {
-	return &ffcli.Command{
-		Name:      "funnel",
-		ShortHelp: "Turn on/off Funnel service",
-		ShortUsage: strings.Join([]string{
-			"funnel <port>",
-			"funnel status [--json]",
-		}, "\n  "),
-		LongHelp: strings.Join([]string{
-			"Funnel allows you to expose your local",
-			"server publicly to the entire internet.",
-			"Note that it only supports https servers at this point.",
-			"This command is in development and is unsupported",
-		}, "\n"),
-		Exec:      e.runFunnelDev,
-		UsageFunc: usageFunc,
-		Subcommands: []*ffcli.Command{
-			{
-				Name:      "status",
-				Exec:      e.runServeStatus,
-				ShortHelp: "show current serve/Funnel status",
-				FlagSet: e.newFlags("funnel-status", func(fs *flag.FlagSet) {
-					fs.BoolVar(&e.json, "json", false, "output JSON")
-				}),
-				UsageFunc: usageFunc,
-			},
-		},
-	}
-}
-
-// runFunnelDev is the entry point for the "tailscale funnel" subcommand and
-// manages turning on/off Funnel. Funnel is off by default.
-//
-// Note: funnel is only supported on single DNS name for now. (2023-08-18)
-func (e *serveEnv) runFunnelDev(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return flag.ErrHelp
-	}
-	var source string
-	port64, err := strconv.ParseUint(args[0], 10, 16)
-	if err == nil {
-		source = fmt.Sprintf("http://127.0.0.1:%d", port64)
-	} else {
-		source, err = expandProxyTarget(args[0])
-	}
-	if err != nil {
-		return err
-	}
-
-	st, err := e.getLocalClientStatusWithoutPeers(ctx)
-	if err != nil {
-		return fmt.Errorf("getting client status: %w", err)
-	}
-
-	if err := e.verifyFunnelEnabled(ctx, st, 443); err != nil {
-		return err
-	}
-
-	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
-	hp := ipn.HostPort(dnsName + ":443") // TODO(marwan-at-work): support the 2 other ports
-
-	// In the streaming case, the process stays running in the
-	// foreground and prints out connections to the HostPort.
-	//
-	// The local backend handles updating the ServeConfig as
-	// necessary, then restores it to its original state once
-	// the process's context is closed or the client turns off
-	// Tailscale.
-	return e.streamServe(ctx, ipn.ServeStreamRequest{
-		HostPort:   hp,
-		Source:     source,
-		MountPoint: "/", // TODO(marwan-at-work): support multiple mount points
-	})
-}
-
-func (e *serveEnv) streamServe(ctx context.Context, req ipn.ServeStreamRequest) error {
-	stream, err := e.lc.StreamServe(ctx, req)
-	if err != nil {
-		return err
-	}
-	defer stream.Close()
-
-	fmt.Fprintf(os.Stderr, "Funnel started on \"https://%s\".\n", strings.TrimSuffix(string(req.HostPort), ":443"))
-	fmt.Fprintf(os.Stderr, "Press Ctrl-C to stop Funnel.\n\n")
-	_, err = io.Copy(os.Stdout, stream)
-	return err
-}
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -53,7 +53,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		return err
 	}
 	c := &netcheck.Client{
-		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil),
+		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil, nil),
 		UseDNSCache: false, // always resolve, don't cache
 	}
 	if netcheckArgs.verbose {
@@ -153,7 +153,11 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	if len(report.RegionLatency) == 0 {
 		printf("\t* Nearest DERP: unknown (no response to latency probes)\n")
 	} else {
-		printf("\t* Nearest DERP: %v\n", dm.Regions[report.PreferredDERP].RegionName)
+		if report.PreferredDERP != 0 {
+			printf("\t* Nearest DERP: %v\n", dm.Regions[report.PreferredDERP].RegionName)
+		} else {
+			printf("\t* Nearest DERP: [none]\n")
+		}
 		printf("\t* DERP latency:\n")
 		var rids []int
 		for rid := range dm.Regions {
--- a/cmd/tailscale/cli/serve.go
+++ b/cmd/tailscale/cli/serve.go
@@ -18,13 +18,13 @@ import (
 	"path/filepath"
 	"reflect"
 	"runtime"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
@@ -32,7 +32,16 @@ import (
 	"tailscale.com/version"
 )

-var serveCmd = newServeCommand(&serveEnv{lc: &localClient})
+var serveCmd = func() *ffcli.Command {
+	se := &serveEnv{lc: &localClient}
+	// This flag is used to switch to an in-development
+	// implementation of the tailscale funnel command.
+	// See https://github.com/tailscale/tailscale/issues/7844
+	if envknob.UseWIPCode() {
+		return newServeDevCommand(se, serve)
+	}
+	return newServeCommand(se)
+}

 // newServeCommand returns a new "serve" subcommand using e as its environment.
 func newServeCommand(e *serveEnv) *ffcli.Command {
@@ -110,6 +119,10 @@ EXAMPLES
 	}
 }

+// errHelp is standard error text that prompts users to
+// run `serve --help` for information on how to use serve.
+var errHelp = errors.New("try `tailscale serve --help` for usage info")
+
 func (e *serveEnv) newFlags(name string, setup func(fs *flag.FlagSet)) *flag.FlagSet {
 	onError, out := flag.ExitOnError, Stderr
 	if e.testFlagOut != nil {
@@ -135,7 +148,6 @@ type localServeClient interface {
 	QueryFeature(ctx context.Context, feature string) (*tailcfg.QueryFeatureResponse, error)
 	WatchIPNBus(ctx context.Context, mask ipn.NotifyWatchOpt) (*tailscale.IPNBusWatcher, error)
 	IncrementCounter(ctx context.Context, name string, delta int) error
-	StreamServe(ctx context.Context, req ipn.ServeStreamRequest) (io.ReadCloser, error) // TODO: testing :)
 }

 // serveEnv is the environment the serve command runs within. All I/O should be
@@ -145,9 +157,18 @@ type localServeClient interface {
 //
 // It also contains the flags, as registered with newServeCommand.
 type serveEnv struct {
-	// flags
+	// v1 flags
 	json bool // output JSON (status only for now)

+	// v2 specific flags
+	bg               bool      // background mode
+	setPath          string    // serve path
+	https            string    // HTTP port
+	http             string    // HTTP port
+	tcp              string    // TCP port
+	tlsTerminatedTCP string    // a TLS terminated TCP port
+	subcmd           serveMode // subcommand
+
 	lc localServeClient // localClient interface, specific to serve

 	// optional stuff for tests:
@@ -234,7 +255,7 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {

 	if len(args) < 2 || ((srcType == "https" || srcType == "http") && !turnOff && len(args) < 3) {
 		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
-		return flag.ErrHelp
+		return errHelp
 	}

 	if srcType == "https" && !turnOff {
@@ -247,9 +268,7 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		// on, enableFeatureInteractive will error. For now, we hide that
 		// error and maintain the previous behavior (prior to 2023-08-15)
 		// of letting them edit the serve config before enabling certs.
-		e.enableFeatureInteractive(ctx, "serve", func(caps []string) bool {
-			return slices.Contains(caps, tailcfg.CapabilityHTTPS)
-		})
+		e.enableFeatureInteractive(ctx, "serve", tailcfg.CapabilityHTTPS)
 	}

 	srcPort, err := parseServePort(srcPortStr)
@@ -276,7 +295,7 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid serve type %q\n", srcType)
 		fmt.Fprint(os.Stderr, "must be one of: http:<port>, https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
-		return flag.ErrHelp
+		return errHelp
 	}
 }

@@ -312,13 +331,13 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 		}
 		if !filepath.IsAbs(source) {
 			fmt.Fprintf(os.Stderr, "error: path must be absolute\n\n")
-			return flag.ErrHelp
+			return errHelp
 		}
 		source = filepath.Clean(source)
 		fi, err := os.Stat(source)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "error: invalid path: %v\n\n", err)
-			return flag.ErrHelp
+			return errHelp
 		}
 		if fi.IsDir() && !strings.HasSuffix(mount, "/") {
 			// dir mount points must end in /
@@ -344,7 +363,7 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo

 	if sc.IsTCPForwardingOnPort(srvPort) {
 		fmt.Fprintf(os.Stderr, "error: cannot serve web; already serving TCP\n")
-		return flag.ErrHelp
+		return errHelp
 	}

 	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
@@ -532,18 +551,18 @@ func (e *serveEnv) handleTCPServe(ctx context.Context, srcType string, srcPort u
 		terminateTLS = true
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q\n\n", dest)
-		return flag.ErrHelp
+		return errHelp
 	}

 	dstURL, err := url.Parse(dest)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q: %v\n\n", dest, err)
-		return flag.ErrHelp
+		return errHelp
 	}
 	host, dstPortStr, err := net.SplitHostPort(dstURL.Host)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q: %v\n\n", dest, err)
-		return flag.ErrHelp
+		return errHelp
 	}

 	switch host {
@@ -552,12 +571,12 @@ func (e *serveEnv) handleTCPServe(ctx context.Context, srcType string, srcPort u
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q\n", dest)
 		fmt.Fprint(os.Stderr, "must be one of: localhost or 127.0.0.1\n\n", dest)
-		return flag.ErrHelp
+		return errHelp
 	}

 	if p, err := strconv.ParseUint(dstPortStr, 10, 16); p == 0 || err != nil {
 		fmt.Fprintf(os.Stderr, "error: invalid port %q\n\n", dstPortStr)
-		return flag.ErrHelp
+		return errHelp
 	}

