api.md: add TOC

tailcfg: remove v6-overlay debug option.
It's about to become a no-op in control. Signed-off-by: David Anderson <danderson@tailscale.com>
2021-01-19 12:34:22 -08:00 · 2021-01-18 17:47:23 -08:00 · 2021-01-18 15:23:17 -08:00 · 2021-01-18 13:32:16 -08:00 · 2021-01-15 19:21:10 -08:00 · 2021-01-15 19:19:27 -08:00
286 changed files with 21221 additions and 8554 deletions
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -0,0 +1,48 @@
+name: Code Coverage
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.15
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+      # https://markphelps.me/2019/11/speed-up-your-go-builds-with-actions-cache/
+    - name: Restore Cache
+      uses: actions/cache@preview
+      id: cache
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-${{ hashFiles('**/go.sum') }}
+
+    - name: Basic build
+      run: go build ./cmd/...
+
+    - name: Run tests on linux with coverage data
+      run: go test -race -coverprofile=coverage.txt -bench=. -benchtime=1x ./...
+
+    - name: coveralls.io
+      uses: shogo82148/actions-goveralls@v1
+      env:
+        COVERALLS_TOKEN: ${{ secrets.COVERALLS_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.COVERALLS_BOT_PUBLIC_REPO_TOKEN }}
+      with:
+        path-to-profile: ./coverage.txt
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -0,0 +1,28 @@
+name: depaware
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.15
+
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: depaware tailscaled
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+
+    - name: depaware tailscale
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -16,7 +16,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15

    - name: Check out code
      uses: actions/checkout@v1
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -16,7 +16,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15

    - name: Check out code
      uses: actions/checkout@v1
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -0,0 +1,52 @@
+name: Windows
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    runs-on: windows-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.15.x
+
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Restore Cache
+      uses: actions/cache@v2
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Test
+      run: go test ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +1,11 @@
 # Binaries for programs and plugins
 *~
+*.tmp
 *.exe
 *.dll
 *.so
 *.dylib

-cmd/relaynode/relaynode
-cmd/taillogin/taillogin
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled

@@ -18,3 +17,7 @@ cmd/tailscaled/tailscaled

 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+# direnv config, this may be different for other people so it's probably safer
+# to make this nonspecific.
+.envrc
--- a/19
+++ b/19
@@ -2,6 +2,23 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.

+############################################################################
+#
+# WARNING: Tailscale is not yet officially supported in Docker,
+# Kubernetes, etc.
+#
+# It might work, but we don't regularly test it, and it's not as polished as
+# our currently supported platforms. This is provided for people who know
+# how Tailscale works and what they're doing.
+#
+# Our tracking bug for officially support container use cases is:
+#    https://github.com/tailscale/tailscale/issues/504
+#
+# Also, see the various bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################
+
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
@@ -21,7 +38,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.14-alpine AS build-env
+FROM golang:1.15-alpine AS build-env

 WORKDIR /go/src/tailscale

--- a/13
+++ b/13
@@ -1,7 +1,18 @@
 usage:
 	echo "See Makefile"

-check: staticcheck
+vet:
+	go vet ./...
+
+updatedeps:
+	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
+	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale
+
+depaware:
+	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
+
+check: staticcheck vet depaware

 staticcheck:
 	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)
--- a/README.md
+++ b/README.md
@@ -6,25 +6,44 @@ Private WireGuard® networks made easy

 ## Overview

-This repository contains all the open source Tailscale code.
-It currently includes the Linux client.
+This repository contains all the open source Tailscale client code and
+the `tailscaled` daemon and `tailscale` CLI tool. The `tailscaled`
+daemon runs primarily on Linux; it also works to varying degrees on
+FreeBSD, OpenBSD, Darwin, and Windows.

-The Linux client is currently `cmd/relaynode`, but will
-soon be replaced by `cmd/tailscaled`.
+The Android app is at https://github.com/tailscale/tailscale-android

 ## Using

 We serve packages for a variety of distros at
 https://pkgs.tailscale.com .

+## Other clients
+
+The [macOS, iOS, and Windows clients](https://tailscale.com/download)
+use the code in this repository but additionally include small GUI
+wrappers that are not open source.
+
 ## Building

 ```
 go install tailscale.com/cmd/tailscale{,d}
 ```

+If you're packaging Tailscale for distribution, use `build_dist.sh`
+instead, to burn commit IDs and version info into the binaries:
+
+```
+./build_dist.sh tailscale.com/cmd/tailscale
+./build_dist.sh tailscale.com/cmd/tailscaled
+```
+
+If your distro has conventions that preclude the use of
+`build_dist.sh`, please do the equivalent of what it does in your
+distro's way, so that bug reports contain useful version information.
+
 We only guarantee to support the latest Go release and any Go beta or
-release candidate builds (currently Go 1.14) in module mode. It might
+release candidate builds (currently Go 1.15) in module mode. It might
 work in earlier Go versions or in GOPATH mode, but we're making no
 effort to keep those working.

@@ -35,10 +54,8 @@ Please file any issues about this code or the hosted service on

 ## Contributing

-`under_construction.gif`
-
-PRs welcome, but we are still working out our contribution process and
-tooling.
+PRs welcome! But please file bugs. Commit messages should [reference
+bugs](https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls).

 We require [Developer Certificate of
 Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
@@ -46,8 +63,13 @@ Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)

 ## About Us

-We are apenwarr, bradfitz, crawshaw, danderson, dfcarney,
-from Tailscale Inc.
-You can learn more about us from [our website](https://tailscale.com).
+[Tailscale](https://tailscale.com/) is primarily developed by the
+people at https://github.com/orgs/tailscale/people. For other contributors,
+see:
+
+* https://github.com/tailscale/tailscale/graphs/contributors
+* https://github.com/tailscale/tailscale-android/graphs/contributors
+
+## Legal

 WireGuard is a registered trademark of Jason A. Donenfeld.
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -0,0 +1 @@
+1.3.0
--- a/api.md
+++ b/api.md
@@ -0,0 +1,774 @@
+# Tailscale API
+
+The Tailscale API is a (mostly) RESTful API. Typically, POST bodies should be JSON encoded and responses will be JSON encoded.
+
+# Authentication
+Currently based on {some authentication method}. Visit the [admin panel](https://api.tailscale.com/admin) and navigate to the `Keys` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints.
+
+# APIs
+
+* **[Devices](#device)**
+  - [GET device](#device-get)
+  - [DELETE device](#device-delete)
+  - Routes
+    - [GET device routes](#device-routes-get)
+    - [POST device routes](#device-routes-post)
+* **[Tailnets](#tailnet)**
+  - ACLs
+    - [GET tailnet ACL](#tailnet-acl-get)
+    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
+    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
+  - [Devices](#tailnet-devices)
+    - [GET tailnet devices](#tailnet-devices-get)
+  - [DNS](#tailnet-dns)
+    - [GET tailnet DNS nameservers](#tailnet-dns-nameservers-get)
+    - [POST tailnet DNS nameservers](#tailnet-dns-nameservers-post)
+    - [GET tailnet DNS preferences](#tailnet-dns-preferences-get)
+    - [POST tailnet DNS preferences](#tailnet-dns-preferences-post)
+    - [GET tailnet DNS searchpaths](#tailnet-dns-searchpaths-get)
+    - [POST tailnet DNS searchpaths](#tailnet-dns-searchpaths-post)
+
+## Device
+<!-- TODO: description about what devices are -->
+Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id". 
+You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.
+
+To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network. 
+Find the device you're looking for and get the "id" field.
+This is your deviceID. 
+
+<a name=device-get></div>
+
+#### `GET /api/v2/device/:deviceid` - lists the details for a device
+Returns the details for the specified device.
+Supply the device of interest in the path using its ID.
+Use the `fields` query parameter to explicitly indicate which fields are returned.
+
+
+##### Parameters
+##### Query Parameters
+`fields` - Controls which fields will be included in the returned response.
+Currently, supported options are: 
+* `all`: returns all fields in the response.
+* `default`: return all fields except:
+  * `enabledRoutes`
+  * `advertisedRoutes`
+  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+
+Use commas to separate multiple options.
+If more than one option is indicated, then the union is used.
+For example, for `fields=default,all`, all fields are returned.
+If the `fields` parameter is not provided, then the default option is used.
+
+##### Example 
+```
+GET /api/v2/device/12345
+curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
+  -u "tskey-yourapikey123:"
+```
+
+Response
+```
+{
+  "addresses":[
+    "100.105.58.116"
+  ],
+  "id":"12345",
+  "user":"user1@example.com",
+  "name":"user1-device.example.com",
+  "hostname":"User1-Device",
+  "clientVersion":"date.20201107",
+  "updateAvailable":false,
+  "os":"macOS",
+  "created":"2020-11-20T20:56:49Z",
+  "lastSeen":"2020-11-20T16:15:55-05:00",
+  "keyExpiryDisabled":false,
+  "expires":"2021-05-19T20:56:49Z",
+  "authorized":true,
+  "isExternal":false,
+  "machineKey":"mkey:user1-machine-key",
+  "nodeKey":"nodekey:user1-node-key",
+  "blocksIncomingConnections":false,
+  "enabledRoutes":[
+    
+  ],
+  "advertisedRoutes":[
+    
+  ],
+  "clientConnectivity": {
+    "endpoints":[
+      "209.195.87.231:59128",
+      "192.168.0.173:59128"
+    ],
+    "derp":"",
+    "mappingVariesByDestIP":false,
+    "latency":{
+      "Dallas":{
+        "latencyMs":60.463043
+      },
+      "New York City":{
+        "preferred":true,
+        "latencyMs":31.323811
+      },
+      "San Francisco":{
+        "latencyMs":81.313389
+      }
+    },
+    "clientSupports":{
+      "hairPinning":false,
+      "ipv6":false,
+      "pcp":false,
+      "pmp":false,
+      "udp":true,
+      "upnp":false
+    }
+  }
+}
+```
+
+<a name=device-delete></div>
+
+#### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
+Deletes the provided device from its tailnet. 
+The device must belong to the user's tailnet.
+Deleting shared/external devices is not supported.
+Supply the device of interest in the path using its ID.
+
+
+##### Parameters
+No parameters.
+
+##### Example
+```
+DELETE /api/v2/device/12345
+curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
+  -u "tskey-yourapikey123:" -v
+```
+
+Response
+
+If successful, the response should be empty: 
+```
+< HTTP/1.1 200 OK
+...
+* Connection #0 to host left intact
+* Closing connection 0
+```
+
+If the device is not owned by your tailnet: 
+```
+< HTTP/1.1 501 Not Implemented
+...
+{"message":"cannot delete devices outside of your tailnet"}
+```
+
+
+<a name=device-routes-get></div>
+
+#### `GET /api/v2/device/:deviceID/routes` - fetch subnet routes that are advertised and enabled for a device
+
+Retrieves the list of subnet routes that a device is advertising, as well as those that are enabled for it. Enabled routes are not necessarily advertised (e.g. for pre-enabling), and likewise, advertised routes are not necessarily enabled.
+
+##### Parameters
+
+No parameters.
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
+-u "tskey-yourapikey123:"
+```
+
+Response
+```
+{
+   "advertisedRoutes" : [
+      "10.0.1.0/24",
+      "1.2.0.0/16",
+      "2.0.0.0/24"
+   ],
+   "enabledRoutes" : []
+}
+```
+
+<a name=device-routes-post></div>
+
+#### `POST /api/v2/device/:deviceID/routes` - set the subnet routes that are enabled for a device
+
+Sets which subnet routes are enabled to be routed by a device by replacing the existing list of subnet routes with the supplied parameters. Routes can be enabled without a device advertising them (e.g. for preauth). Returns a list of enabled subnet routes and a list of advertised subnet routes for a device.
+
+##### Parameters
+
+###### POST Body
+`routes` - The new list of enabled subnet routes in JSON.
+```
+{
+  "routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]
+}
+```
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
+-u "tskey-yourapikey123:" \
+--data-binary '{"routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]}'
+```
+
+Response
+
+```
+{
+   "advertisedRoutes" : [
+      "10.0.1.0/24",
+      "1.2.0.0/16",
+      "2.0.0.0/24"
+   ],
+   "enabledRoutes" : [
+      "10.0.1.0/24",
+      "1.2.0.0/16",
+      "2.0.0.0/24"
+   ]
+}
+```
+
+## Tailnet 
+A tailnet is the name of your Tailscale network. 
+You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
+
+
+`alice@example.com` belongs to the `example.com` tailnet and would use the following format for API calls:
+
+```
+GET /api/v2/tailnet/example.com/...
+curl https://api.tailscale.com/api/v2/tailnet/example.com/...
+```
+
+
+For solo plans, the tailnet is the email you signed up with.
+So `alice@gmail.com` has the tailnet `alice@gmail.com` since `@gmail.com` is a shared email host.
+Her API calls would have the following format:
+```
+GET /api/v2/tailnet/alice@gmail.com/...
+curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
+```
+
+Tailnets are a top-level resource. ACL is an example of a resource that is tied to a top-level tailnet.
+
+For more information on Tailscale networks/tailnets, click [here](https://tailscale.com/kb/1064/invite-team-members).
+
+### ACL
+
+<a name=tailnet-acl-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/acl` - fetch ACL for a tailnet
+
+Retrieves the ACL that is currently set for the given tailnet. Supply the tailnet of interest in the path. This endpoint can send back either the HuJSON of the ACL or a parsed JSON, depending on the `Accept` header.
+
+##### Parameters
+
+###### Headers
+`Accept` - Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
+
+##### Returns
+Returns the ACL HuJSON by default. Returns a parsed JSON of the ACL (sans comments) if the `Accept` type is explicitly set to `application/json`. An `ETag` header is also sent in the response, which can be optionally used in POST requests to avoid missed updates.
+<!-- TODO (chungdaniel): define error types and a set of docs for them -->
+
+##### Example
+
+###### Requesting a HuJSON response:
+```
+GET /api/v2/tailnet/example.com/acl
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
+  -u "tskey-yourapikey123:" \
+  -H "Accept: application/hujson" \
+  -v
+```
+
+Response
+```
+...
+Content-Type: application/hujson
+Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
+...
+
+// Example/default ACLs for unrestricted connections.
+{
+    "Tests": [],
+    // Declare static groups of users beyond those in the identity service.
+    "Groups": {
+        "group:example": [
+            "user1@example.com",
+            "user2@example.com"
+        ],
+    },
+    // Declare convenient hostname aliases to use in place of IP addresses.
+    "Hosts": {
+        "example-host-1": "100.100.100.100",
+    },
+    // Access control lists.
+    "ACLs": [
+        // Match absolutely everything. Comment out this section if you want
+        // to define specific ACL restrictions.
+        {
+            "Action": "accept",
+            "Users": [
+                "*"
+            ],
+            "Ports": [
+                "*:*"
+            ]
+        },
+    ]
+}
+```
+
+###### Requesting a JSON response:
+```
+GET /api/v2/tailnet/example.com/acl
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
+  -u "tskey-yourapikey123:" \
+  -H "Accept: application/json" \
+  -v
+```
+
+Response
+```
+...
+Content-Type: application/json
+Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
+...
+{
+   "acls" : [
+      {
+         "action" : "accept",
+         "ports" : [
+            "*:*"
+         ],
+         "users" : [
+            "*"
+         ]
+      }
+   ],
+   "groups" : {
+      "group:example" : [
+         "user1@example.com",
+         "user2@example.com"
+      ]
+   },
+   "hosts" : {
+      "example-host-1" : "100.100.100.100"
+   }
+}
+```
+
+<a name=tailnet-acl-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/acl` - set ACL for a tailnet
+
+Sets the ACL for the given tailnet. HuJSON and JSON are both accepted inputs. An `If-Match` header can be set to avoid missed updates.
+
+Returns error for invalid ACLs.
+Returns error if using an `If-Match` header and the ETag does not match.
+
+##### Parameters
+
+###### Headers
+`If-Match` - A request header. Set this value to the ETag header provided in an `ACL GET` request to avoid missed updates.
+
+`Accept` - Sets the return type of the updated ACL. Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
+
+###### POST Body
+ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)
+
+##### Example
+```
+POST /api/v2/tailnet/example.com/acl
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
+  -u "tskey-yourapikey123:" \
+  -H "If-Match: \"e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c\""
+  --data-binary '// Example/default ACLs for unrestricted connections.
+{
+  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
+  ],
+  // Declare static groups of users beyond those in the identity service.
+  "Groups": {
+    "group:example": [ "user1@example.com", "user2@example.com" ],
+  },
+  // Declare convenient hostname aliases to use in place of IP addresses.
+  "Hosts": {
+    "example-host-1": "100.100.100.100",
+  },
+  // Access control lists.
+  "ACLs": [
+    // Match absolutely everything. Comment out this section if you want
+    // to define specific ACL restrictions.
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
+  ]
+}'
+```
+
+Response
+```
+// Example/default ACLs for unrestricted connections.
+{
+  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
+  ],
+  // Declare static groups of users beyond those in the identity service.
+  "Groups": {
+    "group:example": [ "user1@example.com", "user2@example.com" ],
+  },
+  // Declare convenient hostname aliases to use in place of IP addresses.
+  "Hosts": {
+    "example-host-1": "100.100.100.100",
+  },
+  // Access control lists.
+  "ACLs": [
+    // Match absolutely everything. Comment out this section if you want
+    // to define specific ACL restrictions.
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
+  ]
+}
+```
+
+<a name=tailnet-acl-preview-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/acl/preview` - preview rule matches on an ACL for a resource
+Determines what rules match for a user on an ACL without saving the ACL to the server.
+
+##### Parameters
+
+###### Query Parameters
+`user` - A user's email. The provided ACL is queried with this user to determine which rules match.
+
+###### POST Body
+ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)
+
+##### Example
+```
+POST /api/v2/tailnet/example.com/acl/preiew
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl?user=user1@example.com' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '// Example/default ACLs for unrestricted connections.
+{
+  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
+  ],
+  // Declare static groups of users beyond those in the identity service.
+  "Groups": {
+    "group:example": [ "user1@example.com", "user2@example.com" ],
+  },
+  // Declare convenient hostname aliases to use in place of IP addresses.
+  "Hosts": {
+    "example-host-1": "100.100.100.100",
+  },
+  // Access control lists.
+  "ACLs": [
+    // Match absolutely everything. Comment out this section if you want
+    // to define specific ACL restrictions.
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
+  ]
+}'
+```
+
+Response
+```
+{"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
+```
+
+<a name=tailnet-devices></a>
+
+### Devices
+
+<a name=tailnet-devices-get></a>
+
+#### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
+Lists the devices in a tailnet. 
+Supply the tailnet of interest in the path.
+Use the `fields` query parameter to explicitly indicate which fields are returned.
+
+
+##### Parameters
+
+###### Query Parameters
+`fields` - Controls which fields will be included in the returned response.
+Currently, supported options are: 
+* `all`: Returns all fields in the response.
+* `default`: return all fields except:
+  * `enabledRoutes`
+  * `advertisedRoutes`
+  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+
+Use commas to separate multiple options.
+If more than one option is indicated, then the union is used.
+For example, for `fields=default,all`, all fields are returned.
+If the `fields` parameter is not provided, then the default option is used.
+
+##### Example
+
+```
+GET /api/v2/tailnet/example.com/devices
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
+  -u "tskey-yourapikey123:"
+```
+
+Response 
+```
+{
+  "devices":[
+    {
+      "addresses":[
+        "100.68.203.125"
+      ],
+      "clientVersion":"date.20201107",
+      "os":"macOS",
+      "name":"user1-device.example.com",
+      "created":"2020-11-30T22:20:04Z",
+      "lastSeen":"2020-11-30T17:20:04-05:00",
+      "hostname":"User1-Device",
+      "machineKey":"mkey:user1-node-key",
+      "nodeKey":"nodekey:user1-node-key",
+      "id":"12345",
+      "user":"user1@example.com",
+      "expires":"2021-05-29T22:20:04Z",
+      "keyExpiryDisabled":false,
+      "authorized":false,
+      "isExternal":false,
+      "updateAvailable":false,
+      "blocksIncomingConnections":false,
+    },
+    {
+      "addresses":[
+        "100.111.63.90"
+      ],
+      "clientVersion":"date.20201107",
+      "os":"macOS",
+      "name":"user2-device.example.com",
+      "created":"2020-11-30T22:21:03Z",
+      "lastSeen":"2020-11-30T17:21:03-05:00",
+      "hostname":"User2-Device",
+      "machineKey":"mkey:user2-machine-key",
+      "nodeKey":"nodekey:user2-node-key",
+      "id":"48810",
+      "user":"user2@example.com",
+      "expires":"2021-05-29T22:21:03Z",
+      "keyExpiryDisabled":false,
+      "authorized":false,
+      "isExternal":false,
+      "updateAvailable":false,
+      "blocksIncomingConnections":false,
+    }
+  ]
+}
+```
+
+<a name=tailnet-dns></a>
+
+### DNS
+
+<a name=tailnet-dns-nameservers-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
+Lists the DNS nameservers for a tailnet. 
+Supply the tailnet of interest in the path.
+
+##### Parameters
+No parameters.
+
+##### Example 
+
+```
+GET /api/v2/tailnet/example.com/dns/nameservers
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
+  -u "tskey-yourapikey123:"
+```
+
+Response 
+```
+{
+  "dns": ["8.8.8.8"],
+}
+```
+
+<a name=tailnet-dns-nameservers-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
+Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user. 
+Supply the tailnet of interest in the path.
+Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).
+
+##### Parameters
+###### POST Body
+`dns` - The new list of DNS nameservers in JSON.
+```
+{
+  "dns":["8.8.8.8"]
+}
+```
+
+##### Returns
+Returns the new list of nameservers and the status of MagicDNS. 
+
+If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).
+
+##### Example
+###### Adding DNS nameservers with the MagicDNS on:
+```
+POST /api/v2/tailnet/example.com/dns/nameservers
+curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '{"dns": ["8.8.8.8"]}'
+```
+
+Response:
+```
+{
+  "dns":["8.8.8.8"],
+  "magicDNS":true,
+}
+```
+
+###### Removing all DNS nameservers with the MagicDNS on:
+```
+POST /api/v2/tailnet/example.com/dns/nameservers
+curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '{"dns": []}'
+```
+
+Response:
+```
+{
+  "dns":[],
+  "magicDNS": false,
+}
+```
+
+<a name=tailnet-dns-preferences-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/dns/preferences` - retrieves the DNS preferences for a tailnet
+Retrieves the DNS preferences that are currently set for the given tailnet.
+Supply the tailnet of interest in the path.
+
+##### Parameters
+No parameters. 
+
+##### Example
+```
+GET /api/v2/tailnet/example.com/dns/preferences
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
+  -u "tskey-yourapikey123:" 
+```
+
+Response:
+```
+{
+  "magicDNS":false, 
+}
+```
+
+<a name=tailnet-dns-preferences-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet 
+Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
+Note that MagicDNS is dependent on DNS servers. 
+
+If there is at least one DNS server, then MagicDNS can be enabled. 
+Otherwise, it returns an error.
+Note that removing all nameservers will turn off MagicDNS. 
+To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.
+
+##### Parameters
+###### POST Body
+The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
+`magicDNS` -  Automatically registers DNS names for devices in your tailnet.
+```
+{
+  "magicDNS": true
+}
+```
+
+##### Example
+```
+POST /api/v2/tailnet/example.com/dns/preferences
+curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '{"magicDNS": true}'
+```
+
+
+Response:
+
+If there are no DNS servers, it returns an error message:
+```
+{
+  "message":"need at least one nameserver to enable MagicDNS"
+}
+```
+
+If there are DNS servers: 
+```
+{
+  "magicDNS":true,
+}
+```
+
+<a name=tailnet-dns-searchpaths-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet 
+Retrieves the list of search paths that is currently set for the given tailnet. 
+Supply the tailnet of interest in the path.
+
+
+##### Parameters
+No parameters.
+
+##### Example
+```
+GET /api/v2/tailnet/example.com/dns/searchpaths
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
+  -u "tskey-yourapikey123:" 
+```
+
+Response:
+```
+{
+  "searchPaths": ["user1.example.com"],
+}
+```
+
+<a name=tailnet-dns-searchpaths-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet 
+Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.
+
+##### Parameters
+
+###### POST Body
+`searchPaths` - A list of searchpaths in JSON.
+```
+{
+  "searchPaths: ["user1.example.com", "user2.example.com"]
+}
+```
+
+##### Example
+```
+POST /api/v2/tailnet/example.com/dns/searchpaths
+curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '{"searchPaths": ["user1.example.com", "user2.example.com"]}'
+```
+
+Response:
+```
+{
+  "searchPaths": ["user1.example.com", "user2.example.com"],
+}
+```
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+#
+# Runs `go build` with flags configured for binary distribution. All
+# it does differently from `go build` is burn git commit and version
+# information into the binaries, so that we can track down user
+# issues.
+#
+# If you're packaging Tailscale for a distro, please consider using
+# this script, or executing equivalent commands in your
+# distro-specific build system.
+
+set -eu
+
+eval $(./version/version.sh)
+
+exec go build -tags xversion -ldflags "-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" "$@"
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -33,6 +33,7 @@ var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
 	flagOutput    = flag.String("output", "", "output file; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
+	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 )

 func main() {
@@ -86,8 +87,8 @@ func main() {
 					}
 					pkg := typeNameObj.Pkg()
 					gen(buf, imports, typeName, typ, pkg)
+					found = true
 				}
-				found = true
 			}
 		}
 		if !found {
@@ -95,6 +96,31 @@ func main() {
 		}
 	}

