WIP

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

.github/workflows/docker-file-build.yml

@@ -0,0 +1,15 @@
+name: "Dockerfile build"
+on: 
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+      - "*"
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: "Build Docker image"
+      run: docker build .

.github/workflows/go-licenses.yml

@@ -50,11 +50,11 @@ jobs:
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 #v4.2.4
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
-          author: License Updater <noreply@tailscale.com>
-          committer: License Updater <noreply@tailscale.com>
+          author: License Updater <noreply+license-updater@tailscale.com>
+          committer: License Updater <noreply+license-updater@tailscale.com>
           branch: licenses/cli
           commit-message: "licenses: update tailscale{,d} licenses"
           title: "licenses: update tailscale{,d} licenses"

.github/workflows/golangci-lint.yml

@@ -0,0 +1,40 @@
+name: golangci-lint
+on:
+  # For now, only lint pull requests, not the main branches.
+  pull_request:
+
+  # TODO(andrew): enable for main branch after an initial waiting period.
+  #push:
+  #  branches:
+  #    - main
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: golangci-lint
+        # Note: this is the 'v3' tag as of 2023-04-17
+        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
+        with:
+          version: v1.52.2
+
+          # Show only new issues if it's a pull request.
+          only-new-issues: true

.github/workflows/govulncheck.yml

@@ -0,0 +1,37 @@
+name: govulncheck
+
+on:
+  schedule:
+    - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
+  workflow_dispatch: # allow manual trigger for testing
+  pull_request:
+    paths:
+      - ".github/workflows/govulncheck.yml"
+
+jobs:
+  source-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+
+      - name: Install govulncheck
+        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Scan source code for known vulnerabilities
+        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
+
+      - uses: ruby/action-slack@v3.2.1
+        with:
+          payload: >
+            {
+              "attachments": [{
+                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks>
+                        (<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|commit>) of ${{ github.repository }}@${{ github.ref_name }} by ${{ github.event.head_commit.committer.name }}",
+                "color": "danger"
+              }]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        if: failure() && github.event_name == 'schedule'

.github/workflows/installer.yml

@@ -0,0 +1,102 @@
+name: test installer.sh
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - scripts/installer.sh
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - scripts/installer.sh
+
+jobs:
+  test:
+    strategy:
+      # Don't abort the entire matrix if one element fails.
+      fail-fast: false
+      # Don't start all of these at once, which could saturate Github workers.
+      max-parallel: 4
+      matrix:
+        image:
+          # This is a list of Docker images against which we test our installer.
+          # If you find that some of these no longer exist, please feel free
+          # to remove them from the list.
+          # When adding new images, please only use official ones.
+          - "debian:oldstable-slim"
+          - "debian:stable-slim"
+          - "debian:testing-slim"
+          - "debian:sid-slim"
+          - "ubuntu:18.04"
+          - "ubuntu:20.04"
+          - "ubuntu:22.04"
+          - "ubuntu:22.10"
+          - "ubuntu:23.04"
+          - "elementary/docker:stable"
+          - "elementary/docker:unstable"
+          - "parrotsec/core:lts-amd64"
+          - "parrotsec/core:latest"
+          - "kalilinux/kali-rolling"
+          - "kalilinux/kali-dev"
+          - "oraclelinux:9"
+          - "oraclelinux:8"
+          - "fedora:latest"
+          - "rockylinux:8.7"
+          - "rockylinux:9"
+          - "amazonlinux:latest"
+          - "opensuse/leap:latest"
+          - "opensuse/tumbleweed:latest"
+          - "archlinux:latest"
+          - "alpine:3.14"
+          - "alpine:latest"
+          - "alpine:edge"
+        deps:
+          # Run all images installing curl as a dependency.
+          - curl
+        include:
+          # Check a few images with wget rather than curl.
+          - { image: "debian:oldstable-slim", deps: "wget" }
+          - { image: "debian:sid-slim", deps: "wget" }
+          - { image: "ubuntu:23.04", deps: "wget" }
+          # Ubuntu 16.04 also needs apt-transport-https installed.
+          - { image: "ubuntu:16.04", deps: "curl apt-transport-https" }
+          - { image: "ubuntu:16.04", deps: "wget apt-transport-https" }
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ matrix.image }}
+      options: --user root
+    steps:
+    - name: install dependencies (yum)
+      # tar and gzip are needed by the actions/checkout below.
+      run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
+      if: |
+        contains(matrix.image, 'centos')
+        || contains(matrix.image, 'oraclelinux')
+        || contains(matrix.image, 'fedora')
+        || contains(matrix.image, 'amazonlinux')
+    - name: install dependencies (zypper)
+      # tar and gzip are needed by the actions/checkout below.
+      run: zypper --non-interactive install tar gzip ${{ matrix.deps }}
+      if: contains(matrix.image, 'opensuse')
+    - name: install dependencies (apt-get)
+      run: |
+        apt-get update
+        apt-get install -y ${{ matrix.deps }}
+      if: |
+        contains(matrix.image, 'debian')
+        || contains(matrix.image, 'ubuntu')
+        || contains(matrix.image, 'elementary')
+        || contains(matrix.image, 'parrotsec')
+        || contains(matrix.image, 'kalilinux')
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: run installer
+      run: scripts/installer.sh
+      # Package installation can fail in docker because systemd is not running
+      # as PID 1, so ignore errors at this step. The real check is the
+      # `tailscale --version` command below.
+      continue-on-error: true
+    - name: check tailscale version
+      run: tailscale --version

.github/workflows/test.yml

@@ -46,14 +46,31 @@ jobs:
         include:
           - goarch: amd64
           - goarch: amd64
-            variant: race
+            buildflags: "-race"
           - goarch: "386" # thanks yaml
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
       uses: actions/checkout@v3
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-
     - name: build all
-      run: ./tool/go build ./...
+      run: ./tool/go build ${{matrix.buildflags}} ./...
       env:
         GOARCH: ${{ matrix.goarch }}
     - name: build variant CLIs
@@ -73,13 +90,11 @@ jobs:
     - name: build test wrapper
       run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
     - name: test all
-      if: matrix.variant != 'race'
-      run: ./tool/go test -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
+      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}}
       env:
         GOARCH: ${{ matrix.goarch }}
-    - name: test all (race)
-      if: matrix.variant == 'race'
-      run: ./tool/go test -race -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
+    - name: bench all
+      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ 
       env:
         GOARCH: ${{ matrix.goarch }}
     - name: check that no tracked files changed
@@ -101,6 +116,13 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v3
+
+    - name: Install Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+        cache: false
+
     - name: Restore Cache
       uses: actions/cache@v3
       with:
@@ -109,17 +131,20 @@ jobs:
         # contains zips that can be unpacked in parallel faster than they can be
         # fetched and extracted by tar
         path: |
+          ~/.cache/go-build
           ~/go/pkg/mod/cache
           ~\AppData\Local\go-build
         # The -2- here should be incremented when the scheme of data to be
         # cached changes (e.g. path above changes).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-go-2-
     - name: test
       # Don't use -bench=. -benchtime=1x.
       # Somewhere in the layers (powershell?)
       # the equals signs cause great confusion.
-      run: ./tool/go test -bench . -benchtime 1x ./...
+      run: go run ./cmd/testwrapper ./... -bench . -benchtime 1x
 
   vm:
     runs-on: ["self-hosted", "linux", "vm"]
@@ -174,6 +199,23 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v3
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
     - name: build all
       run: ./tool/go build ./cmd/...
       env:
@@ -223,6 +265,23 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v3
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-go-2-
     - name: build tsconnect client
       run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
       env:
@@ -235,6 +294,15 @@ jobs:
         ./tool/go run ./cmd/tsconnect --fast-compression build
         ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
 
+  tailscale_go: # Subset of tests that depend on our custom Go toolchain.
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: test tailscale_go
+      run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
+
+
   fuzz:
     # This target periodically breaks (see TS_FUZZ_CURRENTLY_BROKEN at the top
     # of the file), so it's more complex than usual: the 'build fuzzers' step
@@ -372,6 +440,7 @@ jobs:
       - cross
       - ios
       - wasm
+      - tailscale_go
       - fuzz
       - depaware
       - go_generate
@@ -389,7 +458,7 @@ jobs:
       # By having the job always run, but skipping its only step as needed, we
       # let the CI output collapse nicely in PRs.
       if: failure() && github.event_name == 'push'
-      uses: ruby/action-slack@v3.0.0
+      uses: ruby/action-slack@v3.2.1
       with:
         payload: |
           {
@@ -416,6 +485,7 @@ jobs:
       - cross
       - ios
       - wasm
+      - tailscale_go
       - fuzz
       - depaware
       - go_generate

.github/workflows/tsconnect-pkg-publish.yml

@@ -1,31 +0,0 @@
-name: "@tailscale/connect npm publish"
-
-on: workflow_dispatch
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up node
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
-
-      - name: Build package
-        # Build with build_dist.sh to ensure that version information is embedded.
-        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
-        # also picks up our custom Go toolchain.
-        run: |
-          export TS_USE_TOOLCHAIN=1
-          ./build_dist.sh tailscale.com/cmd/tsconnect
-          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg
-
-      - name: Publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.TSCONNECT_NPM_PUBLISH_AUTH_TOKEN }}
-        run: ./tool/yarn --cwd ./cmd/tsconnect/pkg publish --access public

.github/workflows/update-flake.yml

@@ -35,11 +35,11 @@ jobs:
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 #v4.2.4
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
-          author: Flakes Updater <noreply@tailscale.com>
-          committer: Flakes Updater <noreply@tailscale.com>
+          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
+          committer: Flakes Updater <noreply+flakes-updater@tailscale.com>
           branch: flakes
           commit-message: "go.mod.sri: update SRI hash for go.mod changes"
           title: "go.mod.sri: update SRI hash for go.mod changes"

.gitignore

@@ -35,5 +35,10 @@ cmd/tailscaled/tailscaled
 # Ignore direnv nix-shell environment cache
 .direnv/
 
+# Ignore web client node modules
+.vite/
+client/web/node_modules
+client/web/build
+
 /gocross
 /dist

.golangci.yml

@@ -0,0 +1,61 @@
+linters:
+  # Don't enable any linters by default; just the ones that we explicitly
+  # enable in the list below.
+  disable-all: true
+  enable:
+    - bidichk
+    - gofmt
+    - goimports
+    - misspell
+    - revive
+
+# Configuration for how we run golangci-lint
+run:
+  timeout: 5m
+
+issues:
+  # Excluding configuration per-path, per-linter, per-text and per-source
+  exclude-rules:
+    # These are forks of an upstream package and thus are exempt from stylistic
+    # changes that would make pulling in upstream changes harder.
+    - path: tempfork/.*\.go
+      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
+    - path: util/singleflight/.*\.go
+      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
+
+# Per-linter settings are contained in this top-level key
+linters-settings:
+  # Enable all rules by default; we don't use invisible unicode runes.
+  bidichk:
+
+  gofmt:
+    rewrite-rules:
+      - pattern: 'interface{}'
+        replacement: 'any'
+
+  goimports:
+
+  misspell:
+
+  revive:
+    enable-all-rules: false
+    ignore-generated-header: true
+    rules:
+      - name: atomic
+      - name: context-keys-type
+      - name: defer
+        arguments: [[
+          # Calling 'recover' at the time a defer is registered (i.e. "defer recover()") has no effect.
+          "immediate-recover",
+          # Calling 'recover' outside of a deferred function has no effect
+          "recover",
+          # Returning values from a deferred function has no effect
+          "return",
+        ]]
+      - name: duplicated-imports
+      - name: errorf
+      - name: string-of-int
+      - name: time-equal
+      - name: unconditional-recursion
+      - name: useless-break
+      - name: waitgroup-by-value

Dockerfile

@@ -31,7 +31,7 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.20-alpine AS build-env
+FROM golang:1.21-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 
@@ -47,8 +47,7 @@ RUN go install \
     golang.org/x/crypto/ssh \
     golang.org/x/crypto/acme \
     nhooyr.io/websocket \
-    github.com/mdlayher/netlink \
-    golang.zx2c4.com/wireguard/device
+    github.com/mdlayher/netlink
 
 COPY . .
 
@@ -73,4 +72,4 @@ RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
 # using build_docker.sh which sets an entrypoint for the image.
-RUN ln -s /usr/local/bin/containerboot /tailscale/run.sh
+RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh

Dockerfile.base

@@ -2,4 +2,4 @@
 # SPDX-License-Identifier: BSD-3-Clause
 
 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils

Makefile

@@ -48,11 +48,10 @@ staticcheck: ## Run staticcheck.io checks
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
 
 spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
-	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}
+	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
 
 spkall: ## Build synology packages for all architectures and DSM versions
-	mkdir -p spks
-	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all
+	./tool/go run ./cmd/dist build synology
 
 pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."

README.md

@@ -37,7 +37,7 @@ not open source.
 
 ## Building
 
-We always require the latest Go release, currently Go 1.20. (While we build
+We always require the latest Go release, currently Go 1.21. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)
 

VERSION.txt

@@ -1 +1 @@
-1.39.0
+1.49.0

api.md

@@ -101,8 +101,8 @@ You can also [list all devices in the tailnet](#list-tailnet-devices) to get the
 ``` jsonc
 {
   // addresses (array of strings) is a list of Tailscale IP
-  // addresses for the device, including both ipv4 (formatted as 100.x.y.z)
-  // and ipv6 (formatted as fd7a:115c:a1e0:a:b:c:d:e) addresses.
+  // addresses for the device, including both IPv4 (formatted as 100.x.y.z)
+  // and IPv6 (formatted as fd7a:115c:a1e0:a:b:c:d:e) addresses.
   "addresses": [
     "100.87.74.78",
     "fd7a:115c:a1e0:ac82:4843:ca90:697d:c36e"
@@ -503,7 +503,8 @@ Returns the enabled and advertised subnet routes for a device.
 POST /api/v2/device/{deviceID}/authorized
 ```
 
-Authorize a device. This call marks a device as authorized for tailnets where device authorization is required.
+Authorize a device.
+This call marks a device as authorized or revokes its authorization for tailnets where device authorization is required, according to the `authorized` field in the payload.
 
 This returns a successful 2xx response with an empty JSON object in the response body.
 
@@ -515,7 +516,8 @@ The ID of the device.
 
 #### `authorized` (required in `POST` body)
 
-Specify whether the device is authorized. Only 'true' is currently supported.
+Specify whether the device is authorized. False to deauthorize an authorized device, and true to authorize a new device or to re-authorize a previously deauthorized device.
+
 
 ``` jsonc
 {
@@ -1113,6 +1115,21 @@ Look at the response body to determine whether there was a problem within your A
   }
   ```
 
+If your tailnet has [user and group provisioning](https://tailscale.com/kb/1180/sso-okta-scim/) turned on, we will also warn you about
+any groups that are used in the policy file that are not being synced from SCIM. Explicitly defined groups will not trigger this warning.
+
+```jsonc
+{
+  "message":"warning(s) found",
+  "data":[
+          {
+            "user": "group:unknown@example.com",
+            "warnings":["group is not syncing from SCIM and will be ignored by rules in the policy file"]
+          }
+        ]
+}
+```
+
 <a href="tailnet-devices"></a>
 
 ## List tailnet devices
@@ -1221,6 +1238,11 @@ The remaining three methods operate on auth keys and API access tokens.
 
   // expirySeconds (int) is the duration in seconds a new key is valid.
   "expirySeconds": 86400
+
+  // description (string) is an optional short phrase that describes what
+  // this key is used for. It can be a maximum of 50 alphanumeric characters.
+  // Hyphens and underscores are also allowed.
+  "description": "short description of key purpose"
 }
 ```
 
@@ -1307,6 +1329,9 @@ Note the following about required vs. optional values:
   Specifies the duration in seconds until the key should expire.
   Defaults to 90 days if not supplied.
 
+- **`description`:** Optional in `POST` body.
+  A short string specifying the purpose of the key. Can be a maximum of 50 alphanumeric characters. Hyphens and spaces are also allowed.
+
 ### Request example
 
 ``` jsonc
@@ -1324,7 +1349,8 @@ curl "https://api.tailscale.com/api/v2/tailnet/example.com/keys" \
       }
     }
   },
-  "expirySeconds": 86400
+  "expirySeconds": 86400,
+  "description": "dev access"
 }'
 ```
 
@@ -1336,8 +1362,8 @@ It holds the capabilities specified in the request and can no longer be retrieve
 
 ``` jsonc
 {
-  "id":           "XXXX456CNTRL",
-  "key":          "tskey-k123456CNTRL-abcdefghijklmnopqrstuvwxyz",
+  "id":           "k123456CNTRL",
+  "key":          "tskey-auth-k123456CNTRL-abcdefghijklmnopqrstuvwxyz",
   "created":      "2021-12-09T23:22:39Z",
   "expires":      "2022-03-09T23:22:39Z",
   "revoked":      "2022-03-12T23:22:39Z",
@@ -1348,9 +1374,10 @@ It holds the capabilities specified in the request and can no longer be retrieve
         "ephemeral": false,
         "preauthorized": false,
         "tags": [ "tag:example" ]
-        }
       }
     }
+  },
+  "description": "dev access"
 }
 ```
 
@@ -1402,7 +1429,8 @@ The response is a JSON object with information about the key supplied.
         ]
       }
     }
-  }
+  },
+  "description": "dev access"
 }
 ```
 

atomicfile/atomicfile.go

@@ -8,14 +8,20 @@
 package atomicfile // import "tailscale.com/atomicfile"
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 )
 
-// WriteFile writes data to filename+some suffix, then renames it
-// into filename. The perm argument is ignored on Windows.
+// WriteFile writes data to filename+some suffix, then renames it into filename.
+// The perm argument is ignored on Windows. If the target filename already
+// exists but is not a regular file, WriteFile returns an error.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
+	fi, err := os.Stat(filename)
+	if err == nil && !fi.Mode().IsRegular() {
+		return fmt.Errorf("%s already exists and is not a regular file", filename)
+	}
 	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err

atomicfile/atomicfile_test.go

@@ -0,0 +1,47 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !js && !windows
+
+package atomicfile
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+)
+
+func TestDoesNotOverwriteIrregularFiles(t *testing.T) {
+	// Per tailscale/tailscale#7658 as one example, almost any imagined use of
+	// atomicfile.Write should likely not attempt to overwrite an irregular file
+	// such as a device node, socket, or named pipe.
+
+	const filename = "TestDoesNotOverwriteIrregularFiles"
+	var path string
+	// macOS private temp does not allow unix socket creation, but /tmp does.
+	if runtime.GOOS == "darwin" {
+		path = filepath.Join("/tmp", filename)
+		t.Cleanup(func() { os.Remove(path) })
+	} else {
+		path = filepath.Join(t.TempDir(), filename)
+	}
+
+	// The least troublesome thing to make that is not a file is a unix socket.
+	// Making a null device sadly requires root.
+	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	err = WriteFile(path, []byte("hello"), 0644)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !strings.Contains(err.Error(), "is not a regular file") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}

build_dist.sh

@@ -16,7 +16,7 @@ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
 	go="./tool/go"
 fi
 
-eval `GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
+eval `CGO_ENABLED=0 GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
 
 if [ "$1" = "shellvars" ]; then
 	cat <<EOF
@@ -49,4 +49,4 @@ while [ "$#" -gt 1 ]; do
 	esac
 done
 
-exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec $go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"

client/tailscale/acl.go

@@ -150,8 +150,9 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 // ACLTestFailureSummary specifies the JSON format sent to the
 // JavaScript client to be rendered in the HTML.
 type ACLTestFailureSummary struct {
-	User   string   `json:"user"`
-	Errors []string `json:"errors"`
+	User     string   `json:"user,omitempty"`
+	Errors   []string `json:"errors,omitempty"`
+	Warnings []string `json:"warnings,omitempty"`
 }
 
 // ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
@@ -436,7 +437,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 		}
 	}()
 
-	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
+	tests := []ACLTest{{User: source, Allow: []string{dest}}}
 	postData, err := json.Marshal(tests)
 	if err != nil {
 		return nil, err

client/tailscale/apitype/apitype.go

@@ -10,12 +10,14 @@ import "tailscale.com/tailcfg"
 const LocalAPIHost = "local-tailscaled.sock"
 
 // WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
+// In successful whois responses, Node and UserProfile are never nil.
 type WhoIsResponse struct {
 	Node        *tailcfg.Node
 	UserProfile *tailcfg.UserProfile
 
-	// Caps are extra capabilities that the remote Node has to this node.
-	Caps []string `json:",omitempty"`
+	// CapMap is a map of capabilities to their values.
+	// See tailcfg.PeerCapMap and tailcfg.PeerCapability for details.
+	CapMap tailcfg.PeerCapMap
 }
 
 // FileTarget is a node to which files can be sent, and the PeerAPI

client/tailscale/apitype/controltype.go

@@ -10,6 +10,7 @@ type DNSConfig struct {
 	Domains           []string                 `json:"domains"`
 	Nameservers       []string                 `json:"nameservers"`
 	Proxied           bool                     `json:"proxied"`
+	DNSFilterURL      string                   `json:"DNSFilterURL"`
 }
 
 type DNSResolver struct {

client/tailscale/devices.go

@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"strings"
 
 	"tailscale.com/types/opt"
 )
@@ -213,8 +212,20 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 
 // AuthorizeDevice marks a device as authorized.
 func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
+	return c.SetAuthorized(ctx, deviceID, true)
+}
+
+// SetAuthorized marks a device as authorized or not.
+func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized bool) error {
+	params := &struct {
+		Authorized bool `json:"authorized"`
+	}{Authorized: authorized}
+	data, err := json.Marshal(params)
+	if err != nil {
+		return err
+	}
 	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}

client/tailscale/dns.go

@@ -63,7 +63,7 @@ func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, er
 	return b, nil
 }
 
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
+func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
 	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	data, err := json.Marshal(&postData)
 	if err != nil {

client/tailscale/keys.go

@@ -68,12 +68,32 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 }
 
 // CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. Returns the key itself, which cannot be retrieved again
+// can be created. It returns the secret key itself, which cannot be retrieved again
 // later, and the key metadata.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *Key, error) {
+//
+// To create a key with a specific expiry, use CreateKeyWithExpiry.
+func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
+	return c.CreateKeyWithExpiry(ctx, caps, 0)
+}
+
+// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
+//
+// The time is truncated to a whole number of seconds. If zero, that means no expiration.
+func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
+
+	// convert expirySeconds to an int64 (seconds)
+	expirySeconds := int64(expiry.Seconds())
+	if expirySeconds < 0 {
+		return "", nil, fmt.Errorf("expiry must be positive")
+	}
+	if expirySeconds == 0 && expiry != 0 {
+		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
+	}
+
 	keyRequest := struct {
-		Capabilities KeyCapabilities `json:"capabilities"`
-	}{caps}
+		Capabilities  KeyCapabilities `json:"capabilities"`
+		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
+	}{caps, int64(expirySeconds)}
 	bs, err := json.Marshal(keyRequest)
 	if err != nil {
 		return "", nil, err

client/tailscale/localclient.go

@@ -96,8 +96,9 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 		// a TCP server on a random port, find the random port. For HTTP connections,
 		// we don't send the token. It gets added in an HTTP Basic-Auth header.
 		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
+			// We use 127.0.0.1 and not "localhost" (issue 7851).
 			var d net.Dialer
-			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
+			return d.DialContext(ctx, "tcp", "127.0.0.1:"+strconv.Itoa(port))
 		}
 	}
 	s := safesocket.DefaultConnectionStrategy(lc.socket())
@@ -258,6 +259,28 @@ func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
 	return lc.get200(ctx, "/localapi/v0/metrics")
 }
 
+// IncrementCounter increments the value of a Tailscale daemon's counter
+// metric by the given delta. If the metric has yet to exist, a new counter
+// metric is created and initialized to delta.
+//
+// IncrementCounter does not support gauge metrics or negative delta values.
+func (lc *LocalClient) IncrementCounter(ctx context.Context, name string, delta int) error {
+	type metricUpdate struct {
+		Name  string `json:"name"`
+		Type  string `json:"type"`
+		Value int    `json:"value"` // amount to increment by
+	}
+	if delta < 0 {
+		return errors.New("negative delta not allowed")
+	}
+	_, err := lc.send(ctx, "POST", "/localapi/v0/upload-client-metrics", 200, jsonBody([]metricUpdate{{
+		Name:  name,
+		Type:  "counter",
+		Value: delta,
+	}}))
+	return err
+}
+
 // TailDaemonLogs returns a stream the Tailscale daemon's logs as they arrive.
 // Close the context to stop the stream.
 func (lc *LocalClient) TailDaemonLogs(ctx context.Context) (io.Reader, error) {
@@ -806,11 +829,25 @@ func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn str
 	return "", false
 }
 
+// PingOpts contains options for the ping request.
+//
+// The zero value is valid, which means to use defaults.
+type PingOpts struct {
+	// Size is the length of the ping message in bytes. It's ignored if it's
+	// smaller than the minimum message size.
+	//
+	// For disco pings, it specifies the length of the packet's payload. That
+	// is, it includes the disco headers and message, but not the IP and UDP
+	// headers.
+	Size int
+}
+
 // Ping sends a ping of the provided type to the provided IP and waits
-// for its response.
-func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
+// for its response. The opts type specifies additional options.
+func (lc *LocalClient) PingWithOpts(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType, opts PingOpts) (*ipnstate.PingResult, error) {
 	v := url.Values{}
 	v.Set("ip", ip.String())
+	v.Set("size", strconv.Itoa(opts.Size))
 	v.Set("type", string(pingtype))
 	body, err := lc.send(ctx, "POST", "/localapi/v0/ping?"+v.Encode(), 200, nil)
 	if err != nil {
@@ -819,6 +856,12 @@ func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg
 	return decodeJSON[*ipnstate.PingResult](body)
 }
 
+// Ping sends a ping of the provided type to the provided IP and waits
+// for its response.
+func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
+	return lc.PingWithOpts(ctx, ip, pingtype, PingOpts{})
+}
+
 // NetworkLockStatus fetches information about the tailnet key authority, if one is configured.
 func (lc *LocalClient) NetworkLockStatus(ctx context.Context) (*ipnstate.NetworkLockStatus, error) {
 	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/status", 200, nil)
@@ -945,6 +988,57 @@ func (lc *LocalClient) NetworkLockForceLocalDisable(ctx context.Context) error {
 	return nil
 }
 
+// NetworkLockVerifySigningDeeplink verifies the network lock deeplink contained
+// in url and returns information extracted from it.
+func (lc *LocalClient) NetworkLockVerifySigningDeeplink(ctx context.Context, url string) (*tka.DeeplinkValidationResult, error) {
+	vr := struct {
+		URL string
+	}{url}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/verify-deeplink", 200, jsonBody(vr))
+	if err != nil {
+		return nil, fmt.Errorf("sending verify-deeplink: %w", err)
+	}
+
+	return decodeJSON[*tka.DeeplinkValidationResult](body)
+}
+
+// NetworkLockGenRecoveryAUM generates an AUM for recovering from a tailnet-lock key compromise.
+func (lc *LocalClient) NetworkLockGenRecoveryAUM(ctx context.Context, removeKeys []tkatype.KeyID, forkFrom tka.AUMHash) ([]byte, error) {
+	vr := struct {
+		Keys     []tkatype.KeyID
+		ForkFrom string
+	}{removeKeys, forkFrom.String()}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/generate-recovery-aum", 200, jsonBody(vr))
+	if err != nil {
+		return nil, fmt.Errorf("sending generate-recovery-aum: %w", err)
+	}
+
+	return body, nil
+}
+
+// NetworkLockCosignRecoveryAUM co-signs a recovery AUM using the node's tailnet lock key.
+func (lc *LocalClient) NetworkLockCosignRecoveryAUM(ctx context.Context, aum tka.AUM) ([]byte, error) {
+	r := bytes.NewReader(aum.Serialize())
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/cosign-recovery-aum", 200, r)
+	if err != nil {
+		return nil, fmt.Errorf("sending cosign-recovery-aum: %w", err)
+	}
+
+	return body, nil
+}
+
+// NetworkLockSubmitRecoveryAUM submits a recovery AUM to the control plane.
+func (lc *LocalClient) NetworkLockSubmitRecoveryAUM(ctx context.Context, aum tka.AUM) error {
+	r := bytes.NewReader(aum.Serialize())
+	_, err := lc.send(ctx, "POST", "/localapi/v0/tka/submit-recovery-aum", 200, r)
+	if err != nil {
+		return fmt.Errorf("sending cosign-recovery-aum: %w", err)
+	}
+	return nil
+}
+
 // SetServeConfig sets or replaces the serving settings.
 // If config is nil, settings are cleared and serving is disabled.
 func (lc *LocalClient) SetServeConfig(ctx context.Context, config *ipn.ServeConfig) error {
@@ -1072,6 +1166,27 @@ func (lc *LocalClient) DeleteProfile(ctx context.Context, profile ipn.ProfileID)
 	return err
 }
 
+// QueryFeature makes a request for instructions on how to enable
+// a feature, such as Funnel, for the node's tailnet. If relevant,
+// this includes a control server URL the user can visit to enable
+// the feature.
+//
+// If you are looking to use QueryFeature, you'll likely want to
+// use cli.enableFeatureInteractive instead, which handles the logic
+// of wraping QueryFeature and translating its response into an
+// interactive flow for the user, including using the IPN notify bus
+// to block until the feature has been enabled.
+//
+// 2023-08-09: Valid feature values are "serve" and "funnel".
+func (lc *LocalClient) QueryFeature(ctx context.Context, feature string) (*tailcfg.QueryFeatureResponse, error) {
+	v := url.Values{"feature": {feature}}
+	body, err := lc.send(ctx, "POST", "/localapi/v0/query-feature?"+v.Encode(), 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error %w: %s", err, body)
+	}
+	return decodeJSON[*tailcfg.QueryFeatureResponse](body)
+}
+
 func (lc *LocalClient) DebugDERPRegion(ctx context.Context, regionIDOrCode string) (*ipnstate.DebugDERPRegionReport, error) {
 	v := url.Values{"region": {regionIDOrCode}}
 	body, err := lc.send(ctx, "POST", "/localapi/v0/debug-derp-region?"+v.Encode(), 200, nil)
@@ -1101,7 +1216,6 @@ func (lc *LocalClient) StreamDebugCapture(ctx context.Context) (io.ReadCloser, e
 	}
 	res, err := lc.doLocalRequestNiceError(req)
 	if err != nil {
-		res.Body.Close()
 		return nil, err
 	}
 	if res.StatusCode != 200 {

client/tailscale/required_version.go

@@ -1,10 +1,10 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !go1.20
+//go:build !go1.21
 
 package tailscale
 
 func init() {
-	you_need_Go_1_20_to_compile_Tailscale()
+	you_need_Go_1_21_to_compile_Tailscale()
 }

client/web/dev.go

@@ -0,0 +1,75 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package web
+
+import (
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+)
+
+// startDevServer starts the JS dev server that does on-demand rebuilding
+// and serving of web client JS and CSS resources.
+func (s *Server) startDevServer() (cleanup func()) {
+	root := gitRootDir()
+	webClientPath := filepath.Join(root, "client", "web")
+
+	yarn := filepath.Join(root, "tool", "yarn")
+	node := filepath.Join(root, "tool", "node")
+	vite := filepath.Join(webClientPath, "node_modules", ".bin", "vite")
+
+	log.Printf("installing JavaScript deps using %s... (might take ~30s)", yarn)
+	out, err := exec.Command(yarn, "--non-interactive", "-s", "--cwd", webClientPath, "install").CombinedOutput()
+	if err != nil {
+		log.Fatalf("error running tailscale web's yarn install: %v, %s", err, out)
+	}
+	log.Printf("starting JavaScript dev server...")
+	cmd := exec.Command(node, vite)
+	cmd.Dir = webClientPath
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Start(); err != nil {
+		log.Fatalf("Starting JS dev server: %v", err)
+	}
+	log.Printf("JavaScript dev server running as pid %d", cmd.Process.Pid)
+	return func() {
+		cmd.Process.Signal(os.Interrupt)
+		err := cmd.Wait()
+		log.Printf("JavaScript dev server exited: %v", err)
+	}
+}
+
+func (s *Server) addProxyToDevServer() {
+	if !s.devMode {
+		return // only using Vite proxy in dev mode
+	}
+	// We use Vite to develop on the web client.
+	// Vite starts up its own local server for development,
+	// which we proxy requests to from Server.ServeHTTP.
+	// Here we set up the proxy to Vite's server.
+	handleErr := func(w http.ResponseWriter, r *http.Request, err error) {
+		w.Header().Set("Content-Type", "text/plain")
+		w.WriteHeader(http.StatusBadGateway)
+		w.Write([]byte("The web client development server isn't running. " +
+			"Run `./tool/yarn --cwd client/web start` from " +
+			"the repo root to start the development server."))
+		w.Write([]byte("\n\nError: " + err.Error()))
+	}
+	viteTarget, _ := url.Parse("http://127.0.0.1:4000")
+	s.devProxy = httputil.NewSingleHostReverseProxy(viteTarget)
+	s.devProxy.ErrorHandler = handleErr
+}
+
+func gitRootDir() string {
+	top, err := exec.Command("git", "rev-parse", "--show-toplevel").Output()
+	if err != nil {
+		log.Fatalf("failed to find git top level (not in corp git?): %v", err)
+	}
+	return strings.TrimSpace(string(top))
+}

client/web/index.html

@@ -0,0 +1,29 @@
+<!doctype html>
+<html class="bg-gray-50">
+  <head>
+    <title>Tailscale</title>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link rel="shortcut icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
+    <link rel="stylesheet" type="text/css" href="/src/index.css" />
+  </head>
+  <body>
+    <div class="min-h-screen py-10 flex justify-center items-center" style="display: none">
+      <div class="max-w-md">
+        <h3 class="font-semibold text-lg mb-4">Your web browser is unsupported.</h3>
+        <p class="mb-2">
+          Update to a modern browser to access the Tailscale web client. You can use
+          <a class="link" href="https://www.mozilla.org/en-US/firefox/new/" target="_blank">Firefox</a>,
+          <a class="link" href="https://www.microsoft.com/en-us/edge" target="_blank">Edge</a>,
+          <a class="link" href="https://www.apple.com/safari/" target="_blank">Safari</a>,
+          or <a class="link" href="https://www.google.com/chrome/" target="_blank">Chrome</a>.</p>
+        <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a></p>
+      </div>
+    </div>
+    <noscript>
+      <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
+      <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
+    </noscript>
+    <script type="module" src="/src/index.tsx"></script>
+  </body>
+</html>

client/web/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "webclient",
+  "version": "0.0.1",
+  "license": "BSD-3-Clause",
+  "engines": {
+    "node": "18.16.1",
+    "yarn": "1.22.19"
+  },
+  "private": true,
+  "dependencies": {
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0"
+  },
+  "devDependencies": {
+    "@types/react": "^18.0.20",
+    "@types/react-dom": "^18.0.6",
+    "@vitejs/plugin-react-swc": "^3.3.2",
+    "autoprefixer": "^10.4.15",
+    "postcss": "^8.4.27",
+    "prettier": "^2.5.1",
+    "prettier-plugin-organize-imports": "^3.2.2",
+    "tailwindcss": "^3.3.3",
+    "typescript": "^4.7.4",
+    "vite": "^4.3.9",
+    "vite-plugin-rewrite-all": "^1.0.1",
+    "vite-plugin-svgr": "^3.2.0",
+    "vite-tsconfig-paths": "^3.5.0",
+    "vitest": "^0.32.0"
+  },
+  "scripts": {
+    "build": "vite build",
+    "start": "vite",
+    "lint": "tsc --noEmit",
+    "test": "vitest",
+    "format": "prettier --write 'src/**/*.{ts,tsx}'",
+    "format-check": "prettier --check 'src/**/*.{ts,tsx}'"
+  },
+  "prettier": {
+    "semi": false,
+    "printWidth": 80
+  }
+}

client/web/postcss.config.js

@@ -0,0 +1,6 @@
+module.exports = {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {},
+  },
+}

client/web/src/components/app.tsx

@@ -0,0 +1,25 @@
+import React from "react"
+import { Footer, Header, IP, State } from "src/components/legacy"
+import useNodeData from "src/hooks/node-data"
+
+export default function App() {
+  const data = useNodeData()
+
+  return (
+    <div className="py-14">
+      {!data ? (
+        // TODO(sonia): add a loading view
+        <div className="text-center">Loading...</div>
+      ) : (
+        <>
+          <main className="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
+            <Header data={data} />
+            <IP data={data} />
+            <State data={data} />
+          </main>
+          <Footer data={data} />
+        </>
+      )}
+    </div>
+  )
+}

