tailcfg: ping request notes WIP

2021-05-06 10:23:45 -07:00
162 changed files with 2920 additions and 7322 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -2,7 +2,36 @@
 name: Bug report
 about: Create a bug report
 title: ''
-labels: 'needs-triage'
+labels: ''
 assignees: ''

 ---
+
+<!-- Please note, this template is for definite bugs, not requests for
+support. If you need help with Tailscale, please email
+support@tailscale.com. We don't provide support via Github issues. -->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Version information:**
+ - Device: [e.g. iPhone X, laptop]
+ - OS: [e.g. Windows, MacOS]
+ - OS version: [e.g. Windows 10, Ubuntu 18.04]
+ - Tailscale version: [e.g. 0.95-0]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -2,6 +2,25 @@
 name: Feature request
 about: Suggest an idea for this project
 title: ''
-labels: 'needs-triage'
+labels: ''
 assignees: ''
+
 ---
+
+**Is your feature request related to a problem? Please describe.**
+
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+
+A clear and concise description of any alternative solutions or
+features you've considered.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.
--- a/.github/workflows/xe-experimental-vm-test.yml
+++ b/.github/workflows/xe-experimental-vm-test.yml
@@ -1,36 +0,0 @@
-name: "integration-vms"
-
-on:
-  # # NOTE(Xe): uncomment this region when testing the test
-  # pull_request:
-  #   branches:
-  #     - 'main'
-  release:
-    types: [ created ]
-  schedule:
-    # At minute 0 past hour 6 and 18
-    # https://crontab.guru/#00_6,18_*_*_*
-    - cron: '00 6,18 * * *'
-
-jobs:
-  experimental-linux-vm-test:
-    # To set up a new runner, see tstest/integration/vms/runner.nix
-    runs-on: [ self-hosted, linux, vm_integration_test ]
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v1
-
-      - name: Download VM Images
-        run: go test ./tstest/integration/vms -run-vm-tests -run=Download -timeout=60m
-        env:
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
-      - name: Run VM tests
-        run: go test ./tstest/integration/vms -v -run-vm-tests
-        env:
-          TMPDIR: "/tmp"
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.9.0
+1.7.0
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -11,36 +11,6 @@

 set -eu

-IFS=".$IFS" read -r major minor patch <VERSION.txt
-git_hash=$(git rev-parse HEAD)
-if ! git diff-index --quiet HEAD; then
-	git_hash="${git_hash}-dirty"
-fi
-base_hash=$(git rev-list --max-count=1 HEAD -- VERSION.txt)
-change_count=$(git rev-list --count HEAD "^$base_hash")
-short_hash=$(echo "$git_hash" | cut -c1-9)
+eval $(./version/version.sh)

-if expr "$minor" : "[0-9]*[13579]$" >/dev/null; then
-	patch="$change_count"
-	change_suffix=""
-elif [ "$change_count" != "0" ]; then
-	change_suffix="-$change_count"
-else
-	change_suffix=""
-fi
-
-long_suffix="$change_suffix-t$short_hash"
-SHORT="$major.$minor.$patch"
-LONG="${SHORT}$long_suffix"
-GIT_HASH="$git_hash"
-
-if [ "$1" = "shellvars" ]; then
-	cat <<EOF
-VERSION_SHORT="$SHORT"
-VERSION_LONG="$LONG"
-VERSION_GIT_HASH="$GIT_HASH"
-EOF
-	exit 0
-fi
-
-exec go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
+exec go build -tags xversion -ldflags "-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" "$@"
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -256,25 +256,3 @@ func Logout(ctx context.Context) error {
 	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
 	return err
 }
-
-// SetDNS adds a DNS TXT record for the given domain name, containing
-// the provided TXT value. The intended use case is answering
-// LetsEncrypt/ACME dns-01 challenges.
-//
-// The control plane will only permit SetDNS requests with very
-// specific names and values. The name should be
-// "_acme-challenge." + your node's MagicDNS name. It's expected that
-// clients cache the certs from LetsEncrypt (or whichever CA is
-// providing them) and only request new ones as needed; the control plane
-// rate limits SetDNS requests.
-//
-// This is a low-level interface; it's expected that most Tailscale
-// users use a higher level interface to getting/using TLS
-// certificates.
-func SetDNS(ctx context.Context, name, value string) error {
-	v := url.Values{}
-	v.Set("name", name)
-	v.Set("value", value)
-	_, err := send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
-	return err
-}
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -112,13 +112,13 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 		return ""
 	}
 	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.IP().Is4() && nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
+		if nodeIP.IP.Is4() && nodeIP.IsSingleIP() {
+			return nodeIP.IP.String()
 		}
 	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
+			return nodeIP.IP.String()
 		}
 	}
 	return ""
--- a/cmd/mkpkg/main.go
+++ b/cmd/mkpkg/main.go
@@ -21,9 +21,6 @@ import (
 // into a map of filePathOnDisk -> filePathInPackage.
 func parseFiles(s string) (map[string]string, error) {
 	ret := map[string]string{}
-	if len(s) == 0 {
-		return ret, nil
-	}
 	for _, f := range strings.Split(s, ",") {
 		fs := strings.Split(f, ":")
 		if len(fs) != 2 {
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -16,91 +16,126 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
 )

-// geese is a collection of gooses. It need not be complete.
-// But it should include anything handled specially (e.g. linux, windows)
-// and at least one thing that's not (darwin, freebsd).
-var geese = []string{"linux", "darwin", "windows", "freebsd"}
-
 // Test that checkForAccidentalSettingReverts's updateMaskedPrefsFromUpFlag can handle
 // all flags. This will panic if a new flag creeps in that's unhandled.
-//
-// Also, issue 1880: advertise-exit-node was being ignored. Verify that all flags cause an edit.
 func TestUpdateMaskedPrefsFromUpFlag(t *testing.T) {
-	for _, goos := range geese {
-		var upArgs upArgsT
-		fs := newUpFlagSet(goos, &upArgs)
-		fs.VisitAll(func(f *flag.Flag) {
-			mp := new(ipn.MaskedPrefs)
-			updateMaskedPrefsFromUpFlag(mp, f.Name)
-			got := mp.Pretty()
-			wantEmpty := preflessFlag(f.Name)
-			isEmpty := got == "MaskedPrefs{}"
-			if isEmpty != wantEmpty {
-				t.Errorf("flag %q created MaskedPrefs %s; want empty=%v", f.Name, got, wantEmpty)
-			}
-		})
-	}
+	mp := new(ipn.MaskedPrefs)
+	upFlagSet.VisitAll(func(f *flag.Flag) {
+		updateMaskedPrefsFromUpFlag(mp, f.Name)
+	})
 }

 func TestCheckForAccidentalSettingReverts(t *testing.T) {
+	f := func(flags ...string) map[string]bool {
+		m := make(map[string]bool)
+		for _, f := range flags {
+			m[f] = true
+		}
+		return m
+	}
 	tests := []struct {
 		name     string
-		flags    []string // argv to be parsed by FlagSet
+		flagSet  map[string]bool
 		curPrefs *ipn.Prefs
-
-		curExitNodeIP netaddr.IP
-		curUser       string // os.Getenv("USER") on the client side
-		goos          string // empty means "linux"
-
-		want string
+		curUser  string // os.Getenv("USER") on the client side
+		goos     string // empty means "linux"
+		mp       *ipn.MaskedPrefs
+		want     string
 	}{
 		{
-			name:  "bare_up_means_up",
-			flags: []string{},
+			name:    "bare_up_means_up",
+			flagSet: f(),
 			curPrefs: &ipn.Prefs{
 				ControlURL:  ipn.DefaultControlURL,
 				WantRunning: false,
 				Hostname:    "foo",
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					WantRunning: true,
+				},
+				WantRunningSet: true,
+			},
 			want: "",
 		},
 		{
-			name:  "losing_hostname",
-			flags: []string{"--accept-dns"},
+			name:    "losing_hostname",
+			flagSet: f("accept-dns"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      false,
-				Hostname:         "foo",
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
+				ControlURL:  ipn.DefaultControlURL,
+				WantRunning: false,
+				Hostname:    "foo",
+				CorpDNS:     true,
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+					CorpDNS:     true,
+				},
+				ControlURLSet:  true,
+				WantRunningSet: true,
+				CorpDNSSet:     true,
 			},
 			want: accidentalUpPrefix + " --accept-dns --hostname=foo",
 		},
 		{
-			name:  "hostname_changing_explicitly",
-			flags: []string{"--hostname=bar"},
+			name:    "hostname_changing_explicitly",
+			flagSet: f("hostname"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-				Hostname:         "foo",
+				ControlURL:  ipn.DefaultControlURL,
+				WantRunning: false,
+				Hostname:    "foo",
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+					Hostname:    "bar",
+				},
+				ControlURLSet:  true,
+				WantRunningSet: true,
+				HostnameSet:    true,
 			},
 			want: "",
 		},
 		{
-			name:  "hostname_changing_empty_explicitly",
-			flags: []string{"--hostname="},
+			name:    "hostname_changing_empty_explicitly",
+			flagSet: f("hostname"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-				Hostname:         "foo",
+				ControlURL:  ipn.DefaultControlURL,
+				WantRunning: false,
+				Hostname:    "foo",
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+					Hostname:    "",
+				},
+				ControlURLSet:  true,
+				WantRunningSet: true,
+				HostnameSet:    true,
+			},
+			want: "",
+		},
+		{
+			name:    "empty_slice_equals_nil_slice",
+			flagSet: f("hostname"),
+			curPrefs: &ipn.Prefs{
+				ControlURL:      ipn.DefaultControlURL,
+				AdvertiseRoutes: []netaddr.IPPrefix{},
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:      ipn.DefaultControlURL,
+					AdvertiseRoutes: nil,
+				},
+				ControlURLSet: true,
 			},
 			want: "",
 		},
@@ -108,300 +143,335 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			// Issue 1725: "tailscale up --authkey=..." (or other non-empty flags) works from
 			// a fresh server's initial prefs.
 			name:     "up_with_default_prefs",
-			flags:    []string{"--authkey=foosdlkfjskdljf"},
+			flagSet:  f("authkey"),
 			curPrefs: ipn.NewPrefs(),
-			want:     "",
+			mp: &ipn.MaskedPrefs{
+				Prefs:          *defaultPrefsFromUpArgs(t, "linux"),
+				WantRunningSet: true,
+			},
+			want: "",
 		},
 		{
-			name:  "implicit_operator_change",
-			flags: []string{"--hostname=foo"},
+			name:    "implicit_operator_change",
+			flagSet: f("hostname"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				OperatorUser:     "alice",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL:   ipn.DefaultControlURL,
+				OperatorUser: "alice",
 			},
 			curUser: "eve",
-			want:    accidentalUpPrefix + " --hostname=foo --operator=alice",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+				},
+				ControlURLSet: true,
+			},
+			want: accidentalUpPrefix + " --hostname= --operator=alice",
 		},
 		{
-			name:  "implicit_operator_matches_shell_user",
-			flags: []string{"--hostname=foo"},
+			name:    "implicit_operator_matches_shell_user",
+			flagSet: f("hostname"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				OperatorUser:     "alice",
+				ControlURL:   ipn.DefaultControlURL,
+				OperatorUser: "alice",
 			},
 			curUser: "alice",
-			want:    "",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+				},
+				ControlURLSet: true,
+			},
+			want: "",
 		},
 		{
-			name:  "error_advertised_routes_exit_node_removed",
-			flags: []string{"--advertise-routes=10.0.42.0/24"},
+			name:    "error_advertised_routes_exit_node_removed",
+			flagSet: f("advertise-routes"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("10.0.42.0/24"),
 					netaddr.MustParseIPPrefix("0.0.0.0/0"),
 					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
 			want: accidentalUpPrefix + " --advertise-routes=10.0.42.0/24 --advertise-exit-node",
 		},
 		{
-			name:  "advertised_routes_exit_node_removed_explicit",
-			flags: []string{"--advertise-routes=10.0.42.0/24", "--advertise-exit-node=false"},
+			name:    "advertised_routes_exit_node_removed",
+			flagSet: f("advertise-routes", "advertise-exit-node"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("10.0.42.0/24"),
 					netaddr.MustParseIPPrefix("0.0.0.0/0"),
 					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
 			want: "",
 		},
 		{
-			name:  "advertised_routes_includes_the_0_routes", // but no --advertise-exit-node
-			flags: []string{"--advertise-routes=11.1.43.0/24,0.0.0.0/0,::/0"},
+			name:    "advertised_routes_includes_the_0_routes", // but no --advertise-exit-node
+			flagSet: f("advertise-routes"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("10.0.42.0/24"),
 					netaddr.MustParseIPPrefix("0.0.0.0/0"),
 					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
-			want: "",
-		},
-		{
-			name:  "advertise_exit_node", // Issue 1859
-			flags: []string{"--advertise-exit-node"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("11.1.43.0/24"),
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+						netaddr.MustParseIPPrefix("::/0"),
+					},
+				},
+				AdvertiseRoutesSet: true,
 			},
 			want: "",
 		},
 		{
-			name:  "advertise_exit_node_over_existing_routes",
-			flags: []string{"--advertise-exit-node"},
+			name:    "advertised_routes_includes_only_one_0_route", // and no --advertise-exit-node
+			flagSet: f("advertise-routes"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
+				ControlURL: ipn.DefaultControlURL,
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+				},
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("11.1.43.0/24"),
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
+			want: accidentalUpPrefix + " --advertise-routes=11.1.43.0/24,0.0.0.0/0 --advertise-exit-node",
+		},
+		{
+			name:    "advertise_exit_node", // Issue 1859
+			flagSet: f("advertise-exit-node"),
+			curPrefs: &ipn.Prefs{
+				ControlURL: ipn.DefaultControlURL,
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+						netaddr.MustParseIPPrefix("::/0"),
+					},
+				},
+				// Note: without setting "AdvertiseRoutesSet", as
+				// updateMaskedPrefsFromUpFlag doesn't set that.
+			},
+			want: "",
+		},
+		{
+			name:    "advertise_exit_node_over_existing_routes",
+			flagSet: f("advertise-exit-node"),
+			curPrefs: &ipn.Prefs{
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+						netaddr.MustParseIPPrefix("::/0"),
+					},
+				},
+				// Note: without setting "AdvertiseRoutesSet", as
+				// updateMaskedPrefsFromUpFlag doesn't set that.
+			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
 		},
 		{
-			name:  "advertise_exit_node_over_existing_routes_and_exit_node",
-			flags: []string{"--advertise-exit-node"},
+			name:    "advertise_exit_node_over_existing_routes_and_exit_node",
+			flagSet: f("advertise-exit-node"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("0.0.0.0/0"),
 					netaddr.MustParseIPPrefix("::/0"),
 					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+						netaddr.MustParseIPPrefix("::/0"),
+					},
+				},
+				// Note: without setting "AdvertiseRoutesSet", as
+				// updateMaskedPrefsFromUpFlag doesn't set that.
+			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
 		},
 		{
-			name:  "exit_node_clearing", // Issue 1777
-			flags: []string{"--exit-node="},
+			name:    "exit_node_clearing", // Issue 1777
+			flagSet: f("exit-node"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
+				ControlURL: ipn.DefaultControlURL,
 				ExitNodeID: "fooID",
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					ExitNodeIP: netaddr.IP{},
+				},
+				ExitNodeIPSet: true,
+			},
 			want: "",
 		},
 		{
-			name:  "remove_all_implicit",
-			flags: []string{"--force-reauth"},
+			name:    "remove_all_implicit",
+			flagSet: f("force-reauth"),
 			curPrefs: &ipn.Prefs{
 				WantRunning:      true,
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
 				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
-				CorpDNS:          false,
-				ShieldsUp:        true,
-				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
-				Hostname:         "myhostname",
-				ForceDaemon:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.0.0/16"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-				},
-				NetfilterMode: preftype.NetfilterNoDivert,
-				OperatorUser:  "alice",
-			},
-			curUser: "eve",
-			want:    accidentalUpPrefix + " --force-reauth --accept-dns=false --accept-routes --advertise-exit-node --advertise-routes=10.0.0.0/16 --advertise-tags=tag:foo,tag:bar --exit-node=100.64.5.6 --host-routes=false --hostname=myhostname --netfilter-mode=nodivert --operator=alice --shields-up",
-		},
-		{
-			name:  "remove_all_implicit_except_hostname",
-			flags: []string{"--hostname=newhostname"},
-			curPrefs: &ipn.Prefs{
-				WantRunning:      true,
-				ControlURL:       ipn.DefaultControlURL,
-				RouteAll:         true,
-				AllowSingleHosts: false,
-				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
-				CorpDNS:          false,
-				ShieldsUp:        true,
-				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
-				Hostname:         "myhostname",
-				ForceDaemon:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.0.0/16"),
-				},
-				NetfilterMode: preftype.NetfilterNoDivert,
-				OperatorUser:  "alice",
-			},
-			curUser: "eve",
-			want:    accidentalUpPrefix + " --hostname=newhostname --accept-dns=false --accept-routes --advertise-routes=10.0.0.0/16 --advertise-tags=tag:foo,tag:bar --exit-node=100.64.5.6 --host-routes=false --netfilter-mode=nodivert --operator=alice --shields-up",
-		},
-		{
-			name:  "loggedout_is_implicit",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				LoggedOut:        true,
-				AllowSingleHosts: true,
 				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ShieldsUp:        true,
+				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
+				Hostname:         "myhostname",
+				ForceDaemon:      true,
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
+				},
+				NetfilterMode: preftype.NetfilterNoDivert,
+				OperatorUser:  "alice",
 			},
-			want: "", // not an error. LoggedOut is implicit.
+			curUser: "eve",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+				},
+			},
+			want: accidentalUpPrefix + " --force-reauth --accept-routes --exit-node=100.64.5.6 --accept-dns --shields-up --advertise-tags=tag:foo,tag:bar --hostname=myhostname --unattended --advertise-routes=10.0.0.0/16 --netfilter-mode=nodivert --operator=alice",
+		},
+		{
+			name:    "remove_all_implicit_except_hostname",
+			flagSet: f("hostname"),
+			curPrefs: &ipn.Prefs{
+				WantRunning:      true,
+				ControlURL:       ipn.DefaultControlURL,
+				RouteAll:         true,
+				AllowSingleHosts: false,
+				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
+				CorpDNS:          true,
+				ShieldsUp:        true,
+				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
+				Hostname:         "myhostname",
+				ForceDaemon:      true,
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
+				},
+				NetfilterMode: preftype.NetfilterNoDivert,
+				OperatorUser:  "alice",
+			},
+			curUser: "eve",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+					Hostname:    "newhostname",
+				},
+				HostnameSet: true,
+			},
+			want: accidentalUpPrefix + " --hostname=newhostname --accept-routes --exit-node=100.64.5.6 --accept-dns --shields-up --advertise-tags=tag:foo,tag:bar --unattended --advertise-routes=10.0.0.0/16 --netfilter-mode=nodivert --operator=alice",
+		},
+		{
+			name:    "loggedout_is_implicit",
+			flagSet: f("advertise-exit-node"),
+			curPrefs: &ipn.Prefs{
+				ControlURL: ipn.DefaultControlURL,
+				LoggedOut:  true,
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
+			// not an error. LoggedOut is implicit.
+			want: "",
 		},
 		{
 			// Test that a pre-1.8 version of Tailscale with bogus NoSNAT pref
 			// values is able to enable exit nodes without warnings.
-			name:  "make_windows_exit_node",
-			flags: []string{"--advertise-exit-node"},
+			name:    "make_windows_exit_node",
+			flagSet: f("advertise-exit-node"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-
-				// And assume this no-op accidental pre-1.8 value:
-				NoSNAT: true,
+				ControlURL: ipn.DefaultControlURL,
+				NoSNAT:     true, // assume this no-op accidental pre-1.8 value
 			},
 			goos: "windows",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("192.168.0.0/16"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
 			want: "", // not an error
 		},
 		{
-			name:  "ignore_netfilter_change_non_linux",
-			flags: []string{"--accept-dns"},
+			name:    "ignore_netfilter_change_non_linux",
+			flagSet: f("accept-dns"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-
+				ControlURL:    ipn.DefaultControlURL,
 				NetfilterMode: preftype.NetfilterNoDivert, // we never had this bug, but pretend it got set non-zero on Windows somehow
 			},
 			goos: "windows",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					CorpDNS:    false,
+				},
+				CorpDNSSet: true,
+			},
 			want: "", // not an error
 		},
-		{
-			name:  "operator_losing_routes_step1", // https://twitter.com/EXPbits/status/1390418145047887877
-			flags: []string{"--operator=expbits"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
-				},
-			},
-			want: accidentalUpPrefix + " --operator=expbits --advertise-exit-node --advertise-routes=1.2.0.0/16",
-		},
-		{
-			name:  "operator_losing_routes_step2", // https://twitter.com/EXPbits/status/1390418145047887877
-			flags: []string{"--operator=expbits", "--advertise-routes=1.2.0.0/16"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
-				},
-			},
-			want: accidentalUpPrefix + " --advertise-routes=1.2.0.0/16 --operator=expbits --advertise-exit-node",
-		},
-		{
-			name:  "errors_preserve_explicit_flags",
-			flags: []string{"--reset", "--force-reauth=false", "--authkey=secretrand"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      false,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-
-				Hostname: "foo",
-			},
-			want: accidentalUpPrefix + " --authkey=secretrand --force-reauth=false --reset --hostname=foo",
-		},
-		{
-			name:  "error_exit_node_omit_with_ip_pref",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				ExitNodeIP: netaddr.MustParseIP("100.64.5.4"),
-			},
-			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.4",
-		},
-		{
-			name:          "error_exit_node_omit_with_id_pref",
-			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netaddr.MustParseIP("100.64.5.7"),
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				ExitNodeID: "some_stable_id",
-			},
-			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -409,19 +479,8 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			if tt.goos != "" {
 				goos = tt.goos
 			}
-			var upArgs upArgsT
-			flagSet := newUpFlagSet(goos, &upArgs)
-			flagSet.Parse(tt.flags)
-			newPrefs, err := prefsFromUpArgs(upArgs, t.Logf, new(ipnstate.Status), goos)
-			if err != nil {
-				t.Fatal(err)
-			}
-			applyImplicitPrefs(newPrefs, tt.curPrefs, tt.curUser)
 			var got string
-			if err := checkForAccidentalSettingReverts(flagSet, tt.curPrefs, newPrefs, upCheckEnv{
-				goos:          goos,
-				curExitNodeIP: tt.curExitNodeIP,
-			}); err != nil {
+			if err := checkForAccidentalSettingReverts(tt.flagSet, tt.curPrefs, tt.mp, goos, tt.curUser); err != nil {
 				got = err.Error()
 			}
 			if strings.TrimSpace(got) != tt.want {
@@ -431,6 +490,16 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 	}
 }

+func defaultPrefsFromUpArgs(t testing.TB, goos string) *ipn.Prefs {
+	upArgs := upArgsFromOSArgs(goos)
+	prefs, err := prefsFromUpArgs(upArgs, logger.Discard, new(ipnstate.Status), "linux")
+	if err != nil {
+		t.Fatalf("defaultPrefsFromUpArgs: %v", err)
+	}
+	prefs.WantRunning = true
+	return prefs
+}
+
 func upArgsFromOSArgs(goos string, flagArgs ...string) (args upArgsT) {
 	fs := newUpFlagSet(goos, &args)
 	fs.Parse(flagArgs) // populates args
@@ -506,7 +575,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			args: upArgsT{
 				exitNodeIP: "foo",
 			},
-			wantErr: `invalid IP address "foo" for --exit-node: ParseIP("foo"): unable to parse IP`,
+			wantErr: `invalid IP address "foo" for --exit-node: unable to parse IP`,
 		},
 		{
 			name: "error_exit_node_allow_lan_without_exit_node",
@@ -626,17 +695,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 }

 func TestPrefFlagMapping(t *testing.T) {
-	prefHasFlag := map[string]bool{}
-	for _, pv := range prefsOfFlag {
-		for _, pref := range pv {
-			prefHasFlag[pref] = true
-		}
-	}
-
 	prefType := reflect.TypeOf(ipn.Prefs{})
 	for i := 0; i < prefType.NumField(); i++ {
 		prefName := prefType.Field(i).Name
-		if prefHasFlag[prefName] {
+		if _, ok := flagForPref[prefName]; ok {
 			continue
 		}
 		switch prefName {
@@ -654,15 +716,3 @@ func TestPrefFlagMapping(t *testing.T) {
 		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
 	}
 }
-
-func TestFlagAppliesToOS(t *testing.T) {
-	for _, goos := range geese {
-		var upArgs upArgsT
-		fs := newUpFlagSet(goos, &upArgs)
-		fs.VisitAll(func(f *flag.Flag) {
-			if !flagAppliesToOS(f.Name, goos) {
-				t.Errorf("flagAppliesToOS(%q, %q) = false but found in %s set", f.Name, goos, goos)
-			}
-		})
-	}
-}
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -194,7 +194,7 @@ func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, lastSe
 	for _, ft := range fts {
 		n := ft.Node
 		for _, a := range n.Addresses {
-			if a.IP() != ip {
+			if a.IP != ip {
 				continue
 			}
 			if n.LastSeen != nil {
@@ -301,7 +301,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 		if detail != "" {
 			detail = "\t" + detail
 		}
-		fmt.Printf("%s\t%s%s\n", n.Addresses[0].IP(), n.ComputedName, detail)
+		fmt.Printf("%s\t%s%s\n", n.Addresses[0].IP, n.ComputedName, detail)
 	}
 	return nil
 }
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -139,9 +139,6 @@ func runPing(ctx context.Context, args []string) error {
 			if !anyPong {
 				return errors.New("no reply")
 			}
-			if pingArgs.untilDirect {
-				return errors.New("direct connection not established")
-			}
 			return nil
 		}
 	}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -13,6 +13,7 @@ import (
 	"reflect"
 	"runtime"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"

@@ -164,10 +165,10 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		routes = append(routes, r)
 	}
 	sort.Slice(routes, func(i, j int) bool {
-		if routes[i].Bits() != routes[j].Bits() {
-			return routes[i].Bits() < routes[j].Bits()
+		if routes[i].Bits != routes[j].Bits {
+			return routes[i].Bits < routes[j].Bits
 		}
-		return routes[i].IP().Less(routes[j].IP())
+		return routes[i].IP.Less(routes[j].IP)
 	})

 	var exitNodeIP netaddr.IP
@@ -230,9 +231,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 		case "off":
 			prefs.NetfilterMode = preftype.NetfilterOff
-			if defaultNetfilterMode() != "off" {
-				warnf("netfilter=off; configure iptables yourself.")
-			}
+			warnf("netfilter=off; configure iptables yourself.")
 		default:
 			return nil, fmt.Errorf("invalid value --netfilter-mode=%q", upArgs.netfilterMode)
 		}
@@ -268,7 +267,7 @@ func runUp(ctx context.Context, args []string) error {
 	}

 	if distro.Get() == distro.Synology {
-		notSupported := "not supported on Synology; see https://github.com/tailscale/tailscale/issues/1995"
+		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
 		if upArgs.acceptRoutes {
 			return errors.New("--accept-routes is " + notSupported)
 		}
@@ -296,13 +295,17 @@ func runUp(ctx context.Context, args []string) error {
 		return err
 	}

-	if !upArgs.reset {
-		applyImplicitPrefs(prefs, curPrefs, os.Getenv("USER"))
+	flagSet := map[string]bool{}
+	mp := new(ipn.MaskedPrefs)
+	mp.WantRunningSet = true
+	mp.Prefs = *prefs
+	upFlagSet.Visit(func(f *flag.Flag) {
+		updateMaskedPrefsFromUpFlag(mp, f.Name)
+		flagSet[f.Name] = true
+	})

-		if err := checkForAccidentalSettingReverts(upFlagSet, curPrefs, prefs, upCheckEnv{
-			goos:          runtime.GOOS,
-			curExitNodeIP: exitNodeIP(prefs, st),
-		}); err != nil {
+	if !upArgs.reset {
+		if err := checkForAccidentalSettingReverts(flagSet, curPrefs, mp, runtime.GOOS, os.Getenv("USER")); err != nil {
 			fatalf("%s", err)
 		}
 	}
@@ -314,7 +317,7 @@ func runUp(ctx context.Context, args []string) error {

 	// If we're already running and none of the flags require a
 	// restart, we can just do an EditPrefs call and change the
-	// prefs at runtime (e.g. changing hostname, changing
+	// prefs at runtime (e.g. changing hostname, changinged
 	// advertised tags, routes, etc)
 	justEdit := st.BackendState == ipn.Running.String() &&
 		!upArgs.forceReauth &&
@@ -322,13 +325,6 @@ func runUp(ctx context.Context, args []string) error {
 		upArgs.authKey == "" &&
 		!controlURLChanged
 	if justEdit {
-		mp := new(ipn.MaskedPrefs)
-		mp.WantRunningSet = true
-		mp.Prefs = *prefs
-		upFlagSet.Visit(func(f *flag.Flag) {
-			updateMaskedPrefsFromUpFlag(mp, f.Name)
-		})
-
 		_, err := tailscale.EditPrefs(ctx, mp)
 		return err
 	}
@@ -336,7 +332,7 @@ func runUp(ctx context.Context, args []string) error {
 	// simpleUp is whether we're running a simple "tailscale up"
 	// to transition to running from a previously-logged-in but
 	// down state, without changing any settings.
-	simpleUp := upFlagSet.NFlag() == 0 &&
+	simpleUp := len(flagSet) == 0 &&
 		curPrefs.Persist != nil &&
 		curPrefs.Persist.LoginName != "" &&
 		st.BackendState != ipn.NeedsLogin.String()
@@ -468,20 +464,14 @@ func runUp(ctx context.Context, args []string) error {
 }

 var (
-	prefsOfFlag = map[string][]string{} // "exit-node" => ExitNodeIP, ExitNodeID
+	flagForPref = map[string]string{} // "ExitNodeIP" => "exit-node"
+	prefsOfFlag = map[string][]string{}
 )

 func init() {
-	// Both these have the same ipn.Pref:
-	addPrefFlagMapping("advertise-exit-node", "AdvertiseRoutes")
-	addPrefFlagMapping("advertise-routes", "AdvertiseRoutes")
-
-	// And this flag has two ipn.Prefs:
-	addPrefFlagMapping("exit-node", "ExitNodeIP", "ExitNodeID")
-
-	// The rest are 1:1:
 	addPrefFlagMapping("accept-dns", "CorpDNS")
 	addPrefFlagMapping("accept-routes", "RouteAll")
+	addPrefFlagMapping("advertise-routes", "AdvertiseRoutes")
 	addPrefFlagMapping("advertise-tags", "AdvertiseTags")
 	addPrefFlagMapping("host-routes", "AllowSingleHosts")
 	addPrefFlagMapping("hostname", "Hostname")
@@ -489,6 +479,7 @@ func init() {
 	addPrefFlagMapping("netfilter-mode", "NetfilterMode")
 	addPrefFlagMapping("shields-up", "ShieldsUp")
 	addPrefFlagMapping("snat-subnet-routes", "NoSNAT")
+	addPrefFlagMapping("exit-node", "ExitNodeIP", "ExitNodeID")
 	addPrefFlagMapping("exit-node-allow-lan-access", "ExitNodeAllowLANAccess")
 	addPrefFlagMapping("unattended", "ForceDaemon")
 	addPrefFlagMapping("operator", "OperatorUser")
@@ -498,6 +489,8 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
 	prefsOfFlag[flagName] = prefNames
 	prefType := reflect.TypeOf(ipn.Prefs{})
 	for _, pref := range prefNames {
+		flagForPref[pref] = flagName
+
 		// Crash at runtime if there's a typo in the prefName.
 		if _, ok := prefType.FieldByName(pref); !ok {
 			panic(fmt.Sprintf("invalid ipn.Prefs field %q", pref))
@@ -505,27 +498,21 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
 	}
 }

-// preflessFlag reports whether flagName is a flag that doesn't
-// correspond to an ipn.Pref.
-func preflessFlag(flagName string) bool {
-	switch flagName {
-	case "authkey", "force-reauth", "reset":
-		return true
-	}
-	return false
-}
-
 func updateMaskedPrefsFromUpFlag(mp *ipn.MaskedPrefs, flagName string) {
-	if preflessFlag(flagName) {
-		return
-	}
 	if prefs, ok := prefsOfFlag[flagName]; ok {
 		for _, pref := range prefs {
 			reflect.ValueOf(mp).Elem().FieldByName(pref + "Set").SetBool(true)
 		}
 		return
 	}
-	panic(fmt.Sprintf("internal error: unhandled flag %q", flagName))
+	switch flagName {
+	case "authkey", "force-reauth", "reset":
+		// Not pref-related flags.
+	case "advertise-exit-node":
+		// This pref is a shorthand for advertise-routes.
+	default:
+		panic(fmt.Sprintf("internal error: unhandled flag %q", flagName))
+	}
 }

 const accidentalUpPrefix = "Error: changing settings via 'tailscale up' requires mentioning all\n" +
@@ -534,16 +521,9 @@ const accidentalUpPrefix = "Error: changing settings via 'tailscale up' requires
 	"all non-default settings:\n\n" +
 	"\ttailscale up"

-// upCheckEnv are extra parameters describing the environment as
-// needed by checkForAccidentalSettingReverts and friends.
-type upCheckEnv struct {
-	goos          string
-	curExitNodeIP netaddr.IP
-}
-
-// checkForAccidentalSettingReverts (the "up checker") checks for
-// people running "tailscale up" with a subset of the flags they
-// originally ran it with.
+// checkForAccidentalSettingReverts checks for people running
+// "tailscale up" with a subset of the flags they originally ran it
+// with.
 //
 // For example, in Tailscale 1.6 and prior, a user might've advertised
 // a tag, but later tried to change just one other setting and forgot
@@ -555,180 +535,178 @@ type upCheckEnv struct {
 //
 // mp is the mask of settings actually set, where mp.Prefs is the new
 // preferences to set, including any values set from implicit flags.
-func checkForAccidentalSettingReverts(flagSet *flag.FlagSet, curPrefs, newPrefs *ipn.Prefs, env upCheckEnv) error {
-	if curPrefs.ControlURL == "" {
-		// Don't validate things on initial "up" before a control URL has been set.
-		return nil
-	}
-
-	flagIsSet := map[string]bool{}
-	flagSet.Visit(func(f *flag.Flag) {
-		flagIsSet[f.Name] = true
-	})
-
-	if len(flagIsSet) == 0 {
+func checkForAccidentalSettingReverts(flagSet map[string]bool, curPrefs *ipn.Prefs, mp *ipn.MaskedPrefs, goos, curUser string) error {
+	if len(flagSet) == 0 {
 		// A bare "tailscale up" is a special case to just
 		// mean bringing the network up without any changes.
 		return nil
 	}
+	if curPrefs.ControlURL == "" {
+		// Don't validate things on initial "up" before a control URL has been set.
+		return nil
+	}
+	curWithExplicitEdits := curPrefs.Clone()
+	curWithExplicitEdits.ApplyEdits(mp)

-	// flagsCur is what flags we'd need to use to keep the exact
-	// settings as-is.
-	flagsCur := prefsToFlags(env, curPrefs)
-	flagsNew := prefsToFlags(env, newPrefs)
+	prefType := reflect.TypeOf(ipn.Prefs{})
+
+	// Explicit values (current + explicit edit):
+	ev := reflect.ValueOf(curWithExplicitEdits).Elem()
+	// Implicit values (what we'd get if we replaced everything with flag defaults):
+	iv := reflect.ValueOf(&mp.Prefs).Elem()

 	var missing []string
-	for flagName := range flagsCur {
-		valCur, valNew := flagsCur[flagName], flagsNew[flagName]
-		if flagIsSet[flagName] {
+	flagExplicitValue := map[string]interface{}{} // e.g. "accept-dns" => true (from flagSet)
+	for i := 0; i < prefType.NumField(); i++ {
+		prefName := prefType.Field(i).Name
+		// Persist is a legacy field used for storing keys, which
+		// probably should never have been part of Prefs. It's
+		// likely to migrate elsewhere eventually.
+		if prefName == "Persist" {
 			continue
 		}
-		if reflect.DeepEqual(valCur, valNew) {
+		// LoggedOut is a preference, but running the "up" command
+		// always implies that the user now prefers LoggedOut->false.
+		if prefName == "LoggedOut" {
 			continue
 		}
-		missing = append(missing, fmtFlagValueArg(flagName, valCur))
+		flagName, hasFlag := flagForPref[prefName]
+
+		// Special case for advertise-exit-node; which is a
+		// flag but doesn't have a corresponding pref.  The
+		// flag augments advertise-routes, so we have to infer
+		// the imaginary pref's current value from the routes.
+		if prefName == "AdvertiseRoutes" &&
+			hasExitNodeRoutes(curPrefs.AdvertiseRoutes) &&
+			!hasExitNodeRoutes(curWithExplicitEdits.AdvertiseRoutes) &&
+			!flagSet["advertise-exit-node"] {
+			missing = append(missing, "--advertise-exit-node")
+		}
+
+		if hasFlag && flagSet[flagName] {
+			flagExplicitValue[flagName] = ev.Field(i).Interface()
+			continue
+		}
+
+		if prefName == "AdvertiseRoutes" &&
+			(len(curPrefs.AdvertiseRoutes) == 0 ||
+				hasExitNodeRoutes(curPrefs.AdvertiseRoutes) && len(curPrefs.AdvertiseRoutes) == 2) &&
+			hasExitNodeRoutes(mp.Prefs.AdvertiseRoutes) &&
+			len(mp.Prefs.AdvertiseRoutes) == 2 &&
+			flagSet["advertise-exit-node"] {
+			continue
+		}
+
+		// Get explicit value and implicit value
+		ex, im := ev.Field(i), iv.Field(i)
+		switch ex.Kind() {
+		case reflect.String, reflect.Slice:
+			if ex.Kind() == reflect.Slice && ex.Len() == 0 && im.Len() == 0 {
+				// Treat nil and non-nil empty slices as equivalent.
+				continue
+			}
+		}
+		exi, imi := ex.Interface(), im.Interface()
+
+		if reflect.DeepEqual(exi, imi) {
+			continue
+		}
+		switch flagName {
+		case "operator":
+			if imi == "" && exi == curUser {
+				// Don't require setting operator if the current user matches
+				// the configured operator.
+				continue
+			}
+		case "snat-subnet-routes", "netfilter-mode":
+			if goos != "linux" {
+				// Issue 1833: we used to accidentally set the NoSNAT
+				// pref for non-Linux nodes. It only affects Linux, so
+				// ignore it if it changes. Likewise, ignore
+				// Linux-only netfilter-mode on non-Linux.
+				continue
+			}
+		}
+		switch flagName {
+		case "":
+			return fmt.Errorf("'tailscale up' without --reset requires all preferences with changing values to be explicitly mentioned; this command would change the value of flagless pref %q", prefName)
+		case "exit-node":
+			if prefName == "ExitNodeIP" {
+				missing = append(missing, fmtFlagValueArg("exit-node", fmtSettingVal(exi)))
+			}
+		case "advertise-routes":
+			routes := withoutExitNodes(exi.([]netaddr.IPPrefix))
+			missing = append(missing, fmtFlagValueArg("advertise-routes", fmtSettingVal(routes)))
+		default:
+			missing = append(missing, fmtFlagValueArg(flagName, fmtSettingVal(exi)))
+		}
 	}
 	if len(missing) == 0 {
 		return nil
 	}
-	sort.Strings(missing)
-
-	// Compute the stringification of the explicitly provided args in flagSet
-	// to prepend to the command to run.
-	var explicit []string
-	flagSet.Visit(func(f *flag.Flag) {
-		type isBool interface {
-			IsBoolFlag() bool
-		}
-		if ib, ok := f.Value.(isBool); ok && ib.IsBoolFlag() {
-			if f.Value.String() == "false" {
-				explicit = append(explicit, "--"+f.Name+"=false")
-			} else {
-				explicit = append(explicit, "--"+f.Name)
-			}
-		} else {
-			explicit = append(explicit, fmtFlagValueArg(f.Name, f.Value.String()))
-		}
-	})
-
 	var sb strings.Builder
 	sb.WriteString(accidentalUpPrefix)