+	w := func(format string, args ...interface{}) {
+		fmt.Fprintf(buf, format+"\n", args...)
+	}
+	if *flagCloneFunc {
+		w("// Clone duplicates src into dst and reports whether it succeeded.")
+		w("// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,")
+		w("// where T is one of %s.", *flagTypes)
+		w("func Clone(dst, src interface{}) bool {")
+		w("	switch src := src.(type) {")
+		for _, typeName := range typeNames {
+			w("	case *%s:", typeName)
+			w("		switch dst := dst.(type) {")
+			w("		case *%s:", typeName)
+			w("			*dst = *src.Clone()")
+			w("			return true")
+			w("		case **%s:", typeName)
+			w("			*dst = src.Clone()")
+			w("			return true")
+			w("		}")
+		}
+		w("	}")
+		w("	return false")
+		w("}")
+	}
+
 	contents := new(bytes.Buffer)
 	fmt.Fprintf(contents, header, *flagTypes, pkg.Name)
 	fmt.Fprintf(contents, "import (\n")
@@ -114,7 +140,7 @@ func main() {
 		flag.Usage()
 		os.Exit(2)
 	}
-	if err := ioutil.WriteFile(output, out, 0666); err != nil {
+	if err := ioutil.WriteFile(output, out, 0644); err != nil {
 		log.Fatal(err)
 	}
 }
@@ -143,7 +169,19 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types

 	switch t := typ.Underlying().(type) {
 	case *types.Struct:
-		_ = t
+		// We generate two bits of code simultaneously while we walk the struct.
+		// One is the Clone method itself, which we write directly to buf.
+		// The other is a variable assignment that will fail if the struct
+		// changes without the Clone method getting regenerated.
+		// We write that to regenBuf, and then append it to buf at the end.
+		regenBuf := new(bytes.Buffer)
+		writeRegen := func(format string, args ...interface{}) {
+			fmt.Fprintf(regenBuf, format+"\n", args...)
+		}
+		writeRegen("// A compilation failure here means this code must be regenerated, with command:")
+		writeRegen("//   tailscale.com/cmd/cloner -type %s", *flagTypes)
+		writeRegen("var _%sNeedsRegeneration = %s(struct {", name, name)
+
 		name := typ.Obj().Name()
 		fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
 		fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
@@ -159,6 +197,9 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 		for i := 0; i < t.NumFields(); i++ {
 			fname := t.Field(i).Name()
 			ft := t.Field(i).Type()
+
+			writeRegen("\t%s %s", fname, importedName(ft))
+
 			if !containsPointers(ft) {
 				continue
 			}
@@ -220,6 +261,10 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 		}
 		writef("return dst")
 		fmt.Fprintf(buf, "}\n\n")
+
+		writeRegen("}{})\n")
+
+		buf.Write(regenBuf.Bytes())
 	}
 }

--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -7,11 +7,13 @@ package main // import "tailscale.com/cmd/derper"

 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"expvar"
 	"flag"
 	"fmt"
+	"html"
 	"io"
 	"io/ioutil"
 	"log"
@@ -23,7 +25,6 @@ import (
 	"strings"
 	"time"

-	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/crypto/acme/autocert"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
@@ -33,6 +34,8 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
+	"tailscale.com/types/wgkey"
+	"tailscale.com/version"
 )

 var (
@@ -48,7 +51,7 @@ var (
 )

 type config struct {
-	PrivateKey wgcfg.PrivateKey
+	PrivateKey wgkey.Private
 }

 func loadConfig() config {
@@ -60,7 +63,7 @@ func loadConfig() config {
 	}
 	b, err := ioutil.ReadFile(*configPath)
 	switch {
-	case os.IsNotExist(err):
+	case errors.Is(err, os.ErrNotExist):
 		return writeNewConfig()
 	case err != nil:
 		log.Fatal(err)
@@ -74,8 +77,8 @@ func loadConfig() config {
 	}
 }

-func mustNewKey() wgcfg.PrivateKey {
-	key, err := wgcfg.NewPrivateKey()
+func mustNewKey() wgkey.Private {
+	key, err := wgkey.NewPrivate()
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -94,7 +97,7 @@ func writeNewConfig() config {
 	if err != nil {
 		log.Fatal(err)
 	}
-	if err := atomicfile.WriteFile(*configPath, b, 0666); err != nil {
+	if err := atomicfile.WriteFile(*configPath, b, 0600); err != nil {
 		log.Fatal(err)
 	}
 	return cfg
@@ -184,6 +187,15 @@ func main() {
 			certManager.Email = "security@tailscale.com"
 		}
 		httpsrv.TLSConfig = certManager.TLSConfig()
+		letsEncryptGetCert := httpsrv.TLSConfig.GetCertificate
+		httpsrv.TLSConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			cert, err := letsEncryptGetCert(hi)
+			if err != nil {
+				return nil, err
+			}
+			cert.Certificate = append(cert.Certificate, s.MetaCert())
+			return cert, nil
+		}
 		go func() {
 			err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 			if err != nil {
@@ -218,9 +230,10 @@ func debugHandler(s *derp.Server) http.Handler {
 <h1>DERP debug</h1>
 <ul>
 `)
-		f("<li><b>Hostname:</b> %v</li>\n", *hostname)
+		f("<li><b>Hostname:</b> %v</li>\n", html.EscapeString(*hostname))
 		f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
 		f("<li><b>Mesh Key:</b> %v</li>\n", s.HasMeshKey())
+		f("<li><b>Version:</b> %v</li>\n", html.EscapeString(version.Long))

 		f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
   <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
--- a/cmd/microproxy/microproxy.go
+++ b/cmd/microproxy/microproxy.go
@@ -19,6 +19,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"

@@ -33,6 +34,7 @@ var (
 	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
 	nodeExporter  = flag.String("node-exporter", "http://localhost:9100", "URL of the local prometheus node exporter")
 	goVarsURL     = flag.String("go-vars-url", "http://localhost:8383/debug/vars", "URL of a local Go server's /debug/vars endpoint")
+	insecure      = flag.Bool("insecure", false, "serve over http, for development")
 )

 func main() {
@@ -65,12 +67,15 @@ func main() {
 	httpsrv := &http.Server{
 		Addr:    *addr,
 		Handler: mux,
-		TLSConfig: &tls.Config{
-			GetCertificate: ch.GetCertificate,
-		},
 	}

-	if err := httpsrv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+	if !*insecure {
+		httpsrv.TLSConfig = &tls.Config{GetCertificate: ch.GetCertificate}
+		err = httpsrv.ListenAndServeTLS("", "")
+	} else {
+		err = httpsrv.ListenAndServe()
+	}
+	if err != nil && err != http.ErrServerClosed {
 		log.Fatal(err)
 	}
 }
@@ -88,7 +93,16 @@ func promPrint(w io.Writer, prefix string, obj map[string]interface{}) {
 		case map[string]interface{}:
 			promPrint(w, k, v)
 		case float64:
-			fmt.Fprintf(w, "%s %f\n", k, v)
+			const saveConfigReject = "control_save_config_rejected_"
+			const saveConfig = "control_save_config_"
+			switch {
+			case strings.HasPrefix(k, saveConfigReject):
+				fmt.Fprintf(w, "control_save_config_rejected{reason=%q} %f\n", k[len(saveConfigReject):], v)
+			case strings.HasPrefix(k, saveConfig):
+				fmt.Fprintf(w, "control_save_config{reason=%q} %f\n", k[len(saveConfig):], v)
+			default:
+				fmt.Fprintf(w, "%s %f\n", k, v)
+			}
 		default:
 			fmt.Fprintf(w, "# Skipping key %q, unhandled type %T\n", k, v)
 		}
--- a/cmd/relaynode/relaynode.od
+++ b/cmd/relaynode/relaynode.od
@@ -1 +0,0 @@
-# placeholder to work around redo bug
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -31,7 +31,8 @@ func ActLikeCLI() bool {
 		return false
 	}
 	switch os.Args[1] {
-	case "up", "status", "netcheck", "version",
+	case "up", "down", "status", "netcheck", "ping", "version",
+		"debug",
 		"-V", "--version", "-h", "--help":
 		return true
 	}
@@ -57,14 +58,21 @@ change in the future.
 `),
 		Subcommands: []*ffcli.Command{
 			upCmd,
+			downCmd,
 			netcheckCmd,
 			statusCmd,
+			pingCmd,
 			versionCmd,
 		},
 		FlagSet: rootfs,
 		Exec:    func(context.Context, []string) error { return flag.ErrHelp },
 	}

+	// Don't advertise the debug command, but it exists.
+	if strSliceContains(args, "debug") {
+		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
+	}
+
 	if err := rootCmd.Parse(args); err != nil {
 		return err
 	}
@@ -76,6 +84,11 @@ change in the future.
 	return err
 }

+func fatalf(format string, a ...interface{}) {
+	log.SetFlags(0)
+	log.Fatalf(format, a...)
+}
+
 var rootArgs struct {
 	socket string
 }
@@ -84,9 +97,9 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 	c, err := safesocket.Connect(rootArgs.socket, 41112)
 	if err != nil {
 		if runtime.GOOS != "windows" && rootArgs.socket == "" {
-			log.Fatalf("--socket cannot be empty")
+			fatalf("--socket cannot be empty")
 		}
-		log.Fatalf("Failed to connect to connect to tailscaled. (safesocket.Connect: %v)\n", err)
+		fatalf("Failed to connect to tailscaled. (safesocket.Connect: %v)\n", err)
 	}
 	clientToServer := func(b []byte) {
 		ipn.WriteMsg(c, b)
@@ -121,3 +134,12 @@ func pump(ctx context.Context, bc *ipn.BackendClient, conn net.Conn) {
 		bc.GotNotifyMsg(msg)
 	}
 }
+
+func strSliceContains(ss []string, s string) bool {
+	for _, v := range ss {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -0,0 +1,175 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"flag"
+	"fmt"
+	"log"
+	"net/http"
+	"net/http/httptrace"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/derp/derphttp"
+	"tailscale.com/derp/derpmap"
+	"tailscale.com/net/interfaces"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/wgengine/monitor"
+)
+
+var debugCmd = &ffcli.Command{
+	Name: "debug",
+	Exec: runDebug,
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("debug", flag.ExitOnError)
+		fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run link monitor forever. Precludes all other options.")
+		fs.StringVar(&debugArgs.getURL, "get-url", "", "If non-empty, fetch provided URL.")
+		fs.StringVar(&debugArgs.derpCheck, "derp", "", "if non-empty, test a DERP ping via named region code")
+		return fs
+	})(),
+}
+
+var debugArgs struct {
+	monitor   bool
+	getURL    string
+	derpCheck string
+}
+
+func runDebug(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		return errors.New("unknown arguments")
+	}
+	if debugArgs.derpCheck != "" {
+		return checkDerp(ctx, debugArgs.derpCheck)
+	}
+	if debugArgs.monitor {
+		return runMonitor(ctx)
+	}
+	if debugArgs.getURL != "" {
+		return getURL(ctx, debugArgs.getURL)
+	}
+	return errors.New("only --monitor is available at the moment")
+}
+
+func runMonitor(ctx context.Context) error {
+	dump := func() {
+		st, err := interfaces.GetState()
+		if err != nil {
+			log.Printf("error getting state: %v", err)
+			return
+		}
+		j, _ := json.MarshalIndent(st, "", "    ")
+		os.Stderr.Write(j)
+	}
+	mon, err := monitor.New(log.Printf, func() {
+		log.Printf("Link monitor fired. State:")
+		dump()
+	})
+	if err != nil {
+		return err
+	}
+	log.Printf("Starting link change monitor; initial state:")
+	dump()
+	mon.Start()
+	log.Printf("Started link change monitor; waiting...")
+	select {}
+}
+
+func getURL(ctx context.Context, urlStr string) error {
+	if urlStr == "login" {
+		urlStr = "https://login.tailscale.com"
+	}
+	log.SetOutput(os.Stdout)
+	ctx = httptrace.WithClientTrace(ctx, &httptrace.ClientTrace{
+		GetConn:           func(hostPort string) { log.Printf("GetConn(%q)", hostPort) },
+		GotConn:           func(info httptrace.GotConnInfo) { log.Printf("GotConn: %+v", info) },
+		DNSStart:          func(info httptrace.DNSStartInfo) { log.Printf("DNSStart: %+v", info) },
+		DNSDone:           func(info httptrace.DNSDoneInfo) { log.Printf("DNSDoneInfo: %+v", info) },
+		TLSHandshakeStart: func() { log.Printf("TLSHandshakeStart") },
+		TLSHandshakeDone:  func(cs tls.ConnectionState, err error) { log.Printf("TLSHandshakeDone: %+v, %v", cs, err) },
+		WroteRequest:      func(info httptrace.WroteRequestInfo) { log.Printf("WroteRequest: %+v", info) },
+	})
+	req, err := http.NewRequestWithContext(ctx, "GET", urlStr, nil)
+	if err != nil {
+		return fmt.Errorf("http.NewRequestWithContext: %v", err)
+	}
+	proxyURL, err := tshttpproxy.ProxyFromEnvironment(req)
+	if err != nil {
+		return fmt.Errorf("tshttpproxy.ProxyFromEnvironment: %v", err)
+	}
+	log.Printf("proxy: %v", proxyURL)
+	tr := &http.Transport{
+		Proxy:              func(*http.Request) (*url.URL, error) { return proxyURL, nil },
+		ProxyConnectHeader: http.Header{},
+		DisableKeepAlives:  true,
+	}
+	if proxyURL != nil {
+		auth, err := tshttpproxy.GetAuthHeader(proxyURL)
+		if err == nil && auth != "" {
+			tr.ProxyConnectHeader.Set("Proxy-Authorization", auth)
+		}
+		const truncLen = 20
+		if len(auth) > truncLen {
+			auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
+		}
+		log.Printf("tshttpproxy.GetAuthHeader(%v) for Proxy-Auth: = %q, %v", proxyURL, auth, err)
+	}
+	res, err := tr.RoundTrip(req)
+	if err != nil {
+		return fmt.Errorf("Transport.RoundTrip: %v", err)
+	}
+	defer res.Body.Close()
+	return res.Write(os.Stdout)
+}
+
+func checkDerp(ctx context.Context, derpRegion string) error {
+	dmap := derpmap.Prod()
+	getRegion := func() *tailcfg.DERPRegion {
+		for _, r := range dmap.Regions {
+			if r.RegionCode == derpRegion {
+				return r
+			}
+		}
+		for _, r := range dmap.Regions {
+			log.Printf("Known region: %q", r.RegionCode)
+		}
+		log.Fatalf("unknown region %q", derpRegion)
+		panic("unreachable")
+	}
+
+	priv1 := key.NewPrivate()
+	priv2 := key.NewPrivate()
+
+	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
+	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
+
+	c2.NotePreferred(true) // just to open it
+
+	m, err := c2.Recv()
+	log.Printf("c2 got %T, %v", m, err)
+
+	t0 := time.Now()
+	if err := c1.Send(priv2.Public(), []byte("hello")); err != nil {
+		return err
+	}
+	fmt.Println(time.Since(t0))
+
+	m, err = c2.Recv()
+	log.Printf("c2 got %T, %v", m, err)
+	if err != nil {
+		return err
+	}
+	log.Printf("ok")
+	return err
+}
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -0,0 +1,66 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/ipn"
+)
+
+var downCmd = &ffcli.Command{
+	Name:       "down",
+	ShortUsage: "down",
+	ShortHelp:  "Disconnect from Tailscale",
+
+	Exec: runDown,
+}
+
+func runDown(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		log.Fatalf("too many non-flag arguments: %q", args)
+	}
+
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	timer := time.AfterFunc(5*time.Second, func() {
+		log.Fatalf("timeout running stop")
+	})
+	defer timer.Stop()
+
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if n.Status != nil {
+			cur := n.Status.BackendState
+			switch cur {
+			case "Stopped":
+				log.Printf("already stopped")
+				cancel()
+			default:
+				log.Printf("was in state %q", cur)
+			}
+			return
+		}
+		if n.State != nil {
+			log.Printf("now in state %q", *n.State)
+			if *n.State == ipn.Stopped {
+				cancel()
+			}
+			return
+		}
+	})
+
+	bc.RequestStatus()
+	bc.SetWantRunning(false)
+	pump(ctx, bc, c)
+
+	return nil
+}
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -17,7 +17,6 @@ import (

 	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/derp/derpmap"
-	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netcheck"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
@@ -44,9 +43,7 @@ var netcheckArgs struct {
 }

 func runNetcheck(ctx context.Context, args []string) error {
-	c := &netcheck.Client{
-		DNSCache: dnscache.Get(),
-	}
+	c := &netcheck.Client{}
 	if netcheckArgs.verbose {
 		c.Logf = logger.WithPrefix(log.Printf, "netcheck: ")
 		c.Verbose = true
@@ -125,20 +122,35 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	if len(report.RegionLatency) == 0 {
 		fmt.Printf("\t* Nearest DERP: unknown (no response to latency probes)\n")
 	} else {
-		fmt.Printf("\t* Nearest DERP: %v (%v)\n", report.PreferredDERP, dm.Regions[report.PreferredDERP].RegionCode)
+		fmt.Printf("\t* Nearest DERP: %v\n", dm.Regions[report.PreferredDERP].RegionName)
 		fmt.Printf("\t* DERP latency:\n")
 		var rids []int
 		for rid := range dm.Regions {
 			rids = append(rids, rid)
 		}
-		sort.Ints(rids)
+		sort.Slice(rids, func(i, j int) bool {
+			l1, ok1 := report.RegionLatency[rids[i]]
+			l2, ok2 := report.RegionLatency[rids[j]]
+			if ok1 != ok2 {
+				return ok1 // defined things sort first
+			}
+			if !ok1 {
+				return rids[i] < rids[j]
+			}
+			return l1 < l2
+		})
 		for _, rid := range rids {
 			d, ok := report.RegionLatency[rid]
 			var latency string
 			if ok {
 				latency = d.Round(time.Millisecond / 10).String()
 			}
-			fmt.Printf("\t\t- %v, %3s = %s\n", rid, dm.Regions[rid].RegionCode, latency)
+			r := dm.Regions[rid]
+			var derpNum string
+			if netcheckArgs.verbose {
+				derpNum = fmt.Sprintf("derp%d, ", rid)
+			}
+			fmt.Printf("\t\t- %3s: %-7s (%s%s)\n", r.RegionCode, latency, derpNum, r.RegionName)
 		}
 	}
 	return nil
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -0,0 +1,130 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+)
+
+var pingCmd = &ffcli.Command{
+	Name:       "ping",
+	ShortUsage: "ping <hostname-or-IP>",
+	ShortHelp:  "Ping a host at the Tailscale layer, see how it routed",
+	LongHelp: strings.TrimSpace(`
+
+The 'tailscale ping' command pings a peer node at the Tailscale layer
+and reports which route it took for each response. The first ping or
+so will likely go over DERP (Tailscale's TCP relay protocol) while NAT
+traversal finds a direct path through.
+
+If 'tailscale ping' works but a normal ping does not, that means one
+side's operating system firewall is blocking packets; 'tailscale ping'
+does not inject packets into either side's TUN devices.
+
+By default, 'tailscale ping' stops after 10 pings or once a direct
+(non-DERP) path has been established, whichever comes first.
+
+The provided hostname must resolve to or be a Tailscale IP
+(e.g. 100.x.y.z) or a subnet IP advertised by a Tailscale
+relay node.
+
+`),
+	Exec: runPing,
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("ping", flag.ExitOnError)
+		fs.BoolVar(&pingArgs.verbose, "verbose", false, "verbose output")
+		fs.BoolVar(&pingArgs.untilDirect, "until-direct", true, "stop once a direct path is established")
+		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
+		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
+		return fs
+	})(),
+}
+
+var pingArgs struct {
+	num         int
+	untilDirect bool
+	verbose     bool
+	timeout     time.Duration
+}
+
+func runPing(ctx context.Context, args []string) error {
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	if len(args) != 1 {
+		return errors.New("usage: ping <hostname-or-IP>")
+	}
+	hostOrIP := args[0]
+	var ip string
+	var res net.Resolver
+	if addrs, err := res.LookupHost(ctx, hostOrIP); err != nil {
+		return fmt.Errorf("error looking up IP of %q: %v", hostOrIP, err)
+	} else if len(addrs) == 0 {
+		return fmt.Errorf("no IPs found for %q", hostOrIP)
+	} else {
+		ip = addrs[0]
+	}
+	if pingArgs.verbose && ip != hostOrIP {
+		log.Printf("lookup %q => %q", hostOrIP, ip)
+	}
+
+	ch := make(chan *ipnstate.PingResult, 1)
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if pr := n.PingResult; pr != nil && pr.IP == ip {
+			ch <- pr
+		}
+	})
+	go pump(ctx, bc, c)
+
+	n := 0
+	anyPong := false
+	for {
+		n++
+		bc.Ping(ip)
+		timer := time.NewTimer(pingArgs.timeout)
+		select {
+		case <-timer.C:
+			fmt.Printf("timeout waiting for ping reply\n")
+		case pr := <-ch:
+			timer.Stop()
+			if pr.Err != "" {
+				return errors.New(pr.Err)
+			}
+			latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
+			via := pr.Endpoint
+			if pr.DERPRegionID != 0 {
+				via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
+			}
+			anyPong = true
+			fmt.Printf("pong from %s (%s) via %v in %v\n", pr.NodeName, pr.NodeIP, via, latency)
+			if pr.Endpoint != "" && pingArgs.untilDirect {
+				return nil
+			}
+			time.Sleep(time.Second)
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+		if n == pingArgs.num {
+			if !anyPong {
+				return errors.New("no reply")
+			}
+			return nil
+		}
+	}
+}
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -14,6 +14,8 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"sort"
+	"strings"
 	"time"

 	"github.com/peterbourgon/ff/v2/ffcli"
@@ -21,6 +23,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/util/dnsname"
 )

 var statusCmd = &ffcli.Command{
@@ -33,6 +36,8 @@ var statusCmd = &ffcli.Command{
 		fs.BoolVar(&statusArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
 		fs.BoolVar(&statusArgs.web, "web", false, "run webserver with HTML showing status")
 		fs.BoolVar(&statusArgs.active, "active", false, "filter output to only peers with active sessions (not applicable to web mode)")
+		fs.BoolVar(&statusArgs.self, "self", true, "show status of local machine")
+		fs.BoolVar(&statusArgs.peers, "peers", true, "show status of peers")
 		fs.StringVar(&statusArgs.listen, "listen", "127.0.0.1:8384", "listen address; use port 0 for automatic")
 		fs.BoolVar(&statusArgs.browser, "browser", true, "Open a browser in web mode")
 		return fs
@@ -45,6 +50,8 @@ var statusArgs struct {
 	listen  string // in web mode, webserver address to listen on, empty means auto
 	browser bool   // in web mode, whether to open browser
 	active  bool   // in CLI mode, filter output to only peers with active sessions
+	self    bool   // in CLI mode, show status of local machine
+	peers   bool   // in CLI mode, show status of peer machines
 }

 func runStatus(ctx context.Context, args []string) error {
@@ -125,41 +132,64 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}

+	if st.BackendState == ipn.Stopped.String() {
+		fmt.Println("Tailscale is stopped.")
+		os.Exit(1)
+	}
+
 	var buf bytes.Buffer
 	f := func(format string, a ...interface{}) { fmt.Fprintf(&buf, format, a...) }
-	for _, peer := range st.Peers() {
-		ps := st.Peer[peer]
+	printPS := func(ps *ipnstate.PeerStatus) {
 		active := peerActive(ps)
-		if statusArgs.active && !active {
-			continue
-		}
-		f("%s %-7s %-15s %-18s tx=%8d rx=%8d ",
-			peer.ShortString(),
-			ps.OS,
+		f("%-15s %-20s %-12s %-7s ",
 			ps.TailAddr,
-			ps.SimpleHostName(),
-			ps.TxBytes,
-			ps.RxBytes,
+			dnsOrQuoteHostname(st, ps),
+			ownerLogin(st, ps),
+			ps.OS,
 		)
 		relay := ps.Relay
-		if active && relay != "" && ps.CurAddr == "" {
-			relay = "*" + relay + "*"
-		} else {
-			relay = " " + relay
-		}
-		f("%-6s", relay)
-		for i, addr := range ps.Addrs {
-			if i != 0 {
-				f(", ")
-			}
-			if addr == ps.CurAddr {
-				f("*%s*", addr)
+		anyTraffic := ps.TxBytes != 0 || ps.RxBytes != 0
+		if !active {
+			if anyTraffic {
+				f("idle")
 			} else {
-				f("%s", addr)
+				f("-")
 			}
+		} else {
+			f("active; ")
+			if relay != "" && ps.CurAddr == "" {
+				f("relay %q", relay)
+			} else if ps.CurAddr != "" {
+				f("direct %s", ps.CurAddr)
+			}
+		}
+		if anyTraffic {
+			f(", tx %d rx %d", ps.TxBytes, ps.RxBytes)
 		}
 		f("\n")
 	}
+
+	if statusArgs.self && st.Self != nil {
+		printPS(st.Self)
+	}
+	if statusArgs.peers {
+		var peers []*ipnstate.PeerStatus
+		for _, peer := range st.Peers() {
+			ps := st.Peer[peer]
+			if ps.ShareeNode {
+				continue
+			}
+			peers = append(peers, ps)
+		}
+		sort.Slice(peers, func(i, j int) bool { return sortKey(peers[i]) < sortKey(peers[j]) })
+		for _, ps := range peers {
+			active := peerActive(ps)
+			if statusArgs.active && !active {
+				continue
+			}
+			printPS(ps)
+		}
+	}
 	os.Stdout.Write(buf.Bytes())
 	return nil
 }
@@ -170,3 +200,37 @@ func runStatus(ctx context.Context, args []string) error {
 func peerActive(ps *ipnstate.PeerStatus) bool {
 	return !ps.LastWrite.IsZero() && time.Since(ps.LastWrite) < 2*time.Minute
 }
+
+func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
+	if i := strings.Index(ps.DNSName, "."); i != -1 && dnsname.HasSuffix(ps.DNSName, st.MagicDNSSuffix) {
+		return ps.DNSName[:i]
+	}
+	if ps.DNSName != "" {
+		return strings.TrimRight(ps.DNSName, ".")
+	}
+	return fmt.Sprintf("(%q)", strings.ReplaceAll(ps.SimpleHostName(), " ", "_"))
+}
+
+func sortKey(ps *ipnstate.PeerStatus) string {
+	if ps.DNSName != "" {
+		return ps.DNSName
+	}
+	if ps.HostName != "" {
+		return ps.HostName
+	}
+	return ps.TailAddr
+}
+
+func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
+	if ps.UserID.IsZero() {
+		return "-"
+	}
+	u, ok := st.User[ps.UserID]
+	if !ok {
+		return fmt.Sprint(ps.UserID)
+	}
+	if i := strings.Index(u.LoginName, "@"); i != -1 {
+		return u.LoginName[:i+1]
+	}
+	return u.LoginName
+}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -7,6 +7,7 @@ package cli
 import (
 	"bytes"
 	"context"
+	"errors"
 	"flag"
 	"fmt"
 	"log"
@@ -15,23 +16,17 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"sync"