 	cursc, err := e.lc.GetServeConfig(ctx)
@@ -807,7 +826,7 @@ func parseServePort(s string) (uint16, error) {
 //
 // 2023-08-09: The only valid feature values are "serve" and "funnel".
 // This can be moved to some CLI lib when expanded past serve/funnel.
-func (e *serveEnv) enableFeatureInteractive(ctx context.Context, feature string, hasRequiredCapabilities func(caps []string) bool) (err error) {
+func (e *serveEnv) enableFeatureInteractive(ctx context.Context, feature string, caps ...tailcfg.NodeCapability) (err error) {
 	info, err := e.lc.QueryFeature(ctx, feature)
 	if err != nil {
 		return err
@@ -853,7 +872,16 @@ func (e *serveEnv) enableFeatureInteractive(ctx context.Context, feature string,
 			return err
 		}
 		if nm := n.NetMap; nm != nil && nm.SelfNode.Valid() {
-			if hasRequiredCapabilities(nm.SelfNode.Capabilities().AsSlice()) {
+			gotAll := true
+			for _, c := range caps {
+				if !nm.SelfNode.HasCap(c) {
+					// The feature is not yet enabled.
+					// Continue blocking until it is.
+					gotAll = false
+					break
+				}
+			}
+			if gotAll {
 				e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enabled", feature), 1)
 				fmt.Fprintln(os.Stdout, "Success.")
 				return nil
--- a/cmd/tailscale/cli/serve_dev.go
+++ b/cmd/tailscale/cli/serve_dev.go
@@ -0,0 +1,810 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/url"
+	"os"
+	"os/signal"
+	"path"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/mak"
+	"tailscale.com/version"
+)
+
+type execFunc func(ctx context.Context, args []string) error
+
+type commandInfo struct {
+	Name      string
+	ShortHelp string
+	LongHelp  string
+}
+
+var serveHelpCommon = strings.TrimSpace(`
+<target> can be a port number (e.g., 3000), a partial URL (e.g., localhost:3000), or a
+full URL including a path (e.g., http://localhost:3000/foo, https+insecure://localhost:3000/foo).
+
+EXAMPLES
+  - Mount a local web server at 127.0.0.1:3000 in the foreground:
+    $ tailscale %s localhost:3000
+
+  - Mount a local web server at 127.0.0.1:3000 in the background:
+    $ tailscale %s --bg localhost:3000
+
+For more examples and use cases visit our docs site https://tailscale.com/kb/1247/funnel-serve-use-cases
+`)
+
+type serveMode int
+
+const (
+	serve serveMode = iota
+	funnel
+)
+
+type serveType int
+
+const (
+	serveTypeHTTPS serveType = iota
+	serveTypeHTTP
+	serveTypeTCP
+	serveTypeTLSTerminatedTCP
+)
+
+var infoMap = map[serveMode]commandInfo{
+	serve: {
+		Name:      "serve",
+		ShortHelp: "Serve content and local servers on your tailnet",
+		LongHelp: strings.Join([]string{
+			"Serve enables you to share a local server securely within your tailnet.\n",
+			"To share a local server on the internet, use `tailscale funnel`\n\n",
+		}, "\n"),
+	},
+	funnel: {
+		Name:      "funnel",
+		ShortHelp: "Serve content and local servers on the internet",
+		LongHelp: strings.Join([]string{
+			"Funnel enables you to share a local server on the internet using Tailscale.\n",
+			"To share only within your tailnet, use `tailscale serve`\n\n",
+		}, "\n"),
+	},
+}
+
+func buildShortUsage(subcmd string) string {
+	return strings.Join([]string{
+		subcmd + " [flags] <target> [off]",
+		subcmd + " status [--json]",
+		subcmd + " reset",
+	}, "\n  ")
+}
+
+// newServeDevCommand returns a new "serve" subcommand using e as its environment.
+func newServeDevCommand(e *serveEnv, subcmd serveMode) *ffcli.Command {
+	if subcmd != serve && subcmd != funnel {
+		log.Fatalf("newServeDevCommand called with unknown subcmd %q", subcmd)
+	}
+
+	info := infoMap[subcmd]
+
+	return &ffcli.Command{
+		Name:      info.Name,
+		ShortHelp: info.ShortHelp,
+		ShortUsage: strings.Join([]string{
+			fmt.Sprintf("%s <target>", info.Name),
+			fmt.Sprintf("%s status [--json]", info.Name),
+			fmt.Sprintf("%s reset", info.Name),
+		}, "\n  "),
+		LongHelp: info.LongHelp + fmt.Sprintf(strings.TrimSpace(serveHelpCommon), info.Name, info.Name),
+		Exec:     e.runServeCombined(subcmd),
+
+		FlagSet: e.newFlags("serve-set", func(fs *flag.FlagSet) {
+			fs.BoolVar(&e.bg, "bg", false, "run the command in the background")
+			fs.StringVar(&e.setPath, "set-path", "", "set a path for a specific target and run in the background")
+			fs.StringVar(&e.https, "https", "", "default; HTTPS listener")
+			fs.StringVar(&e.http, "http", "", "HTTP listener")
+			fs.StringVar(&e.tcp, "tcp", "", "TCP listener")
+			fs.StringVar(&e.tlsTerminatedTCP, "tls-terminated-tcp", "", "TLS terminated TCP listener")
+
+		}),
+		UsageFunc: usageFunc,
+		Subcommands: []*ffcli.Command{
+			{
+				Name:      "status",
+				Exec:      e.runServeStatus,
+				ShortHelp: "view current proxy configuration",
+				FlagSet: e.newFlags("serve-status", func(fs *flag.FlagSet) {
+					fs.BoolVar(&e.json, "json", false, "output JSON")
+				}),
+				UsageFunc: usageFunc,
+			},
+			{
+				Name:      "reset",
+				ShortHelp: "reset current serve/funnel config",
+				Exec:      e.runServeReset,
+				FlagSet:   e.newFlags("serve-reset", nil),
+				UsageFunc: usageFunc,
+			},
+		},
+	}
+}
+
+func validateArgs(subcmd serveMode, args []string) error {
+	switch len(args) {
+	case 0:
+		return flag.ErrHelp
+	case 1, 2:
+		if isLegacyInvocation(subcmd, args) {
+			fmt.Fprintf(os.Stderr, "error: the CLI for serve and funnel has changed.")
+			fmt.Fprintf(os.Stderr, "Please see https://tailscale.com/kb/1242/tailscale-serve for more information.")
+			return errHelp
+		}
+	default:
+		fmt.Fprintf(os.Stderr, "error: invalid number of arguments (%d)", len(args))
+		return errHelp
+	}
+	return nil
+}
+
+// runServeCombined is the entry point for the "tailscale {serve,funnel}" commands.
+func (e *serveEnv) runServeCombined(subcmd serveMode) execFunc {
+	e.subcmd = subcmd
+
+	return func(ctx context.Context, args []string) error {
+		if err := validateArgs(subcmd, args); err != nil {
+			return err
+		}
+
+		ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
+		defer cancel()
+
+		st, err := e.getLocalClientStatusWithoutPeers(ctx)
+		if err != nil {
+			return fmt.Errorf("getting client status: %w", err)
+		}
+
+		funnel := subcmd == funnel
+		if funnel {
+			// verify node has funnel capabilities
+			if err := e.verifyFunnelEnabled(ctx, st, 443); err != nil {
+				return err
+			}
+		}
+
+		mount, err := cleanURLPath(e.setPath)
+		if err != nil {
+			return fmt.Errorf("failed to clean the mount point: %w", err)
+		}
+
+		if e.setPath != "" {
+			// TODO(marwan-at-work): either
+			// 1. Warn the user that this is a side effect.
+			// 2. Force the user to pass --bg
+			// 3. Allow set-path to be in the foreground.
+			e.bg = true
+		}
+
+		srvType, srvPort, err := srvTypeAndPortFromFlags(e)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n\n", err)
+			return errHelp
+		}
+
+		sc, err := e.lc.GetServeConfig(ctx)
+		if err != nil {
+			return fmt.Errorf("error getting serve config: %w", err)
+		}
+
+		// nil if no config
+		if sc == nil {
+			sc = new(ipn.ServeConfig)
+		}
+		dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
+
+		// set parent serve config to always be persisted
+		// at the top level, but a nested config might be
+		// the one that gets manipulated depending on
+		// foreground or background.
+		parentSC := sc
+
+		turnOff := "off" == args[len(args)-1]
+		if !turnOff && srvType == serveTypeHTTPS {
+			// Running serve with https requires that the tailnet has enabled
+			// https cert provisioning. Send users through an interactive flow
+			// to enable this if not already done.
+			//
+			// TODO(sonia,tailscale/corp#10577): The interactive feature flow
+			// is behind a control flag. If the tailnet doesn't have the flag
+			// on, enableFeatureInteractive will error. For now, we hide that
+			// error and maintain the previous behavior (prior to 2023-08-15)
+			// of letting them edit the serve config before enabling certs.
+			if err := e.enableFeatureInteractive(ctx, "serve", tailcfg.CapabilityHTTPS); err != nil {
+				return fmt.Errorf("error enabling https feature: %w", err)
+			}
+		}
+
+		var watcher *tailscale.IPNBusWatcher
+		if !e.bg && !turnOff {
+			// if foreground mode, create a WatchIPNBus session
+			// and use the nested config for all following operations
+			// TODO(marwan-at-work): nested-config validations should happen here or previous to this point.
+			watcher, err = e.lc.WatchIPNBus(ctx, ipn.NotifyInitialState)
+			if err != nil {
+				return err
+			}
+			defer watcher.Close()
+			n, err := watcher.Next()
+			if err != nil {
+				return err
+			}
+			if n.SessionID == "" {
+				return errors.New("missing SessionID")
+			}
+			fsc := &ipn.ServeConfig{}
+			mak.Set(&sc.Foreground, n.SessionID, fsc)
+			sc = fsc
+		}
+
+		var msg string
+		if turnOff {
+			err = e.unsetServe(sc, dnsName, srvType, srvPort, mount)
+		} else {
+			if err := e.validateConfig(parentSC, srvPort, srvType); err != nil {
+				return err
+			}
+			err = e.setServe(sc, st, dnsName, srvType, srvPort, mount, args[0], funnel)
+			msg = e.messageForPort(sc, st, dnsName, srvPort)
+		}
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n\n", err)
+			return errHelp
+		}
+
+		if err := e.lc.SetServeConfig(ctx, parentSC); err != nil {
+			if tailscale.IsPreconditionsFailedError(err) {
+				fmt.Fprintln(os.Stderr, "Another client is changing the serve config; please try again.")
+			}
+			return err
+		}
+
+		if msg != "" {
+			fmt.Fprintln(os.Stderr, msg)
+		}
+
+		if watcher != nil {
+			for {
+				_, err = watcher.Next()
+				if err != nil {
+					if errors.Is(err, io.EOF) || errors.Is(err, context.Canceled) {
+						return nil
+					}
+					return err
+				}
+			}
+		}
+
+		return nil
+	}
+}
+
+func (e *serveEnv) validateConfig(sc *ipn.ServeConfig, port uint16, wantServe serveType) error {
+	sc, isFg := findConfig(sc, port)
+	if sc == nil {
+		return nil
+	}
+	if isFg {
+		return errors.New("foreground already exists under this port")
+	}
+	if !e.bg {
+		return errors.New("background serve already exists under this port")
+	}
+	existingServe := serveFromPortHandler(sc.TCP[port])
+	if wantServe != existingServe {
+		return fmt.Errorf("want %q but port is already serving %q", wantServe, existingServe)
+	}
+	return nil
+}
+
+func serveFromPortHandler(tcp *ipn.TCPPortHandler) serveType {
+	switch {
+	case tcp.HTTP:
+		return serveTypeHTTP
+	case tcp.HTTPS:
+		return serveTypeHTTPS
+	case tcp.TerminateTLS != "":
+		return serveTypeTLSTerminatedTCP
+	case tcp.TCPForward != "":
+		return serveTypeTCP
+	default:
+		return -1
+	}
+}
+
+// findConfig finds a config that contains the given port, which can be
+// the top level background config or an inner foreground one. The second
+// result is true if it's foreground
+func findConfig(sc *ipn.ServeConfig, port uint16) (*ipn.ServeConfig, bool) {
+	if sc == nil {
+		return nil, false
+	}
+	if _, ok := sc.TCP[port]; ok {
+		return sc, false
+	}
+	for _, sc := range sc.Foreground {
+		if _, ok := sc.TCP[port]; ok {
+			return sc, true
+		}
+	}
+	return nil, false
+}
+
+func (e *serveEnv) setServe(sc *ipn.ServeConfig, st *ipnstate.Status, dnsName string, srvType serveType, srvPort uint16, mount string, target string, allowFunnel bool) error {
+	// update serve config based on the type
+	switch srvType {
+	case serveTypeHTTPS, serveTypeHTTP:
+		useTLS := srvType == serveTypeHTTPS
+		err := e.applyWebServe(sc, dnsName, srvPort, useTLS, mount, target)
+		if err != nil {
+			return fmt.Errorf("failed apply web serve: %w", err)
+		}
+	case serveTypeTCP, serveTypeTLSTerminatedTCP:
+		err := e.applyTCPServe(sc, dnsName, srvType, srvPort, target)
+		if err != nil {
+			return fmt.Errorf("failed to apply TCP serve: %w", err)
+		}
+	default:
+		return fmt.Errorf("invalid type %q", srvType)
+	}
+
+	// update the serve config based on if funnel is enabled
+	e.applyFunnel(sc, dnsName, srvPort, allowFunnel)
+
+	return nil
+}
+
+// messageForPort returns a message for the given port based on the
+// serve config and status.
+func (e *serveEnv) messageForPort(sc *ipn.ServeConfig, st *ipnstate.Status, dnsName string, srvPort uint16) string {
+	var output strings.Builder
+
+	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
+
+	if sc.AllowFunnel[hp] == true {
+		output.WriteString("Available on the internet:\n")
+	} else {
+		output.WriteString("Available within your tailnet:\n")
+	}
+
+	scheme := "https"
+	if sc.IsServingHTTP(srvPort) {
+		scheme = "http"
+	}
+
+	portPart := ":" + fmt.Sprint(srvPort)
+	if scheme == "http" && srvPort == 80 ||
+		scheme == "https" && srvPort == 443 {
+		portPart = ""
+	}
+
+	output.WriteString(fmt.Sprintf("%s://%s%s\n\n", scheme, dnsName, portPart))
+
+	if !e.bg {
+		output.WriteString("Press Ctrl+C to exit.")
+		return output.String()
+	}
+
+	srvTypeAndDesc := func(h *ipn.HTTPHandler) (string, string) {
+		switch {
+		case h.Path != "":
+			return "path", h.Path
+		case h.Proxy != "":
+			return "proxy", h.Proxy
+		case h.Text != "":
+			return "text", "\"" + elipticallyTruncate(h.Text, 20) + "\""
+		}
+		return "", ""
+	}
+
+	if sc.Web[hp] != nil {
+		var mounts []string
+
+		for k := range sc.Web[hp].Handlers {
+			mounts = append(mounts, k)
+		}
+		sort.Slice(mounts, func(i, j int) bool {
+			return len(mounts[i]) < len(mounts[j])
+		})
+		maxLen := len(mounts[len(mounts)-1])
+
+		for _, m := range mounts {
+			h := sc.Web[hp].Handlers[m]
+			t, d := srvTypeAndDesc(h)
+			output.WriteString(fmt.Sprintf("%s %s%s %-5s %s\n", "|--", m, strings.Repeat(" ", maxLen-len(m)), t, d))
+		}
+	} else if sc.TCP[srvPort] != nil {
+		h := sc.TCP[srvPort]
+
+		tlsStatus := "TLS over TCP"
+		if h.TerminateTLS != "" {
+			tlsStatus = "TLS terminated"
+		}
+
+		output.WriteString(fmt.Sprintf("|-- tcp://%s (%s)\n", hp, tlsStatus))
+		for _, a := range st.TailscaleIPs {
+			ipp := net.JoinHostPort(a.String(), strconv.Itoa(int(srvPort)))
+			output.WriteString(fmt.Sprintf("|-- tcp://%s\n", ipp))
+		}
+		output.WriteString(fmt.Sprintf("|--> tcp://%s\n", h.TCPForward))
+	}
+
+	output.WriteString("\nServe started and running in the background.\n")
+	output.WriteString(fmt.Sprintf("To disable the proxy, run: tailscale %s off", infoMap[e.subcmd].Name))
+
+	return output.String()
+}
+
+func (e *serveEnv) applyWebServe(sc *ipn.ServeConfig, dnsName string, srvPort uint16, useTLS bool, mount, target string) error {
+	h := new(ipn.HTTPHandler)
+
+	switch {
+	case strings.HasPrefix(target, "text:"):
+		text := strings.TrimPrefix(target, "text:")
+		if text == "" {
+			return errors.New("unable to serve; text cannot be an empty string")
+		}
+		h.Text = text
+	case filepath.IsAbs(target):
+		if version.IsSandboxedMacOS() {
+			// don't allow path serving for now on macOS (2022-11-15)
+			return errors.New("path serving is not supported if sandboxed on macOS")
+		}
+
+		target = filepath.Clean(target)
+		fi, err := os.Stat(target)
+		if err != nil {
+			return errors.New("invalid path")
+		}
+
+		// TODO: need to understand this further
+		if fi.IsDir() && !strings.HasSuffix(mount, "/") {
+			// dir mount points must end in /
+			// for relative file links to work
+			mount += "/"
+		}
+		h.Path = target
+	default:
+		t, err := expandProxyTargetDev(target)
+		if err != nil {
+			return err
+		}
+		h.Proxy = t
+	}
+
+	// TODO: validation needs to check nested foreground configs
+	if sc.IsTCPForwardingOnPort(srvPort) {
+		return errors.New("cannot serve web; already serving TCP")
+	}
+
+	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
+
+	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
+	if _, ok := sc.Web[hp]; !ok {
+		mak.Set(&sc.Web, hp, new(ipn.WebServerConfig))
+	}
+	mak.Set(&sc.Web[hp].Handlers, mount, h)
+
+	// TODO: handle multiple web handlers from foreground mode
+	for k, v := range sc.Web[hp].Handlers {
+		if v == h {
+			continue
+		}
+		// If the new mount point ends in / and another mount point
+		// shares the same prefix, remove the other handler.
+		// (e.g. /foo/ overwrites /foo)
+		// The opposite example is also handled.
+		m1 := strings.TrimSuffix(mount, "/")
+		m2 := strings.TrimSuffix(k, "/")
+		if m1 == m2 {
+			delete(sc.Web[hp].Handlers, k)
+		}
+	}
+
+	return nil
+}
+
+func (e *serveEnv) applyTCPServe(sc *ipn.ServeConfig, dnsName string, srcType serveType, srcPort uint16, target string) error {
+	var terminateTLS bool
+	switch srcType {
+	case serveTypeTCP:
+		terminateTLS = false
+	case serveTypeTLSTerminatedTCP:
+		terminateTLS = true
+	default:
+		return fmt.Errorf("invalid TCP target %q", target)
+	}
+
+	dstURL, err := url.Parse(target)
+	if err != nil {
+		return fmt.Errorf("invalid TCP target %q: %v", target, err)
+	}
+	host, dstPortStr, err := net.SplitHostPort(dstURL.Host)
+	if err != nil {
+		return fmt.Errorf("invalid TCP target %q: %v", target, err)
+	}
+
+	switch host {
+	case "localhost", "127.0.0.1":
+		// ok
+	default:
+		return fmt.Errorf("invalid TCP target %q, must be one of localhost or 127.0.0.1", target)
+	}
+
+	if p, err := strconv.ParseUint(dstPortStr, 10, 16); p == 0 || err != nil {
+		return fmt.Errorf("invalid port %q", dstPortStr)
+	}
+
+	fwdAddr := "127.0.0.1:" + dstPortStr
+
+	// TODO: needs to account for multiple configs from foreground mode
+	if sc.IsServingWeb(srcPort) {
+		return fmt.Errorf("cannot serve TCP; already serving web on %d", srcPort)
+	}
+
+	mak.Set(&sc.TCP, srcPort, &ipn.TCPPortHandler{TCPForward: fwdAddr})
+
+	if terminateTLS {
+		sc.TCP[srcPort].TerminateTLS = dnsName
+	}
+
+	return nil
+}
+
+func (e *serveEnv) applyFunnel(sc *ipn.ServeConfig, dnsName string, srvPort uint16, allowFunnel bool) {
+	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
+
+	// TODO: Should we return an error? Should not be possible.
+	// nil if no config
+	if sc == nil {
+		sc = new(ipn.ServeConfig)
+	}
+
+	// TODO: should ensure there is no other conflicting funnel
+	// TODO: add error handling for if toggling for existing sc
+	if allowFunnel {
+		mak.Set(&sc.AllowFunnel, hp, true)
+	}
+}
+
+// unsetServe removes the serve config for the given serve port.
+func (e *serveEnv) unsetServe(sc *ipn.ServeConfig, dnsName string, srvType serveType, srvPort uint16, mount string) error {
+	switch srvType {
+	case serveTypeHTTPS, serveTypeHTTP:
+		err := e.removeWebServe(sc, dnsName, srvPort, mount)
+		if err != nil {
+			return fmt.Errorf("failed to remove web serve: %w", err)
+		}
+	case serveTypeTCP, serveTypeTLSTerminatedTCP:
+		err := e.removeTCPServe(sc, srvPort)
+		if err != nil {
+			return fmt.Errorf("failed to remove TCP serve: %w", err)
+		}
+	default:
+		return fmt.Errorf("invalid type %q", srvType)
+	}
+
+	// TODO(tylersmalley): remove funnel
+
+	return nil
+}
+
+func srvTypeAndPortFromFlags(e *serveEnv) (srvType serveType, srvPort uint16, err error) {
+	sourceMap := map[serveType]string{
+		serveTypeHTTP:             e.http,
+		serveTypeHTTPS:            e.https,
+		serveTypeTCP:              e.tcp,
+		serveTypeTLSTerminatedTCP: e.tlsTerminatedTCP,
+	}
+
+	var srcTypeCount int
+	var srcValue string
+
+	for k, v := range sourceMap {
+		if v != "" {
+			srcTypeCount++
+			srvType = k
+			srcValue = v
+		}
+	}
+
+	if srcTypeCount > 1 {
+		return 0, 0, fmt.Errorf("cannot serve multiple types for a single mount point")
+	} else if srcTypeCount == 0 {
+		srvType = serveTypeHTTPS
+		srcValue = "443"
+	}
+
+	srvPort, err = parseServePort(srcValue)
+	if err != nil {
+		return 0, 0, fmt.Errorf("invalid port %q: %w", srcValue, err)
+	}
+
+	return srvType, srvPort, nil
+}
+
+func isLegacyInvocation(subcmd serveMode, args []string) bool {
+	if subcmd == serve && len(args) == 2 {
+		prefixes := []string{"http", "https", "tcp", "tls-terminated-tcp"}
+
+		for _, prefix := range prefixes {
+			if strings.HasPrefix(args[0], prefix) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+// removeWebServe removes a web handler from the serve config
+// and removes funnel if no remaining mounts exist for the serve port.
+// The srvPort argument is the serving port and the mount argument is
+// the mount point or registered path to remove.
+func (e *serveEnv) removeWebServe(sc *ipn.ServeConfig, dnsName string, srvPort uint16, mount string) error {
+	if sc.IsTCPForwardingOnPort(srvPort) {
+		return errors.New("cannot remove web handler; currently serving TCP")
+	}
+
+	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
+	if !sc.WebHandlerExists(hp, mount) {
+		return errors.New("error: handler does not exist")
+	}
+
+	// delete existing handler, then cascade delete if empty
+	delete(sc.Web[hp].Handlers, mount)
+	if len(sc.Web[hp].Handlers) == 0 {
+		delete(sc.Web, hp)
+		delete(sc.TCP, srvPort)
+	}
+
+	// clear empty maps mostly for testing
+	if len(sc.Web) == 0 {
+		sc.Web = nil
+	}
+
+	if len(sc.TCP) == 0 {
+		sc.TCP = nil
+	}
+
+	// disable funnel if no remaining mounts exist for the serve port
+	if sc.Web == nil && sc.TCP == nil {
+		delete(sc.AllowFunnel, hp)
+	}
+
+	return nil
+}
+
+// removeTCPServe removes the TCP forwarding configuration for the
+// given srvPort, or serving port.
+func (e *serveEnv) removeTCPServe(sc *ipn.ServeConfig, src uint16) error {
+	if sc == nil {
+		return nil
+	}
+	if sc.GetTCPPortHandler(src) == nil {
+		return errors.New("error: serve config does not exist")
+	}
+	if sc.IsServingWeb(src) {
+		return fmt.Errorf("unable to remove; serving web, not TCP forwarding on serve port %d", src)
+	}
+	delete(sc.TCP, src)
+	// clear map mostly for testing
+	if len(sc.TCP) == 0 {
+		sc.TCP = nil
+	}
+	return nil
+}
+
+// expandProxyTargetDev expands the supported target values to be proxied
+// allowing for input values to be a port number, a partial URL, or a full URL
+// including a path.
+//
+// examples:
+//   - 3000
+//   - localhost:3000
+//   - http://localhost:3000
+//   - https://localhost:3000
+//   - https-insecure://localhost:3000
+//   - https-insecure://localhost:3000/foo
+func expandProxyTargetDev(target string) (string, error) {
+	var (
+		scheme = "http"
+		host   = "127.0.0.1"
+	)
+
+	// support target being a port number
+	if port, err := strconv.ParseUint(target, 10, 16); err == nil {
+		return fmt.Sprintf("%s://%s:%d", scheme, host, port), nil
+	}
+
+	// prepend scheme if not present
+	if !strings.Contains(target, "://") {
+		target = scheme + "://" + target
+	}
+
+	// make sure we can parse the target
+	u, err := url.ParseRequestURI(target)
+	if err != nil {
+		return "", fmt.Errorf("invalid URL %w", err)
+	}
+
+	// ensure a supported scheme
+	switch u.Scheme {
+	case "http", "https", "https+insecure":
+	default:
+		return "", errors.New("must be a URL starting with http://, https://, or https+insecure://")
+	}
+
+	// validate the port
+	port, err := strconv.ParseUint(u.Port(), 10, 16)
+	if err != nil || port == 0 {
+		return "", fmt.Errorf("invalid port %q", u.Port())
+	}
+
+	// validate the host.
+	switch u.Hostname() {
+	case "localhost", "127.0.0.1":
+		u.Host = fmt.Sprintf("%s:%d", host, port)
+	default:
+		return "", errors.New("only localhost or 127.0.0.1 proxies are currently supported")
+	}
+
+	return u.String(), nil
+}
+
+// cleanURLPath ensures the path is clean and has a leading "/".
+func cleanURLPath(urlPath string) (string, error) {
+	if urlPath == "" {
+		return "/", nil
+	}
+
+	// TODO(tylersmalley) verify still needed with path being a flag
+	urlPath = cleanMinGWPathConversionIfNeeded(urlPath)
+	if !strings.HasPrefix(urlPath, "/") {
+		urlPath = "/" + urlPath
+	}
+
+	c := path.Clean(urlPath)
+	if urlPath == c || urlPath == c+"/" {
+		return urlPath, nil
+	}
+	return "", fmt.Errorf("invalid mount point %q", urlPath)
+}
+
+func (s serveType) String() string {
+	switch s {
+	case serveTypeHTTP:
+		return "http"
+	case serveTypeHTTPS:
+		return "https"
+	case serveTypeTCP:
+		return "tcp"
+	case serveTypeTLSTerminatedTCP:
+		return "tls-terminated-tcp"
+	default:
+		return "unknownServeType"
+	}
+}
--- a/cmd/tailscale/cli/serve_dev_test.go
+++ b/cmd/tailscale/cli/serve_dev_test.go
--- a/cmd/tailscale/cli/serve_test.go
+++ b/cmd/tailscale/cli/serve_test.go
@@ -9,7 +9,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"io"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -22,6 +21,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/logger"
 )

 func TestCleanMountPoint(t *testing.T) {
@@ -338,19 +338,19 @@ func TestServeConfigMutations(t *testing.T) {
 	add(step{reset: true})
 	add(step{ // must include scheme for tcp
 		command: cmd("tls-terminated-tcp:443 localhost:5432"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
+		wantErr: exactErr(errHelp, "errHelp"),
 	})
 	add(step{ // !somehost, must be localhost or 127.0.0.1
 		command: cmd("tls-terminated-tcp:443 tcp://somehost:5432"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
+		wantErr: exactErr(errHelp, "errHelp"),
 	})
 	add(step{ // bad target port, too low
 		command: cmd("tls-terminated-tcp:443 tcp://somehost:0"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
+		wantErr: exactErr(errHelp, "errHelp"),
 	})
 	add(step{ // bad target port, too high
 		command: cmd("tls-terminated-tcp:443 tcp://somehost:65536"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
+		wantErr: exactErr(errHelp, "errHelp"),
 	})
 	add(step{
 		command: cmd("tls-terminated-tcp:443 tcp://localhost:5432"),
@@ -471,7 +471,7 @@ func TestServeConfigMutations(t *testing.T) {
 	})
 	add(step{ // bad path
 		command: cmd("https:443 / bad/path"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
+		wantErr: exactErr(errHelp, "errHelp"),
 	})
 	add(step{reset: true})
 	add(step{
@@ -665,7 +665,7 @@ func TestServeConfigMutations(t *testing.T) {
 	})
 	add(step{ // try to start a web handler on the same port
 		command: cmd("https:443 / localhost:3000"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
+		wantErr: exactErr(errHelp, "errHelp"),
 	})
 	add(step{reset: true})
 	add(step{ // start a web handler on port 443
@@ -737,8 +737,8 @@ func TestServeConfigMutations(t *testing.T) {
 			got = lc.config
 		}
 		if !reflect.DeepEqual(got, st.want) {
-			t.Fatalf("[%d] %v: bad state. got:\n%s\n\nwant:\n%s\n",
-				i, st.command, asJSON(got), asJSON(st.want))
+			t.Fatalf("[%d] %v: bad state. got:\n%v\n\nwant:\n%v\n",
+				i, st.command, logger.AsJSON(got), logger.AsJSON(st.want))
 			// NOTE: asJSON will omit empty fields, which might make
 			// result in bad state got/want diffs being the same, even
 			// though the actual state is different. Use below to debug:
@@ -763,7 +763,7 @@ func TestVerifyFunnelEnabled(t *testing.T) {
 		// queryFeatureResponse is the mock response desired from the
 		// call made to lc.QueryFeature by verifyFunnelEnabled.
 		queryFeatureResponse mockQueryFeatureResponse
-		caps                 []string // optionally set at fakeStatus.Capabilities
+		caps                 []tailcfg.NodeCapability // optionally set at fakeStatus.Capabilities
 		wantErr              string
 		wantPanic            string
 	}{
@@ -780,13 +780,13 @@ func TestVerifyFunnelEnabled(t *testing.T) {
 		{
 			name:                 "fallback-flow-missing-acl-rule",
 			queryFeatureResponse: mockQueryFeatureResponse{resp: nil, err: errors.New("not-allowed")},
-			caps:                 []string{tailcfg.CapabilityHTTPS},
+			caps:                 []tailcfg.NodeCapability{tailcfg.CapabilityHTTPS},
 			wantErr:              `Funnel not available; "funnel" node attribute not set. See https://tailscale.com/s/no-funnel.`,
 		},
 		{
 			name:                 "fallback-flow-enabled",
 			queryFeatureResponse: mockQueryFeatureResponse{resp: nil, err: errors.New("not-allowed")},
-			caps:                 []string{tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel},
+			caps:                 []tailcfg.NodeCapability{tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel},
 			wantErr:              "", // no error, success
 		},
 		{
@@ -858,7 +858,7 @@ var fakeStatus = &ipnstate.Status{
 	BackendState: ipn.Running.String(),
 	Self: &ipnstate.PeerStatus{
 		DNSName:      "foo.test.ts.net",
-		Capabilities: []string{tailcfg.NodeAttrFunnel, tailcfg.CapabilityFunnelPorts + "?ports=443,8443"},
+		Capabilities: []tailcfg.NodeCapability{tailcfg.NodeAttrFunnel, tailcfg.CapabilityFunnelPorts + "?ports=443,8443"},
 	},
 }

@@ -901,11 +901,6 @@ func (lc *fakeLocalServeClient) IncrementCounter(ctx context.Context, name strin
 	return nil // unused in tests
 }

-func (lc *fakeLocalServeClient) StreamServe(ctx context.Context, req ipn.ServeStreamRequest) (io.ReadCloser, error) {
-	// TODO: testing :)
-	return nil, nil
-}
-
 // exactError returns an error checker that wants exactly the provided want error.
 // If optName is non-empty, it's used in the error message.
 func exactErr(want error, optName ...string) func(error) string {
--- a/cmd/tailscale/cli/set.go
+++ b/cmd/tailscale/cli/set.go
@@ -11,6 +11,7 @@ import (
 	"net/netip"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/clientupdate"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsaddr"
@@ -46,6 +47,8 @@ type setArgsT struct {
 	acceptedRisks          string
 	profileName            string
 	forceDaemon            bool
+	updateCheck            bool
+	updateApply            bool
 }

 func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
@@ -61,6 +64,8 @@ func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
 	setf.StringVar(&setArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
 	setf.StringVar(&setArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\") or empty string to not advertise routes")
 	setf.BoolVar(&setArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
+	setf.BoolVar(&setArgs.updateCheck, "update-check", true, "HIDDEN: notify about available Tailscale updates")
+	setf.BoolVar(&setArgs.updateApply, "auto-update", false, "HIDDEN: automatically update to the latest available version")
 	if safesocket.GOOSUsesPeerCreds(goos) {
 		setf.StringVar(&setArgs.opUser, "operator", "", "Unix username to allow to operate on tailscaled without sudo")
 	}
@@ -99,6 +104,10 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 			Hostname:               setArgs.hostname,
 			OperatorUser:           setArgs.opUser,
 			ForceDaemon:            setArgs.forceDaemon,
+			AutoUpdate: ipn.AutoUpdatePrefs{
+				Check: setArgs.updateCheck,
+				Apply: setArgs.updateApply,
+			},
 		},
 	}