-	for _, a := range append(explicit, missing...) {
+	var flagSetSorted []string
+	for f := range flagSet {
+		flagSetSorted = append(flagSetSorted, f)
+	}
+	sort.Strings(flagSetSorted)
+	for _, flagName := range flagSetSorted {
+		if ev, ok := flagExplicitValue[flagName]; ok {
+			fmt.Fprintf(&sb, " %s", fmtFlagValueArg(flagName, fmtSettingVal(ev)))
+		} else {
+			fmt.Fprintf(&sb, " --%s", flagName)
+		}
+	}
+	for _, a := range missing {
 		fmt.Fprintf(&sb, " %s", a)
 	}
 	sb.WriteString("\n\n")
 	return errors.New(sb.String())
 }

-// applyImplicitPrefs mutates prefs to add implicit preferences. Currently
-// this is just the operator user, which only needs to be set if it doesn't
-// match the current user.
-//
-// curUser is os.Getenv("USER"). It's pulled out for testability.
-func applyImplicitPrefs(prefs, oldPrefs *ipn.Prefs, curUser string) {
-	if prefs.OperatorUser == "" && oldPrefs.OperatorUser == curUser {
-		prefs.OperatorUser = oldPrefs.OperatorUser
-	}
-}
-
-func flagAppliesToOS(flag, goos string) bool {
-	switch flag {
-	case "netfilter-mode", "snat-subnet-routes":
-		return goos == "linux"
-	case "unattended":
-		return goos == "windows"
-	}
-	return true
-}
-
-func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]interface{}) {
-	ret := make(map[string]interface{})
-
-	exitNodeIPStr := func() string {
-		if !prefs.ExitNodeIP.IsZero() {
-			return prefs.ExitNodeIP.String()
-		}
-		if prefs.ExitNodeID.IsZero() || env.curExitNodeIP.IsZero() {
-			return ""
-		}
-		return env.curExitNodeIP.String()
-	}
-
-	fs := newUpFlagSet(env.goos, new(upArgsT) /* dummy */)
-	fs.VisitAll(func(f *flag.Flag) {
-		if preflessFlag(f.Name) {
-			return
-		}
-		set := func(v interface{}) {
-			if flagAppliesToOS(f.Name, env.goos) {
-				ret[f.Name] = v
-			} else {
-				ret[f.Name] = nil
-			}
-		}
-		switch f.Name {
-		default:
-			panic(fmt.Sprintf("unhandled flag %q", f.Name))
-		case "login-server":
-			set(prefs.ControlURL)
-		case "accept-routes":
-			set(prefs.RouteAll)
-		case "host-routes":
-			set(prefs.AllowSingleHosts)
-		case "accept-dns":
-			set(prefs.CorpDNS)
-		case "shields-up":
-			set(prefs.ShieldsUp)
-		case "exit-node":
-			set(exitNodeIPStr())
-		case "exit-node-allow-lan-access":
-			set(prefs.ExitNodeAllowLANAccess)
-		case "advertise-tags":
-			set(strings.Join(prefs.AdvertiseTags, ","))
-		case "hostname":
-			set(prefs.Hostname)
-		case "operator":
-			set(prefs.OperatorUser)
-		case "advertise-routes":
-			var sb strings.Builder
-			for i, r := range withoutExitNodes(prefs.AdvertiseRoutes) {
-				if i > 0 {
-					sb.WriteByte(',')
-				}
-				sb.WriteString(r.String())
-			}
-			set(sb.String())
-		case "advertise-exit-node":
-			set(hasExitNodeRoutes(prefs.AdvertiseRoutes))
-		case "snat-subnet-routes":
-			set(!prefs.NoSNAT)
-		case "netfilter-mode":
-			set(prefs.NetfilterMode.String())
-		case "unattended":
-			set(prefs.ForceDaemon)
-		}
-	})
-	return ret
-}
-
-func fmtFlagValueArg(flagName string, val interface{}) string {
-	if val == true {
+func fmtFlagValueArg(flagName, val string) string {
+	if val == "true" {
+		// TODO: check flagName's type to see if its Pref is of type bool
 		return "--" + flagName
 	}
 	if val == "" {
 		return "--" + flagName + "="
 	}
-	return fmt.Sprintf("--%s=%v", flagName, shellquote.Join(fmt.Sprint(val)))
+	return fmt.Sprintf("--%s=%v", flagName, shellquote.Join(val))
+}
+
+func fmtSettingVal(v interface{}) string {
+	switch v := v.(type) {
+	case bool:
+		return strconv.FormatBool(v)
+	case string:
+		return v
+	case preftype.NetfilterMode:
+		return v.String()
+	case []string:
+		return strings.Join(v, ",")
+	case []netaddr.IPPrefix:
+		var sb strings.Builder
+		for i, r := range v {
+			if i > 0 {
+				sb.WriteByte(',')
+			}
+			sb.WriteString(r.String())
+		}
+		return sb.String()
+	}
+	return fmt.Sprint(v)
 }

 func hasExitNodeRoutes(rr []netaddr.IPPrefix) bool {
 	var v4, v6 bool
 	for _, r := range rr {
-		if r.Bits() == 0 {
-			if r.IP().Is4() {
+		if r.Bits == 0 {
+			if r.IP.Is4() {
 				v4 = true
-			} else if r.IP().Is6() {
+			} else if r.IP.Is6() {
 				v6 = true
 			}
 		}
@@ -745,33 +723,9 @@ func withoutExitNodes(rr []netaddr.IPPrefix) []netaddr.IPPrefix {
 	}
 	var out []netaddr.IPPrefix
 	for _, r := range rr {
-		if r.Bits() > 0 {
+		if r.Bits > 0 {
 			out = append(out, r)
 		}
 	}
 	return out
 }
-
-// exitNodeIP returns the exit node IP from p, using st to map
-// it from its ID form to an IP address if needed.
-func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netaddr.IP) {
-	if p == nil {
-		return
-	}
-	if !p.ExitNodeIP.IsZero() {
-		return p.ExitNodeIP
-	}
-	id := p.ExitNodeID
-	if id.IsZero() {
-		return
-	}
-	for _, p := range st.Peer {
-		if p.ID == id {
-			if len(p.TailscaleIPs) > 0 {
-				return p.TailscaleIPs[0]
-			}
-			break
-		}
-	}
-	return
-}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -5,7 +5,6 @@
 package cli

 import (
-	"bufio"
 	"bytes"
 	"context"
 	_ "embed"
@@ -16,13 +15,11 @@ import (
 	"log"
 	"net/http"
 	"net/http/cgi"
-	"os"
 	"os/exec"
 	"runtime"
 	"strings"

 	"github.com/peterbourgon/ff/v2/ffcli"
-	"go4.org/mem"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
@@ -85,63 +82,17 @@ func runWeb(ctx context.Context, args []string) error {
 	return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
 }

-// authorize checks whether the provided user has access to the web UI.
-func authorize(name string) error {
+func auth() (string, error) {
 	if distro.Get() == distro.Synology {
-		return authorizeSynology(name)
-	}
-	return nil
-}
-
-// authorizeSynology checks whether the provided user has access to the web UI
-// by consulting the membership of the "administrators" group.
-func authorizeSynology(name string) error {
-	f, err := os.Open("/etc/group")
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	s := bufio.NewScanner(f)
-	var agLine string
-	for s.Scan() {
-		if !mem.HasPrefix(mem.B(s.Bytes()), mem.S("administrators:")) {
-			continue
+		cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			return "", fmt.Errorf("auth: %v: %s", err, out)
 		}
-		agLine = s.Text()
-		break
+		return string(out), nil
 	}
-	if err := s.Err(); err != nil {
-		return err
-	}
-	if agLine == "" {
-		return fmt.Errorf("admin group not defined")
-	}
-	agEntry := strings.Split(agLine, ":")
-	if len(agEntry) < 4 {
-		return fmt.Errorf("malformed admin group entry")
-	}
-	agMembers := agEntry[3]
-	for _, m := range strings.Split(agMembers, ",") {
-		if m == name {
-			return nil
-		}
-	}
-	return fmt.Errorf("not a member of administrators group")
-}

-// authenticate returns the name of the user accessing the web UI.
-// Note: This is different from a tailscale user, and is typically the local
-// user on the node.
-func authenticate() (string, error) {
-	if distro.Get() != distro.Synology {
-		return "", nil
-	}
-	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return "", fmt.Errorf("auth: %v: %s", err, out)
-	}
-	return strings.TrimSpace(string(out)), nil
+	return "", nil
 }

 func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
@@ -247,13 +198,8 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := authenticate()
+	user, err := auth()
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusUnauthorized)
-		return
-	}
-
-	if err := authorize(user); err != nil {
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -268,8 +214,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		url, err := tailscaleUpForceReauth(r.Context())
 		if err != nil {
-			w.WriteHeader(500)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			json.NewEncoder(w).Encode(mi{"error": err})
 			return
 		}
 		json.NewEncoder(w).Encode(mi{"url": url})
@@ -375,10 +320,6 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 	})
 	bc.StartLoginInteractive()

-	<-pumpCtx.Done() // wait for authURL or complete failure
-	if authURL == "" && retErr == nil {
-		retErr = pumpCtx.Err()
-	}
 	if authURL == "" && retErr == nil {
 		return "", fmt.Errorf("login failed with no backend error message")
 	}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -1,7 +1,6 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
@@ -49,13 +48,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/wgkey                                    from tailscale.com/types/netmap+
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
   L    tailscale.com/util/lineread                                  from tailscale.com/net/interfaces
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -1,43 +1,41 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+   W 💣 github.com/github/certstore                                  from tailscale.com/control/controlclient
        github.com/go-multierror/multierror                          from tailscale.com/wgengine/router+
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
-        github.com/golang/snappy                                     from github.com/klauspost/compress/zstd
        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/snappy                         from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-   L 💣 github.com/mdlayher/netlink                                  from tailscale.com/wgengine/monitor+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/mdlayher/netlink+
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
-   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
-   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+   W    github.com/pkg/errors                                        from github.com/github/certstore
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
-     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
-     💣 golang.zx2c4.com/wireguard/device                            from tailscale.com/net/tstun+
-     💣 golang.zx2c4.com/wireguard/ipc                               from golang.zx2c4.com/wireguard/device
-   W 💣 golang.zx2c4.com/wireguard/ipc/winpipe                       from golang.zx2c4.com/wireguard/ipc
-        golang.zx2c4.com/wireguard/ratelimiter                       from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/replay                            from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/rwcancel                          from golang.zx2c4.com/wireguard/device+
-        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device+
-     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/tun/wintun                        from golang.zx2c4.com/wireguard/tun+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        inet.af/netaddr                                              from tailscale.com/control/controlclient+
     💣 inet.af/netstack/gohacks                                     from inet.af/netstack/state/wire+
@@ -71,7 +69,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/tcpip/transport/udp                         from inet.af/netstack/tcpip/adapters/gonet+
        inet.af/netstack/waiter                                      from inet.af/netstack/tcpip+
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
-   W 💣 inet.af/wf                                                   from tailscale.com/wf
        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
@@ -81,7 +78,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/disco                                          from tailscale.com/derp+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
-        tailscale.com/internal/deephash                              from tailscale.com/ipn/ipnlocal+
+        tailscale.com/internal/deepprint                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn                                            from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
@@ -118,6 +115,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
+   W 💣 tailscale.com/tempfork/wireguard-windows/firewall            from tailscale.com/cmd/tailscaled
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
@@ -130,6 +128,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
   L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
@@ -144,7 +143,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/winutil                                   from tailscale.com/logpolicy+
        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
-   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine+
@@ -156,7 +154,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
@@ -165,7 +163,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -173,15 +171,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
-        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from tailscale.com/derp
        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/mdlayher/netlink+
-   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from github.com/tailscale/wireguard-go/conn+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
   W    golang.org/x/sys/windows/svc                                 from tailscale.com/cmd/tailscaled+
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -266,7 +266,7 @@ func run() error {
 			if err != nil {
 				return nil, err
 			}
-			if ns != nil && useNetstackForIP(ipp.IP()) {
+			if ns != nil && useNetstackForIP(ipp.IP) {
 				return ns.DialContextTCP(ctx, addr)
 			}
 			var d net.Dialer
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"net"
 	"os"
 	"time"

@@ -31,9 +32,9 @@ import (
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/tstun"
+	"tailscale.com/tempfork/wireguard-windows/firewall"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
-	"tailscale.com/wf"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
@@ -143,13 +144,13 @@ func beFirewallKillswitch() bool {

 	luid, err := winipcfg.LUIDFromGUID(&guid)
 	if err != nil {
-		log.Fatalf("no interface with GUID %q: %v", guid, err)
+		log.Fatalf("no interface with GUID %q", guid)
 	}

+	noProtection := false
+	var dnsIPs []net.IP // unused in called code.
 	start := time.Now()
-	if _, err := wf.New(uint64(luid)); err != nil {
-		log.Fatalf("filewall creation failed: %v", err)
-	}
+	firewall.EnableFirewall(uint64(luid), noProtection, dnsIPs)
 	log.Printf("killswitch enabled, took %s", time.Since(start))

 	// Block until the monitor goroutine shuts us down.
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -576,12 +576,9 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	c.logf("[v1] sendStatus: %s: %v", who, state)

 	var p *persist.Persist
-	var loginFin, logoutFin *empty.Message
+	var fin *empty.Message
 	if state == StateAuthenticated {
-		loginFin = new(empty.Message)
-	}
-	if state == StateNotAuthenticated {
-		logoutFin = new(empty.Message)
+		fin = new(empty.Message)
 	}
 	if nm != nil && loggedIn && synced {
 		pp := c.direct.GetPersist()
@@ -592,13 +589,12 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		nm = nil
 	}
 	new := Status{
-		LoginFinished:  loginFin,
-		LogoutFinished: logoutFin,
-		URL:            url,
-		Persist:        p,
-		NetMap:         nm,
-		Hostinfo:       hi,
-		State:          state,
+		LoginFinished: fin,
+		URL:           url,
+		Persist:       p,
+		NetMap:        nm,
+		Hostinfo:      hi,
+		State:         state,
 	}
 	if err != nil {
 		new.Err = err.Error()
@@ -716,9 +712,3 @@ func (c *Auto) TestOnlySetAuthKey(authkey string) {
 func (c *Auto) TestOnlyTimeNow() time.Time {
 	return c.timeNow()
 }
-
-// SetDNS sends the SetDNSRequest request to the control plane server,
-// requesting a DNS record be created or updated.
-func (c *Auto) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
-	return c.direct.SetDNS(ctx, req)
-}
--- a/control/controlclient/client.go
+++ b/control/controlclient/client.go
@@ -74,7 +74,4 @@ type Client interface {
 	// in a separate http request. It has nothing to do with the rest of
 	// the state machine.
 	UpdateEndpoints(localPort uint16, endpoints []tailcfg.Endpoint)
-	// SetDNS sends the SetDNSRequest request to the control plane server,
-	// requesting a DNS record be created or updated.
-	SetDNS(context.Context, *tailcfg.SetDNSRequest) error
 }
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {

 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
+	equalHandles := []string{"LoginFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -32,7 +32,6 @@ import (
 	"golang.org/x/crypto/nacl/box"
 	"inet.af/netaddr"
 	"tailscale.com/health"
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
@@ -67,7 +66,6 @@ type Direct struct {
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
-	pinger                 Pinger

 	mu           sync.Mutex // mutex guards the following fields
 	serverKey    wgkey.Key
@@ -105,18 +103,6 @@ type Options struct {
 	// forwarding works and should not be double-checked by the
 	// controlclient package.
 	SkipIPForwardingCheck bool
-
-	// Pinger optionally specifies the Pinger to use to satisfy
-	// MapResponse.PingRequest queries from the control plane.
-	// If nil, PingRequest queries are not answered.
-	Pinger Pinger
-}
-
-// Pinger is a subset of the wgengine.Engine interface, containing just the Ping method.
-type Pinger interface {
-	// Ping is a request to start a discovery or TSMP ping with the peer handling
-	// the given IP and then call cb with its ping latency & method.
-	Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult))
 }

 type Decompressor interface {
@@ -179,7 +165,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		keepSharerAndUserSplit: opts.KeepSharerAndUserSplit,
 		linkMon:                opts.LinkMonitor,
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
-		pinger:                 opts.Pinger,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
@@ -475,10 +460,10 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			request.NodeKey.ShortString())
 		return true, "", nil
 	}
-	if resp.Login.Provider != "" {
+	if persist.Provider == "" {
 		persist.Provider = resp.Login.Provider
 	}
-	if resp.Login.LoginName != "" {
+	if persist.LoginName == "" {
 		persist.LoginName = resp.Login.LoginName
 	}

@@ -1106,7 +1091,7 @@ func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool
 	localIPs := map[netaddr.IP]bool{}
 	for _, addrs := range state.InterfaceIPs {
 		for _, pfx := range addrs {
-			localIPs[pfx.IP()] = true
+			localIPs[pfx.IP] = true
 		}
 	}

@@ -1115,10 +1100,10 @@ func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool
 		// It's possible to advertise a route to one of the local
 		// machine's local IPs. IP forwarding isn't required for this
 		// to work, so we shouldn't warn for such exports.
-		if r.IsSingleIP() && localIPs[r.IP()] {
+		if r.IsSingleIP() && localIPs[r.IP] {
 			continue
 		}
-		if r.IP().Is4() {
+		if r.IP.Is4() {
 			v4Routes = true
 		} else {
 			v6Routes = true
@@ -1226,50 +1211,3 @@ func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<-
 		}
 	}
 }
-
-// SetDNS sends the SetDNSRequest request to the control plane server,
-// requesting a DNS record be created or updated.
-func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
-	c.mu.Lock()
-	serverKey := c.serverKey
-	c.mu.Unlock()
-
-	if serverKey.IsZero() {
-		return errors.New("zero serverKey")
-	}
-	machinePrivKey, err := c.getMachinePrivKey()
-	if err != nil {
-		return fmt.Errorf("getMachinePrivKey: %w", err)
-	}
-	if machinePrivKey.IsZero() {
-		return errors.New("getMachinePrivKey returned zero key")
-	}
-
-	bodyData, err := encode(req, &serverKey, &machinePrivKey)
-	if err != nil {
-		return err
-	}
-	body := bytes.NewReader(bodyData)
-
-	u := fmt.Sprintf("%s/machine/%s/set-dns", c.serverURL, machinePrivKey.Public().HexString())
-	hreq, err := http.NewRequestWithContext(ctx, "POST", u, body)
-	if err != nil {
-		return err
-	}
-	res, err := c.httpc.Do(hreq)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != 200 {
-		msg, _ := ioutil.ReadAll(res.Body)
-		return fmt.Errorf("sign-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
-	}
-	var setDNSRes struct{} // no fields yet
-	if err := decode(res, &setDNSRes, &serverKey, &machinePrivKey); err != nil {
-		c.logf("error decoding SetDNSResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
-		return fmt.Errorf("set-dns-response: %v", err)
-	}
-
-	return nil
-}
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -86,7 +86,7 @@ func TestNewDirect(t *testing.T) {
 func fakeEndpoints(ports ...uint16) (ret []tailcfg.Endpoint) {
 	for _, port := range ports {
 		ret = append(ret, tailcfg.Endpoint{
-			Addr: netaddr.IPPortFrom(netaddr.IP{}, port),
+			Addr: netaddr.IPPort{Port: port},
 		})
 	}
 	return
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -18,7 +18,7 @@ import (
 	"fmt"
 	"sync"

-	"github.com/tailscale/certstore"
+	"github.com/github/certstore"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/winutil"
--- a/control/controlclient/status.go
+++ b/control/controlclient/status.go
@@ -64,12 +64,11 @@ func (s State) String() string {
 }

 type Status struct {
-	_              structs.Incomparable
-	LoginFinished  *empty.Message // nonempty when login finishes
-	LogoutFinished *empty.Message // nonempty when logout finishes
-	Err            string
-	URL            string             // interactive URL to visit to finish logging in
-	NetMap         *netmap.NetworkMap // server-pushed configuration
+	_             structs.Incomparable
+	LoginFinished *empty.Message // nonempty when login finishes
+	Err           string
+	URL           string             // interactive URL to visit to finish logging in
+	NetMap        *netmap.NetworkMap // server-pushed configuration

 	// The internal state should not be exposed outside this
 	// package, but we have some automated tests elsewhere that need to
@@ -87,7 +86,6 @@ func (s *Status) Equal(s2 *Status) bool {
 	}
 	return s != nil && s2 != nil &&
 		(s.LoginFinished == nil) == (s2.LoginFinished == nil) &&
-		(s.LogoutFinished == nil) == (s2.LogoutFinished == nil) &&
 		s.Err == s2.Err &&
 		s.URL == s2.URL &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -147,9 +147,9 @@ const epLength = 16 + 2 // 16 byte IP address + 2 byte port
 func (m *CallMeMaybe) AppendMarshal(b []byte) []byte {
 	ret, p := appendMsgHeader(b, TypeCallMeMaybe, v0, epLength*len(m.MyNumber))
 	for _, ipp := range m.MyNumber {
-		a := ipp.IP().As16()
+		a := ipp.IP.As16()
 		copy(p[:], a[:])
-		binary.BigEndian.PutUint16(p[16:], ipp.Port())
+		binary.BigEndian.PutUint16(p[16:], ipp.Port)
 		p = p[epLength:]
 	}
 	return ret
@@ -164,9 +164,10 @@ func parseCallMeMaybe(ver uint8, p []byte) (m *CallMeMaybe, err error) {
 	for len(p) > 0 {
 		var a [16]byte
 		copy(a[:], p)
-		m.MyNumber = append(m.MyNumber, netaddr.IPPortFrom(
-			netaddr.IPFrom16(a),
-			binary.BigEndian.Uint16(p[16:18])))
+		m.MyNumber = append(m.MyNumber, netaddr.IPPort{
+			IP:   netaddr.IPFrom16(a),
+			Port: binary.BigEndian.Uint16(p[16:18]),
+		})
 		p = p[epLength:]
 	}
 	return m, nil
@@ -186,9 +187,9 @@ const pongLen = 12 + 16 + 2
 func (m *Pong) AppendMarshal(b []byte) []byte {
 	ret, d := appendMsgHeader(b, TypePong, v0, pongLen)
 	d = d[copy(d, m.TxID[:]):]
-	ip16 := m.Src.IP().As16()
+	ip16 := m.Src.IP.As16()
 	d = d[copy(d, ip16[:]):]
-	binary.BigEndian.PutUint16(d, m.Src.Port())
+	binary.BigEndian.PutUint16(d, m.Src.Port)
 	return ret
 }

@@ -200,10 +201,10 @@ func parsePong(ver uint8, p []byte) (m *Pong, err error) {
 	copy(m.TxID[:], p)
 	p = p[12:]

-	srcIP, _ := netaddr.FromStdIP(net.IP(p[:16]))
+	m.Src.IP, _ = netaddr.FromStdIP(net.IP(p[:16]))
 	p = p[16:]
-	port := binary.BigEndian.Uint16(p)
-	m.Src = netaddr.IPPortFrom(srcIP, port)
+
+	m.Src.Port = binary.BigEndian.Uint16(p)
 	return m, nil
 }

--- a/go.mod
+++ b/go.mod
@@ -3,47 +3,47 @@ module tailscale.com
 go 1.16

 require (
-	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
-	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
-	github.com/aws/aws-sdk-go v1.38.52
-	github.com/coreos/go-iptables v0.6.0
-	github.com/frankban/quicktest v1.13.0
-	github.com/gliderlabs/ssh v0.3.2
+	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
+	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
+	github.com/coreos/go-iptables v0.4.5
+	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
+	github.com/frankban/quicktest v1.12.1
+	github.com/github/certstore v0.1.0
+	github.com/gliderlabs/ssh v0.2.2
 	github.com/go-multierror/multierror v1.0.2
-	github.com/go-ole/go-ole v1.2.5
-	github.com/godbus/dbus/v5 v5.0.4
-	github.com/google/go-cmp v0.5.6
-	github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f
-	github.com/google/uuid v1.1.2
-	github.com/goreleaser/nfpm v1.10.3
-	github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190
+	github.com/go-ole/go-ole v1.2.4
+	github.com/godbus/dbus/v5 v5.0.3
+	github.com/google/go-cmp v0.5.5
+	github.com/goreleaser/nfpm v1.1.10
+	github.com/jsimonetti/rtnetlink v0.0.0-20210212075122-66c871082f2b
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.12.2
+	github.com/klauspost/compress v1.10.10
 	github.com/kr/pty v1.1.8
-	github.com/mdlayher/netlink v1.4.1
-	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
-	github.com/miekg/dns v1.1.42
-	github.com/pborman/getopt v1.1.0
+	github.com/mdlayher/netlink v1.3.2
+	github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a
+	github.com/miekg/dns v1.1.30
+	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
-	github.com/pkg/sftp v1.13.0
-	github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
+	github.com/tailscale/wireguard-go v0.0.0-20210429195722-6cd106ab1339
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
-	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
-	golang.org/x/net v0.0.0-20210525063256-abc453219eb5
+	golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
+	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210608053332-aa57babbf139
-	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
+	golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57
+	golang.org/x/term v0.0.0-20210317153231-de623e64d2a6
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
-	golang.org/x/tools v0.1.2
-	golang.zx2c4.com/wireguard v0.0.0-20210525143454-64cb82f2b3f5
-	golang.zx2c4.com/wireguard/windows v0.3.15-0.20210525143335-94c0476d63e3
-	honnef.co/go/tools v0.1.4
-	inet.af/netaddr v0.0.0-20210602152128-50f8686885e3
+	golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58
+	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
+	gopkg.in/yaml.v2 v2.2.8 // indirect
+	honnef.co/go/tools v0.1.0
+	inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44
 	inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22
-	inet.af/peercred v0.0.0-20210318190834-4259e17bb763
-	inet.af/wf v0.0.0-20210516214145-a5343001b756
+	inet.af/peercred v0.0.0-20210302202138-56e694897155
 	rsc.io/goversion v1.2.0
 )
+
+replace github.com/github/certstore => github.com/cyolosecurity/certstore v0.0.0-20200922073901-ece7f1d353c2
--- a/go.sum
+++ b/go.sum
--- a/internal/deephash/deephash.go
+++ b/internal/deephash/deephash.go
@@ -1,226 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package deephash hashes a Go value recursively, in a predictable
-// order, without looping.
-package deephash
-
-import (
-	"bufio"
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"hash"
-	"reflect"
-	"strconv"
-	"sync"
-)
-
-func calcHash(v interface{}) string {
-	h := sha256.New()
-	b := bufio.NewWriterSize(h, h.BlockSize())
-	scratch := make([]byte, 0, 128)
-	printTo(b, v, scratch)
-	b.Flush()
-	scratch = h.Sum(scratch[:0])
-	hex.Encode(scratch[:cap(scratch)], scratch[:sha256.Size])
-	return string(scratch[:sha256.Size*2])
-}
-
-// UpdateHash sets last to the hash of v and reports whether its value changed.
-func UpdateHash(last *string, v ...interface{}) (changed bool) {
-	sig := calcHash(v)
-	if *last != sig {
-		*last = sig
-		return true
-	}
-	return false
-}
-
-func printTo(w *bufio.Writer, v interface{}, scratch []byte) {
-	print(w, reflect.ValueOf(v), make(map[uintptr]bool), scratch)
-}
-
-var appenderToType = reflect.TypeOf((*appenderTo)(nil)).Elem()
-
-type appenderTo interface {
-	AppendTo([]byte) []byte
-}
-
-// print hashes v into w.
-// It reports whether it was able to do so without hitting a cycle.
-func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
-	if !v.IsValid() {
-		return true
-	}
-
-	if v.CanInterface() {
-		// Use AppendTo methods, if available and cheap.
-		if v.CanAddr() && v.Type().Implements(appenderToType) {
-			a := v.Addr().Interface().(appenderTo)
-			scratch = a.AppendTo(scratch[:0])
-			w.Write(scratch)
-			return true
-		}
-	}
-
-	// Generic handling.
-	switch v.Kind() {
-	default:
-		panic(fmt.Sprintf("unhandled kind %v for type %v", v.Kind(), v.Type()))
-	case reflect.Ptr:
-		ptr := v.Pointer()
-		if visited[ptr] {
-			return false
-		}
-		visited[ptr] = true
-		return print(w, v.Elem(), visited, scratch)
-	case reflect.Struct:
-		acyclic = true
-		w.WriteString("struct{\n")
-		for i, n := 0, v.NumField(); i < n; i++ {
-			fmt.Fprintf(w, " [%d]: ", i)
-			if !print(w, v.Field(i), visited, scratch) {
-				acyclic = false
-			}
-			w.WriteString("\n")
-		}
-		w.WriteString("}\n")
-		return acyclic
-	case reflect.Slice, reflect.Array:
-		if v.Type().Elem().Kind() == reflect.Uint8 && v.CanInterface() {
-			fmt.Fprintf(w, "%q", v.Interface())
-			return true
-		}
-		fmt.Fprintf(w, "[%d]{\n", v.Len())
-		acyclic = true
-		for i, ln := 0, v.Len(); i < ln; i++ {
-			fmt.Fprintf(w, " [%d]: ", i)
-			if !print(w, v.Index(i), visited, scratch) {
-				acyclic = false
-			}
-			w.WriteString("\n")
-		}
-		w.WriteString("}\n")
-		return acyclic
-	case reflect.Interface:
-		return print(w, v.Elem(), visited, scratch)
-	case reflect.Map:
-		if hashMapAcyclic(w, v, visited, scratch) {
-			return true
-		}
-		return hashMapFallback(w, v, visited, scratch)
-	case reflect.String:
-		w.WriteString(v.String())
-	case reflect.Bool:
-		fmt.Fprintf(w, "%v", v.Bool())
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		fmt.Fprintf(w, "%v", v.Int())
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		scratch = strconv.AppendUint(scratch[:0], v.Uint(), 10)
-		w.Write(scratch)
-	case reflect.Float32, reflect.Float64:
-		fmt.Fprintf(w, "%v", v.Float())
-	case reflect.Complex64, reflect.Complex128:
-		fmt.Fprintf(w, "%v", v.Complex())
-	}
-	return true
-}
-
-type mapHasher struct {
-	xbuf [sha256.Size]byte // XOR'ed accumulated buffer
-	ebuf [sha256.Size]byte // scratch buffer
-	s256 hash.Hash         // sha256 hash.Hash
-	bw   *bufio.Writer     // to hasher into ebuf
-	val  valueCache        // re-usable values for map iteration
-	iter *reflect.MapIter  // re-usable map iterator
-}
-
-func (mh *mapHasher) Reset() {
-	for i := range mh.xbuf {
-		mh.xbuf[i] = 0
-	}
-}
-
-func (mh *mapHasher) startEntry() {
-	for i := range mh.ebuf {
-		mh.ebuf[i] = 0
-	}
-	mh.bw.Flush()
-	mh.s256.Reset()
-}
-
-func (mh *mapHasher) endEntry() {
-	mh.bw.Flush()
-	for i, b := range mh.s256.Sum(mh.ebuf[:0]) {
-		mh.xbuf[i] ^= b
-	}
-}
-
-var mapHasherPool = &sync.Pool{
-	New: func() interface{} {
-		mh := new(mapHasher)
-		mh.s256 = sha256.New()
-		mh.bw = bufio.NewWriter(mh.s256)
-		mh.val = make(valueCache)
-		mh.iter = new(reflect.MapIter)
-		return mh
-	},
-}
-
-type valueCache map[reflect.Type]reflect.Value
-
-func (c valueCache) get(t reflect.Type) reflect.Value {
-	v, ok := c[t]
-	if !ok {
-		v = reflect.New(t).Elem()
-		c[t] = v
-	}
-	return v
-}
-
-// hashMapAcyclic is the faster sort-free version of map hashing. If
-// it detects a cycle it returns false and guarantees that nothing was
-// written to w.
-func hashMapAcyclic(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
-	mh := mapHasherPool.Get().(*mapHasher)
-	defer mapHasherPool.Put(mh)
-	mh.Reset()
-	iter := mapIter(mh.iter, v)
-	defer mapIter(mh.iter, reflect.Value{}) // avoid pinning v from mh.iter when we return
-	k := mh.val.get(v.Type().Key())
-	e := mh.val.get(v.Type().Elem())
-	for iter.Next() {
-		key := iterKey(iter, k)
-		val := iterVal(iter, e)
-		mh.startEntry()
-		if !print(mh.bw, key, visited, scratch) {
-			return false
-		}
-		if !print(mh.bw, val, visited, scratch) {
-			return false
-		}
-		mh.endEntry()
-	}
-	w.Write(mh.xbuf[:])
-	return true
-}
-
-func hashMapFallback(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
-	acyclic = true
-	sm := newSortedMap(v)
-	fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
-	for i, k := range sm.Key {
-		if !print(w, k, visited, scratch) {
-			acyclic = false
-		}
-		w.WriteString(": ")
-		if !print(w, sm.Value[i], visited, scratch) {
-			acyclic = false
-		}
-		w.WriteString("\n")
-	}
-	w.WriteString("}\n")
-	return acyclic
-}
--- a/internal/deephash/deephash_test.go
+++ b/internal/deephash/deephash_test.go
@@ -1,136 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package deephash
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"reflect"
-	"testing"
-
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/dnsname"
-	"tailscale.com/wgengine/router"
-	"tailscale.com/wgengine/wgcfg"
-)
-
-func TestDeepHash(t *testing.T) {
-	// v contains the types of values we care about for our current callers.
-	// Mostly we're just testing that we don't panic on handled types.
-	v := getVal()
-
-	hash1 := calcHash(v)
-	t.Logf("hash: %v", hash1)
-	for i := 0; i < 20; i++ {
-		hash2 := calcHash(getVal())
-		if hash1 != hash2 {
-			t.Error("second hash didn't match")
-		}
-	}
-}
-
-func getVal() []interface{} {
-	return []interface{}{
-		&wgcfg.Config{
-			Name:      "foo",
-			Addresses: []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPFrom16([16]byte{3: 3}), 5)},
-			Peers: []wgcfg.Peer{
-				{
-					Endpoints: wgcfg.Endpoints{
-						IPPorts: wgcfg.NewIPPortSet(netaddr.MustParseIPPort("42.42.42.42:5")),
-					},
-				},
-			},
-		},
-		&router.Config{
-			Routes: []netaddr.IPPrefix{
-				netaddr.MustParseIPPrefix("1.2.3.0/24"),
-				netaddr.MustParseIPPrefix("1234::/64"),
-			},
-		},
-		map[dnsname.FQDN][]netaddr.IP{
-			dnsname.FQDN("a."): {netaddr.MustParseIP("1.2.3.4"), netaddr.MustParseIP("4.3.2.1")},
-			dnsname.FQDN("b."): {netaddr.MustParseIP("8.8.8.8"), netaddr.MustParseIP("9.9.9.9")},
-			dnsname.FQDN("c."): {netaddr.MustParseIP("6.6.6.6"), netaddr.MustParseIP("7.7.7.7")},
-			dnsname.FQDN("d."): {netaddr.MustParseIP("6.7.6.6"), netaddr.MustParseIP("7.7.7.8")},
-			dnsname.FQDN("e."): {netaddr.MustParseIP("6.8.6.6"), netaddr.MustParseIP("7.7.7.9")},
-			dnsname.FQDN("f."): {netaddr.MustParseIP("6.9.6.6"), netaddr.MustParseIP("7.7.7.0")},
-		},
-		map[dnsname.FQDN][]netaddr.IPPort{
-			dnsname.FQDN("a."): {netaddr.MustParseIPPort("1.2.3.4:11"), netaddr.MustParseIPPort("4.3.2.1:22")},
-			dnsname.FQDN("b."): {netaddr.MustParseIPPort("8.8.8.8:11"), netaddr.MustParseIPPort("9.9.9.9:22")},
-			dnsname.FQDN("c."): {netaddr.MustParseIPPort("8.8.8.8:12"), netaddr.MustParseIPPort("9.9.9.9:23")},
-			dnsname.FQDN("d."): {netaddr.MustParseIPPort("8.8.8.8:13"), netaddr.MustParseIPPort("9.9.9.9:24")},
-			dnsname.FQDN("e."): {netaddr.MustParseIPPort("8.8.8.8:14"), netaddr.MustParseIPPort("9.9.9.9:25")},
-		},
-		map[tailcfg.DiscoKey]bool{
-			{1: 1}: true,
-			{1: 2}: false,
-			{2: 3}: true,
-			{3: 4}: false,
-		},
-	}
-}
-
-func BenchmarkHash(b *testing.B) {
-	b.ReportAllocs()
-	v := getVal()
-	for i := 0; i < b.N; i++ {
-		calcHash(v)
-	}
-}
-
-func TestHashMapAcyclic(t *testing.T) {
-	m := map[int]string{}
-	for i := 0; i < 100; i++ {
-		m[i] = fmt.Sprint(i)
-	}
-	got := map[string]bool{}
-
-	var buf bytes.Buffer
-	bw := bufio.NewWriter(&buf)
-
-	for i := 0; i < 20; i++ {
-		visited := map[uintptr]bool{}
-		scratch := make([]byte, 0, 64)
-		v := reflect.ValueOf(m)
-		buf.Reset()
-		bw.Reset(&buf)
-		if !hashMapAcyclic(bw, v, visited, scratch) {
-			t.Fatal("returned false")
-		}
-		if got[string(buf.Bytes())] {
-			continue
-		}
-		got[string(buf.Bytes())] = true
-	}
-	if len(got) != 1 {
-		t.Errorf("got %d results; want 1", len(got))
-	}
-}
-
-func BenchmarkHashMapAcyclic(b *testing.B) {
-	b.ReportAllocs()
-	m := map[int]string{}
-	for i := 0; i < 100; i++ {
-		m[i] = fmt.Sprint(i)
-	}
-
-	var buf bytes.Buffer
-	bw := bufio.NewWriter(&buf)
-	visited := map[uintptr]bool{}
-	scratch := make([]byte, 0, 64)
-	v := reflect.ValueOf(m)
-
-	for i := 0; i < b.N; i++ {
-		buf.Reset()
-		bw.Reset(&buf)
-		if !hashMapAcyclic(bw, v, visited, scratch) {
-			b.Fatal("returned false")
-		}
-	}
-}
--- a/internal/deephash/mapiter.go
+++ b/internal/deephash/mapiter.go
@@ -1,37 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !tailscale_go
-
-package deephash
-
-import "reflect"
-
-// iterKey returns the current iter key.
-// scratch is a re-usable reflect.Value.
-// iterKey may store the iter key in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterKey(iter *reflect.MapIter, _ reflect.Value) reflect.Value {
-	return iter.Key()
-}
-
-// iterVal returns the current iter val.
-// scratch is a re-usable reflect.Value.
-// iterVal may store the iter val in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterVal(iter *reflect.MapIter, _ reflect.Value) reflect.Value {
-	return iter.Value()
-}
-
-// mapIter returns a map iterator for mapVal.
-// scratch is a re-usable reflect.MapIter.
-// mapIter may re-use scratch and return it,
-// or it may allocate and return a new *reflect.MapIter.
-// If mapVal is the zero reflect.Value, mapIter may return nil.
-func mapIter(_ *reflect.MapIter, mapVal reflect.Value) *reflect.MapIter {
-	if !mapVal.IsValid() {
-		return nil
-	}
-	return mapVal.MapRange()
-}
--- a/internal/deephash/mapiter_future.go
+++ b/internal/deephash/mapiter_future.go
@@ -1,42 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build tailscale_go
-
-package deephash
-
-import "reflect"
-
-// iterKey returns the current iter key.
-// scratch is a re-usable reflect.Value.
-// iterKey may store the iter key in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterKey(iter *reflect.MapIter, scratch reflect.Value) reflect.Value {
-	iter.SetKey(scratch)
-	return scratch
-}
-
-// iterVal returns the current iter val.
-// scratch is a re-usable reflect.Value.
-// iterVal may store the iter val in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterVal(iter *reflect.MapIter, scratch reflect.Value) reflect.Value {
-	iter.SetValue(scratch)
-	return scratch
-}
-
-// mapIter returns a map iterator for mapVal.
-// scratch is a re-usable reflect.MapIter.
-// mapIter may re-use scratch and return it,
-// or it may allocate and return a new *reflect.MapIter.
-// If mapVal is the zero reflect.Value, mapIter may return nil.
-func mapIter(scratch *reflect.MapIter, mapVal reflect.Value) *reflect.MapIter {
-	scratch.Reset(mapVal) // always Reset, to allow the caller to avoid pinning memory
-	if !mapVal.IsValid() {
-		// Returning scratch would also be OK.
-		// Do this for consistency with the non-optimized version.
-		return nil
-	}
-	return scratch
-}
--- a/internal/deepprint/deepprint.go
+++ b/internal/deepprint/deepprint.go
@@ -0,0 +1,103 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package deepprint walks a Go value recursively, in a predictable
+// order, without looping, and prints each value out to a given
+// Writer, which is assumed to be a hash.Hash, as this package doesn't
+// format things nicely.
+//
+// This is intended as a lighter version of go-spew, etc. We don't need its
+// features when our writer is just a hash.
+package deepprint
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"io"
+	"reflect"
+)
+
+func Hash(v ...interface{}) string {
+	h := sha256.New()
+	Print(h, v)
+	return fmt.Sprintf("%x", h.Sum(nil))
+}
+
+// UpdateHash sets last to the hash of v and reports whether its value changed.
+func UpdateHash(last *string, v ...interface{}) (changed bool) {
+	sig := Hash(v)
+	if *last != sig {
+		*last = sig
+		return true
+	}
+	return false
+}
+
+func Print(w io.Writer, v ...interface{}) {
+	print(w, reflect.ValueOf(v), make(map[uintptr]bool))
+}
+
+func print(w io.Writer, v reflect.Value, visited map[uintptr]bool) {
+	if !v.IsValid() {
+		return
+	}
+	switch v.Kind() {
+	default:
+		panic(fmt.Sprintf("unhandled kind %v for type %v", v.Kind(), v.Type()))
+	case reflect.Ptr:
+		ptr := v.Pointer()
+		if visited[ptr] {
+			return
+		}
+		visited[ptr] = true
+		print(w, v.Elem(), visited)
+		return
+	case reflect.Struct:
+		fmt.Fprintf(w, "struct{\n")
+		t := v.Type()
+		for i, n := 0, v.NumField(); i < n; i++ {
+			sf := t.Field(i)
+			fmt.Fprintf(w, "%s: ", sf.Name)
+			print(w, v.Field(i), visited)
+			fmt.Fprintf(w, "\n")
+		}
+	case reflect.Slice, reflect.Array:
+		if v.Type().Elem().Kind() == reflect.Uint8 && v.CanInterface() {
+			fmt.Fprintf(w, "%q", v.Interface())
+			return
+		}
+		fmt.Fprintf(w, "[%d]{\n", v.Len())
+		for i, ln := 0, v.Len(); i < ln; i++ {
+			fmt.Fprintf(w, " [%d]: ", i)
+			print(w, v.Index(i), visited)
+			fmt.Fprintf(w, "\n")
+		}
+		fmt.Fprintf(w, "}\n")
+	case reflect.Interface:
+		print(w, v.Elem(), visited)
+	case reflect.Map:
+		sm := newSortedMap(v)
+		fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
+		for i, k := range sm.Key {
+			print(w, k, visited)
+			fmt.Fprintf(w, ": ")
+			print(w, sm.Value[i], visited)
+			fmt.Fprintf(w, "\n")
+		}
+		fmt.Fprintf(w, "}\n")
+
+	case reflect.String:
+		fmt.Fprintf(w, "%s", v.String())
+	case reflect.Bool:
+		fmt.Fprintf(w, "%v", v.Bool())
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		fmt.Fprintf(w, "%v", v.Int())
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		fmt.Fprintf(w, "%v", v.Uint())
+	case reflect.Float32, reflect.Float64:
+		fmt.Fprintf(w, "%v", v.Float())
+	case reflect.Complex64, reflect.Complex128:
+		fmt.Fprintf(w, "%v", v.Complex())
+	}
+}
--- a/internal/deepprint/deepprint_test.go
+++ b/internal/deepprint/deepprint_test.go
@@ -0,0 +1,64 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package deepprint
+
+import (
+	"bytes"
+	"testing"
+
+	"inet.af/netaddr"
+	"tailscale.com/wgengine/router"
+	"tailscale.com/wgengine/wgcfg"
+)
+
+func TestDeepPrint(t *testing.T) {
+	// v contains the types of values we care about for our current callers.
+	// Mostly we're just testing that we don't panic on handled types.
+	v := getVal()
+
+	var buf bytes.Buffer
+	Print(&buf, v)
+	t.Logf("Got: %s", buf.Bytes())
+
+	hash1 := Hash(v)
+	t.Logf("hash: %v", hash1)
+	for i := 0; i < 20; i++ {
+		hash2 := Hash(getVal())
+		if hash1 != hash2 {
+			t.Error("second hash didn't match")
+		}
+	}
+}
+
+func getVal() []interface{} {
+	return []interface{}{
+		&wgcfg.Config{
+			Name:      "foo",
+			Addresses: []netaddr.IPPrefix{{Bits: 5, IP: netaddr.IPFrom16([16]byte{3: 3})}},
+			Peers: []wgcfg.Peer{
+				{
+					Endpoints: "foo:5",
+				},
+			},
+		},
+		&router.Config{
+			Routes: []netaddr.IPPrefix{
+				netaddr.MustParseIPPrefix("1.2.3.0/24"),
+				netaddr.MustParseIPPrefix("1234::/64"),
+			},
+		},
+		map[string]string{
+			"key1": "val1",
+			"key2": "val2",
+			"key3": "val3",
+			"key4": "val4",
+			"key5": "val5",
+			"key6": "val6",
+			"key7": "val7",
+			"key8": "val8",
+			"key9": "val9",
+		},
+	}
+}
--- a/internal/deepprint/fmtsort.go
+++ b/internal/deepprint/fmtsort.go
@@ -10,7 +10,7 @@