 	"github.com/peterbourgon/ff/v2/ffcli"
-	"github.com/tailscale/wireguard-go/wgcfg"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
+	"tailscale.com/version"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/router"
 )

-// globalStateKey is the ipn.StateKey that tailscaled loads on
-// startup.
-//
-// We have to support multiple state keys for other OSes (Windows in
-// particular), but right now Unix daemons run with a single
-// node-global state. To keep open the option of having per-user state
-// later, the global state key doesn't look like a username.
-const globalStateKey = "_daemon"
-
 var upCmd = &ffcli.Command{
 	Name:       "up",
 	ShortUsage: "up [flags]",
@@ -51,76 +46,60 @@ specify any flags, options are reset to their default.
 		upf.BoolVar(&upArgs.acceptDNS, "accept-dns", true, "accept DNS configuration from the admin panel")
 		upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "install host routes to other Tailscale nodes")
 		upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
+		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
 		upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "ACL tags to request (comma-separated, e.g. eng,montreal,ssh)")
 		upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key")
 		upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
-		upf.BoolVar(&upArgs.enableDERP, "enable-derp", true, "enable the use of DERP servers")
-		if runtime.GOOS == "linux" || isBSD(runtime.GOOS) {
+		if runtime.GOOS == "linux" || isBSD(runtime.GOOS) || version.OS() == "macOS" {
 			upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. 10.0.0.0/8,192.168.0.0/24)")
 		}
 		if runtime.GOOS == "linux" {
-			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with -advertise-routes")
-			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", "on", "netfilter mode (one of on, nodivert, off)")
+			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with --advertise-routes")
+			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", defaultNetfilterMode(), "netfilter mode (one of on, nodivert, off)")
 		}
 		return upf
 	})(),
 	Exec: runUp,
 }

+func defaultNetfilterMode() string {
+	if distro.Get() == distro.Synology {
+		return "off"
+	}
+	return "on"
+}
+
 var upArgs struct {
 	server          string
 	acceptRoutes    bool
 	acceptDNS       bool
 	singleRoutes    bool
 	shieldsUp       bool
+	forceReauth     bool
 	advertiseRoutes string
 	advertiseTags   string
-	enableDERP      bool
 	snat            bool
 	netfilterMode   string
 	authKey         string
 	hostname        string
 }

-// parseIPOrCIDR parses an IP address or a CIDR prefix. If the input
-// is an IP address, it is returned in CIDR form with a /32 mask for
-// IPv4 or a /128 mask for IPv6.
-func parseIPOrCIDR(s string) (wgcfg.CIDR, bool) {
-	if strings.Contains(s, "/") {
-		ret, err := wgcfg.ParseCIDR(s)
-		if err != nil {
-			return wgcfg.CIDR{}, false
-		}
-		return ret, true
-	}
-
-	ip, ok := wgcfg.ParseIP(s)
-	if !ok {
-		return wgcfg.CIDR{}, false
-	}
-	if ip.Is4() {
-		return wgcfg.CIDR{IP: ip, Mask: 32}, true
-	} else {
-		return wgcfg.CIDR{IP: ip, Mask: 128}, true
-	}
-}
-
 func isBSD(s string) bool {
 	return s == "dragonfly" || s == "freebsd" || s == "netbsd" || s == "openbsd"
 }

-func warning(format string, args ...interface{}) {
+func warnf(format string, args ...interface{}) {
 	fmt.Printf("Warning: "+format+"\n", args...)
 }

-// checkIPForwarding prints warnings on linux if IP forwarding is not
+// checkIPForwarding prints warnings if IP forwarding is not
 // enabled, or if we were unable to verify the state of IP forwarding.
 func checkIPForwarding() {
 	var key string

 	if runtime.GOOS == "linux" {
 		key = "net.ipv4.ip_forward"
-	} else if isBSD(runtime.GOOS) {
+	} else if isBSD(runtime.GOOS) || version.OS() == "macOS" {
 		key = "net.inet.ip.forwarding"
 	} else {
 		return
@@ -128,16 +107,16 @@ func checkIPForwarding() {

 	bs, err := exec.Command("sysctl", "-n", key).Output()
 	if err != nil {
-		warning("couldn't check %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
+		warnf("couldn't check %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
 		return
 	}
 	on, err := strconv.ParseBool(string(bytes.TrimSpace(bs)))
 	if err != nil {
-		warning("couldn't parse %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
+		warnf("couldn't parse %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
 		return
 	}
 	if !on {
-		warning("%s is disabled. Subnet routes won't work.", key)
+		warnf("%s is disabled. Subnet routes won't work.", key)
 	}
 }

@@ -146,17 +125,33 @@ func runUp(ctx context.Context, args []string) error {
 		log.Fatalf("too many non-flag arguments: %q", args)
 	}

-	var routes []wgcfg.CIDR
+	if distro.Get() == distro.Synology {
+		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
+		if upArgs.advertiseRoutes != "" {
+			return errors.New("--advertise-routes is " + notSupported)
+		}
+		if upArgs.acceptRoutes {
+			return errors.New("--accept-routes is " + notSupported)
+		}
+		if upArgs.netfilterMode != "off" {
+			return errors.New("--netfilter-mode values besides \"off\" " + notSupported)
+		}
+	}
+
+	var routes []netaddr.IPPrefix
 	if upArgs.advertiseRoutes != "" {
-		checkIPForwarding()
 		advroutes := strings.Split(upArgs.advertiseRoutes, ",")
 		for _, s := range advroutes {
-			cidr, ok := parseIPOrCIDR(s)
-			if !ok {
-				log.Fatalf("%q is not a valid IP address or CIDR prefix", s)
+			ipp, err := netaddr.ParseIPPrefix(s)
+			if err != nil {
+				fatalf("%q is not a valid IP address or CIDR prefix", s)
 			}
-			routes = append(routes, cidr)
+			if ipp != ipp.Masked() {
+				fatalf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
+			}
+			routes = append(routes, ipp)
 		}
+		checkIPForwarding()
 	}

 	var tags []string
@@ -165,17 +160,16 @@ func runUp(ctx context.Context, args []string) error {
 		for _, tag := range tags {
 			err := tailcfg.CheckTag(tag)
 			if err != nil {
-				log.Fatalf("tag: %q: %s", tag, err)
+				fatalf("tag: %q: %s", tag, err)
 			}
 		}
 	}

 	if len(upArgs.hostname) > 256 {
-		log.Fatalf("hostname too long: %d bytes (max 256)", len(upArgs.hostname))
+		fatalf("hostname too long: %d bytes (max 256)", len(upArgs.hostname))
 	}

 	// TODO(apenwarr): fix different semantics between prefs and uflags
-	// TODO(apenwarr): allow setting/using CorpDNS
 	prefs := ipn.NewPrefs()
 	prefs.ControlURL = upArgs.server
 	prefs.WantRunning = true
@@ -186,20 +180,21 @@ func runUp(ctx context.Context, args []string) error {
 	prefs.AdvertiseRoutes = routes
 	prefs.AdvertiseTags = tags
 	prefs.NoSNAT = !upArgs.snat
-	prefs.DisableDERP = !upArgs.enableDERP
 	prefs.Hostname = upArgs.hostname
+	prefs.ForceDaemon = (runtime.GOOS == "windows")
+
 	if runtime.GOOS == "linux" {
 		switch upArgs.netfilterMode {
 		case "on":
 			prefs.NetfilterMode = router.NetfilterOn
 		case "nodivert":
 			prefs.NetfilterMode = router.NetfilterNoDivert
-			warning("netfilter=nodivert; add iptables calls to ts-* chains manually.")
+			warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 		case "off":
 			prefs.NetfilterMode = router.NetfilterOff
-			warning("netfilter=off; configure iptables yourself.")
+			warnf("netfilter=off; configure iptables yourself.")
 		default:
-			log.Fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
+			fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
 		}
 	}

@@ -207,20 +202,23 @@ func runUp(ctx context.Context, args []string) error {
 	defer cancel()

 	var printed bool
+	var loginOnce sync.Once
+	startLoginInteractive := func() { loginOnce.Do(func() { bc.StartLoginInteractive() }) }

 	bc.SetPrefs(prefs)
+
 	opts := ipn.Options{
-		StateKey: globalStateKey,
+		StateKey: ipn.GlobalDaemonStateKey,
 		AuthKey:  upArgs.authKey,
 		Notify: func(n ipn.Notify) {
 			if n.ErrMessage != nil {
-				log.Fatalf("backend error: %v\n", *n.ErrMessage)
+				fatalf("backend error: %v\n", *n.ErrMessage)
 			}
 			if s := n.State; s != nil {
 				switch *s {
 				case ipn.NeedsLogin:
 					printed = true
-					bc.StartLoginInteractive()
+					startLoginInteractive()
 				case ipn.NeedsMachineAuth:
 					printed = true
 					fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", upArgs.server)
@@ -238,6 +236,22 @@ func runUp(ctx context.Context, args []string) error {
 			}
 		},
 	}
+
+	// On Windows, we still run in mostly the "legacy" way that
+	// predated the server's StateStore. That is, we send an empty
+	// StateKey and send the prefs directly. Although the Windows
+	// supports server mode, though, the transition to StateStore
+	// is only half complete. Only server mode uses it, and the
+	// Windows service (~tailscaled) is the one that computes the
+	// StateKey based on the connection idenity. So for now, just
+	// do as the Windows GUI's always done:
+	if runtime.GOOS == "windows" {
+		// The Windows service will set this as needed based
+		// on our connection's identity.
+		opts.StateKey = ""
+		opts.Prefs = prefs
+	}
+
 	// We still have to Start right now because it's the only way to
 	// set up notifications and whatnot. This causes a bunch of churn
 	// every time the CLI touches anything.
@@ -246,6 +260,10 @@ func runUp(ctx context.Context, args []string) error {
 	// ephemeral frontends that read/modify/write state, once
 	// Windows/Mac state is moved into backend.
 	bc.Start(opts)
+	if upArgs.forceReauth {
+		printed = true
+		startLoginInteractive()
+	}
 	pump(ctx, bc, c)

 	return nil
--- a/cmd/tailscale/cli/version.go
+++ b/cmd/tailscale/cli/version.go
@@ -36,10 +36,11 @@ func runVersion(ctx context.Context, args []string) error {
 		log.Fatalf("too many non-flag arguments: %q", args)
 	}
 	if !versionArgs.daemon {
-		fmt.Println(version.LONG)
+		fmt.Println(version.String())
 		return nil
 	}
-	fmt.Printf("Client: %s\n", version.LONG)
+
+	fmt.Printf("Client: %s\n", version.String())

 	c, bc, ctx, cancel := connect(ctx)
 	defer cancel()
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -0,0 +1,213 @@
+tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
+
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/apenwarr/fixconsole                               from tailscale.com/cmd/tailscale
+   W 💣 github.com/apenwarr/w32                                      from github.com/apenwarr/fixconsole
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+  LW    github.com/go-multierror/multierror                          from tailscale.com/wgengine/router
+   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
+   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
+   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/wgengine/router/dns
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
+        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
+        github.com/peterbourgon/ff/v2/ffcli                          from tailscale.com/cmd/tailscale/cli
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
+        github.com/tailscale/wireguard-go/device/tokenbucket         from github.com/tailscale/wireguard-go/device
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
+        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/device+
+        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
+        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
+     💣 go4.org/intern                                               from inet.af/netaddr
+     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
+        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
+        rsc.io/goversion/version                                     from tailscale.com/version
+        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
+        tailscale.com/control/controlclient                          from tailscale.com/ipn+
+        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
+        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscale/cli
+        tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/internal/deepprint                             from tailscale.com/ipn+
+        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/ipn/policy                                     from tailscale.com/ipn
+        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
+        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
+        tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
+        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
+        tailscale.com/net/packet                                     from tailscale.com/wgengine+
+        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
+        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
+        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli
+        tailscale.com/portlist                                       from tailscale.com/ipn
+        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli
+     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
+   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
+        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
+        tailscale.com/types/key                                      from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
+        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
+        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
+        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
+        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
+  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
+        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
+        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
+        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/wgengine                                       from tailscale.com/ipn
+        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine
+     💣 tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
+        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
+        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
+   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+        golang.org/x/net/context/ctxhttp                             from golang.org/x/oauth2/internal
+        golang.org/x/net/dns/dnsmessage                              from net+
+        golang.org/x/net/http/httpguts                               from net/http
+        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
+        golang.org/x/net/proxy                                       from tailscale.com/net/netns
+   D    golang.org/x/net/route                                       from net
+        golang.org/x/oauth2                                          from tailscale.com/control/controlclient+
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2
+        golang.org/x/sync/errgroup                                   from tailscale.com/derp
+        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from github.com/apenwarr/fixconsole+
+   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        golang.org/x/time/rate                                       from tailscale.com/types/logger+
+        bufio                                                        from compress/flate+
+        bytes                                                        from bufio+
+        compress/flate                                               from compress/gzip+
+        compress/gzip                                                from net/http+
+        compress/zlib                                                from debug/elf+
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdsa+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
+        crypto/x509                                                  from crypto/tls+
+        crypto/x509/pkix                                             from crypto/x509+
+        debug/dwarf                                                  from debug/elf+
+        debug/elf                                                    from rsc.io/goversion/version
+        debug/macho                                                  from rsc.io/goversion/version
+        debug/pe                                                     from rsc.io/goversion/version
+        encoding                                                     from encoding/json+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        errors                                                       from bufio+
+        expvar                                                       from tailscale.com/derp+
+        flag                                                         from github.com/peterbourgon/ff/v2+
+        fmt                                                          from compress/flate+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib
+        hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from tailscale.com/wgengine/magicsock
+        hash/maphash                                                 from go4.org/mem
+        html                                                         from tailscale.com/ipn/ipnstate
+        io                                                           from bufio+
+        io/ioutil                                                    from crypto/tls+
+        log                                                          from expvar+
+        math                                                         from compress/flate+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from github.com/mdlayher/netlink+
+        mime                                                         from golang.org/x/oauth2/internal+
+        mime/multipart                                               from net/http
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
+        net/http/internal                                            from net/http
+        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/exec                                                      from github.com/coreos/go-iptables/iptables+
+        os/signal                                                    from tailscale.com/cmd/tailscale/cli
+   L    os/user                                                      from github.com/godbus/dbus/v5
+        path                                                         from debug/dwarf+
+        path/filepath                                                from crypto/x509+
+        reflect                                                      from crypto/x509+
+        regexp                                                       from github.com/coreos/go-iptables/iptables+
+        regexp/syntax                                                from regexp
+        runtime/debug                                                from golang.org/x/sync/singleflight
+        runtime/pprof                                                from tailscale.com/log/logheap+
+        sort                                                         from compress/flate+
+        strconv                                                      from compress/flate+
+        strings                                                      from bufio+
+        sync                                                         from compress/flate+
+        sync/atomic                                                  from context+
+        syscall                                                      from crypto/rand+
+        text/tabwriter                                               from github.com/peterbourgon/ff/v2/ffcli+
+        time                                                         from compress/gzip+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from encoding/asn1+
+        unicode/utf8                                                 from bufio+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -0,0 +1,261 @@
+tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)
+
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/apenwarr/fixconsole                               from tailscale.com/cmd/tailscaled
+   W 💣 github.com/apenwarr/w32                                      from github.com/apenwarr/fixconsole
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+  LW    github.com/go-multierror/multierror                          from tailscale.com/wgengine/router
+   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
+   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
+   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/wgengine/router/dns
+        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
+        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
+        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/snappy                         from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
+        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
+        github.com/tailscale/wireguard-go/device/tokenbucket         from github.com/tailscale/wireguard-go/device
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
+        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/device+
+        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
+     💣 go4.org/intern                                               from inet.af/netaddr
+     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
+        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire
+        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
+        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
+     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
+     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/tcpip+
+        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
+     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
+     💣 gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/link/channel+
+        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/link/channel                     from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/network/fragmentation            from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
+        gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
+        gvisor.dev/gvisor/pkg/tcpip/network/ip                       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
+        gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/transport/packet                 from gvisor.dev/gvisor/pkg/tcpip/transport/raw
+        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+     💣 gvisor.dev/gvisor/pkg/tcpip/transport/tcp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/tcpip+
+        inet.af/netaddr                                              from tailscale.com/control/controlclient+
+        rsc.io/goversion/version                                     from tailscale.com/version
+        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+        tailscale.com/control/controlclient                          from tailscale.com/ipn+
+        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
+        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
+        tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/internal/deepprint                             from tailscale.com/ipn+
+        tailscale.com/ipn                                            from tailscale.com/ipn/ipnserver
+        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/ipn+
+        tailscale.com/ipn/policy                                     from tailscale.com/ipn
+        tailscale.com/log/filelogger                                 from tailscale.com/ipn/ipnserver
+        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
+        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled
+        tailscale.com/logtail                                        from tailscale.com/logpolicy
+        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
+        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
+        tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
+        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/ipn+
+        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
+        tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
+     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
+        tailscale.com/net/packet                                     from tailscale.com/wgengine+
+        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
+        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
+        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscaled+
+        tailscale.com/portlist                                       from tailscale.com/ipn
+        tailscale.com/safesocket                                     from tailscale.com/ipn/ipnserver
+        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
+     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
+   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
+        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
+        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
+        tailscale.com/types/key                                      from tailscale.com/derp+
+        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscaled+
+        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
+        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
+        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
+        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
+        tailscale.com/util/dnsname                                   from tailscale.com/control/controlclient+
+  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
+        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
+        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
+        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
+        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
+        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
+        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/wgengine/monitor                               from tailscale.com/wgengine
+        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
+        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
+        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
+        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine+
+   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+        golang.org/x/net/context/ctxhttp                             from golang.org/x/oauth2/internal
+        golang.org/x/net/dns/dnsmessage                              from net+
+        golang.org/x/net/http/httpguts                               from net/http
+        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
+        golang.org/x/net/proxy                                       from tailscale.com/net/netns
+   D    golang.org/x/net/route                                       from net
+        golang.org/x/oauth2                                          from tailscale.com/control/controlclient+
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2
+        golang.org/x/sync/errgroup                                   from tailscale.com/derp
+        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from github.com/apenwarr/fixconsole+
+   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        golang.org/x/term                                            from tailscale.com/logpolicy
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        golang.org/x/time/rate                                       from tailscale.com/types/logger+
+        bufio                                                        from compress/flate+
+        bytes                                                        from bufio+
+        compress/flate                                               from compress/gzip+
+        compress/gzip                                                from internal/profile+
+        compress/zlib                                                from debug/elf+
+        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdsa+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
+        crypto/x509                                                  from crypto/tls+
+        crypto/x509/pkix                                             from crypto/x509+
+        debug/dwarf                                                  from debug/elf+
+        debug/elf                                                    from rsc.io/goversion/version
+        debug/macho                                                  from rsc.io/goversion/version
+        debug/pe                                                     from rsc.io/goversion/version
+        encoding                                                     from encoding/json+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        errors                                                       from bufio+
+        expvar                                                       from tailscale.com/derp+
+        flag                                                         from tailscale.com/cmd/tailscaled+
+        fmt                                                          from compress/flate+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib
+        hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from tailscale.com/wgengine/magicsock
+        hash/maphash                                                 from go4.org/mem
+        html                                                         from html/template+
+        html/template                                                from net/http/pprof
+        io                                                           from bufio+
+        io/ioutil                                                    from crypto/tls+
+        log                                                          from expvar+
+        math                                                         from compress/flate+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from github.com/mdlayher/netlink+
+        mime                                                         from golang.org/x/oauth2/internal+
+        mime/multipart                                               from net/http
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
+        net/http/internal                                            from net/http
+        net/http/pprof                                               from tailscale.com/cmd/tailscaled
+        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/exec                                                      from github.com/coreos/go-iptables/iptables+
+        os/signal                                                    from tailscale.com/cmd/tailscaled+
+        os/user                                                      from github.com/godbus/dbus/v5+
+        path                                                         from debug/dwarf+
+        path/filepath                                                from crypto/x509+
+        reflect                                                      from crypto/x509+
+        regexp                                                       from github.com/coreos/go-iptables/iptables+
+        regexp/syntax                                                from regexp
+        runtime/debug                                                from github.com/klauspost/compress/zstd+
+        runtime/pprof                                                from net/http/pprof+
+        runtime/trace                                                from net/http/pprof
+        sort                                                         from compress/flate+
+        strconv                                                      from compress/flate+
+        strings                                                      from bufio+
+        sync                                                         from compress/flate+
+        sync/atomic                                                  from context+
+        syscall                                                      from crypto/rand+
+        text/tabwriter                                               from runtime/pprof
+        text/template                                                from html/template
+        text/template/parse                                          from html/template+
+        time                                                         from compress/gzip+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from encoding/asn1+
+        unicode/utf8                                                 from bufio+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -11,6 +11,8 @@ package main // import "tailscale.com/cmd/tailscaled"

 import (
 	"context"
+	"flag"
+	"fmt"
 	"log"
 	"net/http"
 	"net/http/pprof"
@@ -18,17 +20,20 @@ import (
 	"os/signal"
 	"runtime"
 	"runtime/debug"
+	"strconv"
 	"syscall"
 	"time"

 	"github.com/apenwarr/fixconsole"
-	"github.com/pborman/getopt/v2"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
 	"tailscale.com/paths"
+	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
+	"tailscale.com/version"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/magicsock"
+	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
 )

@@ -60,6 +65,7 @@ var args struct {
 	port       uint16
 	statepath  string
 	socketpath string
+	verbose    int
 }

 func main() {
@@ -71,28 +77,30 @@ func main() {
 		debug.SetGCPercent(10)
 	}

-	// Set default values for getopt.
-	args.tunname = defaultTunName()
-	args.port = magicsock.DefaultPort
-	args.statepath = paths.DefaultTailscaledStateFile()
-	args.socketpath = paths.DefaultTailscaledSocket()
-
-	getopt.FlagLong(&args.cleanup, "cleanup", 0, "clean up system state and exit")
-	getopt.FlagLong(&args.fake, "fake", 0, "fake tunnel+routing instead of tuntap")
-	getopt.FlagLong(&args.debug, "debug", 0, "address of debug server")
-	getopt.FlagLong(&args.tunname, "tun", 0, "tunnel interface name")
-	getopt.FlagLong(&args.port, "port", 'p', "WireGuard port (0=autoselect)")
-	getopt.FlagLong(&args.statepath, "state", 0, "path of state file")
-	getopt.FlagLong(&args.socketpath, "socket", 's', "path of the service unix socket")
+	printVersion := false
+	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
+	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
+	flag.BoolVar(&args.fake, "fake", false, "use userspace fake tunnel+routing instead of kernel TUN interface")
+	flag.StringVar(&args.debug, "debug", "", "listen address ([ip]:port) of optional debug server")
+	flag.StringVar(&args.tunname, "tun", defaultTunName(), "tunnel interface name")
+	flag.Var(flagtype.PortValue(&args.port, magicsock.DefaultPort), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "path of state file")
+	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
+	flag.BoolVar(&printVersion, "version", false, "print version information and exit")

 	err := fixconsole.FixConsoleIfNeeded()
 	if err != nil {
 		log.Fatalf("fixConsoleOutput: %v", err)
 	}

-	getopt.Parse()
-	if len(getopt.Args()) > 0 {
-		log.Fatalf("too many non-flag arguments: %#v", getopt.Args()[0])
+	flag.Parse()
+	if flag.NArg() > 0 {
+		log.Fatalf("tailscaled does not take non-flag arguments: %q", flag.Args())
+	}
+
+	if printVersion {
+		fmt.Println(version.String())
+		os.Exit(0)
 	}

 	if args.statepath == "" {
@@ -113,6 +121,7 @@ func run() error {
 	var err error

 	pol := logpolicy.New("tailnode.log.tailscale.io")
+	pol.SetVerbosityLevel(args.verbose)
 	defer func() {
 		// Finish uploading logs after closing everything else.
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
@@ -120,7 +129,10 @@ func run() error {
 		pol.Shutdown(ctx)
 	}()