@@ -143,6 +152,12 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 			return err
 		}
 	}
+	if maskedPrefs.AutoUpdateSet {
+		_, err := clientupdate.NewUpdater(clientupdate.Arguments{})
+		if errors.Is(err, errors.ErrUnsupported) {
+			return errors.New("automatic updates are not supported on this platform")
+		}
+	}
 	checkPrefs := curPrefs.Clone()
 	checkPrefs.ApplyEdits(maskedPrefs)
 	if err := localClient.CheckPrefs(ctx, checkPrefs); err != nil {
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -25,6 +25,7 @@ import (
 	"tailscale.com/net/interfaces"
 	"tailscale.com/util/cmpx"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/version"
 )

 var statusCmd = &ffcli.Command{
@@ -236,6 +237,9 @@ func runStatus(ctx context.Context, args []string) error {
 		printHealth()
 	}
 	printFunnelStatus(ctx)
+	if cv := st.ClientVersion; cv != nil && !cv.RunningLatest && cv.LatestVersion != "" {
+		printf("# Update available: %v -> %v, run `tailscale update` or `tailscale set --auto-update` to update.\n", version.Short(), cv.LatestVersion)
+	}
 	return nil
 }

--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -97,6 +97,8 @@ func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 	}
 	upf := newFlagSet(cmd)

+	// When adding new flags, prefer to put them under "tailscale set" instead
+	// of here. Setting preferences via "tailscale up" is deprecated.
 	upf.BoolVar(&upArgs.qr, "qr", false, "show QR code for login URLs")
 	upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)

@@ -497,6 +499,7 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 	startLoginInteractive := func() { loginOnce.Do(func() { localClient.StartLoginInteractive(ctx) }) }

 	go func() {
+		var cv *tailcfg.ClientVersion
 		for {
 			n, err := watcher.Next()
 			if err != nil {
@@ -507,6 +510,9 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 				msg := *n.ErrMessage
 				fatalf("backend error: %v\n", msg)
 			}
+			if n.ClientVersion != nil {
+				cv = n.ClientVersion
+			}
 			if s := n.State; s != nil {
 				switch *s {
 				case ipn.NeedsLogin:
@@ -525,6 +531,11 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 					} else if printed {
 						// Only need to print an update if we printed the "please click" message earlier.
 						fmt.Fprintf(Stderr, "Success.\n")
+						if cv != nil && !cv.RunningLatest && cv.LatestVersion != "" {
+							fmt.Fprintf(Stderr, "\nUpdate available: %v -> %v\n", version.Short(), cv.LatestVersion)
+							fmt.Fprintln(Stderr, "Changelog: https://tailscale.com/changelog/#client")
+							fmt.Fprintln(Stderr, "Run `tailscale update` or `tailscale set --auto-update` to update")
+						}
 					}
 					select {
 					case running <- true:
@@ -712,6 +723,8 @@ func init() {
 	addPrefFlagMapping("operator", "OperatorUser")
 	addPrefFlagMapping("ssh", "RunSSH")
 	addPrefFlagMapping("nickname", "ProfileName")
+	addPrefFlagMapping("update-check", "AutoUpdate")
+	addPrefFlagMapping("auto-update", "AutoUpdate")
 }

 func addPrefFlagMapping(flagName string, prefNames ...string) {
--- a/cmd/tailscale/cli/update.go
+++ b/cmd/tailscale/cli/update.go
@@ -60,7 +60,7 @@ func runUpdate(ctx context.Context, args []string) error {
 	if updateArgs.track != "" {
 		ver = updateArgs.track
 	}
-	err := clientupdate.Update(clientupdate.UpdateArgs{
+	err := clientupdate.Update(clientupdate.Arguments{
 		Version:  ver,
 		AppStore: updateArgs.appStore,
 		Logf:     func(format string, args ...any) { fmt.Printf(format+"\n", args...) },
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -39,6 +39,7 @@ Tailscale, as opposed to a CLI or a native app.
 		webf.StringVar(&webArgs.listen, "listen", "localhost:8088", "listen address; use port 0 for automatic")
 		webf.BoolVar(&webArgs.cgi, "cgi", false, "run as CGI script")
 		webf.BoolVar(&webArgs.dev, "dev", false, "run web client in developer mode [this flag is in development, use is unsupported]")
+		webf.StringVar(&webArgs.prefix, "prefix", "", "URL prefix added to requests (for cgi or reverse proxies)")
 		return webf
 	})(),
 	Exec: runWeb,
@@ -48,6 +49,7 @@ var webArgs struct {
 	listen string
 	cgi    bool
 	dev    bool
+	prefix string
 }

 func tlsConfigFromEnvironment() *tls.Config {
@@ -81,6 +83,7 @@ func runWeb(ctx context.Context, args []string) error {
 	webServer, cleanup := web.NewServer(ctx, web.ServerOpts{
 		DevMode:     webArgs.dev,
 		CGIMode:     webArgs.cgi,
+		PathPrefix:  webArgs.prefix,
 		LocalClient: &localClient,
 	})
 	defer cleanup()
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -11,10 +11,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
+   L    github.com/coreos/go-systemd/v22/dbus                        from tailscale.com/clientupdate
   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil/authenticode+
   W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/winutil/authenticode
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
+   L 💣 github.com/godbus/dbus/v5                                    from github.com/coreos/go-systemd/v22/dbus
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header
   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
@@ -24,7 +27,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/google/uuid                                       from tailscale.com/util/quarantine+
        github.com/gorilla/csrf                                      from tailscale.com/client/web
        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
@@ -40,6 +43,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
+        github.com/peterbourgon/ff/v3/internal                       from github.com/peterbourgon/ff/v3
        github.com/pkg/errors                                        from github.com/gorilla/csrf
        github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
        github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
@@ -51,6 +55,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
+        github.com/tailscale/web-client-prebuilt                     from tailscale.com/client/web
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
@@ -60,6 +65,22 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        go4.org/netipx                                               from tailscale.com/wgengine/filter+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        gopkg.in/yaml.v2                                             from sigs.k8s.io/yaml
+        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip+
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
+     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
+        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
+        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
+     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
+        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/tcpip/header                           from tailscale.com/net/packet
+        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header
+        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
        k8s.io/client-go/util/homedir                                from tailscale.com/cmd/tailscale/cli
        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
@@ -73,6 +94,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/client/tailscale/apitype                       from tailscale.com/cmd/tailscale/cli+
        tailscale.com/client/web                                     from tailscale.com/cmd/tailscale/cli
        tailscale.com/clientupdate                                   from tailscale.com/cmd/tailscale/cli
+        tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
        tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp
        tailscale.com/control/controlhttp                            from tailscale.com/cmd/tailscale/cli
@@ -199,11 +221,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
        golang.org/x/time/rate                                       from tailscale.com/cmd/tailscale/cli+
+        archive/tar                                                  from tailscale.com/clientupdate
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
        cmp                                                          from slices
        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from net/http
+        compress/gzip                                                from net/http+
        compress/zlib                                                from image/png+
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
@@ -251,7 +274,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        hash/crc32                                                   from compress/gzip+
        hash/maphash                                                 from go4.org/mem
        html                                                         from tailscale.com/ipn/ipnstate+
-        html/template                                                from tailscale.com/client/web+
+        html/template                                                from github.com/gorilla/csrf
        image                                                        from github.com/skip2/go-qrcode+
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -34,7 +34,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/aws-sdk-go-v2/credentials/stscreds            from github.com/aws/aws-sdk-go-v2/config
   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds                from github.com/aws/aws-sdk-go-v2/config+
   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config from github.com/aws/aws-sdk-go-v2/feature/ec2/imds
+   L    github.com/aws/aws-sdk-go-v2/internal/auth                   from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
   L    github.com/aws/aws-sdk-go-v2/internal/configsources          from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn   from github.com/aws/aws-sdk-go-v2/service/ssm+
   L    github.com/aws/aws-sdk-go-v2/internal/endpoints/v2           from github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints+
   L    github.com/aws/aws-sdk-go-v2/internal/ini                    from github.com/aws/aws-sdk-go-v2/config
   L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
@@ -65,6 +67,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/encoding/httpbinding                from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm+
   L    github.com/aws/smithy-go/encoding/xml                        from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/smithy-go/endpoints                           from github.com/aws/aws-sdk-go-v2/service/ssm+
   L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
   L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
   L    github.com/aws/smithy-go/logging                             from github.com/aws/aws-sdk-go-v2/aws+
@@ -76,6 +79,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
+   L    github.com/coreos/go-systemd/v22/dbus                        from tailscale.com/clientupdate
  LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com+
   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled+
@@ -94,8 +98,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/google/nftables/expr                              from github.com/google/nftables+
   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
-        github.com/google/uuid                                       from tailscale.com/ipn/ipnlocal
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
+        github.com/google/uuid                                       from tailscale.com/clientupdate
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
   L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
@@ -166,14 +170,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 golang.zx2c4.com/wintun                                      from github.com/tailscale/wireguard-go/tun+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/dns+
        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/bufferv2
-     💣 gvisor.dev/gvisor/pkg/bufferv2                               from gvisor.dev/gvisor/pkg/tcpip+
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip+
        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
-        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/bufferv2+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/buffer+
     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
@@ -181,7 +185,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 gvisor.dev/gvisor/pkg/sync/locking                           from gvisor.dev/gvisor/pkg/tcpip/stack
        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/bufferv2+
+        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/buffer+
        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -216,6 +220,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
        tailscale.com/client/tailscale                               from tailscale.com/derp
        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/clientupdate                                   from tailscale.com/ipn/ipnlocal
+        tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
        tailscale.com/cmd/tailscaled/childproc                       from tailscale.com/ssh/tailssh+
        tailscale.com/control/controlbase                            from tailscale.com/control/controlclient+
        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
@@ -232,13 +238,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
        tailscale.com/ipn                                            from tailscale.com/ipn/ipnlocal+
-     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnserver+
+     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ssh/tailssh+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
        tailscale.com/ipn/ipnstate                                   from tailscale.com/control/controlclient+
        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
-        tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/ipn/store                                      from tailscale.com/ipn/ipnlocal+
   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
   L    tailscale.com/ipn/store/kubestore                            from tailscale.com/ipn/store
        tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/store+
@@ -286,11 +292,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
        tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
     💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
+        tailscale.com/proxymap                                       from tailscale.com/tsd+
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
-        tailscale.com/smallzstd                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/smallzstd                                      from tailscale.com/control/controlclient+
  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
+        tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal
     💣 tailscale.com/tempfork/device                                from tailscale.com/net/tstun/table
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
@@ -302,7 +310,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled
        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
-        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
+        tailscale.com/types/empty                                    from tailscale.com/ipn+
        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/control/controlbase+
@@ -312,7 +320,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/netlogtype                               from tailscale.com/net/connstats+
        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock+
-        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
+        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
@@ -334,22 +342,25 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns+
        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/must                                      from tailscale.com/logpolicy
+        tailscale.com/util/must                                      from tailscale.com/logpolicy+
     💣 tailscale.com/util/osdiag                                    from tailscale.com/cmd/tailscaled+
   W 💣 tailscale.com/util/osdiag/internal/wsc                       from tailscale.com/util/osdiag
        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnauth
+        tailscale.com/util/race                                      from tailscale.com/net/dns/resolver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
+        tailscale.com/util/rands                                     from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/ringbuffer                                from tailscale.com/wgengine/magicsock
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
+   W    tailscale.com/util/syspolicy                                 from tailscale.com/cmd/tailscaled
        tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/testenv                                   from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
     💣 tailscale.com/util/winutil                                   from tailscale.com/control/controlclient+
-   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/util/osdiag
+   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/util/osdiag+
   W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
        tailscale.com/version                                        from tailscale.com/derp+
        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
@@ -383,7 +394,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
        golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
-        golang.org/x/exp/maps                                        from tailscale.com/wgengine/magicsock
+        golang.org/x/exp/maps                                        from tailscale.com/wgengine/magicsock+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -411,6 +422,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
        golang.org/x/time/rate                                       from gvisor.dev/gvisor/pkg/tcpip/stack+
+        archive/tar                                                  from tailscale.com/clientupdate
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
        cmp                                                          from slices
@@ -459,7 +471,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        flag                                                         from net/http/httptest+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
-        hash/adler32                                                 from tailscale.com/ipn/ipnlocal+
+        hash/adler32                                                 from compress/zlib+
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
@@ -498,7 +510,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
        runtime/debug                                                from github.com/klauspost/compress/zstd+
-        runtime/pprof                                                from net/http/pprof+
+        runtime/pprof                                                from tailscale.com/ipn/ipnlocal+
        runtime/trace                                                from net/http/pprof
        slices                                                       from tailscale.com/wgengine/magicsock+
        sort                                                         from compress/flate+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -48,7 +48,6 @@ import (
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
-	"tailscale.com/smallzstd"
 	"tailscale.com/syncs"
 	"tailscale.com/tsd"
 	"tailscale.com/tsweb/varz"
@@ -76,6 +75,8 @@ func defaultTunName() string {
 		// "utun" is recognized by wireguard-go/tun/tun_darwin.go
 		// as a magic value that uses/creates any free number.
 		return "utun"
+	case "plan9":
+		return "userspace-networking"
 	case "linux":
 		switch distro.Get() {
 		case distro.Synology:
@@ -200,6 +201,10 @@ func main() {
 		}
 	}

+	if fd, ok := envknob.LookupInt("TS_PARENT_DEATH_FD"); ok && fd > 2 {
+		go dieOnPipeReadErrorOfFD(fd)
+	}
+
 	if printVersion {
 		fmt.Println(version.String())
 		os.Exit(0)
@@ -491,6 +496,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	if err != nil {
 		return nil, fmt.Errorf("newNetstack: %w", err)
 	}
+	sys.Set(ns)
 	ns.ProcessLocalIPs = onlyNetstack
 	ns.ProcessSubnets = onlyNetstack || handleSubnetsInNetstack()

@@ -545,9 +551,6 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	if root := lb.TailscaleVarRoot(); root != "" {
 		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"), logf)
 	}
-	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
-		return smallzstd.NewDecoder(nil)
-	})
 	configureTaildrop(logf, lb)
 	if err := ns.Start(lb); err != nil {
 		log.Fatalf("failed to start netstack: %v", err)
@@ -605,6 +608,7 @@ func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack boo
 		NetMon:       sys.NetMon.Get(),
 		Dialer:       sys.Dialer.Get(),
 		SetSubsystem: sys.Set,
+		ControlKnobs: sys.ControlKnobs(),
 	}

 	onlyNetstack = name == "userspace-networking"
@@ -707,7 +711,14 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 }

 func newNetstack(logf logger.Logf, sys *tsd.System) (*netstack.Impl, error) {
-	return netstack.Create(logf, sys.Tun.Get(), sys.Engine.Get(), sys.MagicSock.Get(), sys.Dialer.Get(), sys.DNSManager.Get())
+	return netstack.Create(logf,
+		sys.Tun.Get(),
+		sys.Engine.Get(),
+		sys.MagicSock.Get(),
+		sys.Dialer.Get(),
+		sys.DNSManager.Get(),
+		sys.ProxyMapper(),
+	)
 }

 // mustStartProxyListeners creates listeners for local SOCKS and HTTP
@@ -767,3 +778,14 @@ func beChild(args []string) error {
 	}
 	return f(args[1:])
 }
+
+// dieOnPipeReadErrorOfFD reads from the pipe named by fd and exit the process
+// when the pipe becomes readable. We use this in tests as a somewhat more
+// portable mechanism for the Linux PR_SET_PDEATHSIG, which we wish existed on
+// macOS. This helps us clean up straggler tailscaled processes when the parent
+// test driver dies unexpectedly.
+func dieOnPipeReadErrorOfFD(fd int) {
+	f := os.NewFile(uintptr(fd), "TS_PARENT_DEATH_FD")
+	f.Read(make([]byte, 1))
+	os.Exit(1)
+}
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -51,6 +51,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/util/osdiag"
+	"tailscale.com/util/syspolicy"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/wf"
@@ -131,7 +132,7 @@ func runWindowsService(pol *logpolicy.Policy) error {
 		osdiag.LogSupportInfo(logger.WithPrefix(log.Printf, "Support Info: "), osdiag.LogSupportInfoReasonStartup)
 	}()

-	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
+	if logSCMInteractions, _ := syspolicy.GetBoolean(syspolicy.LogSCMInteractions, false); logSCMInteractions {
 		syslog, err := eventlog.Open(serviceName)
 		if err == nil {
 			syslogf = func(format string, args ...any) {
@@ -158,7 +159,7 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	syslogf("Service start pending")

 	svcAccepts := svc.AcceptStop
-	if winutil.GetPolicyInteger("FlushDNSOnSessionUnlock", 0) != 0 {
+	if flushDNSOnSessionUnlock, _ := syspolicy.GetBoolean(syspolicy.FlushDNSOnSessionUnlock, false); flushDNSOnSessionUnlock {
 		svcAccepts |= svc.AcceptSessionChange
 	}

--- a/cmd/testwrapper/flakytest/flakytest.go
+++ b/cmd/testwrapper/flakytest/flakytest.go
@@ -19,7 +19,8 @@ import (
 const FlakyTestLogMessage = "flakytest: this is a known flaky test"

 // FlakeAttemptEnv is an environment variable that is set by cmd/testwrapper
-// when a flaky test is retried. It contains the attempt number, starting at 1.
+// when a flaky test is being (re)tried. It contains the attempt number,
+// starting at 1.
 const FlakeAttemptEnv = "TS_TESTWRAPPER_ATTEMPT"

 var issueRegexp = regexp.MustCompile(`\Ahttps://github\.com/tailscale/[a-zA-Z0-9_.-]+/issues/\d+\z`)
@@ -33,7 +34,11 @@ func Mark(t testing.TB, issue string) {
 	if !issueRegexp.MatchString(issue) {
 		t.Fatalf("bad issue format: %q", issue)
 	}
-
-	fmt.Fprintln(os.Stderr, FlakyTestLogMessage) // sentinel value for testwrapper
+	if _, ok := os.LookupEnv(FlakeAttemptEnv); ok {
+		// We're being run under cmd/testwrapper so send our sentinel message
+		// to stderr. (We avoid doing this when the env is absent to avoid
+		// spamming people running tests without the wrapper)
+		fmt.Fprintf(os.Stderr, "%s: %s\n", FlakyTestLogMessage, issue)
+	}
 	t.Logf("flakytest: issue tracking this flaky test: %s", issue)
 }
--- a/cmd/testwrapper/testwrapper.go
+++ b/cmd/testwrapper/testwrapper.go
@@ -8,6 +8,7 @@
 package main

 import (
+	"bufio"
 	"bytes"
 	"context"
 	"encoding/json"
@@ -18,6 +19,7 @@ import (
 	"log"
 	"os"
 	"os/exec"
+	"slices"
 	"sort"
 	"strings"
 	"time"
@@ -29,26 +31,29 @@ import (
 const maxAttempts = 3

 type testAttempt struct {
-	name          testName
+	pkg           string // "tailscale.com/types/key"
+	testName      string // "TestFoo"
 	outcome       string // "pass", "fail", "skip"
 	logs          bytes.Buffer
-	isMarkedFlaky bool // set if the test is marked as flaky
+	isMarkedFlaky bool   // set if the test is marked as flaky
+	issueURL      string // set if the test is marked as flaky

 	pkgFinished bool
 }

-type testName struct {
-	pkg  string // "tailscale.com/types/key"
-	name string // "TestFoo"
-}
-
+// packageTests describes what to run.
+// It's also JSON-marshalled to output for analysys tools to parse
+// so the fields are all exported.
+// TODO(bradfitz): move this type to its own types package?
 type packageTests struct {
-	// pattern is the package pattern to run.
-	// Must be a single pattern, not a list of patterns.
-	pattern string // "./...", "./types/key"
-	// tests is a list of tests to run. If empty, all tests in the package are
+	// Pattern is the package Pattern to run.
+	// Must be a single Pattern, not a list of patterns.
+	Pattern string // "./...", "./types/key"
+	// Tests is a list of Tests to run. If empty, all Tests in the package are
 	// run.
-	tests []string // ["TestFoo", "TestBar"]
+	Tests []string // ["TestFoo", "TestBar"]
+	// IssueURLs maps from a test name to a URL tracking its flake.
+	IssueURLs map[string]string // "TestFoo" => "https://github.com/foo/bar/issue/123"
 }

 type goTestOutput struct {
@@ -63,14 +68,15 @@ var debug = os.Getenv("TS_TESTWRAPPER_DEBUG") != ""

 // runTests runs the tests in pt and sends the results on ch. It sends a
 // testAttempt for each test and a final testAttempt per pkg with pkgFinished
-// set to true.
+// set to true. Package build errors will not emit a testAttempt (as no valid
+// JSON is produced) but the [os/exec.ExitError] will be returned.
 // It calls close(ch) when it's done.
-func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []string, ch chan<- *testAttempt) {
+func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []string, ch chan<- *testAttempt) error {
 	defer close(ch)
-	args := []string{"test", "-json", pt.pattern}
+	args := []string{"test", "-json", pt.Pattern}
 	args = append(args, otherArgs...)
-	if len(pt.tests) > 0 {
-		runArg := strings.Join(pt.tests, "|")
+	if len(pt.Tests) > 0 {
+		runArg := strings.Join(pt.Tests, "|")
 		args = append(args, "-run", runArg)
 	}
 	if debug {
@@ -91,17 +97,12 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []st
 		log.Printf("error starting test: %v", err)
 		os.Exit(1)
 	}
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		cmd.Wait()
-	}()