 // This is a slightly modified fork of Go's src/internal/fmtsort/sort.go

-package deephash
+package deepprint

 import (
 	"reflect"
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -29,7 +29,7 @@ import (
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/health"
-	"tailscale.com/internal/deephash"
+	"tailscale.com/internal/deepprint"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
@@ -44,13 +44,11 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
-	"tailscale.com/types/preftype"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -328,9 +326,6 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 		}
 	})
 	sb.MutateSelfStatus(func(ss *ipnstate.PeerStatus) {
-		if b.netMap != nil && b.netMap.SelfNode != nil {
-			ss.ID = b.netMap.SelfNode.StableID
-		}
 		for _, pln := range b.peerAPIListeners {
 			ss.PeerAPIURL = append(ss.PeerAPIURL, pln.urlStr)
 		}
@@ -358,19 +353,18 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 		var tailAddr4 string
 		var tailscaleIPs = make([]netaddr.IP, 0, len(p.Addresses))
 		for _, addr := range p.Addresses {
-			if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.IP()) {
-				if addr.IP().Is4() && tailAddr4 == "" {
+			if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.IP) {
+				if addr.IP.Is4() && tailAddr4 == "" {
 					// The peer struct previously only allowed a single
 					// Tailscale IP address. For compatibility for a few releases starting
 					// with 1.8, keep it pulled out as IPv4-only for a bit.
-					tailAddr4 = addr.IP().String()
+					tailAddr4 = addr.IP.String()
 				}
-				tailscaleIPs = append(tailscaleIPs, addr.IP())
+				tailscaleIPs = append(tailscaleIPs, addr.IP)
 			}
 		}
 		sb.AddPeer(key.Public(p.Key), &ipnstate.PeerStatus{
 			InNetworkMap:       true,
-			ID:                 p.StableID,
 			UserID:             p.User,
 			TailAddrDeprecated: tailAddr4,
 			TailscaleIPs:       tailscaleIPs,
@@ -392,10 +386,10 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 func (b *LocalBackend) WhoIs(ipp netaddr.IPPort) (n *tailcfg.Node, u tailcfg.UserProfile, ok bool) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
-	n, ok = b.nodeByAddr[ipp.IP()]
+	n, ok = b.nodeByAddr[ipp.IP]
 	if !ok {
 		var ip netaddr.IP
-		if ipp.Port() != 0 {
+		if ipp.Port != 0 {
 			ip, ok = b.e.WhoIsIPPort(ipp)
 		}
 		if !ok {
@@ -436,15 +430,14 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		}
 		return
 	}
-
-	b.mu.Lock()
-	wasBlocked := b.blocked
-	b.mu.Unlock()
-
-	if st.LoginFinished != nil && wasBlocked {
+	if st.LoginFinished != nil {
 		// Auth completed, unblock the engine
 		b.blockEngineUpdates(false)
 		b.authReconfig()
+		b.EditPrefs(&ipn.MaskedPrefs{
+			LoggedOutSet: true,
+			Prefs:        ipn.Prefs{LoggedOut: false},
+		})
 		b.send(ipn.Notify{LoginFinished: &empty.Message{}})
 	}

@@ -453,13 +446,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	// Lock b once and do only the things that require locking.
 	b.mu.Lock()

-	if st.LogoutFinished != nil {
-		// Since we're logged out now, our netmap cache is invalid.
-		// Since st.NetMap==nil means "netmap is unchanged", there is
-		// no other way to represent this change.
-		b.setNetMapLocked(nil)
-	}
-
 	prefs := b.prefs
 	stateKey := b.stateKey
 	netMap := b.netMap
@@ -490,15 +476,11 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		b.authURL = st.URL
 		b.authURLSticky = st.URL
 	}
-	if wasBlocked && st.LoginFinished != nil {
-		// Interactive login finished successfully (URL visited).
-		// After an interactive login, the user always wants
-		// WantRunning.
-		if !b.prefs.WantRunning || b.prefs.LoggedOut {
+	if b.state == ipn.NeedsLogin {
+		if !b.prefs.WantRunning {
 			prefsChanged = true
 		}
 		b.prefs.WantRunning = true
-		b.prefs.LoggedOut = false
 	}
 	// Prefs will be written out; this is not safe unless locked or cloned.
 	if prefsChanged {
@@ -561,7 +543,7 @@ func (b *LocalBackend) findExitNodeIDLocked(nm *netmap.NetworkMap) (prefsChanged

 	for _, peer := range nm.Peers {
 		for _, addr := range peer.Addresses {
-			if !addr.IsSingleIP() || addr.IP() != b.prefs.ExitNodeIP {
+			if !addr.IsSingleIP() || addr.IP != b.prefs.ExitNodeIP {
 				continue
 			}
 			// Found the node being referenced, upgrade prefs to
@@ -580,18 +562,10 @@ func (b *LocalBackend) findExitNodeIDLocked(nm *netmap.NetworkMap) (prefsChanged
 func (b *LocalBackend) setWgengineStatus(s *wgengine.Status, err error) {
 	if err != nil {
 		b.logf("wgengine status error: %v", err)
-
-		b.statusLock.Lock()
-		b.statusChanged.Broadcast()
-		b.statusLock.Unlock()
 		return
 	}
 	if s == nil {
 		b.logf("[unexpected] non-error wgengine update with status=nil: %v", s)
-
-		b.statusLock.Lock()
-		b.statusChanged.Broadcast()
-		b.statusLock.Unlock()
 		return
 	}

@@ -657,12 +631,6 @@ func (b *LocalBackend) getNewControlClientFunc() clientGen {
 // startIsNoopLocked reports whether a Start call on this LocalBackend
 // with the provided Start Options would be a useless no-op.
 //
-// TODO(apenwarr): we shouldn't need this.
-//  The state machine is now nearly clean enough where it can accept a new
-//  connection while in any state, not just Running, and on any platform.
-//  We'd want to add a few more tests to state_test.go to ensure this continues
-//  to work as expected.
-//
 // b.mu must be held.
 func (b *LocalBackend) startIsNoopLocked(opts ipn.Options) bool {
 	// Options has 5 fields; check all of them:
@@ -716,7 +684,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		b.send(ipn.Notify{
 			State:         &state,
 			NetMap:        nm,
-			Prefs:         b.prefs,
 			LoginFinished: new(empty.Message),
 		})
 		return nil
@@ -907,7 +874,7 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 	}
 	if prefs != nil {
 		for _, r := range prefs.AdvertiseRoutes {
-			if r.Bits() == 0 {
+			if r.Bits == 0 {
 				// When offering a default route to the world, we
 				// filter out locally reachable LANs, so that the
 				// default route effectively appears to be a "guest
@@ -929,10 +896,10 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 			}
 		}
 	}
-	localNets, _ := localNetsB.IPSet()
-	logNets, _ := logNetsB.IPSet()
+	localNets := localNetsB.IPSet()
+	logNets := logNetsB.IPSet()

-	changed := deephash.UpdateHash(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
+	changed := deepprint.UpdateHash(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
 	if !changed {
 		return
 	}
@@ -975,20 +942,19 @@ var removeFromDefaultRoute = []netaddr.IPPrefix{
 func interfaceRoutes() (ips *netaddr.IPSet, hostIPs []netaddr.IP, err error) {
 	var b netaddr.IPSetBuilder
 	if err := interfaces.ForeachInterfaceAddress(func(_ interfaces.Interface, pfx netaddr.IPPrefix) {
-		if tsaddr.IsTailscaleIP(pfx.IP()) {
+		if tsaddr.IsTailscaleIP(pfx.IP) {
 			return
 		}
 		if pfx.IsSingleIP() {
 			return
 		}
-		hostIPs = append(hostIPs, pfx.IP())
+		hostIPs = append(hostIPs, pfx.IP)
 		b.AddPrefix(pfx)
 	}); err != nil {
 		return nil, nil, err
 	}

-	ipSet, _ := b.IPSet()
-	return ipSet, hostIPs, nil
+	return b.IPSet(), hostIPs, nil
 }

 // shrinkDefaultRoute returns an IPSet representing the IPs in route,
@@ -1019,7 +985,7 @@ func shrinkDefaultRoute(route netaddr.IPPrefix) (*netaddr.IPSet, error) {
 	for _, pfx := range removeFromDefaultRoute {
 		b.RemovePrefix(pfx)
 	}
-	return b.IPSet()
+	return b.IPSet(), nil
 }

 // dnsCIDRsEqual determines whether two CIDR lists are equal
@@ -1711,45 +1677,9 @@ func (b *LocalBackend) authReconfig() {

 	rcfg := b.routerConfig(cfg, uc)

-	dcfg := dns.Config{
-		Routes: map[dnsname.FQDN][]netaddr.IPPort{},
-		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-	}
-
-	// Populate MagicDNS records. We do this unconditionally so that
-	// quad-100 can always respond to MagicDNS queries, even if the OS
-	// isn't configured to make MagicDNS resolution truly
-	// magic. Details in
-	// https://github.com/tailscale/tailscale/issues/1886.
-	set := func(name string, addrs []netaddr.IPPrefix) {
-		if len(addrs) == 0 || name == "" {
-			return
-		}
-		fqdn, err := dnsname.ToFQDN(name)
-		if err != nil {
-			return // TODO: propagate error?
-		}
-		var ips []netaddr.IP
-		for _, addr := range addrs {
-			// Remove IPv6 addresses for now, as we don't
-			// guarantee that the peer node actually can speak
-			// IPv6 correctly.
-			//
-			// https://github.com/tailscale/tailscale/issues/1152
-			// tracks adding the right capability reporting to
-			// enable AAAA in MagicDNS.
-			if addr.IP().Is6() {
-				continue
-			}
-			ips = append(ips, addr.IP())
-		}
-		dcfg.Hosts[fqdn] = ips
-	}
-	set(nm.Name, nm.Addresses)
-	for _, peer := range nm.Peers {
-		set(peer.Name, peer.Addresses)
-	}
+	var dcfg dns.Config

+	// If CorpDNS is false, dcfg remains the zero value.
 	if uc.CorpDNS {
 		addDefault := func(resolvers []tailcfg.DNSResolver) {
 			for _, resolver := range resolvers {
@@ -1763,6 +1693,9 @@ func (b *LocalBackend) authReconfig() {
 		}

 		addDefault(nm.DNS.Resolvers)
+		if len(nm.DNS.Routes) > 0 {
+			dcfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{}
+		}
 		for suffix, resolvers := range nm.DNS.Routes {
 			fqdn, err := dnsname.ToFQDN(suffix)
 			if err != nil {
@@ -1784,9 +1717,36 @@ func (b *LocalBackend) authReconfig() {
 			}
 			dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
 		}
+		set := func(name string, addrs []netaddr.IPPrefix) {
+			if len(addrs) == 0 || name == "" {
+				return
+			}
+			fqdn, err := dnsname.ToFQDN(name)
+			if err != nil {
+				return // TODO: propagate error?
+			}
+			var ips []netaddr.IP
+			for _, addr := range addrs {
+				// Remove IPv6 addresses for now, as we don't
+				// guarantee that the peer node actually can speak
+				// IPv6 correctly.
+				//
+				// https://github.com/tailscale/tailscale/issues/1152
+				// tracks adding the right capability reporting to
+				// enable AAAA in MagicDNS.
+				if addr.IP.Is6() {
+					continue
+				}
+				ips = append(ips, addr.IP)
+			}
+			dcfg.Hosts[fqdn] = ips
+		}
 		if nm.DNS.Proxied { // actually means "enable MagicDNS"
-			for _, dom := range magicDNSRootDomains(nm) {
-				dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
+			dcfg.AuthoritativeSuffixes = magicDNSRootDomains(nm)
+			dcfg.Hosts = map[dnsname.FQDN][]netaddr.IP{}
+			set(nm.Name, nm.Addresses)
+			for _, peer := range nm.Peers {
+				set(peer.Name, peer.Addresses)
 			}
 		}

@@ -1810,7 +1770,7 @@ func (b *LocalBackend) authReconfig() {
 			//
 			// https://github.com/tailscale/tailscale/issues/1713
 			addDefault(nm.DNS.FallbackResolvers)
-		case len(dcfg.Routes) == 0:
+		case len(dcfg.Routes) == 0 && len(dcfg.Hosts) == 0 && len(dcfg.AuthoritativeSuffixes) == 0:
 			// No settings requiring split DNS, no problem.
 		case version.OS() == "android":
 			// We don't support split DNS at all on Android yet.
@@ -1832,15 +1792,17 @@ func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
 	if err != nil {
 		return netaddr.IPPort{}, fmt.Errorf("[unexpected] non-IP resolver %q", cfg.Addr)
 	}
-	return netaddr.IPPortFrom(ip, 53), nil
+	return netaddr.IPPort{
+		IP:   ip,
+		Port: 53,
+	}, nil
 }

 // tailscaleVarRoot returns the root directory of Tailscale's writable
 // storage area. (e.g. "/var/lib/tailscale")
 func tailscaleVarRoot() string {
-	switch runtime.GOOS {
-	case "ios", "android":
-		dir, _ := paths.AppSharedDir.Load().(string)
+	if runtime.GOOS == "ios" {
+		dir, _ := paths.IOSSharedDir.Load().(string)
 		return dir
 	}
 	stateFile := paths.DefaultTailscaledStateFile()
@@ -1888,19 +1850,10 @@ func (b *LocalBackend) initPeerAPIListener() {
 	b.mu.Lock()
 	defer b.mu.Unlock()

-	if b.netMap == nil {
-		// We're called from authReconfig which checks that
-		// netMap is non-nil, but if a concurrent Logout,
-		// ResetForClientDisconnect, or Start happens when its
-		// mutex was released, the netMap could be
-		// nil'ed out (Issue 1996). Bail out early here if so.
-		return
-	}
-
 	if len(b.netMap.Addresses) == len(b.peerAPIListeners) {
 		allSame := true
 		for i, pln := range b.peerAPIListeners {
-			if pln.ip != b.netMap.Addresses[i].IP() {
+			if pln.ip != b.netMap.Addresses[i].IP {
 				allSame = false
 				break
 			}
@@ -1945,7 +1898,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 		var err error
 		skipListen := i > 0 && isNetstack
 		if !skipListen {
-			ln, err = ps.listen(a.IP(), b.prevIfState)
+			ln, err = ps.listen(a.IP, b.prevIfState)
 			if err != nil {
 				if runtime.GOOS == "windows" {
 					// Expected for now. See Issue 1620.
@@ -1953,13 +1906,13 @@ func (b *LocalBackend) initPeerAPIListener() {
 					// ("peerAPIListeners too low").
 					continue
 				}
-				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP(), err)
+				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP, err)
 				continue
 			}
 		}
 		pln := &peerAPIListener{
 			ps: ps,
-			ip: a.IP(),
+			ip: a.IP,
 			ln: ln, // nil for 2nd+ on netstack
 			lb: b,
 		}
@@ -1968,7 +1921,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 		} else {
 			pln.port = ln.Addr().(*net.TCPAddr).Port
 		}
-		pln.urlStr = "http://" + net.JoinHostPort(a.IP().String(), strconv.Itoa(pln.port))
+		pln.urlStr = "http://" + net.JoinHostPort(a.IP.String(), strconv.Itoa(pln.port))
 		b.logf("peerapi: serving on %s", pln.urlStr)
 		go pln.serve()
 		b.peerAPIListeners = append(b.peerAPIListeners, pln)
@@ -2019,14 +1972,14 @@ func peerRoutes(peers []wgcfg.Peer, cgnatThreshold int) (routes []netaddr.IPPref
 		for _, aip := range peer.AllowedIPs {
 			aip = unmapIPPrefix(aip)
 			// Only add the Tailscale IPv6 ULA once, if we see anybody using part of it.
-			if aip.IP().Is6() && aip.IsSingleIP() && tsULA.Contains(aip.IP()) {
+			if aip.IP.Is6() && aip.IsSingleIP() && tsULA.Contains(aip.IP) {
 				if !didULA {
 					didULA = true
 					routes = append(routes, tsULA)
 				}
 				continue
 			}
-			if aip.IsSingleIP() && cgNAT.Contains(aip.IP()) {
+			if aip.IsSingleIP() && cgNAT.Contains(aip.IP) {
 				cgNATIPs = append(cgNATIPs, aip)
 			} else {
 				routes = append(routes, aip)
@@ -2052,11 +2005,6 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		Routes:           peerRoutes(cfg.Peers, 10_000),
 	}

-	if distro.Get() == distro.Synology {
-		// Issue 1995: we don't use iptables on Synology.
-		rs.NetfilterMode = preftype.NetfilterOff
-	}
-
 	// Sanity check: we expect the control server to program both a v4
 	// and a v6 default route, if default routing is on. Fill in
 	// blackhole routes appropriately if we're missing some. This is
@@ -2098,13 +2046,16 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		}
 	}

-	rs.Routes = append(rs.Routes, netaddr.IPPrefixFrom(tsaddr.TailscaleServiceIP(), 32))
+	rs.Routes = append(rs.Routes, netaddr.IPPrefix{
+		IP:   tsaddr.TailscaleServiceIP(),
+		Bits: 32,
+	})

 	return rs
 }

 func unmapIPPrefix(ipp netaddr.IPPrefix) netaddr.IPPrefix {
-	return netaddr.IPPrefixFrom(ipp.IP().Unmap(), ipp.Bits())
+	return netaddr.IPPrefix{IP: ipp.IP.Unmap(), Bits: ipp.Bits}
 }

 func unmapIPPrefixes(ippsList ...[]netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
@@ -2158,8 +2109,8 @@ func (b *LocalBackend) enterState(newState ipn.State) {
 	if oldState == newState {
 		return
 	}
-	b.logf("Switching ipn state %v -> %v (WantRunning=%v, nm=%v)",
-		oldState, newState, prefs.WantRunning, netMap != nil)
+	b.logf("Switching ipn state %v -> %v (WantRunning=%v)",
+		oldState, newState, prefs.WantRunning)
 	health.SetIPNState(newState.String(), prefs.WantRunning)
 	b.send(ipn.Notify{State: &newState})

@@ -2188,7 +2139,7 @@ func (b *LocalBackend) enterState(newState ipn.State) {
 	case ipn.Running:
 		var addrs []string
 		for _, addr := range b.netMap.Addresses {
-			addrs = append(addrs, addr.IP().String())
+			addrs = append(addrs, addr.IP.String())
 		}
 		systemd.Status("Connected; %s; %s", activeLogin, strings.Join(addrs, " "))
 	default:
@@ -2215,14 +2166,13 @@ func (b *LocalBackend) nextState() ipn.State {
 		cc          = b.cc
 		netMap      = b.netMap
 		state       = b.state
-		blocked     = b.blocked
 		wantRunning = b.prefs.WantRunning
 		loggedOut   = b.prefs.LoggedOut
 	)
 	b.mu.Unlock()

 	switch {
-	case !wantRunning && !loggedOut && !blocked && b.hasNodeKey():
+	case !wantRunning && !loggedOut && b.hasNodeKey():
 		return ipn.Stopped
 	case netMap == nil:
 		if cc.AuthCantContinue() || loggedOut {
@@ -2350,6 +2300,7 @@ func (b *LocalBackend) LogoutSync(ctx context.Context) error {
 func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 	b.mu.Lock()
 	cc := b.cc
+	b.setNetMapLocked(nil)
 	b.mu.Unlock()

 	b.EditPrefs(&ipn.MaskedPrefs{
@@ -2376,6 +2327,10 @@ func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 		cc.StartLogout()
 	}

+	b.mu.Lock()
+	b.setNetMapLocked(nil)
+	b.mu.Unlock()
+
 	b.stateMachine()
 	return err
 }
@@ -2451,7 +2406,7 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	addNode := func(n *tailcfg.Node) {
 		for _, ipp := range n.Addresses {
 			if ipp.IsSingleIP() {
-				b.nodeByAddr[ipp.IP()] = n
+				b.nodeByAddr[ipp.IP] = n
 			}
 		}
 	}
@@ -2577,42 +2532,6 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }

-// SetDNS adds a DNS record for the given domain name & TXT record
-// value.
-//
-// It's meant for use with dns-01 ACME (LetsEncrypt) challenges.
-//
-// This is the low-level interface. Other layers will provide more
-// friendly options to get HTTPS certs.
-func (b *LocalBackend) SetDNS(ctx context.Context, name, value string) error {
-	req := &tailcfg.SetDNSRequest{
-		Version: 1,
-		Type:    "TXT",
-		Name:    name,
-		Value:   value,
-	}
-
-	b.mu.Lock()
-	cc := b.cc
-	if prefs := b.prefs; prefs != nil {
-		req.NodeKey = tailcfg.NodeKey(prefs.Persist.PrivateNodeKey.Public())
-	}
-	b.mu.Unlock()
-	if cc == nil {
-		return errors.New("not connected")
-	}
-	if req.NodeKey.IsZero() {
-		return errors.New("no nodekey")
-	}
-	if name == "" {
-		return errors.New("missing 'name'")
-	}
-	if value == "" {
-		return errors.New("missing 'value'")
-	}
-	return cc.SetDNS(ctx, req)
-}
-
 func (b *LocalBackend) registerIncomingFile(inf *incomingFile, active bool) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -2639,9 +2558,9 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {
 			continue
 		}
 		switch {
-		case a.IP().Is4():
+		case a.IP.Is4():
 			have4 = true
-		case a.IP().Is6():
+		case a.IP.Is6():
 			have6 = true
 		}
 	}
@@ -2657,11 +2576,11 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {
 	var ipp netaddr.IPPort
 	switch {
 	case have4 && p4 != 0:
-		ipp = netaddr.IPPortFrom(nodeIP(peer, netaddr.IP.Is4), p4)
+		ipp = netaddr.IPPort{IP: nodeIP(peer, netaddr.IP.Is4), Port: p4}
 	case have6 && p6 != 0:
-		ipp = netaddr.IPPortFrom(nodeIP(peer, netaddr.IP.Is6), p6)
+		ipp = netaddr.IPPort{IP: nodeIP(peer, netaddr.IP.Is6), Port: p6}
 	}
-	if ipp.IP().IsZero() {
+	if ipp.IP.IsZero() {
 		return ""
 	}
 	return fmt.Sprintf("http://%v", ipp)
@@ -2669,8 +2588,8 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {

 func nodeIP(n *tailcfg.Node, pred func(netaddr.IP) bool) netaddr.IP {
 	for _, a := range n.Addresses {
-		if a.IsSingleIP() && pred(a.IP()) {
-			return a.IP()
+		if a.IsSingleIP() && pred(a.IP) {
+			return a.IP
 		}
 	}
 	return netaddr.IP{}
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -171,7 +171,7 @@ func TestShrinkDefaultRoute(t *testing.T) {
 			out: []string{
 				"fe80::1",
 				"ff00::1",
-				tsaddr.TailscaleULARange().IP().String(),
+				tsaddr.TailscaleULARange().IP.String(),
 			},
 			localIPFn: func(ip netaddr.IP) bool { return !inRemove(ip) && ip.Is6() },
 		},
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -510,7 +510,7 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 <body>
 <h1>Hello, %s (%v)</h1>
 This is my Tailscale device. Your device is %v.
-`, html.EscapeString(who), h.remoteAddr.IP(), html.EscapeString(h.peerNode.ComputedName))
+`, html.EscapeString(who), h.remoteAddr.IP, html.EscapeString(h.peerNode.ComputedName))

 	if h.isSelf {
 		fmt.Fprintf(w, "<p>You are the owner of this node.\n")
--- a/ipn/ipnlocal/peerapi_macios_ext.go
+++ b/ipn/ipnlocal/peerapi_macios_ext.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build darwin,ts_macext ios,ts_macext
+// +build darwin,redo ios,redo

 package ipnlocal

--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -140,8 +140,6 @@ func (cc *mockControl) send(err error, url string, loginFinished bool, nm *netma
 		}
 		if loginFinished {
 			s.LoginFinished = &empty.Message{}
-		} else if url == "" && err == nil && nm == nil {
-			s.LogoutFinished = &empty.Message{}
 		}
 		cc.statusFunc(s)
 	}
@@ -248,10 +246,6 @@ func (cc *mockControl) UpdateEndpoints(localPort uint16, endpoints []tailcfg.End
 	cc.called("UpdateEndpoints")
 }

-func (*mockControl) SetDNS(context.Context, *tailcfg.SetDNSRequest) error {
-	panic("unexpected SetDNS call")
-}
-
 // A very precise test of the sequence of function calls generated by
 // ipnlocal.Local into its controlclient instance, and the events it
 // produces upstream into the UI.
@@ -374,11 +368,13 @@ func TestStateMachine(t *testing.T) {
 	{
 		c.Assert(cc.getCalls(), qt.DeepEquals, []string{"Login"})
 		notifies.drain(0)
-		// Note: WantRunning isn't true yet. It'll switch to true
-		// after a successful login finishes.
-		// (This behaviour is needed so that b.Login() won't
-		// start connecting to an old account right away, if one
-		// exists when you launch another login.)
+		// BUG: this should immediately set WantRunning to true.
+		// Users don't log in if they don't want to also connect.
+		// (Generally, we're inconsistent about who is supposed to
+		// update Prefs at what time. But the overall philosophy is:
+		// update it when the user's intent changes. This is clearly
+		// at the time the user *requests* Login, not at the time
+		// the login finishes.)
 	}

 	// Attempted non-interactive login with no key; indicate that
@@ -388,16 +384,18 @@ func TestStateMachine(t *testing.T) {
 	url1 := "http://localhost:1/1"
 	cc.send(nil, url1, false, nil)
 	{
-		c.Assert(cc.getCalls(), qt.DeepEquals, []string{})
+		c.Assert(cc.getCalls(), qt.HasLen, 0)

 		// ...but backend eats that notification, because the user
 		// didn't explicitly request interactive login yet, and
 		// we're already in NeedsLogin state.
 		nn := notifies.drain(1)

+		// Trying to log in automatically sets WantRunning.
+		// BUG: that should have happened right after Login().
 		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsFalse)
-		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 	}

 	// Now we'll try an interactive login.
@@ -453,12 +451,11 @@ func TestStateMachine(t *testing.T) {
 	// same time.
 	// The backend should propagate this upward for the UI.
 	t.Logf("\n\nLoginFinished")
-	notifies.expect(3)
+	notifies.expect(2)
 	cc.setAuthBlocked(false)
-	cc.persist.LoginName = "user1"
 	cc.send(nil, "", true, &netmap.NetworkMap{})
 	{
-		nn := notifies.drain(3)
+		nn := notifies.drain(2)
 		// BUG: still too soon for UpdateEndpoints.
 		//
 		// Arguably it makes sense to unpause now, since the machine
@@ -471,12 +468,15 @@ func TestStateMachine(t *testing.T) {
 		// it's visible in the logs)
 		c.Assert([]string{"unpause", "UpdateEndpoints"}, qt.DeepEquals, cc.getCalls())
 		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(nn[2].State, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user1")
-		c.Assert(ipn.NeedsMachineAuth, qt.Equals, *nn[2].State)
+		c.Assert(nn[1].State, qt.Not(qt.IsNil))
+		c.Assert(ipn.NeedsMachineAuth, qt.Equals, *nn[1].State)
 	}

+	// TODO: check that the logged-in username propagates from control
+	// through to the UI notifications. I think it's used as a hint
+	// for future logins, to pre-fill the username box? Not really sure
+	// how it works.
+
 	// Pretend that the administrator has authorized our machine.
 	t.Logf("\n\nMachineAuthorized")
 	notifies.expect(1)
@@ -554,7 +554,10 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
 		c.Assert(nn[0].NetMap, qt.Not(qt.IsNil))
-		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		// BUG: Prefs should be sent too, or the UI could end up in
+		// a bad state. (iOS, the only current user of this feature,
+		// probably wouldn't notice because it happens to not display
+		// any prefs. Maybe exit nodes will look weird?)
 	}

 	// undo the state hack above.
@@ -566,13 +569,14 @@ func TestStateMachine(t *testing.T) {
 	b.Logout()
 	{
 		nn := notifies.drain(2)
-		c.Assert([]string{"pause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
+		// BUG: now is not the time to unpause.
+		c.Assert([]string{"unpause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
+		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsTrue)
 		c.Assert(nn[1].Prefs.WantRunning, qt.IsFalse)
-		c.Assert(ipn.Stopped, qt.Equals, b.State())
+		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// Let's make the logout succeed.
@@ -582,69 +586,72 @@ func TestStateMachine(t *testing.T) {
 	cc.send(nil, "", false, nil)
 	{
 		nn := notifies.drain(1)
-		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].State, qt.Not(qt.IsNil))
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		// BUG: WantRunning should be false after manual logout.
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// A second logout should do nothing, since the prefs haven't changed.
 	t.Logf("\n\nLogout2 (async)")
-	notifies.expect(0)
+	notifies.expect(1)
 	b.Logout()
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		// BUG: the backend has already called StartLogout, and we're
 		// still logged out. So it shouldn't call it again.
 		c.Assert([]string{"StartLogout"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		// BUG: Prefs should not change here. Already logged out.
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// Let's acknowledge the second logout too.
 	t.Logf("\n\nLogout2 (async) - succeed")
-	notifies.expect(0)
+	notifies.expect(1)
 	cc.setAuthBlocked(true)
 	cc.send(nil, "", false, nil)
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		// BUG: second logout shouldn't cause WantRunning->true !!
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// Try the synchronous logout feature.
 	t.Logf("\n\nLogout3 (sync)")
-	notifies.expect(0)
+	notifies.expect(1)
 	b.LogoutSync(context.Background())
 	// NOTE: This returns as soon as cc.Logout() returns, which is okay
 	// I guess, since that's supposed to be synchronous.
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		c.Assert([]string{"Logout"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// Generate the third logout event.
 	t.Logf("\n\nLogout3 (sync) - succeed")
-	notifies.expect(0)
+	notifies.expect(1)
 	cc.setAuthBlocked(true)
 	cc.send(nil, "", false, nil)
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		// BUG: third logout shouldn't cause WantRunning->true !!
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

@@ -662,6 +669,10 @@ func TestStateMachine(t *testing.T) {
 	// happens if the user exits and restarts while logged out.
 	// Note that it's explicitly okay to call b.Start() over and over
 	// again, every time the frontend reconnects.
+	//
+	// BUG: WantRunning is true here (because of the bug above).
+	//  We'll have to adjust the following test's expectations if we
+	//  fix that.