-	logf := wgengine.RusagePrefixLog(log.Printf)
+	var logf logger.Logf = log.Printf
+	if v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_MEMORY")); v {
+		logf = logger.RusagePrefixLog(logf)
+	}
 	logf = logger.RateLimitedFn(logf, 5*time.Second, 5, 100)

 	if args.cleanup {
@@ -136,7 +148,11 @@ func run() error {

 	var e wgengine.Engine
 	if args.fake {
-		e, err = wgengine.NewFakeUserspaceEngine(logf, 0)
+		var impl wgengine.FakeImplFunc
+		if args.tunname == "userspace-networking" {
+			impl = netstack.Impl
+		}
+		e, err = wgengine.NewFakeUserspaceEngine(logf, 0, impl)
 	} else {
 		e, err = wgengine.NewUserspaceEngine(logf, args.tunname, args.port)
 	}
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -6,6 +6,7 @@ After=network-pre.target

 [Service]
 EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
 ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
 ExecStopPost=/usr/sbin/tailscaled --cleanup

@@ -17,6 +18,24 @@ StateDirectory=tailscale
 StateDirectoryMode=0750
 CacheDirectory=tailscale
 CacheDirectoryMode=0750
+Type=notify
+
+DeviceAllow=/dev/net/tun
+DeviceAllow=/dev/null
+DeviceAllow=/dev/random
+DeviceAllow=/dev/urandom
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/etc/
+RestrictSUIDSGID=true
+SystemCallArchitectures=native

 [Install]
 WantedBy=multi-user.target
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -17,13 +17,13 @@ import (
 	"sync"
 	"time"

-	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/oauth2"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/structs"
+	"tailscale.com/types/wgkey"
 )

 // State is the high-level state of the client. It is used only in
@@ -117,13 +117,16 @@ type Client struct {
 	mu         sync.Mutex   // mutex guards the following fields
 	statusFunc func(Status) // called to update Client status

-	loggedIn     bool       // true if currently logged in
-	loginGoal    *LoginGoal // non-nil if some login activity is desired
-	synced       bool       // true if our netmap is up-to-date
-	hostinfo     *tailcfg.Hostinfo
-	inPollNetMap bool // true if currently running a PollNetMap
-	inSendStatus int  // number of sendStatus calls currently in progress
-	state        State
+	paused          bool // whether we should stop making HTTP requests
+	unpauseWaiters  []chan struct{}
+	loggedIn        bool       // true if currently logged in
+	loginGoal       *LoginGoal // non-nil if some login activity is desired
+	synced          bool       // true if our netmap is up-to-date
+	hostinfo        *tailcfg.Hostinfo
+	inPollNetMap    bool // true if currently running a PollNetMap
+	inLiteMapUpdate bool // true if a lite (non-streaming) map request is outstanding
+	inSendStatus    int  // number of sendStatus calls currently in progress
+	state           State

 	authCtx    context.Context // context used for auth requests
 	mapCtx     context.Context // context used for netmap requests
@@ -169,6 +172,28 @@ func NewNoStart(opts Options) (*Client, error) {
 	return c, nil
 }

+// SetPaused controls whether HTTP activity should be paused.
+//
+// The client can be paused and unpaused repeatedly, unlike Start and Shutdown, which can only be used once.
+func (c *Client) SetPaused(paused bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if paused == c.paused {
+		return
+	}
+	c.paused = paused
+	if paused {
+		// Only cancel the map routine. (The auth routine isn't expensive
+		// so it's fine to keep it running.)
+		c.cancelMapLocked()
+	} else {
+		for _, ch := range c.unpauseWaiters {
+			close(ch)
+		}
+		c.unpauseWaiters = nil
+	}
+}
+
 // Start starts the client's goroutines.
 //
 // It should only be called for clients created by NewNoStart.
@@ -177,6 +202,50 @@ func (c *Client) Start() {
 	go c.mapRoutine()
 }

+// sendNewMapRequest either sends a new OmitPeers, non-streaming map request
+// (to just send Hostinfo/Netinfo/Endpoints info, while keeping an existing
+// streaming response open), or start a new streaming one if necessary.
+//
+// It should be called whenever there's something new to tell the server.
+func (c *Client) sendNewMapRequest() {
+	c.mu.Lock()
+
+	// If we're not already streaming a netmap, or if we're already stuck
+	// in a lite update, then tear down everything and start a new stream
+	// (which starts by sending a new map request)
+	if !c.inPollNetMap || c.inLiteMapUpdate {
+		c.mu.Unlock()
+		c.cancelMapSafely()
+		return
+	}
+
+	// Otherwise, send a lite update that doesn't keep a
+	// long-running stream response.
+	defer c.mu.Unlock()
+	c.inLiteMapUpdate = true
+	ctx, cancel := context.WithTimeout(c.mapCtx, 10*time.Second)
+	go func() {
+		defer cancel()
+		t0 := time.Now()
+		err := c.direct.SendLiteMapUpdate(ctx)
+		d := time.Since(t0).Round(time.Millisecond)
+		c.mu.Lock()
+		c.inLiteMapUpdate = false
+		c.mu.Unlock()
+		if err == nil {
+			c.logf("[v1] successful lite map update in %v", d)
+			return
+		}
+		if ctx.Err() == nil {
+			c.logf("lite map update after %v: %v", d, err)
+		}
+		// Fall back to restarting the long-polling map
+		// request (the old heavy way) if the lite update
+		// failed for any reason.
+		c.cancelMapSafely()
+	}()
+}
+
 func (c *Client) cancelAuth() {
 	c.mu.Lock()
 	if c.authCancel != nil {
@@ -207,7 +276,7 @@ func (c *Client) cancelMapSafely() {
 	c.mu.Lock()
 	defer c.mu.Unlock()

-	c.logf("cancelMapSafely: synced=%v", c.synced)
+	c.logf("[v1] cancelMapSafely: synced=%v", c.synced)

 	if c.inPollNetMap {
 		// received at least one netmap since the last
@@ -229,88 +298,57 @@ func (c *Client) cancelMapSafely() {
 		// request.
 		select {
 		case c.newMapCh <- struct{}{}:
-			c.logf("cancelMapSafely: wrote to channel")
+			c.logf("[v1] cancelMapSafely: wrote to channel")
 		default:
 			// if channel write failed, then there was already
 			// an outstanding newMapCh request. One is enough,
 			// since it'll always use the latest endpoints.
-			c.logf("cancelMapSafely: channel was full")
+			c.logf("[v1] cancelMapSafely: channel was full")
 		}
 	}
 }

 func (c *Client) authRoutine() {
 	defer close(c.authDone)
-	bo := backoff.NewBackoff("authRoutine", c.logf)
+	bo := backoff.NewBackoff("authRoutine", c.logf, 30*time.Second)

 	for {
 		c.mu.Lock()
-		c.logf("authRoutine: %s", c.state)
-		expiry := c.expiry
 		goal := c.loginGoal
 		ctx := c.authCtx
-		synced := c.synced
+		if goal != nil {
+			c.logf("authRoutine: %s; wantLoggedIn=%v", c.state, goal.wantLoggedIn)
+		} else {
+			c.logf("authRoutine: %s; goal=nil", c.state)
+		}
 		c.mu.Unlock()

 		select {
 		case <-c.quit:
-			c.logf("authRoutine: quit")
+			c.logf("[v1] authRoutine: quit")
 			return
 		default:
 		}

 		report := func(err error, msg string) {
-			c.logf("%s: %v", msg, err)
+			c.logf("[v1] %s: %v", msg, err)
 			err = fmt.Errorf("%s: %v", msg, err)
 			// don't send status updates for context errors,
 			// since context cancelation is always on purpose.
 			if ctx.Err() == nil {
-				c.sendStatus("authRoutine1", err, "", nil)
+				c.sendStatus("authRoutine-report", err, "", nil)
 			}
 		}

 		if goal == nil {
-			// Wait for something interesting to happen
-			var exp <-chan time.Time
-			if expiry != nil && !expiry.IsZero() {
-				// if expiry is in the future, don't delay
-				// past that time.
-				// If it's in the past, then it's already
-				// being handled by someone, so no need to
-				// wake ourselves up again.
-				now := c.timeNow()
-				if expiry.Before(now) {
-					delay := expiry.Sub(now)
-					if delay > 5*time.Second {
-						delay = time.Second
-					}
-					exp = time.After(delay)
-				}
-			}
-			select {
-			case <-ctx.Done():
-				c.logf("authRoutine: context done.")
-			case <-exp:
-				// Unfortunately the key expiry isn't provided
-				// by the control server until mapRequest.
-				// So we have to do some hackery with c.expiry
-				// in here.
-				// TODO(apenwarr): add a key expiry field in RegisterResponse.
-				c.logf("authRoutine: key expiration check.")
-				if synced && expiry != nil && !expiry.IsZero() && expiry.Before(c.timeNow()) {
-					c.logf("Key expired; setting loggedIn=false.")
+			// Wait for user to Login or Logout.
+			<-ctx.Done()
+			c.logf("[v1] authRoutine: context done.")
+			continue
+		}

-					c.mu.Lock()
-					c.loginGoal = &LoginGoal{
-						wantLoggedIn: c.loggedIn,
-					}
-					c.loggedIn = false
-					c.expiry = nil
-					c.mu.Unlock()
-				}
-			}
-		} else if !goal.wantLoggedIn {
-			err := c.direct.TryLogout(c.authCtx)
+		if !goal.wantLoggedIn {
+			err := c.direct.TryLogout(ctx)
 			if err != nil {
 				report(err, "TryLogout")
 				bo.BackOff(ctx, err)
@@ -325,7 +363,7 @@ func (c *Client) authRoutine() {
 			c.synced = false
 			c.mu.Unlock()

-			c.sendStatus("authRoutine2", nil, "", nil)
+			c.sendStatus("authRoutine-wantout", nil, "", nil)
 			bo.BackOff(ctx, nil)
 		} else { // ie. goal.wantLoggedIn
 			c.mu.Lock()
@@ -366,7 +404,7 @@ func (c *Client) authRoutine() {
 				c.synced = false
 				c.mu.Unlock()

-				c.sendStatus("authRoutine3", err, url, nil)
+				c.sendStatus("authRoutine-url", err, url, nil)
 				bo.BackOff(ctx, err)
 				continue
 			}
@@ -378,7 +416,7 @@ func (c *Client) authRoutine() {
 			c.state = StateAuthenticated
 			c.mu.Unlock()

-			c.sendStatus("authRoutine4", nil, "", nil)
+			c.sendStatus("authRoutine-success", nil, "", nil)
 			c.cancelMapSafely()
 			bo.BackOff(ctx, nil)
 		}
@@ -399,12 +437,35 @@ func (c *Client) Direct() *Direct {
 	return c.direct
 }

+// unpausedChanLocked returns a new channel that is closed when the
+// current Client pause is unpaused.
+//
+// c.mu must be held
+func (c *Client) unpausedChanLocked() <-chan struct{} {
+	unpaused := make(chan struct{})
+	c.unpauseWaiters = append(c.unpauseWaiters, unpaused)
+	return unpaused
+}
+
 func (c *Client) mapRoutine() {
 	defer close(c.mapDone)
-	bo := backoff.NewBackoff("mapRoutine", c.logf)
+	bo := backoff.NewBackoff("mapRoutine", c.logf, 30*time.Second)

 	for {
 		c.mu.Lock()
+		if c.paused {
+			unpaused := c.unpausedChanLocked()
+			c.mu.Unlock()
+			c.logf("mapRoutine: awaiting unpause")
+			select {
+			case <-unpaused:
+				c.logf("mapRoutine: unpaused")
+			case <-c.quit:
+				c.logf("mapRoutine: quit")
+				return
+			}
+			continue
+		}
 		c.logf("mapRoutine: %s", c.state)
 		loggedIn := c.loggedIn
 		ctx := c.mapCtx
@@ -418,7 +479,7 @@ func (c *Client) mapRoutine() {
 		}

 		report := func(err error, msg string) {
-			c.logf("%s: %v", msg, err)
+			c.logf("[v1] %s: %v", msg, err)
 			err = fmt.Errorf("%s: %v", msg, err)
 			// don't send status updates for context errors,
 			// since context cancelation is always on purpose.
@@ -453,7 +514,7 @@ func (c *Client) mapRoutine() {

 				select {
 				case <-c.newMapCh:
-					c.logf("mapRoutine: new map request during PollNetMap. canceling.")
+					c.logf("[v1] mapRoutine: new map request during PollNetMap. canceling.")
 					c.cancelMapLocked()

 					// Don't emit this netmap; we're
@@ -475,9 +536,9 @@ func (c *Client) mapRoutine() {

 				c.mu.Unlock()

-				c.logf("mapRoutine: netmap received: %s", state)
+				c.logf("[v1] mapRoutine: netmap received: %s", state)
 				if stillAuthed {
-					c.sendStatus("mapRoutine2", nil, "", nm)
+					c.sendStatus("mapRoutine-got-netmap", nil, "", nm)
 				}
 			})

@@ -487,8 +548,14 @@ func (c *Client) mapRoutine() {
 			if c.state == StateSynchronized {
 				c.state = StateAuthenticated
 			}
+			paused := c.paused
 			c.mu.Unlock()

+			if paused {
+				c.logf("mapRoutine: paused")
+				continue
+			}
+
 			if err != nil {
 				report(err, "PollNetMap")
 				bo.BackOff(ctx, err)
@@ -523,7 +590,7 @@ func (c *Client) SetHostinfo(hi *tailcfg.Hostinfo) {
 	c.logf("Hostinfo: %v", hi)

 	// Send new Hostinfo to server
-	c.cancelMapSafely()
+	c.sendNewMapRequest()
 }

 func (c *Client) SetNetInfo(ni *tailcfg.NetInfo) {
@@ -531,13 +598,12 @@ func (c *Client) SetNetInfo(ni *tailcfg.NetInfo) {
 		panic("nil NetInfo")
 	}
 	if !c.direct.SetNetInfo(ni) {
-		c.logf("[unexpected] duplicate NetInfo: %v", ni)
 		return
 	}
 	c.logf("NetInfo: %v", ni)

 	// Send new Hostinfo (which includes NetInfo) to server
-	c.cancelMapSafely()
+	c.sendNewMapRequest()
 }

 func (c *Client) sendStatus(who string, err error, url string, nm *NetworkMap) {
@@ -550,7 +616,7 @@ func (c *Client) sendStatus(who string, err error, url string, nm *NetworkMap) {
 	c.inSendStatus++
 	c.mu.Unlock()

-	c.logf("sendStatus: %s: %v", who, state)
+	c.logf("[v1] sendStatus: %s: %v", who, state)

 	var p *Persist
 	var fin *empty.Message
@@ -614,7 +680,7 @@ func (c *Client) Logout() {
 func (c *Client) UpdateEndpoints(localPort uint16, endpoints []string) {
 	changed := c.direct.SetEndpoints(localPort, endpoints)
 	if changed {
-		c.cancelMapSafely()
+		c.sendNewMapRequest()
 	}
 }

@@ -643,7 +709,7 @@ func (c *Client) Shutdown() {

 // NodePublicKey returns the node public key currently in use. This is
 // used exclusively in tests.
-func (c *Client) TestOnlyNodePublicKey() wgcfg.Key {
+func (c *Client) TestOnlyNodePublicKey() wgkey.Key {
 	priv := c.direct.GetPersist()
 	return priv.PrivateNodeKey.Public()
 }
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -42,6 +42,11 @@ func TestStatusEqual(t *testing.T) {
 			&Status{},
 			false,
 		},
+		{
+			nil,
+			nil,
+			true,
+		},
 		{
 			&Status{},
 			&Status{},
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -0,0 +1,158 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlclient
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"testing"
+
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/wgkey"
+)
+
+func TestUndeltaPeers(t *testing.T) {
+	n := func(id tailcfg.NodeID, name string) *tailcfg.Node {
+		return &tailcfg.Node{ID: id, Name: name}
+	}
+	peers := func(nv ...*tailcfg.Node) []*tailcfg.Node { return nv }
+	tests := []struct {
+		name   string
+		mapRes *tailcfg.MapResponse
+		prev   []*tailcfg.Node
+		want   []*tailcfg.Node
+	}{
+		{
+			name: "full_peers",
+			mapRes: &tailcfg.MapResponse{
+				Peers: peers(n(1, "foo"), n(2, "bar")),
+			},
+			want: peers(n(1, "foo"), n(2, "bar")),
+		},
+		{
+			name: "full_peers_ignores_deltas",
+			mapRes: &tailcfg.MapResponse{
+				Peers:        peers(n(1, "foo"), n(2, "bar")),
+				PeersRemoved: []tailcfg.NodeID{2},
+			},
+			want: peers(n(1, "foo"), n(2, "bar")),
+		},
+		{
+			name: "add_and_update",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersChanged: peers(n(0, "zero"), n(2, "bar2"), n(3, "three")),
+			},
+			want: peers(n(0, "zero"), n(1, "foo"), n(2, "bar2"), n(3, "three")),
+		},
+		{
+			name: "remove",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersRemoved: []tailcfg.NodeID{1},
+			},
+			want: peers(n(2, "bar")),
+		},
+		{
+			name: "add_and_remove",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersChanged: peers(n(1, "foo2")),
+				PeersRemoved: []tailcfg.NodeID{2},
+			},
+			want: peers(n(1, "foo2")),
+		},
+		{
+			name:   "unchanged",
+			prev:   peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{},
+			want:   peers(n(1, "foo"), n(2, "bar")),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			undeltaPeers(tt.mapRes, tt.prev)
+			if !reflect.DeepEqual(tt.mapRes.Peers, tt.want) {
+				t.Errorf("wrong results\n got: %s\nwant: %s", formatNodes(tt.mapRes.Peers), formatNodes(tt.want))
+			}
+		})
+	}
+}
+
+func formatNodes(nodes []*tailcfg.Node) string {
+	var sb strings.Builder
+	for i, n := range nodes {
+		if i > 0 {
+			sb.WriteString(", ")
+		}
+		fmt.Fprintf(&sb, "(%d, %q)", n.ID, n.Name)
+	}
+	return sb.String()
+}
+
+func TestNewDirect(t *testing.T) {
+	hi := NewHostinfo()
+	ni := tailcfg.NetInfo{LinkType: "wired"}
+	hi.NetInfo = &ni
+
+	key, err := wgkey.NewPrivate()
+	if err != nil {
+		t.Error(err)
+	}
+	opts := Options{ServerURL: "https://example.com", MachinePrivateKey: key, Hostinfo: hi}
+	c, err := NewDirect(opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if c.serverURL != opts.ServerURL {
+		t.Errorf("c.serverURL got %v want %v", c.serverURL, opts.ServerURL)
+	}
+
+	if !hi.Equal(c.hostinfo) {
+		t.Errorf("c.hostinfo got %v want %v", c.hostinfo, hi)
+	}
+
+	changed := c.SetNetInfo(&ni)
+	if changed {
+		t.Errorf("c.SetNetInfo(ni) want false got %v", changed)
+	}
+	ni = tailcfg.NetInfo{LinkType: "wifi"}
+	changed = c.SetNetInfo(&ni)
+	if !changed {
+		t.Errorf("c.SetNetInfo(ni) want true got %v", changed)
+	}
+
+	changed = c.SetHostinfo(hi)
+	if changed {
+		t.Errorf("c.SetHostinfo(hi) want false got %v", changed)
+	}
+	hi = NewHostinfo()
+	hi.Hostname = "different host name"
+	changed = c.SetHostinfo(hi)
+	if !changed {
+		t.Errorf("c.SetHostinfo(hi) want true got %v", changed)
+	}
+
+	endpoints := []string{"1", "2", "3"}
+	changed = c.newEndpoints(12, endpoints)
+	if !changed {
+		t.Errorf("c.newEndpoints(12) want true got %v", changed)
+	}
+	changed = c.newEndpoints(12, endpoints)
+	if changed {
+		t.Errorf("c.newEndpoints(12) want false got %v", changed)
+	}
+	changed = c.newEndpoints(13, endpoints)
+	if !changed {
+		t.Errorf("c.newEndpoints(13) want true got %v", changed)
+	}
+	endpoints = []string{"4", "5", "6"}
+	changed = c.newEndpoints(13, endpoints)
+	if !changed {
+		t.Errorf("c.newEndpoints(13) want true got %v", changed)
+	}
+}
--- a/control/controlclient/filter.go
+++ b/control/controlclient/filter.go
@@ -5,80 +5,16 @@
 package controlclient

 import (
-	"fmt"
-	"net"
 	"tailscale.com/tailcfg"
 	"tailscale.com/wgengine/filter"
 )

-func parseIP(host string, defaultBits int) (filter.Net, error) {
-	ip := net.ParseIP(host)
-	if ip != nil && ip.IsUnspecified() {
-		// For clarity, reject 0.0.0.0 as an input
-		return filter.NetNone, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not 0.0.0.0:port", host)
-	} else if ip == nil && host == "*" {
-		// User explicitly requested wildcard dst ip
-		return filter.NetAny, nil
-	} else {
-		if ip != nil {
-			ip = ip.To4()
-		}
-		if ip == nil || len(ip) != 4 {
-			return filter.NetNone, fmt.Errorf("ports=%#v: invalid IPv4 address", host)
-		}
-		return filter.Net{
-			IP:   filter.NewIP(ip),
-			Mask: filter.Netmask(defaultBits),
-		}, nil
-	}
-}
-
-// Parse a backward-compatible FilterRule used by control's wire format,
-// producing the most current filter.Matches format.
-func (c *Direct) parsePacketFilter(pf []tailcfg.FilterRule) filter.Matches {
-	mm := make([]filter.Match, 0, len(pf))
-	var erracc error
-
-	for _, r := range pf {
-		m := filter.Match{}
-
-		for i, s := range r.SrcIPs {
-			bits := 32
-			if len(r.SrcBits) > i {
-				bits = r.SrcBits[i]
-			}
-			net, err := parseIP(s, bits)
-			if err != nil && erracc == nil {
-				erracc = err
-				continue
-			}
-			m.Srcs = append(m.Srcs, net)
-		}
-
-		for _, d := range r.DstPorts {
-			bits := 32
-			if d.Bits != nil {
-				bits = *d.Bits
-			}
-			net, err := parseIP(d.IP, bits)
-			if err != nil && erracc == nil {
-				erracc = err
-				continue
-			}
-			m.Dsts = append(m.Dsts, filter.NetPortRange{
-				Net: net,
-				Ports: filter.PortRange{
-					First: d.Ports.First,
-					Last:  d.Ports.Last,
-				},
-			})
-		}
-
-		mm = append(mm, m)
-	}
-
-	if erracc != nil {
-		c.logf("parsePacketFilter: %s\n", erracc)
+// Parse a backward-compatible FilterRule used by control's wire
+// format, producing the most current filter format.
+func (c *Direct) parsePacketFilter(pf []tailcfg.FilterRule) []filter.Match {
+	mm, err := filter.MatchesFromFilterRules(pf)
+	if err != nil {
+		c.logf("parsePacketFilter: %s\n", err)
 	}
 	return mm
 }
--- a/control/controlclient/hostinfo_linux.go
+++ b/control/controlclient/hostinfo_linux.go
@@ -16,6 +16,7 @@ import (

 	"go4.org/mem"
 	"tailscale.com/util/lineread"
+	"tailscale.com/version/distro"
 )

 func init() {
@@ -23,13 +24,22 @@ func init() {
 }

 func osVersionLinux() string {
+	dist := distro.Get()
+	propFile := "/etc/os-release"
+	switch dist {
+	case distro.Synology:
+		propFile = "/etc.defaults/VERSION"
+	case distro.OpenWrt:
+		propFile = "/etc/openwrt_release"
+	}
+
 	m := map[string]string{}
-	lineread.File("/etc/os-release", func(line []byte) error {
+	lineread.File(propFile, func(line []byte) error {
 		eq := bytes.IndexByte(line, '=')
 		if eq == -1 {
 			return nil
 		}
-		k, v := string(line[:eq]), strings.Trim(string(line[eq+1:]), `"`)
+		k, v := string(line[:eq]), strings.Trim(string(line[eq+1:]), `"'`)
 		m[k] = v
 		return nil
 	})
@@ -63,7 +73,7 @@ func osVersionLinux() string {
 			return fmt.Sprintf("%s%s", bytes.TrimSpace(cr), attr)
 		}
 		fallthrough
-	case "fedora", "rhel", "alpine":
+	case "fedora", "rhel", "alpine", "nixos":
 		// Their PRETTY_NAME is fine as-is for all versions I tested.
 		fallthrough
 	default:
@@ -71,6 +81,12 @@ func osVersionLinux() string {
 			return fmt.Sprintf("%s%s", v, attr)
 		}
 	}
+	switch dist {
+	case distro.Synology:
+		return fmt.Sprintf("Synology %s%s", m["productversion"], attr)
+	case distro.OpenWrt:
+		return fmt.Sprintf("OpenWrt %s%s", m["DISTRIB_RELEASE"], attr)
+	}
 	return fmt.Sprintf("Other%s", attr)
 }