-	jd := json.NewDecoder(r)
-	resultMap := make(map[testName]*testAttempt)
-	for {
+	s := bufio.NewScanner(r)
+	resultMap := make(map[string]map[string]*testAttempt) // pkg -> test -> testAttempt
+	for s.Scan() {
 		var goOutput goTestOutput
-		if err := jd.Decode(&goOutput); err != nil {
+		if err := json.Unmarshal(s.Bytes(), &goOutput); err != nil {
 			if errors.Is(err, io.EOF) || errors.Is(err, os.ErrClosed) {
 				break
 			}
@@ -111,32 +112,39 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []st
 			// The build error will be printed to stderr.
 			// See: https://github.com/golang/go/issues/35169
 			if _, ok := err.(*json.SyntaxError); ok {
-				jd = json.NewDecoder(r)
+				fmt.Println(s.Text())
 				continue
 			}
 			panic(err)
 		}
+		pkg := goOutput.Package
+		pkgTests := resultMap[pkg]
 		if goOutput.Test == "" {
 			switch goOutput.Action {
 			case "fail", "pass", "skip":
+				for _, test := range pkgTests {
+					if test.outcome == "" {
+						test.outcome = "fail"
+						ch <- test
+					}
+				}
 				ch <- &testAttempt{
-					name: testName{
-						pkg: goOutput.Package,
-					},
+					pkg:         goOutput.Package,
 					outcome:     goOutput.Action,
 					pkgFinished: true,
 				}
 			}
 			continue
 		}
-		name := testName{
-			pkg:  goOutput.Package,
-			name: goOutput.Test,
+		if pkgTests == nil {
+			pkgTests = make(map[string]*testAttempt)
+			resultMap[pkg] = pkgTests
 		}
+		testName := goOutput.Test
 		if test, _, isSubtest := strings.Cut(goOutput.Test, "/"); isSubtest {
-			name.name = test
+			testName = test
 			if goOutput.Action == "output" {
-				resultMap[name].logs.WriteString(goOutput.Output)
+				resultMap[pkg][testName].logs.WriteString(goOutput.Output)
 			}
 			continue
 		}
@@ -144,21 +152,29 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []st
 		case "start":
 			// ignore
 		case "run":
-			resultMap[name] = &testAttempt{
-				name: name,
+			pkgTests[testName] = &testAttempt{
+				pkg:      pkg,
+				testName: testName,
 			}
 		case "skip", "pass", "fail":
-			resultMap[name].outcome = goOutput.Action
-			ch <- resultMap[name]
+			pkgTests[testName].outcome = goOutput.Action
+			ch <- pkgTests[testName]
 		case "output":
-			if strings.TrimSpace(goOutput.Output) == flakytest.FlakyTestLogMessage {
-				resultMap[name].isMarkedFlaky = true
+			if suffix, ok := strings.CutPrefix(strings.TrimSpace(goOutput.Output), flakytest.FlakyTestLogMessage); ok {
+				pkgTests[testName].isMarkedFlaky = true
+				pkgTests[testName].issueURL = strings.TrimPrefix(suffix, ": ")
 			} else {
-				resultMap[name].logs.WriteString(goOutput.Output)
+				pkgTests[testName].logs.WriteString(goOutput.Output)
 			}
 		}
 	}
-	<-done
+	if err := cmd.Wait(); err != nil {
+		return err
+	}
+	if err := s.Err(); err != nil {
+		return fmt.Errorf("reading go test stdout: %w", err)
+	}
+	return nil
 }

 func main() {
@@ -201,12 +217,12 @@ func main() {

 	type nextRun struct {
 		tests   []*packageTests
-		attempt int
+		attempt int // starting at 1
 	}

 	toRun := []*nextRun{
 		{
-			tests:   []*packageTests{{pattern: pattern}},
+			tests:   []*packageTests{{Pattern: pattern}},
 			attempt: 1,
 		},
 	}
@@ -237,17 +253,36 @@ func main() {
 			os.Exit(1)
 		}
 		if thisRun.attempt > 1 {
-			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\n", thisRun.attempt)
+			j, _ := json.Marshal(thisRun.tests)
+			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\nflakytest failures JSON: %s\n\n", thisRun.attempt, j)
 		}

-		failed := false
-		toRetry := make(map[string][]string) // pkg -> tests to retry
+		toRetry := make(map[string][]*testAttempt) // pkg -> tests to retry
 		for _, pt := range thisRun.tests {
 			ch := make(chan *testAttempt)
-			go runTests(ctx, thisRun.attempt, pt, otherArgs, ch)
+			runErr := make(chan error, 1)
+			go func() {
+				defer close(runErr)
+				runErr <- runTests(ctx, thisRun.attempt, pt, otherArgs, ch)
+			}()
+
+			var failed bool
 			for tr := range ch {
+				// Go assigns the package name "command-line-arguments" when you
+				// `go test FILE` rather than `go test PKG`. It's more
+				// convenient for us to to specify files in tests, so fix tr.pkg
+				// so that subsequent testwrapper attempts run correctly.
+				if tr.pkg == "command-line-arguments" {
+					tr.pkg = pattern
+				}
 				if tr.pkgFinished {
-					printPkgOutcome(tr.name.pkg, tr.outcome, thisRun.attempt)
+					if tr.outcome == "fail" && len(toRetry[tr.pkg]) == 0 {
+						// If a package fails and we don't have any tests to
+						// retry, then we should fail. This typically happens
+						// when a package times out.
+						failed = true
+					}
+					printPkgOutcome(tr.pkg, tr.outcome, thisRun.attempt)
 					continue
 				}
 				if *v || tr.outcome == "fail" {
@@ -257,15 +292,28 @@ func main() {
 					continue
 				}
 				if tr.isMarkedFlaky {
-					toRetry[tr.name.pkg] = append(toRetry[tr.name.pkg], tr.name.name)
+					toRetry[tr.pkg] = append(toRetry[tr.pkg], tr)
 				} else {
 					failed = true
 				}
 			}
-		}
-		if failed {
-			fmt.Println("\n\nNot retrying flaky tests because non-flaky tests failed.")
-			os.Exit(1)
+			if failed {
+				fmt.Println("\n\nNot retrying flaky tests because non-flaky tests failed.")
+				os.Exit(1)
+			}
+
+			// If there's nothing to retry and no non-retryable tests have
+			// failed then we've probably hit a build error.
+			if err := <-runErr; len(toRetry) == 0 && err != nil {
+				var exit *exec.ExitError
+				if errors.As(err, &exit) {
+					if code := exit.ExitCode(); code > -1 {
+						os.Exit(exit.ExitCode())
+					}
+				}
+				log.Printf("testwrapper: %s", err)
+				os.Exit(1)
+			}
 		}
 		if len(toRetry) == 0 {
 			continue
@@ -277,10 +325,17 @@ func main() {
 		}
 		for _, pkg := range pkgs {
 			tests := toRetry[pkg]
-			sort.Strings(tests)
+			slices.SortFunc(tests, func(a, b *testAttempt) int { return strings.Compare(a.testName, b.testName) })
+			issueURLs := map[string]string{} // test name => URL
+			var testNames []string
+			for _, ta := range tests {
+				issueURLs[ta.testName] = ta.issueURL
+				testNames = append(testNames, ta.testName)
+			}
 			nextRun.tests = append(nextRun.tests, &packageTests{
-				pattern: pkg,
-				tests:   tests,
+				Pattern:   pkg,
+				Tests:     testNames,
+				IssueURLs: issueURLs,
 			})
 		}
 		toRun = append(toRun, nextRun)
--- a/cmd/testwrapper/testwrapper_test.go
+++ b/cmd/testwrapper/testwrapper_test.go
@@ -0,0 +1,218 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package main_test
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sync"
+	"testing"
+)
+
+var (
+	buildPath string
+	buildErr  error
+	buildOnce sync.Once
+)
+
+func cmdTestwrapper(t *testing.T, args ...string) *exec.Cmd {
+	buildOnce.Do(func() {
+		buildPath, buildErr = buildTestWrapper()
+	})
+	if buildErr != nil {
+		t.Fatalf("building testwrapper: %s", buildErr)
+	}
+	return exec.Command(buildPath, args...)
+}
+
+func buildTestWrapper() (string, error) {
+	dir, err := os.MkdirTemp("", "testwrapper")
+	if err != nil {
+		return "", fmt.Errorf("making temp dir: %w", err)
+	}
+	_, err = exec.Command("go", "build", "-o", dir, ".").Output()
+	if err != nil {
+		return "", fmt.Errorf("go build: %w", err)
+	}
+	return filepath.Join(dir, "testwrapper"), nil
+}
+
+func TestRetry(t *testing.T) {
+	t.Parallel()
+
+	testfile := filepath.Join(t.TempDir(), "retry_test.go")
+	code := []byte(`package retry_test
+
+import (
+	"os"
+	"testing"
+	"tailscale.com/cmd/testwrapper/flakytest"
+)
+
+func TestOK(t *testing.T) {}
+
+func TestFlakeRun(t *testing.T) {
+	flakytest.Mark(t, "https://github.com/tailscale/tailscale/issues/0") // random issue
+	e := os.Getenv(flakytest.FlakeAttemptEnv)
+	if e == "" {
+		t.Skip("not running in testwrapper")
+	}
+	if e == "1" {
+		t.Fatal("First run in testwrapper, failing so that test is retried. This is expected.")
+	}
+}
+`)
+	if err := os.WriteFile(testfile, code, 0o644); err != nil {
+		t.Fatalf("writing package: %s", err)
+	}
+
+	out, err := cmdTestwrapper(t, "-v", testfile).CombinedOutput()
+	if err != nil {
+		t.Fatalf("go run . %s: %s with output:\n%s", testfile, err, out)
+	}
+
+	want := []byte("ok\t" + testfile + " [attempt=2]")
+	if !bytes.Contains(out, want) {
+		t.Fatalf("wanted output containing %q but got:\n%s", want, out)
+	}
+
+	if okRuns := bytes.Count(out, []byte("=== RUN   TestOK")); okRuns != 1 {
+		t.Fatalf("expected TestOK to be run once but was run %d times in output:\n%s", okRuns, out)
+	}
+	if flakeRuns := bytes.Count(out, []byte("=== RUN   TestFlakeRun")); flakeRuns != 2 {
+		t.Fatalf("expected TestFlakeRun to be run twice but was run %d times in output:\n%s", flakeRuns, out)
+	}
+
+	if testing.Verbose() {
+		t.Logf("success - output:\n%s", out)
+	}
+}
+
+func TestNoRetry(t *testing.T) {
+	t.Parallel()
+
+	testfile := filepath.Join(t.TempDir(), "noretry_test.go")
+	code := []byte(`package noretry_test
+
+import (
+	"testing"
+	"tailscale.com/cmd/testwrapper/flakytest"
+)
+
+func TestFlakeRun(t *testing.T) {
+	flakytest.Mark(t, "https://github.com/tailscale/tailscale/issues/0") // random issue
+	t.Error("shouldn't be retried")
+}
+
+func TestAlwaysError(t *testing.T) {
+	t.Error("error")
+}
+`)
+	if err := os.WriteFile(testfile, code, 0o644); err != nil {
+		t.Fatalf("writing package: %s", err)
+	}
+
+	out, err := cmdTestwrapper(t, "-v", testfile).Output()
+	if err == nil {
+		t.Fatalf("go run . %s: expected error but it succeeded with output:\n%s", testfile, out)
+	}
+	if code, ok := errExitCode(err); ok && code != 1 {
+		t.Fatalf("expected exit code 1 but got %d", code)
+	}
+
+	want := []byte("Not retrying flaky tests because non-flaky tests failed.")
+	if !bytes.Contains(out, want) {
+		t.Fatalf("wanted output containing %q but got:\n%s", want, out)
+	}
+
+	if flakeRuns := bytes.Count(out, []byte("=== RUN   TestFlakeRun")); flakeRuns != 1 {
+		t.Fatalf("expected TestFlakeRun to be run once but was run %d times in output:\n%s", flakeRuns, out)
+	}
+
+	if testing.Verbose() {
+		t.Logf("success - output:\n%s", out)
+	}
+}
+
+func TestBuildError(t *testing.T) {
+	t.Parallel()
+
+	// Construct our broken package.
+	testfile := filepath.Join(t.TempDir(), "builderror_test.go")
+	code := []byte("package builderror_test\n\nderp")
+	err := os.WriteFile(testfile, code, 0o644)
+	if err != nil {
+		t.Fatalf("writing package: %s", err)
+	}
+
+	buildErr := []byte("builderror_test.go:3:1: expected declaration, found derp\nFAIL	command-line-arguments [setup failed]")
+
+	// Confirm `go test` exits with code 1.
+	goOut, err := exec.Command("go", "test", testfile).CombinedOutput()
+	if code, ok := errExitCode(err); !ok || code != 1 {
+		t.Fatalf("go test %s: expected error with exit code 0 but got: %v", testfile, err)
+	}
+	if !bytes.Contains(goOut, buildErr) {
+		t.Fatalf("go test %s: expected build error containing %q but got:\n%s", testfile, buildErr, goOut)
+	}
+
+	// Confirm `testwrapper` exits with code 1.
+	twOut, err := cmdTestwrapper(t, testfile).CombinedOutput()
+	if code, ok := errExitCode(err); !ok || code != 1 {
+		t.Fatalf("testwrapper %s: expected error with exit code 0 but got: %v", testfile, err)
+	}
+	if !bytes.Contains(twOut, buildErr) {
+		t.Fatalf("testwrapper %s: expected build error containing %q but got:\n%s", testfile, buildErr, twOut)
+	}
+
+	if testing.Verbose() {
+		t.Logf("success - output:\n%s", twOut)
+	}
+}
+
+func TestTimeout(t *testing.T) {
+	t.Parallel()
+
+	// Construct our broken package.
+	testfile := filepath.Join(t.TempDir(), "timeout_test.go")
+	code := []byte(`package noretry_test
+
+import (
+	"testing"
+	"time"
+)
+
+func TestTimeout(t *testing.T) {
+	time.Sleep(500 * time.Millisecond)
+}
+`)
+	err := os.WriteFile(testfile, code, 0o644)
+	if err != nil {
+		t.Fatalf("writing package: %s", err)
+	}
+
+	out, err := cmdTestwrapper(t, testfile, "-timeout=20ms").CombinedOutput()
+	if code, ok := errExitCode(err); !ok || code != 1 {
+		t.Fatalf("testwrapper %s: expected error with exit code 0 but got: %v; output was:\n%s", testfile, err, out)
+	}
+	if want := "panic: test timed out after 20ms"; !bytes.Contains(out, []byte(want)) {
+		t.Fatalf("testwrapper %s: expected build error containing %q but got:\n%s", testfile, buildErr, out)
+	}
+
+	if testing.Verbose() {
+		t.Logf("success - output:\n%s", out)
+	}
+}
+
+func errExitCode(err error) (int, bool) {
+	var exit *exec.ExitError
+	if errors.As(err, &exit) {
+		return exit.ExitCode(), true
+	}
+	return 0, false
+}
--- a/cmd/tsconnect/common.go
+++ b/cmd/tsconnect/common.go
@@ -71,7 +71,7 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 				},
 			},
 		},
-		JSXMode: esbuild.JSXModeAutomatic,
+		JSX: esbuild.JSXAutomatic,
 	}, nil
 }

@@ -137,16 +137,19 @@ func runEsbuildServe(buildOptions esbuild.BuildOptions) {
 	if err != nil {
 		log.Fatalf("Cannot parse port: %v", err)
 	}
-	result, err := esbuild.Serve(esbuild.ServeOptions{
+	buildContext, ctxErr := esbuild.Context(buildOptions)
+	if ctxErr != nil {
+		log.Fatalf("Cannot create esbuild context: %v", err)
+	}
+	result, err := buildContext.Serve(esbuild.ServeOptions{
 		Port:     uint16(port),
 		Host:     host,
 		Servedir: "./",
-	}, buildOptions)
+	})
 	if err != nil {
 		log.Fatalf("Cannot start esbuild server: %v", err)
 	}
 	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
-	result.Wait()
 }

 func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -35,9 +35,9 @@ import (
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/safesocket"
-	"tailscale.com/smallzstd"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsd"
+	"tailscale.com/types/views"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/words"
@@ -103,16 +103,18 @@ func newIPN(jsConfig js.Value) map[string]any {
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
 		Dialer:       dialer,
 		SetSubsystem: sys.Set,
+		ControlKnobs: sys.ControlKnobs(),
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
 	sys.Set(eng)

-	ns, err := netstack.Create(logf, sys.Tun.Get(), eng, sys.MagicSock.Get(), dialer, sys.DNSManager.Get())
+	ns, err := netstack.Create(logf, sys.Tun.Get(), eng, sys.MagicSock.Get(), dialer, sys.DNSManager.Get(), sys.ProxyMapper())
 	if err != nil {
 		log.Fatalf("netstack.Create: %v", err)
 	}
+	sys.Set(ns)
 	ns.ProcessLocalIPs = true
 	ns.ProcessSubnets = true

@@ -125,7 +127,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 	sys.NetstackRouter.Set(true)

 	logid := lpc.PublicID
-	srv := ipnserver.New(logf, logid, nil /* no netMon */)
+	srv := ipnserver.New(logf, logid, sys.NetMon.Get())
 	lb, err := ipnlocal.NewLocalBackend(logf, logid, sys, controlclient.LoginEphemeral)
 	if err != nil {
 		log.Fatalf("ipnlocal.NewLocalBackend: %v", err)
@@ -133,9 +135,6 @@ func newIPN(jsConfig js.Value) map[string]any {
 	if err := ns.Start(lb); err != nil {
 		log.Fatalf("failed to start netstack: %v", err)
 	}
-	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
-		return smallzstd.NewDecoder(nil)
-	})
 	srv.SetLocalBackend(lb)

 	jsIPN := &jsIPN{
@@ -251,11 +250,11 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 				Self: jsNetMapSelfNode{
 					jsNetMapNode: jsNetMapNode{
 						Name:       nm.Name,
-						Addresses:  mapSlice(nm.Addresses, func(a netip.Prefix) string { return a.Addr().String() }),
+						Addresses:  mapSliceView(nm.GetAddresses(), func(a netip.Prefix) string { return a.Addr().String() }),
 						NodeKey:    nm.NodeKey.String(),
 						MachineKey: nm.MachineKey.String(),
 					},
-					MachineStatus: jsMachineStatus[nm.MachineStatus],
+					MachineStatus: jsMachineStatus[nm.GetMachineStatus()],
 				},
 				Peers: mapSlice(nm.Peers, func(p tailcfg.NodeView) jsNetMapPeerNode {
 					name := p.Name()
@@ -326,7 +325,11 @@ func (i *jsIPN) logout() {
 	if i.lb.State() == ipn.NoState {
 		log.Printf("Backend not running")
 	}
-	go i.lb.Logout()
+	go func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		i.lb.Logout(ctx)
+	}()
 }

 func (i *jsIPN) ssh(host, username string, termConfig js.Value) map[string]any {
@@ -576,6 +579,14 @@ func mapSlice[T any, M any](a []T, f func(T) M) []M {
 	return n
 }

+func mapSliceView[T any, M any](a views.Slice[T], f func(T) M) []M {
+	n := make([]M, a.Len())
+	for i := range a.LenIter() {
+		n[i] = f(a.At(i))
+	}
+	return n
+}
+
 func filterSlice[T any](a []T, f func(T) bool) []T {
 	n := make([]T, 0, len(a))
 	for _, e := range a {
--- a/cmd/viewer/tests/tests_clone.go
+++ b/cmd/viewer/tests/tests_clone.go
@@ -136,21 +136,33 @@ func (src *StructWithSlices) Clone() *StructWithSlices {
 	dst := new(StructWithSlices)
 	*dst = *src
 	dst.Values = append(src.Values[:0:0], src.Values...)
-	dst.ValuePointers = make([]*StructWithoutPtrs, len(src.ValuePointers))
-	for i := range dst.ValuePointers {
-		dst.ValuePointers[i] = src.ValuePointers[i].Clone()
+	if src.ValuePointers != nil {
+		dst.ValuePointers = make([]*StructWithoutPtrs, len(src.ValuePointers))
+		for i := range dst.ValuePointers {
+			dst.ValuePointers[i] = src.ValuePointers[i].Clone()
+		}
 	}
-	dst.StructPointers = make([]*StructWithPtrs, len(src.StructPointers))
-	for i := range dst.StructPointers {
-		dst.StructPointers[i] = src.StructPointers[i].Clone()
+	if src.StructPointers != nil {
+		dst.StructPointers = make([]*StructWithPtrs, len(src.StructPointers))
+		for i := range dst.StructPointers {
+			dst.StructPointers[i] = src.StructPointers[i].Clone()
+		}
 	}
-	dst.Structs = make([]StructWithPtrs, len(src.Structs))
-	for i := range dst.Structs {
-		dst.Structs[i] = *src.Structs[i].Clone()
+	if src.Structs != nil {
+		dst.Structs = make([]StructWithPtrs, len(src.Structs))
+		for i := range dst.Structs {
+			dst.Structs[i] = *src.Structs[i].Clone()
+		}
 	}
-	dst.Ints = make([]*int, len(src.Ints))
-	for i := range dst.Ints {
-		dst.Ints[i] = ptr.To(*src.Ints[i])
+	if src.Ints != nil {
+		dst.Ints = make([]*int, len(src.Ints))
+		for i := range dst.Ints {
+			if src.Ints[i] == nil {
+				dst.Ints[i] = nil
+			} else {
+				dst.Ints[i] = ptr.To(*src.Ints[i])
+			}
+		}
 	}
 	dst.Slice = append(src.Slice[:0:0], src.Slice...)
 	dst.Prefixes = append(src.Prefixes[:0:0], src.Prefixes...)
--- a/cmd/viewer/viewer.go
+++ b/cmd/viewer/viewer.go
@@ -237,9 +237,10 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 				slice := u
 				sElem := slice.Elem()
 				switch x := sElem.(type) {
-				case *types.Basic:
+				case *types.Basic, *types.Named:
+					sElem := it.QualifiedName(sElem)
 					args.MapValueView = fmt.Sprintf("views.Slice[%v]", sElem)
-					args.MapValueType = "[]" + sElem.String()
+					args.MapValueType = "[]" + sElem
 					args.MapFn = "views.SliceOf(t)"
 					template = "mapFnField"
 				case *types.Pointer:
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -17,54 +17,36 @@ import (
 	"tailscale.com/net/sockstats"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstime"
-	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
-	"tailscale.com/types/ptr"
 	"tailscale.com/types/structs"
 )

 type LoginGoal struct {
-	_               structs.Incomparable
-	wantLoggedIn    bool                 // true if we *want* to be logged in
-	token           *tailcfg.Oauth2Token // oauth token to use when logging in
-	flags           LoginFlags           // flags to use when logging in
-	url             string               // auth url that needs to be visited
-	loggedOutResult chan<- error
-}
-
-func (g *LoginGoal) sendLogoutError(err error) {
-	if g.loggedOutResult == nil {
-		return
-	}
-	select {
-	case g.loggedOutResult <- err:
-	default:
-	}
+	_     structs.Incomparable
+	token *tailcfg.Oauth2Token // oauth token to use when logging in
+	flags LoginFlags           // flags to use when logging in
+	url   string               // auth url that needs to be visited
 }

 var _ Client = (*Auto)(nil)