 	// TODO: test user switching between statekeys.

@@ -680,7 +691,7 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 		c.Assert(nn[1].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
-		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}
@@ -692,20 +703,16 @@ func TestStateMachine(t *testing.T) {
 	t.Logf("\n\nLoginFinished3")
 	notifies.expect(3)
 	cc.setAuthBlocked(false)
-	cc.persist.LoginName = "user2"
 	cc.send(nil, "", true, &netmap.NetworkMap{
 		MachineStatus: tailcfg.MachineAuthorized,
 	})
 	{
 		nn := notifies.drain(3)
 		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[1].LoginFinished, qt.Not(qt.IsNil))
 		c.Assert(nn[2].State, qt.Not(qt.IsNil))
-		// Prefs after finishing the login, so LoginName updated.
-		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user2")
-		c.Assert(nn[1].Prefs.LoggedOut, qt.IsFalse)
-		c.Assert(nn[1].Prefs.WantRunning, qt.IsTrue)
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsFalse)
 		c.Assert(ipn.Starting, qt.Equals, *nn[2].State)
 	}

@@ -766,63 +773,6 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
 	}

-	// Disconnect.
-	t.Logf("\n\nStop")
-	notifies.expect(2)
-	b.EditPrefs(&ipn.MaskedPrefs{
-		WantRunningSet: true,
-		Prefs:          ipn.Prefs{WantRunning: false},
-	})
-	{
-		nn := notifies.drain(2)
-		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
-	}
-
-	// We want to try logging in as a different user, while Stopped.
-	// First, start the login process (without logging out first).
-	t.Logf("\n\nLoginDifferent")
-	notifies.expect(2)
-	b.StartLoginInteractive()
-	url3 := "http://localhost:1/3"
-	cc.send(nil, url3, false, nil)
-	{
-		nn := notifies.drain(2)
-		// It might seem like WantRunning should switch to true here,
-		// but that would be risky since we already have a valid
-		// user account. It might try to reconnect to the old account
-		// before the new one is ready. So no change yet.
-		c.Assert([]string{"Login", "unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].BrowseToURL, qt.Not(qt.IsNil))
-		c.Assert(nn[1].State, qt.Not(qt.IsNil))
-		c.Assert(*nn[0].BrowseToURL, qt.Equals, url3)
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
-	}
-
-	// Now, let's say the interactive login completed, using a different
-	// user account than before.
-	t.Logf("\n\nLoginDifferent URL visited")
-	notifies.expect(3)
-	cc.persist.LoginName = "user3"
-	cc.send(nil, "", true, &netmap.NetworkMap{
-		MachineStatus: tailcfg.MachineAuthorized,
-	})
-	{
-		nn := notifies.drain(3)
-		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(nn[2].State, qt.Not(qt.IsNil))
-		// Prefs after finishing the login, so LoginName updated.
-		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user3")
-		c.Assert(nn[1].Prefs.LoggedOut, qt.IsFalse)
-		c.Assert(nn[1].Prefs.WantRunning, qt.IsTrue)
-		c.Assert(ipn.Starting, qt.Equals, *nn[2].State)
-	}
-
 	// The last test case is the most common one: restarting when both
 	// logged in and WantRunning.
 	t.Logf("\n\nStart5")
@@ -843,18 +793,17 @@ func TestStateMachine(t *testing.T) {

 	// Control server accepts our valid key from before.
 	t.Logf("\n\nLoginFinished5")
-	notifies.expect(1)
+	notifies.expect(2)
 	cc.setAuthBlocked(false)
 	cc.send(nil, "", true, &netmap.NetworkMap{
 		MachineStatus: tailcfg.MachineAuthorized,
 	})
 	{
-		nn := notifies.drain(1)
+		nn := notifies.drain(2)
 		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		// NOTE: No LoginFinished message since no interactive
-		// login was needed.
-		c.Assert(nn[0].State, qt.Not(qt.IsNil))
-		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
+		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
+		c.Assert(nn[1].State, qt.Not(qt.IsNil))
+		c.Assert(ipn.Starting, qt.Equals, *nn[1].State)
 		// NOTE: No prefs change this time. WantRunning stays true.
 		// We were in Starting in the first place, so that doesn't
 		// change either.
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -6,9 +6,7 @@ package ipnserver

 import (
 	"bufio"
-	"bytes"
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -147,7 +145,7 @@ func (s *server) getConnIdentity(c net.Conn) (ci connIdentity, err error) {
 	if err != nil {
 		return ci, fmt.Errorf("parsing local remote: %w", err)
 	}
-	if !la.IP().IsLoopback() || !ra.IP().IsLoopback() {
+	if !la.IP.IsLoopback() || !ra.IP.IsLoopback() {
 		return ci, errors.New("non-loopback connection")
 	}
 	tab, err := netstat.Get()
@@ -253,7 +251,8 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 			return
 		}
 		defer c.Close()
-		bs := ipn.NewBackendServer(logf, nil, jsonNotifier(c, s.logf))
+		serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+		bs := ipn.NewBackendServer(logf, nil, serverToClient)
 		_, occupied := err.(inUseOtherUserError)
 		if occupied {
 			bs.SendInUseOtherUserErrorMessage(err.Error())
@@ -568,9 +567,7 @@ func (s *server) setServerModeUserLocked() {
 	}
 }

-var jsonEscapedZero = []byte(`\u0000`)
-
-func (s *server) writeToClients(n ipn.Notify) {
+func (s *server) writeToClients(b []byte) {
 	inServerMode := s.b.InServerMode()

 	s.mu.Lock()
@@ -587,17 +584,8 @@ func (s *server) writeToClients(n ipn.Notify) {
 		}
 	}

-	if len(s.clients) == 0 {
-		// Common case (at least on busy servers): nobody
-		// connected (no GUI, etc), so return before
-		// serializing JSON.
-		return
-	}
-
-	if b, ok := marshalNotify(n, s.logf); ok {
-		for c := range s.clients {
-			ipn.WriteMsg(c, b)
-		}
+	for c := range s.clients {
+		ipn.WriteMsg(c, b)
 	}
 }

@@ -683,7 +671,8 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 			errMsg := err.Error()
 			go func() {
 				defer c.Close()
-				bs := ipn.NewBackendServer(logf, nil, jsonNotifier(c, logf))
+				serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+				bs := ipn.NewBackendServer(logf, nil, serverToClient)
 				bs.SendErrorMessage(errMsg)
 				time.Sleep(time.Second)
 			}()
@@ -973,25 +962,3 @@ func peerPid(entries []netstat.Entry, la, ra netaddr.IPPort) int {
 	}
 	return 0
 }
-
-// jsonNotifier returns a notify-writer func that writes ipn.Notify
-// messages to w.
-func jsonNotifier(w io.Writer, logf logger.Logf) func(ipn.Notify) {
-	return func(n ipn.Notify) {
-		if b, ok := marshalNotify(n, logf); ok {
-			ipn.WriteMsg(w, b)
-		}
-	}
-}
-
-func marshalNotify(n ipn.Notify, logf logger.Logf) (b []byte, ok bool) {
-	b, err := json.Marshal(n)
-	if err != nil {
-		logf("ipnserver: [unexpected] error serializing JSON: %v", err)
-		return nil, false
-	}
-	if bytes.Contains(b, jsonEscapedZero) {
-		logf("[unexpected] zero byte in BackendServer.send notify message: %q", b)
-	}
-	return b, true
-}
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -65,7 +65,6 @@ type PeerStatusLite struct {
 }

 type PeerStatus struct {
-	ID        tailcfg.StableNodeID
 	PublicKey key.Public
 	HostName  string // HostInfo's Hostname (not a DNS name or necessarily unique)
 	DNSName   string
@@ -204,9 +203,6 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 		return
 	}

-	if v := st.ID; v != "" {
-		e.ID = v
-	}
 	if v := st.HostName; v != "" {
 		e.HostName = v
 	}
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -100,8 +100,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveBugReport(w, r)
 	case "/localapi/v0/file-targets":
 		h.serveFileTargets(w, r)
-	case "/localapi/v0/set-dns":
-		h.serveSetDNS(w, r)
 	case "/":
 		io.WriteString(w, "tailscaled\n")
 	default:
@@ -384,25 +382,6 @@ func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
 	rp.ServeHTTP(w, outReq)
 }

-func (h *Handler) serveSetDNS(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != "POST" {
-		http.Error(w, "want POST", 400)
-		return
-	}
-	ctx := r.Context()
-	err := h.b.SetDNS(ctx, r.FormValue("name"), r.FormValue("value"))
-	if err != nil {
-		writeErrorJSON(w, err)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(struct{}{})
-}
-
 var dialPeerTransportOnce struct {
 	sync.Once
 	v *http.Transport
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -88,9 +88,9 @@ type Command struct {

 type BackendServer struct {
 	logf          logger.Logf
-	b             Backend      // the Backend we are serving up
-	sendNotifyMsg func(Notify) // send a notification message
-	GotQuit       bool         // a Quit command was received
+	b             Backend              // the Backend we are serving up
+	sendNotifyMsg func(jsonMsg []byte) // send a notification message
+	GotQuit       bool                 // a Quit command was received
 }

 // NewBackendServer creates a new BackendServer using b.
@@ -98,15 +98,13 @@ type BackendServer struct {
 // If sendNotifyMsg is non-nil, it additionally sets the Backend's
 // notification callback to call the func with ipn.Notify messages in
 // JSON form. If nil, it does not change the notification callback.
-func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(Notify)) *BackendServer {
+func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(b []byte)) *BackendServer {
 	bs := &BackendServer{
 		logf:          logf,
 		b:             b,
 		sendNotifyMsg: sendNotifyMsg,
 	}
-	// b may be nil if the BackendServer is being created just to
-	// encapsulate and send an error message.
-	if sendNotifyMsg != nil && b != nil {
+	if sendNotifyMsg != nil {
 		b.SetNotifyCallback(bs.send)
 	}
 	return bs
@@ -117,7 +115,14 @@ func (bs *BackendServer) send(n Notify) {
 		return
 	}
 	n.Version = version.Long
-	bs.sendNotifyMsg(n)
+	b, err := json.Marshal(n)
+	if err != nil {
+		log.Fatalf("Failed json.Marshal(notify): %v\n%#v", err, n)
+	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendServer.send notify message: %q", b)
+	}
+	bs.sendNotifyMsg(b)
 }

 func (bs *BackendServer) SendErrorMessage(msg string) {
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -7,7 +7,6 @@ package ipn
 import (
 	"bytes"
 	"context"
-	"encoding/json"
 	"testing"
 	"time"

@@ -75,11 +74,7 @@ func TestClientServer(t *testing.T) {
 			bc.GotNotifyMsg(b)
 		}
 	}()
-	serverToClient := func(n Notify) {
-		b, err := json.Marshal(n)
-		if err != nil {
-			panic(err.Error())
-		}
+	serverToClient := func(b []byte) {
 		serverToClientCh <- append([]byte{}, b...)
 	}
 	clientToServer := func(b []byte) {
@@ -187,17 +182,3 @@ func TestClientServer(t *testing.T) {
 	})
 	flushUntil(Running)
 }
-
-func TestNilBackend(t *testing.T) {
-	var called *Notify
-	bs := NewBackendServer(t.Logf, nil, func(n Notify) {
-		called = &n
-	})
-	bs.SendErrorMessage("Danger, Will Robinson!")
-	if called == nil {
-		t.Errorf("expect callback to be called, wasn't")
-	}
-	if called.ErrMessage == nil || *called.ErrMessage != "Danger, Will Robinson!" {
-		t.Errorf("callback got wrong error: %v", called.ErrMessage)
-	}
-}
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -15,7 +15,6 @@ import (
 	"net/http"
 	"os"
 	"strconv"
-	"sync/atomic"
 	"time"

 	"tailscale.com/logtail/backoff"
@@ -73,7 +72,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	}
 	l := &Logger{
 		stderr:         cfg.Stderr,
-		stderrLevel:    int64(cfg.StderrLevel),
+		stderrLevel:    cfg.StderrLevel,
 		httpc:          cfg.HTTPC,
 		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
 		lowMem:         cfg.LowMemory,
@@ -104,7 +103,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 // logging facilities and uploading to a log server.
 type Logger struct {
 	stderr         io.Writer
-	stderrLevel    int64 // accessed atomically
+	stderrLevel    int
 	httpc          *http.Client
 	url            string
 	lowMem         bool
@@ -126,8 +125,10 @@ type Logger struct {
 // SetVerbosityLevel controls the verbosity level that should be
 // written to stderr. 0 is the default (not verbose). Levels 1 or higher
 // are increasingly verbose.
+//
+// It should not be changed concurrently with log writes.
 func (l *Logger) SetVerbosityLevel(level int) {
-	atomic.StoreInt64(&l.stderrLevel, int64(level))
+	l.stderrLevel = level
 }

 // SetLinkMonitor sets the optional the link monitor.
@@ -513,7 +514,7 @@ func (l *Logger) Write(buf []byte) (int, error) {
 		return 0, nil
 	}
 	level, buf := parseAndRemoveLogLevel(buf)
-	if l.stderr != nil && l.stderr != ioutil.Discard && int64(level) <= atomic.LoadInt64(&l.stderrLevel) {
+	if l.stderr != nil && l.stderr != ioutil.Discard && level <= l.stderrLevel {
 		if buf[len(buf)-1] == '\n' {
 			l.stderr.Write(buf)
 		} else {
--- a/net/dns/config.go
+++ b/net/dns/config.go
@@ -22,26 +22,27 @@ type Config struct {
 	// for queries that fall within that suffix.
 	// If a query doesn't match any entry in Routes, the
 	// DefaultResolvers are used.
-	// A Routes entry with no resolvers means the route should be
-	// authoritatively answered using the contents of Hosts.
 	Routes map[dnsname.FQDN][]netaddr.IPPort
 	// SearchDomains are DNS suffixes to try when expanding
 	// single-label queries.
 	SearchDomains []dnsname.FQDN
 	// Hosts maps DNS FQDNs to their IPs, which can be a mix of IPv4
 	// and IPv6.
-	// Queries matching entries in Hosts are resolved locally by
-	// 100.100.100.100 without leaving the machine.
-	// Adding an entry to Hosts merely creates the record. If you want
-	// it to resolve, you also need to add appropriate routes to
-	// Routes.
+	// Queries matching entries in Hosts are resolved locally without
+	// recursing off-machine.
 	Hosts map[dnsname.FQDN][]netaddr.IP
+	// AuthoritativeSuffixes is a list of fully-qualified DNS suffixes
+	// for which the in-process Tailscale resolver is authoritative.
+	// Queries for names within AuthoritativeSuffixes can only be
+	// fulfilled by entries in Hosts. Queries with no match in Hosts
+	// return NXDOMAIN.
+	AuthoritativeSuffixes []dnsname.FQDN
 }

 // needsAnyResolvers reports whether c requires a resolver to be set
 // at the OS level.
 func (c Config) needsOSResolver() bool {
-	return c.hasDefaultResolvers() || c.hasRoutes()
+	return c.hasDefaultResolvers() || c.hasRoutes() || c.hasHosts()
 }

 func (c Config) hasRoutes() bool {
@@ -51,7 +52,7 @@ func (c Config) hasRoutes() bool {
 // hasDefaultResolversOnly reports whether the only resolvers in c are
 // DefaultResolvers.
 func (c Config) hasDefaultResolversOnly() bool {
-	return c.hasDefaultResolvers() && !c.hasRoutes()
+	return c.hasDefaultResolvers() && !c.hasRoutes() && !c.hasHosts()
 }

 func (c Config) hasDefaultResolvers() bool {
@@ -62,28 +63,44 @@ func (c Config) hasDefaultResolvers() bool {
 // routes use the same resolvers, or nil if multiple sets of resolvers
 // are specified.
 func (c Config) singleResolverSet() []netaddr.IPPort {
-	var (
-		prev            []netaddr.IPPort
-		prevInitialized bool
-	)
+	var first []netaddr.IPPort
 	for _, resolvers := range c.Routes {
-		if !prevInitialized {
-			prev = resolvers
-			prevInitialized = true
+		if first == nil {
+			first = resolvers
 			continue
 		}
-		if !sameIPPorts(prev, resolvers) {
+		if !sameIPPorts(first, resolvers) {
 			return nil
 		}
 	}
-	return prev
+	return first
 }

-// matchDomains returns the list of match suffixes needed by Routes.
+// hasHosts reports whether c requires resolution of MagicDNS hosts or
+// domains.
+func (c Config) hasHosts() bool {
+	return len(c.Hosts) > 0 || len(c.AuthoritativeSuffixes) > 0
+}
+
+// matchDomains returns the list of match suffixes needed by Routes,
+// AuthoritativeSuffixes. Hosts is not considered as we assume that
+// they're covered by AuthoritativeSuffixes for now.
 func (c Config) matchDomains() []dnsname.FQDN {
-	ret := make([]dnsname.FQDN, 0, len(c.Routes))
-	for suffix := range c.Routes {
+	ret := make([]dnsname.FQDN, 0, len(c.Routes)+len(c.AuthoritativeSuffixes))
+	seen := map[dnsname.FQDN]bool{}
+	for _, suffix := range c.AuthoritativeSuffixes {
+		if seen[suffix] {
+			continue
+		}
 		ret = append(ret, suffix)
+		seen[suffix] = true
+	}
+	for suffix := range c.Routes {
+		if seen[suffix] {
+			continue
+		}
+		ret = append(ret, suffix)
+		seen[suffix] = true
 	}
 	sort.Slice(ret, func(i, j int) bool {
 		return ret[i].WithTrailingDot() < ret[j].WithTrailingDot()
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -6,6 +6,7 @@ package dns

 import (
 	"runtime"
+	"strings"
 	"time"

 	"inet.af/netaddr"
@@ -74,40 +75,40 @@ func (m *Manager) Set(cfg Config) error {

 // compileConfig converts cfg into a quad-100 resolver configuration
 // and an OS-level configuration.
-func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig, err error) {
-	// The internal resolver always gets MagicDNS hosts and
-	// authoritative suffixes, even if we don't propagate MagicDNS to
-	// the OS.
-	rcfg.Hosts = cfg.Hosts
-	routes := map[dnsname.FQDN][]netaddr.IPPort{} // assigned conditionally to rcfg.Routes below.
-	for suffix, resolvers := range cfg.Routes {
-		if len(resolvers) == 0 {
-			rcfg.LocalDomains = append(rcfg.LocalDomains, suffix)
-		} else {
-			routes[suffix] = resolvers
-		}
-	}
-	// Similarly, the OS always gets search paths.
-	ocfg.SearchDomains = cfg.SearchDomains
-
+func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	// Deal with trivial configs first.
 	switch {
 	case !cfg.needsOSResolver():
 		// Set search domains, but nothing else. This also covers the
 		// case where cfg is entirely zero, in which case these
 		// configs clear all Tailscale DNS settings.
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			SearchDomains: cfg.SearchDomains,
+		}, nil
 	case cfg.hasDefaultResolversOnly():
 		// Trivial CorpDNS configuration, just override the OS
 		// resolver.
-		ocfg.Nameservers = toIPsOnly(cfg.DefaultResolvers)
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			Nameservers:   toIPsOnly(cfg.DefaultResolvers),
+			SearchDomains: cfg.SearchDomains,
+		}, nil
 	case cfg.hasDefaultResolvers():
 		// Default resolvers plus other stuff always ends up proxying
 		// through quad-100.
-		rcfg.Routes = routes
-		rcfg.Routes["."] = cfg.DefaultResolvers
-		ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+		rcfg := resolver.Config{
+			Routes: map[dnsname.FQDN][]netaddr.IPPort{
+				".": cfg.DefaultResolvers,
+			},
+			Hosts:        cfg.Hosts,
+			LocalDomains: cfg.AuthoritativeSuffixes,
+		}
+		for suffix, resolvers := range cfg.Routes {
+			rcfg.Routes[suffix] = resolvers
+		}
+		ocfg := OSConfig{
+			Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
+			SearchDomains: cfg.SearchDomains,
+		}
 		return rcfg, ocfg, nil
 	}

@@ -115,6 +116,8 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// configurations. The possible cases don't return directly any
 	// more, because as a final step we have to handle the case where
 	// the OS can't do split DNS.
+	var rcfg resolver.Config
+	var ocfg OSConfig

 	// Workaround for
 	// https://github.com/tailscale/corp/issues/1662. Even though
@@ -132,19 +135,35 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// This bool is used in a couple of places below to implement this
 	// workaround.
 	isWindows := runtime.GOOS == "windows"
-	if cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
+
+	// The windows check is for
+	// . See also below
+	// for further routing workarounds there.
+	if !cfg.hasHosts() && cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
 		// Split DNS configuration requested, where all split domains
 		// go to the same resolvers. We can let the OS do it.
-		ocfg.Nameservers = toIPsOnly(cfg.singleResolverSet())
-		ocfg.MatchDomains = cfg.matchDomains()
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			Nameservers:   toIPsOnly(cfg.singleResolverSet()),
+			SearchDomains: cfg.SearchDomains,
+			MatchDomains:  cfg.matchDomains(),
+		}, nil
 	}

 	// Split DNS configuration with either multiple upstream routes,
 	// or routes + MagicDNS, or just MagicDNS, or on an OS that cannot
 	// split-DNS. Install a split config pointing at quad-100.
-	rcfg.Routes = routes
-	ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+	rcfg = resolver.Config{
+		Hosts:        cfg.Hosts,
+		LocalDomains: cfg.AuthoritativeSuffixes,
+		Routes:       map[dnsname.FQDN][]netaddr.IPPort{},
+	}
+	for suffix, resolvers := range cfg.Routes {
+		rcfg.Routes[suffix] = resolvers
+	}
+	ocfg = OSConfig{
+		Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
+		SearchDomains: cfg.SearchDomains,
+	}

 	// If the OS can't do native split-dns, read out the underlying
 	// resolver config and blend it into our config.
@@ -154,7 +173,28 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	if !m.os.SupportsSplitDNS() || isWindows {
 		bcfg, err := m.os.GetBaseConfig()
 		if err != nil {
-			return resolver.Config{}, OSConfig{}, err
+			// Temporary hack to make OSes where split-DNS isn't fully
+			// implemented yet not completely crap out, but instead
+			// fall back to quad-9 as a hardcoded "backup resolver".
+			//
+			// This codepath currently only triggers when opted into
+			// the split-DNS feature server side, and when at least
+			// one search domain is something within tailscale.com, so
+			// we don't accidentally leak unstable user DNS queries to
+			// quad-9 if we accidentally go down this codepath.
+			canUseHack := false
+			for _, dom := range cfg.SearchDomains {
+				if strings.HasSuffix(dom.WithoutTrailingDot(), ".tailscale.com") {
+					canUseHack = true
+					break
+				}
+			}
+			if !canUseHack {
+				return resolver.Config{}, OSConfig{}, err
+			}
+			bcfg = OSConfig{
+				Nameservers: []netaddr.IP{netaddr.IPv4(9, 9, 9, 9)},
+			}
 		}
 		rcfg.Routes["."] = toIPPorts(bcfg.Nameservers)
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
@@ -171,7 +211,7 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 func toIPsOnly(ipps []netaddr.IPPort) (ret []netaddr.IP) {
 	ret = make([]netaddr.IP, 0, len(ipps))
 	for _, ipp := range ipps {
-		ret = append(ret, ipp.IP())
+		ret = append(ret, ipp.IP)
 	}
 	return ret
 }
@@ -179,7 +219,7 @@ func toIPsOnly(ipps []netaddr.IPPort) (ret []netaddr.IP) {
 func toIPPorts(ips []netaddr.IP) (ret []netaddr.IPPort) {
 	ret = make([]netaddr.IPPort, 0, len(ips))
 	for _, ip := range ips {
-		ret = append(ret, netaddr.IPPortFrom(ip, 53))
+		ret = append(ret, netaddr.IPPort{IP: ip, Port: 53})
 	}
 	return ret
 }
--- a/net/dns/manager_linux.go
+++ b/net/dns/manager_linux.go
@@ -57,12 +57,12 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		}
 		if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err != nil {
 			dbg("nm", "no")
-			return newResolvedManager(logf, interfaceName)
+			return newResolvedManager(logf)
 		}
 		dbg("nm", "yes")
 		if err := nmIsUsingResolved(); err != nil {
 			dbg("nm-resolved", "no")
-			return newResolvedManager(logf, interfaceName)
+			return newResolvedManager(logf)
 		}
 		dbg("nm-resolved", "yes")

@@ -90,7 +90,7 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 			return newNMManager(interfaceName)
 		}
 		dbg("nm-old", "no")
-		return newResolvedManager(logf, interfaceName)
+		return newResolvedManager(logf)
 	case "resolvconf":
 		dbg("rc", "resolvconf")
 		if err := resolvconfSourceIsNM(bs); err == nil {
--- a/net/dns/manager_test.go
+++ b/net/dns/manager_test.go
@@ -76,20 +76,6 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 		},
-		{
-			// Regression test for https://github.com/tailscale/tailscale/issues/1886
-			name: "hosts-only",
-			in: Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-			},
-			rs: resolver.Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-			},
-		},
 		{
 			name: "corp",
 			in: Config{
@@ -118,10 +104,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			os: OSConfig{
 				Nameservers:   mustIPs("100.100.100.100"),
@@ -140,10 +126,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			split: true,
 			os: OSConfig{
@@ -275,8 +261,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				Routes:        upstreams("ts.com", ""),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -300,8 +286,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				Routes:        upstreams("ts.com", ""),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -319,11 +305,12 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53", "ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -346,13 +333,12 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic-split",
 			in: Config{
-				Routes: upstreams(
-					"corp.com", "2.2.2.2:53",
-					"ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -382,12 +368,11 @@ func TestManager(t *testing.T) {
 			if err := m.Set(test.in); err != nil {
 				t.Fatalf("m.Set: %v", err)
 			}
-			trIP := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
-			trIPPort := cmp.Transformer("ippStr", func(ipp netaddr.IPPort) string { return ipp.String() })
-			if diff := cmp.Diff(f.OSConfig, test.os, trIP, trIPPort, cmpopts.EquateEmpty()); diff != "" {
+			tr := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
+			if diff := cmp.Diff(f.OSConfig, test.os, tr, cmpopts.EquateEmpty()); diff != "" {
 				t.Errorf("wrong OSConfig (-got+want)\n%s", diff)
 			}
-			if diff := cmp.Diff(f.ResolverConfig, test.rs, trIP, trIPPort, cmpopts.EquateEmpty()); diff != "" {
+			if diff := cmp.Diff(f.ResolverConfig, test.rs, tr, cmpopts.EquateEmpty()); diff != "" {
 				t.Errorf("wrong resolver.Config (-got+want)\n%s", diff)
 			}
 		})
@@ -443,12 +428,7 @@ func upstreams(strs ...string) (ret map[dnsname.FQDN][]netaddr.IPPort) {
 	var key dnsname.FQDN
 	ret = map[dnsname.FQDN][]netaddr.IPPort{}
 	for _, s := range strs {
-		if s == "" {
-			if key == "" {
-				panic("IPPort provided before suffix")
-			}
-			ret[key] = nil
-		} else if ipp, err := netaddr.ParseIPPort(s); err == nil {
+		if ipp, err := netaddr.ParseIPPort(s); err == nil {
 			if key == "" {
 				panic("IPPort provided before suffix")
 			}
--- a/net/dns/nm.go
+++ b/net/dns/nm.go
@@ -175,12 +175,9 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 		search = append(search, "~.")
 	}

-	// Ideally we would like to disable LLMNR and mdns on the
-	// interface here, but older NetworkManagers don't understand
-	// those settings and choke on them, so we don't. Both LLMNR and
-	// mdns will fail since tailscale0 doesn't do multicast, so it's
-	// effectively fine. We used to try and enforce LLMNR and mdns
-	// settings here, but that led to #1870.
+	general := settings["connection"]
+	general["llmnr"] = dbus.MakeVariant(0)
+	general["mdns"] = dbus.MakeVariant(0)

 	ipv4Map := settings["ipv4"]
 	ipv4Map["dns"] = dbus.MakeVariant(dnsv4)
@@ -250,7 +247,7 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 	}

 	if call := device.CallWithContext(ctx, "org.freedesktop.NetworkManager.Device.Reapply", 0, settings, version, uint32(0)); call.Err != nil {
-		return fmt.Errorf("reapply: %w", call.Err)
+		return fmt.Errorf("reapply: %w", err)
 	}

 	return nil
--- a/net/dns/resolved.go
+++ b/net/dns/resolved.go
@@ -12,11 +12,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net"

 	"github.com/godbus/dbus/v5"
 	"golang.org/x/sys/unix"
 	"inet.af/netaddr"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
 )
@@ -85,24 +85,17 @@ func isResolvedActive() bool {
 // resolvedManager uses the systemd-resolved DBus API.
 type resolvedManager struct {
 	logf     logger.Logf
-	ifidx    int
 	resolved dbus.BusObject
 }

-func newResolvedManager(logf logger.Logf, interfaceName string) (*resolvedManager, error) {
+func newResolvedManager(logf logger.Logf) (*resolvedManager, error) {
 	conn, err := dbus.SystemBus()
 	if err != nil {
 		return nil, err
 	}

-	iface, err := net.InterfaceByName(interfaceName)
-	if err != nil {
-		return nil, err
-	}
-
 	return &resolvedManager{
 		logf:     logf,
-		ifidx:    iface.Index,
 		resolved: conn.Object("org.freedesktop.resolve1", dbus.ObjectPath("/org/freedesktop/resolve1")),
 	}, nil
 }
@@ -112,6 +105,16 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
 	defer cancel()

+	// In principle, we could persist this in the manager struct
+	// if we knew that interface indices are persistent. This does not seem to be the case.
+	_, iface, err := interfaces.Tailscale()
+	if err != nil {
+		return fmt.Errorf("getting interface index: %w", err)
+	}
+	if iface == nil {
+		return errNotReady
+	}
+
 	var linkNameservers = make([]resolvedLinkNameserver, len(config.Nameservers))
 	for i, server := range config.Nameservers {
 		ip := server.As16()
@@ -128,9 +131,9 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {
 		}
 	}

-	err := m.resolved.CallWithContext(
+	err = m.resolved.CallWithContext(
 		ctx, "org.freedesktop.resolve1.Manager.SetLinkDNS", 0,
-		m.ifidx, linkNameservers,
+		iface.Index, linkNameservers,
 	).Store()
 	if err != nil {
 		return fmt.Errorf("setLinkDNS: %w", err)
@@ -171,13 +174,13 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {

 	err = m.resolved.CallWithContext(
 		ctx, "org.freedesktop.resolve1.Manager.SetLinkDomains", 0,
-		m.ifidx, linkDomains,
+		iface.Index, linkDomains,
 	).Store()
 	if err != nil {
 		return fmt.Errorf("setLinkDomains: %w", err)
 	}

-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDefaultRoute", 0, m.ifidx, len(config.MatchDomains) == 0); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDefaultRoute", 0, iface.Index, len(config.MatchDomains) == 0); call.Err != nil {
 		return fmt.Errorf("setLinkDefaultRoute: %w", err)
 	}

@@ -186,22 +189,22 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {
 	// or something).

 	// Disable LLMNR, we don't do multicast.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkLLMNR", 0, m.ifidx, "no"); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkLLMNR", 0, iface.Index, "no"); call.Err != nil {
 		m.logf("[v1] failed to disable LLMNR: %v", call.Err)
 	}

 	// Disable mdns.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkMulticastDNS", 0, m.ifidx, "no"); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkMulticastDNS", 0, iface.Index, "no"); call.Err != nil {
 		m.logf("[v1] failed to disable mdns: %v", call.Err)
 	}

 	// We don't support dnssec consistently right now, force it off to
 	// avoid partial failures when we split DNS internally.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSSEC", 0, m.ifidx, "no"); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSSEC", 0, iface.Index, "no"); call.Err != nil {
 		m.logf("[v1] failed to disable DNSSEC: %v", call.Err)
 	}

-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSOverTLS", 0, m.ifidx, "no"); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSOverTLS", 0, iface.Index, "no"); call.Err != nil {
 		m.logf("[v1] failed to disable DoT: %v", call.Err)
 	}

@@ -224,7 +227,15 @@ func (m *resolvedManager) Close() error {
 	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
 	defer cancel()

-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.RevertLink", 0, m.ifidx); call.Err != nil {
+	_, iface, err := interfaces.Tailscale()
+	if err != nil {
+		return fmt.Errorf("getting interface index: %w", err)
+	}
+	if iface == nil {
+		return errNotReady
+	}
+
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.RevertLink", 0, iface.Index); call.Err != nil {
 		return fmt.Errorf("RevertLink: %w", call.Err)
 	}

--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -14,7 +14,6 @@ import (
 	"math/rand"
 	"net"
 	"sync"
-	"syscall"
 	"time"

 	dns "golang.org/x/net/dns/dnsmessage"
@@ -194,14 +193,8 @@ func (f *forwarder) recv(conn *fwdConn) {
 			return
 		default:
 		}
-		// The 1 extra byte is to detect packet truncation.
-		out := make([]byte, maxResponseBytes+1)
+		out := make([]byte, maxResponseBytes)
 		n := conn.read(out)
-		var truncated bool
-		if n > maxResponseBytes {
-			n = maxResponseBytes
-			truncated = true
-		}
 		if n == 0 {
 			continue
 		}
@@ -212,19 +205,6 @@ func (f *forwarder) recv(conn *fwdConn) {
 		out = out[:n]
 		txid := getTxID(out)

-		if truncated {
-			const dnsFlagTruncated = 0x200
-			flags := binary.BigEndian.Uint16(out[2:4])
-			flags |= dnsFlagTruncated
-			binary.BigEndian.PutUint16(out[2:4], flags)
-
-			// TODO(#2067): Remove any incomplete records? RFC 1035 section 6.2
-			// states that truncation should head drop so that the authority
-			// section can be preserved if possible. However, the UDP read with
-			// a too-small buffer has already dropped the end, so that's the
-			// best we can do.
-		}
-
 		f.mu.Lock()

 		record, found := f.txMap[txid]
@@ -306,8 +286,6 @@ func (f *forwarder) forward(query packet) error {
 	}
 	f.mu.Unlock()

-	// TODO(#2066): EDNS size clamping
-
 	for _, resolver := range resolvers {
 		f.send(query.bs, resolver)
 	}
@@ -393,12 +371,6 @@ func (c *fwdConn) send(packet []byte, dst netaddr.IPPort) {
 			backOff(err)
 			continue
 		}
-		if errors.Is(err, syscall.EHOSTUNREACH) {
-			// "No route to host." The network stack is fine, but
-			// can't talk to this destination. Not much we can do
-			// about that, don't spam logs.
-			return
-		}
 		if networkIsDown(err) {
 			// Fail.
 			c.logf("send: network is down")
@@ -450,7 +422,7 @@ func (c *fwdConn) read(out []byte) int {
 		c.mu.Unlock()

 		n, _, err := conn.ReadFrom(out)
-		if err == nil || packetWasTruncated(err) {
+		if err == nil {
 			// Success.
 			return n
 		}
--- a/net/dns/resolver/neterr_darwin.go
+++ b/net/dns/resolver/neterr_darwin.go
@@ -23,8 +23,3 @@ func networkIsDown(err error) bool {
 func networkIsUnreachable(err error) bool {
 	return errors.Is(err, networkUnreachable)
 }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. It always returns false on this
-// platform.
-func packetWasTruncated(err error) bool { return false }
--- a/net/dns/resolver/neterr_other.go
+++ b/net/dns/resolver/neterr_other.go
@@ -8,8 +8,3 @@ package resolver

 func networkIsDown(err error) bool        { return false }
 func networkIsUnreachable(err error) bool { return false }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. It always returns false on this
-// platform.
-func packetWasTruncated(err error) bool   { return false }
--- a/net/dns/resolver/neterr_windows.go
+++ b/net/dns/resolver/neterr_windows.go
@@ -5,7 +5,6 @@
 package resolver

 import (
-	"errors"
 	"net"
 	"os"

@@ -28,16 +27,3 @@ func networkIsUnreachable(err error) bool {
 	// difference between down and unreachable? Add comments.
 	return false
 }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. On Windows, Go's UDP RecvFrom
-// calls WSARecvFrom which returns the WSAEMSGSIZE error code when the received
-// datagram is larger than the provided buffer. When that happens, both a valid
-// size and an error are returned (as per the partial fix for golang/go#14074).
-// If the WSAEMSGSIZE error is returned, then we ignore the error to get
-// semantics similar to the POSIX operating systems. One caveat is that it
-// appears that the source address is not returned when WSAEMSGSIZE occurs, but
-// we do not currently look at the source address.
-func packetWasTruncated(err error) bool {
-	return errors.Is(err, windows.WSAEMSGSIZE)
-}
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -22,10 +22,8 @@ import (
 	"tailscale.com/wgengine/monitor"
 )

-// maxResponseBytes is the maximum size of a response from a Resolver. The
-// actual buffer size will be one larger than this so that we can detect
-// truncation in a platform-agnostic way.
-const maxResponseBytes = 4095
+// maxResponseBytes is the maximum size of a response from a Resolver.
+const maxResponseBytes = 512

 // queueSize is the maximal number of DNS requests that can await polling.
 // If EnqueueRequest is called when this many requests are already pending,
--- a/net/dns/resolver/tsdns_server_test.go
+++ b/net/dns/resolver/tsdns_server_test.go
@@ -66,39 +66,6 @@ func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	}
 }

-// resolveToTXT returns a handler function which responds to queries of type TXT
-// it receives with the strings in txts.
-func resolveToTXT(txts []string) dns.HandlerFunc {
-	return func(w dns.ResponseWriter, req *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(req)
-
-		if len(req.Question) != 1 {
-			panic("not a single-question request")
-		}
-		question := req.Question[0]
-
-		if question.Qtype != dns.TypeTXT {
-			w.WriteMsg(m)
-			return
-		}
-
-		ans := &dns.TXT{
-			Hdr: dns.RR_Header{
-				Name:   question.Name,
-				Rrtype: dns.TypeTXT,
-				Class:  dns.ClassINET,
-			},
-			Txt: txts,
-		}
-
-		m.Answer = append(m.Answer, ans)
-		if err := w.WriteMsg(m); err != nil {
-			panic(err)
-		}
-	}
-}
-
 var resolveToNXDOMAIN = dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
 	m := new(dns.Msg)
 	m.SetRcode(req, dns.RcodeNameError)
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -6,9 +6,7 @@ package resolver

 import (
 	"bytes"
-	"encoding/hex"
 	"errors"
-	"math/rand"
 	"net"
 	"testing"