--- a/control/controlclient/hostinfo_windows.go
+++ b/control/controlclient/hostinfo_windows.go
@@ -21,6 +21,10 @@ func osVersionWindows() string {
 	s := strings.TrimSpace(string(out))
 	s = strings.TrimPrefix(s, "Microsoft Windows [")
 	s = strings.TrimSuffix(s, "]")
-	s = strings.TrimPrefix(s, "Version ") // is this localized? do it last in case.
-	return s                              // "10.0.19041.388", ideally
+
+	// "Version 10.x.y.z", with "Version" localized. Keep only stuff after the space.
+	if sp := strings.Index(s, " "); sp != -1 {
+		s = s[sp+1:]
+	}
+	return s // "10.0.19041.388", ideally
 }
--- a/control/controlclient/netmap.go
+++ b/control/controlclient/netmap.go
@@ -7,7 +7,6 @@ package controlclient
 import (
 	"encoding/json"
 	"fmt"
-	"log"
 	"net"
 	"reflect"
 	"strconv"
@@ -15,8 +14,11 @@ import (
 	"time"

 	"github.com/tailscale/wireguard-go/wgcfg"
+	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/wgkey"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/filter"
 )

@@ -24,17 +26,24 @@ type NetworkMap struct {
 	// Core networking

 	NodeKey    tailcfg.NodeKey
-	PrivateKey wgcfg.PrivateKey
+	PrivateKey wgkey.Private
 	Expiry     time.Time
 	// Name is the DNS name assigned to this node.
 	Name          string
-	Addresses     []wgcfg.CIDR
+	Addresses     []netaddr.IPPrefix
 	LocalPort     uint16 // used for debugging
 	MachineStatus tailcfg.MachineStatus
+	MachineKey    tailcfg.MachineKey
 	Peers         []*tailcfg.Node // sorted by Node.ID
 	DNS           tailcfg.DNSConfig
 	Hostinfo      tailcfg.Hostinfo
-	PacketFilter  filter.Matches
+	PacketFilter  []filter.Match
+
+	// CollectServices reports whether this node's Tailnet has
+	// requested that info about services be included in HostInfo.
+	// If set, Hostinfo.ShieldsUp blocks services collection; that
+	// takes precedence over this field.
+	CollectServices bool

 	// DERPMap is the last DERP server map received. It's reused
 	// between updates and should not be modified.
@@ -50,12 +59,34 @@ type NetworkMap struct {
 	// TODO(crawshaw): reduce UserProfiles to []tailcfg.UserProfile?
 	// There are lots of ways to slice this data, leave it up to users.
 	UserProfiles map[tailcfg.UserID]tailcfg.UserProfile
-	Roles        []tailcfg.Role
 	// TODO(crawshaw): Groups       []tailcfg.Group
 	// TODO(crawshaw): Capabilities []tailcfg.Capability
 }

-func (nm NetworkMap) String() string {
+// MagicDNSSuffix returns the domain's MagicDNS suffix, or empty if none.
+// If non-empty, it will neither start nor end with a period.
+func (nm *NetworkMap) MagicDNSSuffix() string {
+	searchPathUsedAsDNSSuffix := func(suffix string) bool {
+		if dnsname.HasSuffix(nm.Name, suffix) {
+			return true
+		}
+		for _, p := range nm.Peers {
+			if dnsname.HasSuffix(p.Name, suffix) {
+				return true
+			}
+		}
+		return false
+	}
+
+	for _, d := range nm.DNS.Domains {
+		if searchPathUsedAsDNSSuffix(d) {
+			return strings.Trim(d, ".")
+		}
+	}
+	return ""
+}
+
+func (nm *NetworkMap) String() string {
 	return nm.Concise()
 }

@@ -76,6 +107,15 @@ func (nm *NetworkMap) Concise() string {
 func (nm *NetworkMap) printConciseHeader(buf *strings.Builder) {
 	fmt.Fprintf(buf, "netmap: self: %v auth=%v",
 		nm.NodeKey.ShortString(), nm.MachineStatus)
+	login := nm.UserProfiles[nm.User].LoginName
+	if login == "" {
+		if nm.User.IsZero() {
+			login = "?"
+		} else {
+			login = fmt.Sprint(nm.User)
+		}
+	}
+	fmt.Fprintf(buf, " u=%s", login)
 	if nm.LocalPort != 0 {
 		fmt.Fprintf(buf, " port=%v", nm.LocalPort)
 	}
@@ -93,6 +133,7 @@ func (a *NetworkMap) equalConciseHeader(b *NetworkMap) bool {
 	if a.NodeKey != b.NodeKey ||
 		a.MachineStatus != b.MachineStatus ||
 		a.LocalPort != b.LocalPort ||
+		a.User != b.User ||
 		len(a.Addresses) != len(b.Addresses) {
 		return false
 	}
@@ -132,12 +173,18 @@ func printPeerConcise(buf *strings.Builder, p *tailcfg.Node) {
 	if strings.HasPrefix(derp, derpPrefix) {
 		derp = "D" + derp[len(derpPrefix):]
 	}
+	var discoShort string
+	if !p.DiscoKey.IsZero() {
+		discoShort = p.DiscoKey.ShortString() + " "
+	}

 	// Most of the time, aip is just one element, so format the
 	// table to look good in that case. This will also make multi-
 	// subnet nodes stand out visually.
-	fmt.Fprintf(buf, " %v %-2v %-15v : %v\n",
-		p.Key.ShortString(), derp,
+	fmt.Fprintf(buf, " %v %s%-2v %-15v : %v\n",
+		p.Key.ShortString(),
+		discoShort,
+		derp,
 		strings.Join(aip, " "),
 		strings.Join(ep, " "))
 }
@@ -146,6 +193,7 @@ func printPeerConcise(buf *strings.Builder, p *tailcfg.Node) {
 func nodeConciseEqual(a, b *tailcfg.Node) bool {
 	return a.Key == b.Key &&
 		a.DERP == b.DERP &&
+		a.DiscoKey == b.DiscoKey &&
 		eqCIDRsIgnoreNil(a.AllowedIPs, b.AllowedIPs) &&
 		eqStringsIgnoreNil(a.Endpoints, b.Endpoints)
 }
@@ -213,23 +261,8 @@ const (
 	AllowSingleHosts WGConfigFlags = 1 << iota
 	AllowSubnetRoutes
 	AllowDefaultRoute
-	HackDefaultRoute
 )

-// TODO(bradfitz): UAPI seems to only be used by the old confnode and
-// pingnode; delete this when those are deleted/rewritten?
-func (nm *NetworkMap) UAPI(flags WGConfigFlags) string {
-	wgcfg, err := nm.WGCfg(log.Printf, flags)
-	if err != nil {
-		log.Fatalf("WGCfg() failed unexpectedly: %v", err)
-	}
-	s, err := wgcfg.ToUAPI()
-	if err != nil {
-		log.Fatalf("ToUAPI() failed unexpectedly: %v", err)
-	}
-	return s
-}
-
 // EndpointDiscoSuffix is appended to the hex representation of a peer's discovery key
 // and is then the sole wireguard endpoint for peers with a non-zero discovery key.
 // This form is then recognize by magicsock's CreateEndpoint.
@@ -239,7 +272,7 @@ const EndpointDiscoSuffix = ".disco.tailscale:12345"
 func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Config, error) {
 	cfg := &wgcfg.Config{
 		Name:       "tailscale",
-		PrivateKey: nm.PrivateKey,
+		PrivateKey: wgcfg.PrivateKey(nm.PrivateKey),
 		Addresses:  nm.Addresses,
 		ListenPort: nm.LocalPort,
 		Peers:      make([]wgcfg.Peer, 0, len(nm.Peers)),
@@ -265,7 +298,7 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 			if err := appendEndpoint(cpeer, fmt.Sprintf("%x%s", peer.DiscoKey[:], EndpointDiscoSuffix)); err != nil {
 				return nil, err
 			}
-			cpeer.Endpoints = []wgcfg.Endpoint{{Host: fmt.Sprintf("%x.disco.tailscale", peer.DiscoKey[:]), Port: 12345}}
+			cpeer.Endpoints = fmt.Sprintf("%x.disco.tailscale:12345", peer.DiscoKey[:])
 		} else {
 			if err := appendEndpoint(cpeer, peer.DERP); err != nil {
 				return nil, err
@@ -277,18 +310,14 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 			}
 		}
 		for _, allowedIP := range peer.AllowedIPs {
-			if allowedIP.Mask == 0 {
+			if allowedIP.Bits == 0 {
 				if (flags & AllowDefaultRoute) == 0 {
-					logf("wgcfg: %v skipping default route", peer.Key.ShortString())
+					logf("[v1] wgcfg: %v skipping default route", peer.Key.ShortString())
 					continue
 				}
-				if (flags & HackDefaultRoute) != 0 {
-					allowedIP = wgcfg.CIDR{IP: wgcfg.IPv4(10, 0, 0, 0), Mask: 8}
-					logf("wgcfg: %v converting default route => %v", peer.Key.ShortString(), allowedIP.String())
-				}
-			} else if allowedIP.Mask < 32 {
+			} else if cidrIsSubnet(peer, allowedIP) {
 				if (flags & AllowSubnetRoutes) == 0 {
-					logf("wgcfg: %v skipping subnet route", peer.Key.ShortString())
+					logf("[v1] wgcfg: %v skipping subnet route", peer.Key.ShortString())
 					continue
 				}
 			}
@@ -299,19 +328,39 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 	return cfg, nil
 }

+// cidrIsSubnet reports whether cidr is a non-default-route subnet
+// exported by node that is not one of its own self addresses.
+func cidrIsSubnet(node *tailcfg.Node, cidr netaddr.IPPrefix) bool {
+	if cidr.Bits == 0 {
+		return false
+	}
+	if !cidr.IsSingleIP() {
+		return true
+	}
+	for _, selfCIDR := range node.Addresses {
+		if cidr == selfCIDR {
+			return false
+		}
+	}
+	return true
+}
+
 func appendEndpoint(peer *wgcfg.Peer, epStr string) error {
 	if epStr == "" {
 		return nil
 	}
-	host, port, err := net.SplitHostPort(epStr)
+	_, port, err := net.SplitHostPort(epStr)
 	if err != nil {
 		return fmt.Errorf("malformed endpoint %q for peer %v", epStr, peer.PublicKey.ShortString())
 	}
-	port16, err := strconv.ParseUint(port, 10, 16)
+	_, err = strconv.ParseUint(port, 10, 16)
 	if err != nil {
 		return fmt.Errorf("invalid port in endpoint %q for peer %v", epStr, peer.PublicKey.ShortString())
 	}
-	peer.Endpoints = append(peer.Endpoints, wgcfg.Endpoint{Host: host, Port: uint16(port16)})
+	if peer.Endpoints != "" {
+		peer.Endpoints += ","
+	}
+	peer.Endpoints += epStr
 	return nil
 }

@@ -331,7 +380,7 @@ func eqStringsIgnoreNil(a, b []string) bool {

 // eqCIDRsIgnoreNil reports whether a and b have the same length and
 // contents, but ignore whether a or b are nil.
-func eqCIDRsIgnoreNil(a, b []wgcfg.CIDR) bool {
+func eqCIDRsIgnoreNil(a, b []netaddr.IPPrefix) bool {
 	if len(a) != len(b) {
 		return false
 	}
--- a/control/controlclient/netmap_test.go
+++ b/control/controlclient/netmap_test.go
@@ -5,8 +5,11 @@
 package controlclient

 import (
+	"encoding/hex"
+	"encoding/json"
 	"testing"

+	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 )

@@ -17,6 +20,15 @@ func testNodeKey(b byte) (ret tailcfg.NodeKey) {
 	return
 }

+func testDiscoKey(hexPrefix string) (ret tailcfg.DiscoKey) {
+	b, err := hex.DecodeString(hexPrefix)
+	if err != nil {
+		panic(err)
+	}
+	copy(ret[:], b)
+	return
+}
+
 func TestNetworkMapConcise(t *testing.T) {
 	for _, tt := range []struct {
 		name string
@@ -40,7 +52,7 @@ func TestNetworkMapConcise(t *testing.T) {
 					},
 				},
 			},
-			want: "netmap: self: [AQEBA] auth=machine-unknown []\n [AgICA] D2                 :    192.168.0.100:12     192.168.0.100:12354\n [AwMDA] D4                 :       10.2.0.100:12        10.1.0.100:12345\n",
+			want: "netmap: self: [AQEBA] auth=machine-unknown u=? []\n [AgICA] D2                 :    192.168.0.100:12     192.168.0.100:12354\n [AwMDA] D4                 :       10.2.0.100:12        10.1.0.100:12345\n",
 		},
 		{
 			name: "debug_non_nil",
@@ -48,7 +60,7 @@ func TestNetworkMapConcise(t *testing.T) {
 				NodeKey: testNodeKey(1),
 				Debug:   &tailcfg.Debug{},
 			},
-			want: "netmap: self: [AQEBA] auth=machine-unknown debug={} []\n",
+			want: "netmap: self: [AQEBA] auth=machine-unknown u=? debug={} []\n",
 		},
 		{
 			name: "debug_values",
@@ -56,7 +68,7 @@ func TestNetworkMapConcise(t *testing.T) {
 				NodeKey: testNodeKey(1),
 				Debug:   &tailcfg.Debug{LogHeapPprof: true},
 			},
-			want: "netmap: self: [AQEBA] auth=machine-unknown debug={\"LogHeapPprof\":true} []\n",
+			want: "netmap: self: [AQEBA] auth=machine-unknown u=? debug={\"LogHeapPprof\":true} []\n",
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
@@ -124,7 +136,7 @@ func TestConciseDiffFrom(t *testing.T) {
 					},
 				},
 			},
-			want: "-netmap: self: [AQEBA] auth=machine-unknown []\n+netmap: self: [AgICA] auth=machine-unknown []\n",
+			want: "-netmap: self: [AQEBA] auth=machine-unknown u=? []\n+netmap: self: [AgICA] auth=machine-unknown u=? []\n",
 		},
 		{
 			name: "peer_add",
@@ -202,6 +214,62 @@ func TestConciseDiffFrom(t *testing.T) {
 			},
 			want: "- [AQEBA] D1                 :    192.168.0.100:12     192.168.0.100:12354\n- [AwMDA] D3                 :    192.168.0.100:12     192.168.0.100:12354\n",
 		},
+		{
+			name: "peer_port_change",
+			a: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:        2,
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "1.1.1.1:1"},
+					},
+				},
+			},
+			b: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:        2,
+						Key:       testNodeKey(2),
+						DERP:      "127.3.3.40:2",
+						Endpoints: []string{"192.168.0.100:12", "1.1.1.1:2"},
+					},
+				},
+			},
+			want: "- [AgICA] D2                 :    192.168.0.100:12             1.1.1.1:1  \n+ [AgICA] D2                 :    192.168.0.100:12             1.1.1.1:2  \n",
+		},
+		{
+			name: "disco_key_only_change",
+			a: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:         2,
+						Key:        testNodeKey(2),
+						DERP:       "127.3.3.40:2",
+						Endpoints:  []string{"192.168.0.100:41641", "1.1.1.1:41641"},
+						DiscoKey:   testDiscoKey("f00f00f00f"),
+						AllowedIPs: []netaddr.IPPrefix{{IP: netaddr.IPv4(100, 102, 103, 104), Bits: 32}},
+					},
+				},
+			},
+			b: &NetworkMap{
+				NodeKey: testNodeKey(1),
+				Peers: []*tailcfg.Node{
+					{
+						ID:         2,
+						Key:        testNodeKey(2),
+						DERP:       "127.3.3.40:2",
+						Endpoints:  []string{"192.168.0.100:41641", "1.1.1.1:41641"},
+						DiscoKey:   testDiscoKey("ba4ba4ba4b"),
+						AllowedIPs: []netaddr.IPPrefix{{IP: netaddr.IPv4(100, 102, 103, 104), Bits: 32}},
+					},
+				},
+			},
+			want: "- [AgICA] d:f00f00f00f000000 D2 100.102.103.104 :   192.168.0.100:41641         1.1.1.1:41641\n+ [AgICA] d:ba4ba4ba4b000000 D2 100.102.103.104 :   192.168.0.100:41641         1.1.1.1:41641\n",
+		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			var got string
@@ -215,3 +283,15 @@ func TestConciseDiffFrom(t *testing.T) {
 		})
 	}
 }
+
+func TestNewHostinfo(t *testing.T) {
+	hi := NewHostinfo()
+	if hi == nil {
+		t.Fatal("no Hostinfo")
+	}
+	j, err := json.MarshalIndent(hi, "  ", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("Got: %s", j)
+}
--- a/control/controlclient/persist_test.go
+++ b/control/controlclient/persist_test.go
@@ -8,18 +8,18 @@ import (
 	"reflect"
 	"testing"

-	"github.com/tailscale/wireguard-go/wgcfg"
+	"tailscale.com/types/wgkey"
 )

 func TestPersistEqual(t *testing.T) {
-	persistHandles := []string{"PrivateMachineKey", "PrivateNodeKey", "OldPrivateNodeKey", "Provider", "LoginName"}
+	persistHandles := []string{"LegacyFrontendPrivateMachineKey", "PrivateNodeKey", "OldPrivateNodeKey", "Provider", "LoginName"}
 	if have := fieldsOf(reflect.TypeOf(Persist{})); !reflect.DeepEqual(have, persistHandles) {
 		t.Errorf("Persist.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, persistHandles)
 	}

-	newPrivate := func() wgcfg.PrivateKey {
-		k, err := wgcfg.NewPrivateKey()
+	newPrivate := func() wgkey.Private {
+		k, err := wgkey.NewPrivate()
 		if err != nil {
 			panic(err)
 		}
@@ -36,13 +36,13 @@ func TestPersistEqual(t *testing.T) {
 		{&Persist{}, &Persist{}, true},

 		{
-			&Persist{PrivateMachineKey: k1},
-			&Persist{PrivateMachineKey: newPrivate()},
+			&Persist{LegacyFrontendPrivateMachineKey: k1},
+			&Persist{LegacyFrontendPrivateMachineKey: newPrivate()},
 			false,
 		},
 		{
-			&Persist{PrivateMachineKey: k1},
-			&Persist{PrivateMachineKey: k1},
+			&Persist{LegacyFrontendPrivateMachineKey: k1},
+			&Persist{LegacyFrontendPrivateMachineKey: k1},
 			true,
 		},

--- a/derp/derp.go
+++ b/derp/derp.go
@@ -39,14 +39,10 @@ const (
 	keepAlive      = 60 * time.Second
 )

-// protocolVersion is bumped whenever there's a wire-incompatible change.
+// ProtocolVersion is bumped whenever there's a wire-incompatible change.
 //   * version 1 (zero on wire): consistent box headers, in use by employee dev nodes a bit
 //   * version 2: received packets have src addrs in frameRecvPacket at beginning
-const protocolVersion = 2
-
-const (
-	protocolSrcAddrs = 2 // protocol version at which client expects src addresses
-)
+const ProtocolVersion = 2

 // frameType is the one byte frame type at the beginning of the frame
 // header.  The second field is a big-endian uint32 describing the
@@ -108,16 +104,31 @@ var bin = binary.BigEndian
 func writeUint32(bw *bufio.Writer, v uint32) error {
 	var b [4]byte
 	bin.PutUint32(b[:], v)
-	_, err := bw.Write(b[:])
-	return err
+	// Writing a byte at a time is a bit silly,
+	// but it causes b not to escape,
+	// which more than pays for the silliness.
+	for _, c := range &b {
+		err := bw.WriteByte(c)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }

 func readUint32(br *bufio.Reader) (uint32, error) {
-	b := make([]byte, 4)
-	if _, err := io.ReadFull(br, b); err != nil {
-		return 0, err
+	var b [4]byte
+	// Reading a byte at a time is a bit silly,
+	// but it causes b not to escape,
+	// which more than pays for the silliness.
+	for i := range &b {
+		c, err := br.ReadByte()
+		if err != nil {
+			return 0, err
+		}
+		b[i] = c
 	}
-	return bin.Uint32(b), nil
+	return bin.Uint32(b[:]), nil
 }

 func readFrameTypeHeader(br *bufio.Reader, wantType frameType) (frameLen uint32, err error) {
@@ -194,13 +205,6 @@ func writeFrame(bw *bufio.Writer, t frameType, b []byte) error {
 	return bw.Flush()
 }

-func minInt(a, b int) int {
-	if a < b {
-		return a
-	}
-	return b
-}
-
 func minUint32(a, b uint32) uint32 {
 	if a < b {
 		return a
--- a/derp/derp_client.go
+++ b/derp/derp_client.go
@@ -21,14 +21,13 @@ import (

 // Client is a DERP client.
 type Client struct {
-	serverKey    key.Public // of the DERP server; not a machine or node key
-	privateKey   key.Private
-	publicKey    key.Public // of privateKey
-	protoVersion int        // min of server+client
-	logf         logger.Logf
-	nc           Conn
-	br           *bufio.Reader
-	meshKey      string
+	serverKey  key.Public // of the DERP server; not a machine or node key
+	privateKey key.Private
+	publicKey  key.Public // of privateKey
+	logf       logger.Logf
+	nc         Conn
+	br         *bufio.Reader
+	meshKey    string

 	wmu sync.Mutex // hold while writing to bw
 	bw  *bufio.Writer
@@ -49,7 +48,8 @@ func (f clientOptFunc) update(o *clientOpt) { f(o) }

 // clientOpt are the options passed to newClient.
 type clientOpt struct {
-	MeshKey string
+	MeshKey   string
+	ServerPub key.Public
 }

 // MeshKey returns a ClientOpt to pass to the DERP server during connect to get
@@ -58,6 +58,12 @@ type clientOpt struct {
 // An empty key means to not use a mesh key.
 func MeshKey(key string) ClientOpt { return clientOptFunc(func(o *clientOpt) { o.MeshKey = key }) }

+// ServerPublicKey returns a ClientOpt to declare that the server's DERP public key is known.
+// If key is the zero value, the returned ClientOpt is a no-op.
+func ServerPublicKey(key key.Public) ClientOpt {
+	return clientOptFunc(func(o *clientOpt) { o.ServerPub = key })
+}
+
 func NewClient(privateKey key.Private, nc Conn, brw *bufio.ReadWriter, logf logger.Logf, opts ...ClientOpt) (*Client, error) {
 	var opt clientOpt
 	for _, o := range opts {
@@ -79,17 +85,16 @@ func newClient(privateKey key.Private, nc Conn, brw *bufio.ReadWriter, logf logg
 		bw:         brw.Writer,
 		meshKey:    opt.MeshKey,
 	}
-	if err := c.recvServerKey(); err != nil {
-		return nil, fmt.Errorf("derp.Client: failed to receive server key: %v", err)
+	if opt.ServerPub.IsZero() {
+		if err := c.recvServerKey(); err != nil {
+			return nil, fmt.Errorf("derp.Client: failed to receive server key: %v", err)
+		}
+	} else {
+		c.serverKey = opt.ServerPub
 	}
 	if err := c.sendClientKey(); err != nil {
 		return nil, fmt.Errorf("derp.Client: failed to send client key: %v", err)
 	}
-	info, err := c.recvServerInfo()
-	if err != nil {
-		return nil, fmt.Errorf("derp.Client: failed to receive server info: %v", err)
-	}
-	c.protoVersion = minInt(protocolVersion, info.Version)
 	return c, nil
 }

@@ -110,12 +115,9 @@ func (c *Client) recvServerKey() error {
 	return nil
 }

-func (c *Client) recvServerInfo() (*serverInfo, error) {
-	fl, err := readFrameTypeHeader(c.br, frameServerInfo)
-	if err != nil {
-		return nil, err
-	}
+func (c *Client) parseServerInfo(b []byte) (*serverInfo, error) {
 	const maxLength = nonceLen + maxInfoLen
+	fl := len(b)
 	if fl < nonceLen {
 		return nil, fmt.Errorf("short serverInfo frame")
 	}
@@ -124,33 +126,27 @@ func (c *Client) recvServerInfo() (*serverInfo, error) {
 	}
 	// TODO: add a read-nonce-and-box helper
 	var nonce [nonceLen]byte
-	if _, err := io.ReadFull(c.br, nonce[:]); err != nil {
-		return nil, fmt.Errorf("nonce: %v", err)
-	}
-	msgLen := fl - nonceLen
-	msgbox := make([]byte, msgLen)
-	if _, err := io.ReadFull(c.br, msgbox); err != nil {
-		return nil, fmt.Errorf("msgbox: %v", err)
-	}
+	copy(nonce[:], b)
+	msgbox := b[nonceLen:]
 	msg, ok := box.Open(nil, msgbox, &nonce, c.serverKey.B32(), c.privateKey.B32())
 	if !ok {
-		return nil, fmt.Errorf("msgbox: cannot open len=%d with server key %x", msgLen, c.serverKey[:])
+		return nil, fmt.Errorf("failed to open naclbox from server key %x", c.serverKey[:])
 	}
 	info := new(serverInfo)
 	if err := json.Unmarshal(msg, info); err != nil {
-		return nil, fmt.Errorf("msg: %v", err)
+		return nil, fmt.Errorf("invalid JSON: %v", err)
 	}
 	return info, nil
 }

 type clientInfo struct {
-	Version int // `json:"version,omitempty"`
+	Version int `json:"version,omitempty"`