-// waitUnpause waits until the client is unpaused then returns. It only
-// returns an error if the client is closed.
-func (c *Auto) waitUnpause(routineLogName string) error {
+// waitUnpause waits until either the client is unpaused or the Auto client is
+// shut down. It reports whether the client should keep running (i.e. it's not
+// closed).
+func (c *Auto) waitUnpause(routineLogName string) (keepRunning bool) {
 	c.mu.Lock()
-	if !c.paused {
-		c.mu.Unlock()
-		return nil
+	if !c.paused || c.closed {
+		defer c.mu.Unlock()
+		return !c.closed
 	}
 	unpaused := c.unpausedChanLocked()
 	c.mu.Unlock()
+
 	c.logf("%s: awaiting unpause", routineLogName)
-	select {
-	case <-unpaused:
-		c.logf("%s: unpaused", routineLogName)
-		return nil
-	case <-c.quit:
-		return errors.New("quit")
-	}
+	return <-unpaused
 }

 // updateRoutine is responsible for informing the server of worthy changes to
@@ -78,7 +60,7 @@ func (c *Auto) updateRoutine() {
 	var lastUpdateGenInformed updateGen

 	for {
-		if err := c.waitUnpause("updateRoutine"); err != nil {
+		if !c.waitUnpause("updateRoutine") {
 			c.logf("updateRoutine: exiting")
 			return
 		}
@@ -88,19 +70,11 @@ func (c *Auto) updateRoutine() {
 		needUpdate := gen > 0 && gen != lastUpdateGenInformed && c.loggedIn
 		c.mu.Unlock()

-		if needUpdate {
-			select {
-			case <-c.quit:
-				c.logf("updateRoutine: exiting")
-				return
-			default:
-			}
-		} else {
+		if !needUpdate {
 			// Nothing to do, wait for a signal.
 			select {
-			case <-c.quit:
-				c.logf("updateRoutine: exiting")
-				return
+			case <-ctx.Done():
+				continue
 			case <-c.updateCh:
 				continue
 			}
@@ -138,36 +112,37 @@ type updateGen int64
 // Auto connects to a tailcontrol server for a node.
 // It's a concrete implementation of the Client interface.
 type Auto struct {
-	direct     *Direct // our interface to the server APIs
-	clock      tstime.Clock
-	logf       logger.Logf
-	expiry     *time.Time
-	closed     bool
-	updateCh   chan struct{} // readable when we should inform the server of a change
-	newMapCh   chan struct{} // readable when we must restart a map request
-	statusFunc func(Status)  // called to update Client status; always non-nil
+	direct        *Direct // our interface to the server APIs
+	clock         tstime.Clock
+	logf          logger.Logf
+	closed        bool
+	updateCh      chan struct{} // readable when we should inform the server of a change
+	observer      Observer      // called to update Client status; always non-nil
+	observerQueue execQueue

 	unregisterHealthWatch func()

 	mu sync.Mutex // mutex guards the following fields

+	wantLoggedIn bool   // whether the user wants to be logged in per last method call
+	urlToVisit   string // the last url we were told to visit
+	expiry       time.Time
+
 	// lastUpdateGen is the gen of last update we had an update worth sending to
 	// the server.
 	lastUpdateGen updateGen

-	paused         bool // whether we should stop making HTTP requests
-	unpauseWaiters []chan struct{}
-	loggedIn       bool       // true if currently logged in
-	loginGoal      *LoginGoal // non-nil if some login activity is desired
-	synced         bool       // true if our netmap is up-to-date
-	inSendStatus   int        // number of sendStatus calls currently in progress
-	state          State
+	paused         bool        // whether we should stop making HTTP requests
+	unpauseWaiters []chan bool // chans that gets sent true (once) on wake, or false on Shutdown
+	loggedIn       bool        // true if currently logged in
+	loginGoal      *LoginGoal  // non-nil if some login activity is desired
+	inMapPoll      bool        // true once we get the first MapResponse in a stream; false when HTTP response ends
+	state          State       // TODO(bradfitz): delete this, make it computed by method from other state

 	authCtx    context.Context // context used for auth requests
 	mapCtx     context.Context // context used for netmap and update requests
 	authCancel func()          // cancel authCtx
 	mapCancel  func()          // cancel mapCtx
-	quit       chan struct{}   // when closed, goroutines should all exit
 	authDone   chan struct{}   // when closed, authRoutine is done
 	mapDone    chan struct{}   // when closed, mapRoutine is done
 	updateDone chan struct{}   // when closed, updateRoutine is done
@@ -194,8 +169,8 @@ func NewNoStart(opts Options) (_ *Auto, err error) {
 		}
 	}()

-	if opts.Status == nil {
-		return nil, errors.New("missing required Options.Status")
+	if opts.Observer == nil {
+		return nil, errors.New("missing required Options.Observer")
 	}
 	if opts.Logf == nil {
 		opts.Logf = func(fmt string, args ...any) {}
@@ -208,12 +183,10 @@ func NewNoStart(opts Options) (_ *Auto, err error) {
 		clock:      opts.Clock,
 		logf:       opts.Logf,
 		updateCh:   make(chan struct{}, 1),
-		newMapCh:   make(chan struct{}, 1),
-		quit:       make(chan struct{}),
 		authDone:   make(chan struct{}),
 		mapDone:    make(chan struct{}),
 		updateDone: make(chan struct{}),
-		statusFunc: opts.Status,
+		observer:   opts.Observer,
 	}
 	c.authCtx, c.authCancel = context.WithCancel(context.Background())
 	c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto, opts.Logf)
@@ -232,21 +205,20 @@ func NewNoStart(opts Options) (_ *Auto, err error) {
 func (c *Auto) SetPaused(paused bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	if paused == c.paused {
+	if paused == c.paused || c.closed {
 		return
 	}
 	c.logf("setPaused(%v)", paused)
 	c.paused = paused
 	if paused {
-		// Only cancel the map routine. (The auth routine isn't expensive
-		// so it's fine to keep it running.)
-		c.cancelMapLocked()
-	} else {
-		for _, ch := range c.unpauseWaiters {
-			close(ch)
-		}
-		c.unpauseWaiters = nil
+		c.cancelMapCtxLocked()
+		c.cancelAuthCtxLocked()
+		return
 	}
+	for _, ch := range c.unpauseWaiters {
+		ch <- true
+	}
+	c.unpauseWaiters = nil
 }

 // Start starts the client's goroutines.
@@ -280,9 +252,16 @@ func (c *Auto) updateControl() {
 	}
 }

-func (c *Auto) cancelAuth() {
+// cancelAuthCtx cancels the existing auth goroutine's context
+// & creates a new one, causing it to restart.
+func (c *Auto) cancelAuthCtx() {
 	c.mu.Lock()
 	defer c.mu.Unlock()
+	c.cancelAuthCtxLocked()
+}
+
+// cancelAuthCtxLocked is like cancelAuthCtx, but assumes the caller holds c.mu.
+func (c *Auto) cancelAuthCtxLocked() {
 	if c.authCancel != nil {
 		c.authCancel()
 	}
@@ -292,8 +271,16 @@ func (c *Auto) cancelAuth() {
 	}
 }

-// cancelMapLocked is like cancelMap, but assumes the caller holds c.mu.
-func (c *Auto) cancelMapLocked() {
+// cancelMapCtx cancels the context for the existing mapPoll and liteUpdates
+// goroutines and creates a new one, causing them to restart.
+func (c *Auto) cancelMapCtx() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.cancelMapCtxLocked()
+}
+
+// cancelMapCtxLocked is like cancelMapCtx, but assumes the caller holds c.mu.
+func (c *Auto) cancelMapCtxLocked() {
 	if c.mapCancel != nil {
 		c.mapCancel()
 	}
@@ -303,32 +290,15 @@ func (c *Auto) cancelMapLocked() {
 	}
 }

-// cancelMap cancels the existing mapPoll and liteUpdates.
-func (c *Auto) cancelMap() {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	c.cancelMapLocked()
-}
-
 // restartMap cancels the existing mapPoll and liteUpdates, and then starts a
 // new one.
 func (c *Auto) restartMap() {
 	c.mu.Lock()
-	c.cancelMapLocked()
-	synced := c.synced
+	c.cancelMapCtxLocked()
+	synced := c.inMapPoll
 	c.mu.Unlock()

 	c.logf("[v1] restartMap: synced=%v", synced)
-
-	select {
-	case c.newMapCh <- struct{}{}:
-		c.logf("[v1] restartMap: wrote to channel")
-	default:
-		// if channel write failed, then there was already
-		// an outstanding newMapCh request. One is enough,
-		// since it'll always use the latest endpoints.
-		c.logf("[v1] restartMap: channel was full")
-	}
 	c.updateControl()
 }

@@ -337,23 +307,20 @@ func (c *Auto) authRoutine() {
 	bo := backoff.NewBackoff("authRoutine", c.logf, 30*time.Second)

 	for {
+		if !c.waitUnpause("authRoutine") {
+			c.logf("authRoutine: exiting")
+			return
+		}
 		c.mu.Lock()
 		goal := c.loginGoal
 		ctx := c.authCtx
 		if goal != nil {
-			c.logf("[v1] authRoutine: %s; wantLoggedIn=%v", c.state, goal.wantLoggedIn)
+			c.logf("[v1] authRoutine: %s; wantLoggedIn=%v", c.state, true)
 		} else {
 			c.logf("[v1] authRoutine: %s; goal=nil paused=%v", c.state, c.paused)
 		}
 		c.mu.Unlock()

-		select {
-		case <-c.quit:
-			c.logf("[v1] authRoutine: quit")
-			return
-		default:
-		}
-
 		report := func(err error, msg string) {
 			c.logf("[v1] %s: %v", msg, err)
 			// don't send status updates for context errors,
@@ -371,111 +338,90 @@ func (c *Auto) authRoutine() {
 			continue
 		}

-		if !goal.wantLoggedIn {
-			health.SetAuthRoutineInError(nil)
-			err := c.direct.TryLogout(ctx)
-			goal.sendLogoutError(err)
-			if err != nil {
-				report(err, "TryLogout")
-				bo.BackOff(ctx, err)
-				continue
-			}
-
-			// success
-			c.mu.Lock()
-			c.loggedIn = false
-			c.loginGoal = nil
-			c.state = StateNotAuthenticated
-			c.synced = false
-			c.mu.Unlock()
-
-			c.sendStatus("authRoutine-wantout", nil, "", nil)
-			bo.BackOff(ctx, nil)
-		} else { // ie. goal.wantLoggedIn
-			c.mu.Lock()
-			if goal.url != "" {
-				c.state = StateURLVisitRequired
-			} else {
-				c.state = StateAuthenticating
-			}
-			c.mu.Unlock()
-
-			var url string
-			var err error
-			var f string
-			if goal.url != "" {
-				url, err = c.direct.WaitLoginURL(ctx, goal.url)
-				f = "WaitLoginURL"
-			} else {
-				url, err = c.direct.TryLogin(ctx, goal.token, goal.flags)
-				f = "TryLogin"
-			}
-			if err != nil {
-				health.SetAuthRoutineInError(err)
-				report(err, f)
-				bo.BackOff(ctx, err)
-				continue
-			}
-			if url != "" {
-				// goal.url ought to be empty here.
-				// However, not all control servers get this right,
-				// and logging about it here just generates noise.
-				c.mu.Lock()
-				c.loginGoal = &LoginGoal{
-					wantLoggedIn: true,
-					flags:        LoginDefault,
-					url:          url,
-				}
-				c.state = StateURLVisitRequired
-				c.synced = false
-				c.mu.Unlock()
-
-				c.sendStatus("authRoutine-url", err, url, nil)
-				if goal.url == url {
-					// The server sent us the same URL we already tried,
-					// backoff to avoid a busy loop.
-					bo.BackOff(ctx, errors.New("login URL not changing"))
-				} else {
-					bo.BackOff(ctx, nil)
-				}
-				continue
-			}
-
-			// success
-			health.SetAuthRoutineInError(nil)
-			c.mu.Lock()
-			c.loggedIn = true
-			c.loginGoal = nil
-			c.state = StateAuthenticated
-			c.mu.Unlock()
-
-			c.sendStatus("authRoutine-success", nil, "", nil)
-			c.restartMap()
-			bo.BackOff(ctx, nil)
+		c.mu.Lock()
+		c.urlToVisit = goal.url
+		if goal.url != "" {
+			c.state = StateURLVisitRequired
+		} else {
+			c.state = StateAuthenticating
 		}
+		c.mu.Unlock()
+
+		var url string
+		var err error
+		var f string
+		if goal.url != "" {
+			url, err = c.direct.WaitLoginURL(ctx, goal.url)
+			f = "WaitLoginURL"
+		} else {
+			url, err = c.direct.TryLogin(ctx, goal.token, goal.flags)
+			f = "TryLogin"
+		}
+		if err != nil {
+			health.SetAuthRoutineInError(err)
+			report(err, f)
+			bo.BackOff(ctx, err)
+			continue
+		}
+		if url != "" {
+			// goal.url ought to be empty here.
+			// However, not all control servers get this right,
+			// and logging about it here just generates noise.
+			c.mu.Lock()
+			c.urlToVisit = url
+			c.loginGoal = &LoginGoal{
+				flags: LoginDefault,
+				url:   url,
+			}
+			c.state = StateURLVisitRequired
+			c.mu.Unlock()
+
+			c.sendStatus("authRoutine-url", err, url, nil)
+			if goal.url == url {
+				// The server sent us the same URL we already tried,
+				// backoff to avoid a busy loop.
+				bo.BackOff(ctx, errors.New("login URL not changing"))
+			} else {
+				bo.BackOff(ctx, nil)
+			}
+			continue
+		}
+
+		// success
+		health.SetAuthRoutineInError(nil)
+		c.mu.Lock()
+		c.urlToVisit = ""
+		c.loggedIn = true
+		c.loginGoal = nil
+		c.state = StateAuthenticated
+		c.mu.Unlock()
+
+		c.sendStatus("authRoutine-success", nil, "", nil)
+		c.restartMap()
+		bo.BackOff(ctx, nil)
 	}
 }

-// Expiry returns the credential expiration time, or the zero time if
-// the expiration time isn't known. Used in tests only.
-func (c *Auto) Expiry() *time.Time {
+// ExpiryForTests returns the credential expiration time, or the zero value if
+// the expiration time isn't known. It's used in tests only.
+func (c *Auto) ExpiryForTests() time.Time {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	return c.expiry
 }

-// Direct returns the underlying direct client object. Used in tests
-// only.
-func (c *Auto) Direct() *Direct {
+// DirectForTest returns the underlying direct client object.
+// It's used in tests only.
+func (c *Auto) DirectForTest() *Direct {
 	return c.direct
 }

-// unpausedChanLocked returns a new channel that is closed when the
-// current Auto pause is unpaused.
+// unpausedChanLocked returns a new channel that gets sent
+// either a true when unpaused or false on Auto.Shutdown.
 //
 // c.mu must be held
-func (c *Auto) unpausedChanLocked() <-chan struct{} {
-	unpaused := make(chan struct{})
+func (c *Auto) unpausedChanLocked() <-chan bool {
+	unpaused := make(chan bool, 1)
 	c.unpauseWaiters = append(c.unpauseWaiters, unpaused)
 	return unpaused
 }
@@ -486,17 +432,18 @@ type mapRoutineState struct {
 	bo *backoff.Backoff
 }

+var _ NetmapDeltaUpdater = mapRoutineState{}
+
 func (mrs mapRoutineState) UpdateFullNetmap(nm *netmap.NetworkMap) {
 	c := mrs.c
-	health.SetInPollNetMap(true)

 	c.mu.Lock()
 	ctx := c.mapCtx
-	c.synced = true
+	c.inMapPoll = true
 	if c.loggedIn {
 		c.state = StateSynchronized
 	}
-	c.expiry = ptr.To(nm.Expiry)
+	c.expiry = nm.Expiry
 	stillAuthed := c.loggedIn
 	c.logf("[v1] mapRoutine: netmap received: %s", c.state)
 	c.mu.Unlock()
@@ -508,6 +455,28 @@ func (mrs mapRoutineState) UpdateFullNetmap(nm *netmap.NetworkMap) {
 	mrs.bo.BackOff(ctx, nil)
 }

+func (mrs mapRoutineState) UpdateNetmapDelta(muts []netmap.NodeMutation) bool {
+	c := mrs.c
+
+	c.mu.Lock()
+	goodState := c.loggedIn && c.inMapPoll
+	ndu, canDelta := c.observer.(NetmapDeltaUpdater)
+	c.mu.Unlock()
+
+	if !goodState || !canDelta {
+		return false
+	}
+
+	ctx, cancel := context.WithTimeout(c.mapCtx, 2*time.Second)
+	defer cancel()
+
+	var ok bool
+	err := c.observerQueue.RunSync(ctx, func() {
+		ok = ndu.UpdateNetmapDelta(muts)
+	})
+	return err == nil && ok
+}
+
 // mapRoutine is responsible for keeping a read-only streaming connection to the
 // control server, and keeping the netmap up to date.
 func (c *Auto) mapRoutine() {
@@ -518,7 +487,7 @@ func (c *Auto) mapRoutine() {
 	}

 	for {
-		if err := c.waitUnpause("mapRoutine"); err != nil {
+		if !c.waitUnpause("mapRoutine") {
 			c.logf("mapRoutine: exiting")
 			return
 		}
@@ -529,13 +498,6 @@ func (c *Auto) mapRoutine() {
 		ctx := c.mapCtx
 		c.mu.Unlock()

-		select {
-		case <-c.quit:
-			c.logf("mapRoutine: quit")
-			return
-		default:
-		}
-
 		report := func(err error, msg string) {
 			c.logf("[v1] %s: %v", msg, err)
 			err = fmt.Errorf("%s: %w", msg, err)
@@ -549,40 +511,33 @@ func (c *Auto) mapRoutine() {
 		if !loggedIn {
 			// Wait for something interesting to happen
 			c.mu.Lock()
-			c.synced = false
-			// c.state is set by authRoutine()
+			c.inMapPoll = false
 			c.mu.Unlock()

-			select {
-			case <-ctx.Done():
-				c.logf("[v1] mapRoutine: context done.")
-			case <-c.newMapCh:
-				c.logf("[v1] mapRoutine: new map needed while idle.")
-			}
-		} else {
-			health.SetInPollNetMap(false)
-
-			err := c.direct.PollNetMap(ctx, mrs)
-
-			health.SetInPollNetMap(false)
-			c.mu.Lock()
-			c.synced = false
-			if c.state == StateSynchronized {
-				c.state = StateAuthenticated
-			}
-			paused := c.paused
-			c.mu.Unlock()
-
-			if paused {
-				mrs.bo.BackOff(ctx, nil)
-				c.logf("mapRoutine: paused")
-				continue
-			}
-
-			report(err, "PollNetMap")
-			mrs.bo.BackOff(ctx, err)
+			<-ctx.Done()
+			c.logf("[v1] mapRoutine: context done.")
 			continue
 		}
+		health.SetOutOfPollNetMap()
+
+		err := c.direct.PollNetMap(ctx, mrs)
+
+		health.SetOutOfPollNetMap()
+		c.mu.Lock()
+		c.inMapPoll = false
+		if c.state == StateSynchronized {
+			c.state = StateAuthenticated
+		}
+		paused := c.paused
+		c.mu.Unlock()
+
+		if paused {
+			mrs.bo.BackOff(ctx, nil)
+			c.logf("mapRoutine: paused")
+		} else {
+			mrs.bo.BackOff(ctx, err)
+			report(err, "PollNetMap")
+		}
 	}
 }

@@ -631,6 +586,7 @@ func (c *Auto) SetTKAHead(headHash string) {
 	c.updateControl()
 }

+// sendStatus can not be called with the c.mu held.
 func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkMap) {
 	c.mu.Lock()
 	if c.closed {
@@ -639,91 +595,77 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	}
 	state := c.state
 	loggedIn := c.loggedIn
-	synced := c.synced
-	c.inSendStatus++
+	inMapPoll := c.inMapPoll
 	c.mu.Unlock()

 	c.logf("[v1] sendStatus: %s: %v", who, state)

-	var p *persist.PersistView
-	var loginFin, logoutFin *empty.Message
-	if state == StateAuthenticated {
-		loginFin = new(empty.Message)
-	}
-	if state == StateNotAuthenticated {
-		logoutFin = new(empty.Message)
-	}
-	if nm != nil && loggedIn && synced {
-		p = ptr.To(c.direct.GetPersist())
+	var p persist.PersistView
+	if nm != nil && loggedIn && inMapPoll {
+		p = c.direct.GetPersist()
 	} else {
 		// don't send netmap status, as it's misleading when we're
 		// not logged in.
 		nm = nil
 	}
 	new := Status{
-		LoginFinished:  loginFin,
-		LogoutFinished: logoutFin,
-		URL:            url,
-		Persist:        p,
-		NetMap:         nm,
-		State:          state,
-		Err:            err,
+		URL:     url,
+		Persist: p,
+		NetMap:  nm,
+		Err:     err,
+		state:   state,
 	}
-	c.statusFunc(new)