@@ -46,11 +44,9 @@ func dnspacket(domain dnsname.FQDN, tp dns.Type) []byte {
 }

 type dnsResponse struct {
-	ip        netaddr.IP
-	txt       []string
-	name      dnsname.FQDN
-	rcode     dns.RCode
-	truncated bool
+	ip    netaddr.IP
+	name  dnsname.FQDN
+	rcode dns.RCode
 }

 func unpackResponse(payload []byte) (dnsResponse, error) {
@@ -71,16 +67,6 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 		return response, nil
 	}

-	response.truncated = h.Truncated
-	if response.truncated {
-		// TODO(#2067): Ideally, answer processing should still succeed when
-		// dealing with a truncated message, but currently when we truncate
-		// a packet, it's caused by the buffer being too small and usually that
-		// means the data runs out mid-record. dns.Parser does not like it when
-		// that happens. We can improve this by trimming off incomplete records.
-		return response, nil
-	}
-
 	err = parser.SkipAllQuestions()
 	if err != nil {
 		return response, err
@@ -104,12 +90,6 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 			return response, err
 		}
 		response.ip = netaddr.IPv6Raw(res.AAAA)
-	case dns.TypeTXT:
-		res, err := parser.TXTResource()
-		if err != nil {
-			return response, err
-		}
-		response.txt = res.TXT
 	case dns.TypeNS:
 		res, err := parser.NSResource()
 		if err != nil {
@@ -289,32 +269,6 @@ func ipv6Works() bool {
 	return true
 }

-func generateTXT(size int, source rand.Source) []string {
-	const sizePerTXT = 120
-
-	if size%2 != 0 {
-		panic("even lengths only")
-	}
-
-	rng := rand.New(source)
-
-	txts := make([]string, 0, size/sizePerTXT+1)
-
-	raw := make([]byte, sizePerTXT/2)
-
-	rem := size
-	for ; rem > sizePerTXT; rem -= sizePerTXT {
-		rng.Read(raw)
-		txts = append(txts, hex.EncodeToString(raw))
-	}
-	if rem > 0 {
-		rng.Read(raw[:rem/2])
-		txts = append(txts, hex.EncodeToString(raw[:rem/2]))
-	}
-
-	return txts
-}
-
 func TestDelegate(t *testing.T) {
 	tstest.ResourceCheck(t)

@@ -322,43 +276,13 @@ func TestDelegate(t *testing.T) {
 		t.Skip("skipping test that requires localhost IPv6")
 	}

-	randSource := rand.NewSource(4)
-
-	// smallTXT does not require EDNS
-	smallTXT := generateTXT(300, randSource)
-
-	// medTXT and largeTXT are responses that require EDNS but we would like to
-	// support these sizes of response without truncation because they are
-	// moderately common.
-	medTXT := generateTXT(1200, randSource)
-	largeTXT := generateTXT(4000, randSource)
-
-	// xlargeTXT is slightly above the maximum response size that we support,
-	// so there should be truncation.
-	xlargeTXT := generateTXT(5000, randSource)
-
-	// hugeTXT is significantly larger than any typical MTU and will require
-	// significant fragmentation. For buffer management reasons, we do not
-	// intend to handle responses this large, so there should be truncation.
-	hugeTXT := generateTXT(64000, randSource)
-
 	v4server := serveDNS(t, "127.0.0.1:0",
 		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN,
-		"small.txt.", resolveToTXT(smallTXT),
-		"med.txt.", resolveToTXT(medTXT),
-		"large.txt.", resolveToTXT(largeTXT),
-		"xlarge.txt.", resolveToTXT(xlargeTXT),
-		"huge.txt.", resolveToTXT(hugeTXT))
+		"nxdomain.site.", resolveToNXDOMAIN)
 	defer v4server.Shutdown()
 	v6server := serveDNS(t, "[::1]:0",
 		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN,
-		"small.txt.", resolveToTXT(smallTXT),
-		"med.txt.", resolveToTXT(medTXT),
-		"large.txt.", resolveToTXT(largeTXT),
-		"xlarge.txt.", resolveToTXT(xlargeTXT),
-		"huge.txt.", resolveToTXT(hugeTXT))
+		"nxdomain.site.", resolveToNXDOMAIN)
 	defer v6server.Shutdown()

 	r := New(t.Logf, nil)
@@ -398,31 +322,6 @@ func TestDelegate(t *testing.T) {
 			dnspacket("nxdomain.site.", dns.TypeA),
 			dnsResponse{rcode: dns.RCodeNameError},
 		},
-		{
-			"smalltxt",
-			dnspacket("small.txt.", dns.TypeTXT),
-			dnsResponse{txt: smallTXT, rcode: dns.RCodeSuccess},
-		},
-		{
-			"medtxt",
-			dnspacket("med.txt.", dns.TypeTXT),
-			dnsResponse{txt: medTXT, rcode: dns.RCodeSuccess},
-		},
-		{
-			"largetxt",
-			dnspacket("large.txt.", dns.TypeTXT),
-			dnsResponse{txt: largeTXT, rcode: dns.RCodeSuccess},
-		},
-		{
-			"xlargetxt",
-			dnspacket("xlarge.txt.", dns.TypeTXT),
-			dnsResponse{rcode: dns.RCodeSuccess, truncated: true},
-		},
-		{
-			"hugetxt",
-			dnspacket("huge.txt.", dns.TypeTXT),
-			dnsResponse{rcode: dns.RCodeSuccess, truncated: true},
-		},
 	}

 	for _, tt := range tests {
@@ -446,15 +345,6 @@ func TestDelegate(t *testing.T) {
 			if response.name != tt.response.name {
 				t.Errorf("name = %v; want %v", response.name, tt.response.name)
 			}
-			if len(response.txt) != len(tt.response.txt) {
-				t.Errorf("%v txt records, want %v txt records", len(response.txt), len(tt.response.txt))
-			} else {
-				for i := range response.txt {
-					if response.txt[i] != tt.response.txt[i] {
-						t.Errorf("txt record %v is %s, want %s", i, response.txt[i], tt.response.txt[i])
-					}
-				}
-			}
 		})
 	}
 }
@@ -543,8 +433,8 @@ func TestDelegateCollision(t *testing.T) {
 		qtype dns.Type
 		addr  netaddr.IPPort
 	}{
-		{"test.site.", dns.TypeA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1001)},
-		{"test.site.", dns.TypeAAAA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1002)},
+		{"test.site.", dns.TypeA, netaddr.IPPort{IP: netaddr.IPv4(1, 1, 1, 1), Port: 1001}},
+		{"test.site.", dns.TypeAAAA, netaddr.IPPort{IP: netaddr.IPv4(1, 1, 1, 1), Port: 1002}},
 	}

 	// packets will have the same dns txid.
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -195,7 +195,7 @@ func ForeachInterface(fn func(Interface, []netaddr.IPPrefix)) error {
 			}
 		}
 		sort.Slice(pfxs, func(i, j int) bool {
-			return pfxs[i].IP().Less(pfxs[j].IP())
+			return pfxs[i].IP.Less(pfxs[j].IP)
 		})
 		fn(Interface{iface}, pfxs)
 	}
@@ -264,7 +264,7 @@ func (s *State) String() string {
 			fmt.Fprintf(&sb, "%s:[", ifName)
 			needSpace := false
 			for _, pfx := range s.InterfaceIPs[ifName] {
-				if !isInterestingIP(pfx.IP()) {
+				if !isInterestingIP(pfx.IP) {
 					continue
 				}
 				if needSpace {
@@ -367,7 +367,7 @@ func (s *State) AnyInterfaceUp() bool {

 func hasTailscaleIP(pfxs []netaddr.IPPrefix) bool {
 	for _, pfx := range pfxs {
-		if tsaddr.IsTailscaleIP(pfx.IP()) {
+		if tsaddr.IsTailscaleIP(pfx.IP) {
 			return true
 		}
 	}
@@ -407,11 +407,11 @@ func GetState() (*State, error) {
 			return
 		}
 		for _, pfx := range pfxs {
-			if pfx.IP().IsLoopback() || pfx.IP().IsLinkLocalUnicast() {
+			if pfx.IP.IsLoopback() || pfx.IP.IsLinkLocalUnicast() {
 				continue
 			}
-			s.HaveV6Global = s.HaveV6Global || isGlobalV6(pfx.IP())
-			s.HaveV4 = s.HaveV4 || pfx.IP().Is4()
+			s.HaveV6Global = s.HaveV6Global || isGlobalV6(pfx.IP)
+			s.HaveV4 = s.HaveV4 || pfx.IP.Is4()
 		}
 	}); err != nil {
 		return nil, err
@@ -447,7 +447,7 @@ func HTTPOfListener(ln net.Listener) string {
 	var goodIP string
 	var privateIP string
 	ForeachInterfaceAddress(func(i Interface, pfx netaddr.IPPrefix) {
-		ip := pfx.IP()
+		ip := pfx.IP
 		if isPrivateIP(ip) {
 			if privateIP == "" {
 				privateIP = ip.String()
@@ -484,7 +484,7 @@ func LikelyHomeRouterIP() (gateway, myIP netaddr.IP, ok bool) {
 		return
 	}
 	ForeachInterfaceAddress(func(i Interface, pfx netaddr.IPPrefix) {
-		ip := pfx.IP()
+		ip := pfx.IP
 		if !i.IsUp() || ip.IsZero() || !myIP.IsZero() {
 			return
 		}
@@ -528,7 +528,7 @@ var (
 // isInterestingIP.
 func anyInterestingIP(pfxs []netaddr.IPPrefix) bool {
 	for _, pfx := range pfxs {
-		if isInterestingIP(pfx.IP()) {
+		if isInterestingIP(pfx.IP) {
 			return true
 		}
 	}
--- a/net/interfaces/interfaces_darwin.go
+++ b/net/interfaces/interfaces_darwin.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"net"
 	"syscall"
+	"time"

 	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"
@@ -28,9 +29,32 @@ func DefaultRouteInterface() (string, error) {
 	return iface.Name, nil
 }

-// fetchRoutingTable calls route.FetchRIB, fetching NET_RT_DUMP2.
+// fetchRoutingTable is a retry loop around route.FetchRIB, fetching NET_RT_DUMP2.
+//
+// The retry loop is due to a bug in the BSDs (or Go?). See
+// https://github.com/tailscale/tailscale/issues/1345
 func fetchRoutingTable() (rib []byte, err error) {
-	return route.FetchRIB(syscall.AF_UNSPEC, syscall.NET_RT_DUMP2, 0)
+	fails := 0
+	for {
+		rib, err := route.FetchRIB(syscall.AF_UNSPEC, syscall.NET_RT_DUMP2, 0)
+		if err == nil {
+			return rib, nil
+		}
+		fails++
+		if fails < 10 {
+			// Empirically, 1 retry is enough. In a long
+			// stress test while toggling wifi on & off, I
+			// only saw a few occurrences of 2 and one 3.
+			// So 10 should be more plenty.
+			if fails > 5 {
+				time.Sleep(5 * time.Millisecond)
+			}
+			continue
+		}
+		if err != nil {
+			return nil, fmt.Errorf("route.FetchRIB: %w", err)
+		}
+	}
 }

 func DefaultRouteInterfaceIndex() (int, error) {
--- a/net/interfaces/interfaces_default_route_test.go
+++ b/net/interfaces/interfaces_default_route_test.go
@@ -2,11 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build linux darwin,!ts_macext
+// +build linux,!redo

 package interfaces

 import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"testing"
 )

@@ -19,3 +23,64 @@ func TestDefaultRouteInterface(t *testing.T) {
 	}
 	t.Logf("got %q", v)
 }
+
+// test the specific /proc/net/route path as found on Google Cloud Run instances
+func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
+	dir := t.TempDir()
+	savedProcNetRoutePath := procNetRoutePath
+	defer func() { procNetRoutePath = savedProcNetRoutePath }()
+	procNetRoutePath = filepath.Join(dir, "CloudRun")
+	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
+		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
+		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
+	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	got, err := DefaultRouteInterface()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if got != "eth1" {
+		t.Fatalf("got %s, want eth1", got)
+	}
+}
+
+// we read chunks of /proc/net/route at a time, test that files longer than the chunk
+// size can be handled.
+func TestExtremelyLongProcNetRoute(t *testing.T) {
+	dir := t.TempDir()
+	savedProcNetRoutePath := procNetRoutePath
+	defer func() { procNetRoutePath = savedProcNetRoutePath }()
+	procNetRoutePath = filepath.Join(dir, "VeryLong")
+	f, err := os.Create(procNetRoutePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for n := 0; n <= 1000; n++ {
+		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
+		_, err := f.Write([]byte(line))
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	got, err := DefaultRouteInterface()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if got != "tokenring1" {
+		t.Fatalf("got %q, want tokenring1", got)
+	}
+}
--- a/net/interfaces/interfaces_linux_test.go
+++ b/net/interfaces/interfaces_linux_test.go
@@ -4,74 +4,7 @@

 package interfaces

-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// test the specific /proc/net/route path as found on Google Cloud Run instances
-func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "CloudRun")
-	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
-		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
-		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
-	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "eth1" {
-		t.Fatalf("got %s, want eth1", got)
-	}
-}
-
-// we read chunks of /proc/net/route at a time, test that files longer than the chunk
-// size can be handled.
-func TestExtremelyLongProcNetRoute(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "VeryLong")
-	f, err := os.Create(procNetRoutePath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for n := 0; n <= 1000; n++ {
-		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
-		_, err := f.Write([]byte(line))
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "tokenring1" {
-		t.Fatalf("got %q, want tokenring1", got)
-	}
-}
+import "testing"

 func BenchmarkDefaultRouteInterface(b *testing.B) {
 	b.ReportAllocs()
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -625,7 +625,7 @@ func (rs *reportState) stopTimers() {
 func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort, d time.Duration) {
 	var ipPortStr string
 	if ipp != (netaddr.IPPort{}) {
-		ipPortStr = net.JoinHostPort(ipp.IP().String(), fmt.Sprint(ipp.Port()))
+		ipPortStr = net.JoinHostPort(ipp.IP.String(), fmt.Sprint(ipp.Port))
 	}

 	rs.mu.Lock()
@@ -650,13 +650,13 @@ func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort
 	}

 	switch {
-	case ipp.IP().Is6():
+	case ipp.IP.Is6():
 		updateLatency(ret.RegionV6Latency, node.RegionID, d)
 		ret.IPv6 = true
 		ret.GlobalV6 = ipPortStr
 		// TODO: track MappingVariesByDestIP for IPv6
 		// too? Would be sad if so, but who knows.
-	case ipp.IP().Is4():
+	case ipp.IP.Is4():
 		updateLatency(ret.RegionV4Latency, node.RegionID, d)
 		ret.IPv4 = true
 		if rs.gotEP4 == "" {
@@ -1172,7 +1172,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 		if proto == probeIPv6 && ip.Is4() {
 			return nil
 		}
-		return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+		return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 	}

 	switch proto {
@@ -1182,7 +1182,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 			if !ip.Is4() {
 				return nil
 			}
-			return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+			return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 		}
 	case probeIPv6:
 		if n.IPv6 != "" {
@@ -1190,7 +1190,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 			if !ip.Is6() {
 				return nil
 			}
-			return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+			return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 		}
 	default:
 		return nil
--- a/net/netns/netns_darwin_tailscaled.go
+++ b/net/netns/netns_darwin_tailscaled.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build darwin,!ts_macext
+// +build darwin,!redo

 package netns

--- a/net/netns/netns_default.go
+++ b/net/netns/netns_default.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build !linux,!windows,!darwin darwin,ts_macext
+// +build !linux,!windows,!darwin darwin,redo

 package netns

--- a/net/netstat/netstat_windows.go
+++ b/net/netstat/netstat_windows.go
@@ -157,9 +157,10 @@ func ipport4(addr uint32, port uint16) netaddr.IPPort {
 	if !endian.Big {
 		addr = bits.ReverseBytes32(addr)
 	}
-	return netaddr.IPPortFrom(
-		netaddr.IPv4(byte(addr>>24), byte(addr>>16), byte(addr>>8), byte(addr)),
-		port)
+	return netaddr.IPPort{
+		IP:   netaddr.IPv4(byte(addr>>24), byte(addr>>16), byte(addr>>8), byte(addr)),
+		Port: port,
+	}
 }

 func ipport6(addr [16]byte, scope uint32, port uint16) netaddr.IPPort {
@@ -168,7 +169,10 @@ func ipport6(addr [16]byte, scope uint32, port uint16) netaddr.IPPort {
 		// TODO: something better here?
 		ip = ip.WithZone(fmt.Sprint(scope))
 	}
-	return netaddr.IPPortFrom(ip, port)
+	return netaddr.IPPort{
+		IP:   ip,
+		Port: port,
+	}
 }

 func port(v *uint32) uint16 {
--- a/net/packet/packet.go
+++ b/net/packet/packet.go
@@ -12,6 +12,7 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/types/ipproto"
+	"tailscale.com/types/strbuilder"
 )

 const unknown = ipproto.Unknown
@@ -61,17 +62,36 @@ func (p *Parsed) String() string {
 		return "Unknown{???}"
 	}

-	// max is the maximum reasonable length of the string we are constructing.
-	// It's OK to overshoot, as the temp buffer is allocated on the stack.
-	const max = len("ICMPv6{[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0]:65535 > [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0]:65535}")
-	b := make([]byte, 0, max)
-	b = append(b, p.IPProto.String()...)
-	b = append(b, '{')
-	b = p.Src.AppendTo(b)
-	b = append(b, ' ', '>', ' ')
-	b = p.Dst.AppendTo(b)
-	b = append(b, '}')
-	return string(b)
+	sb := strbuilder.Get()
+	sb.WriteString(p.IPProto.String())
+	sb.WriteByte('{')
+	writeIPPort(sb, p.Src)
+	sb.WriteString(" > ")
+	writeIPPort(sb, p.Dst)
+	sb.WriteByte('}')
+	return sb.String()
+}
+
+// writeIPPort writes ipp.String() into sb, with fewer allocations.
+//
+// TODO: make netaddr more efficient in this area, and retire this func.
+func writeIPPort(sb *strbuilder.Builder, ipp netaddr.IPPort) {
+	if ipp.IP.Is4() {
+		raw := ipp.IP.As4()
+		sb.WriteUint(uint64(raw[0]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[1]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[2]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[3]))
+		sb.WriteByte(':')
+	} else {
+		sb.WriteByte('[')
+		sb.WriteString(ipp.IP.String()) // TODO: faster?
+		sb.WriteString("]:")
+	}
+	sb.WriteUint(uint64(ipp.Port))
 }

 // Decode extracts data from the packet in b into q.
@@ -122,8 +142,8 @@ func (q *Parsed) decode4(b []byte) {
 	}

 	// If it's valid IPv4, then the IP addresses are valid
-	q.Src = q.Src.WithIP(netaddr.IPv4(b[12], b[13], b[14], b[15]))
-	q.Dst = q.Dst.WithIP(netaddr.IPv4(b[16], b[17], b[18], b[19]))
+	q.Src.IP = netaddr.IPv4(b[12], b[13], b[14], b[15])
+	q.Dst.IP = netaddr.IPv4(b[16], b[17], b[18], b[19])

 	q.subofs = int((b[0] & 0x0F) << 2)
 	if q.subofs > q.length {
@@ -165,8 +185,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = unknown
 				return
 			}
-			q.Src = q.Src.WithPort(0)
-			q.Dst = q.Dst.WithPort(0)
+			q.Src.Port = 0
+			q.Dst.Port = 0
 			q.dataofs = q.subofs + icmp4HeaderLength
 			return
 		case ipproto.IGMP:
@@ -178,8 +198,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = unknown
 				return
 			}
-			q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-			q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+			q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+			q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 			q.TCPFlags = TCPFlag(sub[13]) & 0x3F
 			headerLength := (sub[12] & 0xF0) >> 2
 			q.dataofs = q.subofs + int(headerLength)
@@ -189,8 +209,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = unknown
 				return
 			}
-			q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-			q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+			q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+			q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 			q.dataofs = q.subofs + udpHeaderLength
 			return
 		case ipproto.SCTP:
@@ -198,8 +218,8 @@ func (q *Parsed) decode4(b []byte) {
 				q.IPProto = unknown
 				return
 			}
-			q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-			q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+			q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+			q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 			return
 		case ipproto.TSMP:
 			// Inter-tailscale messages.
@@ -245,10 +265,8 @@ func (q *Parsed) decode6(b []byte) {

 	// okay to ignore `ok` here, because IPs pulled from packets are
 	// always well-formed stdlib IPs.
-	srcIP, _ := netaddr.FromStdIP(net.IP(b[8:24]))
-	dstIP, _ := netaddr.FromStdIP(net.IP(b[24:40]))
-	q.Src = q.Src.WithIP(srcIP)
-	q.Dst = q.Dst.WithIP(dstIP)
+	q.Src.IP, _ = netaddr.FromStdIP(net.IP(b[8:24]))
+	q.Dst.IP, _ = netaddr.FromStdIP(net.IP(b[24:40]))

 	// We don't support any IPv6 extension headers. Don't try to
 	// be clever. Therefore, the IP subprotocol always starts at
@@ -272,16 +290,16 @@ func (q *Parsed) decode6(b []byte) {
 			q.IPProto = unknown
 			return
 		}
-		q.Src = q.Src.WithPort(0)
-		q.Dst = q.Dst.WithPort(0)
+		q.Src.Port = 0
+		q.Dst.Port = 0
 		q.dataofs = q.subofs + icmp6HeaderLength
 	case ipproto.TCP:
 		if len(sub) < tcpHeaderLength {
 			q.IPProto = unknown
 			return
 		}
-		q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-		q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+		q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+		q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 		q.TCPFlags = TCPFlag(sub[13]) & 0x3F
 		headerLength := (sub[12] & 0xF0) >> 2
 		q.dataofs = q.subofs + int(headerLength)
@@ -291,16 +309,16 @@ func (q *Parsed) decode6(b []byte) {
 			q.IPProto = unknown
 			return
 		}
-		q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-		q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+		q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+		q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 		q.dataofs = q.subofs + udpHeaderLength
 	case ipproto.SCTP:
 		if len(sub) < sctpHeaderLength {
 			q.IPProto = unknown
 			return
 		}
-		q.Src = q.Src.WithPort(binary.BigEndian.Uint16(sub[0:2]))
-		q.Dst = q.Dst.WithPort(binary.BigEndian.Uint16(sub[2:4]))
+		q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
+		q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
 		return
 	case ipproto.TSMP:
 		// Inter-tailscale messages.
@@ -320,8 +338,8 @@ func (q *Parsed) IP4Header() IP4Header {
 	return IP4Header{
 		IPID:    ipid,
 		IPProto: q.IPProto,
-		Src:     q.Src.IP(),
-		Dst:     q.Dst.IP(),
+		Src:     q.Src.IP,
+		Dst:     q.Dst.IP,
 	}
 }

@@ -333,8 +351,8 @@ func (q *Parsed) IP6Header() IP6Header {
 	return IP6Header{
 		IPID:    ipid,
 		IPProto: q.IPProto,
-		Src:     q.Src.IP(),
-		Dst:     q.Dst.IP(),
+		Src:     q.Src.IP,
+		Dst:     q.Dst.IP,
 	}
 }

@@ -355,8 +373,8 @@ func (q *Parsed) UDP4Header() UDP4Header {
 	}
 	return UDP4Header{
 		IP4Header: q.IP4Header(),
-		SrcPort:   q.Src.Port(),
-		DstPort:   q.Dst.Port(),
+		SrcPort:   q.Src.Port,
+		DstPort:   q.Dst.Port,
 	}
 }

--- a/net/packet/packet_test.go
+++ b/net/packet/packet_test.go
@@ -378,9 +378,11 @@ func TestParsedString(t *testing.T) {
 		})
 	}

+	var sink string
 	allocs := testing.AllocsPerRun(1000, func() {
-		sinkString = tests[0].qdecode.String()
+		sink = tests[0].qdecode.String()
 	})
+	_ = sink
 	if allocs != 1 {
 		t.Errorf("allocs = %v; want 1", allocs)
 	}
@@ -530,33 +532,3 @@ func TestMarshalResponse(t *testing.T) {
 		})
 	}
 }
-
-var sinkString string
-
-func BenchmarkString(b *testing.B) {
-	benches := []struct {
-		name string
-		buf  []byte
-	}{
-		{"tcp4", tcp4PacketBuffer},
-		{"tcp6", tcp6RequestBuffer},
-		{"udp4", udp4RequestBuffer},
-		{"udp6", udp6RequestBuffer},
-		{"icmp4", icmp4RequestBuffer},
-		{"icmp6", icmp6PacketBuffer},
-		{"igmp", igmpPacketBuffer},
-		{"unknown", unknownPacketBuffer},
-	}
-
-	for _, bench := range benches {
-		b.Run(bench.name, func(b *testing.B) {
-			b.ReportAllocs()
-			var p Parsed
-			p.Decode(bench.buf)
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				sinkString = p.String()
-			}
-		})
-	}
-}
--- a/net/packet/tsmp.go
+++ b/net/packet/tsmp.go
@@ -143,7 +143,7 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
 	if len(buf) > maxPacketLength {
 		return errLargePacket
 	}
-	if h.Src.IP().Is4() {
+	if h.Src.IP.Is4() {
 		iph := IP4Header{
 			IPProto: ipproto.TSMP,
 			Src:     h.IPSrc,
@@ -151,7 +151,7 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
 		}
 		iph.Marshal(buf)
 		buf = buf[ip4HeaderLength:]
-	} else if h.Src.IP().Is6() {
+	} else if h.Src.IP.Is6() {
 		iph := IP6Header{
 			IPProto: ipproto.TSMP,
 			Src:     h.IPSrc,
@@ -165,8 +165,8 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
 	buf[0] = byte(TSMPTypeRejectedConn)
 	buf[1] = byte(h.Proto)
 	buf[2] = byte(h.Reason)
-	binary.BigEndian.PutUint16(buf[3:5], h.Src.Port())
-	binary.BigEndian.PutUint16(buf[5:7], h.Dst.Port())
+	binary.BigEndian.PutUint16(buf[3:5], h.Src.Port)
+	binary.BigEndian.PutUint16(buf[5:7], h.Dst.Port)

 	if h.hasFlags() {
 		var flags byte
@@ -190,10 +190,10 @@ func (pp *Parsed) AsTailscaleRejectedHeader() (h TailscaleRejectedHeader, ok boo
 	h = TailscaleRejectedHeader{
 		Proto:  ipproto.Proto(p[1]),
 		Reason: TailscaleRejectReason(p[2]),
-		IPSrc:  pp.Src.IP(),
-		IPDst:  pp.Dst.IP(),
-		Src:    netaddr.IPPortFrom(pp.Dst.IP(), binary.BigEndian.Uint16(p[3:5])),
-		Dst:    netaddr.IPPortFrom(pp.Src.IP(), binary.BigEndian.Uint16(p[5:7])),
+		IPSrc:  pp.Src.IP,
+		IPDst:  pp.Dst.IP,
+		Src:    netaddr.IPPort{IP: pp.Dst.IP, Port: binary.BigEndian.Uint16(p[3:5])},
+		Dst:    netaddr.IPPort{IP: pp.Src.IP, Port: binary.BigEndian.Uint16(p[5:7])},
 	}
 	if len(p) > 7 {
 		flags := p[7]
--- a/net/portmapper/portmapper.go
+++ b/net/portmapper/portmapper.go
@@ -84,7 +84,7 @@ type pmpMapping struct {

 // externalValid reports whether m.external is valid, with both its IP and Port populated.
 func (m *pmpMapping) externalValid() bool {
-	return !m.external.IP().IsZero() && m.external.Port() != 0
+	return !m.external.IP.IsZero() && m.external.Port != 0
 }

 // release does a best effort fire-and-forget release of the PMP mapping m.
@@ -94,8 +94,8 @@ func (m *pmpMapping) release() {
 		return
 	}
 	defer uc.Close()
-	pkt := buildPMPRequestMappingPacket(m.internal.Port(), m.external.Port(), pmpMapLifetimeDelete)
-	uc.WriteTo(pkt, netaddr.IPPortFrom(m.gw, pmpPort).UDPAddr())
+	pkt := buildPMPRequestMappingPacket(m.internal.Port, m.external.Port, pmpMapLifetimeDelete)
+	uc.WriteTo(pkt, netaddr.IPPort{IP: m.gw, Port: pmpPort}.UDPAddr())
 }

 // NewClient returns a new portmapping client.
@@ -256,7 +256,7 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	localPort := c.localPort
 	m := &pmpMapping{
 		gw:       gw,
-		internal: netaddr.IPPortFrom(myIP, localPort),
+		internal: netaddr.IPPort{IP: myIP, Port: localPort},
 	}

 	// prevPort is the port we had most previously, if any. We try
@@ -271,7 +271,7 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 			return m.external, nil
 		}
 		// The mapping might still be valid, so just try to renew it.
-		prevPort = m.external.Port()
+		prevPort = m.external.Port
 	}

 	// If we just did a Probe (e.g. via netchecker) but didn't
@@ -279,7 +279,7 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	// again. Cuts down latency for most clients.
 	haveRecentPMP := c.sawPMPRecentlyLocked()
 	if haveRecentPMP {
-		m.external = m.external.WithIP(c.pmpPubIP)
+		m.external.IP = c.pmpPubIP
 	}
 	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentPMP {
 		c.mu.Unlock()
@@ -297,11 +297,11 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	uc.SetReadDeadline(time.Now().Add(portMapServiceTimeout))
 	defer closeCloserOnContextDone(ctx, uc)()

-	pmpAddr := netaddr.IPPortFrom(gw, pmpPort)
+	pmpAddr := netaddr.IPPort{IP: gw, Port: pmpPort}
 	pmpAddru := pmpAddr.UDPAddr()

 	// Ask for our external address if needed.
-	if m.external.IP().IsZero() {
+	if m.external.IP.IsZero() {
 		if _, err := uc.WriteTo(pmpReqExternalAddrPacket, pmpAddru); err != nil {
 			return netaddr.IPPort{}, err
 		}
@@ -337,10 +337,10 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 				return netaddr.IPPort{}, NoMappingError{fmt.Errorf("PMP response Op=0x%x,Res=0x%x", pres.OpCode, pres.ResultCode)}
 			}
 			if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr {
-				m.external = m.external.WithIP(pres.PublicAddr)
+				m.external.IP = pres.PublicAddr
 			}
 			if pres.OpCode == pmpOpReply|pmpOpMapUDP {
-				m.external = m.external.WithPort(pres.ExternalPort)
+				m.external.Port = pres.ExternalPort
 				d := time.Duration(pres.MappingValidSeconds) * time.Second
 				d /= 2 // renew in half the time
 				m.useUntil = time.Now().Add(d)
@@ -468,9 +468,9 @@ func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
 	defer cancel()
 	defer closeCloserOnContextDone(ctx, uc)()

-	pcpAddr := netaddr.IPPortFrom(gw, pcpPort).UDPAddr()
-	pmpAddr := netaddr.IPPortFrom(gw, pmpPort).UDPAddr()
-	upnpAddr := netaddr.IPPortFrom(gw, upnpPort).UDPAddr()
+	pcpAddr := netaddr.IPPort{IP: gw, Port: pcpPort}.UDPAddr()
+	pmpAddr := netaddr.IPPort{IP: gw, Port: pmpPort}.UDPAddr()
+	upnpAddr := netaddr.IPPort{IP: gw, Port: upnpPort}.UDPAddr()

 	// Don't send probes to services that we recently learned (for
 	// the same gw/myIP) are available. See
--- a/net/tsaddr/tsaddr.go
+++ b/net/tsaddr/tsaddr.go
@@ -41,9 +41,12 @@ var (
 // TailscaleServiceIP returns the listen address of services
 // provided by Tailscale itself such as the MagicDNS proxy.
 func TailscaleServiceIP() netaddr.IP {
-	return netaddr.IPv4(100, 100, 100, 100) // "100.100.100.100" for those grepping
+	serviceIP.Do(func() { mustIP(&serviceIP.v, "100.100.100.100") })
+	return serviceIP.v
 }

+var serviceIP onceIP
+
 // IsTailscaleIP reports whether ip is an IP address in a range that
 // Tailscale assigns from.
 func IsTailscaleIP(ip netaddr.IP) bool {
@@ -89,7 +92,7 @@ func TailscaleEphemeral6Range() netaddr.IPPrefix {
 // Currently used to work around a Windows limitation when programming
 // IPv6 routes in corner cases.
 func Tailscale4To6Placeholder() netaddr.IP {
-	return Tailscale4To6Range().IP()
+	return Tailscale4To6Range().IP
 }

 // Tailscale4To6 returns a Tailscale IPv6 address that maps 1:1 to the
@@ -99,7 +102,7 @@ func Tailscale4To6(ipv4 netaddr.IP) netaddr.IP {
 	if !ipv4.Is4() || !IsTailscaleIP(ipv4) {
 		return netaddr.IP{}
 	}
-	ret := Tailscale4To6Range().IP().As16()
+	ret := Tailscale4To6Range().IP.As16()
 	v4 := ipv4.As4()
 	copy(ret[13:], v4[1:])
 	return netaddr.IPFrom16(ret)
@@ -123,6 +126,19 @@ type oncePrefix struct {
 	v netaddr.IPPrefix
 }

+func mustIP(v *netaddr.IP, ip string) {
+	var err error
+	*v, err = netaddr.ParseIP(ip)
+	if err != nil {
+		panic(err)
+	}
+}
+
+type onceIP struct {
+	sync.Once
+	v netaddr.IP
+}
+
 // NewContainsIPFunc returns a func that reports whether ip is in addrs.
 //
 // It's optimized for the cases of addrs being empty and addrs
@@ -156,16 +172,16 @@ func NewContainsIPFunc(addrs []netaddr.IPPrefix) func(ip netaddr.IP) bool {
 	// Fast paths for 1 and 2 IPs:
 	if len(addrs) == 1 {
 		a := addrs[0]
-		return func(ip netaddr.IP) bool { return ip == a.IP() }
+		return func(ip netaddr.IP) bool { return ip == a.IP }
 	}
 	if len(addrs) == 2 {
 		a, b := addrs[0], addrs[1]
-		return func(ip netaddr.IP) bool { return ip == a.IP() || ip == b.IP() }
+		return func(ip netaddr.IP) bool { return ip == a.IP || ip == b.IP }
 	}
 	// General case:
 	m := map[netaddr.IP]bool{}
 	for _, a := range addrs {
-		m[a.IP()] = true
+		m[a.IP] = true
 	}
 	return func(ip netaddr.IP) bool { return m[ip] }
 }
--- a/net/tsaddr/tsaddr_test.go
+++ b/net/tsaddr/tsaddr_test.go
@@ -93,11 +93,3 @@ func TestNewContainsIPFunc(t *testing.T) {
 		t.Fatal("bad")
 	}
 }
-
-var sinkIP netaddr.IP
-
-func BenchmarkTailscaleServiceAddr(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		sinkIP = TailscaleServiceIP()
-	}
-}
--- a/net/tstun/fake.go
+++ b/net/tstun/fake.go
@@ -8,7 +8,7 @@ import (
 	"io"
 	"os"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 )

 type fakeTUN struct {
--- a/net/tstun/ifstatus_noop.go
+++ b/net/tstun/ifstatus_noop.go
@@ -9,7 +9,7 @@ package tstun
 import (
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 )

--- a/net/tstun/ifstatus_windows.go
+++ b/net/tstun/ifstatus_windows.go
@@ -9,7 +9,7 @@ import (
 	"sync"
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/types/logger"
 )
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -11,34 +11,27 @@ import (
 	"os"
 	"os/exec"
 	"runtime"
-	"strconv"
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 	"tailscale.com/version/distro"
 )

-// tunMTU is the MTU we set on tailscale's TUN interface. wireguard-go
-// defaults to 1420 bytes, which only works if the "outer" MTU is 1500
-// bytes. This breaks on DSL connections (typically 1492 MTU) and on
-// GCE (1460 MTU?!).
+// minimalMTU is the MTU we set on tailscale's TUN
+// interface. wireguard-go defaults to 1420 bytes, which only works if
+// the "outer" MTU is 1500 bytes. This breaks on DSL connections
+// (typically 1492 MTU) and on GCE (1460 MTU?!).
 //
 // 1280 is the smallest MTU allowed for IPv6, which is a sensible
 // "probably works everywhere" setting until we develop proper PMTU
 // discovery.
-var tunMTU = 1280
-
-func init() {
-	if mtu, _ := strconv.Atoi(os.Getenv("TS_DEBUG_MTU")); mtu != 0 {
-		tunMTU = mtu
-	}
-}
+const minimalMTU = 1280

 // New returns a tun.Device for the requested device name, along with
 // the OS-dependent name that was allocated to the device.
 func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
-	dev, err := tun.CreateTUN(tunName, tunMTU)
+	dev, err := tun.CreateTUN(tunName, minimalMTU)
 	if err != nil {
 		return nil, "", err
 	}
--- a/net/tstun/tun_notwindows.go
+++ b/net/tstun/tun_notwindows.go
@@ -6,7 +6,7 @@

 package tstun

-import "golang.zx2c4.com/wireguard/tun"
+import "github.com/tailscale/wireguard-go/tun"

 func interfaceName(dev tun.Device) (string, error) {
 	return dev.Name()
--- a/net/tstun/tun_windows.go
+++ b/net/tstun/tun_windows.go
@@ -5,9 +5,9 @@
 package tstun

 import (
+	"github.com/tailscale/wireguard-go/tun"
+	"github.com/tailscale/wireguard-go/tun/wintun"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/wintun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )

--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -14,8 +14,8 @@ import (
 	"sync/atomic"
 	"time"