client/web/src/components/legacy.tsx

@@ -0,0 +1,272 @@
+import React from "react"
+import { NodeData } from "src/hooks/node-data"
+
+// TODO(tailscale/corp#13775): legacy.tsx contains a set of components
+// that (crudely) implement the pre-2023 web client. These are implemented
+// purely to ease migration to the new React-based web client, and will
+// eventually be completely removed.
+
+export function Header(props: { data: NodeData }) {
+  const { data } = props
+
+  return (
+    <header className="flex justify-between items-center min-width-0 py-2 mb-8">
+      <svg
+        width="26"
+        height="26"
+        viewBox="0 0 23 23"
+        fill="none"
+        xmlns="http://www.w3.org/2000/svg"
+        className="flex-shrink-0 mr-4"
+      >
+        <circle
+          opacity="0.2"
+          cx="3.4"
+          cy="3.25"
+          r="2.7"
+          fill="currentColor"
+        ></circle>
+        <circle cx="3.4" cy="11.3" r="2.7" fill="currentColor"></circle>
+        <circle
+          opacity="0.2"
+          cx="3.4"
+          cy="19.5"
+          r="2.7"
+          fill="currentColor"
+        ></circle>
+        <circle cx="11.5" cy="11.3" r="2.7" fill="currentColor"></circle>
+        <circle cx="11.5" cy="19.5" r="2.7" fill="currentColor"></circle>
+        <circle
+          opacity="0.2"
+          cx="11.5"
+          cy="3.25"
+          r="2.7"
+          fill="currentColor"
+        ></circle>
+        <circle
+          opacity="0.2"
+          cx="19.5"
+          cy="3.25"
+          r="2.7"
+          fill="currentColor"
+        ></circle>
+        <circle cx="19.5" cy="11.3" r="2.7" fill="currentColor"></circle>
+        <circle
+          opacity="0.2"
+          cx="19.5"
+          cy="19.5"
+          r="2.7"
+          fill="currentColor"
+        ></circle>
+      </svg>
+      <div className="flex items-center justify-end space-x-2 w-2/3">
+        {data.Profile && (
+          <>
+            <div className="text-right w-full leading-4">
+              <h4 className="truncate leading-normal">
+                {data.Profile.LoginName}
+              </h4>
+              <div className="text-xs text-gray-500 text-right">
+                <a href="#" className="hover:text-gray-700 js-loginButton">
+                  Switch account
+                </a>{" "}
+                |{" "}
+                <a href="#" className="hover:text-gray-700 js-loginButton">
+                  Reauthenticate
+                </a>{" "}
+                |{" "}
+                <a href="#" className="hover:text-gray-700 js-logoutButton">
+                  Logout
+                </a>
+              </div>
+            </div>
+            <div className="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
+              {data.Profile.ProfilePicURL ? (
+                <div
+                  className="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
+                  style={{
+                    backgroundImage: `url(${data.Profile.ProfilePicURL})`,
+                    backgroundSize: "cover",
+                  }}
+                />
+              ) : (
+                <div className="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed" />
+              )}
+            </div>
+          </>
+        )}
+      </div>
+    </header>
+  )
+}
+
+export function IP(props: { data: NodeData }) {
+  const { data } = props
+
+  if (!data.IP) {
+    return null
+  }
+
+  return (
+    <>
+      <div className="border border-gray-200 bg-gray-50 rounded-md p-2 pl-3 pr-3 width-full flex items-center justify-between">
+        <div className="flex items-center min-width-0">
+          <svg
+            className="flex-shrink-0 text-gray-600 mr-3 ml-1"
+            xmlns="http://www.w3.org/2000/svg"
+            width="20"
+            height="20"
+            viewBox="0 0 24 24"
+            fill="none"
+            stroke="currentColor"
+            strokeWidth="2"
+            strokeLinecap="round"
+            strokeLinejoin="round"
+          >
+            <rect x="2" y="2" width="20" height="8" rx="2" ry="2"></rect>
+            <rect x="2" y="14" width="20" height="8" rx="2" ry="2"></rect>
+            <line x1="6" y1="6" x2="6.01" y2="6"></line>
+            <line x1="6" y1="18" x2="6.01" y2="18"></line>
+          </svg>
+          <div>
+            <h4 className="font-semibold truncate mr-2">{data.DeviceName}</h4>
+          </div>
+        </div>
+        <h5>{data.IP}</h5>
+      </div>
+      <p className="mt-1 ml-1 mb-6 text-xs text-gray-600">
+        Debug info: Tailscale {data.IPNVersion}, tun={data.TUNMode.toString()}
+        {data.IsSynology && (
+          <>
+            , DSM{data.DSMVersion}
+            {data.TUNMode || (
+              <>
+                {" "}
+                (
+                <a
+                  href="https://tailscale.com/kb/1152/synology-outbound/"
+                  className="link-underline text-gray-600"
+                  target="_blank"
+                  aria-label="Configure outbound synology traffic"
+                  rel="noopener noreferrer"
+                >
+                  outgoing access not configured
+                </a>
+                )
+              </>
+            )}
+          </>
+        )}
+      </p>
+    </>
+  )
+}
+
+export function State(props: { data: NodeData }) {
+  const { data } = props
+
+  switch (data.Status) {
+    case "NeedsLogin":
+    case "NoState":
+      if (data.IP) {
+        return (
+          <>
+            <div className="mb-6">
+              <p className="text-gray-700">
+                Your device's key has expired. Reauthenticate this device by
+                logging in again, or{" "}
+                <a
+                  href="https://tailscale.com/kb/1028/key-expiry"
+                  className="link"
+                  target="_blank"
+                >
+                  learn more
+                </a>
+                .
+              </p>
+            </div>
+            <a href="#" className="mb-4 js-loginButton" target="_blank">
+              <button className="button button-blue w-full">
+                Reauthenticate
+              </button>
+            </a>
+          </>
+        )
+      } else {
+        return (
+          <>
+            <div className="mb-6">
+              <h3 className="text-3xl font-semibold mb-3">Log in</h3>
+              <p className="text-gray-700">
+                Get started by logging in to your Tailscale network.
+                Or,&nbsp;learn&nbsp;more at{" "}
+                <a
+                  href="https://tailscale.com/"
+                  className="link"
+                  target="_blank"
+                >
+                  tailscale.com
+                </a>
+                .
+              </p>
+            </div>
+            <a href="#" className="mb-4 js-loginButton" target="_blank">
+              <button className="button button-blue w-full">Log In</button>
+            </a>
+          </>
+        )
+      }
+    case "NeedsMachineAuth":
+      return (
+        <div className="mb-4">
+          This device is authorized, but needs approval from a network admin
+          before it can connect to the network.
+        </div>
+      )
+    default:
+      return (
+        <>
+          <div className="mb-4">
+            <p>
+              You are connected! Access this device over Tailscale using the
+              device name or IP address above.
+            </p>
+          </div>
+          <div className="mb-4">
+            <a href="#" className="mb-4 js-advertiseExitNode">
+              {data.AdvertiseExitNode ? (
+                <button
+                  className="button button-red button-medium"
+                  id="enabled"
+                >
+                  Stop advertising Exit Node
+                </button>
+              ) : (
+                <button
+                  className="button button-blue button-medium"
+                  id="enabled"
+                >
+                  Advertise as Exit Node
+                </button>
+              )}
+            </a>
+          </div>
+        </>
+      )
+  }
+}
+
+export function Footer(props: { data: NodeData }) {
+  const { data } = props
+
+  return (
+    <footer className="container max-w-lg mx-auto text-center">
+      <a
+        className="text-xs text-gray-500 hover:text-gray-600"
+        href={data.LicensesURL}
+      >
+        Open Source Licenses
+      </a>
+    </footer>
+  )
+}

client/web/src/hooks/node-data.ts

@@ -0,0 +1,37 @@
+import { useEffect, useState } from "react"
+
+export type NodeData = {
+  Profile: UserProfile
+  Status: string
+  DeviceName: string
+  IP: string
+  AdvertiseExitNode: boolean
+  AdvertiseRoutes: string
+  LicensesURL: string
+  TUNMode: boolean
+  IsSynology: boolean
+  DSMVersion: number
+  IsUnraid: boolean
+  UnraidToken: string
+  IPNVersion: string
+}
+
+export type UserProfile = {
+  LoginName: string
+  DisplayName: string
+  ProfilePicURL: string
+}
+
+// useNodeData returns basic data about the current node.
+export default function useNodeData() {
+  const [data, setData] = useState<NodeData>()
+
+  useEffect(() => {
+    fetch("/api/data")
+      .then((response) => response.json())
+      .then((json) => setData(json))
+      .catch((error) => console.error(error))
+  }, [])
+
+  return data
+}

client/web/src/index.css

@@ -0,0 +1,130 @@
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+
+/**
+ * Non-Tailwind styles begin here.
+ */
+
+.bg-gray-0 {
+  --tw-bg-opacity: 1;
+  background-color: rgba(250, 249, 248, var(--tw-bg-opacity));
+}
+
+.bg-gray-50 {
+  --tw-bg-opacity: 1;
+  background-color: rgba(249, 247, 246, var(--tw-bg-opacity));
+}
+
+html {
+  letter-spacing: -0.015em;
+  text-rendering: optimizeLegibility;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+.link {
+  --text-opacity: 1;
+  color: #4b70cc;
+  color: rgba(75, 112, 204, var(--text-opacity));
+}
+
+.link:hover,
+.link:active {
+  --text-opacity: 1;
+  color: #19224a;
+  color: rgba(25, 34, 74, var(--text-opacity));
+}
+
+.link-underline {
+  text-decoration: underline;
+}
+
+.link-underline:hover,
+.link-underline:active {
+  text-decoration: none;
+}
+
+.link-muted {
+  /* same as text-gray-500 */
+  --tw-text-opacity: 1;
+  color: rgba(112, 110, 109, var(--tw-text-opacity));
+}
+
+.link-muted:hover,
+.link-muted:active {
+  /* same as text-gray-500 */
+  --tw-text-opacity: 1;
+  color: rgba(68, 67, 66, var(--tw-text-opacity));
+}
+
+.button {
+  font-weight: 500;
+  padding-top: 0.45rem;
+  padding-bottom: 0.45rem;
+  padding-left: 1rem;
+  padding-right: 1rem;
+  border-radius: 0.375rem;
+  border-width: 1px;
+  border-color: transparent;
+  transition-property: background-color, border-color, color, box-shadow;
+  transition-duration: 120ms;
+  box-shadow: 0 1px 1px rgba(0, 0, 0, 0.04);
+  min-width: 80px;
+}
+
+.button:focus {
+  outline: 0;
+  box-shadow: 0 0 0 3px rgba(66, 153, 225, 0.5);
+}
+
+.button:disabled {
+  cursor: not-allowed;
+  -webkit-user-select: none;
+  -ms-user-select: none;
+  user-select: none;
+}
+
+.button-blue {
+  --bg-opacity: 1;
+  background-color: #4b70cc;
+  background-color: rgba(75, 112, 204, var(--bg-opacity));
+  --border-opacity: 1;
+  border-color: #4b70cc;
+  border-color: rgba(75, 112, 204, var(--border-opacity));
+  --text-opacity: 1;
+  color: #fff;
+  color: rgba(255, 255, 255, var(--text-opacity));
+}
+
+.button-blue:enabled:hover {
+  --bg-opacity: 1;
+  background-color: #3f5db3;
+  background-color: rgba(63, 93, 179, var(--bg-opacity));
+  --border-opacity: 1;
+  border-color: #3f5db3;
+  border-color: rgba(63, 93, 179, var(--border-opacity));
+}
+
+.button-blue:disabled {
+  --text-opacity: 1;
+  color: #cedefd;
+  color: rgba(206, 222, 253, var(--text-opacity));
+  --bg-opacity: 1;
+  background-color: #6c94ec;
+  background-color: rgba(108, 148, 236, var(--bg-opacity));
+  --border-opacity: 1;
+  border-color: #6c94ec;
+  border-color: rgba(108, 148, 236, var(--border-opacity));
+}
+
+.button-red {
+  background-color: #d04841;
+  border-color: #d04841;
+  color: #fff;
+}
+
+.button-red:enabled:hover {
+  background-color: #b22d30;
+  border-color: #b22d30;
+}

client/web/src/index.tsx

@@ -0,0 +1,16 @@
+import React from "react"
+import { createRoot } from "react-dom/client"
+import App from "src/components/app"
+
+const rootEl = document.createElement("div")
+rootEl.id = "app-root"
+rootEl.classList.add("relative", "z-0")
+document.body.append(rootEl)
+
+const root = createRoot(rootEl)
+
+root.render(
+  <React.StrictMode>
+    <App />
+  </React.StrictMode>
+)

client/web/tailwind.config.js

@@ -0,0 +1,12 @@
+/** @type {import('tailwindcss').Config} */
+module.exports = {
+  content: [
+    "./index.html",
+    "./src/**/*.{js,ts,jsx,tsx}",
+  ],
+  theme: {
+    extend: {},
+  },
+  plugins: [],
+}
+

client/web/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "baseUrl": ".",
+    "target": "ES2017",
+    "module": "ES2020",
+    "strict": true,
+    "sourceMap": true,
+    "isolatedModules": true,
+    "moduleResolution": "node",
+    "forceConsistentCasingInFileNames": true,
+    "allowSyntheticDefaultImports": true,
+    "jsx": "react",
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules"]
+}

client/web/vite.config.ts

@@ -0,0 +1,69 @@
+/// <reference types="vitest" />
+import { createLogger, defineConfig } from "vite"
+import rewrite from "vite-plugin-rewrite-all"
+import svgr from "vite-plugin-svgr"
+import paths from "vite-tsconfig-paths"
+
+// Use a custom logger that filters out Vite's logging of server URLs, since
+// they are an attractive nuisance (we run a proxy in front of Vite, and the
+// tailscale web client should be accessed through that).
+// Unfortunately there's no option to disable this logging, so the best we can
+// do it to ignore calls from a specific function.
+const filteringLogger = createLogger(undefined, { allowClearScreen: false })
+const originalInfoLog = filteringLogger.info
+filteringLogger.info = (...args) => {
+  if (new Error("ignored").stack?.includes("printServerUrls")) {
+    return
+  }
+  originalInfoLog.apply(filteringLogger, args)
+}
+
+// https://vitejs.dev/config/
+export default defineConfig({
+  base: "/",
+  plugins: [
+    paths(),
+    svgr(),
+    // By default, the Vite dev server doesn't handle dots
+    // in path names and treats them as static files.
+    // This plugin changes Vite's routing logic to fix this.
+    // See: https://github.com/vitejs/vite/issues/2415
+    rewrite(),
+  ],
+  build: {
+    outDir: "build",
+    sourcemap: true,
+  },
+  esbuild: {
+    logOverride: {
+      // Silence a warning about `this` being undefined in ESM when at the
+      // top-level. The way JSX is transpiled causes this to happen, but it
+      // isn't a problem.
+      // See: https://github.com/vitejs/vite/issues/8644
+      "this-is-undefined-in-esm": "silent",
+    },
+  },
+  server: {
+    // This needs to be 127.0.0.1 instead of localhost, because of how our
+    // Go proxy connects to it.
+    host: "127.0.0.1",
+    // If you change the port, be sure to update the proxy in adminhttp.go too.
+    port: 4000,
+    // Don't proxy the WebSocket connection used for live reloading by running
+    // it on a separate port.
+    hmr: {
+      protocol: "ws",
+      port: 4001,
+    },
+  },
+  test: {
+    exclude: ["**/node_modules/**", "**/dist/**"],
+    testTimeout: 20000,
+    environment: "jsdom",
+    deps: {
+      inline: ["date-fns", /\.wasm\?url$/],
+    },
+  },
+  clearScreen: false,
+  customLogger: filteringLogger,
+})

client/web/web.go

@@ -0,0 +1,529 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package web provides the Tailscale client for web.
+package web
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	_ "embed"
+	"encoding/json"
+	"encoding/xml"
+	"fmt"
+	"html/template"
+	"io"
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"net/netip"
+	"net/url"
+	"os"
+	"os/exec"
+	"strings"
+
+	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/licenses"
+	"tailscale.com/net/netutil"
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/groupmember"
+	"tailscale.com/util/httpm"
+	"tailscale.com/version/distro"
+)
+
+//go:embed web.html
+var webHTML string
+
+//go:embed web.css
+var webCSS string
+
+//go:embed auth-redirect.html
+var authenticationRedirectHTML string
+
+var tmpl *template.Template
+
+// Server is the backend server for a Tailscale web client.
+type Server struct {
+	lc *tailscale.LocalClient
+
+	devMode  bool
+	devProxy *httputil.ReverseProxy // only filled when devMode is on
+}
+
+// NewServer constructs a new Tailscale web client server.
+//
+// lc is an optional parameter. When not filled, NewServer
+// initializes its own tailscale.LocalClient.
+func NewServer(devMode bool, lc *tailscale.LocalClient) (s *Server, cleanup func()) {
+	if lc == nil {
+		lc = &tailscale.LocalClient{}
+	}
+	s = &Server{
+		devMode: devMode,
+		lc:      lc,
+	}
+	cleanup = func() {}
+	if s.devMode {
+		cleanup = s.startDevServer()
+		s.addProxyToDevServer()
+	}
+	return s, cleanup
+}
+
+func init() {
+	tmpl = template.Must(template.New("web.html").Parse(webHTML))
+	template.Must(tmpl.New("web.css").Parse(webCSS))
+}
+
+// authorize returns the name of the user accessing the web UI after verifying
+// whether the user has access to the web UI. The function will write the
+// error to the provided http.ResponseWriter.
+// Note: This is different from a tailscale user, and is typically the local
+// user on the node.
+func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
+	switch distro.Get() {
+	case distro.Synology:
+		user, err := synoAuthn()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return "", err
+		}
+		if err := authorizeSynology(user); err != nil {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return "", err
+		}
+		return user, nil
+	case distro.QNAP:
+		user, resp, err := qnapAuthn(r)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return "", err
+		}
+		if resp.IsAdmin == 0 {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return "", err
+		}
+		return user, nil
+	}
+	return "", nil
+}
+
+// authorizeSynology checks whether the provided user has access to the web UI
+// by consulting the membership of the "administrators" group.
+func authorizeSynology(name string) error {
+	yes, err := groupmember.IsMemberOfGroup("administrators", name)
+	if err != nil {
+		return err
+	}
+	if !yes {
+		return fmt.Errorf("not a member of administrators group")
+	}
+	return nil
+}
+
+type qnapAuthResponse struct {
+	AuthPassed int    `xml:"authPassed"`
+	IsAdmin    int    `xml:"isAdmin"`
+	AuthSID    string `xml:"authSid"`
+	ErrorValue int    `xml:"errorValue"`
+}
+
+func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
+	user, err := r.Cookie("NAS_USER")
+	if err != nil {
+		return "", nil, err
+	}
+	token, err := r.Cookie("qtoken")
+	if err == nil {
+		return qnapAuthnQtoken(r, user.Value, token.Value)
+	}
+	sid, err := r.Cookie("NAS_SID")
+	if err == nil {
+		return qnapAuthnSid(r, user.Value, sid.Value)
+	}
+	return "", nil, fmt.Errorf("not authenticated by any mechanism")
+}
+
+// qnapAuthnURL returns the auth URL to use by inferring where the UI is
+// running based on the request URL. This is necessary because QNAP has so
+// many options, see https://github.com/tailscale/tailscale/issues/7108
+// and https://github.com/tailscale/tailscale/issues/6903
+func qnapAuthnURL(requestUrl string, query url.Values) string {
+	in, err := url.Parse(requestUrl)
+	scheme := ""
+	host := ""
+	if err != nil || in.Scheme == "" {
+		log.Printf("Cannot parse QNAP login URL %v", err)
+
+		// try localhost and hope for the best
+		scheme = "http"
+		host = "localhost"
+	} else {
+		scheme = in.Scheme
+		host = in.Host
+	}
+
+	u := url.URL{
+		Scheme:   scheme,
+		Host:     host,
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+
+	return u.String()
+}
+
+func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
+	query := url.Values{
+		"qtoken": []string{token},
+		"user":   []string{user},
+	}
+	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+}
+
+func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
+	query := url.Values{
+		"sid": []string{sid},
+	}
+	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+}
+
+func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
+	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
+	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
+	// SAN. See https://github.com/tailscale/tailscale/issues/6903
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr}
+	resp, err := client.Get(url)
+	if err != nil {
+		return "", nil, err
+	}
+	defer resp.Body.Close()
+	out, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", nil, err
+	}
+	authResp := &qnapAuthResponse{}
+	if err := xml.Unmarshal(out, authResp); err != nil {
+		return "", nil, err
+	}
+	if authResp.AuthPassed == 0 {
+		return "", nil, fmt.Errorf("not authenticated")
+	}
+	return user, authResp, nil
+}
+
+func synoAuthn() (string, error) {
+	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("auth: %v: %s", err, out)
+	}
+	return strings.TrimSpace(string(out)), nil
+}
+
+func authRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if distro.Get() == distro.Synology {
+		return synoTokenRedirect(w, r)
+	}
+	return false
+}
+
+func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if r.Header.Get("X-Syno-Token") != "" {
+		return false
+	}
+	if r.URL.Query().Get("SynoToken") != "" {
+		return false
+	}
+	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
+		return false
+	}
+	// We need a SynoToken for authenticate.cgi.
+	// So we tell the client to get one.
+	_, _ = fmt.Fprint(w, synoTokenRedirectHTML)
+	return true
+}
+
+const synoTokenRedirectHTML = `<html><body>
+Redirecting with session token...
+<script>
+var serverURL = window.location.protocol + "//" + window.location.host;
+var req = new XMLHttpRequest();
+req.overrideMimeType("application/json");
+req.open("GET", serverURL + "/webman/login.cgi", true);
+req.onload = function() {
+	var jsonResponse = JSON.parse(req.responseText);
+	var token = jsonResponse["SynoToken"];
+	document.location.href = serverURL + "/webman/3rdparty/Tailscale/?SynoToken=" + token;
+};
+req.send(null);
+</script>
+</body></html>
+`
+
+// ServeHTTP processes all requests for the Tailscale web client.
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if s.devMode {
+		if r.URL.Path == "/api/data" {
+			user, err := authorize(w, r)
+			if err != nil {
+				return
+			}
+			switch r.Method {
+			case httpm.GET:
+				s.serveGetNodeDataJSON(w, r, user)
+			case httpm.POST:
+				s.servePostNodeUpdate(w, r)
+			default:
+				http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			}
+			return
+		}
+		// When in dev mode, proxy to the Vite dev server.
+		s.devProxy.ServeHTTP(w, r)
+		return
+	}
+
+	if authRedirect(w, r) {
+		return
+	}
+
+	user, err := authorize(w, r)
+	if err != nil {
+		return
+	}
+
+	switch {
+	case r.URL.Path == "/redirect" || r.URL.Path == "/redirect/":
+		io.WriteString(w, authenticationRedirectHTML)
+		return
+	case r.Method == "POST":
+		s.servePostNodeUpdate(w, r)
+		return
+	default:
+		s.serveGetNodeData(w, r, user)
+		return
+	}
+}
+
+type nodeData struct {
+	Profile           tailcfg.UserProfile
+	SynologyUser      string
+	Status            string
+	DeviceName        string
+	IP                string
+	AdvertiseExitNode bool
+	AdvertiseRoutes   string
+	LicensesURL       string
+	TUNMode           bool
+	IsSynology        bool
+	DSMVersion        int // 6 or 7, if IsSynology=true
+	IsUnraid          bool
+	UnraidToken       string
+	IPNVersion        string
+}
+
+func (s *Server) getNodeData(ctx context.Context, user string) (*nodeData, error) {
+	st, err := s.lc.Status(ctx)
+	if err != nil {
+		return nil, err
+	}
+	prefs, err := s.lc.GetPrefs(ctx)
+	if err != nil {
+		return nil, err
+	}
+	profile := st.User[st.Self.UserID]
+	deviceName := strings.Split(st.Self.DNSName, ".")[0]
+	versionShort := strings.Split(st.Version, "-")[0]
+	data := &nodeData{
+		SynologyUser: user,
+		Profile:      profile,
+		Status:       st.BackendState,
+		DeviceName:   deviceName,
+		LicensesURL:  licenses.LicensesURL(),
+		TUNMode:      st.TUN,
+		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
+		DSMVersion:   distro.DSMVersion(),
+		IsUnraid:     distro.Get() == distro.Unraid,
+		UnraidToken:  os.Getenv("UNRAID_CSRF_TOKEN"),
+		IPNVersion:   versionShort,
+	}
+	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
+	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
+	for _, r := range prefs.AdvertiseRoutes {
+		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
+			data.AdvertiseExitNode = true
+		} else {
+			if data.AdvertiseRoutes != "" {
+				data.AdvertiseRoutes += ","
+			}
+			data.AdvertiseRoutes += r.String()
+		}
+	}
+	if len(st.TailscaleIPs) != 0 {
+		data.IP = st.TailscaleIPs[0].String()
+	}
+	return data, nil
+}
+
+func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request, user string) {
+	data, err := s.getNodeData(r.Context(), user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	buf := new(bytes.Buffer)
+	if err := tmpl.Execute(buf, *data); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Write(buf.Bytes())
+}
+
+func (s *Server) serveGetNodeDataJSON(w http.ResponseWriter, r *http.Request, user string) {
+	data, err := s.getNodeData(r.Context(), user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if err := json.NewEncoder(w).Encode(*data); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	return
+}
+
+type nodeUpdate struct {
+	AdvertiseRoutes   string
+	AdvertiseExitNode bool
+	Reauthenticate    bool
+	ForceLogout       bool
+}
+
+func (s *Server) servePostNodeUpdate(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+
+	st, err := s.lc.Status(r.Context())
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	var postData nodeUpdate
+	type mi map[string]any
+	if err := json.NewDecoder(r.Body).Decode(&postData); err != nil {
+		w.WriteHeader(400)
+		json.NewEncoder(w).Encode(mi{"error": err.Error()})
+		return
+	}
+
+	routes, err := netutil.CalcAdvertiseRoutes(postData.AdvertiseRoutes, postData.AdvertiseExitNode)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		json.NewEncoder(w).Encode(mi{"error": err.Error()})
+		return
+	}
+	mp := &ipn.MaskedPrefs{
+		AdvertiseRoutesSet: true,
+		WantRunningSet:     true,
+	}
+	mp.Prefs.WantRunning = true
+	mp.Prefs.AdvertiseRoutes = routes
+	log.Printf("Doing edit: %v", mp.Pretty())
+
+	if _, err := s.lc.EditPrefs(r.Context(), mp); err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		json.NewEncoder(w).Encode(mi{"error": err.Error()})
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	var reauth, logout bool
+	if postData.Reauthenticate {
+		reauth = true
+	}
+	if postData.ForceLogout {
+		logout = true
+	}
+	log.Printf("tailscaleUp(reauth=%v, logout=%v) ...", reauth, logout)
+	url, err := s.tailscaleUp(r.Context(), st, postData)
+	log.Printf("tailscaleUp = (URL %v, %v)", url != "", err)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		json.NewEncoder(w).Encode(mi{"error": err.Error()})
+		return
+	}
+	if url != "" {
+		json.NewEncoder(w).Encode(mi{"url": url})
+	} else {
+		io.WriteString(w, "{}")
+	}
+	return
+}
+
+func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, postData nodeUpdate) (authURL string, retErr error) {
+	if postData.ForceLogout {
+		if err := s.lc.Logout(ctx); err != nil {
+			return "", fmt.Errorf("Logout error: %w", err)
+		}
+		return "", nil
+	}
+
+	origAuthURL := st.AuthURL
+	isRunning := st.BackendState == ipn.Running.String()
+
+	forceReauth := postData.Reauthenticate
+	if !forceReauth {
+		if origAuthURL != "" {
+			return origAuthURL, nil
+		}
+		if isRunning {
+			return "", nil
+		}
+	}
+
+	// printAuthURL reports whether we should print out the
+	// provided auth URL from an IPN notify.
+	printAuthURL := func(url string) bool {
+		return url != origAuthURL
+	}
+
+	watchCtx, cancelWatch := context.WithCancel(ctx)
+	defer cancelWatch()
+	watcher, err := s.lc.WatchIPNBus(watchCtx, 0)
+	if err != nil {
+		return "", err
+	}
+	defer watcher.Close()
+
+	go func() {
+		if !isRunning {
+			s.lc.Start(ctx, ipn.Options{})
+		}
+		if forceReauth {
+			s.lc.StartLoginInteractive(ctx)
+		}
+	}()
+
+	for {
+		n, err := watcher.Next()
+		if err != nil {
+			return "", err
+		}
+		if n.ErrMessage != nil {
+			msg := *n.ErrMessage
+			return "", fmt.Errorf("backend error: %v", msg)
+		}
+		if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
+			return *url, nil
+		}
+	}
+}

client/web/web.html

@@ -26,9 +26,9 @@
 			<circle opacity="0.2" cx="19.5" cy="19.5" r="2.7" fill="currentColor"></circle>
 		</svg>
 		<div class="flex items-center justify-end space-x-2 w-2/3">
-			{{ with .Profile.LoginName }}
+			{{ with .Profile }}
 			<div class="text-right w-full leading-4">
-				<h4 class="truncate leading-normal">{{.}}</h4>
+				<h4 class="truncate leading-normal">{{.LoginName}}</h4>
 				<div class="text-xs text-gray-500 text-right">
 					<a href="#" class="hover:text-gray-700 js-loginButton">Switch account</a> | <a href="#"
 						class="hover:text-gray-700 js-loginButton">Reauthenticate</a> | <a href="#"
@@ -116,10 +116,12 @@
 	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
 </footer>
 <script>(function () {
-const advertiseExitNode = {{.AdvertiseExitNode}};
+const advertiseExitNode = {{ .AdvertiseExitNode }};
+const isUnraid = {{ .IsUnraid }};
+const unraidCsrfToken = "{{ .UnraidToken }}";
 let fetchingUrl = false;
 var data = {
-	AdvertiseRoutes: "{{.AdvertiseRoutes}}",
+	AdvertiseRoutes: "{{ .AdvertiseRoutes }}",
 	AdvertiseExitNode: advertiseExitNode,
 	Reauthenticate: false,
 	ForceLogout: false
@@ -141,15 +143,27 @@ function postData(e) {
 	}
 	const nextUrl = new URL(window.location);
 	nextUrl.search = nextParams.toString()
-	const url = nextUrl.toString();
 
+	let body = JSON.stringify(data);
+	let contentType = "application/json";
+
+	if (isUnraid) {
+		const params = new URLSearchParams();
+		params.append("csrf_token", unraidCsrfToken);
+		params.append("ts_data", JSON.stringify(data));
+
+		body = params.toString();
+		contentType = "application/x-www-form-urlencoded;charset=UTF-8";
+	}
+
+	const url = nextUrl.toString();
 	fetch(url, {
 		method: "POST",
 		headers: {
 			"Accept": "application/json",
-			"Content-Type": "application/json",
+			"Content-Type": contentType,
 		},
-		body: JSON.stringify(data)
+		body: body
 	}).then(res => res.json()).then(res => {
 		fetchingUrl = false;
 		const err = res["error"];
@@ -158,7 +172,11 @@ function postData(e) {
 		}
 		const url = res["url"];
 		if (url) {
-			document.location.href = url;
+			if(isUnraid) {
+				window.open(url, "_blank");
+			} else {
+				document.location.href = url;
+			}
 		} else {
 			location.reload();
 		}

client/web/web_test.go

@@ -0,0 +1,64 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package web
+
+import (
+	"net/url"
+	"testing"
+)
+
+func TestQnapAuthnURL(t *testing.T) {
+	query := url.Values{
+		"qtoken": []string{"token"},
+	}
+	tests := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{
+			name: "localhost http",
+			in:   "http://localhost:8088/",
+			want: "http://localhost:8088/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "localhost https",
+			in:   "https://localhost:5000/",
+			want: "https://localhost:5000/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "IP http",
+			in:   "http://10.1.20.4:80/",
+			want: "http://10.1.20.4:80/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "IP6 https",
+			in:   "https://[ff7d:0:1:2::1]/",
+			want: "https://[ff7d:0:1:2::1]/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "hostname https",
+			in:   "https://qnap.example.com/",
+			want: "https://qnap.example.com/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "invalid URL",
+			in:   "This is not a URL, it is a really really really really really really really really really really really really long string to exercise the URL truncation code in the error path.",
+			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "err != nil",
+			in:   "http://192.168.0.%31/",
+			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u := qnapAuthnURL(tt.in, query)
+			if u != tt.want {
+				t.Errorf("expected url: %q, got: %q", tt.want, u)
+			}
+		})
+	}
+}