-	c.mu.Lock()
-	c.inSendStatus--
-	c.mu.Unlock()
+	// Launch a new goroutine to avoid blocking the caller while the observer
+	// does its thing, which may result in a call back into the client.
+	c.observerQueue.Add(func() {
+		c.observer.SetControlClientStatus(c, new)
+	})
 }

 func (c *Auto) Login(t *tailcfg.Oauth2Token, flags LoginFlags) {
 	c.logf("client.Login(%v, %v)", t != nil, flags)

 	c.mu.Lock()
-	c.loginGoal = &LoginGoal{
-		wantLoggedIn: true,
-		token:        t,
-		flags:        flags,
+	defer c.mu.Unlock()
+	if c.closed {
+		return
 	}
-	c.mu.Unlock()
-
-	c.cancelAuth()
+	c.wantLoggedIn = true
+	c.loginGoal = &LoginGoal{
+		token: t,
+		flags: flags,
+	}
+	c.cancelMapCtxLocked()
+	c.cancelAuthCtxLocked()
 }

-func (c *Auto) StartLogout() {
-	c.logf("client.StartLogout()")
-
-	c.mu.Lock()
-	c.loginGoal = &LoginGoal{
-		wantLoggedIn: false,
-	}
-	c.mu.Unlock()
-	c.cancelAuth()
-}
+var ErrClientClosed = errors.New("client closed")

 func (c *Auto) Logout(ctx context.Context) error {
 	c.logf("client.Logout()")
-
-	errc := make(chan error, 1)
-
 	c.mu.Lock()
-	c.loginGoal = &LoginGoal{
-		wantLoggedIn:    false,
-		loggedOutResult: errc,
-	}
+	c.wantLoggedIn = false
+	c.loginGoal = nil
+	closed := c.closed
 	c.mu.Unlock()
-	c.cancelAuth()

-	timer, timerChannel := c.clock.NewTimer(10 * time.Second)
-	defer timer.Stop()
-	select {
-	case err := <-errc:
-		return err
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-timerChannel:
-		return context.DeadlineExceeded
+	if closed {
+		return ErrClientClosed
 	}
+
+	if err := c.direct.TryLogout(ctx); err != nil {
+		return err
+	}
+	c.mu.Lock()
+	c.loggedIn = false
+	c.state = StateNotAuthenticated
+	c.cancelAuthCtxLocked()
+	c.cancelMapCtxLocked()
+	c.mu.Unlock()
+
+	c.sendStatus("authRoutine-wantout", nil, "", nil)
+	return nil
 }

 func (c *Auto) SetExpirySooner(ctx context.Context, expiry time.Time) error {
@@ -745,26 +687,32 @@ func (c *Auto) Shutdown() {
 	c.logf("client.Shutdown()")

 	c.mu.Lock()
-	inSendStatus := c.inSendStatus
 	closed := c.closed
 	direct := c.direct
 	if !closed {
 		c.closed = true
+		c.observerQueue.shutdown()
+		c.cancelAuthCtxLocked()
+		c.cancelMapCtxLocked()
+		for _, w := range c.unpauseWaiters {
+			w <- false
+		}
+		c.unpauseWaiters = nil
 	}
 	c.mu.Unlock()

-	c.logf("client.Shutdown: inSendStatus=%v", inSendStatus)
+	c.logf("client.Shutdown")
 	if !closed {
 		c.unregisterHealthWatch()
-		close(c.quit)
-		c.cancelAuth()
 		<-c.authDone
-		c.cancelMap()
 		<-c.mapDone
 		<-c.updateDone
 		if direct != nil {
 			direct.Close()
 		}
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		c.observerQueue.wait(ctx)
 		c.logf("Client.Shutdown done.")
 	}
 }
@@ -805,3 +753,95 @@ func (c *Auto) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 func (c *Auto) GetSingleUseNoiseRoundTripper(ctx context.Context) (http.RoundTripper, *tailcfg.EarlyNoise, error) {
 	return c.direct.GetSingleUseNoiseRoundTripper(ctx)
 }
+
+type execQueue struct {
+	mu         sync.Mutex
+	closed     bool
+	inFlight   bool          // whether a goroutine is running q.run
+	doneWaiter chan struct{} // non-nil if waiter is waiting, then closed
+	queue      []func()
+}
+
+func (q *execQueue) Add(f func()) {
+	q.mu.Lock()
+	defer q.mu.Unlock()
+	if q.closed {
+		return
+	}
+	if q.inFlight {
+		q.queue = append(q.queue, f)
+	} else {
+		q.inFlight = true
+		go q.run(f)
+	}
+}
+
+// RunSync waits for the queue to be drained and then synchronously runs f.
+// It returns an error if the queue is closed before f is run or ctx expires.
+func (q *execQueue) RunSync(ctx context.Context, f func()) error {
+	for {
+		if err := q.wait(ctx); err != nil {
+			return err
+		}
+		q.mu.Lock()
+		if q.inFlight {
+			q.mu.Unlock()
+			continue
+		}
+		defer q.mu.Unlock()
+		if q.closed {
+			return errors.New("closed")
+		}
+		f()
+		return nil
+	}
+}
+
+func (q *execQueue) run(f func()) {
+	f()
+
+	q.mu.Lock()
+	for len(q.queue) > 0 && !q.closed {
+		f := q.queue[0]
+		q.queue[0] = nil
+		q.queue = q.queue[1:]
+		q.mu.Unlock()
+		f()
+		q.mu.Lock()
+	}
+	q.inFlight = false
+	q.queue = nil
+	if q.doneWaiter != nil {
+		close(q.doneWaiter)
+		q.doneWaiter = nil
+	}
+	q.mu.Unlock()
+}
+
+func (q *execQueue) shutdown() {
+	q.mu.Lock()
+	defer q.mu.Unlock()
+	q.closed = true
+}
+
+// wait waits for the queue to be empty.
+func (q *execQueue) wait(ctx context.Context) error {
+	q.mu.Lock()
+	waitCh := q.doneWaiter
+	if q.inFlight && waitCh == nil {
+		waitCh = make(chan struct{})
+		q.doneWaiter = waitCh
+	}
+	q.mu.Unlock()
+
+	if waitCh == nil {
+		return nil
+	}
+
+	select {
+	case <-waitCh:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
--- a/control/controlclient/client.go
+++ b/control/controlclient/client.go
@@ -14,17 +14,28 @@ import (
 	"tailscale.com/tailcfg"
 )

+// LoginFlags is a bitmask of options to change the behavior of Client.Login
+// and LocalBackend.
 type LoginFlags int

 const (
 	LoginDefault     = LoginFlags(0)
 	LoginInteractive = LoginFlags(1 << iota) // force user login and key refresh
 	LoginEphemeral                           // set RegisterRequest.Ephemeral
+
+	// LocalBackendStartKeyOSNeutral instructs NewLocalBackend to start the
+	// LocalBackend without any OS-dependent StateStore StartKey behavior.
+	//
+	// See https://github.com/tailscale/tailscale/issues/6973.
+	LocalBackendStartKeyOSNeutral
 )

 // Client represents a client connection to the control server.
 // Currently this is done through a pair of polling https requests in
 // the Auto client, but that might change eventually.
+//
+// The Client must be comparable as it is used by the Observer to detect stale
+// clients.
 type Client interface {
 	// Shutdown closes this session, which should not be used any further
 	// afterwards.
@@ -34,10 +45,6 @@ type Client interface {
 	// LoginFinished flag (on success) or an auth URL (if further
 	// interaction is needed).
 	Login(*tailcfg.Oauth2Token, LoginFlags)
-	// StartLogout starts an asynchronous logout process.
-	// When it finishes, the Status callback will be called while
-	// AuthCantContinue()==true.
-	StartLogout()
 	// Logout starts a synchronous logout process. It doesn't return
 	// until the logout operation has been completed.
 	Logout(context.Context) error
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -6,8 +6,6 @@ package controlclient
 import (
 	"reflect"
 	"testing"
-
-	"tailscale.com/types/empty"
 )

 func fieldsOf(t reflect.Type) (fields []string) {
@@ -21,7 +19,7 @@ func fieldsOf(t reflect.Type) (fields []string) {

 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist"}
+	equalHandles := []string{"Err", "URL", "NetMap", "Persist", "state"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)
@@ -52,18 +50,8 @@ func TestStatusEqual(t *testing.T) {
 			true,
 		},
 		{
-			&Status{State: StateNew},
-			&Status{State: StateNew},
-			true,
-		},
-		{
-			&Status{State: StateNew},
-			&Status{State: StateAuthenticated},
-			false,
-		},
-		{
-			&Status{LoginFinished: nil},
-			&Status{LoginFinished: new(empty.Message)},
+			&Status{},
+			&Status{state: StateAuthenticated},
 			false,
 		},
 	}
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -22,9 +22,9 @@ import (
 	"os"
 	"reflect"
 	"runtime"
+	"slices"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	"go4.org/mem"
@@ -42,14 +42,13 @@ import (
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/syncs"
+	"tailscale.com/smallzstd"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
-	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/ptr"
 	"tailscale.com/types/tkatype"
@@ -64,11 +63,10 @@ type Direct struct {
 	httpc                 *http.Client // HTTP client used to talk to tailcontrol
 	dialer                *tsdial.Dialer
 	dnsCache              *dnscache.Resolver
-	serverURL             string // URL of the tailcontrol server
+	controlKnobs          *controlknobs.Knobs // always non-nil
+	serverURL             string              // URL of the tailcontrol server
 	clock                 tstime.Clock
 	lastPrintMap          time.Time
-	newDecompressor       func() (Decompressor, error)
-	keepAlive             bool
 	logf                  logger.Logf
 	netMon                *netmon.Monitor // or nil
 	discoPubKey           key.DiscoPublic
@@ -101,6 +99,16 @@ type Direct struct {
 	lastPingURL  string // last PingRequest.URL received, for dup suppression
 }

+// Observer is implemented by users of the control client (such as LocalBackend)
+// to get notified of changes in the control client's status.
+type Observer interface {
+	// SetControlClientStatus is called when the client has a new status to
+	// report. The Client is provided to allow the Observer to track which
+	// Client is reporting the status, allowing it to ignore stale status
+	// reports from previous Clients.
+	SetControlClientStatus(Client, Status)
+}
+
 type Options struct {
 	Persist              persist.Persist                    // initial persistent data
 	GetMachinePrivateKey func() (key.MachinePrivate, error) // returns the machine key to use
@@ -109,8 +117,6 @@ type Options struct {
 	Clock                tstime.Clock
 	Hostinfo             *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
 	DiscoPublicKey       key.DiscoPublic
-	NewDecompressor      func() (Decompressor, error)
-	KeepAlive            bool
 	Logf                 logger.Logf
 	HTTPTestClient       *http.Client                 // optional HTTP client to use (for tests only)
 	NoiseTestClient      *http.Client                 // optional HTTP client to use for noise RPCs (tests only)
@@ -121,9 +127,11 @@ type Options struct {
 	OnControlTime        func(time.Time)              // optional func to notify callers of new time from control
 	Dialer               *tsdial.Dialer               // non-nil
 	C2NHandler           http.Handler                 // or nil
+	ControlKnobs         *controlknobs.Knobs          // or nil to ignore

-	// Status is called when there's a change in status.
-	Status func(Status)
+	// Observer is called when there's a change in status to report
+	// from the control client.
+	Observer Observer

 	// SkipIPForwardingCheck declares that the host's IP
 	// forwarding works and should not be double-checked by the
@@ -185,6 +193,19 @@ type NetmapUpdater interface {
 	// the diff themselves between the previous full & next full network maps.
 }

+// NetmapDeltaUpdater is an optional interface that can be implemented by
+// NetmapUpdater implementations to receive delta updates from the controlclient
+// rather than just full updates.
+type NetmapDeltaUpdater interface {
+	// UpdateNetmapDelta is called with discrete changes to the network map.
+	//
+	// The ok result is whether the implementation was able to apply the
+	// mutations. It might return false if its internal state doesn't
+	// support applying them or a NetmapUpdater it's wrapping doesn't
+	// implement the NetmapDeltaUpdater optional method.
+	UpdateNetmapDelta([]netmap.NodeMutation) (ok bool)
+}
+
 // NewDirect returns a new Direct client.
 func NewDirect(opts Options) (*Direct, error) {
 	if opts.ServerURL == "" {
@@ -193,6 +214,9 @@ func NewDirect(opts Options) (*Direct, error) {
 	if opts.GetMachinePrivateKey == nil {
 		return nil, errors.New("controlclient.New: no GetMachinePrivateKey specified")
 	}
+	if opts.ControlKnobs == nil {
+		opts.ControlKnobs = &controlknobs.Knobs{}
+	}
 	opts.ServerURL = strings.TrimRight(opts.ServerURL, "/")
 	serverURL, err := url.Parse(opts.ServerURL)
 	if err != nil {
@@ -240,12 +264,11 @@ func NewDirect(opts Options) (*Direct, error) {

 	c := &Direct{
 		httpc:                 httpc,
+		controlKnobs:          opts.ControlKnobs,
 		getMachinePrivKey:     opts.GetMachinePrivateKey,
 		serverURL:             opts.ServerURL,
 		clock:                 opts.Clock,
 		logf:                  opts.Logf,
-		newDecompressor:       opts.NewDecompressor,
-		keepAlive:             opts.KeepAlive,
 		persist:               opts.Persist.View(),
 		authKey:               opts.AuthKey,
 		discoPubKey:           opts.DiscoPublicKey,
@@ -729,18 +752,6 @@ func resignNKS(priv key.NLPrivate, nodeKey key.NodePublic, oldNKS tkatype.Marsha
 	return newSig.Serialize(), nil
 }

-func sameEndpoints(a, b []tailcfg.Endpoint) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	for i := range a {
-		if a[i] != b[i] {
-			return false
-		}
-	}
-	return true
-}
-
 // newEndpoints acquires c.mu and sets the local port and endpoints and reports
 // whether they've changed.
 //
@@ -750,15 +761,11 @@ func (c *Direct) newEndpoints(endpoints []tailcfg.Endpoint) (changed bool) {
 	defer c.mu.Unlock()

 	// Nothing new?
-	if sameEndpoints(c.endpoints, endpoints) {
+	if slices.Equal(c.endpoints, endpoints) {
 		return false // unchanged
 	}
-	var epStrs []string
-	for _, ep := range endpoints {
-		epStrs = append(epStrs, ep.Addr.String())
-	}
-	c.logf("[v2] client.newEndpoints(%v)", epStrs)
-	c.endpoints = append(c.endpoints[:0], endpoints...)
+	c.logf("[v2] client.newEndpoints(%v)", endpoints)
+	c.endpoints = slices.Clone(endpoints)
 	return true // changed
 }

@@ -838,8 +845,10 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
 	var epStrs []string
+	var eps []netip.AddrPort
 	var epTypes []tailcfg.EndpointType
 	for _, ep := range c.endpoints {
+		eps = append(eps, ep.Addr)
 		epStrs = append(epStrs, ep.Addr.String())
 		epTypes = append(epTypes, ep.Type)
 	}
@@ -871,10 +880,10 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap

 	request := &tailcfg.MapRequest{
 		Version:       tailcfg.CurrentCapabilityVersion,
-		KeepAlive:     c.keepAlive,
+		KeepAlive:     true,
 		NodeKey:       persist.PublicNodeKey(),
 		DiscoKey:      c.discoPubKey,
-		Endpoints:     epStrs,
+		Endpoints:     eps,
 		EndpointTypes: epTypes,
 		Stream:        isStreaming,
 		Hostinfo:      hi,
@@ -898,9 +907,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 		old := request.DebugFlags
 		request.DebugFlags = append(old[:len(old):len(old)], extraDebugFlags...)
 	}
-	if c.newDecompressor != nil {
-		request.Compress = "zstd"
-	}
+	request.Compress = "zstd"

 	bodyData, err := encode(request, serverKey, serverNoiseKey, machinePrivKey)
 	if err != nil {
@@ -957,7 +964,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap

 	var mapResIdx int // 0 for first message, then 1+ for deltas

-	sess := newMapSession(persist.PrivateNodeKey(), nu)
+	sess := newMapSession(persist.PrivateNodeKey(), nu, c.controlKnobs)
 	defer sess.Close()
 	sess.cancel = cancel
 	sess.logf = c.logf
@@ -1184,19 +1191,14 @@ func (c *Direct) decodeMsg(msg []byte, v any, mkey key.MachinePrivate) error {
 	} else {
 		decrypted = msg
 	}
-	var b []byte
-	if c.newDecompressor == nil {
-		b = decrypted
-	} else {
-		decoder, err := c.newDecompressor()
-		if err != nil {
-			return err
-		}
-		defer decoder.Close()
-		b, err = decoder.DecodeAll(decrypted, nil)
-		if err != nil {
-			return err
-		}
+	decoder, err := smallzstd.NewDecoder(nil)
+	if err != nil {
+		return err
+	}
+	defer decoder.Close()
+	b, err := decoder.DecodeAll(decrypted, nil)
+	if err != nil {
+		return err
 	}
 	if debugMap() {
 		var buf bytes.Buffer
@@ -1303,68 +1305,6 @@ func initDevKnob() devKnobs {

 var clock tstime.Clock = tstime.StdClock{}

-// config from control.
-var (
-	controlDisableDRPO         atomic.Bool
-	controlKeepFullWGConfig    atomic.Bool
-	controlRandomizeClientPort atomic.Bool
-	controlOneCGNAT            syncs.AtomicValue[opt.Bool]
-)
-
-// DisableDRPO reports whether control says to disable the
-// DERP route optimization (Issue 150).
-func DisableDRPO() bool {
-	return controlDisableDRPO.Load()
-}
-
-// KeepFullWGConfig reports whether control says we should disable the lazy
-// wireguard programming and instead give it the full netmap always.
-func KeepFullWGConfig() bool {
-	return controlKeepFullWGConfig.Load()
-}
-
-// RandomizeClientPort reports whether control says we should randomize
-// the client port.
-func RandomizeClientPort() bool {
-	return controlRandomizeClientPort.Load()
-}
-
-// ControlOneCGNATSetting returns control's OneCGNAT setting, if any.
-func ControlOneCGNATSetting() opt.Bool {
-	return controlOneCGNAT.Load()
-}
-
-func setControlKnobsFromNodeAttrs(selfNodeAttrs []string) {
-	var (
-		keepFullWG          bool
-		disableDRPO         bool
-		disableUPnP         bool
-		randomizeClientPort bool
-		oneCGNAT            opt.Bool
-	)
-	for _, attr := range selfNodeAttrs {
-		switch attr {
-		case tailcfg.NodeAttrDebugDisableWGTrim:
-			keepFullWG = true
-		case tailcfg.NodeAttrDebugDisableDRPO:
-			disableDRPO = true
-		case tailcfg.NodeAttrDisableUPnP:
-			disableUPnP = true
-		case tailcfg.NodeAttrRandomizeClientPort:
-			randomizeClientPort = true
-		case tailcfg.NodeAttrOneCGNATEnable:
-			oneCGNAT.Set(true)
-		case tailcfg.NodeAttrOneCGNATDisable:
-			oneCGNAT.Set(false)
-		}
-	}
-	controlKeepFullWGConfig.Store(keepFullWG)
-	controlDisableDRPO.Store(disableDRPO)
-	controlknobs.SetDisableUPnP(disableUPnP)
-	controlRandomizeClientPort.Store(randomizeClientPort)
-	controlOneCGNAT.Store(oneCGNAT)
-}
-
 // ipForwardingBroken reports whether the system's IP forwarding is disabled
 // and will definitely not work for the routes provided.
 //
@@ -1563,7 +1503,7 @@ func (c *Direct) getNoiseClient() (*NoiseClient, error) {
 		if err != nil {
 			return nil, err
 		}
-		c.logf("creating new noise client")
+		c.logf("[v1] creating new noise client")
 		nc, err := NewNoiseClient(NoiseOpts{
 			PrivKey:      k,
 			ServerPubKey: serverNoiseKey,
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -5,10 +5,18 @@ package controlclient

 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"net"
 	"net/netip"
+	"reflect"
+	"slices"
 	"sort"
+	"strconv"
+	"sync"
+	"time"

+	"tailscale.com/control/controlknobs"
 	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstime"
@@ -17,6 +25,7 @@ import (
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/ptr"
 	"tailscale.com/types/views"
+	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/cmpx"
 	"tailscale.com/wgengine/filter"
 )
@@ -31,7 +40,8 @@ import (
 // one MapRequest).
 type mapSession struct {
 	// Immutable fields.
-	nu             NetmapUpdater // called on changes (in addition to the optional hooks below)
+	netmapUpdater  NetmapUpdater       // called on changes (in addition to the optional hooks below)
+	controlKnobs   *controlknobs.Knobs // or nil
 	privateNodeKey key.NodePrivate
 	publicNodeKey  key.NodePublic
 	logf           logger.Logf
@@ -87,9 +97,10 @@ type mapSession struct {
 // Modify its optional fields on the returned value before use.
 //
 // It must have its Close method called to release resources.
-func newMapSession(privateNodeKey key.NodePrivate, nu NetmapUpdater) *mapSession {
+func newMapSession(privateNodeKey key.NodePrivate, nu NetmapUpdater, controlKnobs *controlknobs.Knobs) *mapSession {
 	ms := &mapSession{
-		nu:              nu,
+		netmapUpdater:   nu,
+		controlKnobs:    controlKnobs,
 		privateNodeKey:  privateNodeKey,
 		publicNodeKey:   privateNodeKey.Public(),
 		lastDNSConfig:   new(tailcfg.DNSConfig),
@@ -176,17 +187,28 @@ func (ms *mapSession) HandleNonKeepAliveMapResponse(ctx context.Context, resp *t
 	if resp.Node != nil {
 		if DevKnob.StripCaps() {
 			resp.Node.Capabilities = nil
+			resp.Node.CapMap = nil
 		}
-		setControlKnobsFromNodeAttrs(resp.Node.Capabilities)
+		ms.controlKnobs.UpdateFromNodeAttributes(resp.Node.Capabilities, resp.Node.CapMap)
 	}