 	// MeshKey optionally specifies a pre-shared key used by
 	// trusted clients.  It's required to subscribe to the
 	// connection list & forward packets. It's empty for regular
 	// users.
-	MeshKey string // `json:"meshKey,omitempty"`
+	MeshKey string `json:"meshKey,omitempty"`
 }

 func (c *Client) sendClientKey() error {
@@ -159,7 +155,7 @@ func (c *Client) sendClientKey() error {
 		return err
 	}
 	msg, err := json.Marshal(clientInfo{
-		Version: protocolVersion,
+		Version: ProtocolVersion,
 		MeshKey: c.meshKey,
 	})
 	if err != nil {
@@ -318,6 +314,11 @@ type PeerPresentMessage key.Public

 func (PeerPresentMessage) msg() {}

+// ServerInfoMessage is sent by the server upon first connect.
+type ServerInfoMessage struct{}
+
+func (ServerInfoMessage) msg() {}
+
 // Recv reads a message from the DERP server.
 //
 // The returned message may alias memory owned by the Client; it
@@ -364,7 +365,7 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 		// If the frame fits in our bufio.Reader buffer, just use it.
 		// In practice it's 4KB (from derphttp.Client's bufio.NewReader(httpConn)) and
 		// in practive, WireGuard packets (and thus DERP frames) are under 1.5KB.
-		// So This is the common path.
+		// So this is the common path.
 		if int(n) <= c.br.Size() {
 			b, err = c.br.Peek(int(n))
 			c.peeked = int(n)
@@ -382,6 +383,19 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 		switch t {
 		default:
 			continue
+		case frameServerInfo:
+			// Server sends this at start-up. Currently unused.
+			// Just has a JSON message saying "version: 2",
+			// but the protocol seems extensible enough as-is without
+			// needing to wait an RTT to discover the version at startup.
+			// We'd prefer to give the connection to the client (magicsock)
+			// to start writing as soon as possible.
+			_, err := c.parseServerInfo(b)
+			if err != nil {
+				return nil, fmt.Errorf("invalid server info frame: %v", err)
+			}
+			// TODO: add the results of parseServerInfo to ServerInfoMessage if we ever need it.
+			return ServerInfoMessage{}, nil
 		case frameKeepAlive:
 			// TODO: eventually we'll have server->client pings that
 			// require ack pongs.
@@ -406,16 +420,12 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro

 		case frameRecvPacket:
 			var rp ReceivedPacket
-			if c.protoVersion < protocolSrcAddrs {
-				rp.Data = b[:n]
-			} else {
-				if n < keyLen {
-					c.logf("[unexpected] dropping short packet from DERP server")
-					continue
-				}
-				copy(rp.Source[:], b[:keyLen])
-				rp.Data = b[keyLen:n]
+			if n < keyLen {
+				c.logf("[unexpected] dropping short packet from DERP server")
+				continue
 			}
+			copy(rp.Source[:], b[:keyLen])
+			rp.Data = b[keyLen:n]
 			return rp, nil
 		}
 	}
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -9,14 +9,19 @@ package derp
 import (
 	"bufio"
 	"context"
+	"crypto/ed25519"
 	crand "crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
 	"errors"
 	"expvar"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"math/big"
+	"math/rand"
 	"os"
 	"runtime"
 	"strconv"
@@ -24,15 +29,41 @@ import (
 	"sync"
 	"time"

+	"go4.org/mem"
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/sync/errgroup"
+	"tailscale.com/disco"
 	"tailscale.com/metrics"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
+	"tailscale.com/version"
 )

 var debug, _ = strconv.ParseBool(os.Getenv("DERP_DEBUG_LOGS"))

+// verboseDropKeys is the set of destination public keys that should
+// verbosely log whenever DERP drops a packet.
+var verboseDropKeys = map[key.Public]bool{}
+
+func init() {
+	keys := os.Getenv("TS_DEBUG_VERBOSE_DROPS")
+	if keys == "" {
+		return
+	}
+	for _, keyStr := range strings.Split(keys, ",") {
+		k, err := key.NewPublicFromHexMem(mem.S(keyStr))
+		if err != nil {
+			log.Printf("ignoring invalid debug key %q: %v", keyStr, err)
+		} else {
+			verboseDropKeys[k] = true
+		}
+	}
+}
+
+func init() {
+	rand.Seed(time.Now().UnixNano())
+}
+
 const (
 	perClientSendQueueDepth = 32 // packets buffered for sending
 	writeTimeout            = 2 * time.Second
@@ -51,16 +82,22 @@ type Server struct {
 	// before failing when writing to a client.
 	WriteTimeout time.Duration

-	privateKey key.Private
-	publicKey  key.Public
-	logf       logger.Logf
-	memSys0    uint64 // runtime.MemStats.Sys at start (or early-ish)
-	meshKey    string
+	privateKey  key.Private
+	publicKey   key.Public
+	logf        logger.Logf
+	memSys0     uint64 // runtime.MemStats.Sys at start (or early-ish)
+	meshKey     string
+	limitedLogf logger.Logf
+	metaCert    []byte // the encoded x509 cert to send after LetsEncrypt cert+intermediate

 	// Counters:
 	_                        [pad32bit]byte
 	packetsSent, bytesSent   expvar.Int
 	packetsRecv, bytesRecv   expvar.Int
+	packetsRecvByKind        metrics.LabelMap
+	packetsRecvDisco         *expvar.Int
+	packetsRecvOther         *expvar.Int
+	_                        [pad32bit]byte
 	packetsDropped           expvar.Int
 	packetsDroppedReason     metrics.LabelMap
 	packetsDroppedUnknown    *expvar.Int // unknown dst pubkey
@@ -135,6 +172,8 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		privateKey:           privateKey,
 		publicKey:            privateKey.Public(),
 		logf:                 logf,
+		limitedLogf:          logger.RateLimitedFn(logf, 30*time.Second, 5, 100),
+		packetsRecvByKind:    metrics.LabelMap{Label: "kind"},
 		packetsDroppedReason: metrics.LabelMap{Label: "reason"},
 		clients:              map[key.Public]*sclient{},
 		clientsEver:          map[key.Public]bool{},
@@ -144,6 +183,9 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.Public]map[key.Public]int64{},
 	}
+	s.initMetacert()
+	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
+	s.packetsRecvOther = s.packetsRecvByKind.Get("other")
 	s.packetsDroppedUnknown = s.packetsDroppedReason.Get("unknown_dest")
 	s.packetsDroppedFwdUnknown = s.packetsDroppedReason.Get("unknown_dest_on_fwd")
 	s.packetsDroppedGone = s.packetsDroppedReason.Get("gone")
@@ -235,6 +277,50 @@ func (s *Server) Accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string) {
 	}
 }

+// initMetacert initialized s.metaCert with a self-signed x509 cert
+// encoding this server's public key and protocol version. cmd/derper
+// then sends this after the Let's Encrypt leaf + intermediate certs
+// after the ServerHello (encrypted in TLS 1.3, not that it matters
+// much).
+//
+// Then the client can save a round trip getting that and can start
+// speaking DERP right away. (We don't use ALPN because that's sent in
+// the clear and we're being paranoid to not look too weird to any
+// middleboxes, given that DERP is an ultimate fallback path). But
+// since the post-ServerHello certs are encrypted we can have the
+// client also use them as a signal to be able to start speaking DERP
+// right away, starting with its identity proof, encrypted to the
+// server's public key.
+//
+// This RTT optimization fails where there's a corp-mandated
+// TLS proxy with corp-mandated root certs on employee machines and
+// and TLS proxy cleans up unnecessary certs. In that case we just fall
+// back to the extra RTT.
+func (s *Server) initMetacert() {
+	pub, priv, err := ed25519.GenerateKey(crand.Reader)
+	if err != nil {
+		log.Fatal(err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(ProtocolVersion),
+		Subject: pkix.Name{
+			CommonName: fmt.Sprintf("derpkey%x", s.publicKey[:]),
+		},
+		// Windows requires NotAfter and NotBefore set:
+		NotAfter:  time.Now().Add(30 * 24 * time.Hour),
+		NotBefore: time.Now().Add(-30 * 24 * time.Hour),
+	}
+	cert, err := x509.CreateCertificate(crand.Reader, tmpl, tmpl, pub, priv)
+	if err != nil {
+		log.Fatalf("CreateCertificate: %v", err)
+	}
+	s.metaCert = cert
+}
+
+// MetaCert returns the server metadata cert that can be sent by the
+// TLS server to let the client skip a round trip during start-up.
+func (s *Server) MetaCert() []byte { return s.metaCert }
+
 // registerClient notes that client c is now authenticated and ready for packets.
 // If c's public key was already connected with a different connection, the prior one is closed.
 func (s *Server) registerClient(c *sclient) {
@@ -579,10 +665,8 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	}

 	p := pkt{
-		bs: contents,
-	}
-	if dst.info.Version >= protocolSrcAddrs {
-		p.src = c.key
+		bs:  contents,
+		src: c.key,
 	}
 	return c.sendPkt(dst, p)
 }
@@ -615,6 +699,12 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 		case <-dst.sendQueue:
 			s.packetsDropped.Add(1)
 			s.packetsDroppedQueueHead.Add(1)
+			if verboseDropKeys[dstKey] {
+				// Generate a full string including src and dst, so
+				// the limiter kicks in once per src.
+				msg := fmt.Sprintf("tail drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
+				c.s.limitedLogf(msg)
+			}
 			if debug {
 				c.logf("dropping packet from client %x queue head", dstKey)
 			}
@@ -626,6 +716,12 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 	// this case to keep reader unblocked.
 	s.packetsDropped.Add(1)
 	s.packetsDroppedQueueTail.Add(1)
+	if verboseDropKeys[dstKey] {
+		// Generate a full string including src and dst, so
+		// the limiter kicks in once per src.
+		msg := fmt.Sprintf("head drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
+		c.s.limitedLogf(msg)
+	}
 	if debug {
 		c.logf("dropping packet from client %x queue tail", dstKey)
 	}
@@ -667,7 +763,7 @@ func (s *Server) sendServerKey(bw *bufio.Writer) error {
 }

 type serverInfo struct {
-	Version int // `json:"version,omitempty"`
+	Version int `json:"version,omitempty"`
 }

 func (s *Server) sendServerInfo(bw *bufio.Writer, clientKey key.Public) error {
@@ -675,7 +771,7 @@ func (s *Server) sendServerInfo(bw *bufio.Writer, clientKey key.Public) error {
 	if _, err := crand.Read(nonce[:]); err != nil {
 		return err
 	}
-	msg, err := json.Marshal(serverInfo{Version: protocolVersion})
+	msg, err := json.Marshal(serverInfo{Version: ProtocolVersion})
 	if err != nil {
 		return err
 	}
@@ -737,7 +833,7 @@ func (s *Server) recvPacket(br *bufio.Reader, frameLen uint32) (dstKey key.Publi
 	if frameLen < keyLen {
 		return zpub, nil, errors.New("short send packet frame")
 	}
-	if _, err := io.ReadFull(br, dstKey[:]); err != nil {
+	if err := readPublicKey(br, &dstKey); err != nil {
 		return zpub, nil, err
 	}
 	packetLen := frameLen - keyLen
@@ -750,6 +846,11 @@ func (s *Server) recvPacket(br *bufio.Reader, frameLen uint32) (dstKey key.Publi
 	}
 	s.packetsRecv.Add(1)
 	s.bytesRecv.Add(int64(len(contents)))
+	if disco.LooksLikeDiscoWrapper(contents) {
+		s.packetsRecvDisco.Add(1)
+	} else {
+		s.packetsRecvOther.Add(1)
+	}
 	return dstKey, contents, nil
 }

@@ -879,11 +980,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		}
 	}()

-	jitterMs, err := crand.Int(crand.Reader, big.NewInt(5000))
-	if err != nil {
-		panic(err)
-	}
-	jitter := time.Duration(jitterMs.Int64()) * time.Millisecond
+	jitter := time.Duration(rand.Intn(5000)) * time.Millisecond
 	keepAliveTick := time.NewTicker(keepAlive + jitter)
 	defer keepAliveTick.Stop()

@@ -1039,7 +1136,8 @@ func (c *sclient) sendPacket(srcKey key.Public, contents []byte) (err error) {
 		return err
 	}
 	if withKey {
-		if _, err = c.bw.Write(srcKey[:]); err != nil {
+		err := writePublicKey(c.bw, &srcKey)
+		if err != nil {
 			return err
 		}
 	}
@@ -1180,6 +1278,7 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("bytes_sent", &s.bytesSent)
 	m.Set("packets_dropped", &s.packetsDropped)
 	m.Set("counter_packets_dropped_reason", &s.packetsDroppedReason)
+	m.Set("counter_packets_received_kind", &s.packetsRecvByKind)
 	m.Set("packets_sent", &s.packetsSent)
 	m.Set("packets_received", &s.packetsRecv)
 	m.Set("unknown_frames", &s.unknownFrames)
@@ -1191,6 +1290,9 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("multiforwarder_created", &s.multiForwarderCreated)
 	m.Set("multiforwarder_deleted", &s.multiForwarderDeleted)
 	m.Set("packet_forwarder_delete_other_value", &s.removePktForwardOther)
+	var expvarVersion expvar.String
+	expvarVersion.Set(version.Long)
+	m.Set("version", &expvarVersion)
 	return m
 }

@@ -1232,3 +1334,34 @@ func (s *Server) ConsistencyCheck() error {
 	}
 	return errors.New(strings.Join(errs, ", "))
 }
+
+// readPublicKey reads key from br.
+// It is ~4x slower than io.ReadFull(br, key),
+// but it prevents key from escaping and thus being allocated.
+// If io.ReadFull(br, key) does not cause key to escape, use that instead.
+func readPublicKey(br *bufio.Reader, key *key.Public) error {
+	// Do io.ReadFull(br, key), but one byte at a time, to avoid allocation.
+	for i := range key {
+		b, err := br.ReadByte()
+		if err != nil {
+			return err
+		}
+		key[i] = b
+	}
+	return nil
+}
+
+// writePublicKey writes key to bw.
+// It is ~3x slower than bw.Write(key[:]),
+// but it prevents key from escaping and thus being allocated.
+// If bw.Write(key[:]) does not cause key to escape, use that instead.
+func writePublicKey(bw *bufio.Writer, key *key.Public) error {
+	// Do bw.Write(key[:]), but one byte at a time to avoid allocation.
+	for _, b := range key {
+		err := bw.WriteByte(b)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -8,10 +8,14 @@ import (
 	"bufio"
 	"context"
 	crand "crypto/rand"
+	"crypto/x509"
+	"encoding/json"
 	"errors"
 	"expvar"
 	"fmt"
 	"io"
+	"io/ioutil"
+	"log"
 	"net"
 	"reflect"
 	"sync"
@@ -23,14 +27,30 @@ import (
 	"tailscale.com/types/logger"
 )

-func newPrivateKey(t *testing.T) (k key.Private) {
-	t.Helper()
+func newPrivateKey(tb testing.TB) (k key.Private) {
+	tb.Helper()
 	if _, err := crand.Read(k[:]); err != nil {
-		t.Fatal(err)
+		tb.Fatal(err)
 	}
 	return
 }

+func TestClientInfoUnmarshal(t *testing.T) {
+	for i, in := range []string{
+		`{"Version":5,"MeshKey":"abc"}`,
+		`{"version":5,"meshKey":"abc"}`,
+	} {
+		var got clientInfo
+		if err := json.Unmarshal([]byte(in), &got); err != nil {
+			t.Fatalf("[%d]: %v", i, err)
+		}
+		want := clientInfo{Version: 5, MeshKey: "abc"}
+		if got != want {
+			t.Errorf("[%d]: got %+v; want %+v", i, got, want)
+		}
+	}
+}
+
 func TestSendRecv(t *testing.T) {
 	serverPrivateKey := newPrivateKey(t)
 	s := NewServer(serverPrivateKey, t.Logf)
@@ -79,6 +99,8 @@ func TestSendRecv(t *testing.T) {
 		if err != nil {
 			t.Fatalf("client %d: %v", i, err)
 		}
+		waitConnect(t, c)
+
 		clients = append(clients, c)
 		recvChs = append(recvChs, make(chan []byte))
 		t.Logf("Connected client %d.", i)
@@ -118,7 +140,7 @@ func TestSendRecv(t *testing.T) {
 			if got := string(b); got != want {
 				t.Errorf("client1.Recv=%q, want %q", got, want)
 			}
-		case <-time.After(1 * time.Second):
+		case <-time.After(5 * time.Second):
 			t.Errorf("client%d.Recv, got nothing, want %q", i, want)
 		}
 	}
@@ -224,6 +246,7 @@ func TestSendFreeze(t *testing.T) {
 		if err != nil {
 			t.Fatal(err)
 		}
+		waitConnect(t, c)
 		return c, c2
 	}

@@ -502,7 +525,13 @@ func newTestClient(t *testing.T, ts *testServer, name string, newClient func(net
 func newRegularClient(t *testing.T, ts *testServer, name string) *testClient {
 	return newTestClient(t, ts, name, func(nc net.Conn, priv key.Private, logf logger.Logf) (*Client, error) {
 		brw := bufio.NewReadWriter(bufio.NewReader(nc), bufio.NewWriter(nc))
-		return NewClient(priv, nc, brw, logf)
+		c, err := NewClient(priv, nc, brw, logf)
+		if err != nil {
+			return nil, err
+		}
+		waitConnect(t, c)
+		return c, nil
+
 	})
 }

@@ -513,6 +542,7 @@ func newTestWatcher(t *testing.T, ts *testServer, name string) *testClient {
 		if err != nil {
 			return nil, err
 		}
+		waitConnect(t, c)
 		if err := c.WatchConnectionChanges(); err != nil {
 			return nil, err
 		}
@@ -742,3 +772,121 @@ func TestForwarderRegistration(t *testing.T) {
 		u1: testFwd(3),
 	})
 }
+
+func TestMetaCert(t *testing.T) {
+	priv := newPrivateKey(t)
+	pub := priv.Public()
+	s := NewServer(priv, t.Logf)
+
+	certBytes := s.MetaCert()
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if fmt.Sprint(cert.SerialNumber) != fmt.Sprint(ProtocolVersion) {
+		t.Errorf("serial = %v; want %v", cert.SerialNumber, ProtocolVersion)
+	}
+	if g, w := cert.Subject.CommonName, fmt.Sprintf("derpkey%x", pub[:]); g != w {
+		t.Errorf("CommonName = %q; want %q", g, w)
+	}
+}
+
+func BenchmarkSendRecv(b *testing.B) {
+	for _, size := range []int{10, 100, 1000, 10000} {
+		b.Run(fmt.Sprintf("msgsize=%d", size), func(b *testing.B) { benchmarkSendRecvSize(b, size) })
+	}
+}
+
+func benchmarkSendRecvSize(b *testing.B, packetSize int) {
+	serverPrivateKey := newPrivateKey(b)
+	s := NewServer(serverPrivateKey, logger.Discard)
+	defer s.Close()
+
+	key := newPrivateKey(b)
+	clientKey := key.Public()
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer ln.Close()
+
+	connOut, err := net.Dial("tcp", ln.Addr().String())
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer connOut.Close()
+
+	connIn, err := ln.Accept()
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer connIn.Close()
+
+	brwServer := bufio.NewReadWriter(bufio.NewReader(connIn), bufio.NewWriter(connIn))
+	go s.Accept(connIn, brwServer, "test-client")
+
+	brw := bufio.NewReadWriter(bufio.NewReader(connOut), bufio.NewWriter(connOut))
+	client, err := NewClient(key, connOut, brw, logger.Discard)
+	if err != nil {
+		b.Fatalf("client: %v", err)
+	}
+
+	go func() {
+		for {
+			_, err := client.Recv()
+			if err != nil {
+				return
+			}
+		}
+	}()
+
+	msg := make([]byte, packetSize)
+	b.SetBytes(int64(len(msg)))
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		if err := client.Send(clientKey, msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkWriteUint32(b *testing.B) {
+	w := bufio.NewWriter(ioutil.Discard)
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		writeUint32(w, 0x0ba3a)
+	}
+}
+
+type nopRead struct{}
+
+func (r nopRead) Read(p []byte) (int, error) {
+	return len(p), nil
+}
+
+var sinkU32 uint32
+
+func BenchmarkReadUint32(b *testing.B) {
+	r := bufio.NewReader(nopRead{})
+	var err error
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		sinkU32, err = readUint32(r)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func waitConnect(t testing.TB, c *Client) {
+	t.Helper()
+	if m, err := c.Recv(); err != nil {
+		t.Fatalf("client first Recv: %v", err)
+	} else if v, ok := m.(ServerInfoMessage); !ok {
+		t.Fatalf("client first Recv was unexpected type %T", v)
+	}
+}
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -14,21 +14,27 @@ import (
 	"bufio"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"net"
 	"net/http"
 	"net/url"
+	"os"
+	"strings"
 	"sync"
 	"time"

+	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/derp"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -252,14 +258,41 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 		}
 	}()

-	var httpConn net.Conn // a TCP conn or a TLS conn; what we speak HTTP to
+	var httpConn net.Conn    // a TCP conn or a TLS conn; what we speak HTTP to
+	var serverPub key.Public // or zero if unknown (if not using TLS or TLS middlebox eats it)
+	var serverProtoVersion int
 	if c.useHTTPS() {
-		httpConn = c.tlsClient(tcpConn, node)
+		tlsConn := c.tlsClient(tcpConn, node)
+		httpConn = tlsConn
+
+		// Force a handshake now (instead of waiting for it to
+		// be done implicitly on read/write) so we can check
+		// the ConnectionState.
+		if err := tlsConn.Handshake(); err != nil {
+			return nil, 0, err
+		}
+
+		// We expect to be using TLS 1.3 to our own servers, and only
+		// starting at TLS 1.3 are the server's returned certificates
+		// encrypted, so only look for and use our "meta cert" if we're
+		// using TLS 1.3. If we're not using TLS 1.3, it might be a user
+		// running cmd/derper themselves with a different configuration,
+		// in which case we can avoid this fast-start optimization.
+		// (If a corporate proxy is MITM'ing TLS 1.3 connections with
+		// corp-mandated TLS root certs than all bets are off anyway.)
+		// Note that we're not specifically concerned about TLS downgrade
+		// attacks. TLS handles that fine:
+		// https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html
+		connState := tlsConn.ConnectionState()
+		if connState.Version >= tls.VersionTLS13 {
+			serverPub, serverProtoVersion = parseMetaCert(connState.PeerCertificates)
+		}
 	} else {
 		httpConn = tcpConn
 	}

 	brw := bufio.NewReadWriter(bufio.NewReader(httpConn), bufio.NewWriter(httpConn))
+	var derpClient *derp.Client

 	req, err := http.NewRequest("GET", c.urlString(node), nil)
 	if err != nil {
@@ -268,24 +301,39 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	req.Header.Set("Upgrade", "DERP")
 	req.Header.Set("Connection", "Upgrade")

-	if err := req.Write(brw); err != nil {
-		return nil, 0, err
-	}
-	if err := brw.Flush(); err != nil {
-		return nil, 0, err
-	}
+	if !serverPub.IsZero() && serverProtoVersion != 0 {
+		// parseMetaCert found the server's public key (no TLS
+		// middlebox was in the way), so skip the HTTP upgrade
+		// exchange.  See https://github.com/tailscale/tailscale/issues/693
+		// for an overview. We still send the HTTP request
+		// just to get routed into the server's HTTP Handler so it
+		// can Hijack the request, but we signal with a special header
+		// that we don't want to deal with its HTTP response.
+		req.Header.Set(fastStartHeader, "1") // suppresses the server's HTTP response
+		if err := req.Write(brw); err != nil {
+			return nil, 0, err
+		}
+		// No need to flush the HTTP request. the derp.Client's initial
+		// client auth frame will flush it.
+	} else {
+		if err := req.Write(brw); err != nil {
+			return nil, 0, err
+		}
+		if err := brw.Flush(); err != nil {
+			return nil, 0, err
+		}

-	resp, err := http.ReadResponse(brw.Reader, req)
-	if err != nil {
-		return nil, 0, err
+		resp, err := http.ReadResponse(brw.Reader, req)
+		if err != nil {
+			return nil, 0, err
+		}
+		if resp.StatusCode != http.StatusSwitchingProtocols {
+			b, _ := ioutil.ReadAll(resp.Body)
+			resp.Body.Close()
+			return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
+		}
 	}
-	if resp.StatusCode != http.StatusSwitchingProtocols {
-		b, _ := ioutil.ReadAll(resp.Body)
-		resp.Body.Close()
-		return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
-	}
-
-	derpClient, err := derp.NewClient(c.privateKey, httpConn, brw, c.logf, derp.MeshKey(c.MeshKey))
+	derpClient, err = derp.NewClient(c.privateKey, httpConn, brw, c.logf, derp.MeshKey(c.MeshKey), derp.ServerPublicKey(serverPub))
 	if err != nil {
 		return nil, 0, err
 	}
@@ -310,7 +358,7 @@ func (c *Client) dialURL(ctx context.Context) (net.Conn, error) {
 	dialer := netns.NewDialer()

 	if c.DNSCache != nil {
-		ip, err := c.DNSCache.LookupIP(ctx, host)
+		ip, _, err := c.DNSCache.LookupIP(ctx, host)
 		if err == nil {
 			hostOrIP = ip.String()
 		}
@@ -364,6 +412,14 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 			tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
 		}
 	}
+	if n := os.Getenv("SSLKEYLOGFILE"); n != "" {
+		f, err := os.OpenFile(n, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
+		if err != nil {
+			log.Fatal(err)
+		}
+		log.Printf("WARNING: writing to SSLKEYLOGFILE %v", n)
+		tlsConf.KeyLogWriter = f
+	}
 	return tls.Client(nc, tlsConf)
 }