clientupdate/clientupdate.go

@@ -0,0 +1,998 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package clientupdate implements tailscale client update for all supported
+// platforms. This package can be used from both tailscaled and tailscale
+// binaries.
+package clientupdate
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"tailscale.com/hostinfo"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/must"
+	"tailscale.com/util/winutil"
+	"tailscale.com/version"
+	"tailscale.com/version/distro"
+)
+
+const (
+	CurrentTrack  = ""
+	StableTrack   = "stable"
+	UnstableTrack = "unstable"
+)
+
+func versionToTrack(v string) (string, error) {
+	_, rest, ok := strings.Cut(v, ".")
+	if !ok {
+		return "", fmt.Errorf("malformed version %q", v)
+	}
+	minorStr, _, ok := strings.Cut(rest, ".")
+	if !ok {
+		return "", fmt.Errorf("malformed version %q", v)
+	}
+	minor, err := strconv.Atoi(minorStr)
+	if err != nil {
+		return "", fmt.Errorf("malformed version %q", v)
+	}
+	if minor%2 == 0 {
+		return "stable", nil
+	}
+	return "unstable", nil
+}
+
+type updater struct {
+	UpdateArgs
+	track  string
+	update func() error
+}
+
+// UpdateArgs contains arguments needed to run an update.
+type UpdateArgs struct {
+	// Version can be a specific version number or one of the predefined track
+	// constants:
+	//
+	//   - CurrentTrack will use the latest version from the same track as the
+	//     running binary
+	//   - StableTrack and UnstableTrack will use the latest versions of the
+	//     corresponding tracks
+	//
+	// Leaving this empty is the same as using CurrentTrack.
+	Version string
+	// AppStore forces a local app store check, even if the current binary was
+	// not installed via an app store.
+	AppStore bool
+	// Logf is a logger for update progress messages.
+	Logf logger.Logf
+	// Confirm is called when a new version is available and should return true
+	// if this new version should be installed. When Confirm returns false, the
+	// update is aborted.
+	Confirm func(newVer string) bool
+}
+
+func (args UpdateArgs) validate() error {
+	if args.Confirm == nil {
+		return errors.New("missing Confirm callback in UpdateArgs")
+	}
+	if args.Logf == nil {
+		return errors.New("missing Logf callback in UpdateArgs")
+	}
+	return nil
+}
+
+// Update runs a single update attempt using the platform-specific mechanism.
+//
+// On Windows, this copies the calling binary and re-executes it to apply the
+// update. The calling binary should handle an "update" subcommand and call
+// this function again for the re-executed binary to proceed.
+func Update(args UpdateArgs) error {
+	if err := args.validate(); err != nil {
+		return err
+	}
+	up := &updater{
+		UpdateArgs: args,
+	}
+	switch up.Version {
+	case StableTrack, UnstableTrack:
+		up.track = up.Version
+	case CurrentTrack:
+		if version.IsUnstableBuild() {
+			up.track = UnstableTrack
+		} else {
+			up.track = StableTrack
+		}
+	default:
+		var err error
+		up.track, err = versionToTrack(args.Version)
+		if err != nil {
+			return err
+		}
+	}
+	switch runtime.GOOS {
+	case "windows":
+		up.update = up.updateWindows
+	case "linux":
+		switch distro.Get() {
+		case distro.Synology:
+			up.update = up.updateSynology
+		case distro.Debian: // includes Ubuntu
+			up.update = up.updateDebLike
+		case distro.Arch:
+			up.update = up.updateArchLike
+		case distro.Alpine:
+			up.update = up.updateAlpineLike
+		}
+		switch {
+		case haveExecutable("pacman"):
+			up.update = up.updateArchLike
+		case haveExecutable("apt-get"): // TODO(awly): add support for "apt"
+			// The distro.Debian switch case above should catch most apt-based
+			// systems, but add this fallback just in case.
+			up.update = up.updateDebLike
+		case haveExecutable("dnf"):
+			up.update = up.updateFedoraLike("dnf")
+		case haveExecutable("yum"):
+			up.update = up.updateFedoraLike("yum")
+		case haveExecutable("apk"):
+			up.update = up.updateAlpineLike
+		}
+	case "darwin":
+		switch {
+		case !args.AppStore && !version.IsSandboxedMacOS():
+			return errors.ErrUnsupported
+		case !args.AppStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
+			up.update = up.updateMacSys
+		default:
+			up.update = up.updateMacAppStore
+		}
+	case "freebsd":
+		up.update = up.updateFreeBSD
+	}
+	if up.update == nil {
+		return errors.ErrUnsupported
+	}
+	return up.update()
+}
+
+func (up *updater) confirm(ver string) bool {
+	if version.Short() == ver {
+		up.Logf("already running %v; no update needed", ver)
+		return false
+	}
+	if up.Confirm != nil {
+		return up.Confirm(ver)
+	}
+	return true
+}
+
+func (up *updater) updateSynology() error {
+	if up.Version != "" {
+		return errors.New("installing a specific version on Synology is not supported")
+	}
+
+	// Get the latest version and list of SPKs from pkgs.tailscale.com.
+	osName := fmt.Sprintf("dsm%d", distro.DSMVersion())
+	arch, err := synoArch(hostinfo.New())
+	if err != nil {
+		return err
+	}
+	latest, err := latestPackages(up.track)
+	if err != nil {
+		return err
+	}
+	if latest.Version == "" {
+		return fmt.Errorf("no latest version found for %q track", up.track)
+	}
+	spkName := latest.SPKs[osName][arch]
+	if spkName == "" {
+		return fmt.Errorf("cannot find Synology package for os=%s arch=%s, please report a bug with your device model", osName, arch)
+	}
+
+	if !up.confirm(latest.Version) {
+		return nil
+	}
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	// Download the SPK into a temporary directory.
+	spkDir, err := os.MkdirTemp("", "tailscale-update")
+	if err != nil {
+		return err
+	}
+	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/%s", up.track, spkName)
+	spkPath := filepath.Join(spkDir, path.Base(url))
+	// TODO(awly): we should sign SPKs and validate signatures here too.
+	if err := up.downloadURLToFile(url, spkPath); err != nil {
+		return err
+	}
+
+	// Install the SPK. Run via nohup to allow install to succeed when we're
+	// connected over tailscale ssh and this parent process dies. Otherwise, if
+	// you abort synopkg install mid-way, tailscaled is not restarted.
+	cmd := exec.Command("nohup", "synopkg", "install", spkPath)
+	// Don't attach cmd.Stdout to os.Stdout because nohup will redirect that
+	// into nohup.out file. synopkg doesn't have any progress output anyway, it
+	// just spits out a JSON result when done.
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("synopkg install failed: %w\noutput:\n%s", err, out)
+	}
+	return nil
+}
+
+// synoArch returns the Synology CPU architecture matching one of the SPK
+// architectures served from pkgs.tailscale.com.
+func synoArch(hinfo *tailcfg.Hostinfo) (string, error) {
+	// Most Synology boxes just use a different arch name from GOARCH.
+	arch := map[string]string{
+		"amd64": "x86_64",
+		"386":   "i686",
+		"arm64": "armv8",
+	}[hinfo.GoArch]
+	// Here's the fun part, some older ARM boxes require you to use SPKs
+	// specifically for their CPU.
+	//
+	// See https://github.com/SynoCommunity/spksrc/wiki/Synology-and-SynoCommunity-Package-Architectures
+	// for a complete list. Here, we override GOARCH for those older boxes that
+	// support at least DSM6.
+	//
+	// This is an artisanal hand-crafted list based on the wiki page. Some
+	// values may be wrong, since we don't have all those devices to actually
+	// test with.
+	switch hinfo.DeviceModel {
+	case "DS213air", "DS213", "DS413j",
+		"DS112", "DS112+", "DS212", "DS212+", "RS212", "RS812", "DS212j", "DS112j",
+		"DS111", "DS211", "DS211+", "DS411slim", "DS411", "RS411", "DS211j", "DS411j":
+		arch = "88f6281"
+	case "NVR1218", "NVR216", "VS960HD", "VS360HD":
+		arch = "hi3535"
+	case "DS1517", "DS1817", "DS416", "DS2015xs", "DS715", "DS1515", "DS215+":
+		arch = "alpine"
+	case "DS216se", "DS115j", "DS114", "DS214se", "DS414slim", "RS214", "DS14", "EDS14", "DS213j":
+		arch = "armada370"
+	case "DS115", "DS215j":
+		arch = "armada375"
+	case "DS419slim", "DS218j", "RS217", "DS116", "DS216j", "DS216", "DS416slim", "RS816", "DS416j":
+		arch = "armada38x"
+	case "RS815", "DS214", "DS214+", "DS414", "RS814":
+		arch = "armadaxp"
+	case "DS414j":
+		arch = "comcerto2k"
+	case "DS216play":
+		arch = "monaco"
+	}
+	if arch == "" {
+		return "", fmt.Errorf("cannot determine CPU architecture for Synology model %q (Go arch %q), please report a bug at https://github.com/tailscale/tailscale/issues/new/choose", hinfo.DeviceModel, hinfo.GoArch)
+	}
+	return arch, nil
+}
+
+func (up *updater) updateDebLike() error {
+	ver, err := requestedTailscaleVersion(up.Version, up.track)
+	if err != nil {
+		return err
+	}
+	if !up.confirm(ver) {
+		return nil
+	}
+
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	if updated, err := updateDebianAptSourcesList(up.track); err != nil {
+		return err
+	} else if updated {
+		up.Logf("Updated %s to use the %s track", aptSourcesFile, up.track)
+	}
+
+	cmd := exec.Command("apt-get", "update",
+		// Only update the tailscale repo, not the other ones, treating
+		// the tailscale.list file as the main "sources.list" file.
+		"-o", "Dir::Etc::SourceList=sources.list.d/tailscale.list",
+		// Disable the "sources.list.d" directory:
+		"-o", "Dir::Etc::SourceParts=-",
+		// Don't forget about packages in the other repos just because
+		// we're not updating them:
+		"-o", "APT::Get::List-Cleanup=0",
+	)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return err
+	}
+
+	cmd = exec.Command("apt-get", "install", "--yes", "--allow-downgrades", "tailscale="+ver)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+const aptSourcesFile = "/etc/apt/sources.list.d/tailscale.list"
+
+// updateDebianAptSourcesList updates the /etc/apt/sources.list.d/tailscale.list
+// file to make sure it has the provided track (stable or unstable) in it.
+//
+// If it already has the right track (including containing both stable and
+// unstable), it does nothing.
+func updateDebianAptSourcesList(dstTrack string) (rewrote bool, err error) {
+	was, err := os.ReadFile(aptSourcesFile)
+	if err != nil {
+		return false, err
+	}
+	newContent, err := updateDebianAptSourcesListBytes(was, dstTrack)
+	if err != nil {
+		return false, err
+	}
+	if bytes.Equal(was, newContent) {
+		return false, nil
+	}
+	return true, os.WriteFile(aptSourcesFile, newContent, 0644)
+}
+
+func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []byte, err error) {
+	trackURLPrefix := []byte("https://pkgs.tailscale.com/" + dstTrack + "/")
+	var buf bytes.Buffer
+	var changes int
+	bs := bufio.NewScanner(bytes.NewReader(was))
+	hadCorrect := false
+	commentLine := regexp.MustCompile(`^\s*\#`)
+	pkgsURL := regexp.MustCompile(`\bhttps://pkgs\.tailscale\.com/((un)?stable)/`)
+	for bs.Scan() {
+		line := bs.Bytes()
+		if !commentLine.Match(line) {
+			line = pkgsURL.ReplaceAllFunc(line, func(m []byte) []byte {
+				if bytes.Equal(m, trackURLPrefix) {
+					hadCorrect = true
+				} else {
+					changes++
+				}
+				return trackURLPrefix
+			})
+		}
+		buf.Write(line)
+		buf.WriteByte('\n')
+	}
+	if hadCorrect || (changes == 1 && bytes.Equal(bytes.TrimSpace(was), bytes.TrimSpace(buf.Bytes()))) {
+		// Unchanged or close enough.
+		return was, nil
+	}
+	if changes != 1 {
+		// No changes, or an unexpected number of changes (what?). Bail.
+		// They probably editted it by hand and we don't know what to do.
+		return nil, fmt.Errorf("unexpected/unsupported %s contents", aptSourcesFile)
+	}
+	return buf.Bytes(), nil
+}
+
+func (up *updater) updateArchLike() (err error) {
+	if up.Version != "" {
+		return errors.New("installing a specific version on Arch-based distros is not supported")
+	}
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf(`%w; you can try updating using "pacman --sync --refresh tailscale"`, err)
+		}
+	}()
+
+	out, err := exec.Command("pacman", "--sync", "--refresh", "--info", "tailscale").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed checking pacman for latest tailscale version: %w, output: %q", err, out)
+	}
+	ver, err := parsePacmanVersion(out)
+	if err != nil {
+		return err
+	}
+	if !up.confirm(ver) {
+		return nil
+	}
+
+	cmd := exec.Command("pacman", "--sync", "--noconfirm", "tailscale")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed tailscale update using pacman: %w", err)
+	}
+	return nil
+}
+
+func parsePacmanVersion(out []byte) (string, error) {
+	for _, line := range strings.Split(string(out), "\n") {
+		// The line we're looking for looks like this:
+		// Version         : 1.44.2-1
+		if !strings.HasPrefix(line, "Version") {
+			continue
+		}
+		parts := strings.SplitN(line, ":", 2)
+		if len(parts) != 2 {
+			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
+		}
+		ver := strings.TrimSpace(parts[1])
+		// Trim the Arch patch version.
+		ver = strings.Split(ver, "-")[0]
+		if ver == "" {
+			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
+		}
+		return ver, nil
+	}
+	return "", fmt.Errorf("could not find latest version of tailscale via pacman")
+}
+
+const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"
+
+// updateFedoraLike updates tailscale on any distros in the Fedora family,
+// specifically anything that uses "dnf" or "yum" package managers. The actual
+// package manager is passed via packageManager.
+func (up *updater) updateFedoraLike(packageManager string) func() error {
+	return func() (err error) {
+		if err := requireRoot(); err != nil {
+			return err
+		}
+		defer func() {
+			if err != nil {
+				err = fmt.Errorf(`%w; you can try updating using "%s upgrade tailscale"`, err, packageManager)
+			}
+		}()
+
+		ver, err := requestedTailscaleVersion(up.Version, up.track)
+		if err != nil {
+			return err
+		}
+		if !up.confirm(ver) {
+			return nil
+		}
+
+		if updated, err := updateYUMRepoTrack(yumRepoConfigFile, up.track); err != nil {
+			return err
+		} else if updated {
+			up.Logf("Updated %s to use the %s track", yumRepoConfigFile, up.track)
+		}
+
+		cmd := exec.Command(packageManager, "install", "--assumeyes", fmt.Sprintf("tailscale-%s-1", ver))
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		if err := cmd.Run(); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// updateYUMRepoTrack updates the repoFile file to make sure it has the
+// provided track (stable or unstable) in it.
+func updateYUMRepoTrack(repoFile, dstTrack string) (rewrote bool, err error) {
+	was, err := os.ReadFile(repoFile)
+	if err != nil {
+		return false, err
+	}
+
+	urlRe := regexp.MustCompile(`^(baseurl|gpgkey)=https://pkgs\.tailscale\.com/(un)?stable/`)
+	urlReplacement := fmt.Sprintf("$1=https://pkgs.tailscale.com/%s/", dstTrack)
+
+	s := bufio.NewScanner(bytes.NewReader(was))
+	newContent := bytes.NewBuffer(make([]byte, 0, len(was)))
+	for s.Scan() {
+		line := s.Text()
+		// Handle repo section name, like "[tailscale-stable]".
+		if len(line) > 0 && line[0] == '[' {
+			if !strings.HasPrefix(line, "[tailscale-") {
+				return false, fmt.Errorf("%q does not look like a tailscale repo file, it contains an unexpected %q section", repoFile, line)
+			}
+			fmt.Fprintf(newContent, "[tailscale-%s]\n", dstTrack)
+			continue
+		}
+		// Update the track mentioned in repo name.
+		if strings.HasPrefix(line, "name=") {
+			fmt.Fprintf(newContent, "name=Tailscale %s\n", dstTrack)
+			continue
+		}
+		// Update the actual repo URLs.
+		if strings.HasPrefix(line, "baseurl=") || strings.HasPrefix(line, "gpgkey=") {
+			fmt.Fprintln(newContent, urlRe.ReplaceAllString(line, urlReplacement))
+			continue
+		}
+		fmt.Fprintln(newContent, line)
+	}
+	if bytes.Equal(was, newContent.Bytes()) {
+		return false, nil
+	}
+	return true, os.WriteFile(repoFile, newContent.Bytes(), 0644)
+}
+
+func (up *updater) updateAlpineLike() (err error) {
+	if up.Version != "" {
+		return errors.New("installing a specific version on Alpine-based distros is not supported")
+	}
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf(`%w; you can try updating using "apk upgrade tailscale"`, err)
+		}
+	}()
+
+	out, err := exec.Command("apk", "update").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed refresh apk repository indexes: %w, output: %q", err, out)
+	}
+	out, err = exec.Command("apk", "info", "tailscale").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed checking apk for latest tailscale version: %w, output: %q", err, out)
+	}
+	ver, err := parseAlpinePackageVersion(out)
+	if err != nil {
+		return fmt.Errorf(`failed to parse latest version from "apk info tailscale": %w`, err)
+	}
+	if !up.confirm(ver) {
+		return nil
+	}
+
+	cmd := exec.Command("apk", "upgrade", "tailscale")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed tailscale update using apk: %w", err)
+	}
+	return nil
+}
+
+func parseAlpinePackageVersion(out []byte) (string, error) {
+	s := bufio.NewScanner(bytes.NewReader(out))
+	for s.Scan() {
+		// The line should look like this:
+		// tailscale-1.44.2-r0 description:
+		line := strings.TrimSpace(s.Text())
+		if !strings.HasPrefix(line, "tailscale-") {
+			continue
+		}
+		parts := strings.SplitN(line, "-", 3)
+		if len(parts) < 3 {
+			return "", fmt.Errorf("malformed info line: %q", line)
+		}
+		return parts[1], nil
+	}
+	return "", errors.New("tailscale version not found in output")
+}
+
+func (up *updater) updateMacSys() error {
+	return errors.New("NOTREACHED: On MacSys builds, `tailscale update` is handled in Swift to launch the GUI updater")
+}
+
+func (up *updater) updateMacAppStore() error {
+	out, err := exec.Command("defaults", "read", "/Library/Preferences/com.apple.commerce.plist", "AutoUpdate").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("can't check App Store auto-update setting: %w, output: %q", err, string(out))
+	}
+	const on = "1\n"
+	if string(out) != on {
+		up.Logf("NOTE: Automatic updating for App Store apps is turned off. You can change this setting in System Settings (search for ‘update’).")
+	}
+
+	out, err = exec.Command("softwareupdate", "--list").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("can't check App Store for available updates: %w, output: %q", err, string(out))
+	}
+
+	newTailscale := parseSoftwareupdateList(out)
+	if newTailscale == "" {
+		up.Logf("no Tailscale update available")
+		return nil
+	}
+
+	newTailscaleVer := strings.TrimPrefix(newTailscale, "Tailscale-")
+	if !up.confirm(newTailscaleVer) {
+		return nil
+	}
+
+	cmd := exec.Command("sudo", "softwareupdate", "--install", newTailscale)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("can't install App Store update for Tailscale: %w", err)
+	}
+	return nil
+}
+
+var macOSAppStoreListPattern = regexp.MustCompile(`(?m)^\s+\*\s+Label:\s*(Tailscale-\d[\d\.]+)`)
+
+// parseSoftwareupdateList searches the output of `softwareupdate --list` on
+// Darwin and returns the matching Tailscale package label. If there is none,
+// returns the empty string.
+//
+// See TestParseSoftwareupdateList for example inputs.
+func parseSoftwareupdateList(stdout []byte) string {
+	matches := macOSAppStoreListPattern.FindSubmatch(stdout)
+	if len(matches) < 2 {
+		return ""
+	}
+	return string(matches[1])
+}
+
+// winMSIEnv is the environment variable that, if set, is the MSI file for the
+// update command to install. It's passed like this so we can stop the
+// tailscale.exe process from running before the msiexec process runs and tries
+// to overwrite ourselves.
+const winMSIEnv = "TS_UPDATE_WIN_MSI"
+
+var (
+	verifyAuthenticode func(string) error // or nil on non-Windows
+	markTempFileFunc   func(string) error // or nil on non-Windows
+)
+
+func (up *updater) updateWindows() error {
+	if msi := os.Getenv(winMSIEnv); msi != "" {
+		up.Logf("installing %v ...", msi)
+		if err := up.installMSI(msi); err != nil {
+			up.Logf("MSI install failed: %v", err)
+			return err
+		}
+		up.Logf("success.")
+		return nil
+	}
+	ver, err := requestedTailscaleVersion(up.Version, up.track)
+	if err != nil {
+		return err
+	}
+	arch := runtime.GOARCH
+	if arch == "386" {
+		arch = "x86"
+	}
+
+	if !up.confirm(ver) {
+		return nil
+	}
+	if !winutil.IsCurrentProcessElevated() {
+		return errors.New("must be run as Administrator")
+	}
+
+	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
+	msiDir := filepath.Join(tsDir, "MSICache")
+	if fi, err := os.Stat(tsDir); err != nil {
+		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
+	} else if !fi.IsDir() {
+		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
+	}
+	if err := os.MkdirAll(msiDir, 0700); err != nil {
+		return err
+	}
+	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
+	msiTarget := filepath.Join(msiDir, path.Base(url))
+	if err := up.downloadURLToFile(url, msiTarget); err != nil {
+		return err
+	}
+
+	up.Logf("verifying MSI authenticode...")
+	if err := verifyAuthenticode(msiTarget); err != nil {
+		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
+	}
+	up.Logf("authenticode verification succeeded")
+
+	up.Logf("making tailscale.exe copy to switch to...")
+	selfCopy, err := makeSelfCopy()
+	if err != nil {
+		return err
+	}
+	defer os.Remove(selfCopy)
+	up.Logf("running tailscale.exe copy for final install...")
+
+	cmd := exec.Command(selfCopy, "update")
+	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget)
+	cmd.Stdout = os.Stderr
+	cmd.Stderr = os.Stderr
+	cmd.Stdin = os.Stdin
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	// Once it's started, exit ourselves, so the binary is free
+	// to be replaced.
+	os.Exit(0)
+	panic("unreachable")
+}
+
+func (up *updater) installMSI(msi string) error {
+	var err error
+	for tries := 0; tries < 2; tries++ {
+		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
+		cmd.Dir = filepath.Dir(msi)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		cmd.Stdin = os.Stdin
+		err = cmd.Run()
+		if err == nil {
+			break
+		}
+		uninstallVersion := version.Short()
+		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
+			uninstallVersion = v
+		}
+		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
+		up.Logf("Uninstalling current version %q for downgrade...", uninstallVersion)
+		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		cmd.Stdin = os.Stdin
+		err = cmd.Run()
+		up.Logf("msiexec uninstall: %v", err)
+	}
+	return err
+}
+
+func msiUUIDForVersion(ver string) string {
+	arch := runtime.GOARCH
+	if arch == "386" {
+		arch = "x86"
+	}
+	track, err := versionToTrack(ver)
+	if err != nil {
+		track = UnstableTrack
+	}
+	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
+	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
+}
+
+func makeSelfCopy() (tmpPathExe string, err error) {
+	selfExe, err := os.Executable()
+	if err != nil {
+		return "", err
+	}
+	f, err := os.Open(selfExe)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
+	if err != nil {
+		return "", err
+	}
+	if f := markTempFileFunc; f != nil {
+		if err := f(f2.Name()); err != nil {
+			return "", err
+		}
+	}
+	if _, err := io.Copy(f2, f); err != nil {
+		f2.Close()
+		return "", err
+	}
+	return f2.Name(), f2.Close()
+}
+
+func (up *updater) downloadURLToFile(urlSrc, fileDst string) (ret error) {
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.Proxy = tshttpproxy.ProxyFromEnvironment
+	defer tr.CloseIdleConnections()
+	c := &http.Client{Transport: tr}
+
+	quickCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	headReq := must.Get(http.NewRequestWithContext(quickCtx, "HEAD", urlSrc, nil))
+
+	res, err := c.Do(headReq)
+	if err != nil {
+		return err
+	}
+	if res.StatusCode != http.StatusOK {
+		return fmt.Errorf("HEAD %s: %v", urlSrc, res.Status)
+	}
+	if res.ContentLength <= 0 {
+		return fmt.Errorf("HEAD %s: unexpected Content-Length %v", urlSrc, res.ContentLength)
+	}
+	up.Logf("Download size: %v", res.ContentLength)
+
+	hashReq := must.Get(http.NewRequestWithContext(quickCtx, "GET", urlSrc+".sha256", nil))
+	hashRes, err := c.Do(hashReq)
+	if err != nil {
+		return err
+	}
+	hashHex, err := io.ReadAll(io.LimitReader(hashRes.Body, 100))
+	hashRes.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return fmt.Errorf("GET %s.sha256: %v", urlSrc, res.Status)
+	}
+	if err != nil {
+		return err
+	}
+	wantHash, err := hex.DecodeString(string(strings.TrimSpace(string(hashHex))))
+	if err != nil {
+		return err
+	}
+	hash := sha256.New()
+
+	dlReq := must.Get(http.NewRequestWithContext(context.Background(), "GET", urlSrc, nil))
+	dlRes, err := c.Do(dlReq)
+	if err != nil {
+		return err
+	}
+	// TODO(bradfitz): resume from existing partial file on disk
+	if dlRes.StatusCode != http.StatusOK {
+		return fmt.Errorf("GET %s: %v", urlSrc, dlRes.Status)
+	}
+
+	of, err := os.Create(fileDst)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if ret != nil {
+			of.Close()
+			// TODO(bradfitz): os.Remove(fileDst) too? or keep it to resume from/debug later.
+		}
+	}()
+	pw := &progressWriter{total: res.ContentLength, logf: up.Logf}
+	n, err := io.Copy(io.MultiWriter(hash, of, pw), io.LimitReader(dlRes.Body, res.ContentLength))
+	if err != nil {
+		return err
+	}
+	if n != res.ContentLength {
+		return fmt.Errorf("downloaded %v; want %v", n, res.ContentLength)
+	}
+	if err := of.Close(); err != nil {
+		return err
+	}
+	pw.print()
+
+	if !bytes.Equal(hash.Sum(nil), wantHash) {
+		return fmt.Errorf("SHA-256 of downloaded MSI didn't match expected value")
+	}
+	up.Logf("hash matched")
+
+	return nil
+}
+
+type progressWriter struct {
+	done      int64
+	total     int64
+	lastPrint time.Time
+	logf      logger.Logf
+}
+
+func (pw *progressWriter) Write(p []byte) (n int, err error) {
+	pw.done += int64(len(p))
+	if time.Since(pw.lastPrint) > 2*time.Second {
+		pw.print()
+	}
+	return len(p), nil
+}
+
+func (pw *progressWriter) print() {
+	pw.lastPrint = time.Now()
+	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
+}
+
+func (up *updater) updateFreeBSD() (err error) {
+	if up.Version != "" {
+		return errors.New("installing a specific version on FreeBSD is not supported")
+	}
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf(`%w; you can try updating using "pkg upgrade tailscale"`, err)
+		}
+	}()
+
+	out, err := exec.Command("pkg", "update").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed refresh pkg repository indexes: %w, output: %q", err, out)
+	}
+	out, err = exec.Command("pkg", "rquery", "%v", "tailscale").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed checking pkg for latest tailscale version: %w, output: %q", err, out)
+	}
+	ver := string(bytes.TrimSpace(out))
+	if !up.confirm(ver) {
+		return nil
+	}
+
+	cmd := exec.Command("pkg", "upgrade", "tailscale")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed tailscale update using pkg: %w", err)
+	}
+	return nil
+}
+
+func haveExecutable(name string) bool {
+	path, err := exec.LookPath(name)
+	return err == nil && path != ""
+}
+
+func requestedTailscaleVersion(ver, track string) (string, error) {
+	if ver != "" {
+		return ver, nil
+	}
+	return LatestTailscaleVersion(track)
+}
+
+// LatestTailscaleVersion returns the latest released version for the given
+// track from pkgs.tailscale.com.
+func LatestTailscaleVersion(track string) (string, error) {
+	if track == CurrentTrack {
+		if version.IsUnstableBuild() {
+			track = UnstableTrack
+		} else {
+			track = StableTrack
+		}
+	}
+
+	latest, err := latestPackages(track)
+	if err != nil {
+		return "", err
+	}
+	if latest.Version == "" {
+		return "", fmt.Errorf("no latest version found for %q track", track)
+	}
+	return latest.Version, nil
+}
+
+type trackPackages struct {
+	Version  string
+	Tarballs map[string]string
+	Exes     []string
+	MSIs     map[string]string
+	MacZips  map[string]string
+	SPKs     map[string]map[string]string
+}
+
+func latestPackages(track string) (*trackPackages, error) {
+	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/?mode=json&os=%s", track, runtime.GOOS)
+	res, err := http.Get(url)
+	if err != nil {
+		return nil, fmt.Errorf("fetching latest tailscale version: %w", err)
+	}
+	defer res.Body.Close()
+	var latest trackPackages
+	if err := json.NewDecoder(res.Body).Decode(&latest); err != nil {
+		return nil, fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
+	}
+	return &latest, nil
+}
+
+func requireRoot() error {
+	if os.Geteuid() == 0 {
+		return nil
+	}
+	switch runtime.GOOS {
+	case "linux":
+		return errors.New("must be root; use sudo")
+	case "freebsd", "openbsd":
+		return errors.New("must be root; use doas")
+	default:
+		return errors.New("must be root")
+	}
+}

clientupdate/clientupdate_test.go

@@ -0,0 +1,486 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package clientupdate
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"tailscale.com/tailcfg"
+)
+
+func TestUpdateDebianAptSourcesListBytes(t *testing.T) {
+	tests := []struct {
+		name    string
+		toTrack string
+		in      string
+		want    string // empty means want no change
+		wantErr string
+	}{
+		{
+			name:    "stable-to-unstable",
+			toTrack: UnstableTrack,
+			in:      "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/stable/debian bullseye main\n",
+			want:    "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
+		},
+		{
+			name:    "stable-unchanged",
+			toTrack: StableTrack,
+			in:      "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/stable/debian bullseye main\n",
+		},
+		{
+			name:    "if-both-stable-and-unstable-dont-change",
+			toTrack: StableTrack,
+			in: "# Tailscale packages for debian buster\n" +
+				"deb https://pkgs.tailscale.com/stable/debian bullseye main\n" +
+				"deb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
+		},
+		{
+			name:    "if-both-stable-and-unstable-dont-change-unstable",
+			toTrack: UnstableTrack,
+			in: "# Tailscale packages for debian buster\n" +
+				"deb https://pkgs.tailscale.com/stable/debian bullseye main\n" +
+				"deb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
+		},
+		{
+			name:    "signed-by-form",
+			toTrack: UnstableTrack,
+			in:      "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/ubuntu jammy main\n",
+			want:    "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/unstable/ubuntu jammy main\n",
+		},
+		{
+			name:    "unsupported-lines",
+			toTrack: UnstableTrack,
+			in:      "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/foobar/ubuntu jammy main\n",
+			wantErr: "unexpected/unsupported /etc/apt/sources.list.d/tailscale.list contents",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			newContent, err := updateDebianAptSourcesListBytes([]byte(tt.in), tt.toTrack)
+			if err != nil {
+				if err.Error() != tt.wantErr {
+					t.Fatalf("error = %v; want %q", err, tt.wantErr)
+				}
+				return
+			}
+			if tt.wantErr != "" {
+				t.Fatalf("got no error; want %q", tt.wantErr)
+			}
+			var gotChange string
+			if string(newContent) != tt.in {
+				gotChange = string(newContent)
+			}
+			if gotChange != tt.want {
+				t.Errorf("wrong result\n got: %q\nwant: %q", gotChange, tt.want)
+			}
+		})
+	}
+}
+
+func TestParseSoftwareupdateList(t *testing.T) {
+	tests := []struct {
+		name  string
+		input []byte
+		want  string
+	}{
+		{
+			name: "update-at-end-of-list",
+			input: []byte(`
+	 Software Update Tool
+
+	 Finding available software
+	 Software Update found the following new or updated software:
+			* Label: MacBookAirEFIUpdate2.4-2.4
+					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
+			* Label: ProAppsQTCodecs-1.0
+					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
+			* Label: Tailscale-1.23.4
+					 Title: The Tailscale VPN, Version: 1.23.4, Size: 1023K, Recommended: YES,
+`),
+			want: "Tailscale-1.23.4",
+		},
+		{
+			name: "update-in-middle-of-list",
+			input: []byte(`
+	 Software Update Tool
+
+	 Finding available software
+	 Software Update found the following new or updated software:
+			* Label: MacBookAirEFIUpdate2.4-2.4
+					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
+			* Label: Tailscale-1.23.5000
+					 Title: The Tailscale VPN, Version: 1.23.4, Size: 1023K, Recommended: YES,
+			* Label: ProAppsQTCodecs-1.0
+					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
+`),
+			want: "Tailscale-1.23.5000",
+		},
+		{
+			name: "update-not-in-list",
+			input: []byte(`
+	 Software Update Tool
+
+	 Finding available software
+	 Software Update found the following new or updated software:
+			* Label: MacBookAirEFIUpdate2.4-2.4
+					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
+			* Label: ProAppsQTCodecs-1.0
+					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
+`),
+			want: "",
+		},
+		{
+			name: "decoy-in-list",
+			input: []byte(`
+	 Software Update Tool
+
+	 Finding available software
+	 Software Update found the following new or updated software:
+			* Label: MacBookAirEFIUpdate2.4-2.4
+					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
+			* Label: Malware-1.0
+					 Title: * Label: Tailscale-0.99.0, Version: 1.0, Size: 968K, Recommended: NOT REALLY TBH,
+`),
+			want: "",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := parseSoftwareupdateList(test.input)
+			if test.want != got {
+				t.Fatalf("got %q, want %q", got, test.want)
+			}
+		})
+	}
+}
+
+func TestParsePacmanVersion(t *testing.T) {
+	tests := []struct {
+		desc    string
+		out     string
+		want    string
+		wantErr bool
+	}{
+		{
+			desc: "valid version",
+			out: `
+:: Synchronizing package databases...
+ endeavouros is up to date
+ core is up to date
+ extra is up to date
+ multilib is up to date
+Repository      : extra
+Name            : tailscale
+Version         : 1.44.2-1
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
+Architecture    : x86_64
+URL             : https://tailscale.com
+Licenses        : MIT
+Groups          : None
+Provides        : None
+Depends On      : glibc
+Optional Deps   : None
+Conflicts With  : None
+Replaces        : None
+Download Size   : 7.98 MiB
+Installed Size  : 32.47 MiB
+Packager        : Christian Heusel <gromit@archlinux.org>
+Build Date      : Tue 18 Jul 2023 12:28:37 PM PDT
+Validated By    : MD5 Sum  SHA-256 Sum  Signature
+`,
+			want: "1.44.2",
+		},
+		{
+			desc: "version without Arch patch number",
+			out: `
+... snip ...
+Name            : tailscale
+Version         : 1.44.2
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
+... snip ...
+`,
+			want: "1.44.2",
+		},
+		{
+			desc: "missing version",
+			out: `
+... snip ...
+Name            : tailscale
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
+... snip ...
+`,
+			wantErr: true,
+		},
+		{
+			desc: "empty version",
+			out: `
+... snip ...
+Name            : tailscale
+Version         :
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
+... snip ...
+`,
+			wantErr: true,
+		},
+		{
+			desc:    "empty input",
+			out:     "",
+			wantErr: true,
+		},
+		{
+			desc: "sneaky version in description",
+			out: `
+... snip ...
+Name            : tailscale
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are. Version : 1.2.3
+Version         : 1.44.2
+... snip ...
+`,
+			want: "1.44.2",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			got, err := parsePacmanVersion([]byte(tt.out))
+			if err == nil && tt.wantErr {
+				t.Fatalf("got nil error and version %q, want non-nil error", got)
+			}
+			if err != nil && !tt.wantErr {
+				t.Fatalf("got error: %q, want nil", err)
+			}
+			if got != tt.want {
+				t.Fatalf("got version: %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestUpdateYUMRepoTrack(t *testing.T) {
+	tests := []struct {
+		desc    string
+		before  string
+		track   string
+		after   string
+		rewrote bool
+		wantErr bool
+	}{
+		{
+			desc: "same track",
+			before: `
+[tailscale-stable]
+name=Tailscale stable
+baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
+enabled=1
+type=rpm
+repo_gpgcheck=1
+gpgcheck=0
+gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
+`,
+			track: StableTrack,
+			after: `
+[tailscale-stable]
+name=Tailscale stable
+baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
+enabled=1
+type=rpm
+repo_gpgcheck=1
+gpgcheck=0
+gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
+`,
+		},
+		{
+			desc: "change track",
+			before: `
+[tailscale-stable]
+name=Tailscale stable
+baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
+enabled=1
+type=rpm
+repo_gpgcheck=1
+gpgcheck=0
+gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
+`,
+			track: UnstableTrack,
+			after: `
+[tailscale-unstable]
+name=Tailscale unstable
+baseurl=https://pkgs.tailscale.com/unstable/fedora/$basearch
+enabled=1
+type=rpm
+repo_gpgcheck=1
+gpgcheck=0
+gpgkey=https://pkgs.tailscale.com/unstable/fedora/repo.gpg
+`,
+			rewrote: true,
+		},
+		{
+			desc: "non-tailscale repo file",
+			before: `
+[fedora]
+name=Fedora $releasever - $basearch
+#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+enabled=1
+countme=1
+metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+`,
+			track:   StableTrack,
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			path := filepath.Join(t.TempDir(), "tailscale.repo")
+			if err := os.WriteFile(path, []byte(tt.before), 0644); err != nil {
+				t.Fatal(err)
+			}
+
+			rewrote, err := updateYUMRepoTrack(path, tt.track)
+			if err == nil && tt.wantErr {
+				t.Fatal("got nil error, want non-nil")
+			}
+			if err != nil && !tt.wantErr {
+				t.Fatalf("got error %q, want nil", err)
+			}
+			if err != nil {
+				return
+			}
+			if rewrote != tt.rewrote {
+				t.Errorf("got rewrote flag %v, want %v", rewrote, tt.rewrote)
+			}
+
+			after, err := os.ReadFile(path)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if string(after) != tt.after {
+				t.Errorf("got repo file after update:\n%swant:\n%s", after, tt.after)
+			}
+		})
+	}
+}
+
+func TestParseAlpinePackageVersion(t *testing.T) {
+	tests := []struct {
+		desc    string
+		out     string
+		want    string
+		wantErr bool
+	}{
+		{
+			desc: "valid version",
+			out: `
+tailscale-1.44.2-r0 description:
+The easiest, most secure way to use WireGuard and 2FA
+
+tailscale-1.44.2-r0 webpage:
+https://tailscale.com/
+
+tailscale-1.44.2-r0 installed size:
+32 MiB
+`,
+			want: "1.44.2",
+		},
+		{
+			desc: "wrong package output",
+			out: `
+busybox-1.36.1-r0 description:
+Size optimized toolbox of many common UNIX utilities
+
+busybox-1.36.1-r0 webpage:
+https://busybox.net/
+
+busybox-1.36.1-r0 installed size:
+924 KiB
+`,
+			wantErr: true,
+		},
+		{
+			desc: "missing version",
+			out: `
+tailscale description:
+The easiest, most secure way to use WireGuard and 2FA
+
+tailscale webpage:
+https://tailscale.com/
+
+tailscale installed size:
+32 MiB
+`,
+			wantErr: true,
+		},
+		{
+			desc:    "empty output",
+			out:     "",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			got, err := parseAlpinePackageVersion([]byte(tt.out))
+			if err == nil && tt.wantErr {
+				t.Fatalf("got nil error and version %q, want non-nil error", got)
+			}
+			if err != nil && !tt.wantErr {
+				t.Fatalf("got error: %q, want nil", err)
+			}
+			if got != tt.want {
+				t.Fatalf("got version: %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestSynoArch(t *testing.T) {
+	tests := []struct {
+		goarch  string
+		model   string
+		want    string
+		wantErr bool
+	}{
+		{goarch: "amd64", model: "DS224+", want: "x86_64"},
+		{goarch: "arm64", model: "DS124", want: "armv8"},
+		{goarch: "386", model: "DS415play", want: "i686"},
+		{goarch: "arm", model: "DS213air", want: "88f6281"},
+		{goarch: "arm", model: "NVR1218", want: "hi3535"},
+		{goarch: "arm", model: "DS1517", want: "alpine"},
+		{goarch: "arm", model: "DS216se", want: "armada370"},
+		{goarch: "arm", model: "DS115", want: "armada375"},
+		{goarch: "arm", model: "DS419slim", want: "armada38x"},
+		{goarch: "arm", model: "RS815", want: "armadaxp"},
+		{goarch: "arm", model: "DS414j", want: "comcerto2k"},
+		{goarch: "arm", model: "DS216play", want: "monaco"},
+		{goarch: "riscv64", model: "DS999", wantErr: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("%s-%s", tt.goarch, tt.model), func(t *testing.T) {
+			got, err := synoArch(&tailcfg.Hostinfo{GoArch: tt.goarch, DeviceModel: tt.model})
+			if err != nil {
+				if !tt.wantErr {
+					t.Fatalf("got unexpected error %v", err)
+				}
+				return
+			}
+			if tt.wantErr {
+				t.Fatalf("got %q, expected an error", got)
+			}
+			if got != tt.want {
+				t.Errorf("got %q, want %q", got, tt.want)
+			}
+		})
+	}
+}

clientupdate/clientupdate_windows.go

@@ -1,20 +1,28 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-// Windows-specific stuff that can't go in update.go because it needs
+// Windows-specific stuff that can't go in clientupdate.go because it needs
 // x/sys/windows.
 