-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
@@ -352,7 +352,7 @@ func (t *Wrapper) Read(buf []byte, offset int) (int, error) {
 	p.Decode(buf[offset : offset+n])

 	if m, ok := t.destIPActivity.Load().(map[netaddr.IP]func()); ok {
-		if fn := m[p.Dst.IP()]; fn != nil {
+		if fn := m[p.Dst.IP]; fn != nil {
 			fn()
 		}
 	}
@@ -412,7 +412,7 @@ func (t *Wrapper) filterIn(buf []byte) filter.Response {
 		p.IPProto == ipproto.TCP &&
 		p.TCPFlags&packet.TCPSyn != 0 &&
 		t.PeerAPIPort != nil {
-		if port, ok := t.PeerAPIPort(p.Dst.IP()); ok && port == p.Dst.Port() {
+		if port, ok := t.PeerAPIPort(p.Dst.IP); ok && port == p.Dst.Port {
 			outcome = filter.Accept
 		}
 	}
@@ -425,8 +425,8 @@ func (t *Wrapper) filterIn(buf []byte) filter.Response {
 		// can show them a rejection history with reasons.
 		if p.IPVersion == 4 && p.IPProto == ipproto.TCP && p.TCPFlags&packet.TCPSyn != 0 && !t.disableTSMPRejected {
 			rj := packet.TailscaleRejectedHeader{
-				IPSrc:  p.Dst.IP(),
-				IPDst:  p.Src.IP(),
+				IPSrc:  p.Dst.IP,
+				IPDst:  p.Src.IP,
 				Src:    p.Src,
 				Dst:    p.Dst,
 				Proto:  p.IPProto,
@@ -536,7 +536,7 @@ func (t *Wrapper) injectOutboundPong(pp *packet.Parsed, req packet.TSMPPingReque
 		Data: req.Data,
 	}
 	if t.PeerAPIPort != nil {
-		pong.PeerAPIPort, _ = t.PeerAPIPort(pp.Dst.IP())
+		pong.PeerAPIPort, _ = t.PeerAPIPort(pp.Dst.IP)
 	}
 	switch pp.IPVersion {
 	case 4:
--- a/net/tstun/wrap_test.go
+++ b/net/tstun/wrap_test.go
@@ -14,7 +14,7 @@ import (
 	"testing"
 	"unsafe"

-	"golang.zx2c4.com/wireguard/tun/tuntest"
+	"github.com/tailscale/wireguard-go/tun/tuntest"
 	"inet.af/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
@@ -82,7 +82,7 @@ func nets(nets ...string) (ret []netaddr.IPPrefix) {
 			if ip.Is6() {
 				bits = 128
 			}
-			ret = append(ret, netaddr.IPPrefixFrom(ip, bits))
+			ret = append(ret, netaddr.IPPrefix{IP: ip, Bits: bits})
 		} else {
 			pfx, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
@@ -146,8 +146,7 @@ func setfilter(logf logger.Logf, tun *Wrapper) {
 	}
 	var sb netaddr.IPSetBuilder
 	sb.AddPrefix(netaddr.MustParseIPPrefix("1.2.0.0/16"))
-	ipSet, _ := sb.IPSet()
-	tun.SetFilter(filter.New(matches, ipSet, ipSet, nil, logf))
+	tun.SetFilter(filter.New(matches, sb.IPSet(), sb.IPSet(), nil, logf))
 }

 func newChannelTUN(logf logger.Logf, secure bool) (*tuntest.ChannelTUN, *Wrapper) {
--- a/packages/deb/deb.go
+++ b/packages/deb/deb.go
@@ -1,184 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package deb extracts metadata from Debian packages.
-package deb
-
-import (
-	"archive/tar"
-	"bufio"
-	"bytes"
-	"compress/gzip"
-	"crypto/md5"
-	"crypto/sha1"
-	"crypto/sha256"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-)
-
-// Info is the Debian package metadata needed to integrate the package
-// into a repository.
-type Info struct {
-	// Version is the version of the package, as reported by dpkg.
-	Version string
-	// Arch is the Debian CPU architecture the package is for.
-	Arch string
-	// Control is the entire contents of the package's control file,
-	// with leading and trailing whitespace removed.
-	Control []byte
-	// MD5 is the MD5 hash of the package file.
-	MD5 []byte
-	// SHA1 is the SHA1 hash of the package file.
-	SHA1 []byte
-	// SHA256 is the SHA256 hash of the package file.
-	SHA256 []byte
-}
-
-// ReadFile returns Debian package metadata from the .deb file at path.
-func ReadFile(path string) (*Info, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	return Read(f)
-}
-
-// Read returns Debian package metadata from the .deb file in r.
-func Read(r io.Reader) (*Info, error) {
-	b := bufio.NewReader(r)
-
-	m5, s1, s256 := md5.New(), sha1.New(), sha256.New()
-	summers := io.MultiWriter(m5, s1, s256)
-	r = io.TeeReader(b, summers)
-
-	t, err := findControlTar(r)
-	if err != nil {
-		return nil, fmt.Errorf("searching for control.tar.gz: %w", err)
-	}
-
-	control, err := findControlFile(t)
-	if err != nil {
-		return nil, fmt.Errorf("searching for control file in control.tar.gz: %w", err)
-	}
-
-	arch, version, err := findArchAndVersion(control)
-	if err != nil {
-		return nil, fmt.Errorf("extracting version and architecture from control file: %w", err)
-	}
-
-	// Exhaust the remainder of r, so that the summers see the entire file.
-	if _, err := io.Copy(ioutil.Discard, r); err != nil {
-		return nil, fmt.Errorf("hashing file: %w", err)
-	}
-
-	return &Info{
-		Version: version,
-		Arch:    arch,
-		Control: control,
-		MD5:     m5.Sum(nil),
-		SHA1:    s1.Sum(nil),
-		SHA256:  s256.Sum(nil),
-	}, nil
-}
-
-// findControlTar reads r as an `ar` archive, finds a tarball named
-// `control.tar.gz` within, and returns a reader for that file.
-func findControlTar(r io.Reader) (tarReader io.Reader, err error) {
-	var magic [8]byte
-	if _, err := io.ReadFull(r, magic[:]); err != nil {
-		return nil, fmt.Errorf("reading ar magic: %w", err)
-	}
-	if string(magic[:]) != "!<arch>\n" {
-		return nil, fmt.Errorf("not an ar file (bad magic %q)", magic)
-	}
-
-	for {
-		var hdr [60]byte
-		if _, err := io.ReadFull(r, hdr[:]); err != nil {
-			return nil, fmt.Errorf("reading file header: %w", err)
-		}
-		filename := strings.TrimSpace(string(hdr[:16]))
-		size, err := strconv.ParseInt(strings.TrimSpace(string(hdr[48:58])), 10, 64)
-		if err != nil {
-			return nil, fmt.Errorf("reading size of file %q: %w", filename, err)
-		}
-		if filename == "control.tar.gz" {
-			return io.LimitReader(r, size), nil
-		}
-
-		// files in ar are padded out to 2 bytes.
-		if size%2 == 1 {
-			size++
-		}
-		if _, err := io.CopyN(ioutil.Discard, r, size); err != nil {
-			return nil, fmt.Errorf("seeking past file %q: %w", filename, err)
-		}
-	}
-}
-
-// findControlFile reads r as a tar.gz archive, finds a file named
-// `control` within, and returns its contents.
-func findControlFile(r io.Reader) (control []byte, err error) {
-	gz, err := gzip.NewReader(r)
-	if err != nil {
-		return nil, fmt.Errorf("decompressing control.tar.gz: %w", err)
-	}
-	defer gz.Close()
-
-	tr := tar.NewReader(gz)
-	for {
-		hdr, err := tr.Next()
-		if err != nil {
-			if errors.Is(err, io.EOF) {
-				return nil, errors.New("EOF while looking for control file in control.tar.gz")
-			}
-			return nil, fmt.Errorf("reading tar header: %w", err)
-		}
-
-		if filepath.Clean(hdr.Name) != "control" {
-			continue
-		}
-
-		// Found control file
-		break
-	}
-
-	bs, err := ioutil.ReadAll(tr)
-	if err != nil {
-		return nil, fmt.Errorf("reading control file: %w", err)
-	}
-
-	return bytes.TrimSpace(bs), nil
-}
-
-var (
-	archKey    = []byte("Architecture:")
-	versionKey = []byte("Version:")
-)
-
-// findArchAndVersion extracts the architecture and version strings
-// from the given control file.
-func findArchAndVersion(control []byte) (arch string, version string, err error) {
-	b := bytes.NewBuffer(control)
-	for {
-		l, err := b.ReadBytes('\n')
-		if err != nil {
-			return "", "", err
-		}
-		if bytes.HasPrefix(l, archKey) {
-			arch = string(bytes.TrimSpace(l[len(archKey):]))
-		} else if bytes.HasPrefix(l, versionKey) {
-			version = string(bytes.TrimSpace(l[len(versionKey):]))
-		}
-		if arch != "" && version != "" {
-			return arch, version, nil
-		}
-	}
-}
--- a/packages/deb/deb_test.go
+++ b/packages/deb/deb_test.go
@@ -1,202 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package deb
-
-import (
-	"bytes"
-	"crypto/md5"
-	"crypto/sha1"
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"hash"
-	"strings"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/goreleaser/nfpm"
-	_ "github.com/goreleaser/nfpm/deb"
-)
-
-func TestDebInfo(t *testing.T) {
-	tests := []struct {
-		name    string
-		in      []byte
-		want    *Info
-		wantErr bool
-	}{
-		{
-			name: "simple",
-			in:   mkTestDeb("1.2.3", "amd64"),
-			want: &Info{
-				Version: "1.2.3",
-				Arch:    "amd64",
-				Control: mkControl(
-					"Package", "tailscale",
-					"Version", "1.2.3",
-					"Section", "net",
-					"Priority", "extra",
-					"Architecture", "amd64",
-					"Installed-Size", "0",
-					"Description", "test package"),
-			},
-		},
-		{
-			name: "arm64",
-			in:   mkTestDeb("1.2.3", "arm64"),
-			want: &Info{
-				Version: "1.2.3",
-				Arch:    "arm64",
-				Control: mkControl(
-					"Package", "tailscale",
-					"Version", "1.2.3",
-					"Section", "net",
-					"Priority", "extra",
-					"Architecture", "arm64",
-					"Installed-Size", "0",
-					"Description", "test package"),
-			},
-		},
-		{
-			name: "unstable",
-			in:   mkTestDeb("1.7.25", "amd64"),
-			want: &Info{
-				Version: "1.7.25",
-				Arch:    "amd64",
-				Control: mkControl(
-					"Package", "tailscale",
-					"Version", "1.7.25",
-					"Section", "net",
-					"Priority", "extra",
-					"Architecture", "amd64",
-					"Installed-Size", "0",
-					"Description", "test package"),
-			},
-		},
-
-		// These truncation tests assume the structure of a .deb
-		// package, which is as follows:
-		//  magic: 8 bytes
-		//  file header: 60 bytes, before each file blob
-		//
-		// The first file in a .deb ar is "debian-binary", which is 4
-		// bytes long and consists of "2.0\n".
-		// The second file is control.tar.gz, which is what we care
-		// about introspecting for metadata.
-		// The final file is data.tar.gz, which we don't care about.
-		//
-		// The first file in control.tar.gz is the "control" file we
-		// want to read for metadata.
-		{
-			name:    "truncated_ar_magic",
-			in:      mkTestDeb("1.7.25", "amd64")[:4],
-			wantErr: true,
-		},
-		{
-			name:    "truncated_ar_header",
-			in:      mkTestDeb("1.7.25", "amd64")[:30],
-			wantErr: true,
-		},
-		{
-			name: "missing_control_tgz",
-			// Truncate right after the "debian-binary" file, which
-			// makes the file a valid 1-file archive that's missing
-			// control.tar.gz.
-			in:      mkTestDeb("1.7.25", "amd64")[:72],
-			wantErr: true,
-		},
-		{
-			name:    "truncated_tgz",
-			in:      mkTestDeb("1.7.25", "amd64")[:172],
-			wantErr: true,
-		},
-	}
-
-	for _, test := range tests {
-		// mkTestDeb returns non-deterministic output due to
-		// timestamps embedded in the package file, so compute the
-		// wanted hashes on the fly here.
-		if test.want != nil {
-			test.want.MD5 = mkHash(test.in, md5.New)
-			test.want.SHA1 = mkHash(test.in, sha1.New)
-			test.want.SHA256 = mkHash(test.in, sha256.New)
-		}
-
-		t.Run(test.name, func(t *testing.T) {
-			b := bytes.NewBuffer(test.in)
-			got, err := Read(b)
-			if err != nil {
-				if test.wantErr {
-					t.Logf("got expected error: %v", err)
-					return
-				}
-				t.Fatalf("reading deb info: %v", err)
-			}
-			if diff := diff(got, test.want); diff != "" {
-				t.Fatalf("parsed info diff (-got+want):\n%s", diff)
-			}
-		})
-	}
-}
-
-func diff(got, want interface{}) string {
-	matchField := func(name string) func(p cmp.Path) bool {
-		return func(p cmp.Path) bool {
-			if len(p) != 3 {
-				return false
-			}
-			return p[2].String() == "."+name
-		}
-	}
-	toLines := cmp.Transformer("lines", func(b []byte) []string { return strings.Split(string(b), "\n") })
-	toHex := cmp.Transformer("hex", func(b []byte) string { return hex.EncodeToString(b) })
-	return cmp.Diff(got, want,
-		cmp.FilterPath(matchField("Control"), toLines),
-		cmp.FilterPath(matchField("MD5"), toHex),
-		cmp.FilterPath(matchField("SHA1"), toHex),
-		cmp.FilterPath(matchField("SHA256"), toHex))
-}
-
-func mkTestDeb(version, arch string) []byte {
-	info := nfpm.WithDefaults(&nfpm.Info{
-		Name:        "tailscale",
-		Description: "test package",
-		Arch:        arch,
-		Platform:    "linux",
-		Version:     version,
-		Section:     "net",
-		Priority:    "extra",
-	})
-
-	pkg, err := nfpm.Get("deb")
-	if err != nil {
-		panic(fmt.Sprintf("getting deb packager: %v", err))
-	}
-
-	var b bytes.Buffer
-	if err := pkg.Package(info, &b); err != nil {
-		panic(fmt.Sprintf("creating deb package: %v", err))
-	}
-
-	return b.Bytes()
-}
-
-func mkControl(fs ...string) []byte {
-	if len(fs)%2 != 0 {
-		panic("odd number of control file fields")
-	}
-	var b bytes.Buffer
-	for i := 0; i < len(fs); i = i + 2 {
-		k, v := fs[i], fs[i+1]
-		fmt.Fprintf(&b, "%s: %s\n", k, v)
-	}
-	return bytes.TrimSpace(b.Bytes())
-}
-
-func mkHash(b []byte, hasher func() hash.Hash) []byte {
-	h := hasher()
-	h.Write(b)
-	return h.Sum(nil)
-}
--- a/paths/paths.go
+++ b/paths/paths.go
@@ -11,13 +11,11 @@ import (
 	"path/filepath"
 	"runtime"
 	"sync/atomic"
-
-	"tailscale.com/version/distro"
 )

-// AppSharedDir is a string set by the iOS or Android app on start
+// IOSSharedDir is a string set by the iOS app on start
 // containing a directory we can read/write in.
-var AppSharedDir atomic.Value
+var IOSSharedDir atomic.Value

 // DefaultTailscaledSocket returns the path to the tailscaled Unix socket
 // or the empty string if there's no reasonable default.
@@ -28,15 +26,11 @@ func DefaultTailscaledSocket() string {
 	if runtime.GOOS == "darwin" {
 		return "/var/run/tailscaled.socket"
 	}
-	if distro.Get() == distro.Synology {
-		// TODO(maisem): be smarter about this. We can parse /etc/VERSION.
-		const dsm6Sock = "/var/packages/Tailscale/etc/tailscaled.sock"
-		const dsm7Sock = "/var/packages/Tailscale/var/tailscaled.sock"
-		if fi, err := os.Stat(dsm6Sock); err == nil && !fi.IsDir() {
-			return dsm6Sock
-		}
-		if fi, err := os.Stat(dsm7Sock); err == nil && !fi.IsDir() {
-			return dsm7Sock
+	if runtime.GOOS == "linux" {
+		// TODO(crawshaw): does this path change with DSM7?
+		const synologySock = "/volume1/@appstore/Tailscale/var/tailscaled.sock" // SYNOPKG_PKGDEST in scripts/installer
+		if fi, err := os.Stat(filepath.Dir(synologySock)); err == nil && fi.IsDir() {
+			return synologySock
 		}
 	}
 	if fi, err := os.Stat("/var/run"); err == nil && fi.IsDir() {
--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -1,399 +0,0 @@
-#!/bin/sh
-# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-#
-# This script detects the current operating system, and installs
-# Tailscale according to that OS's conventions.
-
-set -eu
-
-# All the code is wrapped in a main function that gets called at the
-# bottom of the file, so that a truncated partial download doesn't end
-# up executing half a script.
-main() {
-	# Step 1: detect the current linux distro, version, and packaging system.
-	#
-	# We rely on a combination of 'uname' and /etc/os-release to find
-	# an OS name and version, and from there work out what
-	# installation method we should be using.
-	#
-	# The end result of this step is that the following three
-	# variables are populated, if detection was successful.
-	OS=""
-	VERSION=""
-	PACKAGETYPE=""
-
-	if [ -f /etc/os-release ]; then
-		# /etc/os-release populates a number of shell variables. We care about the following:
-		#  - ID: the short name of the OS (e.g. "debian", "freebsd")
-		#  - VERSION_ID: the numeric release version for the OS, if any (e.g. "18.04")
-		#  - VERSION_CODENAME: the codename of the OS release, if any (e.g. "buster")
-		. /etc/os-release
-		case "$ID" in
-			ubuntu)
-				OS="$ID"
-				VERSION="$VERSION_CODENAME"
-				PACKAGETYPE="apt"
-				;;
-			debian)
-				OS="$ID"
-				VERSION="$VERSION_CODENAME"
-				PACKAGETYPE="apt"
-				;;
-			raspbian)
-				OS="$ID"
-				VERSION="$VERSION_CODENAME"
-				PACKAGETYPE="apt"
-				;;
-			centos)
-				OS="$ID"
-				VERSION="$VERSION_ID"
-				PACKAGETYPE="dnf"
-				if [ "$VERSION" = "7" ]; then
-					PACKAGETYPE="yum"
-				fi
-				;;
-			rhel)
-				OS="$ID"
-				VERSION="$(echo "$VERSION_ID" | cut -f1 -d.)"
-				PACKAGETYPE="dnf"
-				;;
-			fedora)
-				OS="$ID"
-				VERSION=""
-				PACKAGETYPE="dnf"
-				;;
-			amzn)
-				OS="amazon-linux"
-				VERSION="$VERSION_ID"
-				PACKAGETYPE="yum"
-				;;
-			opensuse-leap)
-				OS="opensuse"
-				VERSION="leap/$VERSION_ID"
-				PACKAGETYPE="zypper"
-				;;
-			opensuse-tumbleweed)
-				OS="opensuse"
-				VERSION="tumbleweed"
-				PACKAGETYPE="zypper"
-				;;
- 			arch)
-				OS="$ID"
-				VERSION="" # rolling release
-				PACKAGETYPE="pacman"
-				;;
-			manjaro)
-				OS="$ID"
-				VERSION="" # rolling release
-				PACKAGETYPE="pacman"
-				;;
-			alpine)
-				OS="$ID"
-				VERSION="$VERSION_ID"
-				PACKAGETYPE="apk"
-				;;
-			nixos)
-				echo "Please add Tailscale to your NixOS configuration directly:"
-				echo
-				echo "services.tailscale.enable = true;"
-				exit 1
-				;;
-			void)
-				OS="$ID"
-				VERSION="" # rolling release
-				PACKAGETYPE="xbps"
-				;;
-			gentoo)
-				OS="$ID"
-				VERSION="" # rolling release
-				PACKAGETYPE="emerge"
-				;;
-			freebsd)
-				OS="$ID"
-				VERSION="$(echo "$VERSION_ID" | cut -f1 -d.)"
-				PACKAGETYPE="pkg"
-				;;
-			# TODO: wsl?
-			# TODO: synology? qnap?
-		esac
-	fi
-
-	# If we failed to detect something through os-release, consult
-	# uname and try to infer things from that.
-	if [ -z "$OS" ]; then
-		if type uname >/dev/null 2>&1; then
-			case "$(uname)" in
-				FreeBSD)
-					# FreeBSD before 12.2 doesn't have
-					# /etc/os-release, so we wouldn't have found it in
-					# the os-release probing above.
-					OS="freebsd"
-					VERSION="$(freebsd-version | cut -f1 -d.)"
-					PACKAGETYPE="pkg"
-					;;
-				OpenBSD)
-					OS="openbsd"
-					VERSION="$(uname -r)"
-					PACKAGETYPE=""
-					;;
-				Darwin)
-					OS="macos"
-					VERSION="$(sw_vers -productVersion | cut -f1-2 -d.)"
-					PACKAGETYPE="appstore"
-					;;
-				Linux)
-					OS="other-linux"
-					VERSION=""
-					PACKAGETYPE=""
-					;;
-			esac
-		fi
-	fi
-
-	# Step 2: having detected an OS we support, is it one of the
-	# versions we support?
-	OS_UNSUPPORTED=
-	case "$OS" in
-		ubuntu)
-			if [ "$VERSION" != "xenial" ] && \
-			   [ "$VERSION" != "bionic" ] && \
-			   [ "$VERSION" != "eoan" ] && \
-			   [ "$VERSION" != "focal" ] && \
-			   [ "$VERSION" != "groovy" ] && \
-			   [ "$VERSION" != "hirsute" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		debian)
-			if [ "$VERSION" != "stretch" ] && \
-			   [ "$VERSION" != "buster" ] && \
-			   [ "$VERSION" != "bullseye" ] && \
-			   [ "$VERSION" != "sid" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		raspbian)
-			if [ "$VERSION" != "buster" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		centos)
-			if [ "$VERSION" != "7" ] && \
-			   [ "$VERSION" != "8" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		rhel)
-			if [ "$VERSION" != "8" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		amazon-linux)
-			if [ "$VERSION" != "2" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-		;;
-		opensuse)
-			if [ "$VERSION" != "leap/15.1" ] && \
-			   [ "$VERSION" != "leap/15.2" ] && \
-			   [ "$VERSION" != "tumbleweed" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-			;;
-		arch)
-			# Rolling release, no version checking needed.
-			;;
-		manjaro)
-			# Rolling release, no version checking needed.
-			;;
-		alpine)
-			# All versions supported, no version checking needed.
-			# TODO: is that true? When was tailscale packaged?
-			;;
-		void)
-			# Rolling release, no version checking needed.
-			;;
-		gentoo)
-			# Rolling release, no version checking needed.
-			;;
-		freebsd)
-			if [ "$VERSION" != "12" ] && \
-			   [ "$VERSION" != "13" ]
-			then
-				OS_UNSUPPORTED=1
-			fi
-			;;
-		openbsd)
-			OS_UNSUPPORTED=1
-			;;
-		macos)
-			# We delegate macOS installation to the app store, it will
-			# perform version checks for us.
-			;;
-		other-linux)
-			OS_UNSUPPORTED=1
-			;;
-		*)
-			OS_UNSUPPORTED=1
-			;;
-	esac
-	if [ "$OS_UNSUPPORTED" = "1" ]; then
-		case "$OS" in
-			other-linux)
-				echo "Couldn't determine what kind of Linux is running."
-				echo "You could try the static binaries at:"
-				echo "https://pkgs.tailscale.com/stable/#static"
-				;;
-			"")
-				echo "Couldn't determine what operating system you're running."
-				;;
-			*)
-				echo "$OS $VERSION isn't supported by this script yet."
-				;;
-		esac
-		echo
-		echo "If you'd like us to support your system better, please email support@tailscale.com"
-		echo "and tell us what OS you're running."
-		echo
-		echo "Please include the following information we gathered from your system:"
-		echo
-		echo "OS=$OS"
-		echo "VERSION=$VERSION"
-		echo "PACKAGETYPE=$PACKAGETYPE"
-		if type uname >/dev/null 2>&1; then
-			echo "UNAME=$(uname -a)"
-		else
-			echo "UNAME="
-		fi
-		echo
-		if [ -f /etc/os-release ]; then
-			cat /etc/os-release
-		else
-			echo "No /etc/os-release"
-		fi
-		exit 1
-	fi
-
-	# Step 3: work out if we can run privileged commands, and if so,
-	# how.
-	CAN_ROOT=
-	SUDO=
-	if [ "$(id -u)" = 0 ]; then
-		CAN_ROOT=1
-		SUDO=""
-	elif type sudo >/dev/null; then
-		CAN_ROOT=1
-		SUDO="sudo"
-	elif type doas >/dev/null; then
-		CAN_ROOT=1
-		SUDO="doas"
-	fi
-	if [ "$CAN_ROOT" != "1" ]; then
-		echo "This installer needs to run commands as root."
-		echo "We tried looking for 'sudo' and 'doas', but couldn't find them."
-		echo "Either re-run this script as root, or set up sudo/doas."
-		exit 1
-	fi
-
-
-	# Step 4: run the installation.
-	echo "Installing Tailscale for $OS $VERSION, using method $PACKAGETYPE"
-	case "$PACKAGETYPE" in
-		apt)
-			# Ideally we want to use curl, but on some installs we
-			# only have wget. Detect and use what's available.
-			CURL=
-			if type curl >/dev/null; then
-				CURL="curl -fsSL"
-			elif type wget >/dev/null; then
-				CURL="wget -q -O-"
-			fi
-			if [ -z "$CURL" ]; then
-				echo "The installer needs either curl or wget to download files."
-				echo "Please install either curl or wget to proceed."
-				exit 1
-			fi
-
-			# TODO: use newfangled per-repo signature scheme
-			set -x
-			$CURL "https://pkgs.tailscale.com/stable/$OS/$VERSION.gpg" | $SUDO apt-key add -
-			$CURL "https://pkgs.tailscale.com/stable/$OS/$VERSION.list" | $SUDO tee /etc/apt/sources.list.d/tailscale.list
-			$SUDO apt-get update
-			$SUDO apt-get install tailscale
-			set +x
-		;;
-		yum)
-			set -x
-			$SUDO yum install yum-utils
-			$SUDO yum-config-manager --add-repo "https://pkgs.tailscale.com/stable/$OS/$VERSION/tailscale.repo"
-			$SUDO yum install tailscale
-			$SUDO systemctl enable --now tailscaled
-			set +x
-		;;
-		dnf)
-			set -x
-			$SUDO dnf config-manager --add-repo "https://pkgs.tailscale.com/stable/$OS/$VERSION/tailscale.repo"
-			$SUDO dnf install tailscale
-			$SUDO systemctl enable --now tailscaled
-			set +x
-		;;
-		zypper)
-			set -x
-			$SUDO zypper ar -g -r "https://pkgs.tailscale.com/stable/$OS/$VERSION/tailscale.repo"
-			$SUDO zypper ref
-			$SUDO zypper in tailscale
-			$SUDO systemctl enable --now tailscaled
-			set +x
-			;;
-		pacman)
-			set -x
-			$SUDO pacman -S tailscale
-			$SUDO systemctl enable --now tailscaled
-			set +x
-			;;
-		apk)
-			set -x
-			$SUDO apk add tailscale
-			$SUDO rc-update add tailscale
-			set +x
-			;;
-		xbps)
-			set -x
-			$SUDO xbps-install tailscale
-			set +x
-			;;
-		emerge)
-			set -x
-			$SUDO emerge net-vpn/tailscale
-			set +x
-			;;
-		appstore)
-			set -x
-			open "https://apps.apple.com/us/app/tailscale/id1475387142"
-			set +x
-			;;
-		*)
-			echo "unexpected: unknown package type $PACKAGETYPE"
-			exit 1
-			;;
-	esac
-
-	echo "Installation complete! Log in to start using Tailscale by running:"
-	echo
-	if [ -z "$SUDO" ]; then
-		echo "tailscale up"
-	else
-		echo "$SUDO tailscale up"
-	fi
-}
-
-main
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -7,7 +7,7 @@ package tailcfg
 //go:generate go run tailscale.com/cmd/cloner --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse --clonefunc=true --output=tailcfg_clone.go

 import (
-	"encoding/hex"
+	"bytes"
 	"errors"
 	"fmt"
 	"reflect"
@@ -679,7 +679,7 @@ func (et EndpointType) String() string {

 // Endpoint is an endpoint IPPort and an associated type.
 // It doesn't currently go over the wire as is but is instead
-// broken up into two parallel slices in MapRequest, for compatibility
+// broken up into two parallel slices in MapReqeust, for compatibility
 // reasons. But this type is used in the codebase.
 type Endpoint struct {
 	Addr netaddr.IPPort
@@ -884,6 +884,24 @@ type PingRequest struct {
 	// Log is whether to log about this ping in the success case.
 	// For failure cases, the client will log regardless.
 	Log bool `json:",omitempty"`
+
+	Initiator        string // admin@email; "system" (for Tailscale)
+	TestIP           netaddr.IP
+	Types            string // empty means all: TSMP+ICMP+disco
+	StopAfterNDirect int    // 1 means stop on 1st direct ping; 4 means 4 direct pings; 0 means do MaxPings and stop
+	MaxPings         int    // MaxPings total, direct or DERPed
+	PayloadSize      int    // default: 0 extra bytes
+}
+
+type StreamedPingResult struct {
+	IP      netaddr.IP
+	SeqNum  int     // somewhat redundant with TxID but for clarity
+	SentTo  NodeID  // for exit/subnet relays
+	TxID    string  // N hex bytes random
+	Dir     string  // "in"/"out"
+	Type    string  // ICMP, disco, TSMP, ...
+	Via     string  // "direct", "derp-nyc", ...
+	Seconds float64 // for Dir "in" only
 }

 type MapResponse struct {
@@ -1026,16 +1044,10 @@ func (k MachineKey) MarshalText() ([]byte, error)     { return keyMarshalText("m
 func (k MachineKey) HexString() string                { return fmt.Sprintf("%x", k[:]) }
 func (k *MachineKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "mkey:", text) }

-func appendKey(base []byte, prefix string, k [32]byte) []byte {
-	ret := append(base, make([]byte, len(prefix)+64)...)
-	buf := ret[len(base):]
-	copy(buf, prefix)
-	hex.Encode(buf[len(prefix):], k[:])
-	return ret
-}
-
 func keyMarshalText(prefix string, k [32]byte) []byte {
-	return appendKey(nil, prefix, k)
+	buf := bytes.NewBuffer(make([]byte, 0, len(prefix)+64))
+	fmt.Fprintf(buf, "%s%x", prefix, k[:])
+	return buf.Bytes()
 }

 func keyUnmarshalText(dst []byte, prefix string, text []byte) error {
@@ -1066,7 +1078,6 @@ func (k DiscoKey) String() string                   { return fmt.Sprintf("discok
 func (k DiscoKey) MarshalText() ([]byte, error)     { return keyMarshalText("discokey:", k), nil }
 func (k *DiscoKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "discokey:", text) }
 func (k DiscoKey) ShortString() string              { return fmt.Sprintf("d:%x", k[:8]) }
-func (k DiscoKey) AppendTo(b []byte) []byte         { return appendKey(b, "discokey:", k) }

 // IsZero reports whether k is the zero value.
 func (k DiscoKey) IsZero() bool { return k == DiscoKey{} }
@@ -1174,31 +1185,3 @@ const (
 	CapabilityFileSharing = "https://tailscale.com/cap/file-sharing"
 	CapabilityAdmin       = "https://tailscale.com/cap/is-admin"
 )
-
-// SetDNSRequest is a request to add a DNS record.
-//
-// This is used for ACME DNS-01 challenges (so people can use
-// LetsEncrypt, etc).
-//
-// The request is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
-// using the local machine key, and sent to:
-//	https://login.tailscale.com/machine/<mkey hex>/set-dns
-type SetDNSRequest struct {
-	// Version indicates what level of SetDNSRequest functionality
-	// the client understands. Currently this type only has
-	// one version; this field should always be 1 for now.
-	Version int
-
-	// NodeKey is the client's current node key.
-	NodeKey NodeKey
-
-	// Name is the domain name for which to create a record.
-	Name string
-
-	// Type is the DNS record type. For ACME DNS-01 challenges, it
-	// should be "TXT".
-	Type string
-
-	// Value is the value to add.
-	Value string
-}
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -14,7 +14,6 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/types/wgkey"
-	"tailscale.com/version"
 )

 func fieldsOf(t reflect.Type) (fields []string) {
@@ -519,35 +518,3 @@ func TestEndpointTypeMarshal(t *testing.T) {
 		t.Errorf("got %s; want %s", got, want)
 	}
 }
-
-var sinkBytes []byte
-
-func BenchmarkKeyMarshalText(b *testing.B) {
-	b.ReportAllocs()
-	var k [32]byte
-	for i := 0; i < b.N; i++ {
-		sinkBytes = keyMarshalText("prefix", k)
-	}
-}
-
-func TestAppendKeyAllocs(t *testing.T) {
-	if version.IsRace() {
-		t.Skip("skipping in race detector") // append(b, make([]byte, N)...) not optimized in compiler with race
-	}
-	var k [32]byte
-	n := int(testing.AllocsPerRun(1000, func() {
-		sinkBytes = keyMarshalText("prefix", k)
-	}))
-	if n != 1 {
-		t.Fatalf("allocs = %v; want 1", n)
-	}
-}
-
-func TestDiscoKeyAppend(t *testing.T) {
-	d := DiscoKey{1: 1, 2: 2}
-	got := string(d.AppendTo([]byte("foo")))
-	want := "foodiscokey:0001020000000000000000000000000000000000000000000000000000000000"
-	if got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-}
--- a/tsnet/example/tshello/tshello.go
+++ b/tsnet/example/tshello/tshello.go
@@ -1,43 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The tshello server demonstrates how to use Tailscale as a library.
-package main
-
-import (
-	"fmt"
-	"html"
-	"log"
-	"net/http"
-	"strings"
-
-	"tailscale.com/tsnet"
-)
-
-func main() {
-	s := new(tsnet.Server)
-	ln, err := s.Listen("tcp", ":80")
-	if err != nil {
-		log.Fatal(err)
-	}
-	log.Fatal(http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		who, ok := s.WhoIs(r.RemoteAddr)
-		if !ok {
-			http.Error(w, "WhoIs failed", 500)
-			return
-		}
-		fmt.Fprintf(w, "<html><body><h1>Hello, world!</h1>\n")
-		fmt.Fprintf(w, "<p>You are <b>%s</b> from <b>%s</b> (%s)</p>",
-			html.EscapeString(who.UserProfile.LoginName),
-			html.EscapeString(firstLabel(who.Node.ComputedName)),
-			r.RemoteAddr)
-	})))
-}
-
-func firstLabel(s string) string {
-	if i := strings.Index(s, "."); i != -1 {
-		return s[:i]
-	}
-	return s
-}
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -1,274 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package tsnet provides Tailscale as a library.
-//
-// It is an experimental work in progress.
-package tsnet
-
-import (
-	"errors"
-	"fmt"
-	"log"
-	"net"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"inet.af/netaddr"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/control/controlclient"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnlocal"
-	"tailscale.com/smallzstd"
-	"tailscale.com/types/logger"
-	"tailscale.com/wgengine"
-	"tailscale.com/wgengine/monitor"
-	"tailscale.com/wgengine/netstack"
-)
-
-// Server is an embedded Tailscale server.
-//
-// Its exported fields may be changed until the first call to Listen.
-type Server struct {
-	// Dir specifies the name of the directory to use for
-	// state. If empty, a directory is selected automatically
-	// under os.UserConfigDir (https://golang.org/pkg/os/#UserConfigDir).
-	// based on the name of the binary.
-	Dir string
-
-	// Hostname is the hostname to present to the control server.
-	// If empty, the binary name is used.l
-	Hostname string
-
-	// Logf, if non-nil, specifies the logger to use. By default,
-	// log.Printf is used.
-	Logf logger.Logf
-
-	initOnce sync.Once
-	initErr  error
-	lb       *ipnlocal.LocalBackend
-	// the state directory
-	dir      string
-	hostname string
-
-	mu        sync.Mutex
-	listeners map[listenKey]*listener
-}
-
-// WhoIs reports the node and user who owns the node with the given
-// address. The addr may be an ip:port (as from an
-// http.Request.RemoteAddr) or just an IP address.
-func (s *Server) WhoIs(addr string) (w *apitype.WhoIsResponse, ok bool) {
-	ipp, err := netaddr.ParseIPPort(addr)
-	if err != nil {
-		ip, err := netaddr.ParseIP(addr)
-		if err != nil {
-			return nil, false
-		}
-		ipp = ipp.WithIP(ip)
-	}
-	n, up, ok := s.lb.WhoIs(ipp)
-	if !ok {
-		return nil, false
-	}
-	return &apitype.WhoIsResponse{
-		Node:        n,
-		UserProfile: &up,
-	}, true
-}
-
-func (s *Server) doInit() {
-	if err := s.start(); err != nil {
-		s.initErr = fmt.Errorf("tsnet: %w", err)
-	}
-}
-
-func (s *Server) start() error {
-	if v, _ := strconv.ParseBool(os.Getenv("TAILSCALE_USE_WIP_CODE")); !v {
-		return errors.New("code disabled without environment variable TAILSCALE_USE_WIP_CODE set true")
-	}
-
-	exe, err := os.Executable()
-	if err != nil {
-		return err
-	}
-	prog := strings.TrimSuffix(strings.ToLower(filepath.Base(exe)), ".exe")
-
-	s.hostname = s.Hostname
-	if s.hostname == "" {
-		s.hostname = prog
-	}
-
-	s.dir = s.Dir
-	if s.dir == "" {
-		confDir, err := os.UserConfigDir()
-		if err != nil {
-			return err
-		}
-		s.dir = filepath.Join(confDir, "tslib-"+prog)
-		if err := os.MkdirAll(s.dir, 0700); err != nil {
-			return err
-		}
-	}
-	if fi, err := os.Stat(s.dir); err != nil {
-		return err
-	} else if !fi.IsDir() {
-		return fmt.Errorf("%v is not a directory", s.dir)
-	}
-
-	logf := s.Logf
-	if logf == nil {
-		logf = log.Printf
-	}
-
-	// TODO(bradfitz): start logtail? don't use filch, perhaps?
-	// only upload plumbed Logf?
-
-	linkMon, err := monitor.New(logf)
-	if err != nil {
-		return err
-	}
-
-	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		ListenPort:  0,
-		LinkMonitor: linkMon,
-	})
-	if err != nil {
-		return err
-	}
-
-	tunDev, magicConn, ok := eng.(wgengine.InternalsGetter).GetInternals()
-	if !ok {
-		return fmt.Errorf("%T is not a wgengine.InternalsGetter", eng)
-	}
-
-	ns, err := netstack.Create(logf, tunDev, eng, magicConn, false)
-	if err != nil {
-		return fmt.Errorf("netstack.Create: %w", err)
-	}
-	ns.ForwardTCPIn = s.forwardTCP
-	if err := ns.Start(); err != nil {
-		return fmt.Errorf("failed to start netstack: %w", err)
-	}
-
-	statePath := filepath.Join(s.dir, "tailscaled.state")
-	store, err := ipn.NewFileStore(statePath)
-	if err != nil {
-		return err
-	}
-	logid := "tslib-TODO"
-
-	lb, err := ipnlocal.NewLocalBackend(logf, logid, store, eng)
-	if err != nil {
-		return fmt.Errorf("NewLocalBackend: %v", err)
-	}
-	s.lb = lb
-	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
-		return smallzstd.NewDecoder(nil)
-	})
-	prefs := ipn.NewPrefs()
-	prefs.Hostname = s.hostname
-	prefs.WantRunning = true
-	err = lb.Start(ipn.Options{
-		StateKey:    ipn.GlobalDaemonStateKey,
-		UpdatePrefs: prefs,
-	})
-	if err != nil {
-		return fmt.Errorf("starting backend: %w", err)
-	}
-	if os.Getenv("TS_LOGIN") == "1" {
-		s.lb.StartLoginInteractive()
-	}
-	return nil
-}
-
-func (s *Server) forwardTCP(c net.Conn, port uint16) {
-	s.mu.Lock()
-	ln, ok := s.listeners[listenKey{"tcp", "", fmt.Sprint(port)}]
-	s.mu.Unlock()
-	if !ok {
-		c.Close()
-		return
-	}
-	t := time.NewTimer(time.Second)
-	defer t.Stop()
-	select {
-	case ln.conn <- c:
-	case <-t.C:
-		c.Close()
-	}
-}
-
-func (s *Server) Listen(network, addr string) (net.Listener, error) {
-	host, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, fmt.Errorf("tsnet: %w", err)
-	}
-
-	s.initOnce.Do(s.doInit)
-	if s.initErr != nil {
-		return nil, s.initErr
-	}
-
-	key := listenKey{network, host, port}
-	ln := &listener{
-		s:    s,
-		key:  key,
-		addr: addr,
-
-		conn: make(chan net.Conn),
-	}
-	s.mu.Lock()
-	if s.listeners == nil {
-		s.listeners = map[listenKey]*listener{}
-	}
-	if _, ok := s.listeners[key]; ok {
-		s.mu.Unlock()
-		return nil, fmt.Errorf("tsnet: listener already open for %s, %s", network, addr)
-	}
-	s.listeners[key] = ln
-	s.mu.Unlock()
-	return ln, nil
-}
-
-type listenKey struct {
-	network string
-	host    string
-	port    string
-}
-
-type listener struct {
-	s    *Server
-	key  listenKey
-	addr string
-	conn chan net.Conn
-}
-
-func (ln *listener) Accept() (net.Conn, error) {
-	c, ok := <-ln.conn
-	if !ok {
-		return nil, fmt.Errorf("tsnet: %w", net.ErrClosed)
-	}
-	return c, nil
-}
-
-func (ln *listener) Addr() net.Addr { return addr{ln} }
-func (ln *listener) Close() error {
-	ln.s.mu.Lock()
-	defer ln.s.mu.Unlock()
-	if v, ok := ln.s.listeners[ln.key]; ok && v == ln {
-		delete(ln.s.listeners, ln.key)
-		close(ln.conn)
-	}
-	return nil
-}
-
-type addr struct{ ln *listener }
-
-func (a addr) Network() string { return a.ln.key.network }
-func (a addr) String() string  { return a.ln.addr }
--- a/tstest/integration/integration.go
+++ b/tstest/integration/integration.go
@@ -1,100 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package integration contains Tailscale integration tests.
-//
-// This package is considered internal and the public API is subject
-// to change without notice.
-package integration
-
-import (
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"tailscale.com/version"
-)
-
-// Binaries are the paths to a tailscaled and tailscale binary.
-// These can be shared by multiple nodes.
-type Binaries struct {
-	Dir    string // temp dir for tailscale & tailscaled
-	Daemon string // tailscaled
-	CLI    string // tailscale
-}
-
-// BuildTestBinaries builds tailscale and tailscaled, failing the test
-// if they fail to compile.
-func BuildTestBinaries(t testing.TB) *Binaries {
-	td := t.TempDir()
-	build(t, td, "tailscale.com/cmd/tailscaled", "tailscale.com/cmd/tailscale")
-	return &Binaries{
-		Dir:    td,
-		Daemon: filepath.Join(td, "tailscaled"+exe()),
-		CLI:    filepath.Join(td, "tailscale"+exe()),
-	}
-}
-
-// buildMu limits our use of "go build" to one at a time, so we don't
-// fight Go's built-in caching trying to do the same build concurrently.
-var buildMu sync.Mutex
-
-func build(t testing.TB, outDir string, targets ...string) {
-	buildMu.Lock()
-	defer buildMu.Unlock()
-
-	t0 := time.Now()
-	defer func() { t.Logf("built %s in %v", targets, time.Since(t0).Round(time.Millisecond)) }()
-
-	goBin := findGo(t)
-	cmd := exec.Command(goBin, "install")
-	if version.IsRace() {
-		cmd.Args = append(cmd.Args, "-race")
-	}
-	cmd.Args = append(cmd.Args, targets...)
-	cmd.Env = append(os.Environ(), "GOARCH="+runtime.GOARCH, "GOBIN="+outDir)
-	errOut, err := cmd.CombinedOutput()
-	if err == nil {
-		return
-	}
-	if strings.Contains(string(errOut), "when GOBIN is set") {
-		// Fallback slow path for cross-compiled binaries.
-		for _, target := range targets {
-			outFile := filepath.Join(outDir, path.Base(target)+exe())
-			cmd := exec.Command(goBin, "build", "-o", outFile, target)
-			cmd.Env = append(os.Environ(), "GOARCH="+runtime.GOARCH)
-			if errOut, err := cmd.CombinedOutput(); err != nil {
-				t.Fatalf("failed to build %v with %v: %v, %s", target, goBin, err, errOut)
-			}
-		}
-		return
-	}
-	t.Fatalf("failed to build %v with %v: %v, %s", targets, goBin, err, errOut)
-}
-
-func findGo(t testing.TB) string {
-	goBin := filepath.Join(runtime.GOROOT(), "bin", "go"+exe())
-	if fi, err := os.Stat(goBin); err != nil {
-		if os.IsNotExist(err) {
-			t.Fatalf("failed to find go at %v", goBin)
-		}
-		t.Fatalf("looking for go binary: %v", err)
-	} else if !fi.Mode().IsRegular() {
-		t.Fatalf("%v is unexpected %v", goBin, fi.Mode())
-	}
-	return goBin
-}
-
-func exe() string {
-	if runtime.GOOS == "windows" {
-		return ".exe"
-	}
-	return ""
-}
--- a/tstest/integration/integration_test.go
+++ b/tstest/integration/integration_test.go
@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+// Package integration contains Tailscale integration tests.
 package integration