@@ -420,6 +476,19 @@ const dialNodeTimeout = 1500 * time.Millisecond
 // TODO(bradfitz): longer if no options remain perhaps? ...  Or longer
 // overall but have dialRegion start overlapping races?
 func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, error) {
+	// First see if we need to use an HTTP proxy.
+	proxyReq := &http.Request{
+		Method: "GET", // doesn't really matter
+		URL: &url.URL{
+			Scheme: "https",
+			Host:   c.tlsServerName(n),
+			Path:   "/", // unused
+		},
+	}
+	if proxyURL, err := tshttpproxy.ProxyFromEnvironment(proxyReq); err == nil && proxyURL != nil {
+		return c.dialNodeUsingProxy(ctx, n, proxyURL)
+	}
+
 	type res struct {
 		c   net.Conn
 		err error
@@ -480,6 +549,77 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 	}
 }

+func firstStr(a, b string) string {
+	if a != "" {
+		return a
+	}
+	return b
+}
+
+// dialNodeUsingProxy connects to n using a CONNECT to the HTTP(s) proxy in proxyURL.
+func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, proxyURL *url.URL) (proxyConn net.Conn, err error) {
+	pu := proxyURL
+	if pu.Scheme == "https" {
+		var d tls.Dialer
+		proxyConn, err = d.DialContext(ctx, "tcp", net.JoinHostPort(pu.Hostname(), firstStr(pu.Port(), "443")))
+	} else {
+		var d net.Dialer
+		proxyConn, err = d.DialContext(ctx, "tcp", net.JoinHostPort(pu.Hostname(), firstStr(pu.Port(), "80")))
+	}
+	defer func() {
+		if err != nil && proxyConn != nil {
+			// In a goroutine in case it's a *tls.Conn (that can block on Close)
+			// TODO(bradfitz): track the underlying tcp.Conn and just close that instead.
+			go proxyConn.Close()
+		}
+	}()
+	if err != nil {
+		return nil, err
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-done:
+			return
+		case <-ctx.Done():
+			proxyConn.Close()
+		}
+	}()
+
+	target := net.JoinHostPort(n.HostName, "443")
+
+	var authHeader string
+	if v, err := tshttpproxy.GetAuthHeader(pu); err != nil {
+		c.logf("derphttp: error getting proxy auth header for %v: %v", proxyURL, err)
+	} else if v != "" {
+		authHeader = fmt.Sprintf("Proxy-Authorization: %s\r\n", v)
+	}
+
+	if _, err := fmt.Fprintf(proxyConn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n%s\r\n", target, pu.Hostname(), authHeader); err != nil {
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+		return nil, err
+	}
+
+	br := bufio.NewReader(proxyConn)
+	res, err := http.ReadResponse(br, nil)
+	if err != nil {
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+		c.logf("derphttp: CONNECT dial to %s: %v", target, err)
+		return nil, err
+	}
+	c.logf("derphttp: CONNECT dial to %s: %v", target, res.Status)
+	if res.StatusCode != 200 {
+		return nil, fmt.Errorf("invalid response status from HTTP proxy %s on CONNECT to %s: %v", pu, target, res.Status)
+	}
+	return proxyConn, nil
+}
+
 func (c *Client) Send(dstKey key.Public, b []byte) error {
 	client, _, err := c.connect(context.TODO(), "derphttp.Client.Send")
 	if err != nil {
@@ -614,3 +754,16 @@ func (c *Client) closeForReconnect(brokenClient *derp.Client) {
 }

 var ErrClientClosed = errors.New("derphttp.Client closed")
+
+func parseMetaCert(certs []*x509.Certificate) (serverPub key.Public, serverProtoVersion int) {
+	for _, cert := range certs {
+		if cn := cert.Subject.CommonName; strings.HasPrefix(cn, "derpkey") {
+			var err error
+			serverPub, err = key.NewPublicFromHexMem(mem.S(strings.TrimPrefix(cn, "derpkey")))
+			if err == nil && cert.SerialNumber.BitLen() <= 8 { // supports up to version 255
+				return serverPub, int(cert.SerialNumber.Int64())
+			}
+		}
+	}
+	return key.Public{}, 0
+}
--- a/derp/derphttp/derphttp_server.go
+++ b/derp/derphttp/derphttp_server.go
@@ -5,33 +5,51 @@
 package derphttp

 import (
+	"fmt"
 	"log"
 	"net/http"

 	"tailscale.com/derp"
 )

+// fastStartHeader is the header (with value "1") that signals to the HTTP
+// server that the DERP HTTP client does not want the HTTP 101 response
+// headers and it will begin writing & reading the DERP protocol immediately
+// following its HTTP request.
+const fastStartHeader = "Derp-Fast-Start"
+
 func Handler(s *derp.Server) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if p := r.Header.Get("Upgrade"); p != "WebSocket" && p != "DERP" {
 			http.Error(w, "DERP requires connection upgrade", http.StatusUpgradeRequired)
 			return
 		}
-		w.Header().Set("Upgrade", "DERP")
-		w.Header().Set("Connection", "Upgrade")
-		w.WriteHeader(http.StatusSwitchingProtocols)
+		fastStart := r.Header.Get(fastStartHeader) == "1"

 		h, ok := w.(http.Hijacker)
 		if !ok {
 			http.Error(w, "HTTP does not support general TCP support", 500)
 			return
 		}
+
 		netConn, conn, err := h.Hijack()
 		if err != nil {
 			log.Printf("Hijack failed: %v", err)
 			http.Error(w, "HTTP does not support general TCP support", 500)
 			return
 		}
+
+		if !fastStart {
+			pubKey := s.PublicKey()
+			fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
+				"Upgrade: DERP\r\n"+
+				"Connection: Upgrade\r\n"+
+				"Derp-Version: %v\r\n"+
+				"Derp-Public-Key: %x\r\n\r\n",
+				derp.ProtocolVersion,
+				pubKey[:])
+		}
+
 		s.Accept(netConn, conn, netConn.RemoteAddr().String())
 	})
 }
--- a/derp/derphttp/derphttp_test.go
+++ b/derp/derphttp/derphttp_test.go
@@ -6,7 +6,6 @@ package derphttp

 import (
 	"context"
-	crand "crypto/rand"
 	"crypto/tls"
 	"net"
 	"net/http"
@@ -19,22 +18,15 @@ import (
 )

 func TestSendRecv(t *testing.T) {
+	serverPrivateKey := key.NewPrivate()
+
 	const numClients = 3
-	var serverPrivateKey key.Private
-	if _, err := crand.Read(serverPrivateKey[:]); err != nil {
-		t.Fatal(err)
-	}
 	var clientPrivateKeys []key.Private
-	for i := 0; i < numClients; i++ {
-		var key key.Private
-		if _, err := crand.Read(key[:]); err != nil {
-			t.Fatal(err)
-		}
-		clientPrivateKeys = append(clientPrivateKeys, key)
-	}
 	var clientKeys []key.Public
-	for _, privKey := range clientPrivateKeys {
-		clientKeys = append(clientKeys, privKey.Public())
+	for i := 0; i < numClients; i++ {
+		priv := key.NewPrivate()
+		clientPrivateKeys = append(clientPrivateKeys, priv)
+		clientKeys = append(clientKeys, priv.Public())
 	}

 	s := derp.NewServer(serverPrivateKey, t.Logf)
@@ -81,6 +73,7 @@ func TestSendRecv(t *testing.T) {
 		if err := c.Connect(context.Background()); err != nil {
 			t.Fatalf("client %d Connect: %v", i, err)
 		}
+		waitConnect(t, c)
 		clients = append(clients, c)
 		recvChs = append(recvChs, make(chan []byte))

@@ -95,6 +88,11 @@ func TestSendRecv(t *testing.T) {
 				}
 				m, err := c.Recv()
 				if err != nil {
+					select {
+					case <-done:
+						return
+					default:
+					}
 					t.Logf("client%d: %v", i, err)
 					break
 				}
@@ -118,7 +116,7 @@ func TestSendRecv(t *testing.T) {
 			if got := string(b); got != want {
 				t.Errorf("client1.Recv=%q, want %q", got, want)
 			}
-		case <-time.After(1 * time.Second):
+		case <-time.After(5 * time.Second):
 			t.Errorf("client%d.Recv, got nothing, want %q", i, want)
 		}
 	}
@@ -146,5 +144,13 @@ func TestSendRecv(t *testing.T) {
 	recv(2, string(msg2))
 	recvNothing(0)
 	recvNothing(1)
-
+}
+
+func waitConnect(t testing.TB, c *Client) {
+	t.Helper()
+	if m, err := c.Recv(); err != nil {
+		t.Fatalf("client first Recv: %v", err)
+	} else if v, ok := m.(derp.ServerInfoMessage); !ok {
+		t.Fatalf("client first Recv was unexpected type %T", v)
+	}
 }
--- a/derp/derpmap/derpmap.go
+++ b/derp/derpmap/derpmap.go
@@ -3,6 +3,13 @@
 // license that can be found in the LICENSE file.

 // Package derpmap contains information about Tailscale.com's production DERP nodes.
+//
+// This package is only used by the "tailscale netcheck" command for debugging.
+// In normal operation the Tailscale nodes get this sent to them from the control
+// server.
+//
+// TODO: remove this package and make "tailscale netcheck" get the
+// list from the control server too.
 package derpmap

 import (
@@ -21,9 +28,10 @@ func derpNode(suffix, v4, v6 string) *tailcfg.DERPNode {
 	}
 }

-func derpRegion(id int, code string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRegion {
+func derpRegion(id int, code, name string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRegion {
 	region := &tailcfg.DERPRegion{
 		RegionID:   id,
+		RegionName: name,
 		RegionCode: code,
 		Nodes:      nodes,
 	}
@@ -45,21 +53,36 @@ func derpRegion(id int, code string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRe
 func Prod() *tailcfg.DERPMap {
 	return &tailcfg.DERPMap{
 		Regions: map[int]*tailcfg.DERPRegion{
-			1: derpRegion(1, "nyc",
+			1: derpRegion(1, "nyc", "New York City",
 				derpNode("a", "159.89.225.99", "2604:a880:400:d1::828:b001"),
 			),
-			2: derpRegion(2, "sfo",
+			2: derpRegion(2, "sfo", "San Francisco",
 				derpNode("a", "167.172.206.31", "2604:a880:2:d1::c5:7001"),
 			),
-			3: derpRegion(3, "sin",
+			3: derpRegion(3, "sin", "Singapore",
 				derpNode("a", "68.183.179.66", "2400:6180:0:d1::67d:8001"),
 			),
-			4: derpRegion(4, "fra",
+			4: derpRegion(4, "fra", "Frankfurt",
 				derpNode("a", "167.172.182.26", "2a03:b0c0:3:e0::36e:9001"),
 			),
-			5: derpRegion(5, "syd",
+			5: derpRegion(5, "syd", "Sydney",
 				derpNode("a", "103.43.75.49", "2001:19f0:5801:10b7:5400:2ff:feaa:284c"),
 			),
+			6: derpRegion(6, "blr", "Bangalore",
+				derpNode("a", "68.183.90.120", "2400:6180:100:d0::982:d001"),
+			),
+			7: derpRegion(7, "tok", "Tokyo",
+				derpNode("a", "167.179.89.145", "2401:c080:1000:467f:5400:2ff:feee:22aa"),
+			),
+			8: derpRegion(8, "lhr", "London",
+				derpNode("a", "167.71.139.179", "2a03:b0c0:1:e0::3cc:e001"),
+			),
+			9: derpRegion(9, "dfw", "Dallas",
+				derpNode("a", "207.148.3.137", "2001:19f0:6401:1d9c:5400:2ff:feef:bb82"),
+			),
+			10: derpRegion(10, "sea", "Seattle",
+				derpNode("a", "137.220.36.168", "2001:19f0:8001:2d9:5400:2ff:feef:bbb1"),
+			),
 		},
 	}
 }
--- a/go.mod
+++ b/go.mod
@@ -1,38 +1,44 @@
 module tailscale.com

-go 1.14
+go 1.15

 require (
+	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
 	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
 	github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29
 	github.com/coreos/go-iptables v0.4.5
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
 	github.com/gliderlabs/ssh v0.2.2
+	github.com/go-multierror/multierror v1.0.2
 	github.com/go-ole/go-ole v1.2.4
 	github.com/godbus/dbus/v5 v5.0.3
-	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
-	github.com/google/go-cmp v0.4.0
+	github.com/golang/protobuf v1.4.2 // indirect
+	github.com/google/go-cmp v0.5.4
 	github.com/goreleaser/nfpm v1.1.10
-	github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4
+	github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391
 	github.com/klauspost/compress v1.10.10
-	github.com/kr/pty v1.1.1
-	github.com/mdlayher/netlink v1.1.0
+	github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1
+	github.com/mdlayher/netlink v1.2.0
+	github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a
 	github.com/miekg/dns v1.1.30
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
-	github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f
-	github.com/tailscale/wireguard-go v0.0.0-20200724155040-d554a2a5e7e1
+	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
+	github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
-	go4.org/mem v0.0.0-20200706164138-185c595c3ecc
-	golang.org/x/crypto v0.0.0-20200317142112-1b76d66859c6
-	golang.org/x/net v0.0.0-20200301022130-244492dfa37a
+	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
+	golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392
+	golang.org/x/net v0.0.0-20201216054612-986b41b23924
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
-	golang.org/x/sys v0.0.0-20200501052902-10377860bb8e
+	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
+	golang.org/x/sys v0.0.0-20201218084310-7d0127a74742
+	golang.org/x/term v0.0.0-20201207232118-ee85cb95a76b
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	golang.org/x/tools v0.0.0-20191216052735-49a3e744a425
-	honnef.co/go/tools v0.0.1-2020.1.4
-	inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c
+	golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58
+	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
+	gvisor.dev/gvisor v0.0.0-20210111185822-3ff3110fcdd6
+	honnef.co/go/tools v0.1.0
+	inet.af/netaddr v0.0.0-20210105212526-648fbc18a69d
 	rsc.io/goversion v1.2.0
 )
--- a/go.sum
+++ b/go.sum
@@ -1,14 +1,39 @@
+bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.52.1-0.20200122224058-0482b626c726/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Masterminds/semver/v3 v3.0.3 h1:znjIyLfpXEDQjOIEWh+ehwpTU14UzUPub3c3sm36u14=
 github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/alecthomas/kingpin v2.2.6+incompatible h1:5svnBTFgJjZvGKyYBtMB0+m5wvrbUHiqye8wRJMlnYI=
+github.com/Microsoft/go-winio v0.4.15-0.20200908182639-5b44b70ab3ab/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
+github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d h1:UQZhZ2O0vMHr2cI+DC1Mbh0TJxzA3RcLoMsFw+aXw7E=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 h1:P5U+E4x5OkVEKQDklVPmzs71WM56RTTRqV4OrDC//Y4=
+github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5/go.mod h1:976q2ETgjT2snVCf2ZaBnyBbVoPERGjUz+0sofzEfro=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29 h1:muXWUcay7DDy1/hEQWrYlBy+g0EuwT70sBHg65SeUc4=
@@ -19,155 +44,530 @@ github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
+github.com/cenkalti/backoff v1.1.1-0.20190506075156-2146c9339422/go.mod h1:b6Nc7NRH5C4aCISLry0tLnTjcuTEvoiqcWDdsU0sOGM=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
+github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/containerd/cgroups v0.0.0-20201119153540-4cbc285b3327/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
+github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
+github.com/containerd/containerd v1.3.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/continuity v0.0.0-20200928162600-f2cc35102c2a/go.mod h1:W0qIOTD7mp2He++YVq+kgfXezRYqzP1uDuMVH1bITDY=
+github.com/containerd/fifo v0.0.0-20191213151349-ff969a566b00/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
+github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g=
+github.com/containerd/ttrpc v0.0.0-20200121165050-0be804eadb15/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+github.com/containerd/typeurl v0.0.0-20200205145503-b45ef1f1f737/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
 github.com/coreos/go-iptables v0.4.5 h1:DpHb9vJrZQEFMcVLFKAAGMUVX0XoRC0ptCthinRYm38=
 github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
+github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v1.4.2-0.20191028175130-9e7d5ac5ea55/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.3.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
+github.com/dpjacques/clockwork v0.1.1-0.20200827220843-c1f524b839be/go.mod h1:D8mP2A8vVT2GkXqPorSBmhnshhkFBYgzhA90KmJt25Y=
+github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/dvyukov/go-fuzz v0.0.0-20201127111758-49e582c6c23d/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-multierror/multierror v1.0.2 h1:AwsKbEXkmf49ajdFJgcFXqSG0aLo0HEyAE9zk9JguJo=
+github.com/go-multierror/multierror v1.0.2/go.mod h1:U7SZR/D9jHgt2nkSj8XcbCWdmVM2igraCHQ3HC1HiKY=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
+github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
+github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8=
+github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/gofrs/flock v0.6.1-0.20180915234121-886344bea079/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
+github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3-0.20201020212313-ab46b8bd0abd/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-github/v28 v28.1.2-0.20191108005307-e555eab49ce8/go.mod h1:g82e6OHbJ0WYrYeOrid1MMfHAtqjxBz+N74tfAt9KrQ=
+github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
+github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0 h1:BW6OvS3kpT5UEPbCZ+KyX/OB4Ks9/MNMhWjqPPkZxsE=
 github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg=
+github.com/google/subcommands v1.0.2-0.20190508160503-636abe8753b8/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
+github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/goreleaser/nfpm v1.1.10 h1:0nwzKUJTcygNxTzVKq2Dh9wpVP1W2biUH6SNKmoxR3w=
 github.com/goreleaser/nfpm v1.1.10/go.mod h1:oOcoGRVwvKIODz57NUfiRwFWGfn00NXdgnn6MrYtO5k=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4 h1:nwOc1YaOrYJ37sEBrtWZrdqzK22hiJs3GpDmP3sR2Yw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
+github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
+github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391 h1:Dqu/4JhMV1vpXHDjzQCuDCEsjNi0xfuSmQlMOyqayKA=
+github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391/go.mod h1:cR77jAZG3Y3bsb8hF6fHJbFoyFukLFOkQ98S0pQz3xw=
+github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I=
 github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1 h1:zc0R6cOw98cMengLA0fvU55mqbnN7sd/tBMLzSejp+M=
+github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lxn/walk v0.0.0-20201110160827-18ea5e372cdb/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
+github.com/lxn/win v0.0.0-20201111105847-2a20daff6a55/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
+github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a/go.mod h1:M1qoD/MqPgTZIk0EWKB38wE28ACRfVcn+cU08jyArI0=
 github.com/mattn/go-zglob v0.0.1 h1:xsEx/XUoVlI6yXjqBK062zYhRTZltCNmYPx6v+8DNaY=
 github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
 github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
 github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M=
 github.com/mdlayher/netlink v1.1.0 h1:mpdLgm+brq10nI9zM1BpX1kpDbh3NLl3RSnVq6ZSkfg=
 github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY=
+github.com/mdlayher/netlink v1.1.1/go.mod h1:WTYpFb/WTvlRJAyKhZL5/uy69TDDpHHu2VZmb2XgV7o=
+github.com/mdlayher/netlink v1.2.0 h1:zPolhRjfuabdf8ofZsl56eoU+92cvSlAn13lw4veCZ0=
+github.com/mdlayher/netlink v1.2.0/go.mod h1:kwVW1io0AZy9A1E2YYgaD4Cj+C+GPkU6klXCMzIJ9p8=
+github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a h1:wMv2mvcHRH4jqIxaVL5t6gSq1hjPiaWH7TOcA0Z+uNo=
+github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a/go.mod h1:HtjVsQfsrBm1GDcDTUFn4ZXhftxTwO/hxrvEiRc61U4=
 github.com/miekg/dns v1.1.30 h1:Qww6FseFn8PRfw07jueqIXqodm0JKiiKuK0DeXSqfyo=
 github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mohae/deepcopy v0.0.0-20170308212314-bb9b5e7adda9/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.2-0.20181111125026-1722abf79c2f/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3 h1:YtFkrqsMEj7YqpIhRteVxJxCeC3jJBieuLr0d4C4rSA=
 github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
+github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
 github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
+github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8=
+github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
+github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
+github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f h1:uFj5bslHsMzxIM8UTjAhq4VXeo6GfNW91rpoh/WMJaY=
-github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f/go.mod h1:x880GWw5fvrl2DVTQ04ttXQD4DuppTt1Yz6wLibbjNE=
-github.com/tailscale/wireguard-go v0.0.0-20200724155040-d554a2a5e7e1 h1:Ga895WFYzI9VOXyps7t9ax9P5zSKsP5Yqpiv2euuyeU=
-github.com/tailscale/wireguard-go v0.0.0-20200724155040-d554a2a5e7e1/go.mod h1:JPm5cTfu1K+qDFRbiHy0sOlHUylYQbpl356sdYFD8V4=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027 h1:lK99QQdH3yBWY6aGilF+IRlQIdmhzLrsEmF6JgN+Ryw=
+github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
+github.com/tailscale/wireguard-go v0.0.0-20210109012254-dc30a1b9415e h1:ZXbXfVJOhSq4/Gt7TnqwXBPCctzYXkWXo3oQS7LZ40I=
+github.com/tailscale/wireguard-go v0.0.0-20210109012254-dc30a1b9415e/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
+github.com/tailscale/wireguard-go v0.0.0-20210113223737-a6213b5eaf98 h1:khwYPK1eT+4pmEFyCjpf6Br/0JWjdVT3uQ+ILFJPTRo=
+github.com/tailscale/wireguard-go v0.0.0-20210113223737-a6213b5eaf98/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
+github.com/tailscale/wireguard-go v0.0.0-20210114205708-a1377e83f551 h1:hjBVxvVa145kVflAFkVcTr/zwUzBO4SqfSS6xhbcMv8=
+github.com/tailscale/wireguard-go v0.0.0-20210114205708-a1377e83f551/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
+github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d h1:8GcGtZ4Ui+lzHm6gOq7s2Oe4ksxkbUYtS/JuoJ2Nce8=
+github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
 github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
+github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/vishvananda/netlink v1.0.1-0.20190930145447-2ec5bdc52b86/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
+github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
-go4.org/mem v0.0.0-20200706164138-185c595c3ecc h1:paujszgN6SpsO/UsXC7xax3gQAKz/XQKCYZLQdU34Tw=
-go4.org/mem v0.0.0-20200706164138-185c595c3ecc/go.mod h1:NEYvpHWemiG/E5UWfaN5QAIGZeT1sa0Z2UNk6oeMb/k=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go4.org/intern v0.0.0-20201223054237-ef8cbcb8edd7 h1:yeDrXaQ3VRXbTN7lHj70DxW4LdPow83MVwPPRjpP70U=
+go4.org/intern v0.0.0-20201223054237-ef8cbcb8edd7/go.mod h1:vLqJ+12kCw61iCWsPto0EOHhBS+o4rO5VIucbc9g2Cc=
+go4.org/intern v0.0.0-20201223061701-969c7e87e7cb h1:yuqO0E4bHRsTPUocDpRKXfLE40lwWplVxENQ2WOV7Gc=
+go4.org/intern v0.0.0-20201223061701-969c7e87e7cb/go.mod h1:vLqJ+12kCw61iCWsPto0EOHhBS+o4rO5VIucbc9g2Cc=
+go4.org/intern v0.0.0-20210101010959-7cab76ca296a h1:28p852HIWWaOS019DYK/A3yTmpm1HJaUce63pvll4C8=
+go4.org/intern v0.0.0-20210101010959-7cab76ca296a/go.mod h1:vLqJ+12kCw61iCWsPto0EOHhBS+o4rO5VIucbc9g2Cc=
+go4.org/mem v0.0.0-20201119185036-c04c5a6ff174 h1:vSug/WNOi2+4jrKdivxayTN/zd8EA1UrStjpWvvo1jk=
+go4.org/mem v0.0.0-20201119185036-c04c5a6ff174/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
+go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222175341-b30ae309168e h1:ExUmGi0ZsQmiVo9giDQqXkr7vreeXPMkOGIusfsfbzI=
+go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222175341-b30ae309168e/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
+go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222180813-1025295fd063 h1:1tk03FUNpulq2cuWpXZWj649rwJpk0d20rxWiopKRmc=
+go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222180813-1025295fd063/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200317142112-1b76d66859c6 h1:TjszyFsQsyZNHwdVdZ5m7bjmreu0znc2kRYsEml9/Ww=
-golang.org/x/crypto v0.0.0-20200317142112-1b76d66859c6/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392 h1:xYJJ3S178yv++9zXV/hnr29plCAGO9vAFG9dorqaFQc=
+golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.0 h1:8pl+sMODzuvGJkmj2W4kZihvVb5mKm8pB/X44PIQHv8=
+golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191003171128-d98b1b443823/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201216054612-986b41b23924 h1:QsnDpLLOKwHBBDa8nDws4DYNc/ryVW2vCpxCs09d4PY=
+golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190310054646-10058d7d4faa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191003212358-c178f38b412c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0=
+golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e h1:hq86ru83GdWTlfQFZGO4nZJTU4Bs2wfHl8oFHRaXsfc=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201107080550-4d91cf3a1aaf/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201118182958-a01c418693c7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201218084310-7d0127a74742 h1:+CBz4km/0KPU3RGTwARGh/noP3bEwtHcq+0YcBQM2JQ=
+golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20201207232118-ee85cb95a76b h1:a0ErnNnPKmhDyIXQvdZr+Lq8dc8xpMeqkF8y5PgQU4Q=
+golang.org/x/term v0.0.0-20201207232118-ee85cb95a76b/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
+golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d h1:/iIZNFGxc/a7C3yWjGcnboV+Tkc7mxr+p6fDztwoxuM=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216052735-49a3e744a425 h1:VvQyQJN0tSuecqgcIxMWnnfG5kSmgy9KZR9sW3W5QeA=
+golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200609164405-eb789aa7ce50/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20201021000207-d49c4edd7d96/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
+golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 h1:1Bs6RVeBFtLZ8Yi1Hk07DiOqzvwLD/4hln4iahvFlag=
+golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.zx2c4.com/wireguard v0.0.20200321-0.20201111175144-60b3766b89b9 h1:qowcZ56hhpeoESmWzI4Exhx4Y78TpCyXUJur4/c0CoE=
+golang.zx2c4.com/wireguard v0.0.20200321-0.20201111175144-60b3766b89b9/go.mod h1:LMeNfjlcPZTrBC1juwgbQyA4Zy2XVcsrdO/fIJxwyuA=
+golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8 h1:nlXPqGA98n+qcq1pwZ28KjM5EsFQvamKS00A+VUeVjs=
+golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8/go.mod h1:psva4yDnAHLuh7lUzOK7J7bLYxNFfo0iKWz+mi9gzkA=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.1-0.20201020201750-d3470999428b h1:jEdfCm+8YTWSYgU4L7Nq0jjU+q9RxIhi0cXLTY+Ih3A=
+google.golang.org/protobuf v1.25.1-0.20201020201750-d3470999428b/go.mod h1:hFxJC2f0epmp1elRCiEGJTKAWbwxZ2nvqZdHl3FQXCY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c h1:si3Owrfem175Ry6gKqnh59eOXxDojyBTIHxUKuvK/Eo=
-inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+gvisor.dev/gvisor v0.0.0-20210111185822-3ff3110fcdd6 h1:H5EvGkFG+pgAAbZMV8Me3Gy+HUYdaDcGXKWWixZ0EE8=
+gvisor.dev/gvisor v0.0.0-20210111185822-3ff3110fcdd6/go.mod h1:5DEMKRjYDiM24fvDUWPjBpABm9ROMcv/kEcox3fHtm0=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+honnef.co/go/tools v0.1.0 h1:AWNL1W1i7f0wNZ8VwOKNJ0sliKvOF/adn0EHenfUh+c=
+honnef.co/go/tools v0.1.0/go.mod h1:XtegFAyX/PfluP4921rXU5IkjkqBCDnUq4W8VCIoKvM=
+inet.af/netaddr v0.0.0-20201228234250-33d0a924ebbf h1:0eHZ8v6j5wIiOVyoYPd70ueZ/RPEQtRlzi60uneDbRU=
+inet.af/netaddr v0.0.0-20201228234250-33d0a924ebbf/go.mod h1:9NdhtHLglxJliAZB6aC5ws3mfnUArdAzHG/iJq7cB/o=
+inet.af/netaddr v0.0.0-20210105212526-648fbc18a69d h1:6f0242aW/6x2enQBOSKgDS8KQNw6Tp7IVR8eG3x0Jc8=
+inet.af/netaddr v0.0.0-20210105212526-648fbc18a69d/go.mod h1:jPZo7Jy4nke2cCgISa4fKJKa5T7+EO8k5fWwWghzneg=
+k8s.io/api v0.16.13/go.mod h1:QWu8UWSTiuQZMMeYjwLs6ILu5O74qKSJ0c+4vrchDxs=
+k8s.io/apimachinery v0.16.13/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
+k8s.io/apimachinery v0.16.14-rc.0/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
+k8s.io/client-go v0.16.13/go.mod h1:UKvVT4cajC2iN7DCjLgT0KVY/cbY6DGdUCyRiIfws5M=
+k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/kube-openapi v0.0.0-20200410163147-594e756bea31/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/utils v0.0.0-20190801114015-581e00157fb1/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
 rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=
+sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
--- a/internal/deepprint/deepprint_test.go
+++ b/internal/deepprint/deepprint_test.go
@@ -37,16 +37,11 @@ func getVal() []interface{} {
 	return []interface{}{
 		&wgcfg.Config{
 			Name:       "foo",
-			Addresses:  []wgcfg.CIDR{{Mask: 5, IP: wgcfg.IP{Addr: [16]byte{3: 3}}}},
+			Addresses:  []netaddr.IPPrefix{{Bits: 5, IP: netaddr.IPFrom16([16]byte{3: 3})}},
 			ListenPort: 5,
 			Peers: []wgcfg.Peer{
 				{
-					Endpoints: []wgcfg.Endpoint{
-						{
-							Host: "foo",
-							Port: 5,
-						},
-					},
+					Endpoints: "foo:5",
 				},
 			},
 		},
--- a/internal/tooldeps/tooldeps.go
+++ b/internal/tooldeps/tooldeps.go
@@ -0,0 +1,9 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tooldeps
+
+import (
+	_ "github.com/tailscale/depaware/depaware"
+)
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -21,6 +21,7 @@ type State int