-package cli
+package clientupdate
 
 import (
 	"golang.org/x/sys/windows"
+	"tailscale.com/util/winutil/authenticode"
 )
 
 func init() {
 	markTempFileFunc = markTempFileWindows
+	verifyAuthenticode = verifyTailscale
 }
 
 func markTempFileWindows(name string) error {
 	name16 := windows.StringToUTF16Ptr(name)
 	return windows.MoveFileEx(name16, nil, windows.MOVEFILE_DELAY_UNTIL_REBOOT)
 }
+
+const certSubjectTailscale = "Tailscale Inc."
+
+func verifyTailscale(path string) error {
+	return authenticode.Verify(path, certSubjectTailscale)
+}

cmd/cloner/cloner.go

@@ -131,6 +131,8 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 					} else {
 						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 					}
+				} else if ft.Elem().String() == "encoding/json.RawMessage" {
+					writef("\tdst.%s[i] = append(src.%s[i][:0:0], src.%s[i]...)", fname, fname, fname)
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}

cmd/derper/cert.go

@@ -81,7 +81,7 @@ func (m *manualCertManager) TLSConfig() *tls.Config {
 	return &tls.Config{
 		Certificates: nil,
 		NextProtos: []string{
-			"h2", "http/1.1", // enable HTTP/2
+			"http/1.1",
 		},
 		GetCertificate: m.getCertificate,
 	}

cmd/derper/depaware.txt

@@ -3,26 +3,80 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
         filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
+   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
    W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
+   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
    W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
+     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil+
+   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
+   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
+   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
+   L    github.com/google/nftables/expr                              from github.com/google/nftables+
+   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
+   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
         github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
    L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
    L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
+     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
+        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
+        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
+        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
+  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
+  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
+  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
+   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
+   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
+   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
      💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter
+        go4.org/netipx                                               from tailscale.com/wgengine/filter+
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
+        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
+        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
+        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
+        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
+     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
+        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
+     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
+     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
+        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
         nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
         nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
         nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
@@ -44,11 +98,13 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
      💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
         tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
+        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
         tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
         tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
         tailscale.com/net/stun                                       from tailscale.com/cmd/derper
+   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
@@ -59,9 +115,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
         tailscale.com/tka                                            from tailscale.com/client/tailscale+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tstime                                         from tailscale.com/derp+
+        tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
         tailscale.com/tsweb                                          from tailscale.com/cmd/derper
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
+        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
         tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
         tailscale.com/types/empty                                    from tailscale.com/ipn
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -79,13 +138,15 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
         tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
    W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
+        tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
         tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
+   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
         tailscale.com/util/mak                                       from tailscale.com/syncs+
-        tailscale.com/util/multierr                                  from tailscale.com/health
-        tailscale.com/util/set                                       from tailscale.com/health
+        tailscale.com/util/multierr                                  from tailscale.com/health+
+        tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
         tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
         tailscale.com/util/vizerror                                  from tailscale.com/tsweb
@@ -108,11 +169,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
         golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/maps                                        from tailscale.com/types/views
         golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
    L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http
-        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http/httpproxy                              from net/http+
         golang.org/x/net/http2/hpack                                 from net/http
         golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
@@ -169,14 +231,17 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         expvar                                                       from tailscale.com/cmd/derper+
         flag                                                         from tailscale.com/cmd/derper
         fmt                                                          from compress/flate+
+        go/token                                                     from google.golang.org/protobuf/internal/strs
         hash                                                         from crypto+
         hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
         hash/maphash                                                 from go4.org/mem
         html                                                         from net/http/pprof+
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
         io/ioutil                                                    from github.com/mitchellh/go-ps+
         log                                                          from expvar+
+        log/internal                                                 from log
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
@@ -188,7 +253,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         net/http                                                     from expvar+
         net/http/httptrace                                           from net/http+
         net/http/internal                                            from net/http
-        net/http/pprof                                               from tailscale.com/tsweb
+        net/http/pprof                                               from tailscale.com/tsweb+
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
@@ -201,6 +266,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         regexp                                                       from internal/profile+
         regexp/syntax                                                from regexp
         runtime/debug                                                from golang.org/x/crypto/acme+
+        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
         runtime/trace                                                from net/http/pprof
         sort                                                         from compress/flate+

cmd/derper/derper.go

@@ -33,11 +33,12 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
+	"tailscale.com/util/cmpx"
 )
 
 var (
-	dev        = flag.Bool("dev", false, "run in localhost development mode")
-	addr       = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
+	dev        = flag.Bool("dev", false, "run in localhost development mode (overrides -a)")
+	addr       = flag.String("a", ":443", "server HTTP/HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP.")
 	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
 	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
 	configPath = flag.String("c", "", "config file path")
@@ -181,8 +182,9 @@ func main() {
 	}
 	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
-	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
+	mux.HandleFunc("/bootstrap-dns", tsweb.BrowserHeaderHandlerFunc(handleBootstrapDNS))
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		tsweb.AddBrowserHeaders(w)
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 		w.WriteHeader(200)
 		io.WriteString(w, `<html><body>
@@ -202,6 +204,7 @@ func main() {
 		}
 	}))
 	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		tsweb.AddBrowserHeaders(w)
 		io.WriteString(w, "User-agent: *\nDisallow: /\n")
 	}))
 	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
@@ -276,18 +279,6 @@ func main() {
 				defer tlsActiveVersion.Add(label, -1)
 			}
 
-			// Set HTTP headers to appease automated security scanners.
-			//
-			// Security automation gets cranky when HTTPS sites don't
-			// set HSTS, and when they don't specify a content
-			// security policy for XSS mitigation.
-			//
-			// DERP's HTTP interface is only ever used for debug
-			// access (for which trivial safe policies work just
-			// fine), and by DERP clients which don't obey any of
-			// these browser-centric headers anyway.
-			w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
-			w.Header().Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
 			mux.ServeHTTP(w, r)
 		})
 		if *httpPort > -1 {
@@ -436,11 +427,7 @@ func defaultMeshPSKFile() string {
 }
 
 func rateLimitedListenAndServeTLS(srv *http.Server) error {
-	addr := srv.Addr
-	if addr == "" {
-		addr = ":https"
-	}
-	ln, err := net.Listen("tcp", addr)
+	ln, err := net.Listen("tcp", cmpx.Or(srv.Addr, ":https"))
 	if err != nil {
 		return err
 	}

cmd/derper/mesh.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"net/netip"
 	"strings"
 	"time"
 
@@ -67,7 +68,7 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		return d.DialContext(ctx, network, addr)
 	})
 
-	add := func(k key.NodePublic) { s.AddPacketForwarder(k, c) }
+	add := func(k key.NodePublic, _ netip.AddrPort) { s.AddPacketForwarder(k, c) }
 	remove := func(k key.NodePublic) { s.RemovePacketForwarder(k, c) }
 	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
 	return nil

cmd/derpprobe/derpprobe.go

@@ -5,7 +5,6 @@
 package main
 
 import (
-	"expvar"
 	"flag"
 	"fmt"
 	"html"
@@ -30,7 +29,7 @@ var (
 func main() {
 	flag.Parse()
 
-	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce)
+	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce).WithMetricNamespace("derpprobe")
 	dp, err := prober.DERP(p, *derpMapURL, *interval, *interval, *interval)
 	if err != nil {
 		log.Fatal(err)
@@ -53,7 +52,6 @@ func main() {
 
 	mux := http.NewServeMux()
 	tsweb.Debugger(mux)
-	expvar.Publish("derpprobe", p.Expvar())
 	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
 	log.Fatal(http.ListenAndServe(*listen, mux))
 }

cmd/dist/dist.go

@@ -13,15 +13,38 @@ import (
 
 	"tailscale.com/release/dist"
 	"tailscale.com/release/dist/cli"
+	"tailscale.com/release/dist/synology"
 	"tailscale.com/release/dist/unixpkgs"
 )
 
-func getTargets() ([]dist.Target, error) {
-	return unixpkgs.Targets(), nil
+var synologyPackageCenter bool
+
+func getTargets(signers unixpkgs.Signers) ([]dist.Target, error) {
+	var ret []dist.Target
+
+	ret = append(ret, unixpkgs.Targets(signers)...)
+	// Synology packages can be built either for sideloading, or for
+	// distribution by Synology in their package center. When
+	// distributed through the package center, apps can request
+	// additional permissions to use a tuntap interface and control
+	// the NAS's network stack, rather than be forced to run in
+	// userspace mode.
+	//
+	// Since only we can provide packages to Synology for
+	// distribution, we default to building the "sideload" variant of
+	// packages that we distribute on pkgs.tailscale.com.
+	ret = append(ret, synology.Targets(synologyPackageCenter)...)
+	return ret, nil
 }
 
 func main() {
 	cmd := cli.CLI(getTargets)
+	for _, subcmd := range cmd.Subcommands {
+		if subcmd.Name == "build" {
+			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
+		}
+	}
+
 	if err := cmd.ParseAndRun(context.Background(), os.Args[1:]); err != nil && !errors.Is(err, flag.ErrHelp) {
 		log.Fatal(err)
 	}

cmd/get-authkey/main.go

@@ -16,6 +16,7 @@ import (
 
 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/util/cmpx"
 )
 
 func main() {
@@ -29,9 +30,9 @@ func main() {
 	tags := flag.String("tags", "", "comma-separated list of tags to apply to the authkey")
 	flag.Parse()
 
-	clientId := os.Getenv("TS_API_CLIENT_ID")
+	clientID := os.Getenv("TS_API_CLIENT_ID")
 	clientSecret := os.Getenv("TS_API_CLIENT_SECRET")
-	if clientId == "" || clientSecret == "" {
+	if clientID == "" || clientSecret == "" {
 		log.Fatal("TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set")
 	}
 
@@ -39,22 +40,19 @@ func main() {
 		log.Fatal("at least one tag must be specified")
 	}
 
-	baseUrl := os.Getenv("TS_BASE_URL")
-	if baseUrl == "" {
-		baseUrl = "https://api.tailscale.com"
-	}
+	baseURL := cmpx.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")
 
 	credentials := clientcredentials.Config{
-		ClientID:     clientId,
+		ClientID:     clientID,
 		ClientSecret: clientSecret,
-		TokenURL:     baseUrl + "/api/v2/oauth/token",
+		TokenURL:     baseURL + "/api/v2/oauth/token",
 		Scopes:       []string{"device"},
 	}
 
 	ctx := context.Background()
 	tsClient := tailscale.NewClient("-", nil)
 	tsClient.HTTPClient = credentials.Client(ctx)
-	tsClient.BaseURL = baseUrl
+	tsClient.BaseURL = baseURL
 
 	caps := tailscale.KeyCapabilities{
 		Devices: tailscale.KeyDeviceCapabilities{

cmd/gitops-pusher/gitops-pusher.go

@@ -23,6 +23,7 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/tailscale/hujson"
 	"golang.org/x/oauth2/clientcredentials"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/util/httpm"
 )
 
@@ -270,7 +271,7 @@ func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	got := resp.StatusCode
 	want := http.StatusOK
 	if got != want {
-		var ate ACLTestError
+		var ate ACLGitopsTestError
 		err := json.NewDecoder(resp.Body).Decode(&ate)
 		if err != nil {
 			return err
@@ -306,7 +307,7 @@ func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	}
 	defer resp.Body.Close()
 
-	var ate ACLTestError
+	var ate ACLGitopsTestError
 	err = json.NewDecoder(resp.Body).Decode(&ate)
 	if err != nil {
 		return err
@@ -327,12 +328,12 @@ func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 
 var lineColMessageSplit = regexp.MustCompile(`line ([0-9]+), column ([0-9]+): (.*)$`)
 
-type ACLTestError struct {
-	Message string               `json:"message"`
-	Data    []ACLTestErrorDetail `json:"data"`
+// ACLGitopsTestError is redefined here so we can add a custom .Error() response
+type ACLGitopsTestError struct {
+	tailscale.ACLTestError
 }
 
-func (ate ACLTestError) Error() string {
+func (ate ACLGitopsTestError) Error() string {
 	var sb strings.Builder
 
 	if *githubSyntax && lineColMessageSplit.MatchString(ate.Message) {
@@ -349,20 +350,28 @@ func (ate ACLTestError) Error() string {
 	fmt.Fprintln(&sb)
 
 	for _, data := range ate.Data {
-		fmt.Fprintf(&sb, "For user %s:\n", data.User)
-		for _, err := range data.Errors {
-			fmt.Fprintf(&sb, "- %s\n", err)
+		if data.User != "" {
+			fmt.Fprintf(&sb, "For user %s:\n", data.User)
+		}
+
+		if len(data.Errors) > 0 {
+			fmt.Fprint(&sb, "Errors found:\n")
+			for _, err := range data.Errors {
+				fmt.Fprintf(&sb, "- %s\n", err)
+			}
+		}
+
+		if len(data.Warnings) > 0 {
+			fmt.Fprint(&sb, "Warnings found:\n")
+			for _, err := range data.Warnings {
+				fmt.Fprintf(&sb, "- %s\n", err)
+			}
 		}
 	}
 
 	return sb.String()
 }
 
-type ACLTestErrorDetail struct {
-	User   string   `json:"user"`
-	Errors []string `json:"errors"`
-}
-
 func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string) (string, error) {
 	req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
 	if err != nil {

cmd/gitops-pusher/gitops-pusher_test.go

@@ -0,0 +1,55 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+package main
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"tailscale.com/client/tailscale"
+)
+
+func TestEmbeddedTypeUnmarshal(t *testing.T) {
+	var gitopsErr ACLGitopsTestError
+	gitopsErr.Message = "gitops response error"
+	gitopsErr.Data = []tailscale.ACLTestFailureSummary{
+		{
+			User:   "GitopsError",
+			Errors: []string{"this was initially created as a gitops error"},
+		},
+	}
+
+	var aclTestErr tailscale.ACLTestError
+	aclTestErr.Message = "native ACL response error"
+	aclTestErr.Data = []tailscale.ACLTestFailureSummary{
+		{
+			User:   "ACLError",
+			Errors: []string{"this was initially created as an ACL error"},
+		},
+	}
+
+	t.Run("unmarshal gitops type from acl type", func(t *testing.T) {
+		b, _ := json.Marshal(aclTestErr)
+		var e ACLGitopsTestError
+		err := json.Unmarshal(b, &e)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !strings.Contains(e.Error(), "For user ACLError") { // the gitops error prints out the user, the acl error doesn't
+			t.Fatalf("user heading for 'ACLError' not found in gitops error: %v", e.Error())
+		}
+	})
+	t.Run("unmarshal acl type from gitops type", func(t *testing.T) {
+		b, _ := json.Marshal(gitopsErr)
+		var e tailscale.ACLTestError
+		err := json.Unmarshal(b, &e)
+		if err != nil {
+			t.Fatal(err)
+		}
+		expectedErr := `Status: 0, Message: "gitops response error", Data: [{User:GitopsError Errors:[this was initially created as a gitops error] Warnings:[]}]`
+		if e.Error() != expectedErr {
+			t.Fatalf("got %v\n, expected %v", e.Error(), expectedErr)
+		}
+	})
+}

cmd/k8s-operator/operator.go

@@ -25,7 +25,6 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/transport"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -38,7 +37,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
@@ -48,6 +46,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/version"
 )
 
 func main() {
@@ -64,6 +63,7 @@ func main() {
 		clientIDPath       = defaultEnv("CLIENT_ID_FILE", "")
 		clientSecretPath   = defaultEnv("CLIENT_SECRET_FILE", "")
 		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
+		priorityClassName  = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
 		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
 		shouldRunAuthProxy = defaultBool("AUTH_PROXY", false)
 	)
@@ -183,32 +183,33 @@ waitOnline:
 	// the cache that sits a few layers below the builder stuff, which will
 	// implicitly filter what parts of the world the builder code gets to see at
 	// all.
-	nsFilter := cache.ObjectSelector{
-		Field: fields.SelectorFromSet(fields.Set{"metadata.namespace": tsNamespace}),
+	nsFilter := cache.ByObject{
+		Field: client.InNamespace(tsNamespace).AsSelector(),
 	}
 	restConfig := config.GetConfigOrDie()
 	mgr, err := manager.New(restConfig, manager.Options{
-		NewCache: cache.BuilderWithOptions(cache.Options{
-			SelectorsByObject: map[client.Object]cache.ObjectSelector{
+		Cache: cache.Options{
+			ByObject: map[client.Object]cache.ByObject{
 				&corev1.Secret{}:      nsFilter,
 				&appsv1.StatefulSet{}: nsFilter,
 			},
-		}),
+		},
 	})
 	if err != nil {
 		startlog.Fatalf("could not create manager: %v", err)
 	}
 
 	sr := &ServiceReconciler{
-		Client:            mgr.GetClient(),
-		tsClient:          tsClient,
-		defaultTags:       strings.Split(tags, ","),
-		operatorNamespace: tsNamespace,
-		proxyImage:        image,
-		logger:            zlog.Named("service-reconciler"),
+		Client:                 mgr.GetClient(),
+		tsClient:               tsClient,
+		defaultTags:            strings.Split(tags, ","),
+		operatorNamespace:      tsNamespace,
+		proxyImage:             image,
+		proxyPriorityClassName: priorityClassName,
+		logger:                 zlog.Named("service-reconciler"),
 	}
 
-	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
+	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(_ context.Context, o client.Object) []reconcile.Request {
 		ls := o.GetLabels()
 		if ls[LabelManaged] != "true" {
 			return nil
@@ -228,14 +229,14 @@ waitOnline:
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&corev1.Service{}).
-		Watches(&source.Kind{Type: &appsv1.StatefulSet{}}, reconcileFilter).
-		Watches(&source.Kind{Type: &corev1.Secret{}}, reconcileFilter).
+		Watches(&appsv1.StatefulSet{}, reconcileFilter).
+		Watches(&corev1.Secret{}, reconcileFilter).
 		Complete(sr)
 	if err != nil {
 		startlog.Fatalf("could not create controller: %v", err)
 	}
 
-	startlog.Infof("Startup complete, operator running")
+	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
 	if shouldRunAuthProxy {
 		cfg, err := restConfig.TransportConfig()
 		if err != nil {
@@ -278,11 +279,12 @@ const (
 // ServiceReconciler is a simple ControllerManagedBy example implementation.
 type ServiceReconciler struct {
 	client.Client
-	tsClient          tsClient
-	defaultTags       []string
-	operatorNamespace string
-	proxyImage        string
-	logger            *zap.SugaredLogger
+	tsClient               tsClient
+	defaultTags            []string
+	operatorNamespace      string
+	proxyImage             string
+	proxyPriorityClassName string
+	logger                 *zap.SugaredLogger
 }
 
 type tsClient interface {
@@ -566,6 +568,9 @@ func (a *ServiceReconciler) getDeviceInfo(ctx context.Context, svc *corev1.Servi
 	if err != nil {
 		return "", "", err
 	}
+	if sec == nil {
+		return "", "", nil
+	}
 	id = string(sec.Data["device_id"])
 	if id == "" {
 		return "", "", nil
@@ -589,6 +594,7 @@ func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (stri
 			},
 		},
 	}
+
 	key, _, err := a.tsClient.CreateKey(ctx, caps)
 	if err != nil {
 		return "", err
@@ -633,6 +639,7 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 	ss.Spec.Template.ObjectMeta.Labels = map[string]string{
 		"app": string(parentSvc.UID),
 	}
+	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }

cmd/k8s-operator/operator_test.go

@@ -14,7 +14,6 @@ import (
 	"go.uber.org/zap"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -65,7 +64,7 @@ func TestLoadBalancerClass(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -111,6 +110,8 @@ func TestLoadBalancerClass(t *testing.T) {
 	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
+	})
+	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@@ -186,7 +187,7 @@ func TestAnnotations(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -283,7 +284,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@@ -327,7 +328,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 	// ... but the service should have a LoadBalancer status.
 
 	want = &corev1.Service{
@@ -399,7 +400,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -448,6 +449,8 @@ func TestLBIntoAnnotation(t *testing.T) {
 		}
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
+	})
+	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@@ -456,7 +459,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 
 	want = &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -523,7 +526,7 @@ func TestCustomHostname(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla", ""))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -582,6 +585,51 @@ func TestCustomHostname(t *testing.T) {
 	expectEqual(t, fc, want)
 }
 
+func TestCustomPriorityClassName(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client:                 fc,
+		tsClient:               ft,
+		defaultTags:            []string{"tag:k8s"},
+		operatorNamespace:      "operator-ns",
+		proxyImage:             "tailscale/tailscale",
+		proxyPriorityClassName: "tailscale-critical",
+		logger:                 zl.Sugar(),
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/expose":   "true",
+				"tailscale.com/hostname": "custom-priority-class-name",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "custom-priority-class-name", "tailscale-critical"))
+}
+
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -630,7 +678,7 @@ func expectedHeadlessService(name string) *corev1.Service {
 	}
 }
 
-func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
+func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "StatefulSet",
@@ -659,6 +707,7 @@ func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "proxies",
+					PriorityClassName:  priorityClassName,
 					InitContainers: []corev1.Container{
 						{
 							Name:    "sysctler",
@@ -670,11 +719,11 @@ func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 							},
 						},
 					},
-					Containers: []v1.Container{
+					Containers: []corev1.Container{
 						{
 							Name:  "tailscale",
 							Image: "tailscale/tailscale",
-							Env: []v1.EnvVar{
+							Env: []corev1.EnvVar{
 								{Name: "TS_USERSPACE", Value: "false"},
 								{Name: "TS_AUTH_ONCE", Value: "true"},
 								{Name: "TS_DEST_IP", Value: "10.20.30.40"},
@@ -732,6 +781,21 @@ func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, n
 	}
 }
 
+func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Status().Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
 func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
 	t.Helper()
 	got := O(new(T))
@@ -815,7 +879,6 @@ func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabili
 	k := &tailscale.Key{
 		ID:           "key",
 		Created:      time.Now(),
-		Expires:      time.Now().Add(24 * time.Hour),
 		Capabilities: caps,
 	}
 	return "secret-authkey", k, nil

cmd/mkpkg/main.go

@@ -11,35 +11,40 @@ import (
 	"os"
 	"strings"
 
-	"github.com/goreleaser/nfpm"
-	_ "github.com/goreleaser/nfpm/deb"
-	_ "github.com/goreleaser/nfpm/rpm"
+	"github.com/goreleaser/nfpm/v2"
+	_ "github.com/goreleaser/nfpm/v2/deb"
+	"github.com/goreleaser/nfpm/v2/files"
+	_ "github.com/goreleaser/nfpm/v2/rpm"
 )
 
 // parseFiles parses a comma-separated list of colon-separated pairs
-// into a map of filePathOnDisk -> filePathInPackage.
-func parseFiles(s string) (map[string]string, error) {
-	ret := map[string]string{}
+// into files.Contents format.
+func parseFiles(s string, typ string) (files.Contents, error) {
 	if len(s) == 0 {
-		return ret, nil
+		return nil, nil
 	}
+	var contents files.Contents
 	for _, f := range strings.Split(s, ",") {
 		fs := strings.Split(f, ":")
 		if len(fs) != 2 {
 			return nil, fmt.Errorf("unparseable file field %q", f)
 		}
-		ret[fs[0]] = fs[1]
+		contents = append(contents, &files.Content{Type: files.TypeFile, Source: fs[0], Destination: fs[1]})
 	}
-	return ret, nil
+	return contents, nil
 }
 
-func parseEmptyDirs(s string) []string {
+func parseEmptyDirs(s string) files.Contents {
 	// strings.Split("", ",") would return []string{""}, which is not suitable:
 	// this would create an empty dir record with path "", breaking the package
 	if s == "" {
 		return nil
 	}
-	return strings.Split(s, ",")
+	var contents files.Contents
+	for _, d := range strings.Split(s, ",") {
+		contents = append(contents, &files.Content{Type: files.TypeDir, Destination: d})
+	}
+	return contents
 }
 
 func main() {
@@ -48,7 +53,7 @@ func main() {
 	description := flag.String("description", "The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO", "package description")
 	goarch := flag.String("arch", "amd64", "GOARCH this package is for")
 	pkgType := flag.String("type", "deb", "type of package to build (deb or rpm)")
-	files := flag.String("files", "", "comma-separated list of files in src:dst form")
+	regularFiles := flag.String("files", "", "comma-separated list of files in src:dst form")
 	configFiles := flag.String("configs", "", "like --files, but for files marked as user-editable config files")
 	emptyDirs := flag.String("emptydirs", "", "comma-separated list of empty directories")
 	version := flag.String("version", "0.0.0", "version of the package")
@@ -60,15 +65,20 @@ func main() {
 	recommends := flag.String("recommends", "", "comma-separated list of packages this package recommends")
 	flag.Parse()
 
-	filesMap, err := parseFiles(*files)
+	filesList, err := parseFiles(*regularFiles, files.TypeFile)
 	if err != nil {
 		log.Fatalf("Parsing --files: %v", err)
 	}
-	configsMap, err := parseFiles(*configFiles)
+	configsList, err := parseFiles(*configFiles, files.TypeConfig)
 	if err != nil {
 		log.Fatalf("Parsing --configs: %v", err)
 	}
 	emptyDirList := parseEmptyDirs(*emptyDirs)
+	contents := append(filesList, append(configsList, emptyDirList...)...)
+	contents, err = files.PrepareForPackager(contents, 0, *pkgType, false)
+	if err != nil {
+		log.Fatalf("Building package contents: %v", err)
+	}
 	info := nfpm.WithDefaults(&nfpm.Info{
 		Name:        *name,
 		Arch:        *goarch,
@@ -79,9 +89,7 @@ func main() {
 		Homepage:    "https://www.tailscale.com",
 		License:     "MIT",
 		Overridables: nfpm.Overridables{
-			EmptyFolders: emptyDirList,
-			Files:        filesMap,
-			ConfigFiles:  configsMap,
+			Contents: contents,
 			Scripts: nfpm.Scripts{
 				PostInstall: *postinst,
 				PreRemove:   *prerm,

cmd/netlogfmt/main.go

@@ -45,6 +45,7 @@ import (
 	"golang.org/x/exp/slices"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netlogtype"
+	"tailscale.com/util/cmpx"
 	"tailscale.com/util/must"
 )
 
@@ -151,10 +152,10 @@ func printMessage(msg message) {
 		if len(traffic) == 0 {
 			return
 		}
-		slices.SortFunc(traffic, func(x, y netlogtype.ConnectionCounts) bool {
+		slices.SortFunc(traffic, func(x, y netlogtype.ConnectionCounts) int {
 			nx := x.TxPackets + x.TxBytes + x.RxPackets + x.RxBytes
 			ny := y.TxPackets + y.TxBytes + y.RxPackets + y.RxBytes
-			return nx > ny
+			return cmpx.Compare(ny, nx)
 		})
 		var sum netlogtype.Counts
 		for _, cc := range traffic {

cmd/pgproxy/pgproxy.go

@@ -272,7 +272,7 @@ func (p *proxy) serve(sessionID int64, c net.Conn) error {
 	}
 	if buf[0] != 'S' {
 		p.errors.Add("upstream-bad-protocol", 1)
-		return fmt.Errorf("upstream didn't acknowldge start-ssl, said %q", buf[0])
+		return fmt.Errorf("upstream didn't acknowledge start-ssl, said %q", buf[0])
 	}
 	tlsConf := &tls.Config{
 		ServerName: p.upstreamHost,

cmd/sniproxy/sniproxy.go

@@ -18,25 +18,39 @@ import (
 	"golang.org/x/net/dns/dnsmessage"
 	"inet.af/tcpproxy"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/hostinfo"
 	"tailscale.com/net/netutil"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/nettype"
+	"tailscale.com/util/clientmetric"
 )
 
 var (
 	ports        = flag.String("ports", "443", "comma-separated list of ports to proxy")
+	wgPort       = flag.Int("wg-listen-port", 0, "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
 	promoteHTTPS = flag.Bool("promote-https", true, "promote HTTP to HTTPS")
 )
 
 var tsMBox = dnsmessage.MustNewName("support.tailscale.com.")
 
+var (
+	numSessions    = clientmetric.NewCounter("sniproxy_sessions")
+	numBadAddrPort = clientmetric.NewCounter("sniproxy_bad_addrport")
+	dnsResponses   = clientmetric.NewCounter("sniproxy_dns_responses")
+	dnsFailures    = clientmetric.NewCounter("sniproxy_dns_failed")
+	httpPromoted   = clientmetric.NewCounter("sniproxy_http_promoted")
+)
+
 func main() {
 	flag.Parse()
 	if *ports == "" {
 		log.Fatal("no ports")
 	}
 
+	hostinfo.SetApp("sniproxy")
+
 	var s server
+	s.ts.Port = uint16(*wgPort)
 	defer s.ts.Close()
 
 	lc, err := s.ts.LocalClient()
@@ -104,6 +118,7 @@ func (s *server) serveDNSConn(c nettype.ConnPacketConn) {
 	n, err := c.Read(buf)
 	if err != nil {
 		log.Printf("c.Read failed: %v\n ", err)
+		dnsFailures.Add(1)
 		return
 	}
 
@@ -111,20 +126,25 @@ func (s *server) serveDNSConn(c nettype.ConnPacketConn) {
 	err = msg.Unpack(buf[:n])
 	if err != nil {
 		log.Printf("dnsmessage unpack failed: %v\n ", err)
+		dnsFailures.Add(1)
 		return
 	}
 
 	buf, err = s.dnsResponse(&msg)
 	if err != nil {
 		log.Printf("s.dnsResponse failed: %v\n", err)
+		dnsFailures.Add(1)
 		return
 	}
 
 	_, err = c.Write(buf)
 	if err != nil {
 		log.Printf("c.Write failed: %v\n", err)
+		dnsFailures.Add(1)
 		return
 	}
+
+	dnsResponses.Add(1)
 }
 
 func (s *server) serveConn(c net.Conn) {
@@ -132,6 +152,7 @@ func (s *server) serveConn(c net.Conn) {
 	_, port, err := net.SplitHostPort(addrPortStr)
 	if err != nil {
 		log.Printf("bogus addrPort %q", addrPortStr)
+		numBadAddrPort.Add(1)
 		c.Close()
 		return
 	}
@@ -144,6 +165,7 @@ func (s *server) serveConn(c net.Conn) {
 		return netutil.NewOneConnListener(c, nil), nil
 	}
 	p.AddSNIRouteFunc(addrPortStr, func(ctx context.Context, sniName string) (t tcpproxy.Target, ok bool) {
+		numSessions.Add(1)
 		return &tcpproxy.DialProxy{
 			Addr:        net.JoinHostPort(sniName, port),
 			DialContext: dialer.DialContext,
@@ -213,6 +235,7 @@ func (s *server) dnsResponse(req *dnsmessage.Message) (buf []byte, err error) {
 
 func (s *server) promoteHTTPS(ln net.Listener) {
 	err := http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		httpPromoted.Add(1)
 		http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusFound)
 	}))
 	log.Fatalf("promoteHTTPS http.Serve: %v", err)

cmd/tailscale/cli/authenticode_windows.go

@@ -1,38 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
- */
-
-package cli
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-func init() {
-	verifyAuthenticode = verifyAuthenticodeWindows
-}
-
-func verifyAuthenticodeWindows(path string) error {
-	path16, err := windows.UTF16PtrFromString(path)
-	if err != nil {
-		return err
-	}
-	data := &windows.WinTrustData{
-		Size:             uint32(unsafe.Sizeof(windows.WinTrustData{})),
-		UIChoice:         windows.WTD_UI_NONE,
-		RevocationChecks: windows.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
-		UnionChoice:      windows.WTD_CHOICE_FILE,
-		StateAction:      windows.WTD_STATEACTION_VERIFY,
-		FileOrCatalogOrBlobOrSgnrOrCert: unsafe.Pointer(&windows.WinTrustFileInfo{
-			Size:     uint32(unsafe.Sizeof(windows.WinTrustFileInfo{})),
-			FilePath: path16,
-		}),
-	}
-	err = windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
-	data.StateAction = windows.WTD_STATEACTION_CLOSE
-	windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
-	return err
-}

cmd/tailscale/cli/cli.go

@@ -120,6 +120,8 @@ change in the future.
 			pingCmd,
 			ncCmd,
 			sshCmd,
+			funnelCmd,
+			serveCmd,
 			versionCmd,
 			webCmd,
 			fileCmd,
@@ -127,16 +129,12 @@ change in the future.
 			certCmd,
 			netlockCmd,
 			licensesCmd,
+			exitNodeCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
 		UsageFunc: usageFunc,
 	}
-	for _, c := range rootCmd.Subcommands {
-		if c.UsageFunc == nil {
-			c.UsageFunc = usageFunc
-		}
-	}
 	if envknob.UseWIPCode() {
 		rootCmd.Subcommands = append(rootCmd.Subcommands,
 			idTokenCmd,
@@ -147,10 +145,6 @@ change in the future.
 	switch {
 	case slices.Contains(args, "debug"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
-	case slices.Contains(args, "funnel"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, funnelCmd)
-	case slices.Contains(args, "serve"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, serveCmd)
 	case slices.Contains(args, "update"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
 	}
@@ -158,6 +152,12 @@ change in the future.
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
 	}
 
+	for _, c := range rootCmd.Subcommands {
+		if c.UsageFunc == nil {
+			c.UsageFunc = usageFunc
+		}
+	}
+
 	if err := rootCmd.Parse(args); err != nil {
 		if errors.Is(err, flag.ErrHelp) {
 			return nil

cmd/tailscale/cli/cli_test.go

@@ -18,10 +18,12 @@ import (
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstest"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
+	"tailscale.com/util/cmpx"
 	"tailscale.com/version/distro"
 )
 