 import (
@@ -9,8 +10,6 @@ import (
 	crand "crypto/rand"
 	"crypto/tls"
 	"encoding/json"
-	"errors"
-	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -20,8 +19,8 @@ import (
 	"net/http/httptest"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
-	"regexp"
 	"runtime"
 	"strings"
 	"sync"
@@ -44,8 +43,6 @@ import (
 	"tailscale.com/types/nettype"
 )

-var verbose = flag.Bool("verbose", false, "verbose debug logs")
-
 var mainError atomic.Value // of error

 func TestMain(m *testing.M) {
@@ -60,17 +57,20 @@ func TestMain(m *testing.M) {
 	os.Exit(0)
 }

-func TestOneNodeUp_NoAuth(t *testing.T) {
-	t.Parallel()
-	bins := BuildTestBinaries(t)
+func TestIntegration(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("not tested/working on Windows yet")
+	}
+
+	bins := buildTestBinaries(t)

 	env := newTestEnv(t, bins)
 	defer env.Close()

 	n1 := newTestNode(t, env)

-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
+	dcmd := n1.StartDaemon(t)
+	defer dcmd.Process.Kill()

 	n1.AwaitListening(t)

@@ -87,202 +87,69 @@ func TestOneNodeUp_NoAuth(t *testing.T) {
 		t.Error(err)
 	}

-	n1.MustUp()
+	t.Logf("Running up --login-server=%s ...", env.ControlServer.URL)
+	if err := n1.Tailscale("up", "--login-server="+env.ControlServer.URL).Run(); err != nil {
+		t.Fatalf("up: %v", err)
+	}

 	if d, _ := time.ParseDuration(os.Getenv("TS_POST_UP_SLEEP")); d > 0 {
 		t.Logf("Sleeping for %v to give 'up' time to misbehave (https://github.com/tailscale/tailscale/issues/1840) ...", d)
 		time.Sleep(d)
 	}

-	t.Logf("Got IP: %v", n1.AwaitIP(t))
-	n1.AwaitRunning(t)
-
-	d1.MustCleanShutdown(t)
-
-	t.Logf("number of HTTP logcatcher requests: %v", env.LogCatcher.numRequests())
-}
-
-func TestOneNodeUp_Auth(t *testing.T) {
-	t.Parallel()
-	bins := BuildTestBinaries(t)
-
-	env := newTestEnv(t, bins)
-	defer env.Close()
-	env.Control.RequireAuth = true
-
-	n1 := newTestNode(t, env)
-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
-
-	n1.AwaitListening(t)
-
-	st := n1.MustStatus(t)
-	t.Logf("Status: %s", st.BackendState)
-
-	t.Logf("Running up --login-server=%s ...", env.ControlServer.URL)
-
-	cmd := n1.Tailscale("up", "--login-server="+env.ControlServer.URL)
-	var authCountAtomic int32
-	cmd.Stdout = &authURLParserWriter{fn: func(urlStr string) error {
-		if env.Control.CompleteAuth(urlStr) {
-			atomic.AddInt32(&authCountAtomic, 1)
-			t.Logf("completed auth path %s", urlStr)
-			return nil
-		}
-		err := fmt.Errorf("Failed to complete auth path to %q", urlStr)
-		t.Log(err)
-		return err
-	}}
-	cmd.Stderr = cmd.Stdout
-	if err := cmd.Run(); err != nil {
-		t.Fatalf("up: %v", err)
-	}
-	t.Logf("Got IP: %v", n1.AwaitIP(t))
-
-	n1.AwaitRunning(t)
-
-	if n := atomic.LoadInt32(&authCountAtomic); n != 1 {
-		t.Errorf("Auth URLs completed = %d; want 1", n)
-	}
-
-	d1.MustCleanShutdown(t)
-
-}
-
-func TestTwoNodes(t *testing.T) {
-	t.Parallel()
-	bins := BuildTestBinaries(t)
-
-	env := newTestEnv(t, bins)
-	defer env.Close()
-
-	// Create two nodes:
-	n1 := newTestNode(t, env)
-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
-
-	n2 := newTestNode(t, env)
-	d2 := n2.StartDaemon(t)
-	defer d2.Kill()
-
-	n1.AwaitListening(t)
-	n2.AwaitListening(t)
-	n1.MustUp()
-	n2.MustUp()
-	n1.AwaitRunning(t)
-	n2.AwaitRunning(t)
-
-	if err := tstest.WaitFor(2*time.Second, func() error {
-		st := n1.MustStatus(t)
-		if len(st.Peer) == 0 {
-			return errors.New("no peers")
-		}
-		if len(st.Peer) > 1 {
-			return fmt.Errorf("got %d peers; want 1", len(st.Peer))
-		}
-		peer := st.Peer[st.Peers()[0]]
-		if peer.ID == st.Self.ID {
-			return errors.New("peer is self")
+	var ip string
+	if err := tstest.WaitFor(20*time.Second, func() error {
+		out, err := n1.Tailscale("ip").Output()
+		if err != nil {
+			return err
 		}
+		ip = string(out)
 		return nil
 	}); err != nil {
 		t.Error(err)
 	}
+	t.Logf("Got IP: %v", ip)

-	d1.MustCleanShutdown(t)
-	d2.MustCleanShutdown(t)
+	dcmd.Process.Signal(os.Interrupt)
+
+	ps, err := dcmd.Process.Wait()
+	if err != nil {
+		t.Fatalf("tailscaled Wait: %v", err)
+	}
+	if ps.ExitCode() != 0 {
+		t.Errorf("tailscaled ExitCode = %d; want 0", ps.ExitCode())
+	}
+
+	t.Logf("number of HTTP logcatcher requests: %v", env.LogCatcher.numRequests())
+	if err := env.TrafficTrap.Err(); err != nil {
+		t.Errorf("traffic trap: %v", err)
+		t.Logf("logs: %s", env.LogCatcher.logsString())
+	}
 }

-func TestNodeAddressIPFields(t *testing.T) {
-	t.Parallel()
-	bins := BuildTestBinaries(t)
-
-	env := newTestEnv(t, bins)
-	defer env.Close()
-
-	n1 := newTestNode(t, env)
-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
-
-	n1.AwaitListening(t)
-	n1.MustUp()
-	n1.AwaitRunning(t)
-
-	testNodes := env.Control.AllNodes()
-
-	if len(testNodes) != 1 {
-		t.Errorf("Expected %d nodes, got %d", 1, len(testNodes))
-	}
-	node := testNodes[0]
-	if len(node.Addresses) == 0 {
-		t.Errorf("Empty Addresses field in node")
-	}
-	if len(node.AllowedIPs) == 0 {
-		t.Errorf("Empty AllowedIPs field in node")
-	}
-
-	d1.MustCleanShutdown(t)
+// testBinaries are the paths to a tailscaled and tailscale binary.
+// These can be shared by multiple nodes.
+type testBinaries struct {
+	dir    string // temp dir for tailscale & tailscaled
+	daemon string // tailscaled
+	cli    string // tailscale
 }

-func TestAddPingRequest(t *testing.T) {
-	t.Parallel()
-	bins := BuildTestBinaries(t)
-
-	env := newTestEnv(t, bins)
-	defer env.Close()
-
-	n1 := newTestNode(t, env)
-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
-
-	n1.AwaitListening(t)
-	n1.MustUp()
-	n1.AwaitRunning(t)
-
-	gotPing := make(chan bool, 1)
-	waitPing := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		gotPing <- true
-	}))
-	defer waitPing.Close()
-
-	nodes := env.Control.AllNodes()
-	if len(nodes) != 1 {
-		t.Fatalf("expected 1 node, got %d nodes", len(nodes))
-	}
-
-	nodeKey := nodes[0].Key
-	pr := &tailcfg.PingRequest{URL: waitPing.URL, Log: true}
-	ok := env.Control.AddPingRequest(nodeKey, pr)
-	if !ok {
-		t.Fatalf("no node found with NodeKey %v in AddPingRequest", nodeKey)
-	}
-
-	// Wait for PingRequest to come back
-	waitDuration := 10 * time.Second
-	pingTimeout := time.NewTimer(waitDuration)
-
-	// Ticker sends new PingRequests if the previous did not get through
-	ticker := time.NewTicker(waitDuration / 5)
-
-	select {
-	case <-gotPing:
-		pingTimeout.Stop()
-		ticker.Stop()
-	case <-ticker.C:
-		ok := env.Control.AddPingRequest(nodeKey, pr)
-		if !ok {
-			t.Fatalf("no node found with NodeKey %v in AddPingRequest", nodeKey)
-		}
-	case <-pingTimeout.C:
-		t.Error("didn't get PingRequest from tailscaled")
+// buildTestBinaries builds tailscale and tailscaled, failing the test
+// if they fail to compile.
+func buildTestBinaries(t testing.TB) *testBinaries {
+	td := t.TempDir()
+	return &testBinaries{
+		dir:    td,
+		daemon: build(t, td, "tailscale.com/cmd/tailscaled"),
+		cli:    build(t, td, "tailscale.com/cmd/tailscale"),
 	}
 }

 // testEnv contains the test environment (set of servers) used by one
 // or more nodes.
 type testEnv struct {
-	t        testing.TB
-	Binaries *Binaries
+	Binaries *testBinaries

 	LogCatcher       *logCatcher
 	LogCatcherServer *httptest.Server
@@ -300,10 +167,7 @@ type testEnv struct {
 // environment.
 //
 // Call Close to shut everything down.
-func newTestEnv(t testing.TB, bins *Binaries) *testEnv {
-	if runtime.GOOS == "windows" {
-		t.Skip("not tested/working on Windows yet")
-	}
+func newTestEnv(t testing.TB, bins *testBinaries) *testEnv {
 	derpMap, derpShutdown := runDERPAndStun(t, logger.Discard)
 	logc := new(logCatcher)
 	control := &testcontrol.Server{
@@ -311,7 +175,6 @@ func newTestEnv(t testing.TB, bins *Binaries) *testEnv {
 	}
 	trafficTrap := new(trafficTrap)
 	e := &testEnv{
-		t:                 t,
 		Binaries:          bins,
 		LogCatcher:        logc,
 		LogCatcherServer:  httptest.NewServer(logc),
@@ -321,16 +184,10 @@ func newTestEnv(t testing.TB, bins *Binaries) *testEnv {
 		TrafficTrapServer: httptest.NewServer(trafficTrap),
 		derpShutdown:      derpShutdown,
 	}
-	e.Control.BaseURL = e.ControlServer.URL
 	return e
 }

 func (e *testEnv) Close() error {
-	if err := e.TrafficTrap.Err(); err != nil {
-		e.t.Errorf("traffic trap: %v", err)
-		e.t.Logf("logs: %s", e.LogCatcher.logsString())
-	}
-
 	e.LogCatcherServer.Close()
 	e.TrafficTrapServer.Close()
 	e.ControlServer.Close()
@@ -361,29 +218,10 @@ func newTestNode(t *testing.T, env *testEnv) *testNode {
 	}
 }

-type Daemon struct {
-	Process *os.Process
-}
-
-func (d *Daemon) Kill() {
-	d.Process.Kill()
-}
-
-func (d *Daemon) MustCleanShutdown(t testing.TB) {
-	d.Process.Signal(os.Interrupt)
-	ps, err := d.Process.Wait()
-	if err != nil {
-		t.Fatalf("tailscaled Wait: %v", err)
-	}
-	if ps.ExitCode() != 0 {
-		t.Errorf("tailscaled ExitCode = %d; want 0", ps.ExitCode())
-	}
-}
-
 // StartDaemon starts the node's tailscaled, failing if it fails to
 // start.
-func (n *testNode) StartDaemon(t testing.TB) *Daemon {
-	cmd := exec.Command(n.env.Binaries.Daemon,
+func (n *testNode) StartDaemon(t testing.TB) *exec.Cmd {
+	cmd := exec.Command(n.env.Binaries.daemon,
 		"--tun=userspace-networking",
 		"--state="+n.stateFile,
 		"--socket="+n.sockFile,
@@ -396,17 +234,7 @@ func (n *testNode) StartDaemon(t testing.TB) *Daemon {
 	if err := cmd.Start(); err != nil {
 		t.Fatalf("starting tailscaled: %v", err)
 	}
-	return &Daemon{
-		Process: cmd.Process,
-	}
-}
-
-func (n *testNode) MustUp() {
-	t := n.env.t
-	t.Logf("Running up --login-server=%s ...", n.env.ControlServer.URL)
-	if err := n.Tailscale("up", "--login-server="+n.env.ControlServer.URL).Run(); err != nil {
-		t.Fatalf("up: %v", err)
-	}
+	return cmd
 }

 // AwaitListening waits for the tailscaled to be serving local clients
@@ -424,70 +252,62 @@ func (n *testNode) AwaitListening(t testing.TB) {
 	}
 }

-func (n *testNode) AwaitIP(t testing.TB) (ips string) {
-	t.Helper()
-	if err := tstest.WaitFor(20*time.Second, func() error {
-		out, err := n.Tailscale("ip").Output()
-		if err != nil {
-			return err
-		}
-		ips = string(out)
-		return nil
-	}); err != nil {
-		t.Fatalf("awaiting an IP address: %v", err)
-	}
-	if ips == "" {
-		t.Fatalf("returned IP address was blank")
-	}
-	return ips
-}
-
-func (n *testNode) AwaitRunning(t testing.TB) {
-	t.Helper()
-	if err := tstest.WaitFor(20*time.Second, func() error {
-		st, err := n.Status()
-		if err != nil {
-			return err
-		}
-		if st.BackendState != "Running" {
-			return fmt.Errorf("in state %q", st.BackendState)
-		}
-		return nil
-	}); err != nil {
-		t.Fatalf("failure/timeout waiting for transition to Running status: %v", err)
-	}
-}
-
 // Tailscale returns a command that runs the tailscale CLI with the provided arguments.
 // It does not start the process.
 func (n *testNode) Tailscale(arg ...string) *exec.Cmd {
-	cmd := exec.Command(n.env.Binaries.CLI, "--socket="+n.sockFile)
+	cmd := exec.Command(n.env.Binaries.cli, "--socket="+n.sockFile)
 	cmd.Args = append(cmd.Args, arg...)
 	cmd.Dir = n.dir
 	return cmd
 }

-func (n *testNode) Status() (*ipnstate.Status, error) {
+func (n *testNode) MustStatus(tb testing.TB) *ipnstate.Status {
+	tb.Helper()
 	out, err := n.Tailscale("status", "--json").CombinedOutput()
 	if err != nil {
-		return nil, fmt.Errorf("running tailscale status: %v, %s", err, out)
+		tb.Fatalf("getting status: %v, %s", err, out)
 	}
 	st := new(ipnstate.Status)
 	if err := json.Unmarshal(out, st); err != nil {
-		return nil, fmt.Errorf("decoding tailscale status JSON: %w", err)
-	}
-	return st, nil
-}
-
-func (n *testNode) MustStatus(tb testing.TB) *ipnstate.Status {
-	tb.Helper()
-	st, err := n.Status()
-	if err != nil {
-		tb.Fatal(err)
+		tb.Fatalf("parsing status json: %v, from: %s", err, out)
 	}
 	return st
 }

+func exe() string {
+	if runtime.GOOS == "windows" {
+		return ".exe"
+	}
+	return ""
+}
+
+func findGo(t testing.TB) string {
+	goBin := filepath.Join(runtime.GOROOT(), "bin", "go"+exe())
+	if fi, err := os.Stat(goBin); err != nil {
+		if os.IsNotExist(err) {
+			t.Fatalf("failed to find go at %v", goBin)
+		}
+		t.Fatalf("looking for go binary: %v", err)
+	} else if !fi.Mode().IsRegular() {
+		t.Fatalf("%v is unexpected %v", goBin, fi.Mode())
+	}
+	t.Logf("using go binary %v", goBin)
+	return goBin
+}
+
+func build(t testing.TB, outDir, target string) string {
+	exe := ""
+	if runtime.GOOS == "windows" {
+		exe = ".exe"
+	}
+	bin := filepath.Join(outDir, path.Base(target)) + exe
+	errOut, err := exec.Command(findGo(t), "build", "-o", bin, target).CombinedOutput()
+	if err != nil {
+		t.Fatalf("failed to build %v: %v, %s", target, err, errOut)
+	}
+	return bin
+}
+
 // logCatcher is a minimal logcatcher for the logtail upload client.
 type logCatcher struct {
 	mu     sync.Mutex
@@ -558,9 +378,6 @@ func (lc *logCatcher) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	} else {
 		for _, ent := range jreq {
 			fmt.Fprintf(&lc.buf, "%s\n", strings.TrimSpace(ent.Text))
-			if *verbose {
-				fmt.Fprintf(os.Stderr, "%s\n", strings.TrimSpace(ent.Text))
-			}
 		}
 	}
 	w.WriteHeader(200) // must have no content, but not a 204
@@ -637,23 +454,3 @@ func runDERPAndStun(t testing.TB, logf logger.Logf) (derpMap *tailcfg.DERPMap, c

 	return m, cleanup
 }
-
-type authURLParserWriter struct {
-	buf bytes.Buffer
-	fn  func(urlStr string) error
-}
-
-var authURLRx = regexp.MustCompile(`(https?://\S+/auth/\S+)`)
-
-func (w *authURLParserWriter) Write(p []byte) (n int, err error) {
-	n, err = w.buf.Write(p)
-	m := authURLRx.FindSubmatch(w.buf.Bytes())
-	if m != nil {
-		urlStr := string(m[1])
-		w.buf.Reset() // so it's not matched again
-		if err := w.fn(urlStr); err != nil {
-			return 0, err
-		}
-	}
-	return n, err
-}
--- a/tstest/integration/testcontrol/testcontrol.go
+++ b/tstest/integration/testcontrol/testcontrol.go
@@ -17,8 +17,6 @@ import (
 	"log"
 	"math/rand"
 	"net/http"
-	"net/url"
-	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -36,76 +34,19 @@ import (
 // Server is a control plane server. Its zero value is ready for use.
 // Everything is stored in-memory in one tailnet.
 type Server struct {
-	Logf        logger.Logf      // nil means to use the log package
-	DERPMap     *tailcfg.DERPMap // nil means to use prod DERP map
-	RequireAuth bool
-	BaseURL     string // must be set to e.g. "http://127.0.0.1:1234" with no trailing URL
-	Verbose     bool
+	Logf    logger.Logf      // nil means to use the log package
+	DERPMap *tailcfg.DERPMap // nil means to use prod DERP map

 	initMuxOnce sync.Once
 	mux         *http.ServeMux

-	mu            sync.Mutex
-	pubKey        wgkey.Key
-	privKey       wgkey.Private
-	nodes         map[tailcfg.NodeKey]*tailcfg.Node
-	users         map[tailcfg.NodeKey]*tailcfg.User
-	logins        map[tailcfg.NodeKey]*tailcfg.Login
-	updates       map[tailcfg.NodeID]chan updateType
-	authPath      map[string]*AuthPath
-	nodeKeyAuthed map[tailcfg.NodeKey]bool // key => true once authenticated
-	pingReqsToAdd map[tailcfg.NodeKey]*tailcfg.PingRequest
-}
-
-// NumNodes returns the number of nodes in the testcontrol server.
-//
-// This is useful when connecting a bunch of virtual machines to a testcontrol
-// server to see how many of them connected successfully.
-func (s *Server) NumNodes() int {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	return len(s.nodes)
-}
-
-// AddPingRequest sends the ping pr to nodeKeyDst. It reports whether it did so. That is,
-// it reports whether nodeKeyDst was connected.
-func (s *Server) AddPingRequest(nodeKeyDst tailcfg.NodeKey, pr *tailcfg.PingRequest) bool {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.pingReqsToAdd == nil {
-		s.pingReqsToAdd = map[tailcfg.NodeKey]*tailcfg.PingRequest{}
-	}
-	// Now send the update to the channel
-	node := s.nodeLocked(nodeKeyDst)
-	if node == nil {
-		return false
-	}
-
-	s.pingReqsToAdd[nodeKeyDst] = pr
-	nodeID := node.ID
-	oldUpdatesCh := s.updates[nodeID]
-	sendUpdate(oldUpdatesCh, updateDebugInjection)
-	return true
-}
-
-type AuthPath struct {
-	nodeKey tailcfg.NodeKey
-
-	closeOnce sync.Once
-	ch        chan struct{}
-	success   bool
-}
-
-func (ap *AuthPath) completeSuccessfully() {
-	ap.success = true
-	close(ap.ch)
-}
-
-// CompleteSuccessfully completes the login path successfully, as if
-// the user did the whole auth dance.
-func (ap *AuthPath) CompleteSuccessfully() {
-	ap.closeOnce.Do(ap.completeSuccessfully)
+	mu      sync.Mutex
+	pubKey  wgkey.Key
+	privKey wgkey.Private
+	nodes   map[tailcfg.NodeKey]*tailcfg.Node
+	users   map[tailcfg.NodeKey]*tailcfg.User
+	logins  map[tailcfg.NodeKey]*tailcfg.Login
+	updates map[tailcfg.NodeID]chan updateType
 }

 func (s *Server) logf(format string, a ...interface{}) {
@@ -198,28 +139,9 @@ func (s *Server) serveMachine(w http.ResponseWriter, r *http.Request) {
 func (s *Server) Node(nodeKey tailcfg.NodeKey) *tailcfg.Node {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	return s.nodeLocked(nodeKey)
-}
-
-// nodeLocked returns the node for nodeKey. It's always nil or cloned memory.
-//
-// s.mu must be held.
-func (s *Server) nodeLocked(nodeKey tailcfg.NodeKey) *tailcfg.Node {
 	return s.nodes[nodeKey].Clone()
 }

-func (s *Server) AllNodes() (nodes []*tailcfg.Node) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for _, n := range s.nodes {
-		nodes = append(nodes, n.Clone())
-	}
-	sort.Slice(nodes, func(i, j int) bool {
-		return nodes[i].StableID < nodes[j].StableID
-	})
-	return nodes
-}
-
 func (s *Server) getUser(nodeKey tailcfg.NodeKey) (*tailcfg.User, *tailcfg.Login) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -256,56 +178,6 @@ func (s *Server) getUser(nodeKey tailcfg.NodeKey) (*tailcfg.User, *tailcfg.Login
 	return user, login
 }

-// authPathDone returns a close-only struct that's closed when the
-// authPath ("/auth/XXXXXX") has authenticated.
-func (s *Server) authPathDone(authPath string) <-chan struct{} {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if a, ok := s.authPath[authPath]; ok {
-		return a.ch
-	}
-	return nil
-}
-
-func (s *Server) addAuthPath(authPath string, nodeKey tailcfg.NodeKey) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.authPath == nil {
-		s.authPath = map[string]*AuthPath{}
-	}
-	s.authPath[authPath] = &AuthPath{
-		ch:      make(chan struct{}),
-		nodeKey: nodeKey,
-	}
-}
-
-// CompleteAuth marks the provided path or URL (containing
-// "/auth/...")  as successfully authenticated, unblocking any
-// requests blocked on that in serveRegister.
-func (s *Server) CompleteAuth(authPathOrURL string) bool {
-	i := strings.Index(authPathOrURL, "/auth/")
-	if i == -1 {
-		return false
-	}
-	authPath := authPathOrURL[i:]
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	ap, ok := s.authPath[authPath]
-	if !ok {
-		return false
-	}
-	if ap.nodeKey.IsZero() {
-		panic("zero AuthPath.NodeKey")
-	}
-	if s.nodeKeyAuthed == nil {
-		s.nodeKeyAuthed = map[tailcfg.NodeKey]bool{}
-	}
-	s.nodeKeyAuthed[ap.nodeKey] = true
-	ap.CompleteSuccessfully()
-	return true
-}
-
 func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey tailcfg.MachineKey) {
 	var req tailcfg.RegisterRequest
 	if err := s.decode(mkey, r.Body, &req); err != nil {
@@ -317,71 +189,28 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey tail
 	if req.NodeKey.IsZero() {
 		panic("serveRegister: request has zero node key")
 	}
-	if s.Verbose {
-		j, _ := json.MarshalIndent(req, "", "\t")
-		log.Printf("Got %T: %s", req, j)
-	}
-
-	// If this is a followup request, wait until interactive followup URL visit complete.
-	if req.Followup != "" {
-		followupURL, err := url.Parse(req.Followup)
-		if err != nil {
-			panic(err)
-		}
-		doneCh := s.authPathDone(followupURL.Path)
-		select {
-		case <-r.Context().Done():
-			return
-		case <-doneCh:
-		}
-		// TODO(bradfitz): support a side test API to mark an
-		// auth as failued so we can send an error response in
-		// some follow-ups? For now all are successes.
-	}

 	user, login := s.getUser(req.NodeKey)
 	s.mu.Lock()
 	if s.nodes == nil {
 		s.nodes = map[tailcfg.NodeKey]*tailcfg.Node{}
 	}
-
-	machineAuthorized := true // TODO: add Server.RequireMachineAuth
-
-	allowedIPs := []netaddr.IPPrefix{
-		netaddr.MustParseIPPrefix(fmt.Sprintf("100.64.%d.%d/32", uint8(tailcfg.NodeID(user.ID)>>8), uint8(tailcfg.NodeID(user.ID)))),
-	}
-
 	s.nodes[req.NodeKey] = &tailcfg.Node{
 		ID:                tailcfg.NodeID(user.ID),
 		StableID:          tailcfg.StableNodeID(fmt.Sprintf("TESTCTRL%08x", int(user.ID))),
 		User:              user.ID,
 		Machine:           mkey,
 		Key:               req.NodeKey,
-		MachineAuthorized: machineAuthorized,
-		Addresses:         allowedIPs,
-		AllowedIPs:        allowedIPs,
-	}
-	requireAuth := s.RequireAuth
-	if requireAuth && s.nodeKeyAuthed[req.NodeKey] {
-		requireAuth = false
+		MachineAuthorized: true,
 	}
 	s.mu.Unlock()

-	authURL := ""
-	if requireAuth {
-		randHex := make([]byte, 10)
-		crand.Read(randHex)
-		authPath := fmt.Sprintf("/auth/%x", randHex)
-		s.addAuthPath(authPath, req.NodeKey)
-		authURL = s.BaseURL + authPath
-	}
-
 	res, err := s.encode(mkey, false, tailcfg.RegisterResponse{
 		User:              *user,
 		Login:             *login,
 		NodeKeyExpired:    false,
-		MachineAuthorized: machineAuthorized,
-		AuthURL:           authURL,
+		MachineAuthorized: true,
+		AuthURL:           "", // all good; TODO(bradfitz): add ways to not start all good.
 	})
 	if err != nil {
 		go panic(fmt.Sprintf("serveRegister: encode: %v", err))
@@ -402,9 +231,6 @@ const (
 	// via a lite endpoint update. These ones are never dup-suppressed,
 	// as the client is expecting an answer regardless.
 	updateSelfChanged
-
-	// updateDebugInjection is an update used for PingRequests
-	updateDebugInjection
 )

 func (s *Server) updateLocked(source string, peers []tailcfg.NodeID) {
@@ -428,21 +254,6 @@ func sendUpdate(dst chan<- updateType, updateType updateType) {
 	}
 }

-func (s *Server) UpdateNode(n *tailcfg.Node) (peersToUpdate []tailcfg.NodeID) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if n.Key.IsZero() {
-		panic("zero nodekey")
-	}
-	s.nodes[n.Key] = n.Clone()
-	for _, n2 := range s.nodes {
-		if n.ID != n2.ID {
-			peersToUpdate = append(peersToUpdate, n2.ID)
-		}
-	}
-	return peersToUpdate
-}
-
 func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey tailcfg.MachineKey) {
 	ctx := r.Context()

@@ -468,8 +279,10 @@ func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey tailcfg.M
 	if !req.ReadOnly {
 		endpoints := filterInvalidIPv6Endpoints(req.Endpoints)
 		node.Endpoints = endpoints
-		node.DiscoKey = req.DiscoKey
-		peersToUpdate = s.UpdateNode(node)
+		// TODO: more
+		// TODO: register node,
+		//s.UpdateEndpoint(mkey, req.NodeKey,
+		// XXX
 	}

 	nodeID := node.ID
@@ -576,24 +389,10 @@ func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse,
 		CollectServices: "true",
 		PacketFilter:    tailcfg.FilterAllowAll,
 	}
-	for _, p := range s.AllNodes() {
-		if p.StableID != node.StableID {
-			res.Peers = append(res.Peers, p)
-		}
-	}
-
 	res.Node.Addresses = []netaddr.IPPrefix{
 		netaddr.MustParseIPPrefix(fmt.Sprintf("100.64.%d.%d/32", uint8(node.ID>>8), uint8(node.ID))),
 	}
 	res.Node.AllowedIPs = res.Node.Addresses
-
-	// Consume the PingRequest while protected by mutex if it exists
-	s.mu.Lock()
-	if pr, ok := s.pingReqsToAdd[node.Key]; ok {
-		res.PingRequest = pr
-		delete(s.pingReqsToAdd, node.Key)
-	}
-	s.mu.Unlock()
 	return res, nil
 }