 	// Call Node.InitDisplayNames on any changed nodes.
 	initDisplayNames(cmpx.Or(resp.Node.View(), ms.lastNode), resp)

+	ms.patchifyPeersChanged(resp)
+
 	ms.updateStateFromResponse(resp)

-	nm := ms.netmap()
+	if ms.tryHandleIncrementally(resp) {
+		ms.onConciseNetMapSummary(ms.lastNetmapSummary) // every 5s log
+		return nil
+	}

+	// We have to rebuild the whole netmap (lots of garbage & work downstream of
+	// our UpdateFullNetmap call). This is the part we tried to avoid but
+	// some field mutations (especially rare ones) aren't yet handled.
+
+	nm := ms.netmap()
 	ms.lastNetmapSummary = nm.VeryConcise()
 	ms.onConciseNetMapSummary(ms.lastNetmapSummary)

@@ -195,10 +217,25 @@ func (ms *mapSession) HandleNonKeepAliveMapResponse(ctx context.Context, resp *t
 		ms.onSelfNodeChanged(nm)
 	}

-	ms.nu.UpdateFullNetmap(nm)
+	ms.netmapUpdater.UpdateFullNetmap(nm)
 	return nil
 }

+func (ms *mapSession) tryHandleIncrementally(res *tailcfg.MapResponse) bool {
+	if ms.controlKnobs != nil && ms.controlKnobs.DisableDeltaUpdates.Load() {
+		return false
+	}
+	nud, ok := ms.netmapUpdater.(NetmapDeltaUpdater)
+	if !ok {
+		return false
+	}
+	mutations, ok := netmap.MutationsFromMapResponse(res, time.Now())
+	if ok && len(mutations) > 0 {
+		return nud.UpdateNetmapDelta(mutations)
+	}
+	return ok
+}
+
 // updateStats are some stats from updateStateFromResponse, primarily for
 // testing. It's meant to be cheap enough to always compute, though. It doesn't
 // allocate.
@@ -278,6 +315,23 @@ func (ms *mapSession) updateStateFromResponse(resp *tailcfg.MapResponse) {
 	}
 }

+var (
+	patchDERPRegion   = clientmetric.NewCounter("controlclient_patch_derp")
+	patchEndpoints    = clientmetric.NewCounter("controlclient_patch_endpoints")
+	patchCap          = clientmetric.NewCounter("controlclient_patch_capver")
+	patchKey          = clientmetric.NewCounter("controlclient_patch_key")
+	patchDiscoKey     = clientmetric.NewCounter("controlclient_patch_discokey")
+	patchOnline       = clientmetric.NewCounter("controlclient_patch_online")
+	patchLastSeen     = clientmetric.NewCounter("controlclient_patch_lastseen")
+	patchKeyExpiry    = clientmetric.NewCounter("controlclient_patch_keyexpiry")
+	patchCapabilities = clientmetric.NewCounter("controlclient_patch_capabilities")
+	patchCapMap       = clientmetric.NewCounter("controlclient_patch_capmap")
+	patchKeySignature = clientmetric.NewCounter("controlclient_patch_keysig")
+
+	patchifiedPeer      = clientmetric.NewCounter("controlclient_patchified_peer")
+	patchifiedPeerEqual = clientmetric.NewCounter("controlclient_patchified_peer_equal")
+)
+
 // updatePeersStateFromResponseres updates ms.peers and ms.sortedPeers from res. It takes ownership of res.
 func (ms *mapSession) updatePeersStateFromResponse(resp *tailcfg.MapResponse) (stats updateStats) {
 	defer func() {
@@ -362,33 +416,47 @@ func (ms *mapSession) updatePeersStateFromResponse(resp *tailcfg.MapResponse) (s
 		mut := vp.AsStruct()
 		if pc.DERPRegion != 0 {
 			mut.DERP = fmt.Sprintf("%s:%v", tailcfg.DerpMagicIP, pc.DERPRegion)
+			patchDERPRegion.Add(1)
 		}
 		if pc.Cap != 0 {
 			mut.Cap = pc.Cap
+			patchCap.Add(1)
 		}
 		if pc.Endpoints != nil {
 			mut.Endpoints = pc.Endpoints
+			patchEndpoints.Add(1)
 		}
 		if pc.Key != nil {
 			mut.Key = *pc.Key
+			patchKey.Add(1)
 		}
 		if pc.DiscoKey != nil {
 			mut.DiscoKey = *pc.DiscoKey
+			patchDiscoKey.Add(1)
 		}
 		if v := pc.Online; v != nil {
 			mut.Online = ptr.To(*v)
+			patchOnline.Add(1)
 		}
 		if v := pc.LastSeen; v != nil {
 			mut.LastSeen = ptr.To(*v)
+			patchLastSeen.Add(1)
 		}
 		if v := pc.KeyExpiry; v != nil {
 			mut.KeyExpiry = *v
+			patchKeyExpiry.Add(1)
 		}
 		if v := pc.Capabilities; v != nil {
 			mut.Capabilities = *v
+			patchCapabilities.Add(1)
 		}
 		if v := pc.KeySignature; v != nil {
 			mut.KeySignature = v
+			patchKeySignature.Add(1)
+		}
+		if v := pc.CapMap; v != nil {
+			mut.CapMap = v
+			patchCapMap.Add(1)
 		}
 		*vp = mut.View()
 	}
@@ -428,6 +496,242 @@ func (ms *mapSession) addUserProfile(nm *netmap.NetworkMap, userID tailcfg.UserI
 	}
 }

+var debugPatchifyPeer = envknob.RegisterBool("TS_DEBUG_PATCHIFY_PEER")
+
+// patchifyPeersChanged mutates resp to promote PeersChanged entries to PeersChangedPatch
+// when possible.
+func (ms *mapSession) patchifyPeersChanged(resp *tailcfg.MapResponse) {
+	filtered := resp.PeersChanged[:0]
+	for _, n := range resp.PeersChanged {
+		if p, ok := ms.patchifyPeer(n); ok {
+			patchifiedPeer.Add(1)
+			if debugPatchifyPeer() {
+				patchj, _ := json.Marshal(p)
+				ms.logf("debug: patchifyPeer[ID=%v]: %s", n.ID, patchj)
+			}
+			if p != nil {
+				resp.PeersChangedPatch = append(resp.PeersChangedPatch, p)
+			} else {
+				patchifiedPeerEqual.Add(1)
+			}
+		} else {
+			filtered = append(filtered, n)
+		}
+	}
+	resp.PeersChanged = filtered
+	if len(resp.PeersChanged) == 0 {
+		resp.PeersChanged = nil
+	}
+}
+
+var nodeFields = sync.OnceValue(getNodeFields)
+
+// getNodeFields returns the fails of tailcfg.Node.
+func getNodeFields() []string {
+	rt := reflect.TypeOf((*tailcfg.Node)(nil)).Elem()
+	ret := make([]string, rt.NumField())
+	for i := 0; i < rt.NumField(); i++ {
+		ret[i] = rt.Field(i).Name
+	}
+	return ret
+}
+
+// patchifyPeer returns a *tailcfg.PeerChange of the session's existing copy of
+// the n.ID Node to n.
+//
+// It returns ok=false if a patch can't be made, (V, ok) on a delta, or (nil,
+// true) if all the fields were identical (a zero change).
+func (ms *mapSession) patchifyPeer(n *tailcfg.Node) (_ *tailcfg.PeerChange, ok bool) {
+	was, ok := ms.peers[n.ID]
+	if !ok {
+		return nil, false
+	}
+	return peerChangeDiff(*was, n)
+}
+
+// peerChangeDiff returns the difference from 'was' to 'n', if possible.
+//
+// It returns (nil, true) if the fields were identical.
+func peerChangeDiff(was tailcfg.NodeView, n *tailcfg.Node) (_ *tailcfg.PeerChange, ok bool) {
+	var ret *tailcfg.PeerChange
+	pc := func() *tailcfg.PeerChange {
+		if ret == nil {
+			ret = new(tailcfg.PeerChange)
+		}
+		return ret
+	}
+	for _, field := range nodeFields() {
+		switch field {
+		default:
+			// The whole point of using reflect in this function is to panic
+			// here in tests if we forget to handle a new field.
+			panic("unhandled field: " + field)
+		case "computedHostIfDifferent", "ComputedName", "ComputedNameWithHost":
+			// Caller's responsibility to have populated these.
+			continue
+		case "DataPlaneAuditLogID":
+			//  Not sent for peers.
+		case "ID":
+			if was.ID() != n.ID {
+				return nil, false
+			}
+		case "StableID":
+			if was.StableID() != n.StableID {
+				return nil, false
+			}
+		case "Name":
+			if was.Name() != n.Name {
+				return nil, false
+			}
+		case "User":
+			if was.User() != n.User {
+				return nil, false
+			}
+		case "Sharer":
+			if was.Sharer() != n.Sharer {
+				return nil, false
+			}
+		case "Key":
+			if was.Key() != n.Key {
+				pc().Key = ptr.To(n.Key)
+			}
+		case "KeyExpiry":
+			if !was.KeyExpiry().Equal(n.KeyExpiry) {
+				pc().KeyExpiry = ptr.To(n.KeyExpiry)
+			}
+		case "KeySignature":
+			if !was.KeySignature().Equal(n.KeySignature) {
+				pc().KeySignature = slices.Clone(n.KeySignature)
+			}
+		case "Machine":
+			if was.Machine() != n.Machine {
+				return nil, false
+			}
+		case "DiscoKey":
+			if was.DiscoKey() != n.DiscoKey {
+				pc().DiscoKey = ptr.To(n.DiscoKey)
+			}
+		case "Addresses":
+			if !views.SliceEqual(was.Addresses(), views.SliceOf(n.Addresses)) {
+				return nil, false
+			}
+		case "AllowedIPs":
+			if !views.SliceEqual(was.AllowedIPs(), views.SliceOf(n.AllowedIPs)) {
+				return nil, false
+			}
+		case "Endpoints":
+			if !views.SliceEqual(was.Endpoints(), views.SliceOf(n.Endpoints)) {
+				pc().Endpoints = slices.Clone(n.Endpoints)
+			}
+		case "DERP":
+			if was.DERP() != n.DERP {
+				ip, portStr, err := net.SplitHostPort(n.DERP)
+				if err != nil || ip != "127.3.3.40" {
+					return nil, false
+				}
+				port, err := strconv.Atoi(portStr)
+				if err != nil || port < 1 || port > 65535 {
+					return nil, false
+				}
+				pc().DERPRegion = port
+			}
+		case "Hostinfo":
+			if !was.Hostinfo().Valid() && !n.Hostinfo.Valid() {
+				continue
+			}
+			if !was.Hostinfo().Valid() || !n.Hostinfo.Valid() {
+				return nil, false
+			}
+			if !was.Hostinfo().Equal(n.Hostinfo) {
+				return nil, false
+			}
+		case "Created":
+			if !was.Created().Equal(n.Created) {
+				return nil, false
+			}
+		case "Cap":
+			if was.Cap() != n.Cap {
+				pc().Cap = n.Cap
+			}
+		case "CapMap":
+			if n.CapMap != nil {
+				pc().CapMap = n.CapMap
+			}
+		case "Tags":
+			if !views.SliceEqual(was.Tags(), views.SliceOf(n.Tags)) {
+				return nil, false
+			}
+		case "PrimaryRoutes":
+			if !views.SliceEqual(was.PrimaryRoutes(), views.SliceOf(n.PrimaryRoutes)) {
+				return nil, false
+			}
+		case "Online":
+			wasOnline := was.Online()
+			if n.Online != nil && wasOnline != nil && *n.Online != *wasOnline {
+				pc().Online = ptr.To(*n.Online)
+			}
+		case "LastSeen":
+			wasSeen := was.LastSeen()
+			if n.LastSeen != nil && wasSeen != nil && !wasSeen.Equal(*n.LastSeen) {
+				pc().LastSeen = ptr.To(*n.LastSeen)
+			}
+		case "MachineAuthorized":
+			if was.MachineAuthorized() != n.MachineAuthorized {
+				return nil, false
+			}
+		case "Capabilities":
+			if !views.SliceEqual(was.Capabilities(), views.SliceOf(n.Capabilities)) {
+				pc().Capabilities = ptr.To(n.Capabilities)
+			}
+		case "UnsignedPeerAPIOnly":
+			if was.UnsignedPeerAPIOnly() != n.UnsignedPeerAPIOnly {
+				return nil, false
+			}
+		case "IsWireGuardOnly":
+			if was.IsWireGuardOnly() != n.IsWireGuardOnly {
+				return nil, false
+			}
+		case "Expired":
+			if was.Expired() != n.Expired {
+				return nil, false
+			}
+		case "SelfNodeV4MasqAddrForThisPeer":
+			va, vb := was.SelfNodeV4MasqAddrForThisPeer(), n.SelfNodeV4MasqAddrForThisPeer
+			if va == nil && vb == nil {
+				continue
+			}
+			if va == nil || vb == nil || *va != *vb {
+				return nil, false
+			}
+		case "SelfNodeV6MasqAddrForThisPeer":
+			va, vb := was.SelfNodeV6MasqAddrForThisPeer(), n.SelfNodeV6MasqAddrForThisPeer
+			if va == nil && vb == nil {
+				continue
+			}
+			if va == nil || vb == nil || *va != *vb {
+				return nil, false
+			}
+		case "ExitNodeDNSResolvers":
+			va, vb := was.ExitNodeDNSResolvers(), views.SliceOfViews(n.ExitNodeDNSResolvers)
+
+			if va.Len() != vb.Len() {
+				return nil, false
+			}
+
+			for i := range va.LenIter() {
+				if !va.At(i).Equal(vb.At(i)) {
+					return nil, false
+				}
+			}
+
+		}
+	}
+	if ret != nil {
+		ret.NodeID = n.ID
+	}
+	return ret, true
+}
+
 // netmap returns a fully populated NetworkMap from the last state seen from
 // a call to updateStateFromResponse, filling in omitted
 // information from prior MapResponse values.
@@ -466,12 +770,6 @@ func (ms *mapSession) netmap() *netmap.NetworkMap {
 		nm.SelfNode = node
 		nm.Expiry = node.KeyExpiry()
 		nm.Name = node.Name()
-		nm.Addresses = filterSelfAddresses(node.Addresses().AsSlice())
-		if node.MachineAuthorized() {
-			nm.MachineStatus = tailcfg.MachineAuthorized
-		} else {
-			nm.MachineStatus = tailcfg.MachineUnauthorized
-		}
 	}

 	ms.addUserProfile(nm, nm.User())
--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -14,17 +14,29 @@ import (
 	"testing"
 	"time"

+	"github.com/google/go-cmp/cmp"
 	"go4.org/mem"
+	"tailscale.com/control/controlknobs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
 	"tailscale.com/tstime"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
 )

+func eps(s ...string) []netip.AddrPort {
+	var eps []netip.AddrPort
+	for _, ep := range s {
+		eps = append(eps, netip.MustParseAddrPort(ep))
+	}
+	return eps
+}
+
 func TestUpdatePeersStateFromResponse(t *testing.T) {
 	var curTime time.Time

@@ -45,7 +57,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 	}
 	withEP := func(ep string) func(*tailcfg.Node) {
 		return func(n *tailcfg.Node) {
-			n.Endpoints = []string{ep}
+			n.Endpoints = []netip.AddrPort{netip.MustParseAddrPort(ep)}
 		}
 	}
 	n := func(id tailcfg.NodeID, name string, mod ...func(*tailcfg.Node)) *tailcfg.Node {
@@ -193,7 +205,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 			mapRes: &tailcfg.MapResponse{
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:    1,
-					Endpoints: []string{"1.2.3.4:56"},
+					Endpoints: eps("1.2.3.4:56"),
 				}},
 			},
 			want:      peers(n(1, "foo", withEP("1.2.3.4:56"))),
@@ -205,7 +217,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 			mapRes: &tailcfg.MapResponse{
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:    1,
-					Endpoints: []string{"1.2.3.4:56"},
+					Endpoints: eps("1.2.3.4:56"),
 				}},
 			},
 			want:      peers(n(1, "foo", withDERP("127.3.3.40:3"), withEP("1.2.3.4:56"))),
@@ -218,7 +230,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:     1,
 					DERPRegion: 2,
-					Endpoints:  []string{"1.2.3.4:56"},
+					Endpoints:  eps("1.2.3.4:56"),
 				}},
 			},
 			want:      peers(n(1, "foo", withDERP("127.3.3.40:2"), withEP("1.2.3.4:56"))),
@@ -325,13 +337,13 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 			mapRes: &tailcfg.MapResponse{
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:       1,
-					Capabilities: ptr.To([]string{"foo"}),
+					Capabilities: ptr.To([]tailcfg.NodeCapability{"foo"}),
 				}},
 			},
 			want: peers(&tailcfg.Node{
 				ID:           1,
 				Name:         "foo",
-				Capabilities: []string{"foo"},
+				Capabilities: []tailcfg.NodeCapability{"foo"},
 			}),
 			wantStats: updateStats{changed: 1},
 		}}
@@ -390,7 +402,7 @@ func formatNodes(nodes []*tailcfg.Node) string {
 }

 func newTestMapSession(t testing.TB, nu NetmapUpdater) *mapSession {
-	ms := newMapSession(key.NewNode(), nu)
+	ms := newMapSession(key.NewNode(), nu, new(controlknobs.Knobs))
 	t.Cleanup(ms.Close)
 	ms.logf = t.Logf
 	return ms
@@ -635,13 +647,149 @@ func TestDeltaDERPMap(t *testing.T) {
 			for stepi, s := range tt.steps {
 				nm := ms.netmapForResponse(&tailcfg.MapResponse{DERPMap: s.got})
 				if !reflect.DeepEqual(nm.DERPMap, s.want) {
-					t.Errorf("unexpected result at step index %v; got: %s", stepi, must.Get(json.Marshal(nm.DERPMap)))
+					t.Errorf("unexpected result at step index %v; got: %s", stepi, logger.AsJSON(nm.DERPMap))
 				}
 			}
 		})
 	}
 }