@@ -621,9 +623,16 @@ func TestPrefsFromUpArgs(t *testing.T) {
 		{
 			name: "error_long_hostname",
 			args: upArgsT{
-				hostname: strings.Repeat("a", 300),
+				hostname: strings.Repeat(strings.Repeat("a", 63)+".", 4),
 			},
-			wantErr: `hostname too long: 300 bytes (max 256)`,
+			wantErr: `"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is too long to be a DNS name`,
+		},
+		{
+			name: "error_long_label",
+			args: upArgsT{
+				hostname: strings.Repeat("a", 64) + ".example.com",
+			},
+			wantErr: `"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is not a valid DNS label`,
 		},
 		{
 			name: "error_linux_netfilter_empty",
@@ -712,10 +721,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var warnBuf tstest.MemLogger
-			goos := tt.goos
-			if goos == "" {
-				goos = "linux"
-			}
+			goos := cmpx.Or(tt.goos, "linux")
 			st := tt.st
 			if st == nil {
 				st = new(ipnstate.Status)
@@ -829,7 +835,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{},
 			curPrefs: &ipn.Prefs{
 				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:    &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 			},
 			env: upCheckEnv{
 				backendState: "Stopped",
@@ -841,7 +847,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{},
 			curPrefs: &ipn.Prefs{
 				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:    &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 			},
 			env:            upCheckEnv{backendState: "Running"},
 			wantSimpleUp:   true,
@@ -852,7 +858,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--reset"},
 			curPrefs: &ipn.Prefs{
 				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:    &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 			},
 			env: upCheckEnv{backendState: "Running"},
 			wantJustEditMP: &ipn.MaskedPrefs{
@@ -879,7 +885,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{},
 			curPrefs: &ipn.Prefs{
 				ControlURL: "https://login.tailscale.com",
-				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:    &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 			},
 			env:            upCheckEnv{backendState: "Running"},
 			wantSimpleUp:   true,
@@ -890,7 +896,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--login-server=https://localhost:1000"},
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -905,7 +911,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--advertise-tags=tag:foo"},
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -939,7 +945,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--ssh"},
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -960,7 +966,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--ssh=false"},
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				RunSSH:           true,
@@ -985,7 +991,7 @@ func TestUpdatePrefs(t *testing.T) {
 			sshOverTailscale: true,
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -1009,7 +1015,7 @@ func TestUpdatePrefs(t *testing.T) {
 			sshOverTailscale: true,
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -1032,7 +1038,7 @@ func TestUpdatePrefs(t *testing.T) {
 			sshOverTailscale: true,
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -1054,7 +1060,7 @@ func TestUpdatePrefs(t *testing.T) {
 			sshOverTailscale: true,
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				RunSSH:           true,

cmd/tailscale/cli/debug.go

@@ -127,6 +127,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      localAPIAction("rebind"),
 			ShortHelp: "force a magicsock rebind",
 		},
+		{
+			Name:      "break-tcp-conns",
+			Exec:      localAPIAction("break-tcp-conns"),
+			ShortHelp: "break any open TCP connections from the daemon",
+		},
+		{
+			Name:      "break-derp-conns",
+			Exec:      localAPIAction("break-derp-conns"),
+			ShortHelp: "break any open DERP connections from the daemon",
+		},
 		{
 			Name:      "prefs",
 			Exec:      runPrefs,

cmd/tailscale/cli/diag.go

@@ -66,7 +66,7 @@ func isSystemdSystem() bool {
 		return false
 	}
 	switch distro.Get() {
-	case distro.QNAP, distro.Gokrazy, distro.Synology:
+	case distro.QNAP, distro.Gokrazy, distro.Synology, distro.Unraid:
 		return false
 	}
 	_, err := exec.LookPath("systemctl")

cmd/tailscale/cli/exitnode.go

@@ -0,0 +1,248 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"os"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/cmpx"
+)
+
+var exitNodeCmd = &ffcli.Command{
+	Name:       "exit-node",
+	ShortUsage: "exit-node [flags]",
+	Subcommands: []*ffcli.Command{
+		{
+			Name:       "list",
+			ShortUsage: "exit-node list [flags]",
+			ShortHelp:  "Show exit nodes",
+			Exec:       runExitNodeList,
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("list")
+				fs.StringVar(&exitNodeArgs.filter, "filter", "", "filter exit nodes by country")
+				return fs
+			})(),
+		},
+	},
+	Exec: func(context.Context, []string) error {
+		return errors.New("exit-node subcommand required; run 'tailscale exit-node -h' for details")
+	},
+}
+
+var exitNodeArgs struct {
+	filter string
+}
+
+// runExitNodeList returns a formatted list of exit nodes for a tailnet.
+// If the exit node has location and priority data, only the highest
+// priority node for each city location is shown to the user.
+// If the country location has more than one city, an 'Any' city
+// is returned for the country, which lists the highest priority
+// node in that country.
+// For countries without location data, each exit node is displayed.
+func runExitNodeList(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		return errors.New("unexpected non-flag arguments to 'tailscale exit-node list'")
+	}
+	getStatus := localClient.Status
+	st, err := getStatus(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+
+	var peers []*ipnstate.PeerStatus
+	for _, ps := range st.Peer {
+		if !ps.ExitNodeOption {
+			// We only show exit nodes under the exit-node subcommand.
+			continue
+		}
+
+		peers = append(peers, ps)
+	}
+
+	if len(peers) == 0 {
+		return errors.New("no exit nodes found")
+	}
+
+	filteredPeers := filterFormatAndSortExitNodes(peers, exitNodeArgs.filter)
+
+	if len(filteredPeers.Countries) == 0 && exitNodeArgs.filter != "" {
+		return fmt.Errorf("no exit nodes found for %q", exitNodeArgs.filter)
+	}
+
+	w := tabwriter.NewWriter(os.Stdout, 10, 5, 5, ' ', 0)
+	defer w.Flush()
+	fmt.Fprintf(w, "\n %s\t%s\t%s\t%s\t%s\t", "IP", "HOSTNAME", "COUNTRY", "CITY", "STATUS")
+	for _, country := range filteredPeers.Countries {
+		for _, city := range country.Cities {
+			for _, peer := range city.Peers {
+
+				fmt.Fprintf(w, "\n %s\t%s\t%s\t%s\t%s\t", peer.TailscaleIPs[0], strings.Trim(peer.DNSName, "."), country.Name, city.Name, peerStatus(peer))
+			}
+		}
+	}
+	fmt.Fprintln(w)
+	fmt.Fprintln(w)
+	fmt.Fprintln(w, "# To use an exit node, use `tailscale set --exit-node=` followed by the hostname or IP")
+
+	return nil
+}
+
+// peerStatus returns a string representing the current state of
+// a peer. If there is no notable state, a - is returned.
+func peerStatus(peer *ipnstate.PeerStatus) string {
+	if !peer.Active {
+		if peer.ExitNode {
+			return "selected but offline"
+		}
+		if !peer.Online {
+			return "offline"
+		}
+	}
+
+	if peer.ExitNode {
+		return "selected"
+	}
+
+	return "-"
+}
+
+type filteredExitNodes struct {
+	Countries []*filteredCountry
+}
+
+type filteredCountry struct {
+	Name   string
+	Cities []*filteredCity
+}
+
+type filteredCity struct {
+	Name  string
+	Peers []*ipnstate.PeerStatus
+}
+
+const noLocationData = "-"
+
+// filterFormatAndSortExitNodes filters and sorts exit nodes into
+// alphabetical order, by country, city and then by priority if
+// present.
+// If an exit node has location data, and the country has more than
+// once city, an `Any` city is added to the country that contains the
+// highest priority exit node within that country.
+// For exit nodes without location data, their country fields are
+// defined as '-' to indicate that the data is not available.
+func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string) filteredExitNodes {
+	countries := make(map[string]*filteredCountry)
+	cities := make(map[string]*filteredCity)
+	for _, ps := range peers {
+		if ps.Location == nil {
+			ps.Location = &tailcfg.Location{
+				Country:     noLocationData,
+				CountryCode: noLocationData,
+				City:        noLocationData,
+				CityCode:    noLocationData,
+			}
+		}
+
+		if filterBy != "" && ps.Location.Country != filterBy {
+			continue
+		}
+
+		co, coOK := countries[ps.Location.CountryCode]
+		if !coOK {
+			co = &filteredCountry{
+				Name: ps.Location.Country,
+			}
+			countries[ps.Location.CountryCode] = co
+
+		}
+
+		ci, ciOK := cities[ps.Location.CityCode]
+		if !ciOK {
+			ci = &filteredCity{
+				Name: ps.Location.City,
+			}
+			cities[ps.Location.CityCode] = ci
+			co.Cities = append(co.Cities, ci)
+		}
+		ci.Peers = append(ci.Peers, ps)
+	}
+
+	filteredExitNodes := filteredExitNodes{
+		Countries: maps.Values(countries),
+	}
+
+	for _, country := range filteredExitNodes.Countries {
+		if country.Name == noLocationData {
+			// Countries without location data should not
+			// be filtered further.
+			continue
+		}
+
+		var countryANYPeer []*ipnstate.PeerStatus
+		for _, city := range country.Cities {
+			sortPeersByPriority(city.Peers)
+			countryANYPeer = append(countryANYPeer, city.Peers...)
+			var reducedCityPeers []*ipnstate.PeerStatus
+			for i, peer := range city.Peers {
+				if i == 0 || peer.ExitNode {
+					// We only return the highest priority peer and any peer that
+					// is currently the active exit node.
+					reducedCityPeers = append(reducedCityPeers, peer)
+				}
+			}
+			city.Peers = reducedCityPeers
+		}
+		sortByCityName(country.Cities)
+		sortPeersByPriority(countryANYPeer)
+
+		if len(country.Cities) > 1 {
+			// For countries with more than one city, we want to return the
+			// option of the best peer for that country.
+			country.Cities = append([]*filteredCity{
+				{
+					Name:  "Any",
+					Peers: []*ipnstate.PeerStatus{countryANYPeer[0]},
+				},
+			}, country.Cities...)
+		}
+	}
+	sortByCountryName(filteredExitNodes.Countries)
+
+	return filteredExitNodes
+}
+
+// sortPeersByPriority sorts a slice of PeerStatus
+// by location.Priority, in order of highest priority.
+func sortPeersByPriority(peers []*ipnstate.PeerStatus) {
+	slices.SortStableFunc(peers, func(a, b *ipnstate.PeerStatus) int {
+		return cmpx.Compare(b.Location.Priority, a.Location.Priority)
+	})
+}
+
+// sortByCityName sorts a slice of filteredCity alphabetically
+// by name. The '-' used to indicate no location data will always
+// be sorted to the front of the slice.
+func sortByCityName(cities []*filteredCity) {
+	slices.SortStableFunc(cities, func(a, b *filteredCity) int { return strings.Compare(a.Name, b.Name) })
+}
+
+// sortByCountryName sorts a slice of filteredCountry alphabetically
+// by name. The '-' used to indicate no location data will always
+// be sorted to the front of the slice.
+func sortByCountryName(countries []*filteredCountry) {
+	slices.SortStableFunc(countries, func(a, b *filteredCountry) int { return strings.Compare(a.Name, b.Name) })
+}

cmd/tailscale/cli/exitnode_test.go

@@ -0,0 +1,308 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package cli
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+)
+
+func TestFilterFormatAndSortExitNodes(t *testing.T) {
+	t.Run("without filter", func(t *testing.T) {
+		ps := []*ipnstate.PeerStatus{
+			{
+				HostName: "everest-1",
+				Location: &tailcfg.Location{
+					Country:     "Everest",
+					CountryCode: "evr",
+					City:        "Hillary",
+					CityCode:    "hil",
+					Priority:    100,
+				},
+			},
+			{
+				HostName: "lhotse-1",
+				Location: &tailcfg.Location{
+					Country:     "Lhotse",
+					CountryCode: "lho",
+					City:        "Fritz",
+					CityCode:    "fri",
+					Priority:    200,
+				},
+			},
+			{
+				HostName: "lhotse-2",
+				Location: &tailcfg.Location{
+					Country:     "Lhotse",
+					CountryCode: "lho",
+					City:        "Fritz",
+					CityCode:    "fri",
+					Priority:    100,
+				},
+			},
+			{
+				HostName: "nuptse-1",
+				Location: &tailcfg.Location{
+					Country:     "Nuptse",
+					CountryCode: "nup",
+					City:        "Walmsley",
+					CityCode:    "wal",
+					Priority:    200,
+				},
+			},
+			{
+				HostName: "nuptse-2",
+				Location: &tailcfg.Location{
+					Country:     "Nuptse",
+					CountryCode: "nup",
+					City:        "Bonington",
+					CityCode:    "bon",
+					Priority:    10,
+				},
+			},
+			{
+				HostName: "Makalu",
+			},
+		}
+
+		want := filteredExitNodes{
+			Countries: []*filteredCountry{
+				{
+					Name: noLocationData,
+					Cities: []*filteredCity{
+						{
+							Name: noLocationData,
+							Peers: []*ipnstate.PeerStatus{
+								ps[5],
+							},
+						},
+					},
+				},
+				{
+					Name: "Everest",
+					Cities: []*filteredCity{
+						{
+							Name: "Hillary",
+							Peers: []*ipnstate.PeerStatus{
+								ps[0],
+							},
+						},
+					},
+				},
+				{
+					Name: "Lhotse",
+					Cities: []*filteredCity{
+						{
+							Name: "Fritz",
+							Peers: []*ipnstate.PeerStatus{
+								ps[1],
+							},
+						},
+					},
+				},
+				{
+					Name: "Nuptse",
+					Cities: []*filteredCity{
+						{
+							Name: "Any",
+							Peers: []*ipnstate.PeerStatus{
+								ps[3],
+							},
+						},
+						{
+							Name: "Bonington",
+							Peers: []*ipnstate.PeerStatus{
+								ps[4],
+							},
+						},
+						{
+							Name: "Walmsley",
+							Peers: []*ipnstate.PeerStatus{
+								ps[3],
+							},
+						},
+					},
+				},
+			},
+		}
+
+		result := filterFormatAndSortExitNodes(ps, "")
+
+		if res := cmp.Diff(result.Countries, want.Countries, cmpopts.IgnoreUnexported(key.NodePublic{})); res != "" {
+			t.Fatalf(res)
+		}
+	})
+
+	t.Run("with country filter", func(t *testing.T) {
+		ps := []*ipnstate.PeerStatus{
+			{
+				HostName: "baker-1",
+				Location: &tailcfg.Location{
+					Country:     "Pacific",
+					CountryCode: "pst",
+					City:        "Baker",
+					CityCode:    "col",
+					Priority:    100,
+				},
+			},
+			{
+				HostName: "hood-1",
+				Location: &tailcfg.Location{
+					Country:     "Pacific",
+					CountryCode: "pst",
+					City:        "Hood",
+					CityCode:    "hoo",
+					Priority:    500,
+				},
+			},
+			{
+				HostName: "rainier-1",
+				Location: &tailcfg.Location{
+					Country:     "Pacific",
+					CountryCode: "pst",
+					City:        "Rainier",
+					CityCode:    "rai",
+					Priority:    100,
+				},
+			},
+			{
+				HostName: "rainier-2",
+				Location: &tailcfg.Location{
+					Country:     "Pacific",
+					CountryCode: "pst",
+					City:        "Rainier",
+					CityCode:    "rai",
+					Priority:    10,
+				},
+			},
+			{
+				HostName: "mitchell-1",
+				Location: &tailcfg.Location{
+					Country:     "Atlantic",
+					CountryCode: "atl",
+					City:        "Mitchell",
+					CityCode:    "mit",
+					Priority:    200,
+				},
+			},
+		}
+
+		want := filteredExitNodes{
+			Countries: []*filteredCountry{
+				{
+					Name: "Pacific",
+					Cities: []*filteredCity{
+						{
+							Name: "Any",
+							Peers: []*ipnstate.PeerStatus{
+								ps[1],
+							},
+						},
+						{
+							Name: "Baker",
+							Peers: []*ipnstate.PeerStatus{
+								ps[0],
+							},
+						},
+						{
+							Name: "Hood",
+							Peers: []*ipnstate.PeerStatus{
+								ps[1],
+							},
+						},
+						{
+							Name: "Rainier",
+							Peers: []*ipnstate.PeerStatus{
+								ps[2],
+							},
+						},
+					},
+				},
+			},
+		}
+
+		result := filterFormatAndSortExitNodes(ps, "Pacific")
+
+		if res := cmp.Diff(result.Countries, want.Countries, cmpopts.IgnoreUnexported(key.NodePublic{})); res != "" {
+			t.Fatalf(res)
+		}
+	})
+}
+
+func TestSortPeersByPriority(t *testing.T) {
+	ps := []*ipnstate.PeerStatus{
+		{
+			Location: &tailcfg.Location{
+				Priority: 100,
+			},
+		},
+		{
+			Location: &tailcfg.Location{
+				Priority: 200,
+			},
+		},
+		{
+			Location: &tailcfg.Location{
+				Priority: 300,
+			},
+		},
+	}
+
+	sortPeersByPriority(ps)
+
+	if ps[0].Location.Priority != 300 {
+		t.Fatalf("sortPeersByPriority did not order PeerStatus with highest priority as index 0, got %v, want %v", ps[0].Location.Priority, 300)
+	}
+}
+
+func TestSortByCountryName(t *testing.T) {
+	fc := []*filteredCountry{
+		{
+			Name: "Albania",
+		},
+		{
+			Name: "Sweden",
+		},
+		{
+			Name: "Zimbabwe",
+		},
+		{
+			Name: noLocationData,
+		},
+	}
+
+	sortByCountryName(fc)
+
+	if fc[0].Name != noLocationData {
+		t.Fatalf("sortByCountryName did not order countries by alphabetical order, got %v, want %v", fc[0].Name, noLocationData)
+	}
+}
+
+func TestSortByCityName(t *testing.T) {
+	fc := []*filteredCity{
+		{
+			Name: "Kingston",
+		},
+		{
+			Name: "Goteborg",
+		},
+		{
+			Name: "Squamish",
+		},
+		{
+			Name: noLocationData,
+		},
+	}
+
+	sortByCityName(fc)
+
+	if fc[0].Name != noLocationData {
+		t.Fatalf("sortByCityName did not order cities by alphabetical order, got %v, want %v", fc[0].Name, noLocationData)
+	}
+}

cmd/tailscale/cli/funnel.go

@@ -13,7 +13,10 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/slices"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 	"tailscale.com/util/mak"
 )
 
@@ -29,11 +32,11 @@ var funnelCmd = newFunnelCommand(&serveEnv{lc: &localClient})
 func newFunnelCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "funnel",
-		ShortHelp: "[ALPHA] turn Tailscale Funnel on or off",
-		ShortUsage: strings.TrimSpace(`
-funnel <serve-port> {on|off}
-  funnel status [--json]
-`),
+		ShortHelp: "Turn on/off Funnel service",
+		ShortUsage: strings.Join([]string{
+			"funnel <serve-port> {on|off}",
+			"funnel status [--json]",
+		}, "\n  "),
 		LongHelp: strings.Join([]string{
 			"Funnel allows you to publish a 'tailscale serve'",
 			"server publicly, open to the entire internet.",
@@ -91,9 +94,15 @@ func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
 	}
 	port := uint16(port64)
 
-	if err := ipn.CheckFunnelAccess(port, st.Self.Capabilities); err != nil {
-		return err
+	if on {
+		// Don't block from turning off existing Funnel if
+		// network configuration/capabilities have changed.
+		// Only block from starting new Funnels.
+		if err := e.verifyFunnelEnabled(ctx, st, port); err != nil {
+			return err
+		}
 	}
+
 	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
 	hp := ipn.HostPort(dnsName + ":" + strconv.Itoa(int(port)))
 	if on == sc.AllowFunnel[hp] {
@@ -117,6 +126,49 @@ func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
 	return nil
 }
 
+// verifyFunnelEnabled verifies that the self node is allowed to use Funnel.
+//
+// If Funnel is not yet enabled by the current node capabilities,
+// the user is sent through an interactive flow to enable the feature.
+// Once enabled, verifyFunnelEnabled checks that the given port is allowed
+// with Funnel.
+//
+// If an error is reported, the CLI should stop execution and return the error.
+//
+// verifyFunnelEnabled may refresh the local state and modify the st input.
+func (e *serveEnv) verifyFunnelEnabled(ctx context.Context, st *ipnstate.Status, port uint16) error {
+	hasFunnelAttrs := func(attrs []string) bool {
+		hasHTTPS := slices.Contains(attrs, tailcfg.CapabilityHTTPS)
+		hasFunnel := slices.Contains(attrs, tailcfg.NodeAttrFunnel)
+		return hasHTTPS && hasFunnel
+	}
+	if hasFunnelAttrs(st.Self.Capabilities) {
+		return nil // already enabled
+	}
+	enableErr := e.enableFeatureInteractive(ctx, "funnel", hasFunnelAttrs)
+	st, statusErr := e.getLocalClientStatus(ctx) // get updated status; interactive flow may block
+	switch {
+	case statusErr != nil:
+		return fmt.Errorf("getting client status: %w", statusErr)
+	case enableErr != nil:
+		// enableFeatureInteractive is a new flow behind a control server
+		// feature flag. If anything caused it to error, fallback to using
+		// the old CheckFunnelAccess call. Likely this domain does not have
+		// the feature flag on.
+		// TODO(sonia,tailscale/corp#10577): Remove this fallback once the
+		// control flag is turned on for all domains.
+		if err := ipn.CheckFunnelAccess(port, st.Self.Capabilities); err != nil {
+			return err
+		}
+	default:
+		// Done with enablement, make sure the requested port is allowed.
+		if err := ipn.CheckFunnelPort(port, st.Self.Capabilities); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 // printFunnelWarning prints a warning if the Funnel is on but there is no serve
 // config for its host:port.
 func printFunnelWarning(sc *ipn.ServeConfig) {
@@ -129,7 +181,7 @@ func printFunnelWarning(sc *ipn.ServeConfig) {
 		p, _ := strconv.ParseUint(portStr, 10, 16)
 		if _, ok := sc.TCP[uint16(p)]; !ok {
 			warn = true
-			fmt.Fprintf(os.Stderr, "Warning: funnel=on for %s, but no serve config\n", hp)
+			fmt.Fprintf(os.Stderr, "\nWarning: funnel=on for %s, but no serve config\n", hp)
 		}
 	}
 	if warn {

cmd/tailscale/cli/licenses.go

@@ -5,9 +5,9 @@ package cli
 
 import (
 	"context"
-	"runtime"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/licenses"
 )
 
 var licensesCmd = &ffcli.Command{
@@ -18,27 +18,13 @@ var licensesCmd = &ffcli.Command{
 	Exec:       runLicenses,
 }
 
-// licensesURL returns the absolute URL containing open source license information for the current platform.
-func licensesURL() string {
-	switch runtime.GOOS {
-	case "android":
-		return "https://tailscale.com/licenses/android"
-	case "darwin", "ios":
-		return "https://tailscale.com/licenses/apple"
-	case "windows":
-		return "https://tailscale.com/licenses/windows"
-	default:
-		return "https://tailscale.com/licenses/tailscale"
-	}
-}
-
 func runLicenses(ctx context.Context, args []string) error {
-	licenses := licensesURL()
+	url := licenses.LicensesURL()
 	outln(`
 Tailscale wouldn't be possible without the contributions of thousands of open
 source developers. To see the open source packages included in Tailscale and
 their respective license information, visit:
 
-    ` + licenses)
+    ` + url)
 	return nil
 }

cmd/tailscale/cli/netcheck.go

@@ -19,6 +19,7 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/portmapper"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
@@ -45,9 +46,14 @@ var netcheckArgs struct {
 }
 
 func runNetcheck(ctx context.Context, args []string) error {
+	logf := logger.WithPrefix(log.Printf, "portmap: ")
+	netMon, err := netmon.New(logf)
+	if err != nil {
+		return err
+	}
 	c := &netcheck.Client{
-		UDPBindAddr: envknob.String("TS_DEBUG_NETCHECK_UDP_BIND"),
-		PortMapper:  portmapper.NewClient(logger.WithPrefix(log.Printf, "portmap: "), nil, nil),
+		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil),
+		UseDNSCache: false, // always resolve, don't cache
 	}
 	if netcheckArgs.verbose {
 		c.Logf = logger.WithPrefix(log.Printf, "netcheck: ")
@@ -60,6 +66,10 @@ func runNetcheck(ctx context.Context, args []string) error {
 		fmt.Fprintln(Stderr, "# Warning: this JSON format is not yet considered a stable interface")
 	}
 
+	if err := c.Standalone(ctx, envknob.String("TS_DEBUG_NETCHECK_UDP_BIND")); err != nil {
+		fmt.Fprintln(Stderr, "netcheck: UDP test failure:", err)
+	}
+
 	dm, err := localClient.CurrentDERPMap(ctx)
 	noRegions := dm != nil && len(dm.Regions) == 0
 	if noRegions {
@@ -96,7 +106,6 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	var err error
 	switch netcheckArgs.format {
 	case "":
-		break
 	case "json":
 		j, err = json.MarshalIndent(report, "", "\t")
 	case "json-line":

cmd/tailscale/cli/network-lock.go

@@ -23,6 +23,7 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
+	"tailscale.com/types/tkatype"
 )
 
 var netlockCmd = &ffcli.Command{
@@ -40,6 +41,7 @@ var netlockCmd = &ffcli.Command{
 		nlDisablementKDFCmd,
 		nlLogCmd,
 		nlLocalDisableCmd,
+		nlRevokeKeysCmd,
 	},
 	Exec: runNetworkLockNoSubcommand,
 }
@@ -465,7 +467,16 @@ func runNetworkLockSign(ctx context.Context, args []string) error {
 		}
 	}
 
-	return localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
+	err := localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
+	// Provide a better help message for when someone clicks through the signing flow
+	// on the wrong device.
+	if err != nil && strings.Contains(err.Error(), "this node is not trusted by network lock") {
+		fmt.Fprintln(os.Stderr, "Error: Signing is not available on this device because it does not have a trusted tailnet lock key.")
+		fmt.Fprintln(os.Stderr)
+		fmt.Fprintln(os.Stderr, "Try again on a signing device instead. Tailnet admins can see signing devices on the admin panel.")
+		fmt.Fprintln(os.Stderr)
+	}
+	return err
 }
 
 var nlDisableCmd = &ffcli.Command{
@@ -702,3 +713,114 @@ func wrapAuthKey(ctx context.Context, keyStr string, status *ipnstate.Status) er
 	fmt.Println(wrapped)
 	return nil
 }
+
+var nlRevokeKeysArgs struct {
+	cosign   bool
+	finish   bool
+	forkFrom string
+}
+
+var nlRevokeKeysCmd = &ffcli.Command{
+	Name:       "revoke-keys",
+	ShortUsage: "revoke-keys <tailnet-lock-key>...\n  revoke-keys [--cosign] [--finish] <recovery-blob>",
+	ShortHelp:  "Revoke compromised tailnet-lock keys",
+	LongHelp: `Retroactively revoke the specified tailnet lock keys (tlpub:abc).
+
+Revoked keys are prevented from being used in the future. Any nodes previously signed
+by revoked keys lose their authorization and must be signed again.
+
+Revocation is a multi-step process that requires several signing nodes to ` + "`--cosign`" + ` the revocation. Use ` + "`tailscale lock remove`" + ` instead if the key has not been compromised.
+
+1. To start, run ` + "`tailscale revoke-keys <tlpub-keys>`" + ` with the tailnet lock keys to revoke.
+2. Re-run the ` + "`--cosign`" + ` command output by ` + "`revoke-keys`" + ` on other signing nodes. Use the
+   most recent command output on the next signing node in sequence.
+3. Once the number of ` + "`--cosign`" + `s is greater than the number of keys being revoked,
+   run the command one final time with ` + "`--finish`" + ` instead of ` + "`--cosign`" + `.`,
+	Exec: runNetworkLockRevokeKeys,
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("lock revoke-keys")
+		fs.BoolVar(&nlRevokeKeysArgs.cosign, "cosign", false, "continue generating the recovery using the tailnet lock key on this device and the provided recovery blob")
+		fs.BoolVar(&nlRevokeKeysArgs.finish, "finish", false, "finish the recovery process by transmitting the revocation")
+		fs.StringVar(&nlRevokeKeysArgs.forkFrom, "fork-from", "", "parent AUM hash to rewrite from (advanced users only)")
+		return fs
+	})(),
+}
+
+func runNetworkLockRevokeKeys(ctx context.Context, args []string) error {
+	// First step in the process
+	if !nlRevokeKeysArgs.cosign && !nlRevokeKeysArgs.finish {
+		removeKeys, _, err := parseNLArgs(args, true, false)
+		if err != nil {
+			return err
+		}
+
+		keyIDs := make([]tkatype.KeyID, len(removeKeys))
+		for i, k := range removeKeys {
+			keyIDs[i], err = k.ID()
+			if err != nil {
+				return fmt.Errorf("generating keyID: %v", err)
+			}
+		}
+
+		var forkFrom tka.AUMHash
+		if nlRevokeKeysArgs.forkFrom != "" {
+			if len(nlRevokeKeysArgs.forkFrom) == (len(forkFrom) * 2) {
+				// Hex-encoded: like the output of the lock log command.
+				b, err := hex.DecodeString(nlRevokeKeysArgs.forkFrom)
+				if err != nil {
+					return fmt.Errorf("invalid fork-from hash: %v", err)
+				}
+				copy(forkFrom[:], b)
+			} else {
+				if err := forkFrom.UnmarshalText([]byte(nlRevokeKeysArgs.forkFrom)); err != nil {
+					return fmt.Errorf("invalid fork-from hash: %v", err)
+				}
+			}
+		}
+
+		aumBytes, err := localClient.NetworkLockGenRecoveryAUM(ctx, keyIDs, forkFrom)
+		if err != nil {
+			return fmt.Errorf("generation of recovery AUM failed: %w", err)
+		}
+
+		fmt.Printf(`Run the following command on another machine with a trusted tailnet lock key:
+	%s lock recover-compromised-key --cosign %X
+`, os.Args[0], aumBytes)
+		return nil
+	}
+
+	// If we got this far, we need to co-sign the AUM and/or transmit it for distribution.
+	b, err := hex.DecodeString(args[0])
+	if err != nil {
+		return fmt.Errorf("parsing hex: %v", err)
+	}
+	var recoveryAUM tka.AUM
+	if err := recoveryAUM.Unserialize(b); err != nil {
+		return fmt.Errorf("decoding recovery AUM: %v", err)
+	}
+
+	if nlRevokeKeysArgs.cosign {
+		aumBytes, err := localClient.NetworkLockCosignRecoveryAUM(ctx, recoveryAUM)
+		if err != nil {
+			return fmt.Errorf("co-signing recovery AUM failed: %w", err)
+		}
+
+		fmt.Printf(`Co-signing completed successfully.
+
+To accumulate an additional signature, run the following command on another machine with a trusted tailnet lock key:
+	%s lock recover-compromised-key --cosign %X
+
+Alternatively if you are done with co-signing, complete recovery by running the following command:
+	%s lock recover-compromised-key --finish %X
+`, os.Args[0], aumBytes, os.Args[0], aumBytes)
+	}
+
+	if nlRevokeKeysArgs.finish {
+		if err := localClient.NetworkLockSubmitRecoveryAUM(ctx, recoveryAUM); err != nil {
+			return fmt.Errorf("submitting recovery AUM failed: %w", err)
+		}
+		fmt.Println("Recovery completed.")
+	}
+
+	return nil
+}

cmd/tailscale/cli/ping.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 )
@@ -51,14 +52,16 @@ relay node.
 		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
 		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
 		fs.BoolVar(&pingArgs.peerAPI, "peerapi", false, "try hitting the peer's peerapi HTTP server")
-		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
+		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send. 0 for infinity.")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
+		fs.IntVar(&pingArgs.size, "size", 0, "size of the ping message (disco pings only). 0 for minimum size.")
 		return fs
 	})(),
 }
 
 var pingArgs struct {
 	num         int
+	size        int
 	untilDirect bool
 	verbose     bool
 	tsmp        bool
@@ -115,7 +118,7 @@ func runPing(ctx context.Context, args []string) error {
 	for {
 		n++
 		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.Ping(ctx, netip.MustParseAddr(ip), pingType())
+		pr, err := localClient.PingWithOpts(ctx, netip.MustParseAddr(ip), pingType(), tailscale.PingOpts{Size: pingArgs.size})
 		cancel()
 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) {

cmd/tailscale/cli/risks.go

@@ -12,6 +12,8 @@ import (
 	"strings"
 	"syscall"
 	"time"
+
+	"tailscale.com/util/testenv"
 )
 
 var (
@@ -56,7 +58,7 @@ func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
 	if isRiskAccepted(riskType, acceptedRisks) {
 		return nil
 	}
-	if inTest() {
+	if testenv.InTest() {
 		return errAborted
 	}
 	outln(riskMessage)

cmd/tailscale/cli/serve.go

@@ -10,19 +10,24 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"log"
 	"net"
 	"net/url"
 	"os"
 	"path"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"sort"
 	"strconv"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/slices"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 	"tailscale.com/util/mak"
 	"tailscale.com/version"
 )
@@ -33,15 +38,17 @@ var serveCmd = newServeCommand(&serveEnv{lc: &localClient})
 func newServeCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "serve",
-		ShortHelp: "[ALPHA] Serve from your Tailscale node",
-		ShortUsage: strings.TrimSpace(`
-serve https:<port> <mount-point> <source> [off]
-  serve tcp:<port> tcp://localhost:<local-port> [off]
-  serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
-  serve status [--json]
-`),
+		ShortHelp: "Serve content and local servers",
+		ShortUsage: strings.Join([]string{
+			"serve http:<port> <mount-point> <source> [off]",
+			"serve https:<port> <mount-point> <source> [off]",
+			"serve tcp:<port> tcp://localhost:<local-port> [off]",
+			"serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]",
+			"serve status [--json]",
+			"serve reset",
+		}, "\n  "),
 		LongHelp: strings.TrimSpace(`
-*** ALPHA; all of this is subject to change ***
+*** BETA; all of this is subject to change ***
 
 The 'tailscale serve' set of commands allows you to serve
 content and local servers from your Tailscale node to
@@ -56,8 +63,8 @@ EXAMPLES
   - To proxy requests to a web server at 127.0.0.1:3000:
     $ tailscale serve https:443 / http://127.0.0.1:3000
 
-	Or, using the default port:
-	$ tailscale serve https / http://127.0.0.1:3000
+    Or, using the default port (443):
+    $ tailscale serve https / http://127.0.0.1:3000
 
   - To serve a single file or a directory of files:
     $ tailscale serve https / /home/alice/blog/index.html
@@ -66,6 +73,12 @@ EXAMPLES
   - To serve simple static text:
     $ tailscale serve https:8080 / text:"Hello, world!"
 