@@ -707,7 +506,7 @@ func keepClientEndpoint(ep string) bool {
 		// the incoming JSON response.
 		return false
 	}
-	ip := ipp.IP()
+	ip := ipp.IP
 	if ip.Zone() != "" {
 		return false
 	}
--- a/tstest/integration/vms/README.md
+++ b/tstest/integration/vms/README.md
@@ -1,98 +0,0 @@
-# End-to-End VM-based Integration Testing
-
-This test spins up a bunch of common linux distributions and then tries to get
-them to connect to a
-[`testcontrol`](https://pkg.go.dev/tailscale.com/tstest/integration/testcontrol)
-server.
-
-## Running
-
-This test currently only runs on Linux.
-
-This test depends on the following command line tools:
-
- [qemu](https://www.qemu.org/)
- [cdrkit](https://en.wikipedia.org/wiki/Cdrkit)
- [openssh](https://www.openssh.com/)
-
-This test also requires the following:
-
- about 10 GB of temporary storage
- about 10 GB of cached VM images
- at least 4 GB of ram for virtual machines
- hardware virtualization support
-  ([KVM](https://www.linux-kvm.org/page/Main_Page)) enabled in the BIOS
- the `kvm` module to be loaded (`modprobe kvm`)
- the user running these tests must have access to `/dev/kvm` (being in the
-  `kvm` group should suffice)
-
-This optionally requires an AWS profile to be configured at the [default
-path](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).
-The S3 bucket is set so that the requester pays. Please keep this in mind when
-running these tests on your machine. If you are uncomfortable with the cost from
-downloading from S3, you should pass the `-no-s3` flag to disable downloads from
-S3. However keep in mind that some distributions do not use stable URLs for each
-individual image artifact, so there may be spurious test failures as a result.
-
-If you are using [Nix](https://nixos.org), you can run all of the tests with the
-correct command line tools using this command:
-
-```console
-$ nix-shell -p openssh -p go -p qemu -p cdrkit --run "go test . --run-vm-tests --v --timeout 30m"
-```
-
-Keep the timeout high for the first run, especially if you are not downloading
-VM images from S3. The mirrors we pull images from have download rate limits and
-will take a while to download.
-
-Because of the hardware requirements of this test, this test will not run
-without the `--run-vm-tests` flag set.
-
-## Other Fun Flags
-
-This test's behavior is customized with command line flags.
-
-### Don't Download Images From S3
-
-If you pass the `-no-s3` flag to `go test`, the S3 step will be skipped in favor
-of downloading the images directly from upstream sources, which may cause the
-test to fail in odd places.
-
-### Distribution Picking
-
-This test runs on a large number of distributions. By default it tries to run
-everything, which may or may not be ideal for you. If you only want to test a
-subset of distributions, you can use the `--distro-regex` flag to match a subset
-of distributions using a [regular expression](https://golang.org/pkg/regexp/)
-such as like this:
-
-```console
-$ go test -run-vm-tests -distro-regex centos
-```
-
-This would run all tests on all versions of CentOS.
-
-```console
-$ go test -run-vm-tests -distro-regex '(debian|ubuntu)'
-```
-
-This would run all tests on all versions of Debian and Ubuntu.
-
-### Ram Limiting
-
-This test uses a lot of memory. In order to avoid making machines run out of
-memory running this test, a semaphore is used to limit how many megabytes of ram
-are being used at once. By default this semaphore is set to 4096 MB of ram
-(about 4 gigabytes). You can customize this with the `--ram-limit` flag:
-
-```console
-$ go test --run-vm-tests --ram-limit 2048
-$ go test --run-vm-tests --ram-limit 65536
-```
-
-The first example will set the limit to 2048 MB of ram (about 2 gigabytes). The
-second example will set the limit to 65536 MB of ram (about 65 gigabytes).
-Please be careful with this flag, improper usage of it is known to cause the
-Linux out-of-memory killer to engage. Try to keep it within 50-75% of your
-machine's available ram (there is some overhead involved with the
-virtualization) to be on the safe side.
--- a/tstest/integration/vms/doc.go
+++ b/tstest/integration/vms/doc.go
@@ -1,7 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package vms does VM-based integration/functional tests by using
-// qemu and a bank of pre-made VM images.
-package vms
--- a/tstest/integration/vms/opensuse_leap_15_1_test.go
+++ b/tstest/integration/vms/opensuse_leap_15_1_test.go
@@ -1,86 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux
-
-package vms
-
-import (
-	"encoding/json"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/google/uuid"
-)
-
-/*
-   The images that we use for OpenSUSE Leap 15.1 have an issue that makes the
-   nocloud backend[1] for cloud-init just not work. As a distro-specific
-   workaround, we're gonna pretend to be OpenStack.
-
-   TODO(Xe): delete once we no longer need to support OpenSUSE Leap 15.1.
-
-   [1]: https://cloudinit.readthedocs.io/en/latest/topics/datasources/nocloud.html
-*/
-
-type openSUSELeap151MetaData struct {
-	Zone        string                      `json:"availability_zone"` // nova
-	Hostname    string                      `json:"hostname"`          // opensuse-leap-15-1
-	LaunchIndex string                      `json:"launch_index"`      // 0
-	Meta        openSUSELeap151MetaDataMeta `json:"meta"`              // some openstack metadata we don't need to care about
-	Name        string                      `json:"name"`              // opensuse-leap-15-1
-	UUID        string                      `json:"uuid"`              // e9c664cd-b116-433b-aa61-7ff420163dcd
-}
-
-type openSUSELeap151MetaDataMeta struct {
-	Role      string `json:"role"`      // server
-	DSMode    string `json:"dsmode"`    // local
-	Essential string `json:"essential"` // essential
-}
-
-func hackOpenSUSE151UserData(t *testing.T, d Distro, dir string) bool {
-	if d.name != "opensuse-leap-15-1" {
-		return false
-	}
-
-	t.Log("doing OpenSUSE Leap 15.1 hack")
-	osDir := filepath.Join(dir, "openstack", "latest")
-	err := os.MkdirAll(osDir, 0755)
-	if err != nil {
-		t.Fatalf("can't make metadata home: %v", err)
-	}
-
-	metadata, err := json.Marshal(openSUSELeap151MetaData{
-		Zone:        "nova",
-		Hostname:    d.name,
-		LaunchIndex: "0",
-		Meta: openSUSELeap151MetaDataMeta{
-			Role:      "server",
-			DSMode:    "local",
-			Essential: "false",
-		},
-		Name: d.name,
-		UUID: uuid.New().String(),
-	})
-	if err != nil {
-		t.Fatalf("can't encode metadata: %v", err)
-	}
-	err = os.WriteFile(filepath.Join(osDir, "meta_data.json"), metadata, 0666)
-	if err != nil {
-		t.Fatalf("can't write to meta_data.json: %v", err)
-	}
-
-	data, err := os.ReadFile(filepath.Join(dir, "user-data"))
-	if err != nil {
-		t.Fatalf("can't read user_data: %v", err)
-	}
-
-	err = os.WriteFile(filepath.Join(osDir, "user_data"), data, 0666)
-	if err != nil {
-		t.Fatalf("can't create output user_data: %v", err)
-	}
-
-	return true
-}
--- a/tstest/integration/vms/regex_flag.go
+++ b/tstest/integration/vms/regex_flag.go
@@ -1,30 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package vms
-
-import "regexp"
-
-type regexValue struct {
-	r *regexp.Regexp
-}
-
-func (r *regexValue) String() string {
-	if r.r == nil {
-		return ""
-	}
-
-	return r.r.String()
-}
-
-func (r *regexValue) Set(val string) error {
-	if rex, err := regexp.Compile(val); err != nil {
-		return err
-	} else {
-		r.r = rex
-		return nil
-	}
-}
-
-func (r regexValue) Unwrap() *regexp.Regexp { return r.r }
--- a/tstest/integration/vms/regex_flag_test.go
+++ b/tstest/integration/vms/regex_flag_test.go
@@ -1,22 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package vms
-
-import (
-	"flag"
-	"testing"
-)
-
-func TestRegexFlag(t *testing.T) {
-	var v regexValue
-	fs := flag.NewFlagSet(t.Name(), flag.PanicOnError)
-	fs.Var(&v, "regex", "regex to parse")
-
-	const want = `.*`
-	fs.Parse([]string{"-regex", want})
-	if v.Unwrap().String() != want {
-		t.Fatalf("got wrong regex: %q, wanted: %q", v.Unwrap().String(), want)
-	}
-}
--- a/tstest/integration/vms/runner.nix
+++ b/tstest/integration/vms/runner.nix
@@ -1,77 +0,0 @@
-# This is a NixOS module to allow a machine to act as an integration test
-# runner. This is used for the end-to-end VM test suite.
-
-{ lib, config, pkgs, ... }:
-
-{
-  # The GitHub Actions self-hosted runner service.
-  services.github-runner = {
-    enable = true;
-    url = "https://github.com/tailscale/tailscale";
-    replace = true;
-    extraLabels = [ "vm_integration_test" ];
-
-    # Justifications for the packages:
-    extraPackages = with pkgs; [
-      # The test suite is written in Go.
-      go
-
-      # This contains genisoimage, which is needed to create cloud-init
-      # seeds.
-      cdrkit
-
-      # This package is the virtual machine hypervisor we use in tests.
-      qemu
-
-      # This package contains tools like `ssh-keygen`.
-      openssh
-
-      # The C complier so cgo builds work.
-      gcc
-    ];
-
-    # Customize this to include your GitHub username so we can track
-    # who is running which node.
-    name = "YOUR-GITHUB-USERNAME-tstest-integration-vms";
-
-    # Replace this with the path to the GitHub Actions runner token on
-    # your disk.
-    tokenFile = "/run/decrypted/ts-oss-ghaction-token";
-  };
-
-  # A user account so there is a home directory and so they have kvm
-  # access. Please don't change this account name.
-  users.users.ghrunner = {
-    createHome = true;
-    isSystemUser = true;
-    extraGroups = [ "kvm" ];
-  };
-
-  # The default github-runner service sets a lot of isolation features
-  # that attempt to limit the damage that malicious code can use.
-  # Unfortunately we rely on some "dangerous" features to do these tests,
-  # so this shim will peel some of them away.
-  systemd.services.github-runner = {
-    serviceConfig = {
-      # We need access to /dev to poke /dev/kvm.
-      PrivateDevices = lib.mkForce false;
-
-      # /dev/kvm is how qemu creates a virtual machine with KVM.
-      DeviceAllow = lib.mkForce [ "/dev/kvm" ];
-
-      # Ensure the service has KVM permissions with the `kvm` group.
-      ExtraGroups = [ "kvm" ];
-
-      # The service runs as a dynamic user by default. This makes it hard
-      # to persistently store things in /var/lib/ghrunner. This line
-      # disables the dynamic user feature.
-      DynamicUser = lib.mkForce false;
-
-      # Run this service as our ghrunner user.
-      User = "ghrunner";
-
-      # We need access to /var/lib/ghrunner to store VM images.
-      ProtectSystem = lib.mkForce null;
-    };
-  };
-}
--- a/tstest/integration/vms/vms_test.go
+++ b/tstest/integration/vms/vms_test.go
@@ -1,805 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux
-
-package vms
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"errors"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"net"
-	"net/http"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"strconv"
-	"strings"
-	"sync"
-	"syscall"
-	"testing"
-	"text/template"
-	"time"
-
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/s3"
-	"github.com/aws/aws-sdk-go/service/s3/s3manager"
-	expect "github.com/google/goexpect"
-	"github.com/pkg/sftp"
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/sync/semaphore"
-	"inet.af/netaddr"
-	"tailscale.com/net/interfaces"
-	"tailscale.com/tstest"
-	"tailscale.com/tstest/integration"
-	"tailscale.com/tstest/integration/testcontrol"
-)
-
-const (
-	securePassword = "hunter2"
-	bucketName     = "tailscale-integration-vm-images"
-)
-
-var (
-	runVMTests = flag.Bool("run-vm-tests", false, "if set, run expensive VM based integration tests")
-	noS3       = flag.Bool("no-s3", false, "if set, always download images from the public internet (risks breaking)")
-	vmRamLimit = flag.Int("ram-limit", 4096, "the maximum number of megabytes of ram that can be used for VMs, must be greater than or equal to 1024")
-	distroRex  = func() *regexValue {
-		result := &regexValue{r: regexp.MustCompile(`.*`)}
-		flag.Var(result, "distro-regex", "The regex that matches what distros should be run")
-		return result
-	}()
-)
-
-type Distro struct {
-	name           string // amazon-linux
-	url            string // URL to a qcow2 image
-	sha256sum      string // hex-encoded sha256 sum of contents of URL
-	mem            int    // VM memory in megabytes
-	packageManager string // yum/apt/dnf/zypper
-}
-
-func (d *Distro) InstallPre() string {
-	switch d.packageManager {
-	case "yum":
-		return ` - [ yum, update, gnupg2 ]
- - [ yum, "-y", install, iptables ]`
-	case "zypper":
-		return ` - [ zypper, in, "-y", iptables ]`
-
-	case "dnf":
-		return ` - [ dnf, install, "-y", iptables ]`
-
-	case "apt":
-		return ` - [ apt-get, update ]
- - [ apt-get, "-y", install, curl, "apt-transport-https", gnupg2 ]`
-
-	case "apk":
-		return ` - [ apk, "-U", add, curl, "ca-certificates" ]`
-	}
-
-	return ""
-}
-
-func TestDownloadImages(t *testing.T) {
-	if !*runVMTests {
-		t.Skip("not running integration tests (need --run-vm-tests)")
-	}
-
-	for _, d := range distros {
-		distro := d
-		t.Run(distro.name, func(t *testing.T) {
-			if !distroRex.Unwrap().MatchString(distro.name) {
-				t.Skipf("distro name %q doesn't match regex: %s", distro.name, distroRex)
-			}
-
-			t.Parallel()
-
-			fetchDistro(t, distro)
-		})
-	}
-}
-
-var distros = []Distro{
-	// NOTE(Xe): If you run into issues getting the autoconfig to work, comment
-	// out all the other distros and uncomment this one. Connect with a VNC
-	// client with a command like this:
-	//
-	//    $ vncviewer :0
-	//
-	// On NixOS you can get away with something like this:
-	//
-	//    $ env NIXPKGS_ALLOW_UNFREE=1 nix-shell -p tigervnc --run 'vncviewer :0'
-	//
-	// Login as root with the password root. Then look in
-	// /var/log/cloud-init-output.log for what you messed up.
-
-	// {"alpine-edge", "https://xena.greedo.xeserv.us/pkg/alpine/img/alpine-edge-2021-05-18-cloud-init-within.qcow2", "b3bb15311c0bd3beffa1b554f022b75d3b7309b5fdf76fb146fe7c72b83b16d0", 256, "apk"},
-
-	{"amazon-linux", "https://cdn.amazonlinux.com/os-images/2.0.20210427.0/kvm/amzn2-kvm-2.0.20210427.0-x86_64.xfs.gpt.qcow2", "6ef9daef32cec69b2d0088626ec96410cd24afc504d57278bbf2f2ba2b7e529b", 512, "yum"},
-	{"arch", "https://mirror.pkgbuild.com/images/v20210515.22945/Arch-Linux-x86_64-cloudimg-20210515.22945.qcow2", "e4077f5ba3c5d545478f64834bc4852f9f7a2e05950fce8ecd0df84193162a27", 512, "pacman"},
-	{"centos-7", "https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud-2003.qcow2c", "b7555ecf90b24111f2efbc03c1e80f7b38f1e1fc7e1b15d8fee277d1a4575e87", 512, "yum"},
-	{"centos-8", "https://cloud.centos.org/centos/8/x86_64/images/CentOS-8-GenericCloud-8.3.2011-20201204.2.x86_64.qcow2", "7ec97062618dc0a7ebf211864abf63629da1f325578868579ee70c495bed3ba0", 768, "dnf"},
-	{"debian-9", "http://cloud.debian.org/images/cloud/OpenStack/9.13.22-20210531/debian-9.13.22-20210531-openstack-amd64.qcow2", "c36e25f2ab0b5be722180db42ed9928476812f02d053620e1c287f983e9f6f1d", 512, "apt"},
-	{"debian-10", "https://cdimage.debian.org/images/cloud/buster/20210329-591/debian-10-generic-amd64-20210329-591.qcow2", "70c61956095870c4082103d1a7a1cb5925293f8405fc6cb348588ec97e8611b0", 768, "apt"},
-	{"fedora-34", "https://download.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-34-1.2.x86_64.qcow2", "b9b621b26725ba95442d9a56cbaa054784e0779a9522ec6eafff07c6e6f717ea", 768, "dnf"},
-	{"opensuse-leap-15-1", "https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.1/images/openSUSE-Leap-15.1-OpenStack.x86_64.qcow2", "40bc72b8ee143364fc401f2c9c9a11ecb7341a29fa84c6f7bf42fc94acf19a02", 512, "zypper"},
-	{"opensuse-leap-15-2", "https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.2/images/openSUSE-Leap-15.2-OpenStack.x86_64.qcow2", "4df9cee9281d1f57d20f79dc65d76e255592b904760e73c0dd44ac753a54330f", 512, "zypper"},
-	{"opensuse-leap-15-3", "http://mirror.its.dal.ca/opensuse/distribution/leap/15.3/appliances/openSUSE-Leap-15.3-JeOS.x86_64-OpenStack-Cloud.qcow2", "22e0392e4d0becb523d1bc5f709366140b7ee20d6faf26de3d0f9046d1ee15d5", 512, "zypper"},
-	{"opensuse-tumbleweed", "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-JeOS.x86_64-OpenStack-Cloud.qcow2", "79e610bba3ed116556608f031c06e4b9260e3be2b193ce1727914ba213afac3f", 512, "zypper"},
-	{"ubuntu-16-04", "https://cloud-images.ubuntu.com/xenial/20210429/xenial-server-cloudimg-amd64-disk1.img", "50a21bc067c05e0c73bf5d8727ab61152340d93073b3dc32eff18b626f7d813b", 512, "apt"},
-	{"ubuntu-18-04", "https://cloud-images.ubuntu.com/bionic/20210526/bionic-server-cloudimg-amd64.img", "389ffd5d36bbc7a11bf384fd217cda9388ccae20e5b0cb7d4516733623c96022", 512, "apt"},
-	{"ubuntu-20-04", "https://cloud-images.ubuntu.com/focal/20210603/focal-server-cloudimg-amd64.img", "1c0969323b058ba8b91fec245527069c2f0502fc119b9138b213b6bfebd965cb", 512, "apt"},
-	{"ubuntu-20-10", "https://cloud-images.ubuntu.com/groovy/20210604/groovy-server-cloudimg-amd64.img", "2196df5f153faf96443e5502bfdbcaa0baaefbaec614348fec344a241855b0ef", 512, "apt"},
-	{"ubuntu-21-04", "https://cloud-images.ubuntu.com/hirsute/20210603/hirsute-server-cloudimg-amd64.img", "bf07f36fc99ff521d3426e7d257e28f0c81feebc9780b0c4f4e25ae594ff4d3b", 512, "apt"},
-}
-
-// fetchFromS3 fetches a distribution image from Amazon S3 or reports whether
-// it is unable to. It can fail to fetch from S3 if there is either no AWS
-// configuration (in ~/.aws/credentials) or if the `-no-s3` flag is passed. In
-// that case the test will fall back to downloading distribution images from the
-// public internet.
-//
-// Like fetching from HTTP, the test will fail if an error is encountered during
-// the downloading process.
-//
-// This function writes the distribution image to fout. It is always closed. Do
-// not expect fout to remain writable.
-func fetchFromS3(t *testing.T, fout *os.File, d Distro) bool {
-	t.Helper()
-
-	if *noS3 {
-		t.Log("you asked to not use S3, not using S3")
-		return false
-	}
-
-	sess, err := session.NewSession(&aws.Config{
-		Region: aws.String("us-east-1"),
-	})
-	if err != nil {
-		t.Logf("can't make AWS session: %v", err)
-		return false
-	}
-
-	dler := s3manager.NewDownloader(sess, func(d *s3manager.Downloader) {
-		d.PartSize = 64 * 1024 * 1024 // 64MB per part
-	})
-
-	t.Logf("fetching s3://%s/%s", bucketName, d.sha256sum)
-
-	_, err = dler.Download(fout, &s3.GetObjectInput{
-		Bucket: aws.String(bucketName),
-		Key:    aws.String(d.sha256sum),
-	})
-	if err != nil {
-		fout.Close()
-		t.Fatalf("can't get s3://%s/%s: %v", bucketName, d.sha256sum, err)
-	}
-
-	err = fout.Close()
-	if err != nil {
-		t.Fatalf("can't close fout: %v", err)
-	}
-
-	return true
-}
-
-// fetchDistro fetches a distribution from the internet if it doesn't already exist locally. It
-// also validates the sha256 sum from a known good hash.
-func fetchDistro(t *testing.T, resultDistro Distro) {
-	t.Helper()
-
-	cdir, err := os.UserCacheDir()
-	if err != nil {
-		t.Fatalf("can't find cache dir: %v", err)
-	}
-	cdir = filepath.Join(cdir, "tailscale", "vm-test")
-
-	qcowPath := filepath.Join(cdir, "qcow2", resultDistro.sha256sum)
-
-	_, err = os.Stat(qcowPath)
-	if err == nil {
-		hash := checkCachedImageHash(t, resultDistro, cdir)
-		if hash != resultDistro.sha256sum {
-			t.Logf("hash for %s (%s) doesn't match expected %s, re-downloading", resultDistro.name, qcowPath, resultDistro.sha256sum)
-			err = errors.New("some fake non-nil error to force a redownload")
-
-			if err := os.Remove(qcowPath); err != nil {
-				t.Fatalf("can't delete wrong cached image: %v", err)
-			}
-		}
-	}
-
-	if err != nil {
-		t.Logf("downloading distro image %s to %s", resultDistro.url, qcowPath)
-		fout, err := os.Create(qcowPath)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if !fetchFromS3(t, fout, resultDistro) {
-			resp, err := http.Get(resultDistro.url)
-			if err != nil {
-				t.Fatalf("can't fetch qcow2 for %s (%s): %v", resultDistro.name, resultDistro.url, err)
-			}
-
-			if resp.StatusCode != http.StatusOK {
-				resp.Body.Close()
-				t.Fatalf("%s replied %s", resultDistro.url, resp.Status)
-			}
-
-			_, err = io.Copy(fout, resp.Body)
-			resp.Body.Close()
-			if err != nil {
-				t.Fatalf("download of %s failed: %v", resultDistro.url, err)
-			}
-
-			hash := checkCachedImageHash(t, resultDistro, cdir)
-
-			if hash != resultDistro.sha256sum {
-				t.Fatalf("hash mismatch, want: %s, got: %s", resultDistro.sha256sum, hash)
-			}
-		}
-	}
-}
-
-func checkCachedImageHash(t *testing.T, d Distro, cacheDir string) (gotHash string) {
-	t.Helper()
-
-	qcowPath := filepath.Join(cacheDir, "qcow2", d.sha256sum)
-
-	fin, err := os.Open(qcowPath)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	hasher := sha256.New()
-	if _, err := io.Copy(hasher, fin); err != nil {
-		t.Fatal(err)
-	}
-	hash := hex.EncodeToString(hasher.Sum(nil))
-
-	if hash != d.sha256sum {
-		t.Fatalf("hash mismatch, got: %q, want: %q", hash, d.sha256sum)
-	}
-
-	gotHash = hash
-
-	return
-}
-
-// run runs a command or fails the test.
-func run(t *testing.T, dir, prog string, args ...string) {
-	t.Helper()
-	t.Logf("running: %s %s", prog, strings.Join(args, " "))
-	tstest.FixLogs(t)
-
-	cmd := exec.Command(prog, args...)
-	cmd.Stdout = log.Writer()
-	cmd.Stderr = log.Writer()
-	cmd.Dir = dir
-	if err := cmd.Run(); err != nil {
-		t.Fatal(err)
-	}
-}
-
-// mkLayeredQcow makes a layered qcow image that allows us to keep the upstream
-// VM images pristine and only do our changes on an overlay.
-func mkLayeredQcow(t *testing.T, tdir string, d Distro) {
-	t.Helper()
-
-	cdir, err := os.UserCacheDir()
-	if err != nil {
-		t.Fatalf("can't find cache dir: %v", err)
-	}
-	cdir = filepath.Join(cdir, "tailscale", "vm-test")
-
-	run(t, tdir, "qemu-img", "create",
-		"-f", "qcow2",
-		"-o", "backing_file="+filepath.Join(cdir, "qcow2", d.sha256sum),
-		filepath.Join(tdir, d.name+".qcow2"),
-	)
-}
-
-var (
-	metaDataTempl = template.Must(template.New("meta-data.yaml").Parse(metaDataTemplate))
-	userDataTempl = template.Must(template.New("user-data.yaml").Parse(userDataTemplate))
-)
-
-// mkSeed makes the cloud-init seed ISO that is used to configure a VM with
-// tailscale.
-func mkSeed(t *testing.T, d Distro, sshKey, hostURL, tdir string, port int) {
-	t.Helper()
-
-	dir := filepath.Join(tdir, d.name, "seed")
-	os.MkdirAll(dir, 0700)
-
-	// make meta-data
-	{
-		fout, err := os.Create(filepath.Join(dir, "meta-data"))
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		err = metaDataTempl.Execute(fout, struct {
-			ID       string
-			Hostname string
-		}{
-			ID:       "31337",
-			Hostname: d.name,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		err = fout.Close()
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	// make user-data
-	{
-		fout, err := os.Create(filepath.Join(dir, "user-data"))
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		err = userDataTempl.Execute(fout, struct {
-			SSHKey     string
-			HostURL    string
-			Hostname   string
-			Port       int
-			InstallPre string
-			Password   string
-		}{
-			SSHKey:     strings.TrimSpace(sshKey),
-			HostURL:    hostURL,
-			Hostname:   d.name,
-			Port:       port,
-			InstallPre: d.InstallPre(),
-			Password:   securePassword,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		err = fout.Close()
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	args := []string{
-		"-output", filepath.Join(dir, "seed.iso"),
-		"-volid", "cidata", "-joliet", "-rock",
-		filepath.Join(dir, "meta-data"),
-		filepath.Join(dir, "user-data"),
-	}
-
-	if hackOpenSUSE151UserData(t, d, dir) {
-		args = append(args, filepath.Join(dir, "openstack"))
-	}
-
-	run(t, tdir, "genisoimage", args...)
-}
-
-// mkVM makes a KVM-accelerated virtual machine and prepares it for introduction
-// to the testcontrol server. The function it returns is for killing the virtual
-// machine when it is time for it to die.
-func mkVM(t *testing.T, n int, d Distro, sshKey, hostURL, tdir string) func() {
-	t.Helper()
-
-	cdir, err := os.UserCacheDir()
-	if err != nil {
-		t.Fatalf("can't find cache dir: %v", err)
-	}
-	cdir = filepath.Join(cdir, "tailscale", "vm-test")
-	os.MkdirAll(filepath.Join(cdir, "qcow2"), 0755)
-
-	port := 23100 + n
-
-	fetchDistro(t, d)
-	mkLayeredQcow(t, tdir, d)
-	mkSeed(t, d, sshKey, hostURL, tdir, port)
-
-	driveArg := fmt.Sprintf("file=%s,if=virtio", filepath.Join(tdir, d.name+".qcow2"))
-
-	args := []string{
-		"-machine", "pc-q35-5.1,accel=kvm,usb=off,vmport=off,dump-guest-core=off",
-		"-netdev", fmt.Sprintf("user,hostfwd=::%d-:22,id=net0", port),
-		"-device", "virtio-net-pci,netdev=net0,id=net0,mac=8a:28:5c:30:1f:25",
-		"-m", fmt.Sprint(d.mem),
-		"-boot", "c",
-		"-drive", driveArg,
-		"-cdrom", filepath.Join(tdir, d.name, "seed", "seed.iso"),
-		"-vnc", fmt.Sprintf(":%d", n),
-		"-smbios", "type=1,serial=ds=nocloud;h=" + d.name,
-	}
-
-	t.Logf("running: qemu-system-x86_64 %s", strings.Join(args, " "))
-
-	cmd := exec.Command("qemu-system-x86_64", args...)
-	cmd.Stdout = log.Writer()
-	cmd.Stderr = log.Writer()
-	err = cmd.Start()
-
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	time.Sleep(time.Second)
-
-	if err := cmd.Process.Signal(syscall.Signal(0)); err != nil {
-		t.Fatal("qemu is not running")
-	}
-
-	return func() {
-		err := cmd.Process.Kill()
-		if err != nil {
-			t.Errorf("can't kill %s (%d): %v", d.name, cmd.Process.Pid, err)
-		}
-
-		cmd.Wait()
-	}
-}
-
-// ipMapping maps a hostname, SSH port and SSH IP together
-type ipMapping struct {
-	name string
-	port int
-	ip   string
-}
-
-// TestVMIntegrationEndToEnd creates a virtual machine with qemu, installs
-// tailscale on it and then ensures that it connects to the network
-// successfully.
-func TestVMIntegrationEndToEnd(t *testing.T) {
-	if !*runVMTests {
-		t.Skip("not running integration tests (need --run-vm-tests)")
-	}
-
-	os.Setenv("CGO_ENABLED", "0")
-
-	if _, err := exec.LookPath("qemu-system-x86_64"); err != nil {
-		t.Logf("hint: nix-shell -p go -p qemu -p cdrkit --run 'go test --v --timeout=60m --run-vm-tests'")
-		t.Fatalf("missing dependency: %v", err)
-	}
-
-	if _, err := exec.LookPath("genisoimage"); err != nil {
-		t.Logf("hint: nix-shell -p go -p qemu -p cdrkit --run 'go test --v --timeout=60m --run-vm-tests'")
-		t.Fatalf("missing dependency: %v", err)
-	}
-
-	dir := t.TempDir()
-
-	rex := distroRex.Unwrap()
-
-	ln, err := net.Listen("tcp", deriveBindhost(t)+":0")
-	if err != nil {
-		t.Fatalf("can't make TCP listener: %v", err)
-	}
-	defer ln.Close()
-	t.Logf("host:port: %s", ln.Addr())
-
-	cs := &testcontrol.Server{}
-
-	var (
-		ipMu  sync.Mutex
-		ipMap = map[string]ipMapping{}
-	)
-
-	mux := http.NewServeMux()
-	mux.Handle("/", cs)
-
-	// This handler will let the virtual machines tell the host information about that VM.
-	// This is used to maintain a list of port->IP address mappings that are known to be
-	// working. This allows later steps to connect over SSH. This returns no response to
-	// clients because no response is needed.
-	mux.HandleFunc("/myip/", func(w http.ResponseWriter, r *http.Request) {
-		ipMu.Lock()
-		defer ipMu.Unlock()
-
-		name := path.Base(r.URL.Path)
-		host, _, _ := net.SplitHostPort(r.RemoteAddr)
-		port, err := strconv.Atoi(name)
-		if err != nil {
-			log.Panicf("bad port: %v", port)
-		}
-		distro := r.UserAgent()
-		ipMap[distro] = ipMapping{distro, port, host}
-		t.Logf("%s: %v", name, host)
-	})
-
-	hs := &http.Server{Handler: mux}
-	go hs.Serve(ln)
-
-	run(t, dir, "ssh-keygen", "-t", "ed25519", "-f", "machinekey", "-N", ``)
-	pubkey, err := os.ReadFile(filepath.Join(dir, "machinekey.pub"))
-	if err != nil {
-		t.Fatalf("can't read ssh key: %v", err)
-	}
-
-	privateKey, err := os.ReadFile(filepath.Join(dir, "machinekey"))
-	if err != nil {
-		t.Fatalf("can't read ssh private key: %v", err)
-	}
-
-	signer, err := ssh.ParsePrivateKey(privateKey)
-	if err != nil {
-		t.Fatalf("can't parse private key: %v", err)
-	}
-
-	loginServer := fmt.Sprintf("http://%s", ln.Addr())
-	t.Logf("loginServer: %s", loginServer)
-
-	tstest.FixLogs(t)
-	defer tstest.UnfixLogs(t)
-
-	ramsem := semaphore.NewWeighted(int64(*vmRamLimit))
-	bins := integration.BuildTestBinaries(t)
-
-	t.Run("do", func(t *testing.T) {
-		for n, distro := range distros {
-			n, distro := n, distro
-			if rex.MatchString(distro.name) {
-				t.Logf("%s matches %s", distro.name, rex)
-			} else {
-				continue
-			}
-
-			t.Run(distro.name, func(t *testing.T) {
-				ctx, done := context.WithCancel(context.Background())
-				defer done()
-
-				t.Parallel()
-
-				err := ramsem.Acquire(ctx, int64(distro.mem))
-				if err != nil {
-					t.Fatalf("can't acquire ram semaphore: %v", err)
-				}
-				defer ramsem.Release(int64(distro.mem))
-
-				cancel := mkVM(t, n, distro, string(pubkey), loginServer, dir)
-				defer cancel()
-				var ipm ipMapping
-
-				t.Run("wait-for-start", func(t *testing.T) {
-					waiter := time.NewTicker(time.Second)
-					defer waiter.Stop()
-					var ok bool
-					for {
-						<-waiter.C
-						ipMu.Lock()
-						if ipm, ok = ipMap[distro.name]; ok {
-							ipMu.Unlock()
-							break
-						}
-						ipMu.Unlock()
-					}
-				})
-
-				testDistro(t, loginServer, signer, ipm, bins)
-			})
-		}
-	})
-}
-
-func testDistro(t *testing.T, loginServer string, signer ssh.Signer, ipm ipMapping, bins *integration.Binaries) {
-	t.Helper()
-	port := ipm.port
-	hostport := fmt.Sprintf("127.0.0.1:%d", port)
-	ccfg := &ssh.ClientConfig{
-		User:            "root",
-		Auth:            []ssh.AuthMethod{ssh.PublicKeys(signer), ssh.Password(securePassword)},
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	}
-
-	// NOTE(Xe): This deadline loop helps to make things a bit faster, centos
-	// sometimes is slow at starting its sshd and will sometimes randomly kill
-	// SSH sessions on transition to multi-user.target. I don't know why they
-	// don't use socket activation.
-	const maxRetries = 5
-	var working bool
-	for i := 0; i < maxRetries; i++ {
-		cli, err := ssh.Dial("tcp", hostport, ccfg)
-		if err == nil {
-			working = true
-			cli.Close()
-			break
-		}
-
-		time.Sleep(10 * time.Second)
-	}
-
-	if !working {
-		t.Fatalf("can't connect to %s, tried %d times", hostport, maxRetries)
-	}
-
-	t.Logf("about to ssh into 127.0.0.1:%d", port)
-	cli, err := ssh.Dial("tcp", hostport, ccfg)
-	if err != nil {
-		t.Fatal(err)
-	}
-	copyBinaries(t, cli, bins)
-
-	timeout := 5 * time.Minute
-
-	e, _, err := expect.SpawnSSH(cli, timeout, expect.Verbose(true), expect.VerboseWriter(log.Writer()))
-	if err != nil {
-		t.Fatalf("%d: can't register a shell session: %v", port, err)
-	}
-	defer e.Close()
-
-	t.Log("opened session")
-
-	_, _, err = e.Expect(regexp.MustCompile(`(\#)`), timeout)
-	if err != nil {
-		t.Fatalf("%d: can't get a shell: %v", port, err)
-	}
-	t.Logf("got shell for %d", port)
-	err = e.Send("systemctl start tailscaled.service\n")
-	if err != nil {
-		t.Fatalf("can't send command to start tailscaled: %v", err)
-	}
-	_, _, err = e.Expect(regexp.MustCompile(`(\#)`), timeout)
-	if err != nil {
-		t.Fatalf("%d: can't get a shell: %v", port, err)
-	}
-	err = e.Send(fmt.Sprintf("sudo tailscale up --login-server %s\n", loginServer))
-	if err != nil {
-		t.Fatalf("%d: can't send tailscale up command: %v", port, err)
-	}
-	_, _, err = e.Expect(regexp.MustCompile(`Success.`), timeout)
-	if err != nil {
-		t.Fatalf("not successful: %v", err)
-	}
-}
-
-func copyBinaries(t *testing.T, conn *ssh.Client, bins *integration.Binaries) {
-	cli, err := sftp.NewClient(conn)
-	if err != nil {
-		t.Fatalf("can't connect over sftp to copy binaries: %v", err)
-	}
-
-	mkdir(t, cli, "/usr/bin")
-	mkdir(t, cli, "/usr/sbin")
-	mkdir(t, cli, "/etc/systemd/system")
-	mkdir(t, cli, "/etc/default")
-
-	copyFile(t, cli, bins.Daemon, "/usr/sbin/tailscaled")
-	copyFile(t, cli, bins.CLI, "/usr/bin/tailscale")
-
-	// TODO(Xe): revisit this life decision, hopefully before this assumption
-	// breaks the test.
-	copyFile(t, cli, "../../../cmd/tailscaled/tailscaled.defaults", "/etc/default/tailscaled")
-	copyFile(t, cli, "../../../cmd/tailscaled/tailscaled.service", "/etc/systemd/system/tailscaled.service")
-
-	t.Log("tailscale installed!")
-}
-
-func mkdir(t *testing.T, cli *sftp.Client, name string) {
-	t.Helper()
-
-	err := cli.MkdirAll(name)
-	if err != nil {
-		t.Fatalf("can't make %s: %v", name, err)
-	}
-}
-
-func copyFile(t *testing.T, cli *sftp.Client, localSrc, remoteDest string) {
-	t.Helper()
-
-	fin, err := os.Open(localSrc)
-	if err != nil {
-		t.Fatalf("can't open: %v", err)
-	}
-	defer fin.Close()
-
-	fi, err := fin.Stat()
-	if err != nil {
-		t.Fatalf("can't stat: %v", err)
-	}
-
-	fout, err := cli.Create(remoteDest)
-	if err != nil {
-		t.Fatalf("can't create output file: %v", err)
-	}
-
-	err = fout.Chmod(fi.Mode())
-	if err != nil {
-		fout.Close()
-		t.Fatalf("can't chmod fout: %v", err)
-	}
-
-	n, err := io.Copy(fout, fin)
-	if err != nil {
-		fout.Close()
-		t.Fatalf("copy failed: %v", err)
-	}
-
-	if fi.Size() != n {
-		t.Fatalf("incorrect number of bytes copied: wanted: %d, got: %d", fi.Size(), n)
-	}
-
-	err = fout.Close()
-	if err != nil {
-		t.Fatalf("can't close fout on remote host: %v", err)
-	}
-}
-
-func deriveBindhost(t *testing.T) string {
-	t.Helper()
-
-	ifName, err := interfaces.DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	var ret string
-	err = interfaces.ForeachInterfaceAddress(func(i interfaces.Interface, prefix netaddr.IPPrefix) {
-		if ret != "" || i.Name != ifName {
-			return
-		}
-		ret = prefix.IP().String()
-	})
-	if ret != "" {
-		return ret
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Fatal("can't find a bindhost")
-	return "unreachable"
-}
-
-func TestDeriveBindhost(t *testing.T) {
-	t.Log(deriveBindhost(t))
-}
-
-const metaDataTemplate = `instance-id: {{.ID}}
-local-hostname: {{.Hostname}}`
-
-const userDataTemplate = `#cloud-config
-#vim:syntax=yaml
-
-cloud_config_modules:
- - runcmd
-
-cloud_final_modules:
- - [users-groups, always]
- - [scripts-user, once-per-instance]
-
-users:
- - name: root
-   ssh-authorized-keys:
-    - {{.SSHKey}}
- - name: ts
-   plain_text_passwd: {{.Password}}
-   groups: [ wheel ]
-   sudo: [ "ALL=(ALL) NOPASSWD:ALL" ]
-   shell: /bin/sh
-   ssh-authorized-keys:
-    - {{.SSHKey}}
-
-write_files:
-  - path: /etc/cloud/cloud.cfg.d/80_disable_network_after_firstboot.cfg
-    content: |
-      # Disable network configuration after first boot
-      network:
-        config: disabled
-
-runcmd:
-{{.InstallPre}}
- - [ curl, "{{.HostURL}}/myip/{{.Port}}", "-H", "User-Agent: {{.Hostname}}" ]
-`
--- a/tstest/natlab/firewall.go
+++ b/tstest/natlab/firewall.go
@@ -52,7 +52,7 @@ func (s FirewallType) key(src, dst netaddr.IPPort) fwKey {
 	switch s {
 	case EndpointIndependentFirewall:
 	case AddressDependentFirewall:
-		k.dst = k.dst.WithIP(dst.IP())
+		k.dst.IP = dst.IP
 	case AddressAndPortDependentFirewall:
 		k.dst = dst
 	default:
--- a/tstest/natlab/nat.go
+++ b/tstest/natlab/nat.go
@@ -62,7 +62,7 @@ func (t NATType) key(src, dst netaddr.IPPort) natKey {
 	switch t {
 	case EndpointIndependentNAT:
 	case AddressDependentNAT:
-		k.dst = k.dst.WithIP(dst.IP())
+		k.dst.IP = dst.IP
 	case AddressAndPortDependentNAT:
 		k.dst = dst
 	default:
@@ -171,7 +171,7 @@ func (n *SNAT44) HandleIn(p *Packet, iif *Interface) *Packet {
 func (n *SNAT44) HandleForward(p *Packet, iif, oif *Interface) *Packet {
 	switch {
 	case oif == n.ExternalInterface:
-		if p.Src.IP() == oif.V4() {
+		if p.Src.IP == oif.V4() {
 			// Packet already NATed and is just retraversing Forward,
 			// don't touch it again.
 			return p
@@ -237,7 +237,10 @@ func (n *SNAT44) allocateMappedPort() (net.PacketConn, netaddr.IPPort) {
 	if err != nil {
 		panic(fmt.Sprintf("ran out of NAT ports: %v", err))
 	}
-	addr := netaddr.IPPortFrom(ip, uint16(pc.LocalAddr().(*net.UDPAddr).Port))
+	addr := netaddr.IPPort{
+		IP:   ip,
+		Port: uint16(pc.LocalAddr().(*net.UDPAddr).Port),
+	}
 	return pc, addr
 }

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .9.0
 .7.0