+func TestPeerChangeDiff(t *testing.T) {
+	tests := []struct {
+		name      string
+		a, b      *tailcfg.Node
+		want      *tailcfg.PeerChange // nil means want ok=false, unless wantEqual is set
+		wantEqual bool                // means test wants (nil, true)
+	}{
+		{
+			name:      "eq",
+			a:         &tailcfg.Node{ID: 1},
+			b:         &tailcfg.Node{ID: 1},
+			wantEqual: true,
+		},
+		{
+			name: "patch-derp",
+			a:    &tailcfg.Node{ID: 1, DERP: "127.3.3.40:1"},
+			b:    &tailcfg.Node{ID: 1, DERP: "127.3.3.40:2"},
+			want: &tailcfg.PeerChange{NodeID: 1, DERPRegion: 2},
+		},
+		{
+			name: "patch-endpoints",
+			a:    &tailcfg.Node{ID: 1, Endpoints: eps("10.0.0.1:1")},
+			b:    &tailcfg.Node{ID: 1, Endpoints: eps("10.0.0.2:2")},
+			want: &tailcfg.PeerChange{NodeID: 1, Endpoints: eps("10.0.0.2:2")},
+		},
+		{
+			name: "patch-cap",
+			a:    &tailcfg.Node{ID: 1, Cap: 1},
+			b:    &tailcfg.Node{ID: 1, Cap: 2},
+			want: &tailcfg.PeerChange{NodeID: 1, Cap: 2},
+		},
+		{
+			name: "patch-lastseen",
+			a:    &tailcfg.Node{ID: 1, LastSeen: ptr.To(time.Unix(1, 0))},
+			b:    &tailcfg.Node{ID: 1, LastSeen: ptr.To(time.Unix(2, 0))},
+			want: &tailcfg.PeerChange{NodeID: 1, LastSeen: ptr.To(time.Unix(2, 0))},
+		},
+		{
+			name: "patch-capabilities-to-nonempty",
+			a:    &tailcfg.Node{ID: 1, Capabilities: []tailcfg.NodeCapability{"foo"}},
+			b:    &tailcfg.Node{ID: 1, Capabilities: []tailcfg.NodeCapability{"bar"}},
+			want: &tailcfg.PeerChange{NodeID: 1, Capabilities: ptr.To([]tailcfg.NodeCapability{"bar"})},
+		},
+		{
+			name: "patch-capabilities-to-empty",
+			a:    &tailcfg.Node{ID: 1, Capabilities: []tailcfg.NodeCapability{"foo"}},
+			b:    &tailcfg.Node{ID: 1},
+			want: &tailcfg.PeerChange{NodeID: 1, Capabilities: ptr.To([]tailcfg.NodeCapability(nil))},
+		},
+		{
+			name: "patch-online-to-true",
+			a:    &tailcfg.Node{ID: 1, Online: ptr.To(false)},
+			b:    &tailcfg.Node{ID: 1, Online: ptr.To(true)},
+			want: &tailcfg.PeerChange{NodeID: 1, Online: ptr.To(true)},
+		},
+		{
+			name: "patch-online-to-false",
+			a:    &tailcfg.Node{ID: 1, Online: ptr.To(true)},
+			b:    &tailcfg.Node{ID: 1, Online: ptr.To(false)},
+			want: &tailcfg.PeerChange{NodeID: 1, Online: ptr.To(false)},
+		},
+		{
+			name: "mix-patchable-and-not",
+			a:    &tailcfg.Node{ID: 1, Cap: 1},
+			b:    &tailcfg.Node{ID: 1, Cap: 2, StableID: "foo"},
+			want: nil,
+		},
+		{
+			name: "miss-change-stableid",
+			a:    &tailcfg.Node{ID: 1},
+			b:    &tailcfg.Node{ID: 1, StableID: "diff"},
+			want: nil,
+		},
+		{
+			name: "miss-change-id",
+			a:    &tailcfg.Node{ID: 1},
+			b:    &tailcfg.Node{ID: 2},
+			want: nil,
+		},
+		{
+			name: "miss-change-name",
+			a:    &tailcfg.Node{ID: 1, Name: "foo"},
+			b:    &tailcfg.Node{ID: 1, Name: "bar"},
+			want: nil,
+		},
+		{
+			name: "miss-change-user",
+			a:    &tailcfg.Node{ID: 1, User: 1},
+			b:    &tailcfg.Node{ID: 1, User: 2},
+			want: nil,
+		},
+		{
+			name: "miss-change-masq-v4",
+			a:    &tailcfg.Node{ID: 1, SelfNodeV4MasqAddrForThisPeer: ptr.To(netip.MustParseAddr("100.64.0.1"))},
+			b:    &tailcfg.Node{ID: 1, SelfNodeV4MasqAddrForThisPeer: ptr.To(netip.MustParseAddr("100.64.0.2"))},
+			want: nil,
+		},
+		{
+			name: "miss-change-masq-v6",
+			a:    &tailcfg.Node{ID: 1, SelfNodeV6MasqAddrForThisPeer: ptr.To(netip.MustParseAddr("2001::3456"))},
+			b:    &tailcfg.Node{ID: 1, SelfNodeV6MasqAddrForThisPeer: ptr.To(netip.MustParseAddr("2001::3006"))},
+			want: nil,
+		}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pc, ok := peerChangeDiff(tt.a.View(), tt.b)
+			if tt.wantEqual {
+				if !ok || pc != nil {
+					t.Errorf("got (%p, %v); want (nil, true); pc=%v", pc, ok, logger.AsJSON(pc))
+				}
+				return
+			}
+			if (pc != nil) != ok {
+				t.Fatalf("inconsistent ok=%v, pc=%p", ok, pc)
+			}
+			if !reflect.DeepEqual(pc, tt.want) {
+				t.Errorf("mismatch\n got: %v\nwant: %v\n", logger.AsJSON(pc), logger.AsJSON(tt.want))
+			}
+		})
+	}
+}
+
+func TestPeerChangeDiffAllocs(t *testing.T) {
+	a := &tailcfg.Node{ID: 1}
+	b := &tailcfg.Node{ID: 1}
+	n := testing.AllocsPerRun(10000, func() {
+		diff, ok := peerChangeDiff(a.View(), b)
+		if !ok || diff != nil {
+			t.Fatalf("unexpected result: (%s, %v)", logger.AsJSON(diff), ok)
+		}
+	})
+	if n != 0 {
+		t.Errorf("allocs = %v; want 0", int(n))
+	}
+}
+
 type countingNetmapUpdater struct {
 	full atomic.Int64
 }
@@ -650,6 +798,117 @@ func (nu *countingNetmapUpdater) UpdateFullNetmap(nm *netmap.NetworkMap) {
 	nu.full.Add(1)
 }

+// tests (*mapSession).patchifyPeersChanged; smaller tests are in TestPeerChangeDiff
+func TestPatchifyPeersChanged(t *testing.T) {
+	hi := (&tailcfg.Hostinfo{}).View()
+	tests := []struct {
+		name string
+		mr0  *tailcfg.MapResponse // initial
+		mr1  *tailcfg.MapResponse // incremental
+		want *tailcfg.MapResponse // what the incremental one should've been mutated to
+	}{
+		{
+			name: "change_one_endpoint",
+			mr0: &tailcfg.MapResponse{
+				Node: &tailcfg.Node{Name: "foo.bar.ts.net."},
+				Peers: []*tailcfg.Node{
+					{ID: 1, Hostinfo: hi},
+				},
+			},
+			mr1: &tailcfg.MapResponse{
+				PeersChanged: []*tailcfg.Node{
+					{ID: 1, Endpoints: eps("10.0.0.1:1111"), Hostinfo: hi},
+				},
+			},
+			want: &tailcfg.MapResponse{
+				PeersChanged: nil,
+				PeersChangedPatch: []*tailcfg.PeerChange{
+					{NodeID: 1, Endpoints: eps("10.0.0.1:1111")},
+				},
+			},
+		},
+		{
+			name: "change_some",
+			mr0: &tailcfg.MapResponse{
+				Node: &tailcfg.Node{Name: "foo.bar.ts.net."},
+				Peers: []*tailcfg.Node{
+					{ID: 1, DERP: "127.3.3.40:1", Hostinfo: hi},
+					{ID: 2, DERP: "127.3.3.40:2", Hostinfo: hi},
+					{ID: 3, DERP: "127.3.3.40:3", Hostinfo: hi},
+				},
+			},
+			mr1: &tailcfg.MapResponse{
+				PeersChanged: []*tailcfg.Node{
+					{ID: 1, DERP: "127.3.3.40:11", Hostinfo: hi},
+					{ID: 2, StableID: "other-change", Hostinfo: hi},
+					{ID: 3, DERP: "127.3.3.40:33", Hostinfo: hi},
+					{ID: 4, DERP: "127.3.3.40:4", Hostinfo: hi},
+				},
+			},
+			want: &tailcfg.MapResponse{
+				PeersChanged: []*tailcfg.Node{
+					{ID: 2, StableID: "other-change", Hostinfo: hi},
+					{ID: 4, DERP: "127.3.3.40:4", Hostinfo: hi},
+				},
+				PeersChangedPatch: []*tailcfg.PeerChange{
+					{NodeID: 1, DERPRegion: 11},
+					{NodeID: 3, DERPRegion: 33},
+				},
+			},
+		},
+		{
+			name: "change_exitnodednsresolvers",
+			mr0: &tailcfg.MapResponse{
+				Node: &tailcfg.Node{Name: "foo.bar.ts.net."},
+				Peers: []*tailcfg.Node{
+					{ID: 1, ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.exmaple.com"}}, Hostinfo: hi},
+				},
+			},
+			mr1: &tailcfg.MapResponse{
+				PeersChanged: []*tailcfg.Node{
+					{ID: 1, ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns2.exmaple.com"}}, Hostinfo: hi},
+				},
+			},
+			want: &tailcfg.MapResponse{
+				PeersChanged: []*tailcfg.Node{
+					{ID: 1, ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns2.exmaple.com"}}, Hostinfo: hi},
+				},
+			},
+		},
+		{
+			name: "same_exitnoderesolvers",
+			mr0: &tailcfg.MapResponse{
+				Node: &tailcfg.Node{Name: "foo.bar.ts.net."},
+				Peers: []*tailcfg.Node{
+					{ID: 1, ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.exmaple.com"}}, Hostinfo: hi},
+				},
+			},
+			mr1: &tailcfg.MapResponse{
+				PeersChanged: []*tailcfg.Node{
+					{ID: 1, ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.exmaple.com"}}, Hostinfo: hi},
+				},
+			},
+			want: &tailcfg.MapResponse{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			nu := &countingNetmapUpdater{}
+			ms := newTestMapSession(t, nu)
+			ms.updateStateFromResponse(tt.mr0)
+			mr1 := new(tailcfg.MapResponse)
+			must.Do(json.Unmarshal(must.Get(json.Marshal(tt.mr1)), mr1))
+			ms.patchifyPeersChanged(mr1)
+			opts := []cmp.Option{
+				cmp.Comparer(func(a, b netip.AddrPort) bool { return a == b }),
+			}
+			if diff := cmp.Diff(tt.want, mr1, opts...); diff != "" {
+				t.Errorf("wrong result (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
+
 func BenchmarkMapSessionDelta(b *testing.B) {
 	for _, size := range []int{10, 100, 1_000, 10_000} {
 		b.Run(fmt.Sprintf("size_%d", size), func(b *testing.B) {
@@ -669,7 +928,7 @@ func BenchmarkMapSessionDelta(b *testing.B) {
 					DERP:       "127.3.3.40:10",
 					Addresses:  []netip.Prefix{netip.MustParsePrefix("100.100.2.3/32"), netip.MustParsePrefix("fd7a:115c:a1e0::123/128")},
 					AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.100.2.3/32"), netip.MustParsePrefix("fd7a:115c:a1e0::123/128")},
-					Endpoints:  []string{"192.168.1.2:345", "192.168.1.3:678"},
+					Endpoints:  eps("192.168.1.2:345", "192.168.1.3:678"),
 					Hostinfo: (&tailcfg.Hostinfo{
 						OS:       "fooOS",
 						Hostname: "MyHostname",
@@ -700,5 +959,4 @@ func BenchmarkMapSessionDelta(b *testing.B) {
 			}
 		})
 	}
-
 }
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -177,6 +177,7 @@ type NoiseClient struct {

 	// mu only protects the following variables.
 	mu       sync.Mutex
+	closed   bool
 	last     *noiseConn // or nil
 	nextID   int
 	connPool map[int]*noiseConn // active connections not yet closed; see noiseConn.Close
@@ -373,6 +374,7 @@ func (nc *NoiseClient) connClosed(id int) {
 // It is a no-op and returns nil if the connection is already closed.
 func (nc *NoiseClient) Close() error {
 	nc.mu.Lock()
+	nc.closed = true
 	conns := nc.connPool
 	nc.connPool = nil
 	nc.mu.Unlock()
@@ -471,6 +473,11 @@ func (nc *NoiseClient) dial(ctx context.Context) (*noiseConn, error) {
 	ncc.h2cc = h2cc

 	nc.mu.Lock()
+	if nc.closed {
+		nc.mu.Unlock()
+		ncc.Close() // Needs to be called without holding the lock.
+		return nil, errors.New("noise client closed")
+	}
 	defer nc.mu.Unlock()
 	mak.Set(&nc.connPool, ncc.id, ncc)
 	nc.last = ncc
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -40,7 +40,7 @@ var getMachineCertificateSubjectOnce struct {
 // Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
 func getMachineCertificateSubject() string {
 	getMachineCertificateSubjectOnce.Do(func() {
-		getMachineCertificateSubjectOnce.v = winutil.GetRegString("MachineCertificateSubject", "")
+		getMachineCertificateSubjectOnce.v, _ = winutil.GetRegString("MachineCertificateSubject")
 	})

 	return getMachineCertificateSubjectOnce.v
--- a/control/controlclient/status.go
+++ b/control/controlclient/status.go
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"reflect"

-	"tailscale.com/types/empty"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/structs"
@@ -38,6 +37,10 @@ const (
 	StateSynchronized // connected and received map update
 )

+func (s State) AppendText(b []byte) ([]byte, error) {
+	return append(b, s.String()...), nil
+}
+
 func (s State) MarshalText() ([]byte, error) {
 	return []byte(s.String()), nil
 }
@@ -62,34 +65,55 @@ func (s State) String() string {
 }

 type Status struct {
-	_              structs.Incomparable
-	LoginFinished  *empty.Message // nonempty when login finishes
-	LogoutFinished *empty.Message // nonempty when logout finishes
-	Err            error
-	URL            string             // interactive URL to visit to finish logging in
-	NetMap         *netmap.NetworkMap // server-pushed configuration
+	_ structs.Incomparable

-	// The internal state should not be exposed outside this
+	// Err, if non-nil, is an error that occurred while logging in.
+	//
+	// If it's of type UserVisibleError then it's meant to be shown to users in
+	// their Tailscale client. Otherwise it's just logged to tailscaled's logs.
+	Err error
+
+	// URL, if non-empty, is the interactive URL to visit to finish logging in.
+	URL string
+
+	// NetMap is the latest server-pushed state of the tailnet network.
+	NetMap *netmap.NetworkMap
+
+	// Persist, when Valid, is the locally persisted configuration.
+	//
+	// TODO(bradfitz,maisem): clarify this.
+	Persist persist.PersistView
+
+	// state is the internal state. It should not be exposed outside this
 	// package, but we have some automated tests elsewhere that need to
-	// use them. Please don't use these fields.
+	// use it via the StateForTest accessor.
 	// TODO(apenwarr): Unexport or remove these.
-	State   State
-	Persist *persist.PersistView // locally persisted configuration
+	state State
 }

+// LoginFinished reports whether the controlclient is in its "StateAuthenticated"
+// state where it's in a happy register state but not yet in a map poll.
+//
+// TODO(bradfitz): delete this and everything around Status.state.
+func (s *Status) LoginFinished() bool { return s.state == StateAuthenticated }
+
+// StateForTest returns the internal state of s for tests only.
+func (s *Status) StateForTest() State { return s.state }
+
+// SetStateForTest sets the internal state of s for tests only.
+func (s *Status) SetStateForTest(state State) { s.state = state }
+
 // Equal reports whether s and s2 are equal.
 func (s *Status) Equal(s2 *Status) bool {
 	if s == nil && s2 == nil {
 		return true
 	}
 	return s != nil && s2 != nil &&
-		(s.LoginFinished == nil) == (s2.LoginFinished == nil) &&
-		(s.LogoutFinished == nil) == (s2.LogoutFinished == nil) &&
 		s.Err == s2.Err &&
 		s.URL == s2.URL &&
+		s.state == s2.state &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
-		reflect.DeepEqual(s.NetMap, s2.NetMap) &&
-		s.State == s2.State
+		reflect.DeepEqual(s.NetMap, s2.NetMap)
 }

 func (s Status) String() string {
@@ -97,5 +121,5 @@ func (s Status) String() string {
 	if err != nil {
 		panic(err)
 	}
-	return s.State.String() + " " + string(b)
+	return s.state.String() + " " + string(b)
 }
--- a/control/controlhttp/client_js.go
+++ b/control/controlhttp/client_js.go
@@ -51,7 +51,7 @@ func (d *Dialer) Dial(ctx context.Context) (*ClientConn, error) {
 	if err != nil {
 		return nil, err
 	}
-	netConn := wsconn.NetConn(context.Background(), wsConn, websocket.MessageBinary)
+	netConn := wsconn.NetConn(context.Background(), wsConn, websocket.MessageBinary, wsURL.String())
 	cbConn, err := cont(ctx, netConn)
 	if err != nil {
 		netConn.Close()
--- a/control/controlhttp/server.go
+++ b/control/controlhttp/server.go
@@ -146,7 +146,7 @@ func acceptWebsocket(ctx context.Context, w http.ResponseWriter, r *http.Request
 		return nil, fmt.Errorf("decoding base64 handshake parameter: %v", err)
 	}

-	conn := wsconn.NetConn(ctx, c, websocket.MessageBinary)
+	conn := wsconn.NetConn(ctx, c, websocket.MessageBinary, r.RemoteAddr)
 	nc, err := controlbase.Server(ctx, conn, private, init)
 	if err != nil {
 		conn.Close()
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -6,24 +6,126 @@
 package controlknobs

 import (
+	"slices"
+	"strconv"
 	"sync/atomic"
+	"time"

-	"tailscale.com/envknob"
+	"tailscale.com/syncs"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/opt"
 )

-// disableUPnP indicates whether to attempt UPnP mapping.
-var disableUPnPControl atomic.Bool
+// Knobs is the set of knobs that the control plane's coordination server can
+// adjust at runtime.
+type Knobs struct {
+	// DisableUPnP indicates whether to attempt UPnP mapping.
+	DisableUPnP atomic.Bool

-var disableUPnpEnv = envknob.RegisterBool("TS_DISABLE_UPNP")
+	// DisableDRPO is whether control says to disable the
+	// DERP route optimization (Issue 150).
+	DisableDRPO atomic.Bool

-// DisableUPnP reports the last reported value from control
-// whether UPnP portmapping should be disabled.
-func DisableUPnP() bool {
-	return disableUPnPControl.Load() || disableUPnpEnv()
+	// KeepFullWGConfig is whether we should disable the lazy wireguard
+	// programming and instead give WireGuard the full netmap always, even for
+	// idle peers.
+	KeepFullWGConfig atomic.Bool
+
+	// RandomizeClientPort is whether control says we should randomize
+	// the client port.
+	RandomizeClientPort atomic.Bool
+
+	// OneCGNAT is whether the the node should make one big CGNAT route
+	// in the OS rather than one /32 per peer.
+	OneCGNAT syncs.AtomicValue[opt.Bool]
+
+	// ForceBackgroundSTUN forces netcheck STUN queries to keep
+	// running in magicsock, even when idle.
+	ForceBackgroundSTUN atomic.Bool
+
+	// DisableDeltaUpdates is whether the node should not process
+	// incremental (delta) netmap updates and should treat all netmap
+	// changes as "full" ones as tailscaled did in 1.48.x and earlier.
+	DisableDeltaUpdates atomic.Bool
+
+	// PeerMTUEnable is whether the node should do peer path MTU discovery.
+	PeerMTUEnable atomic.Bool
+
+	// DisableDNSForwarderTCPRetries is whether the DNS forwarder should
+	// skip retrying truncated queries over TCP.
+	DisableDNSForwarderTCPRetries atomic.Bool
+
+	// MagicsockSessionActiveTimeout is an alternate magicsock session timeout
+	// duration to use. If zero or unset, the default is used.
+	MagicsockSessionActiveTimeout syncs.AtomicValue[time.Duration]
 }

-// SetDisableUPnP sets whether control says that UPnP should be
-// disabled.
-func SetDisableUPnP(v bool) {
-	disableUPnPControl.Store(v)
+// UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
+// node attributes (Node.Capabilities).
+func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability, capMap tailcfg.NodeCapMap) {
+	if k == nil {
+		return
+	}
+	has := func(attr tailcfg.NodeCapability) bool {
+		_, ok := capMap[attr]
+		return ok || slices.Contains(selfNodeAttrs, attr)
+	}
+	var (
+		keepFullWG                    = has(tailcfg.NodeAttrDebugDisableWGTrim)
+		disableDRPO                   = has(tailcfg.NodeAttrDebugDisableDRPO)
+		disableUPnP                   = has(tailcfg.NodeAttrDisableUPnP)
+		randomizeClientPort           = has(tailcfg.NodeAttrRandomizeClientPort)
+		disableDeltaUpdates           = has(tailcfg.NodeAttrDisableDeltaUpdates)
+		oneCGNAT                      opt.Bool
+		forceBackgroundSTUN           = has(tailcfg.NodeAttrDebugForceBackgroundSTUN)
+		peerMTUEnable                 = has(tailcfg.NodeAttrPeerMTUEnable)
+		dnsForwarderDisableTCPRetries = has(tailcfg.NodeAttrDNSForwarderDisableTCPRetries)
+	)
+
+	if has(tailcfg.NodeAttrOneCGNATEnable) {
+		oneCGNAT.Set(true)
+	} else if has(tailcfg.NodeAttrOneCGNATDisable) {
+		oneCGNAT.Set(false)
+	}
+
+	k.KeepFullWGConfig.Store(keepFullWG)
+	k.DisableDRPO.Store(disableDRPO)
+	k.DisableUPnP.Store(disableUPnP)
+	k.RandomizeClientPort.Store(randomizeClientPort)
+	k.OneCGNAT.Store(oneCGNAT)
+	k.ForceBackgroundSTUN.Store(forceBackgroundSTUN)
+	k.DisableDeltaUpdates.Store(disableDeltaUpdates)
+	k.PeerMTUEnable.Store(peerMTUEnable)
+	k.DisableDNSForwarderTCPRetries.Store(dnsForwarderDisableTCPRetries)
+
+	var timeout time.Duration
+	if vv := capMap[tailcfg.NodeAttrMagicsockSessionTimeout]; len(vv) > 0 {
+		if v, _ := strconv.Unquote(string(vv[0])); v != "" {
+			timeout, _ = time.ParseDuration(v)
+			timeout = max(timeout, 0)
+		}
+	}
+	if was := k.MagicsockSessionActiveTimeout.Load(); was != timeout {
+		k.MagicsockSessionActiveTimeout.Store(timeout)
+	}
+}
+
+// AsDebugJSON returns k as something that can be marshalled with json.Marshal
+// for debug.
+func (k *Knobs) AsDebugJSON() map[string]any {
+	if k == nil {
+		return nil
+	}
+	return map[string]any{
+		"DisableUPnP":                   k.DisableUPnP.Load(),
+		"DisableDRPO":                   k.DisableDRPO.Load(),
+		"KeepFullWGConfig":              k.KeepFullWGConfig.Load(),
+		"RandomizeClientPort":           k.RandomizeClientPort.Load(),
+		"OneCGNAT":                      k.OneCGNAT.Load(),
+		"ForceBackgroundSTUN":           k.ForceBackgroundSTUN.Load(),
+		"DisableDeltaUpdates":           k.DisableDeltaUpdates.Load(),
+		"PeerMTUEnable":                 k.PeerMTUEnable.Load(),
+		"DisableDNSForwarderTCPRetries": k.DisableDNSForwarderTCPRetries.Load(),
+		"MagicsockSessionActiveTimeout": k.MagicsockSessionActiveTimeout.Load().String(),
+	}
 }
--- a/control/controlknobs/controlknobs_test.go
+++ b/control/controlknobs/controlknobs_test.go
@@ -0,0 +1,21 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package controlknobs
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestAsDebugJSON(t *testing.T) {
+	var nilPtr *Knobs
+	if got := nilPtr.AsDebugJSON(); got != nil {
+		t.Errorf("AsDebugJSON(nil) = %v; want nil", got)
+	}
+	k := new(Knobs)
+	got := k.AsDebugJSON()
+	if want := reflect.TypeOf(Knobs{}).NumField(); len(got) != want {
+		t.Errorf("AsDebugJSON map has %d fields; want %v", len(got), want)
+	}
+}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .49.0
 .51.0