+  - To serve over HTTP (tailnet only):
+    $ tailscale serve http:80 / http://127.0.0.1:3000
+
+    Or, using the default port (80):
+    $ tailscale serve http / http://127.0.0.1:3000
+
   - To forward incoming TCP connections on port 2222 to a local TCP server on
     port 22 (e.g. to run OpenSSH in parallel with Tailscale SSH):
     $ tailscale serve tcp:2222 tcp://localhost:22
@@ -86,6 +99,13 @@ EXAMPLES
 				}),
 				UsageFunc: usageFunc,
 			},
+			{
+				Name:      "reset",
+				Exec:      e.runServeReset,
+				ShortHelp: "reset current serve/funnel config",
+				FlagSet:   e.newFlags("serve-reset", nil),
+				UsageFunc: usageFunc,
+			},
 		},
 	}
 }
@@ -112,6 +132,9 @@ type localServeClient interface {
 	Status(context.Context) (*ipnstate.Status, error)
 	GetServeConfig(context.Context) (*ipn.ServeConfig, error)
 	SetServeConfig(context.Context, *ipn.ServeConfig) error
+	QueryFeature(ctx context.Context, feature string) (*tailcfg.QueryFeatureResponse, error)
+	WatchIPNBus(ctx context.Context, mask ipn.NotifyWatchOpt) (*tailscale.IPNBusWatcher, error)
+	IncrementCounter(ctx context.Context, name string, delta int) error
 }
 
 // serveEnv is the environment the serve command runs within. All I/O should be
@@ -166,6 +189,7 @@ func (e *serveEnv) getLocalClientStatus(ctx context.Context) (*ipnstate.Status,
 // serve config types like proxy, path, and text.
 //
 // Examples:
+// - tailscale serve http / http://localhost:3000
 // - tailscale serve https / http://localhost:3000
 // - tailscale serve https /images/ /var/www/images/
 // - tailscale serve https:10000 /motd.txt text:"Hello, world!"
@@ -190,19 +214,14 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.lc.SetServeConfig(ctx, sc)
 	}
 
-	parsePort := func(portStr string) (uint16, error) {
-		port64, err := strconv.ParseUint(portStr, 10, 16)
-		if err != nil {
-			return 0, err
-		}
-		return uint16(port64), nil
-	}
-
 	srcType, srcPortStr, found := strings.Cut(args[0], ":")
 	if !found {
 		if srcType == "https" && srcPortStr == "" {
 			// Default https port to 443.
 			srcPortStr = "443"
+		} else if srcType == "http" && srcPortStr == "" {
+			// Default http port to 80.
+			srcPortStr = "80"
 		} else {
 			return flag.ErrHelp
 		}
@@ -210,18 +229,33 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 
 	turnOff := "off" == args[len(args)-1]
 
-	if len(args) < 2 || (srcType == "https" && !turnOff && len(args) < 3) {
+	if len(args) < 2 || ((srcType == "https" || srcType == "http") && !turnOff && len(args) < 3) {
 		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
 		return flag.ErrHelp
 	}
 
-	srcPort, err := parsePort(srcPortStr)
+	if srcType == "https" && !turnOff {
+		// Running serve with https requires that the tailnet has enabled
+		// https cert provisioning. Send users through an interactive flow
+		// to enable this if not already done.
+		//
+		// TODO(sonia,tailscale/corp#10577): The interactive feature flow
+		// is behind a control flag. If the tailnet doesn't have the flag
+		// on, enableFeatureInteractive will error. For now, we hide that
+		// error and maintain the previous behavior (prior to 2023-08-15)
+		// of letting them edit the serve config before enabling certs.
+		e.enableFeatureInteractive(ctx, "serve", func(caps []string) bool {
+			return slices.Contains(caps, tailcfg.CapabilityHTTPS)
+		})
+	}
+
+	srcPort, err := parseServePort(srcPortStr)
 	if err != nil {
-		return err
+		return fmt.Errorf("invalid port %q: %w", srcPortStr, err)
 	}
 
 	switch srcType {
-	case "https":
+	case "https", "http":
 		mount, err := cleanMountPoint(args[1])
 		if err != nil {
 			return err
@@ -229,7 +263,8 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		if turnOff {
 			return e.handleWebServeRemove(ctx, srcPort, mount)
 		}
-		return e.handleWebServe(ctx, srcPort, mount, args[2])
+		useTLS := srcType == "https"
+		return e.handleWebServe(ctx, srcPort, useTLS, mount, args[2])
 	case "tcp", "tls-terminated-tcp":
 		if turnOff {
 			return e.handleTCPServeRemove(ctx, srcPort)
@@ -237,20 +272,20 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.handleTCPServe(ctx, srcType, srcPort, args[1])
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid serve type %q\n", srcType)
-		fmt.Fprint(os.Stderr, "must be one of: https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
+		fmt.Fprint(os.Stderr, "must be one of: http:<port>, https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
 		return flag.ErrHelp
 	}
 }
 
-// handleWebServe handles the "tailscale serve https:..." subcommand.
-// It configures the serve config to forward HTTPS connections to the
-// given source.
+// handleWebServe handles the "tailscale serve (http/https):..." subcommand. It
+// configures the serve config to forward HTTPS connections to the given source.
 //
 // Examples:
+//   - tailscale serve http / http://localhost:3000
 //   - tailscale serve https / http://localhost:3000
 //   - tailscale serve https:8443 /files/ /home/alice/shared-files/
 //   - tailscale serve https:10000 /motd.txt text:"Hello, world!"
-func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, source string) error {
+func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bool, mount, source string) error {
 	h := new(ipn.HTTPHandler)
 
 	ts, _, _ := strings.Cut(source, ":")
@@ -309,7 +344,7 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, so
 		return flag.ErrHelp
 	}
 
-	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: true})
+	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
 
 	if _, ok := sc.Web[hp]; !ok {
 		mak.Set(&sc.Web, hp, new(ipn.WebServerConfig))
@@ -412,6 +447,7 @@ func cleanMountPoint(mount string) (string, error) {
 	if mount == "" {
 		return "", errors.New("mount point cannot be empty")
 	}
+	mount = cleanMinGWPathConversionIfNeeded(mount)
 	if !strings.HasPrefix(mount, "/") {
 		mount = "/" + mount
 	}
@@ -422,6 +458,26 @@ func cleanMountPoint(mount string) (string, error) {
 	return "", fmt.Errorf("invalid mount point %q", mount)
 }
 
+// cleanMinGWPathConversionIfNeeded strips the EXEPATH prefix from the given
+// path if the path is a MinGW(ish) (Windows) shell arg.
+//
+// MinGW(ish) (Windows) shells perform POSIX-to-Windows path conversion
+// converting the leading "/" of any shell arg to the EXEPATH, which mangles the
+// mount point. Strip the EXEPATH prefix if it exists. #7963
+//
+// "/C:/Program Files/Git/foo" -> "/foo"
+func cleanMinGWPathConversionIfNeeded(path string) string {
+	// Only do this on Windows.
+	if runtime.GOOS != "windows" {
+		return path
+	}
+	if _, ok := os.LookupEnv("MSYSTEM"); ok {
+		exepath := filepath.ToSlash(os.Getenv("EXEPATH"))
+		path = strings.TrimPrefix(path, exepath)
+	}
+	return path
+}
+
 func expandProxyTarget(source string) (string, error) {
 	if !strings.Contains(source, "://") {
 		source = "http://" + source
@@ -453,6 +509,7 @@ func expandProxyTarget(source string) (string, error) {
 	if u.Port() != "" {
 		url += ":" + u.Port()
 	}
+	url += u.Path
 	return url, nil
 }
 
@@ -595,7 +652,10 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		printf("\n")
 	}
 	for hp := range sc.Web {
-		printWebStatusTree(sc, hp)
+		err := e.printWebStatusTree(sc, hp)
+		if err != nil {
+			return err
+		}
 		printf("\n")
 	}
 	printFunnelWarning(sc)
@@ -634,20 +694,37 @@ func printTCPStatusTree(ctx context.Context, sc *ipn.ServeConfig, st *ipnstate.S
 	return nil
 }
 
-func printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) {
+func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) error {
+	// No-op if no serve config
 	if sc == nil {
-		return
+		return nil
 	}
 	fStatus := "tailnet only"
 	if sc.AllowFunnel[hp] {
 		fStatus = "Funnel on"
 	}
 	host, portStr, _ := net.SplitHostPort(string(hp))
-	if portStr == "443" {
-		printf("https://%s (%s)\n", host, fStatus)
-	} else {
-		printf("https://%s:%s (%s)\n", host, portStr, fStatus)
+
+	port, err := parseServePort(portStr)
+	if err != nil {
+		return fmt.Errorf("invalid port %q: %w", portStr, err)
 	}
+
+	scheme := "https"
+	if sc.IsServingHTTP(port) {
+		scheme = "http"
+	}
+
+	portPart := ":" + portStr
+	if scheme == "http" && portStr == "80" ||
+		scheme == "https" && portStr == "443" {
+		portPart = ""
+	}
+	if scheme == "http" {
+		hostname, _, _ := strings.Cut(host, ".")
+		printf("%s://%s%s (%s)\n", scheme, hostname, portPart, fStatus)
+	}
+	printf("%s://%s%s (%s)\n", scheme, host, portPart, fStatus)
 	srvTypeAndDesc := func(h *ipn.HTTPHandler) (string, string) {
 		switch {
 		case h.Path != "":
@@ -674,6 +751,8 @@ func printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) {
 		t, d := srvTypeAndDesc(h)
 		printf("%s %s%s %-5s %s\n", "|--", m, strings.Repeat(" ", maxLen-len(m)), t, d)
 	}
+
+	return nil
 }
 
 func elipticallyTruncate(s string, max int) string {
@@ -682,3 +761,100 @@ func elipticallyTruncate(s string, max int) string {
 	}
 	return s[:max-3] + "..."
 }
+
+// runServeReset clears out the current serve config.
+//
+// Usage:
+//   - tailscale serve reset
+func (e *serveEnv) runServeReset(ctx context.Context, args []string) error {
+	if len(args) != 0 {
+		return flag.ErrHelp
+	}
+	sc := new(ipn.ServeConfig)
+	return e.lc.SetServeConfig(ctx, sc)
+}
+
+// parseServePort parses a port number from a string and returns it as a
+// uint16. It returns an error if the port number is invalid or zero.
+func parseServePort(s string) (uint16, error) {
+	p, err := strconv.ParseUint(s, 10, 16)
+	if err != nil {
+		return 0, err
+	}
+	if p == 0 {
+		return 0, errors.New("port number must be non-zero")
+	}
+	return uint16(p), nil
+}
+
+// enableFeatureInteractive sends the node's user through an interactive
+// flow to enable a feature, such as Funnel, on their tailnet.
+//
+// hasRequiredCapabilities should be provided as a function that checks
+// whether a slice of node capabilities encloses the necessary values
+// needed to use the feature.
+//
+// If err is returned empty, the feature has been successfully enabled.
+//
+// If err is returned non-empty, the client failed to query the control
+// server for information about how to enable the feature.
+//
+// If the feature cannot be enabled, enableFeatureInteractive terminates
+// the CLI process.
+//
+// 2023-08-09: The only valid feature values are "serve" and "funnel".
+// This can be moved to some CLI lib when expanded past serve/funnel.
+func (e *serveEnv) enableFeatureInteractive(ctx context.Context, feature string, hasRequiredCapabilities func(caps []string) bool) (err error) {
+	info, err := e.lc.QueryFeature(ctx, feature)
+	if err != nil {
+		return err
+	}
+	if info.Complete {
+		return nil // already enabled
+	}
+	if info.Text != "" {
+		fmt.Fprintln(os.Stdout, "\n"+info.Text)
+	}
+	if info.URL != "" {
+		fmt.Fprintln(os.Stdout, "\n         "+info.URL+"\n")
+	}
+	if !info.ShouldWait {
+		e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_not_awaiting_enablement", feature), 1)
+		// The feature has not been enabled yet,
+		// but the CLI should not block on user action.
+		// Once info.Text is printed, exit the CLI.
+		os.Exit(0)
+	}
+	e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_awaiting_enablement", feature), 1)
+	// Block until feature is enabled.
+	watchCtx, cancelWatch := context.WithCancel(ctx)
+	defer cancelWatch()
+	watcher, err := e.lc.WatchIPNBus(watchCtx, 0)
+	if err != nil {
+		// If we fail to connect to the IPN notification bus,
+		// don't block. We still present the URL in the CLI,
+		// then close the process. Swallow the error.
+		log.Fatalf("lost connection to tailscaled: %v", err)
+		e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enablement_lost_connection", feature), 1)
+		return err
+	}
+	defer watcher.Close()
+	for {
+		n, err := watcher.Next()
+		if err != nil {
+			// Stop blocking if we error.
+			// Let the user finish enablement then rerun their
+			// command themselves.
+			log.Fatalf("lost connection to tailscaled: %v", err)
+			e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enablement_lost_connection", feature), 1)
+			return err
+		}
+		if nm := n.NetMap; nm != nil && nm.SelfNode != nil {
+			if hasRequiredCapabilities(nm.SelfNode.Capabilities) {
+				e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enabled", feature), 1)
+				fmt.Fprintln(os.Stdout, "Success.")
+				return nil
+			}
+		}
+	}
+}

cmd/tailscale/cli/serve_test.go

@@ -6,6 +6,7 @@ package cli
 import (
 	"bytes"
 	"context"
+	"errors"
 	"flag"
 	"fmt"
 	"os"
@@ -16,6 +17,7 @@ import (
 	"testing"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
@@ -89,6 +91,59 @@ func TestServeConfigMutations(t *testing.T) {
 		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 
+	// https
+	add(step{reset: true})
+	add(step{ // allow omitting port (default to 80)
+		command: cmd("http / http://localhost:3000"),
+		want: &ipn.ServeConfig{
+			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
+			Web: map[ipn.HostPort]*ipn.WebServerConfig{
+				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
+					"/": {Proxy: "http://127.0.0.1:3000"},
+				}},
+			},
+		},
+	})
+	add(step{ // support non Funnel port
+		command: cmd("http:9999 /abc http://localhost:3001"),
+		want: &ipn.ServeConfig{
+			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 9999: {HTTP: true}},
+			Web: map[ipn.HostPort]*ipn.WebServerConfig{
+				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
+					"/": {Proxy: "http://127.0.0.1:3000"},
+				}},
+				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
+					"/abc": {Proxy: "http://127.0.0.1:3001"},
+				}},
+			},
+		},
+	})
+	add(step{
+		command: cmd("http:9999 /abc off"),
+		want: &ipn.ServeConfig{
+			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
+			Web: map[ipn.HostPort]*ipn.WebServerConfig{
+				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
+					"/": {Proxy: "http://127.0.0.1:3000"},
+				}},
+			},
+		},
+	})
+	add(step{
+		command: cmd("http:8080 /abc http://127.0.0.1:3001"),
+		want: &ipn.ServeConfig{
+			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 8080: {HTTP: true}},
+			Web: map[ipn.HostPort]*ipn.WebServerConfig{
+				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
+					"/": {Proxy: "http://127.0.0.1:3000"},
+				}},
+				"foo.test.ts.net:8080": {Handlers: map[string]*ipn.HTTPHandler{
+					"/abc": {Proxy: "http://127.0.0.1:3001"},
+				}},
+			},
+		},
+	})
+
 	// https
 	add(step{reset: true})
 	add(step{
@@ -224,7 +279,10 @@ func TestServeConfigMutations(t *testing.T) {
 		command: cmd("https:443 bar https://127.0.0.1:8443"),
 		want:    nil, // nothing to save
 	})
-	add(step{reset: true})
+	add(step{ // try resetting using reset command
+		command: cmd("reset"),
+		want:    &ipn.ServeConfig{},
+	})
 	add(step{
 		command: cmd("https:443 / https+insecure://127.0.0.1:3001"),
 		want: &ipn.ServeConfig{
@@ -262,6 +320,18 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
+	add(step{reset: true})
+	add(step{ // support path in proxy
+		command: cmd("https / http://127.0.0.1:3000/foo/bar"),
+		want: &ipn.ServeConfig{
+			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
+			Web: map[ipn.HostPort]*ipn.WebServerConfig{
+				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
+					"/": {Proxy: "http://127.0.0.1:3000/foo/bar"},
+				}},
+			},
+		},
+	})
 
 	// tcp
 	add(step{reset: true})
@@ -677,14 +747,105 @@ func TestServeConfigMutations(t *testing.T) {
 	}
 }
 
+func TestVerifyFunnelEnabled(t *testing.T) {
+	lc := &fakeLocalServeClient{}
+	var stdout bytes.Buffer
+	var flagOut bytes.Buffer
+	e := &serveEnv{
+		lc:          lc,
+		testFlagOut: &flagOut,
+		testStdout:  &stdout,
+	}
+
+	tests := []struct {
+		name string
+		// queryFeatureResponse is the mock response desired from the
+		// call made to lc.QueryFeature by verifyFunnelEnabled.
+		queryFeatureResponse mockQueryFeatureResponse
+		caps                 []string // optionally set at fakeStatus.Capabilities
+		wantErr              string
+		wantPanic            string
+	}{
+		{
+			name:                 "enabled",
+			queryFeatureResponse: mockQueryFeatureResponse{resp: &tailcfg.QueryFeatureResponse{Complete: true}, err: nil},
+			wantErr:              "", // no error, success
+		},
+		{
+			name:                 "fallback-to-non-interactive-flow",
+			queryFeatureResponse: mockQueryFeatureResponse{resp: nil, err: errors.New("not-allowed")},
+			wantErr:              "Funnel not available; HTTPS must be enabled. See https://tailscale.com/s/https.",
+		},
+		{
+			name:                 "fallback-flow-missing-acl-rule",
+			queryFeatureResponse: mockQueryFeatureResponse{resp: nil, err: errors.New("not-allowed")},
+			caps:                 []string{tailcfg.CapabilityHTTPS},
+			wantErr:              `Funnel not available; "funnel" node attribute not set. See https://tailscale.com/s/no-funnel.`,
+		},
+		{
+			name:                 "fallback-flow-enabled",
+			queryFeatureResponse: mockQueryFeatureResponse{resp: nil, err: errors.New("not-allowed")},
+			caps:                 []string{tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel},
+			wantErr:              "", // no error, success
+		},
+		{
+			name: "not-allowed-to-enable",
+			queryFeatureResponse: mockQueryFeatureResponse{resp: &tailcfg.QueryFeatureResponse{
+				Complete:   false,
+				Text:       "You don't have permission to enable this feature.",
+				ShouldWait: false,
+			}, err: nil},
+			wantErr:   "",
+			wantPanic: "unexpected call to os.Exit(0) during test", // os.Exit(0) should be called to end process
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := context.Background()
+			lc.setQueryFeatureResponse(tt.queryFeatureResponse)
+
+			if tt.caps != nil {
+				oldCaps := fakeStatus.Self.Capabilities
+				defer func() { fakeStatus.Self.Capabilities = oldCaps }() // reset after test
+				fakeStatus.Self.Capabilities = tt.caps
+			}
+			st, err := e.getLocalClientStatus(ctx)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			defer func() {
+				r := recover()
+				var gotPanic string
+				if r != nil {
+					gotPanic = fmt.Sprint(r)
+				}
+				if gotPanic != tt.wantPanic {
+					t.Errorf("wrong panic; got=%s, want=%s", gotPanic, tt.wantPanic)
+				}
+			}()
+			gotErr := e.verifyFunnelEnabled(ctx, st, 443)
+			var got string
+			if gotErr != nil {
+				got = gotErr.Error()
+			}
+			if got != tt.wantErr {
+				t.Errorf("wrong error; got=%s, want=%s", gotErr, tt.wantErr)
+			}
+		})
+	}
+}
+
 // fakeLocalServeClient is a fake tailscale.LocalClient for tests.
 // It's not a full implementation, just enough to test the serve command.
 //
 // The fake client is stateful, and is used to test manipulating
 // ServeConfig state. This implementation cannot be used concurrently.
 type fakeLocalServeClient struct {
-	config   *ipn.ServeConfig
-	setCount int // counts calls to SetServeConfig
+	config               *ipn.ServeConfig
+	setCount             int                       // counts calls to SetServeConfig
+	queryFeatureResponse *mockQueryFeatureResponse // mock response to QueryFeature calls
 }
 
 // fakeStatus is a fake ipnstate.Status value for tests.
@@ -714,6 +875,31 @@ func (lc *fakeLocalServeClient) SetServeConfig(ctx context.Context, config *ipn.
 	return nil
 }
 
+type mockQueryFeatureResponse struct {
+	resp *tailcfg.QueryFeatureResponse
+	err  error
+}
+
+func (lc *fakeLocalServeClient) setQueryFeatureResponse(resp mockQueryFeatureResponse) {
+	lc.queryFeatureResponse = &resp
+}
+
+func (lc *fakeLocalServeClient) QueryFeature(ctx context.Context, feature string) (*tailcfg.QueryFeatureResponse, error) {
+	if resp := lc.queryFeatureResponse; resp != nil {
+		// If we're testing QueryFeature, use the response value set for the test.
+		return resp.resp, resp.err
+	}
+	return &tailcfg.QueryFeatureResponse{Complete: true}, nil // fallback to already enabled
+}
+
+func (lc *fakeLocalServeClient) WatchIPNBus(ctx context.Context, mask ipn.NotifyWatchOpt) (*tailscale.IPNBusWatcher, error) {
+	return nil, nil // unused in tests
+}
+
+func (lc *fakeLocalServeClient) IncrementCounter(ctx context.Context, name string, delta int) error {
+	return nil // unused in tests
+}
+
 // exactError returns an error checker that wants exactly the provided want error.
 // If optName is non-empty, it's used in the error message.
 func exactErr(want error, optName ...string) func(error) string {

cmd/tailscale/cli/set.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/ipn"
+	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/safesocket"
 )
@@ -159,11 +160,11 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 // setArgs is the parsed command-line arguments.
 func calcAdvertiseRoutesForSet(advertiseExitNodeSet, advertiseRoutesSet bool, curPrefs *ipn.Prefs, setArgs setArgsT) (routes []netip.Prefix, err error) {
 	if advertiseExitNodeSet && advertiseRoutesSet {
-		return calcAdvertiseRoutes(setArgs.advertiseRoutes, setArgs.advertiseDefaultRoute)
+		return netutil.CalcAdvertiseRoutes(setArgs.advertiseRoutes, setArgs.advertiseDefaultRoute)
 
 	}
 	if advertiseRoutesSet {
-		return calcAdvertiseRoutes(setArgs.advertiseRoutes, curPrefs.AdvertisesExitNode())
+		return netutil.CalcAdvertiseRoutes(setArgs.advertiseRoutes, curPrefs.AdvertisesExitNode())
 	}
 	if advertiseExitNodeSet {
 		alreadyAdvertisesExitNode := curPrefs.AdvertisesExitNode()

cmd/tailscale/cli/status.go

@@ -200,6 +200,8 @@ func runStatus(ctx context.Context, args []string) error {
 	if statusArgs.self && st.Self != nil {
 		printPS(st.Self)
 	}
+
+	locBasedExitNode := false
 	if statusArgs.peers {
 		var peers []*ipnstate.PeerStatus
 		for _, peer := range st.Peers() {
@@ -207,6 +209,12 @@ func runStatus(ctx context.Context, args []string) error {
 			if ps.ShareeNode {
 				continue
 			}
+			if ps.Location != nil && ps.ExitNodeOption && !ps.ExitNode {
+				// Location based exit nodes are only shown with the
+				// `exit-node list` command.
+				locBasedExitNode = true
+				continue
+			}
 			peers = append(peers, ps)
 		}
 		ipnstate.SortPeers(peers)
@@ -218,6 +226,10 @@ func runStatus(ctx context.Context, args []string) error {
 		}
 	}
 	Stdout.Write(buf.Bytes())
+	if locBasedExitNode {
+		println()
+		println("# To see the full list of exit nodes, including location-based exit nodes, run `tailscale exit-node list`  \n")
+	}
 	if len(st.Health) > 0 {
 		outln()
 		printHealth()

cmd/tailscale/cli/up.go

@@ -6,18 +6,19 @@ package cli
 import (
 	"context"
 	"encoding/base64"
-	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
 	"log"
 	"net/netip"
+	"net/url"
 	"os"
 	"os/signal"
 	"reflect"
 	"runtime"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"syscall"
@@ -26,14 +27,17 @@ import (
 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
+	"golang.org/x/oauth2/clientcredentials"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/tsaddr"
+	"tailscale.com/net/netutil"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -86,8 +90,6 @@ func acceptRouteDefault(goos string) bool {
 
 var upFlagSet = newUpFlagSet(effectiveGOOS(), &upArgsGlobal, "up")
 
-func inTest() bool { return flag.Lookup("test.v") != nil }
-
 // newUpFlagSet returns a new flag set for the "up" and "login" commands.
 func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 	if cmd != "up" && cmd != "login" {
@@ -217,82 +219,6 @@ func warnf(format string, args ...any) {
 	printf("Warning: "+format+"\n", args...)
 }
 
-var (
-	ipv4default = netip.MustParsePrefix("0.0.0.0/0")
-	ipv6default = netip.MustParsePrefix("::/0")
-)
-
-func validateViaPrefix(ipp netip.Prefix) error {
-	if !tsaddr.IsViaPrefix(ipp) {
-		return fmt.Errorf("%v is not a 4-in-6 prefix", ipp)
-	}
-	if ipp.Bits() < (128 - 32) {
-		return fmt.Errorf("%v 4-in-6 prefix must be at least a /%v", ipp, 128-32)
-	}
-	a := ipp.Addr().As16()
-	// The first 64 bits of a are the via prefix.
-	// The next 32 bits are the "site ID".
-	// The last 32 bits are the IPv4.
-	// For now, we reserve the top 3 bytes of the site ID,
-	// and only allow users to use site IDs 0-255.
-	siteID := binary.BigEndian.Uint32(a[8:12])
-	if siteID > 0xFF {
-		return fmt.Errorf("route %v contains invalid site ID %08x; must be 0xff or less", ipp, siteID)
-	}
-	return nil
-}
-
-func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netip.Prefix, error) {
-	routeMap := map[netip.Prefix]bool{}
-	if advertiseRoutes != "" {
-		var default4, default6 bool
-		advroutes := strings.Split(advertiseRoutes, ",")
-		for _, s := range advroutes {
-			ipp, err := netip.ParsePrefix(s)
-			if err != nil {
-				return nil, fmt.Errorf("%q is not a valid IP address or CIDR prefix", s)
-			}
-			if ipp != ipp.Masked() {
-				return nil, fmt.Errorf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
-			}
-			if tsaddr.IsViaPrefix(ipp) {
-				if err := validateViaPrefix(ipp); err != nil {
-					return nil, err
-				}
-			}
-			if ipp == ipv4default {
-				default4 = true
-			} else if ipp == ipv6default {
-				default6 = true
-			}
-			routeMap[ipp] = true
-		}
-		if default4 && !default6 {
-			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
-		} else if default6 && !default4 {
-			return nil, fmt.Errorf("%s advertised without its IPv4 counterpart, please also advertise %s", ipv6default, ipv4default)
-		}
-	}
-	if advertiseDefaultRoute {
-		routeMap[netip.MustParsePrefix("0.0.0.0/0")] = true
-		routeMap[netip.MustParsePrefix("::/0")] = true
-	}
-	if len(routeMap) == 0 {
-		return nil, nil
-	}
-	routes := make([]netip.Prefix, 0, len(routeMap))
-	for r := range routeMap {
-		routes = append(routes, r)
-	}
-	sort.Slice(routes, func(i, j int) bool {
-		if routes[i].Bits() != routes[j].Bits() {
-			return routes[i].Bits() < routes[j].Bits()
-		}
-		return routes[i].Addr().Less(routes[j].Addr())
-	})
-	return routes, nil
-}
-
 // prefsFromUpArgs returns the ipn.Prefs for the provided args.
 //
 // Note that the parameters upArgs and warnf are named intentionally
@@ -300,7 +226,7 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 // function exists for testing and should have no side effects or
 // outside interactions (e.g. no making Tailscale LocalAPI calls).
 func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goos string) (*ipn.Prefs, error) {
-	routes, err := calcAdvertiseRoutes(upArgs.advertiseRoutes, upArgs.advertiseDefaultRoute)
+	routes, err := netutil.CalcAdvertiseRoutes(upArgs.advertiseRoutes, upArgs.advertiseDefaultRoute)
 	if err != nil {
 		return nil, err
 	}
@@ -320,8 +246,8 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		}
 	}
 
-	if len(upArgs.hostname) > 256 {
-		return nil, fmt.Errorf("hostname too long: %d bytes (max 256)", len(upArgs.hostname))
+	if err := dnsname.ValidHostname(upArgs.hostname); upArgs.hostname != "" && err != nil {
+		return nil, err
 	}
 
 	prefs := ipn.NewPrefs()
@@ -419,7 +345,7 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 
 	simpleUp = env.flagSet.NFlag() == 0 &&
 		curPrefs.Persist != nil &&
-		curPrefs.Persist.LoginName != "" &&
+		curPrefs.Persist.UserProfile.LoginName != "" &&
 		env.backendState != ipn.NeedsLogin.String()
 
 	justEdit := env.backendState == ipn.Running.String() &&
@@ -662,6 +588,10 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 		if err != nil {
 			return err
 		}
+		authKey, err = resolveAuthKey(ctx, authKey, upArgs.advertiseTags)
+		if err != nil {
+			return err
+		}
 		if err := localClient.Start(ctx, ipn.Options{
 			AuthKey:     authKey,
 			UpdatePrefs: prefs,
@@ -716,7 +646,8 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 // the health check, rather than just a string.
 func upWorthyWarning(s string) bool {
 	return strings.Contains(s, healthmsg.TailscaleSSHOnBut) ||
-		strings.Contains(s, healthmsg.WarnAcceptRoutesOff)
+		strings.Contains(s, healthmsg.WarnAcceptRoutesOff) ||
+		strings.Contains(s, healthmsg.LockedOut)
 }
 
 func checkUpWarnings(ctx context.Context) {
@@ -1101,3 +1032,93 @@ func anyPeerAdvertisingRoutes(st *ipnstate.Status) bool {
 	}
 	return false
 }
+
+func init() {
+	// Required to use our client API. We're fine with the instability since the
+	// client lives in the same repo as this code.
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
+}
+
+// resolveAuthKey either returns v unchanged (in the common case) or, if it
+// starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
+//
+//	tskey-client-xxxx[?ephemeral=false&bar&preauthorized=BOOL&baseURL=...]
+//
+// and does the OAuth2 dance to get and return an authkey. The "ephemeral"
+// property defaults to true if unspecified. The "preauthorized" defaults to
+// false. The "baseURL" defaults to https://api.tailscale.com.
+// The passed in tags are required, and must be non-empty. These will be
+// set on the authkey generated by the OAuth2 dance.
+func resolveAuthKey(ctx context.Context, v, tags string) (string, error) {
+	if !strings.HasPrefix(v, "tskey-client-") {
+		return v, nil
+	}
+	if tags == "" {
+		return "", errors.New("oauth authkeys require --advertise-tags")
+	}
+
+	clientSecret, named, _ := strings.Cut(v, "?")
+	attrs, err := url.ParseQuery(named)
+	if err != nil {
+		return "", err
+	}
+	for k := range attrs {
+		switch k {
+		case "ephemeral", "preauthorized", "baseURL":
+		default:
+			return "", fmt.Errorf("unknown attribute %q", k)
+		}
+	}
+	getBool := func(name string, def bool) (bool, error) {
+		v := attrs.Get(name)
+		if v == "" {
+			return def, nil
+		}
+		ret, err := strconv.ParseBool(v)
+		if err != nil {
+			return false, fmt.Errorf("invalid attribute boolean attribute %s value %q", name, v)
+		}
+		return ret, nil
+	}
+	ephemeral, err := getBool("ephemeral", true)
+	if err != nil {
+		return "", err
+	}
+	preauth, err := getBool("preauthorized", false)
+	if err != nil {
+		return "", err
+	}
+
+	baseURL := "https://api.tailscale.com"
+	if v := attrs.Get("baseURL"); v != "" {
+		baseURL = v
+	}
+
+	credentials := clientcredentials.Config{
+		ClientID:     "some-client-id", // ignored
+		ClientSecret: clientSecret,
+		TokenURL:     baseURL + "/api/v2/oauth/token",
+		Scopes:       []string{"device"},
+	}
+
+	tsClient := tailscale.NewClient("-", nil)
+	tsClient.HTTPClient = credentials.Client(ctx)
+	tsClient.BaseURL = baseURL
+
+	caps := tailscale.KeyCapabilities{
+		Devices: tailscale.KeyDeviceCapabilities{
+			Create: tailscale.KeyDeviceCreateCapabilities{
+				Reusable:      false,
+				Ephemeral:     ephemeral,
+				Preauthorized: preauth,
+				Tags:          strings.Split(tags, ","),
+			},
+		},
+	}
+
+	authkey, _, err := tsClient.CreateKey(ctx, caps)
+	if err != nil {
+		return "", err
+	}
+	return authkey, nil
+}

cmd/tailscale/cli/update.go

@@ -4,33 +4,15 @@
 package cli
 
 import (
-	"bufio"
-	"bytes"
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
 	"runtime"
-	"strconv"
 	"strings"
-	"time"
 
-	"github.com/google/uuid"
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/util/must"
-	"tailscale.com/util/winutil"
+	"tailscale.com/clientupdate"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -44,137 +26,61 @@ var updateCmd = &ffcli.Command{
 		fs := newFlagSet("update")
 		fs.BoolVar(&updateArgs.yes, "yes", false, "update without interactive prompts")
 		fs.BoolVar(&updateArgs.dryRun, "dry-run", false, "print what update would do without doing it, or prompts")
-		fs.StringVar(&updateArgs.track, "track", "", `which track to check for updates: "stable" or "unstable" (dev); empty means same as current`)
-		fs.StringVar(&updateArgs.version, "version", "", `explicit version to update/downgrade to`)
+		fs.BoolVar(&updateArgs.appStore, "app-store", false, "HIDDEN: check the App Store for updates, even if this is not an App Store install (for testing only)")
+		// These flags are not supported on several systems that only provide
+		// the latest version of Tailscale:
+		//
+		//  - Arch (and other pacman-based distros)
+		//  - Alpine (and other apk-based distros)
+		//  - FreeBSD (and other pkg-based distros)
+		if distro.Get() != distro.Arch && distro.Get() != distro.Alpine && runtime.GOOS != "freebsd" {
+			fs.StringVar(&updateArgs.track, "track", "", `which track to check for updates: "stable" or "unstable" (dev); empty means same as current`)
+			fs.StringVar(&updateArgs.version, "version", "", `explicit version to update/downgrade to`)
+		}
 		return fs
 	})(),
 }
 
 var updateArgs struct {
-	yes     bool
-	dryRun  bool
-	track   string // explicit track; empty means same as current
-	version string // explicit version; empty means auto
+	yes      bool
+	dryRun   bool
+	appStore bool
+	track    string // explicit track; empty means same as current
+	version  string // explicit version; empty means auto
 }
 
-// winMSIEnv is the environment variable that, if set, is the MSI file for the
-// update command to install. It's passed like this so we can stop the
-// tailscale.exe process from running before the msiexec process runs and tries
-// to overwrite ourselves.
-const winMSIEnv = "TS_UPDATE_WIN_MSI"
-
 func runUpdate(ctx context.Context, args []string) error {
-	if msi := os.Getenv(winMSIEnv); msi != "" {
-		log.Printf("installing %v ...", msi)
-		if err := installMSI(msi); err != nil {
-			log.Printf("MSI install failed: %v", err)
-			return err
-		}
-		log.Printf("success.")
-		return nil
-	}
 	if len(args) > 0 {
 		return flag.ErrHelp
 	}
 	if updateArgs.version != "" && updateArgs.track != "" {
 		return errors.New("cannot specify both --version and --track")
 	}
-	up, err := newUpdater()
-	if err != nil {
-		return err
+	ver := updateArgs.version
+	if updateArgs.track != "" {
+		ver = updateArgs.track
 	}
-	return up.update()
+	err := clientupdate.Update(clientupdate.UpdateArgs{
+		Version:  ver,
+		AppStore: updateArgs.appStore,
+		Logf:     func(format string, args ...any) { fmt.Printf(format+"\n", args...) },
+		Confirm:  confirmUpdate,
+	})
+	if errors.Is(err, errors.ErrUnsupported) {
+		return errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/s/client-updates")
+	}
+	return err
 }
 
-func versionIsStable(v string) (stable, wellFormed bool) {
-	_, rest, ok := strings.Cut(v, ".")
-	if !ok {
-		return false, false
-	}
-	minorStr, _, ok := strings.Cut(rest, ".")
-	if !ok {
-		return false, false
-	}
-	minor, err := strconv.Atoi(minorStr)
-	if err != nil {
-		return false, false
-	}
-	return minor%2 == 0, true
-}
-
-func newUpdater() (*updater, error) {
-	up := &updater{
-		track: updateArgs.track,
-	}
-	switch up.track {
-	case "stable", "unstable":
-	case "":
-		if version.IsUnstableBuild() {
-			up.track = "unstable"
-		} else {
-			up.track = "stable"
-		}
-		if updateArgs.version != "" {
-			stable, ok := versionIsStable(updateArgs.version)
-			if !ok {
-				return nil, fmt.Errorf("malformed version %q", updateArgs.version)
-			}
-			if stable {
-				up.track = "stable"
-			} else {
-				up.track = "unstable"
-			}
-		}
-	default:
-		return nil, fmt.Errorf("unknown track %q; must be 'stable' or 'unstable'", up.track)
-	}
-	switch runtime.GOOS {
-	case "windows":
-		up.update = up.updateWindows
-	case "linux":
-		switch distro.Get() {
-		case distro.Synology:
-			up.update = up.updateSynology
-		case distro.Debian: // includes Ubuntu
-			up.update = up.updateDebLike
-		}
-	case "darwin":
-		switch {
-		case !version.IsSandboxedMacOS():
-			return nil, errors.New("The 'update' command is not yet supported on this platform; see https://github.com/tailscale/tailscale/wiki/Tailscaled-on-macOS/ for now")
-		case strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
-			up.update = up.updateMacSys
-		default:
-			return nil, errors.New("This is the macOS App Store version of Tailscale; update in the App Store, or see https://tailscale.com/s/unstable-clients to use TestFlight or to install the non-App Store version")
-		}
-	}
-	if up.update == nil {
-		return nil, errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/s/client-updates")
-	}
-	return up, nil
-}
-
-type updater struct {
-	track  string
-	update func() error
-}
-
-func (up *updater) currentOrDryRun(ver string) bool {
-	if version.Short() == ver {
-		fmt.Printf("already running %v; no update needed\n", ver)
+func confirmUpdate(ver string) bool {
+	if updateArgs.yes {
+		fmt.Printf("Updating Tailscale from %v to %v; --yes given, continuing without prompts.\n", version.Short(), ver)
 		return true
 	}
+
 	if updateArgs.dryRun {
 		fmt.Printf("Current: %v, Latest: %v\n", version.Short(), ver)
-		return true
-	}
-	return false
-}
-
-func (up *updater) confirm(ver string) error {
-	if updateArgs.yes {
-		log.Printf("Updating Tailscale from %v to %v; --yes given, continuing without prompts.\n", version.Short(), ver)
-		return nil
+		return false
 	}
 
 	fmt.Printf("This will update Tailscale from %v to %v. Continue? [y/n] ", version.Short(), ver)
@@ -183,405 +89,7 @@ func (up *updater) confirm(ver string) error {
 	resp = strings.ToLower(resp)
 	switch resp {
 	case "y", "yes", "sure":
-		return nil
+		return true
 	}
-	return errors.New("aborting update")
-}
-
-func (up *updater) updateSynology() error {
-	// TODO(bradfitz): detect, map GOARCH+CPU to the right Synology arch.
-	// TODO(bradfitz): add pkgs.tailscale.com endpoint to get release info
-	// TODO(bradfitz): require root/sudo
-	// TODO(bradfitz): run /usr/syno/bin/synopkg install tailscale.spk
-	return errors.New("The 'update' command is not yet implemented on Synology.")
-}
-
-func (up *updater) updateDebLike() error {
-	ver := updateArgs.version
-	if ver == "" {
-		res, err := http.Get("https://pkgs.tailscale.com/" + up.track + "/?mode=json")
-		if err != nil {
-			return err
-		}
-		var latest struct {
-			Tarballs map[string]string // ~goarch (ignoring "geode") => "tailscale_1.34.2_mips.tgz"
-		}
-		err = json.NewDecoder(res.Body).Decode(&latest)
-		res.Body.Close()
-		if err != nil {
-			return fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
-		}
-		f, ok := latest.Tarballs[runtime.GOARCH]
-		if !ok {
-			return fmt.Errorf("can't update architecture %q", runtime.GOARCH)
-		}
-		ver, _, ok = strings.Cut(strings.TrimPrefix(f, "tailscale_"), "_")
-		if !ok {
-			return fmt.Errorf("can't parse version from %q", f)
-		}
-	}
-	if up.currentOrDryRun(ver) {
-		return nil
-	}
-
-	track := "unstable"
-	if stable, ok := versionIsStable(ver); !ok {
-		return fmt.Errorf("malformed version %q", ver)
-	} else if stable {
-		track = "stable"
-	}
-
-	if os.Geteuid() != 0 {
-		return errors.New("must be root; use sudo")
-	}
-
-	if updated, err := updateDebianAptSourcesList(track); err != nil {
-		return err
-	} else if updated {
-		fmt.Printf("Updated %s to use the %s track\n", aptSourcesFile, track)
-	}
-
-	cmd := exec.Command("apt-get", "update",
-		// Only update the tailscale repo, not the other ones, treating
-		// the tailscale.list file as the main "sources.list" file.
-		"-o", "Dir::Etc::SourceList=sources.list.d/tailscale.list",
-		// Disable the "sources.list.d" directory:
-		"-o", "Dir::Etc::SourceParts=-",
-		// Don't forget about packages in the other repos just because
-		// we're not updating them:
-		"-o", "APT::Get::List-Cleanup=0",
-	)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return err
-	}
-
-	cmd = exec.Command("apt-get", "install", "--yes", "--allow-downgrades", "tailscale="+ver)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-const aptSourcesFile = "/etc/apt/sources.list.d/tailscale.list"
-
-// updateDebianAptSourcesList updates the /etc/apt/sources.list.d/tailscale.list
-// file to make sure it has the provided track (stable or unstable) in it.
-//
-// If it already has the right track (including containing both stable and
-// unstable), it does nothing.
-func updateDebianAptSourcesList(dstTrack string) (rewrote bool, err error) {
-	was, err := os.ReadFile(aptSourcesFile)
-	if err != nil {
-		return false, err
-	}
-	newContent, err := updateDebianAptSourcesListBytes(was, dstTrack)
-	if err != nil {
-		return false, err
-	}
-	if bytes.Equal(was, newContent) {
-		return false, nil
-	}
-	return true, os.WriteFile(aptSourcesFile, newContent, 0644)
-}
-
-func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []byte, err error) {
-	trackURLPrefix := []byte("https://pkgs.tailscale.com/" + dstTrack + "/")
-	var buf bytes.Buffer
-	var changes int
-	bs := bufio.NewScanner(bytes.NewReader(was))
-	hadCorrect := false
-	commentLine := regexp.MustCompile(`^\s*\#`)
-	pkgsURL := regexp.MustCompile(`\bhttps://pkgs\.tailscale\.com/((un)?stable)/`)
-	for bs.Scan() {
-		line := bs.Bytes()
-		if !commentLine.Match(line) {
-			line = pkgsURL.ReplaceAllFunc(line, func(m []byte) []byte {
-				if bytes.Equal(m, trackURLPrefix) {
-					hadCorrect = true
-				} else {
-					changes++
-				}
-				return trackURLPrefix
-			})
-		}
-		buf.Write(line)
-		buf.WriteByte('\n')
-	}
-	if hadCorrect || (changes == 1 && bytes.Equal(bytes.TrimSpace(was), bytes.TrimSpace(buf.Bytes()))) {
-		// Unchanged or close enough.
-		return was, nil
-	}
-	if changes != 1 {
-		// No changes, or an unexpected number of changes (what?). Bail.
-		// They probably editted it by hand and we don't know what to do.
-		return nil, fmt.Errorf("unexpected/unsupported %s contents", aptSourcesFile)
-	}
-	return buf.Bytes(), nil
-}
-
-func (up *updater) updateMacSys() error {
-	// use sparkle? do we have permissions from this context? does sudo help?
-	// We can at least fail with a command they can run to update from the shell.
-	// Like "tailscale update --macsys | sudo sh" or something.
-	//
-	// TODO(bradfitz,mihai): implement. But for now:
-	return errors.New("The 'update' command is not yet implemented on macOS.")
-}
-
-var (
-	verifyAuthenticode func(string) error // or nil on non-Windows
-	markTempFileFunc   func(string) error // or nil on non-Windows
-)
-
-func (up *updater) updateWindows() error {
-	ver := updateArgs.version
-	if ver == "" {
-		res, err := http.Get("https://pkgs.tailscale.com/" + up.track + "/?mode=json&os=windows")
-		if err != nil {
-			return err
-		}
-		var latest struct {
-			Version string
-		}
-		err = json.NewDecoder(res.Body).Decode(&latest)
-		res.Body.Close()
-		if err != nil {
-			return fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
-		}
-		ver = latest.Version
-		if ver == "" {
-			return errors.New("no version found")
-		}
-	}
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
-
-	if up.currentOrDryRun(ver) {
-		return nil
-	}
-	if !winutil.IsCurrentProcessElevated() {
-		return errors.New("must be run as Administrator")
-	}
-
-	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
-	msiDir := filepath.Join(tsDir, "MSICache")
-	if fi, err := os.Stat(tsDir); err != nil {
-		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
-	} else if !fi.IsDir() {
-		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
-	}
-	if err := os.MkdirAll(msiDir, 0700); err != nil {
-		return err
-	}
-
-	if err := up.confirm(ver); err != nil {
-		return err
-	}
-	msiTarget := filepath.Join(msiDir, path.Base(url))
-	if err := downloadURLToFile(url, msiTarget); err != nil {
-		return err
-	}
-
-	log.Printf("verifying MSI authenticode...")
-	if err := verifyAuthenticode(msiTarget); err != nil {
-		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
-	}
-	log.Printf("authenticode verification succeeded")
-
-	log.Printf("making tailscale.exe copy to switch to...")
-	selfCopy, err := makeSelfCopy()
-	if err != nil {
-		return err
-	}
-	defer os.Remove(selfCopy)
-	log.Printf("running tailscale.exe copy for final install...")
-
-	cmd := exec.Command(selfCopy, "update")
-	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget)
-	cmd.Stdout = os.Stderr
-	cmd.Stderr = os.Stderr
-	cmd.Stdin = os.Stdin
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	// Once it's started, exit ourselves, so the binary is free
-	// to be replaced.
-	os.Exit(0)
-	panic("unreachable")
-}
-
-func installMSI(msi string) error {
-	var err error
-	for tries := 0; tries < 2; tries++ {
-		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
-		cmd.Dir = filepath.Dir(msi)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		if err == nil {
-			break
-		}
-		uninstallVersion := version.Short()
-		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
-			uninstallVersion = v
-		}
-		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
-		log.Printf("Uninstalling current version %q for downgrade...", uninstallVersion)
-		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		log.Printf("msiexec uninstall: %v", err)
-	}
-	return err
-}
-
-func msiUUIDForVersion(ver string) string {
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-	track := "unstable"
-	if stable, ok := versionIsStable(ver); ok && stable {
-		track = "stable"
-	}
-	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
-	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
-}
-
-func makeSelfCopy() (tmpPathExe string, err error) {
-	selfExe, err := os.Executable()
-	if err != nil {
-		return "", err
-	}
-	f, err := os.Open(selfExe)
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
-	if err != nil {
-		return "", err
-	}
-	if f := markTempFileFunc; f != nil {
-		if err := f(f2.Name()); err != nil {
-			return "", err
-		}
-	}
-	if _, err := io.Copy(f2, f); err != nil {
-		f2.Close()
-		return "", err
-	}
-	return f2.Name(), f2.Close()
-}
-
-func downloadURLToFile(urlSrc, fileDst string) (ret error) {
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.Proxy = tshttpproxy.ProxyFromEnvironment
-	defer tr.CloseIdleConnections()
-	c := &http.Client{Transport: tr}
-
-	quickCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-	headReq := must.Get(http.NewRequestWithContext(quickCtx, "HEAD", urlSrc, nil))
-
-	res, err := c.Do(headReq)
-	if err != nil {
-		return err
-	}
-	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("HEAD %s: %v", urlSrc, res.Status)
-	}
-	if res.ContentLength <= 0 {
-		return fmt.Errorf("HEAD %s: unexpected Content-Length %v", urlSrc, res.ContentLength)
-	}
-	log.Printf("Download size: %v", res.ContentLength)
-
-	hashReq := must.Get(http.NewRequestWithContext(quickCtx, "GET", urlSrc+".sha256", nil))
-	hashRes, err := c.Do(hashReq)
-	if err != nil {
-		return err
-	}
-	hashHex, err := io.ReadAll(io.LimitReader(hashRes.Body, 100))
-	hashRes.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s.sha256: %v", urlSrc, res.Status)
-	}
-	if err != nil {
-		return err
-	}
-	wantHash, err := hex.DecodeString(string(strings.TrimSpace(string(hashHex))))
-	if err != nil {
-		return err
-	}
-	hash := sha256.New()
-
-	dlReq := must.Get(http.NewRequestWithContext(context.Background(), "GET", urlSrc, nil))
-	dlRes, err := c.Do(dlReq)
-	if err != nil {
-		return err
-	}
-	// TODO(bradfitz): resume from existing partial file on disk
-	if dlRes.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s: %v", urlSrc, dlRes.Status)
-	}
-
-	of, err := os.Create(fileDst)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if ret != nil {
-			of.Close()
-			// TODO(bradfitz): os.Remove(fileDst) too? or keep it to resume from/debug later.
-		}
-	}()
-	pw := &progressWriter{total: res.ContentLength}
-	n, err := io.Copy(io.MultiWriter(hash, of, pw), io.LimitReader(dlRes.Body, res.ContentLength))
-	if err != nil {
-		return err
-	}
-	if n != res.ContentLength {
-		return fmt.Errorf("downloaded %v; want %v", n, res.ContentLength)
-	}
-	if err := of.Close(); err != nil {
-		return err
-	}
-	pw.print()
-
-	if !bytes.Equal(hash.Sum(nil), wantHash) {
-		return fmt.Errorf("SHA-256 of downloaded MSI didn't match expected value")
-	}
-	log.Printf("hash matched")
-
-	return nil
-}
-
-type progressWriter struct {
-	done      int64
-	total     int64
-	lastPrint time.Time
-}
-
-func (pw *progressWriter) Write(p []byte) (n int, err error) {
-	pw.done += int64(len(p))
-	if time.Since(pw.lastPrint) > 2*time.Second {
-		pw.print()
-	}
-	return len(p), nil
-}
-
-func (pw *progressWriter) print() {
-	pw.lastPrint = time.Now()
-	log.Printf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
+	return false
 }

cmd/tailscale/cli/update_test.go

@@ -1,75 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import "testing"
-
-func TestUpdateDebianAptSourcesListBytes(t *testing.T) {
-	tests := []struct {
-		name    string
-		toTrack string
-		in      string
-		want    string // empty means want no change
-		wantErr string
-	}{
-		{
-			name:    "stable-to-unstable",
-			toTrack: "unstable",
-			in:      "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/stable/debian bullseye main\n",
-			want:    "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
-		},
-		{
-			name:    "stable-unchanged",
-			toTrack: "stable",
-			in:      "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/stable/debian bullseye main\n",
-		},
-		{
-			name:    "if-both-stable-and-unstable-dont-change",
-			toTrack: "stable",
-			in: "# Tailscale packages for debian buster\n" +
-				"deb https://pkgs.tailscale.com/stable/debian bullseye main\n" +
-				"deb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
-		},
-		{
-			name:    "if-both-stable-and-unstable-dont-change-unstable",
-			toTrack: "unstable",
-			in: "# Tailscale packages for debian buster\n" +
-				"deb https://pkgs.tailscale.com/stable/debian bullseye main\n" +
-				"deb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
-		},
-		{
-			name:    "signed-by-form",
-			toTrack: "unstable",
-			in:      "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/ubuntu jammy main\n",
-			want:    "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/unstable/ubuntu jammy main\n",
-		},
-		{
-			name:    "unsupported-lines",
-			toTrack: "unstable",
-			in:      "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/foobar/ubuntu jammy main\n",
-			wantErr: "unexpected/unsupported /etc/apt/sources.list.d/tailscale.list contents",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			newContent, err := updateDebianAptSourcesListBytes([]byte(tt.in), tt.toTrack)
-			if err != nil {
-				if err.Error() != tt.wantErr {
-					t.Fatalf("error = %v; want %q", err, tt.wantErr)
-				}
-				return
-			}
-			if tt.wantErr != "" {
-				t.Fatalf("got no error; want %q", tt.wantErr)
-			}
-			var gotChange string
-			if string(newContent) != tt.in {
-				gotChange = string(newContent)
-			}
-			if gotChange != tt.want {
-				t.Errorf("wrong result\n got: %q\nwant: %q", gotChange, tt.want)
-			}
-		})
-	}
-}

cmd/tailscale/cli/version.go

@@ -11,6 +11,7 @@ import (
 	"os"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/clientupdate"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/version"
 )
@@ -23,14 +24,16 @@ var versionCmd = &ffcli.Command{
 		fs := newFlagSet("version")
 		fs.BoolVar(&versionArgs.daemon, "daemon", false, "also print local node's daemon version")
 		fs.BoolVar(&versionArgs.json, "json", false, "output in JSON format")
+		fs.BoolVar(&versionArgs.upstream, "upstream", false, "fetch and print the latest upstream release version from pkgs.tailscale.com")
 		return fs
 	})(),
 	Exec: runVersion,
 }
 
 var versionArgs struct {
-	daemon bool // also check local node's daemon version
-	json   bool
+	daemon   bool // also check local node's daemon version
+	json     bool
+	upstream bool
 }
 
 func runVersion(ctx context.Context, args []string) error {
@@ -47,21 +50,42 @@ func runVersion(ctx context.Context, args []string) error {
 		}
 	}
 
+	var upstreamVer string
+	if versionArgs.upstream {
+		upstreamVer, err = clientupdate.LatestTailscaleVersion(clientupdate.CurrentTrack)
+		if err != nil {
+			return err
+		}
+	}
+
 	if versionArgs.json {
 		m := version.GetMeta()
 		if st != nil {
 			m.DaemonLong = st.Version
 		}
+		out := struct {
+			version.Meta
+			Upstream string `json:"upstream,omitempty"`
+		}{
+			Meta:     m,
+			Upstream: upstreamVer,
+		}
 		e := json.NewEncoder(os.Stdout)
 		e.SetIndent("", "\t")
-		return e.Encode(m)
+		return e.Encode(out)
 	}
 
 	if st == nil {
 		outln(version.String())
+		if versionArgs.upstream {
+			printf("  upstream: %s\n", upstreamVer)
+		}
 		return nil
 	}
 	printf("Client: %s\n", version.String())
 	printf("Daemon: %s\n", st.Version)
+	if versionArgs.upstream {
+		printf("Upstream: %s\n", upstreamVer)
+	}
 	return nil
 }

cmd/tailscale/cli/web.go

@@ -4,73 +4,23 @@
 package cli
 
 import (
-	"bytes"
 	"context"
 	"crypto/tls"
 	_ "embed"
-	"encoding/json"
-	"encoding/xml"
 	"flag"
 	"fmt"
-	"html/template"
-	"io"
 	"log"
 	"net"
 	"net/http"
 	"net/http/cgi"
-	"net/netip"
-	"net/url"
 	"os"
-	"os/exec"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/envknob"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/groupmember"
-	"tailscale.com/version/distro"
+	"tailscale.com/client/web"
+	"tailscale.com/util/cmpx"
 )
 
-//go:embed web.html
-var webHTML string
-
-//go:embed web.css
-var webCSS string
-
-//go:embed auth-redirect.html
-var authenticationRedirectHTML string
-
-var tmpl *template.Template
-
-func init() {
-	tmpl = template.Must(template.New("web.html").Parse(webHTML))
-	template.Must(tmpl.New("web.css").Parse(webCSS))
-}
-
-type tmplData struct {
-	Profile           tailcfg.UserProfile
-	SynologyUser      string
-	Status            string
-	DeviceName        string
-	IP                string
-	AdvertiseExitNode bool
-	AdvertiseRoutes   string
-	LicensesURL       string
-	TUNMode           bool
-	IsSynology        bool
-	DSMVersion        int // 6 or 7, if IsSynology=true
-	IPNVersion        string
-}
-
-type postedData struct {
-	AdvertiseRoutes   string
-	AdvertiseExitNode bool
-	Reauthenticate    bool
-	ForceLogout       bool
-}
-
 var webCmd = &ffcli.Command{
 	Name:       "web",
 	ShortUsage: "web [flags]",
@@ -88,6 +38,7 @@ Tailscale, as opposed to a CLI or a native app.
 		webf := newFlagSet("web")
 		webf.StringVar(&webArgs.listen, "listen", "localhost:8088", "listen address; use port 0 for automatic")
 		webf.BoolVar(&webArgs.cgi, "cgi", false, "run as CGI script")
+		webf.BoolVar(&webArgs.dev, "dev", false, "run web client in developer mode [this flag is in development, use is unsupported]")
 		return webf
 	})(),
 	Exec: runWeb,
@@ -96,6 +47,7 @@ Tailscale, as opposed to a CLI or a native app.
 var webArgs struct {
 	listen string
 	cgi    bool
+	dev    bool
 }
 
 func tlsConfigFromEnvironment() *tls.Config {
@@ -126,8 +78,11 @@ func runWeb(ctx context.Context, args []string) error {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
 
+	webServer, cleanup := web.NewServer(webArgs.dev, nil)
+	defer cleanup()
+
 	if webArgs.cgi {
-		if err := cgi.Serve(http.HandlerFunc(webHandler)); err != nil {
+		if err := cgi.Serve(webServer); err != nil {
 			log.Printf("tailscale.cgi: %v", err)
 			return err
 		}
@@ -139,389 +94,19 @@ func runWeb(ctx context.Context, args []string) error {
 		server := &http.Server{
 			Addr:      webArgs.listen,
 			TLSConfig: tlsConfig,
-			Handler:   http.HandlerFunc(webHandler),
+			Handler:   webServer,
 		}
 
 		log.Printf("web server running on: https://%s", server.Addr)
 		return server.ListenAndServeTLS("", "")
 	} else {
 		log.Printf("web server running on: %s", urlOfListenAddr(webArgs.listen))
-		return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
+		return http.ListenAndServe(webArgs.listen, webServer)
 	}
 }
 
 // urlOfListenAddr parses a given listen address into a formatted URL
 func urlOfListenAddr(addr string) string {
 	host, port, _ := net.SplitHostPort(addr)
-	if host == "" {
-		host = "127.0.0.1"
-	}
-	return fmt.Sprintf("http://%s", net.JoinHostPort(host, port))
-}
-
-// authorize returns the name of the user accessing the web UI after verifying
-// whether the user has access to the web UI. The function will write the
-// error to the provided http.ResponseWriter.
-// Note: This is different from a tailscale user, and is typically the local
-// user on the node.
-func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
-	switch distro.Get() {
-	case distro.Synology:
-		user, err := synoAuthn()
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return "", err
-		}
-		if err := authorizeSynology(user); err != nil {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return "", err
-		}
-		return user, nil
-	case distro.QNAP:
-		user, resp, err := qnapAuthn(r)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return "", err
-		}
-		if resp.IsAdmin == 0 {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return "", err
-		}
-		return user, nil
-	}
-	return "", nil
-}
-
-// authorizeSynology checks whether the provided user has access to the web UI
-// by consulting the membership of the "administrators" group.
-func authorizeSynology(name string) error {
-	yes, err := groupmember.IsMemberOfGroup("administrators", name)
-	if err != nil {
-		return err
-	}
-	if !yes {
-		return fmt.Errorf("not a member of administrators group")
-	}
-	return nil
-}
-
-type qnapAuthResponse struct {
-	AuthPassed int    `xml:"authPassed"`
-	IsAdmin    int    `xml:"isAdmin"`
-	AuthSID    string `xml:"authSid"`
-	ErrorValue int    `xml:"errorValue"`
-}
-
-func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
-	user, err := r.Cookie("NAS_USER")
-	if err != nil {
-		return "", nil, err
-	}
-	token, err := r.Cookie("qtoken")
-	if err == nil {
-		return qnapAuthnQtoken(r, user.Value, token.Value)
-	}
-	sid, err := r.Cookie("NAS_SID")
-	if err == nil {
-		return qnapAuthnSid(r, user.Value, sid.Value)
-	}
-	return "", nil, fmt.Errorf("not authenticated by any mechanism")
-}
-
-// qnapAuthnURL returns the auth URL to use by inferring where the UI is
-// running based on the request URL. This is necessary because QNAP has so
-// many options, see https://github.com/tailscale/tailscale/issues/7108
-// and https://github.com/tailscale/tailscale/issues/6903
-func qnapAuthnURL(requestUrl string, query url.Values) string {
-	in, err := url.Parse(requestUrl)
-	scheme := ""
-	host := ""
-	if err != nil || in.Scheme == "" {
-		log.Printf("Cannot parse QNAP login URL %v", err)
-
-		// try localhost and hope for the best
-		scheme = "http"
-		host = "localhost"
-	} else {
-		scheme = in.Scheme
-		host = in.Host
-	}
-
-	u := url.URL{
-		Scheme:   scheme,
-		Host:     host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return u.String()
-}
-
-func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"qtoken": []string{token},
-		"user":   []string{user},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"sid": []string{sid},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
-	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
-	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
-	// SAN. See https://github.com/tailscale/tailscale/issues/6903
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr}
-	resp, err := client.Get(url)
-	if err != nil {
-		return "", nil, err
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", nil, err
-	}
-	authResp := &qnapAuthResponse{}
-	if err := xml.Unmarshal(out, authResp); err != nil {
-		return "", nil, err
-	}
-	if authResp.AuthPassed == 0 {
-		return "", nil, fmt.Errorf("not authenticated")
-	}
-	return user, authResp, nil
-}
-
-func synoAuthn() (string, error) {
-	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return "", fmt.Errorf("auth: %v: %s", err, out)
-	}
-	return strings.TrimSpace(string(out)), nil
-}
-
-func authRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if distro.Get() == distro.Synology {
-		return synoTokenRedirect(w, r)
-	}
-	return false
-}
-
-func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if r.Header.Get("X-Syno-Token") != "" {
-		return false
-	}
-	if r.URL.Query().Get("SynoToken") != "" {
-		return false
-	}
-	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
-		return false
-	}
-	// We need a SynoToken for authenticate.cgi.
-	// So we tell the client to get one.
-	_, _ = fmt.Fprint(w, synoTokenRedirectHTML)
-	return true
-}
-
-const synoTokenRedirectHTML = `<html><body>
-Redirecting with session token...
-<script>
-var serverURL = window.location.protocol + "//" + window.location.host;
-var req = new XMLHttpRequest();
-req.overrideMimeType("application/json");
-req.open("GET", serverURL + "/webman/login.cgi", true);
-req.onload = function() {
-	var jsonResponse = JSON.parse(req.responseText);
-	var token = jsonResponse["SynoToken"];
-	document.location.href = serverURL + "/webman/3rdparty/Tailscale/?SynoToken=" + token;
-};
-req.send(null);
-</script>
-</body></html>
-`
-
-func webHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	if authRedirect(w, r) {
-		return
-	}
-
-	user, err := authorize(w, r)
-	if err != nil {
-		return
-	}
-
-	if r.URL.Path == "/redirect" || r.URL.Path == "/redirect/" {
-		io.WriteString(w, authenticationRedirectHTML)
-		return
-	}
-
-	st, err := localClient.StatusWithoutPeers(ctx)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	prefs, err := localClient.GetPrefs(ctx)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	if r.Method == "POST" {
-		defer r.Body.Close()
-		var postData postedData
-		type mi map[string]any
-		if err := json.NewDecoder(r.Body).Decode(&postData); err != nil {
-			w.WriteHeader(400)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
-			return
-		}
-
-		routes, err := calcAdvertiseRoutes(postData.AdvertiseRoutes, postData.AdvertiseExitNode)
-		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
-			return
-		}
-		mp := &ipn.MaskedPrefs{
-			AdvertiseRoutesSet: true,
-			WantRunningSet:     true,
-		}
-		mp.Prefs.WantRunning = true
-		mp.Prefs.AdvertiseRoutes = routes
-		log.Printf("Doing edit: %v", mp.Pretty())
-
-		if _, err := localClient.EditPrefs(ctx, mp); err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
-			return
-		}
-
-		w.Header().Set("Content-Type", "application/json")
-		var reauth, logout bool
-		if postData.Reauthenticate {
-			reauth = true
-		}
-		if postData.ForceLogout {
-			logout = true
-		}
-		log.Printf("tailscaleUp(reauth=%v, logout=%v) ...", reauth, logout)
-		url, err := tailscaleUp(r.Context(), st, postData)
-		log.Printf("tailscaleUp = (URL %v, %v)", url != "", err)
-		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
-			return
-		}
-		if url != "" {
-			json.NewEncoder(w).Encode(mi{"url": url})
-		} else {
-			io.WriteString(w, "{}")
-		}
-		return
-	}
-
-	profile := st.User[st.Self.UserID]
-	deviceName := strings.Split(st.Self.DNSName, ".")[0]
-	versionShort := strings.Split(st.Version, "-")[0]
-	data := tmplData{
-		SynologyUser: user,
-		Profile:      profile,
-		Status:       st.BackendState,
-		DeviceName:   deviceName,
-		LicensesURL:  licensesURL(),
-		TUNMode:      st.TUN,
-		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
-		DSMVersion:   distro.DSMVersion(),
-		IPNVersion:   versionShort,
-	}
-	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
-	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
-	for _, r := range prefs.AdvertiseRoutes {
-		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
-			data.AdvertiseExitNode = true
-		} else {
-			if data.AdvertiseRoutes != "" {
-				data.AdvertiseRoutes += ","
-			}
-			data.AdvertiseRoutes += r.String()
-		}
-	}
-	if len(st.TailscaleIPs) != 0 {
-		data.IP = st.TailscaleIPs[0].String()
-	}
-
-	buf := new(bytes.Buffer)
-	if err := tmpl.Execute(buf, data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.Write(buf.Bytes())
-}
-
-func tailscaleUp(ctx context.Context, st *ipnstate.Status, postData postedData) (authURL string, retErr error) {
-	if postData.ForceLogout {
-		if err := localClient.Logout(ctx); err != nil {
-			return "", fmt.Errorf("Logout error: %w", err)
-		}
-		return "", nil
-	}
-
-	origAuthURL := st.AuthURL
-	isRunning := st.BackendState == ipn.Running.String()
-
-	forceReauth := postData.Reauthenticate
-	if !forceReauth {
-		if origAuthURL != "" {
-			return origAuthURL, nil
-		}
-		if isRunning {
-			return "", nil
-		}
-	}
-
-	// printAuthURL reports whether we should print out the
-	// provided auth URL from an IPN notify.
-	printAuthURL := func(url string) bool {
-		return url != origAuthURL
-	}
-
-	watchCtx, cancelWatch := context.WithCancel(ctx)
-	defer cancelWatch()
-	watcher, err := localClient.WatchIPNBus(watchCtx, 0)
-	if err != nil {
-		return "", err
-	}
-	defer watcher.Close()
-
-	go func() {
-		if !isRunning {
-			localClient.Start(ctx, ipn.Options{})
-		}
-		if forceReauth {
-			localClient.StartLoginInteractive(ctx)
-		}
-	}()
-
-	for {
-		n, err := watcher.Next()
-		if err != nil {
-			return "", err
-		}
-		if n.ErrMessage != nil {
-			msg := *n.ErrMessage
-			return "", fmt.Errorf("backend error: %v", msg)
-		}
-		if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
-			return *url, nil
-		}
-	}
+	return fmt.Sprintf("http://%s", net.JoinHostPort(cmpx.Or(host, "127.0.0.1"), port))
 }

cmd/tailscale/cli/web_test.go

@@ -4,7 +4,6 @@
 package cli
 
 import (
-	"net/url"
 	"testing"
 )
 
@@ -44,58 +43,3 @@ func TestUrlOfListenAddr(t *testing.T) {
 		})
 	}
 }
-
-func TestQnapAuthnURL(t *testing.T) {
-	query := url.Values{
-		"qtoken": []string{"token"},
-	}
-	tests := []struct {
-		name string
-		in   string
-		want string
-	}{
-		{
-			name: "localhost http",
-			in:   "http://localhost:8088/",
-			want: "http://localhost:8088/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "localhost https",
-			in:   "https://localhost:5000/",
-			want: "https://localhost:5000/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP http",
-			in:   "http://10.1.20.4:80/",
-			want: "http://10.1.20.4:80/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP6 https",
-			in:   "https://[ff7d:0:1:2::1]/",
-			want: "https://[ff7d:0:1:2::1]/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "hostname https",
-			in:   "https://qnap.example.com/",
-			want: "https://qnap.example.com/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "invalid URL",
-			in:   "This is not a URL, it is a really really really really really really really really really really really really long string to exercise the URL truncation code in the error path.",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "err != nil",
-			in:   "http://192.168.0.%31/",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			u := qnapAuthnURL(tt.in, query)
-			if u != tt.want {
-				t.Errorf("expected url: %q, got: %q", tt.want, u)
-			}
-		})
-	}
-}

cmd/tailscale/depaware.txt

@@ -3,17 +3,28 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
         filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
+   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
    W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
+   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
    W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
+   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil/authenticode
+   W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/winutil/authenticode
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
+   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
+   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
+   L    github.com/google/nftables/expr                              from github.com/google/nftables+
+   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
+   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
         github.com/google/uuid                                       from tailscale.com/util/quarantine+
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
         github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
         github.com/klauspost/compress/flate                          from nhooyr.io/websocket
@@ -21,7 +32,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
      💣 github.com/mattn/go-isatty                                   from github.com/mattn/go-colorable+
    L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
    L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
+        github.com/miekg/dns                                         from tailscale.com/net/dns/recursive
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
         github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
         github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
@@ -34,11 +47,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
         github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
         github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
+   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
         github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
+   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
+   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
      💣 go4.org/mem                                                  from tailscale.com/derp+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter
+        go4.org/netipx                                               from tailscale.com/wgengine/filter+
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
         gopkg.in/yaml.v2                                             from sigs.k8s.io/yaml
         k8s.io/client-go/util/homedir                                from tailscale.com/cmd/tailscale/cli
@@ -52,7 +68,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/atomicfile                                     from tailscale.com/ipn+
         tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
         tailscale.com/client/tailscale/apitype                       from tailscale.com/cmd/tailscale/cli+
-     💣 tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
+        tailscale.com/client/web                                     from tailscale.com/cmd/tailscale/cli
+        tailscale.com/clientupdate                                   from tailscale.com/cmd/tailscale/cli
+        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
         tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp
         tailscale.com/control/controlhttp                            from tailscale.com/cmd/tailscale/cli
         tailscale.com/control/controlknobs                           from tailscale.com/net/portmapper
@@ -65,7 +83,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
         tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
         tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/licenses                                       from tailscale.com/cmd/tailscale/cli+
         tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
         tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp+
         tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
         tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
@@ -74,13 +94,15 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
         tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
+        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter+
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck
+   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
         tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
@@ -91,8 +113,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
         tailscale.com/tka                                            from tailscale.com/client/tailscale+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tstime                                         from tailscale.com/control/controlhttp+
+        tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
         tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
         tailscale.com/types/empty                                    from tailscale.com/ipn
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -111,19 +134,23 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
    W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
+        tailscale.com/util/cmpx                                      from tailscale.com/cmd/tailscale/cli+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
-        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
+        tailscale.com/util/groupmember                               from tailscale.com/client/web
+        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
         tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
+   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
         tailscale.com/util/mak                                       from tailscale.com/net/netcheck+
         tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp+
-        tailscale.com/util/must                                      from tailscale.com/cmd/tailscale/cli
+        tailscale.com/util/must                                      from tailscale.com/cmd/tailscale/cli+
         tailscale.com/util/quarantine                                from tailscale.com/cmd/tailscale/cli
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
         tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
+        tailscale.com/util/testenv                                   from tailscale.com/cmd/tailscale/cli
      💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
+   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/clientupdate
         tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
         tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/wgengine/capture                               from tailscale.com/cmd/tailscale/cli
@@ -141,7 +168,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices+
+        golang.org/x/exp/maps                                        from tailscale.com/types/views+
         golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
         golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
@@ -151,9 +179,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/net/icmp                                        from tailscale.com/net/ping
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
         golang.org/x/net/ipv4                                        from golang.org/x/net/icmp+
-        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp
+        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp+
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from net+
+        golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials
+        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/tailscale/cli
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
         golang.org/x/sync/errgroup                                   from tailscale.com/derp+
         golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
   LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
@@ -170,7 +201,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         bytes                                                        from bufio+
         compress/flate                                               from compress/gzip+
         compress/gzip                                                from net/http
-        compress/zlib                                                from image/png
+        compress/zlib                                                from image/png+
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdsa+
@@ -195,16 +226,18 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         crypto/x509                                                  from crypto/tls+
         crypto/x509/pkix                                             from crypto/x509+
         database/sql/driver                                          from github.com/google/uuid
+   W    debug/dwarf                                                  from debug/pe
+   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
         embed                                                        from tailscale.com/cmd/tailscale/cli+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
+        encoding/base32                                              from tailscale.com/tka+
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
         encoding/hex                                                 from crypto/x509+
         encoding/json                                                from expvar+
         encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from tailscale.com/cmd/tailscale/cli+
+        encoding/xml                                                 from github.com/tailscale/goupnp+
         errors                                                       from bufio+
         expvar                                                       from tailscale.com/derp+
         flag                                                         from github.com/peterbourgon/ff/v3+
@@ -214,7 +247,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         hash/crc32                                                   from compress/gzip+
         hash/maphash                                                 from go4.org/mem
         html                                                         from tailscale.com/ipn/ipnstate+
-        html/template                                                from tailscale.com/cmd/tailscale/cli
+        html/template                                                from tailscale.com/client/web
         image                                                        from github.com/skip2/go-qrcode+
         image/color                                                  from github.com/skip2/go-qrcode+
         image/png                                                    from github.com/skip2/go-qrcode
@@ -222,6 +255,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         io/fs                                                        from crypto/x509+
         io/ioutil                                                    from golang.org/x/sys/cpu+
         log                                                          from expvar+
+        log/internal                                                 from log
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
@@ -233,7 +267,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         net/http                                                     from expvar+
         net/http/cgi                                                 from tailscale.com/cmd/tailscale/cli
         net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
-        net/http/httputil                                            from tailscale.com/cmd/tailscale/cli
+        net/http/httputil                                            from tailscale.com/cmd/tailscale/cli+
         net/http/internal                                            from net/http+
         net/netip                                                    from net+
         net/textproto                                                from golang.org/x/net/http/httpguts+

cmd/tailscaled/debug.go

@@ -23,10 +23,10 @@ import (
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/ipn"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/wgengine/monitor"
 )
 
 var debugArgs struct {
@@ -42,7 +42,7 @@ var debugModeFunc = debugMode // so it can be addressable
 func debugMode(args []string) error {
 	fs := flag.NewFlagSet("debug", flag.ExitOnError)
 	fs.BoolVar(&debugArgs.ifconfig, "ifconfig", false, "If true, print network interface state")
-	fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run link monitor forever. Precludes all other options.")
+	fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run network monitor forever. Precludes all other options.")
 	fs.BoolVar(&debugArgs.portmap, "portmap", false, "If true, run portmap debugging. Precludes all other options.")
 	fs.StringVar(&debugArgs.getURL, "get-url", "", "If non-empty, fetch provided URL.")
 	fs.StringVar(&debugArgs.derpCheck, "derp", "", "if non-empty, test a DERP ping via named region code")
@@ -76,7 +76,7 @@ func runMonitor(ctx context.Context, loop bool) error {
 		j, _ := json.MarshalIndent(st, "", "    ")
 		os.Stderr.Write(j)
 	}
-	mon, err := monitor.New(log.Printf)
+	mon, err := netmon.New(log.Printf)
 	if err != nil {
 		return err
 	}
@@ -84,10 +84,10 @@ func runMonitor(ctx context.Context, loop bool) error {
 
 	mon.RegisterChangeCallback(func(changed bool, st *interfaces.State) {
 		if !changed {
-			log.Printf("Link monitor fired; no change")
+			log.Printf("Network monitor fired; no change")
 			return
 		}
-		log.Printf("Link monitor fired. New state:")
+		log.Printf("Network monitor fired. New state:")
 		dump(st)
 	})
 	if loop {
@@ -193,8 +193,8 @@ func checkDerp(ctx context.Context, derpRegion string) (err error) {
 	priv1 := key.NewNode()
 	priv2 := key.NewNode()
 
-	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
-	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
+	c1 := derphttp.NewRegionClient(priv1, log.Printf, nil, getRegion)
+	c2 := derphttp.NewRegionClient(priv2, log.Printf, nil, getRegion)
 	defer func() {
 		if err != nil {
 			c1.Close()

cmd/tailscaled/depaware.txt

@@ -3,7 +3,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
         filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
+   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
    W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
+   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
    W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
@@ -12,7 +14,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/aws-sdk-go-v2                                 from github.com/aws/aws-sdk-go-v2/internal/ini
    L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
-   L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm
+   L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
@@ -38,6 +40,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/aws-sdk-go-v2/internal/sdk                    from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/aws-sdk-go-v2/internal/sdkio                  from github.com/aws/aws-sdk-go-v2/credentials/processcreds
+   L    github.com/aws/aws-sdk-go-v2/internal/shareddefaults         from github.com/aws/aws-sdk-go-v2/config+
    L    github.com/aws/aws-sdk-go-v2/internal/strings                from github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4
    L    github.com/aws/aws-sdk-go-v2/internal/sync/singleflight      from github.com/aws/aws-sdk-go-v2/aws
    L    github.com/aws/aws-sdk-go-v2/internal/timeconv               from github.com/aws/aws-sdk-go-v2/aws/retry
@@ -48,16 +51,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/aws-sdk-go-v2/service/sso                     from github.com/aws/aws-sdk-go-v2/config+
    L    github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sso
    L    github.com/aws/aws-sdk-go-v2/service/sso/types               from github.com/aws/aws-sdk-go-v2/service/sso
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc                 from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints from github.com/aws/aws-sdk-go-v2/service/ssooidc
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/types           from github.com/aws/aws-sdk-go-v2/service/ssooidc
    L    github.com/aws/aws-sdk-go-v2/service/sts                     from github.com/aws/aws-sdk-go-v2/config+
    L    github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sts
    L    github.com/aws/aws-sdk-go-v2/service/sts/types               from github.com/aws/aws-sdk-go-v2/credentials/stscreds+
    L    github.com/aws/smithy-go                                     from github.com/aws/aws-sdk-go-v2/aws/protocol/restjson+
-   L    github.com/aws/smithy-go/auth/bearer                         from github.com/aws/aws-sdk-go-v2/aws
+   L    github.com/aws/smithy-go/auth/bearer                         from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/smithy-go/context                             from github.com/aws/smithy-go/auth/bearer
    L    github.com/aws/smithy-go/document                            from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/smithy-go/encoding                            from github.com/aws/smithy-go/encoding/json+
    L    github.com/aws/smithy-go/encoding/httpbinding                from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
-   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm
+   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/smithy-go/encoding/xml                        from github.com/aws/aws-sdk-go-v2/service/sts
    L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
    L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
@@ -69,16 +75,24 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/smithy-go/transport/http                      from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
    L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
   LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
-   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com
+   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com+
    W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled
+   W    github.com/dblohm7/wingoes/internal                          from github.com/dblohm7/wingoes/com
+   W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/osdiag+
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
    W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
    W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
    L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
         github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
+   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
+   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
+   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
+   L    github.com/google/nftables/expr                              from github.com/google/nftables+
+   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
+   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
@@ -93,7 +107,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/klauspost/compress/flate                          from nhooyr.io/websocket
         github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
         github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/zstd+
         github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
         github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
         github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
@@ -102,15 +116,23 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
    L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
    L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
    L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
+        github.com/miekg/dns                                         from tailscale.com/net/dns/recursive
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
+   L    github.com/pierrec/lz4/v4                                    from github.com/u-root/uio/uio
+   L    github.com/pierrec/lz4/v4/internal/lz4block                  from github.com/pierrec/lz4/v4+
+   L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
+   L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
+   L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
    W    github.com/pkg/errors                                        from github.com/tailscale/certstore
   LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
   LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
    W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+        github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
   LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
-  LD 💣 github.com/tailscale/golang-x-crypto/internal/subtle         from github.com/tailscale/golang-x-crypto/chacha20
+  LD 💣 github.com/tailscale/golang-x-crypto/internal/alias          from github.com/tailscale/golang-x-crypto/chacha20
   LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
   LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
         github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
@@ -154,6 +176,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
         gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
      💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
+     💣 gvisor.dev/gvisor/pkg/sync/locking                           from gvisor.dev/gvisor/pkg/tcpip/stack
         gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
         gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
         gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/bufferv2+
@@ -200,6 +223,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
         tailscale.com/disco                                          from tailscale.com/derp+
         tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
+     💣 tailscale.com/doctor/permissions                             from tailscale.com/ipn/ipnlocal
         tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
         tailscale.com/envknob                                        from tailscale.com/control/controlclient+
         tailscale.com/health                                         from tailscale.com/control/controlclient+
@@ -228,6 +252,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
         tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
+        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
         tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
         tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
@@ -238,22 +263,25 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
         tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns+
+        tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscaled+
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
      💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnauth+
         tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/packet                                     from tailscale.com/net/tstun+
-        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
+        tailscale.com/net/ping                                       from tailscale.com/net/netcheck+
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
         tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
         tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
         tailscale.com/net/sockstats                                  from tailscale.com/control/controlclient+
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
+   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
         tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
         tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
         tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/tstun/table                                from tailscale.com/net/tstun
         tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
         tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
      💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
@@ -262,13 +290,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
         tailscale.com/syncs                                          from tailscale.com/net/netcheck+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
+     💣 tailscale.com/tempfork/device                                from tailscale.com/net/tstun/table
   LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
+        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
         tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
-     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/tsweb                                          from tailscale.com/cmd/tailscaled
+        tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
+        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock+
+        tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
+        tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled
         tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
         tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
         tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
@@ -290,6 +321,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
   LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
+        tailscale.com/util/cmpx                                      from tailscale.com/derp/derphttp+
      💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
@@ -298,9 +330,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
+   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns+
         tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
         tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
         tailscale.com/util/must                                      from tailscale.com/logpolicy
+     💣 tailscale.com/util/osdiag                                    from tailscale.com/cmd/tailscaled+
         tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
    W    tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnauth
         tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
@@ -308,10 +342,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
         tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
+        tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
         tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
+        tailscale.com/util/testenv                                   from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
-        tailscale.com/util/vizerror                                  from tailscale.com/tsweb
      💣 tailscale.com/util/winutil                                   from tailscale.com/control/controlclient+
+   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/util/osdiag
+   W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
         tailscale.com/version                                        from tailscale.com/derp+
         tailscale.com/version/distro                                 from tailscale.com/hostinfo+
    W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
@@ -319,7 +356,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
      💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
         tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
         tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
@@ -328,7 +364,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine
         tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
    W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
-        golang.org/x/crypto/acme                                     from tailscale.com/ipn/ipnlocal
         golang.org/x/crypto/argon2                                   from tailscale.com/tka
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
         golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
@@ -345,13 +380,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/poly1305                                 from github.com/tailscale/golang-x-crypto/ssh+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/maps                                        from tailscale.com/wgengine
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices+
+        golang.org/x/exp/maps                                        from tailscale.com/wgengine+
         golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
-        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http/httpproxy                              from net/http+
         golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
         golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
         golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
@@ -377,8 +412,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/time/rate                                       from gvisor.dev/gvisor/pkg/tcpip/stack+
         bufio                                                        from compress/flate+
         bytes                                                        from bufio+
+        cmp                                                          from slices
         compress/flate                                               from compress/gzip+
         compress/gzip                                                from golang.org/x/net/http2+
+   W    compress/zlib                                                from debug/pe
         container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
@@ -403,10 +440,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         crypto/tls                                                   from github.com/tcnksm/go-httpstat+
         crypto/x509                                                  from crypto/tls+
         crypto/x509/pkix                                             from crypto/x509+
+   W    debug/dwarf                                                  from debug/pe
+   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
         embed                                                        from tailscale.com+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
+        encoding/base32                                              from tailscale.com/tka+
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
         encoding/hex                                                 from crypto/x509+
@@ -418,7 +457,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         flag                                                         from net/http/httptest+
         fmt                                                          from compress/flate+
         hash                                                         from crypto+
-        hash/adler32                                                 from tailscale.com/ipn/ipnlocal
+        hash/adler32                                                 from tailscale.com/ipn/ipnlocal+
         hash/crc32                                                   from compress/gzip+
         hash/fnv                                                     from tailscale.com/wgengine/magicsock+
         hash/maphash                                                 from go4.org/mem
@@ -427,6 +466,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         io/fs                                                        from crypto/x509+
         io/ioutil                                                    from github.com/godbus/dbus/v5+
         log                                                          from expvar+
+        log/internal                                                 from log
   LD    log/syslog                                                   from tailscale.com/ssh/tailssh
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+
@@ -457,6 +497,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         runtime/debug                                                from github.com/klauspost/compress/zstd+
         runtime/pprof                                                from tailscale.com/log/logheap+
         runtime/trace                                                from net/http/pprof
+        slices                                                       from tailscale.com/wgengine/magicsock
         sort                                                         from compress/flate+
         strconv                                                      from compress/flate+
         strings                                                      from bufio+

cmd/tailscaled/required_version.go

@@ -1,10 +1,10 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !go1.20
+//go:build !go1.21
 
 package main
 
 func init() {
-	you_need_Go_1_20_to_compile_Tailscale()
+	you_need_Go_1_21_to_compile_Tailscale()
 }

cmd/tailscaled/taildrop.go

@@ -18,7 +18,7 @@ import (
 func configureTaildrop(logf logger.Logf, lb *ipnlocal.LocalBackend) {
 	dg := distro.Get()
 	switch dg {
-	case distro.Synology, distro.TrueNAS, distro.QNAP:
+	case distro.Synology, distro.TrueNAS, distro.QNAP, distro.Unraid:
 		// See if they have a "Taildrop" share.
 		// See https://github.com/tailscale/tailscale/issues/2179#issuecomment-982821319
 		path, err := findTaildropDir(dg)
@@ -42,6 +42,8 @@ func findTaildropDir(dg distro.Distro) (string, error) {
 		return findTrueNASTaildropDir(name)
 	case distro.QNAP:
 		return findQnapTaildropDir(name)
+	case distro.Unraid:
+		return findUnraidTaildropDir(name)
 	}
 	return "", fmt.Errorf("%s is an unsupported distro for Taildrop dir", dg)
 }
@@ -103,3 +105,25 @@ func findQnapTaildropDir(name string) (string, error) {
 	}
 	return "", fmt.Errorf("shared folder %q not found", name)
 }
+
+// findUnraidTaildropDir looks for a directory linked at
+// /var/lib/tailscale/Taildrop. This is a symlink to the
+// path specified by the user in the Unraid Web UI
+func findUnraidTaildropDir(name string) (string, error) {
+	dir := fmt.Sprintf("/var/lib/tailscale/%s", name)
+	_, err := os.Stat(dir)
+	if err != nil {
+		return "", fmt.Errorf("symlink %q not found", name)
+	}
+
+	fullpath, err := filepath.EvalSymlinks(dir)
+	if err != nil {
+		return "", fmt.Errorf("symlink %q to shared folder not valid", name)
+	}
+
+	fi, err := os.Stat(fullpath)
+	if err == nil && fi.IsDir() {
+		return dir, nil // return the symlink
+	}
+	return "", fmt.Errorf("shared folder %q not found", name)
+}

cmd/tailscaled/tailscaled.go

@@ -39,16 +39,19 @@ import (
 	"tailscale.com/logtail"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/dnsfallback"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/proxymux"
 	"tailscale.com/net/socks5"
 	"tailscale.com/net/tsdial"
+	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/syncs"
-	"tailscale.com/tsweb"
+	"tailscale.com/tsd"
+	"tailscale.com/tsweb/varz"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
@@ -58,7 +61,6 @@ import (
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
-	"tailscale.com/wgengine/monitor"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
 )
@@ -328,7 +330,19 @@ var logPol *logpolicy.Policy
 var debugMux *http.ServeMux
 
 func run() error {
-	pol := logpolicy.New(logtail.CollectionNode)
+	var logf logger.Logf = log.Printf
+
+	sys := new(tsd.System)
+
+	netMon, err := netmon.New(func(format string, args ...any) {
+		logf(format, args...)
+	})
+	if err != nil {
+		return fmt.Errorf("netmon.New: %w", err)
+	}
+	sys.Set(netMon)
+
+	pol := logpolicy.New(logtail.CollectionNode, netMon, nil /* use log.Printf */)
 	pol.SetVerbosityLevel(args.verbose)
 	logPol = pol
 	defer func() {
@@ -352,7 +366,6 @@ func run() error {
 		return nil
 	}
 
-	var logf logger.Logf = log.Printf
 	if envknob.Bool("TS_DEBUG_MEMORY") {
 		logf = logger.RusagePrefixLog(logf)
 	}
@@ -378,10 +391,10 @@ func run() error {
 		debugMux = newDebugMux()
 	}
 
-	return startIPNServer(context.Background(), logf, pol.PublicID)
+	return startIPNServer(context.Background(), logf, pol.PublicID, sys)
 }
 
-func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID) error {
+func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) error {
 	ln, err := safesocket.Listen(args.socketpath)
 	if err != nil {
 		return fmt.Errorf("safesocket.Listen: %v", err)
@@ -407,7 +420,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID)
 		}
 	}()
 
-	srv := ipnserver.New(logf, logID)
+	srv := ipnserver.New(logf, logID, sys.NetMon.Get())
 	if debugMux != nil {
 		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
 	}
@@ -425,7 +438,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID)
 				return
 			}
 		}
-		lb, err := getLocalBackend(ctx, logf, logID)
+		lb, err := getLocalBackend(ctx, logf, logID, sys)
 		if err == nil {
 			logf("got LocalBackend in %v", time.Since(t0).Round(time.Millisecond))
 			srv.SetLocalBackend(lb)
@@ -449,35 +462,28 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID)
 	return nil
 }
 
-func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID) (_ *ipnlocal.LocalBackend, retErr error) {
-	linkMon, err := monitor.New(logf)
-	if err != nil {
-		return nil, fmt.Errorf("monitor.New: %w", err)
-	}
+func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) (_ *ipnlocal.LocalBackend, retErr error) {
 	if logPol != nil {
-		logPol.Logtail.SetLinkMonitor(linkMon)
+		logPol.Logtail.SetNetMon(sys.NetMon.Get())
 	}
 
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)
 
 	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
-	e, onlyNetstack, err := createEngine(logf, linkMon, dialer)
+	sys.Set(dialer)
+
+	onlyNetstack, err := createEngine(logf, sys)
 	if err != nil {
 		return nil, fmt.Errorf("createEngine: %w", err)
 	}
-	if _, ok := e.(wgengine.ResolvingEngine).GetResolver(); !ok {
-		panic("internal error: exit node resolver not wired up")
-	}
 	if debugMux != nil {
-		if ig, ok := e.(wgengine.InternalsGetter); ok {
-			if _, mc, _, ok := ig.GetInternals(); ok {
-				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
-			}
+		if ms, ok := sys.MagicSock.GetOK(); ok {
+			debugMux.HandleFunc("/debug/magicsock", ms.ServeHTTPDebug)
 		}
 		go runDebugServer(debugMux, args.debug)
 	}
 
-	ns, err := newNetstack(logf, dialer, e)
+	ns, err := newNetstack(logf, sys)
 	if err != nil {
 		return nil, fmt.Errorf("newNetstack: %w", err)
 	}
@@ -485,6 +491,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	ns.ProcessSubnets = onlyNetstack || handleSubnetsInNetstack()
 
 	if onlyNetstack {
+		e := sys.Engine.Get()
 		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
@@ -494,11 +501,13 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 		}
 	}
 	if socksListener != nil || httpProxyListener != nil {
+		var addrs []string
 		if httpProxyListener != nil {
 			hs := &http.Server{Handler: httpProxyHandler(dialer.UserDial)}
 			go func() {
 				log.Fatalf("HTTP proxy exited: %v", hs.Serve(httpProxyListener))
 			}()
+			addrs = append(addrs, httpProxyListener.Addr().String())
 		}
 		if socksListener != nil {
 			ss := &socks5.Server{
@@ -508,19 +517,20 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 			go func() {
 				log.Fatalf("SOCKS5 server exited: %v", ss.Serve(socksListener))
 			}()
+			addrs = append(addrs, socksListener.Addr().String())
 		}
+		tshttpproxy.SetSelfProxy(addrs...)
 	}
 
-	e = wgengine.NewWatchdog(e)
-
 	opts := ipnServerOpts()
 
 	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
 		return nil, fmt.Errorf("store.New: %w", err)
 	}
+	sys.Set(store)
 
-	lb, err := ipnlocal.NewLocalBackend(logf, logID, store, dialer, e, opts.LoginFlags)
+	lb, err := ipnlocal.NewLocalBackend(logf, logID, sys, opts.LoginFlags)
 	if err != nil {
 		return nil, fmt.Errorf("ipnlocal.NewLocalBackend: %w", err)
 	}
@@ -529,7 +539,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 		lb.SetLogFlusher(logPol.Logtail.StartFlush)
 	}
 	if root := lb.TailscaleVarRoot(); root != "" {
-		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"))
+		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"), logf)
 	}
 	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
 		return smallzstd.NewDecoder(nil)
@@ -546,21 +556,21 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 //
 // onlyNetstack is true if the user has explicitly requested that we use netstack
 // for all networking.
-func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer) (e wgengine.Engine, onlyNetstack bool, err error) {
+func createEngine(logf logger.Logf, sys *tsd.System) (onlyNetstack bool, err error) {
 	if args.tunname == "" {
-		return nil, false, errors.New("no --tun value specified")
+		return false, errors.New("no --tun value specified")
 	}
 	var errs []error
 	for _, name := range strings.Split(args.tunname, ",") {
 		logf("wgengine.NewUserspaceEngine(tun %q) ...", name)
-		e, onlyNetstack, err = tryEngine(logf, linkMon, dialer, name)
+		onlyNetstack, err = tryEngine(logf, sys, name)
 		if err == nil {
-			return e, onlyNetstack, nil
+			return onlyNetstack, nil
 		}
 		logf("wgengine.NewUserspaceEngine(tun %q) error: %v", name, err)
 		errs = append(errs, err)
 	}
-	return nil, false, multierr.New(errs...)
+	return false, multierr.New(errs...)
 }
 
 // handleSubnetsInNetstack reports whether netstack should handle subnet routers
@@ -585,21 +595,23 @@ func handleSubnetsInNetstack() bool {
 
 var tstunNew = tstun.New
 
-func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, name string) (e wgengine.Engine, onlyNetstack bool, err error) {
+func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack bool, err error) {
 	conf := wgengine.Config{
-		ListenPort:  args.port,
-		LinkMonitor: linkMon,
-		Dialer:      dialer,
+		ListenPort:   args.port,
+		NetMon:       sys.NetMon.Get(),
+		Dialer:       sys.Dialer.Get(),
+		SetSubsystem: sys.Set,
 	}
 
 	onlyNetstack = name == "userspace-networking"
+	netstackSubnetRouter := onlyNetstack // but mutated later on some platforms
 	netns.SetEnabled(!onlyNetstack)
 
 	if args.birdSocketPath != "" && createBIRDClient != nil {
 		log.Printf("Connecting to BIRD at %s ...", args.birdSocketPath)
 		conf.BIRDClient, err = createBIRDClient(args.birdSocketPath)
 		if err != nil {
-			return nil, false, fmt.Errorf("createBIRDClient: %w", err)
+			return false, fmt.Errorf("createBIRDClient: %w", err)
 		}
 	}
 	if onlyNetstack {
@@ -612,44 +624,55 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 			// TODO(bradfitz): add a Synology-specific DNS manager.
 			conf.DNS, err = dns.NewOSConfigurator(logf, "") // empty interface name
 			if err != nil {
-				return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+				return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 			}
 		}
 	} else {
 		dev, devName, err := tstunNew(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name, err)
-			return nil, false, fmt.Errorf("tstun.New(%q): %w", name, err)
+			return false, fmt.Errorf("tstun.New(%q): %w", name, err)
 		}
 		conf.Tun = dev
 		if strings.HasPrefix(name, "tap:") {
 			conf.IsTAP = true
 			e, err := wgengine.NewUserspaceEngine(logf, conf)
-			return e, false, err
+			if err != nil {
+				return false, err
+			}
+			sys.Set(e)
+			return false, err
 		}
 
-		r, err := router.New(logf, dev, linkMon)
+		r, err := router.New(logf, dev, sys.NetMon.Get())
 		if err != nil {
 			dev.Close()
-			return nil, false, fmt.Errorf("creating router: %w", err)
+			return false, fmt.Errorf("creating router: %w", err)
 		}
+
 		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
 			dev.Close()
 			r.Close()
-			return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+			return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 		}
 		conf.DNS = d
 		conf.Router = r
 		if handleSubnetsInNetstack() {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
+			netstackSubnetRouter = true
 		}
+		sys.Set(conf.Router)
 	}
-	e, err = wgengine.NewUserspaceEngine(logf, conf)
+	e, err := wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
-		return nil, onlyNetstack, err
+		return onlyNetstack, err
 	}
-	return e, onlyNetstack, nil
+	e = wgengine.NewWatchdog(e)
+	sys.Set(e)
+	sys.NetstackRouter.Set(netstackSubnetRouter)
+
+	return onlyNetstack, nil
 }
 
 func newDebugMux() *http.ServeMux {
@@ -665,7 +688,7 @@ func newDebugMux() *http.ServeMux {
 
 func servePrometheusMetrics(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/plain")
-	tsweb.VarzHandler(w, r)
+	varz.Handler(w, r)
 	clientmetric.WritePrometheusExpositionFormat(w)
 }
 
@@ -679,12 +702,8 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 	}
 }
 
-func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
-	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
-	if !ok {
-		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
-	}
-	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
+func newNetstack(logf logger.Logf, sys *tsd.System) (*netstack.Impl, error) {
+	return netstack.Create(logf, sys.Tun.Get(), sys.Engine.Get(), sys.MagicSock.Get(), sys.Dialer.Get(), sys.DNSManager.Get())
 }
 
 // mustStartProxyListeners creates listeners for local SOCKS and HTTP

cmd/tailscaled/tailscaled_test.go

@@ -3,10 +3,32 @@
 
 package main // import "tailscale.com/cmd/tailscaled"
 
-import "testing"
+import (
+	"testing"
+
+	"tailscale.com/tstest/deptest"
+)
 
 func TestNothing(t *testing.T) {
 	// This test does nothing on purpose, so we can run
 	// GODEBUG=memprofilerate=1 go test -v -run=Nothing -memprofile=prof.mem
 	// without any errors about no matching tests.
 }
+
+func TestDeps(t *testing.T) {
+	deptest.DepChecker{
+		GOOS:   "darwin",
+		GOARCH: "arm64",
+		BadDeps: map[string]string{
+			"gvisor.dev/gvisor/pkg/hostarch": "will crash on non-4K page sizes; see https://github.com/tailscale/tailscale/issues/8658",
+		},
+	}.Check(t)
+
+	deptest.DepChecker{
+		GOOS:   "linux",
+		GOARCH: "arm64",
+		BadDeps: map[string]string{
+			"gvisor.dev/gvisor/pkg/hostarch": "will crash on non-4K page sizes; see https://github.com/tailscale/tailscale/issues/8658",
+		},
+	}.Check(t)
+}

cmd/tailscaled/tailscaled_windows.go

@@ -45,9 +45,12 @@ import (
 	"tailscale.com/logpolicy"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/dns"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/tstun"
+	"tailscale.com/tsd"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
+	"tailscale.com/util/osdiag"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/wf"
@@ -124,6 +127,10 @@ var syslogf logger.Logf = logger.Discard
 // At this point we're still the parent process that
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
+	go func() {
+		osdiag.LogSupportInfo(logger.WithPrefix(log.Printf, "Support Info: "), osdiag.LogSupportInfoReasonStartup)
+	}()
+
 	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
 		syslog, err := eventlog.Open(serviceName)
 		if err == nil {
@@ -291,8 +298,15 @@ func beWindowsSubprocess() bool {
 		}
 	}()
 
+	sys := new(tsd.System)
+	netMon, err := netmon.New(log.Printf)
+	if err != nil {
+		log.Fatalf("Could not create netMon: %v", err)
+	}
+	sys.Set(netMon)
+
 	publicLogID, _ := logid.ParsePublicID(logID)
-	err := startIPNServer(ctx, log.Printf, publicLogID)
+	err = startIPNServer(ctx, log.Printf, publicLogID, sys)
 	if err != nil {
 		log.Fatalf("ipnserver: %v", err)
 	}

cmd/testwrapper/flakytest/flakytest.go

@@ -7,16 +7,20 @@
 package flakytest
 
 import (
+	"fmt"
 	"os"
 	"regexp"
 	"testing"
 )
 
-// InTestWrapper returns whether or not this binary is running under our test
-// wrapper.
-func InTestWrapper() bool {
-	return os.Getenv("TS_IN_TESTWRAPPER") != ""
-}
+// FlakyTestLogMessage is a sentinel value that is printed to stderr when a
+// flaky test is marked. This is used by cmd/testwrapper to detect flaky tests
+// and retry them.
+const FlakyTestLogMessage = "flakytest: this is a known flaky test"
+
+// FlakeAttemptEnv is an environment variable that is set by cmd/testwrapper
+// when a flaky test is retried. It contains the attempt number, starting at 1.
+const FlakeAttemptEnv = "TS_TESTWRAPPER_ATTEMPT"
 
 var issueRegexp = regexp.MustCompile(`\Ahttps://github\.com/tailscale/[a-zA-Z0-9_.-]+/issues/\d+\z`)
 
@@ -30,16 +34,6 @@ func Mark(t testing.TB, issue string) {
 		t.Fatalf("bad issue format: %q", issue)
 	}
 
-	if !InTestWrapper() {
-		return
-	}
-
-	t.Cleanup(func() {
-		if t.Failed() {
-			t.Logf("flakytest: signaling test wrapper to retry test")
-
-			// Signal to test wrapper that we should restart.
-			os.Exit(123)
-		}
-	})
+	fmt.Fprintln(os.Stderr, FlakyTestLogMessage) // sentinel value for testwrapper
+	t.Logf("flakytest: issue tracking this flaky test: %s", issue)
 }

cmd/testwrapper/flakytest/flakytest_test.go

@@ -3,7 +3,10 @@
 
 package flakytest
 
-import "testing"
+import (
+	"os"
+	"testing"
+)
 
 func TestIssueFormat(t *testing.T) {
 	testCases := []struct {
@@ -24,3 +27,17 @@ func TestIssueFormat(t *testing.T) {
 		}
 	}
 }
+
+// TestFlakeRun is a test that fails when run in the testwrapper
+// for the first time, but succeeds on the second run.
+// It's used to test whether the testwrapper retries flaky tests.
+func TestFlakeRun(t *testing.T) {
+	Mark(t, "https://github.com/tailscale/tailscale/issues/0") // random issue
+	e := os.Getenv(FlakeAttemptEnv)
+	if e == "" {
+		t.Skip("not running in testwrapper")
+	}
+	if e == "1" {
+		t.Fatal("First run in testwrapper, failing so that test is retried. This is expected.")
+	}
+}

cmd/testwrapper/testwrapper.go

@@ -1,62 +1,288 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-// testwrapper is a wrapper for retrying flaky tests, using the -exec flag of
-// 'go test'. Tests that are flaky can use the 'flakytest' subpackage to mark
-// themselves as flaky and be retried on failure.
+// testwrapper is a wrapper for retrying flaky tests. It is an alternative to
+// `go test` and re-runs failed marked flaky tests (using the flakytest pkg). It
+// takes different arguments than go test and requires the first positional
+// argument to be the pattern to test.
 package main
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
+	"flag"
+	"fmt"
+	"io"
 	"log"
 	"os"
 	"os/exec"
+	"sort"
+	"strings"
+	"time"
+
+	"golang.org/x/exp/maps"
+	"tailscale.com/cmd/testwrapper/flakytest"
 )
 
-const (
-	retryStatus   = 123
-	maxIterations = 3
-)
+const maxAttempts = 3
+
+type testAttempt struct {
+	name          testName
+	outcome       string // "pass", "fail", "skip"
+	logs          bytes.Buffer
+	isMarkedFlaky bool // set if the test is marked as flaky
+
+	pkgFinished bool
+}
+
+type testName struct {
+	pkg  string // "tailscale.com/types/key"
+	name string // "TestFoo"
+}
+
+type packageTests struct {
+	// pattern is the package pattern to run.
+	// Must be a single pattern, not a list of patterns.
+	pattern string // "./...", "./types/key"
+	// tests is a list of tests to run. If empty, all tests in the package are
+	// run.
+	tests []string // ["TestFoo", "TestBar"]
+}
+
+type goTestOutput struct {
+	Time    time.Time
+	Action  string
+	Package string
+	Test    string
+	Output  string
+}
+
+var debug = os.Getenv("TS_TESTWRAPPER_DEBUG") != ""
+
+// runTests runs the tests in pt and sends the results on ch. It sends a
+// testAttempt for each test and a final testAttempt per pkg with pkgFinished
+// set to true.
+// It calls close(ch) when it's done.
+func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []string, ch chan<- *testAttempt) {
+	defer close(ch)
+	args := []string{"test", "-json", pt.pattern}
+	args = append(args, otherArgs...)
+	if len(pt.tests) > 0 {
+		runArg := strings.Join(pt.tests, "|")
+		args = append(args, "-run", runArg)
+	}
+	if debug {
+		fmt.Println("running", strings.Join(args, " "))
+	}
+	cmd := exec.CommandContext(ctx, "go", args...)
+	r, err := cmd.StdoutPipe()
+	if err != nil {
+		log.Printf("error creating stdout pipe: %v", err)
+	}
+	defer r.Close()
+	cmd.Stderr = os.Stderr
+
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%d", flakytest.FlakeAttemptEnv, attempt))
+
+	if err := cmd.Start(); err != nil {
+		log.Printf("error starting test: %v", err)
+		os.Exit(1)
+	}
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		cmd.Wait()
+	}()
+
+	jd := json.NewDecoder(r)
+	resultMap := make(map[testName]*testAttempt)
+	for {
+		var goOutput goTestOutput
+		if err := jd.Decode(&goOutput); err != nil {
+			if errors.Is(err, io.EOF) || errors.Is(err, os.ErrClosed) {
+				break
+			}
+
+			// `go test -json` outputs invalid JSON when a build fails.
+			// In that case, discard the the output and start reading again.
+			// The build error will be printed to stderr.
+			// See: https://github.com/golang/go/issues/35169
+			if _, ok := err.(*json.SyntaxError); ok {
+				jd = json.NewDecoder(r)
+				continue
+			}
+			panic(err)
+		}
+		if goOutput.Test == "" {
+			switch goOutput.Action {
+			case "fail", "pass", "skip":
+				ch <- &testAttempt{
+					name: testName{
+						pkg: goOutput.Package,
+					},
+					outcome:     goOutput.Action,
+					pkgFinished: true,
+				}
+			}
+			continue
+		}
+		name := testName{
+			pkg:  goOutput.Package,
+			name: goOutput.Test,
+		}
+		if test, _, isSubtest := strings.Cut(goOutput.Test, "/"); isSubtest {
+			name.name = test
+			if goOutput.Action == "output" {
+				resultMap[name].logs.WriteString(goOutput.Output)
+			}
+			continue
+		}
+		switch goOutput.Action {
+		case "start":
+			// ignore
+		case "run":
+			resultMap[name] = &testAttempt{
+				name: name,
+			}
+		case "skip", "pass", "fail":
+			resultMap[name].outcome = goOutput.Action
+			ch <- resultMap[name]
+		case "output":
+			if strings.TrimSpace(goOutput.Output) == flakytest.FlakyTestLogMessage {
+				resultMap[name].isMarkedFlaky = true
+			} else {
+				resultMap[name].logs.WriteString(goOutput.Output)
+			}
+		}
+	}
+	<-done
+}
 
 func main() {
 	ctx := context.Background()
-	debug := os.Getenv("TS_TESTWRAPPER_DEBUG") != ""
 
-	log.SetPrefix("testwrapper: ")
-	if !debug {
-		log.SetFlags(0)
+	// We only need to parse the -v flag to figure out whether to print the logs
+	// for a test. We don't need to parse any other flags, so we just use the
+	// flag package to parse the -v flag and then pass the rest of the args
+	// through to 'go test'.
+	// We run `go test -json` which returns the same information as `go test -v`,
+	// but in a machine-readable format. So this flag is only for testwrapper's
+	// output.
+	v := flag.Bool("v", false, "verbose")
+
+	flag.Usage = func() {
+		fmt.Println("usage: testwrapper [testwrapper-flags] [pattern] [build/test flags & test binary flags]")
+		fmt.Println()
+		fmt.Println("testwrapper-flags:")
+		flag.CommandLine.PrintDefaults()
+		fmt.Println()
+		fmt.Println("examples:")
+		fmt.Println("\ttestwrapper -v ./... -count=1")
+		fmt.Println("\ttestwrapper ./pkg/foo -run TestBar -count=1")
+		fmt.Println()
+		fmt.Println("Unlike 'go test', testwrapper requires a package pattern as the first positional argument and only supports a single pattern.")
+	}
+	flag.Parse()
+
+	args := flag.Args()
+	if len(args) < 1 || strings.HasPrefix(args[0], "-") {
+		fmt.Println("no pattern specified")
+		flag.Usage()
+		os.Exit(1)
+	} else if len(args) > 1 && !strings.HasPrefix(args[1], "-") {
+		fmt.Println("expected single pattern")
+		flag.Usage()
+		os.Exit(1)
+	}
+	pattern, otherArgs := args[0], args[1:]
+
+	type nextRun struct {
+		tests   []*packageTests
+		attempt int
 	}
 
-	for i := 1; i <= maxIterations; i++ {
-		if i > 1 {
-			log.Printf("retrying flaky tests (%d of %d)", i, maxIterations)
-		}
-		cmd := exec.CommandContext(ctx, os.Args[1], os.Args[2:]...)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Env = append(os.Environ(), "TS_IN_TESTWRAPPER=1")
-		err := cmd.Run()
-		if err == nil {
+	toRun := []*nextRun{
+		{
+			tests:   []*packageTests{{pattern: pattern}},
+			attempt: 1,
+		},
+	}
+	printPkgOutcome := func(pkg, outcome string, attempt int) {
+		if outcome == "skip" {
+			fmt.Printf("?\t%s [skipped/no tests] \n", pkg)
 			return
 		}
-
-		var exitErr *exec.ExitError
-		if !errors.As(err, &exitErr) {
-			if debug {
-				log.Printf("error isn't an ExitError")
-			}
-			os.Exit(1)
+		if outcome == "pass" {
+			outcome = "ok"
 		}
-
-		if code := exitErr.ExitCode(); code != retryStatus {
-			if debug {
-				log.Printf("code (%d) != retryStatus (%d)", code, retryStatus)
-			}
-			os.Exit(code)
+		if outcome == "fail" {
+			outcome = "FAIL"
 		}
+		if attempt > 1 {
+			fmt.Printf("%s\t%s [attempt=%d]\n", outcome, pkg, attempt)
+			return
+		}
+		fmt.Printf("%s\t%s\n", outcome, pkg)
 	}
 
-	log.Printf("test did not pass in %d iterations", maxIterations)
-	os.Exit(1)
+	for len(toRun) > 0 {
+		var thisRun *nextRun
+		thisRun, toRun = toRun[0], toRun[1:]
+
+		if thisRun.attempt >= maxAttempts {
+			fmt.Println("max attempts reached")
+			os.Exit(1)
+		}
+		if thisRun.attempt > 1 {
+			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\n", thisRun.attempt)
+		}
+
+		failed := false
+		toRetry := make(map[string][]string) // pkg -> tests to retry
+		for _, pt := range thisRun.tests {
+			ch := make(chan *testAttempt)
+			go runTests(ctx, thisRun.attempt, pt, otherArgs, ch)
+			for tr := range ch {
+				if tr.pkgFinished {
+					printPkgOutcome(tr.name.pkg, tr.outcome, thisRun.attempt)
+					continue
+				}
+				if *v || tr.outcome == "fail" {
+					io.Copy(os.Stdout, &tr.logs)
+				}
+				if tr.outcome != "fail" {
+					continue
+				}
+				if tr.isMarkedFlaky {
+					toRetry[tr.name.pkg] = append(toRetry[tr.name.pkg], tr.name.name)
+				} else {
+					failed = true
+				}
+			}
+		}
+		if failed {
+			fmt.Println("\n\nNot retrying flaky tests because non-flaky tests failed.")
+			os.Exit(1)
+		}
+		if len(toRetry) == 0 {
+			continue
+		}
+		pkgs := maps.Keys(toRetry)
+		sort.Strings(pkgs)
+		nextRun := &nextRun{
+			attempt: thisRun.attempt + 1,
+		}
+		for _, pkg := range pkgs {
+			tests := toRetry[pkg]
+			sort.Strings(tests)
+			nextRun.tests = append(nextRun.tests, &packageTests{
+				pattern: pkg,
+				tests:   tests,
+			})
+		}
+		toRun = append(toRun, nextRun)
+	}
 }

cmd/tsconnect/common.go

@@ -32,6 +32,9 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 	if err != nil {
 		return nil, err
 	}
+	if *yarnPath == "" {
+		*yarnPath = path.Join(root, "tool", "yarn")
+	}
 	tsConnectDir := filepath.Join(root, "cmd", "tsconnect")
 	if err := os.Chdir(tsConnectDir); err != nil {
 		return nil, fmt.Errorf("Cannot change cwd: %w", err)
@@ -71,6 +74,9 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 }
 
 func findRepoRoot() (string, error) {
+	if *rootDir != "" {
+		return *rootDir, nil
+	}
 	cwd, err := os.Getwd()
 	if err != nil {
 		return "", err

cmd/tsconnect/tsconnect.go

@@ -20,9 +20,10 @@ var (
 	addr            = flag.String("addr", ":9090", "address to listen on")
 	distDir         = flag.String("distdir", "./dist", "path of directory to place build output in")
 	pkgDir          = flag.String("pkgdir", "./pkg", "path of directory to place NPM package build output in")
-	yarnPath        = flag.String("yarnpath", "../../tool/yarn", "path yarn executable used to install JavaScript dependencies")
+	yarnPath        = flag.String("yarnpath", "", "path yarn executable used to install JavaScript dependencies")
 	fastCompression = flag.Bool("fast-compression", false, "Use faster compression when building, to speed up build time. Meant to iterative/debugging use only.")
 	devControl      = flag.String("dev-control", "", "URL of a development control server to be used with dev. If provided without specifying dev, an error will be returned.")
+	rootDir         = flag.String("rootdir", "", "Root directory of repo. If not specified, will be inferred from the cwd.")
 )
 
 func main() {