 const (
 	NoState = State(iota)
+	InUseOtherUser
 	NeedsLogin
 	NeedsMachineAuth
 	Stopped
@@ -33,8 +34,14 @@ const (
 const GoogleIDTokenType = "ts_android_google_login"

 func (s State) String() string {
-	return [...]string{"NoState", "NeedsLogin", "NeedsMachineAuth",
-		"Stopped", "Starting", "Running"}[s]
+	return [...]string{
+		"NoState",
+		"InUseOtherUser",
+		"NeedsLogin",
+		"NeedsMachineAuth",
+		"Stopped",
+		"Starting",
+		"Running"}[s]
 }

 // EngineStatus contains WireGuard engine stats.
@@ -53,7 +60,7 @@ type EngineStatus struct {
 type Notify struct {
 	_             structs.Incomparable
 	Version       string                    // version number of IPN backend
-	ErrMessage    *string                   // critical error message, if any
+	ErrMessage    *string                   // critical error message, if any; for InUseOtherUser, the details
 	LoginFinished *empty.Message            // event: non-nil when login process succeeded
 	State         *State                    // current IPN state has changed
 	Prefs         *Prefs                    // preferences were changed
@@ -62,6 +69,7 @@ type Notify struct {
 	Status        *ipnstate.Status          // full status
 	BrowseToURL   *string                   // UI should open a browser right now
 	BackendLogID  *string                   // public logtail id used by backend
+	PingResult    *ipnstate.PingResult

 	// LocalTCPPort, if non-nil, informs the UI frontend which
 	// (non-zero) localhost TCP port it's listening on.
@@ -80,14 +88,14 @@ type Notify struct {
 // shared by several consecutive users. Ideally we would just use the
 // username of the connected frontend as the StateKey.
 //
-// However, on Windows, there seems to be no safe way to figure out
-// the owning user of a process connected over IPC mechanisms
-// (sockets, named pipes). So instead, on Windows, we use a
-// capability-oriented system where the frontend generates a random
-// identifier for itself, and uses that as the StateKey when talking
-// to the backend. That way, while we can't identify an OS user by
-// name, we can tell two different users apart, because they'll have
-// different opaque state keys (and no access to each others's keys).
+// Various platforms currently set StateKey in different ways:
+//
+// * the macOS/iOS GUI apps set it to "ipn-go-bridge"
+// * the Android app sets it to "ipn-android"
+// * on Windows, it's the empty string (in client mode) or, via
+//   LocalBackend.userID, a string like "user-$USER_ID" (used in
+//   server mode).
+// * on Linux/etc, it's always "_daemon" (ipn.GlobalDaemonStateKey)
 type StateKey string

 type Options struct {
@@ -96,7 +104,8 @@ type Options struct {
 	// StateKey and Prefs together define the state the backend should
 	// use:
 	//  - StateKey=="" && Prefs!=nil: use Prefs for internal state,
-	//    don't persist changes in the backend.
+	//    don't persist changes in the backend, except for the machine key
+	//    for migration purposes.
 	//  - StateKey!="" && Prefs==nil: load the given backend-side
 	//    state and use/update that.
 	//  - StateKey!="" && Prefs!=nil: like the previous case, but do
@@ -143,6 +152,9 @@ type Backend interface {
 	// WantRunning. This may cause the wireguard engine to
 	// reconfigure or stop.
 	SetPrefs(*Prefs)
+	// SetWantRunning is like SetPrefs but sets only the
+	// WantRunning field.
+	SetWantRunning(wantRunning bool)
 	// RequestEngineStatus polls for an update from the wireguard
 	// engine. Only needed if you want to display byte
 	// counts. Connection events are emitted automatically without
@@ -156,4 +168,8 @@ type Backend interface {
 	// make sure they react properly with keys that are going to
 	// expire.
 	FakeExpireAfter(x time.Duration)
+	// Ping attempts to start connecting to the given IP and sends a Notify
+	// with its PingResult. If the host is down, there might never
+	// be a PingResult sent. The cmd/tailscale CLI client adds a timeout.
+	Ping(ip string)
 }
--- a/ipn/fake_test.go
+++ b/ipn/fake_test.go
@@ -79,6 +79,10 @@ func (b *FakeBackend) SetPrefs(new *Prefs) {
 	}
 }

+func (b *FakeBackend) SetWantRunning(v bool) {
+	b.SetPrefs(&Prefs{WantRunning: v})
+}
+
 func (b *FakeBackend) RequestEngineStatus() {
 	b.notify(Notify{Engine: &EngineStatus{}})
 }
@@ -90,3 +94,7 @@ func (b *FakeBackend) RequestStatus() {
 func (b *FakeBackend) FakeExpireAfter(x time.Duration) {
 	b.notify(Notify{NetMap: &controlclient.NetworkMap{}})
 }
+
+func (b *FakeBackend) Ping(ip string) {
+	b.notify(Notify{PingResult: &ipnstate.PingResult{}})
+}
--- a/ipn/handle.go
+++ b/ipn/handle.go
@@ -8,8 +8,8 @@ import (
 	"sync"
 	"time"

-	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/oauth2"
+	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/types/logger"
 )
@@ -118,7 +118,7 @@ func (h *Handle) EngineStatus() EngineStatus {
 	return h.engineStatusCache
 }

-func (h *Handle) LocalAddrs() []wgcfg.CIDR {
+func (h *Handle) LocalAddrs() []netaddr.IPPrefix {
 	h.mu.Lock()
 	defer h.mu.Unlock()

@@ -126,7 +126,7 @@ func (h *Handle) LocalAddrs() []wgcfg.CIDR {
 	if nm != nil {
 		return nm.Addresses
 	}
-	return []wgcfg.CIDR{}
+	return []netaddr.IPPrefix{}
 }

 func (h *Handle) NetMap() *controlclient.NetworkMap {
--- a/ipn/ipnserver/conn_linux.go
+++ b/ipn/ipnserver/conn_linux.go
@@ -0,0 +1,49 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+
+package ipnserver
+
+import (
+	"net"
+
+	"golang.org/x/sys/unix"
+	"tailscale.com/types/logger"
+)
+
+func isReadonlyConn(c net.Conn, logf logger.Logf) (ro bool) {
+	ro = true // conservative default for naked returns below
+	uc, ok := c.(*net.UnixConn)
+	if !ok {
+		logf("unexpected connection type %T", c)
+		return
+	}
+	raw, err := uc.SyscallConn()
+	if err != nil {
+		logf("SyscallConn: %v", err)
+		return
+	}
+
+	var cred *unix.Ucred
+	cerr := raw.Control(func(fd uintptr) {
+		cred, err = unix.GetsockoptUcred(int(fd),
+			unix.SOL_SOCKET,
+			unix.SO_PEERCRED)
+	})
+	if cerr != nil {
+		logf("raw.Control: %v", err)
+		return
+	}
+	if err != nil {
+		logf("raw.Control: %v", err)
+		return
+	}
+	if cred.Uid == 0 {
+		// root is not read-only.
+		return false
+	}
+	logf("non-root connection from %v (read-only)", cred.Uid)
+	return true
+}
--- a/ipn/ipnserver/conn_no_ucred.go
+++ b/ipn/ipnserver/conn_no_ucred.go
@@ -0,0 +1,27 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !linux
+
+package ipnserver
+
+import (
+	"net"
+
+	"tailscale.com/types/logger"
+)
+
+func isReadonlyConn(c net.Conn, logf logger.Logf) bool {
+	// Windows doesn't need/use this mechanism, at least yet. It
+	// has a different last-user-wins auth model.
+
+	// And on Darwin, we're not using it yet, as the Darwin
+	// tailscaled port isn't yet done, and unix.Ucred and
+	// unix.GetsockoptUcred aren't in x/sys/unix.
+
+	// TODO(bradfitz): OpenBSD and FreeBSD should implement this too.
+	// But their x/sys/unix package is different than Linux, so
+	// I didn't include it for now.
+	return false
+}
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -7,23 +7,34 @@ package ipnserver
 import (
 	"bufio"
 	"context"
+	"errors"
 	"fmt"
+	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"os"
 	"os/exec"
 	"os/signal"
+	"os/user"
+	"runtime"
+	"strings"
 	"sync"
 	"syscall"
 	"time"

+	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
+	"tailscale.com/log/filelogger"
 	"tailscale.com/logtail/backoff"
+	"tailscale.com/net/netstat"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/pidowner"
+	"tailscale.com/util/systemd"
 	"tailscale.com/version"
 	"tailscale.com/wgengine"
 )
@@ -61,6 +72,12 @@ type Options struct {
 	// its existing state, and accepts new frontend connections. If
 	// false, the server dumps its state and becomes idle.
 	//
+	// This is effectively whether the platform is in "server
+	// mode" by default. On Linux, it's true; on Windows, it's
+	// false. But on some platforms (currently only Windows), the
+	// "server mode" can be overridden at runtime with a change in
+	// Prefs.ForceDaemon/WantRunning.
+	//
 	// To support CLI connections (notably, "tailscale status"),
 	// the actual definition of "disconnect" is when the
 	// connection count transitions from 1 to 0.
@@ -74,29 +91,199 @@ type Options struct {
 // server is an IPN backend and its set of 0 or more active connections
 // talking to an IPN backend.
 type server struct {
-	resetOnZero bool // call bs.Reset on transition from 1->0 connections
+	b    *ipn.LocalBackend
+	logf logger.Logf
+	// resetOnZero is whether to call bs.Reset on transition from
+	// 1->0 connections.  That is, this is whether the backend is
+	// being run in "client mode" that requires an active GUI
+	// connection (such as on Windows by default).  Even if this
+	// is true, the ForceDaemon pref can override this.
+	resetOnZero bool

 	bsMu sync.Mutex // lock order: bsMu, then mu
 	bs   *ipn.BackendServer

-	mu      sync.Mutex
-	clients map[net.Conn]bool
+	mu             sync.Mutex
+	serverModeUser *user.User                   // or nil if not in server mode
+	lastUserID     string                       // tracks last userid; on change, Reset state for paranoia
+	allClients     map[net.Conn]connIdentity    // HTTP or IPN
+	clients        map[net.Conn]bool            // subset of allClients; only IPN protocol
+	disconnectSub  map[chan<- struct{}]struct{} // keys are subscribers of disconnects
+}
+
+// connIdentity represents the owner of a localhost TCP connection.
+type connIdentity struct {
+	Unknown bool
+	Pid     int
+	UserID  string
+	User    *user.User
+}
+
+// getConnIdentity returns the localhost TCP connection's identity information
+// (pid, userid, user). If it's not Windows (for now), it returns a nil error
+// and a ConnIdentity with Unknown set true. It's only an error if we expected
+// to be able to map it and couldn't.
+func (s *server) getConnIdentity(c net.Conn) (ci connIdentity, err error) {
+	if runtime.GOOS != "windows" { // for now; TODO: expand to other OSes
+		return connIdentity{Unknown: true}, nil
+	}
+	la, err := netaddr.ParseIPPort(c.LocalAddr().String())
+	if err != nil {
+		return ci, fmt.Errorf("parsing local address: %w", err)
+	}
+	ra, err := netaddr.ParseIPPort(c.RemoteAddr().String())
+	if err != nil {
+		return ci, fmt.Errorf("parsing local remote: %w", err)
+	}
+	if !la.IP.IsLoopback() || !ra.IP.IsLoopback() {
+		return ci, errors.New("non-loopback connection")
+	}
+	tab, err := netstat.Get()
+	if err != nil {
+		return ci, fmt.Errorf("failed to get local connection table: %w", err)
+	}
+	pid := peerPid(tab.Entries, la, ra)
+	if pid == 0 {
+		return ci, errors.New("no local process found matching localhost connection")
+	}
+	ci.Pid = pid
+	uid, err := pidowner.OwnerOfPID(pid)
+	if err != nil {
+		var hint string
+		if runtime.GOOS == "windows" {
+			hint = " (WSL?)"
+		}
+		return ci, fmt.Errorf("failed to map connection's pid to a user%s: %w", hint, err)
+	}
+	ci.UserID = uid
+	u, err := s.lookupUserFromID(uid)
+	if err != nil {
+		return ci, fmt.Errorf("failed to look up user from userid: %w", err)
+	}
+	ci.User = u
+	return ci, nil
+}
+
+func (s *server) lookupUserFromID(uid string) (*user.User, error) {
+	u, err := user.LookupId(uid)
+	if err != nil && runtime.GOOS == "windows" && errors.Is(err, syscall.Errno(0x534)) {
+		s.logf("[warning] issue 869: os/user.LookupId failed; ignoring")
+		// Work around https://github.com/tailscale/tailscale/issues/869 for
+		// now. We don't strictly need the username. It's just a nice-to-have.
+		// So make up a *user.User if their machine is broken in this way.
+		return &user.User{
+			Uid:      uid,
+			Username: "unknown-user-" + uid,
+			Name:     "unknown user " + uid,
+		}, nil
+	}
+	return u, err
+}
+
+// blockWhileInUse blocks while until either a Read from conn fails
+// (i.e. it's closed) or until the server is able to accept ci as a
+// user.
+func (s *server) blockWhileInUse(conn io.Reader, ci connIdentity) {
+	s.logf("blocking client while server in use; connIdentity=%v", ci)
+	connDone := make(chan struct{})
+	go func() {
+		io.Copy(ioutil.Discard, conn)
+		close(connDone)
+	}()
+	ch := make(chan struct{}, 1)
+	s.registerDisconnectSub(ch, true)
+	defer s.registerDisconnectSub(ch, false)
+	for {
+		select {
+		case <-connDone:
+			s.logf("blocked client Read completed; connIdentity=%v", ci)
+			return
+		case <-ch:
+			s.mu.Lock()
+			err := s.checkConnIdentityLocked(ci)
+			s.mu.Unlock()
+			if err == nil {
+				s.logf("unblocking client, server is free; connIdentity=%v", ci)
+				// Server is now available again for a new user.
+				// TODO(bradfitz): keep this connection alive. But for
+				// now just return and have our caller close the connection
+				// (which unblocks the io.Copy goroutine we started above)
+				// and then the client (e.g. Windows) will reconnect and
+				// discover that it works.
+				return
+			}
+		}
+	}
 }

 func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
-	s.addConn(c)
-	logf("incoming control connection")
+	// First see if it's an HTTP request.
+	br := bufio.NewReader(c)
+	c.SetReadDeadline(time.Now().Add(time.Second))
+	peek, _ := br.Peek(4)
+	c.SetReadDeadline(time.Time{})
+	isHTTPReq := string(peek) == "GET "
+
+	ci, err := s.addConn(c, isHTTPReq)
+	if err != nil {
+		if isHTTPReq {
+			fmt.Fprintf(c, "HTTP/1.0 500 Nope\r\nContent-Type: text/plain\r\nX-Content-Type-Options: nosniff\r\n\r\n%s\n", err.Error())
+			c.Close()
+			return
+		}
+		defer c.Close()
+		serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+		bs := ipn.NewBackendServer(logf, nil, serverToClient)
+		_, occupied := err.(inUseOtherUserError)
+		if occupied {
+			bs.SendInUseOtherUserErrorMessage(err.Error())
+			s.blockWhileInUse(c, ci)
+		} else {
+			bs.SendErrorMessage(err.Error())
+			time.Sleep(time.Second)
+		}
+		return
+	}
+
+	// Tell the LocalBackend about the identity we're now running as.
+	s.b.SetCurrentUserID(ci.UserID)
+
+	if isHTTPReq {
+		httpServer := http.Server{
+			// Localhost connections are cheap; so only do
+			// keep-alives for a short period of time, as these
+			// active connections lock the server into only serving
+			// that user. If the user has this page open, we don't
+			// want another switching user to be locked out for
+			// minutes. 5 seconds is enough to let browser hit
+			// favicon.ico and such.
+			IdleTimeout: 5 * time.Second,
+			ErrorLog:    logger.StdLogger(logf),
+			Handler:     s.localhostHandler(ci),
+		}
+		httpServer.Serve(&oneConnListener{&protoSwitchConn{s: s, br: br, Conn: c}})
+		return
+	}
+
 	defer s.removeAndCloseConn(c)
+	logf("[v1] incoming control connection")
+
+	if isReadonlyConn(c, logf) {
+		ctx = ipn.ReadonlyContextOf(ctx)
+	}
+
 	for ctx.Err() == nil {
-		msg, err := ipn.ReadMsg(c)
+		msg, err := ipn.ReadMsg(br)
 		if err != nil {
-			if ctx.Err() == nil {
+			if errors.Is(err, io.EOF) {
+				logf("[v1] ReadMsg: %v", err)
+			} else if ctx.Err() == nil {
 				logf("ReadMsg: %v", err)
 			}
 			return
 		}
 		s.bsMu.Lock()
-		if err := s.bs.GotCommandMsg(msg); err != nil {
+		if err := s.bs.GotCommandMsg(ctx, msg); err != nil {
 			logf("GotCommandMsg: %v", err)
 		}
 		gotQuit := s.bs.GotQuit
@@ -107,25 +294,126 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	}
 }

-func (s *server) addConn(c net.Conn) {
+// inUseOtherUserError is the error type for when the server is in use
+// by a different local user.
+type inUseOtherUserError struct{ error }
+
+func (e inUseOtherUserError) Unwrap() error { return e.error }
+
+// checkConnIdentityLocked checks whether the provided identity is
+// allowed to connect to the server.
+//
+// The returned error, when non-nil, will be of type inUseOtherUserError.
+//
+// s.mu must be held.
+func (s *server) checkConnIdentityLocked(ci connIdentity) error {
+	// If clients are already connected, verify they're the same user.
+	// This mostly matters on Windows at the moment.
+	if len(s.allClients) > 0 {
+		var active connIdentity
+		for _, active = range s.allClients {
+			break
+		}
+		if ci.UserID != active.UserID {
+			//lint:ignore ST1005 we want to capitalize Tailscale here
+			return inUseOtherUserError{fmt.Errorf("Tailscale already in use by %s, pid %d", active.User.Username, active.Pid)}
+		}
+	}
+	if su := s.serverModeUser; su != nil && ci.UserID != su.Uid {
+		//lint:ignore ST1005 we want to capitalize Tailscale here
+		return inUseOtherUserError{fmt.Errorf("Tailscale already in use by %s", su.Username)}
+	}
+	return nil
+}
+
+// registerDisconnectSub adds ch as a subscribe to connection disconnect
+// events. If add is false, the subscriber is removed.
+func (s *server) registerDisconnectSub(ch chan<- struct{}, add bool) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
+	if add {
+		if s.disconnectSub == nil {
+			s.disconnectSub = make(map[chan<- struct{}]struct{})
+		}
+		s.disconnectSub[ch] = struct{}{}
+	} else {
+		delete(s.disconnectSub, ch)
+	}
+
+}
+
+// addConn adds c to the server's list of clients.
+//
+// If the returned error is of type inUseOtherUserError then the
+// returned connIdentity is also valid.
+func (s *server) addConn(c net.Conn, isHTTP bool) (ci connIdentity, err error) {
+	ci, err = s.getConnIdentity(c)
+	if err != nil {
+		return
+	}
+
+	// If the connected user changes, reset the backend server state to make
+	// sure node keys don't leak between users.
+	var doReset bool
+	defer func() {
+		if doReset {
+			s.logf("identity changed; resetting server")
+			s.bsMu.Lock()
+			s.bs.Reset(context.TODO())
+			s.bsMu.Unlock()
+		}
+	}()
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	if s.clients == nil {
 		s.clients = map[net.Conn]bool{}
 	}
-	s.clients[c] = true
+	if s.allClients == nil {
+		s.allClients = map[net.Conn]connIdentity{}
+	}
+
+	if err := s.checkConnIdentityLocked(ci); err != nil {
+		return ci, err
+	}
+
+	if !isHTTP {
+		s.clients[c] = true
+	}
+	s.allClients[c] = ci
+
+	if s.lastUserID != ci.UserID {
+		if s.lastUserID != "" {
+			doReset = true
+		}
+		s.lastUserID = ci.UserID
+	}
+	return ci, nil
 }

 func (s *server) removeAndCloseConn(c net.Conn) {
 	s.mu.Lock()
 	delete(s.clients, c)
-	remain := len(s.clients)
+	delete(s.allClients, c)
+	remain := len(s.allClients)
+	for sub := range s.disconnectSub {
+		select {
+		case sub <- struct{}{}:
+		default:
+		}
+	}
 	s.mu.Unlock()

 	if remain == 0 && s.resetOnZero {
-		s.bsMu.Lock()
-		s.bs.Reset()
-		s.bsMu.Unlock()
+		if s.b.InServerMode() {
+			s.logf("client disconnected; staying alive in server mode")
+		} else {
+			s.logf("client disconnected; stopping server")
+			s.bsMu.Lock()
+			s.bs.Reset(context.TODO())
+			s.bsMu.Unlock()
+		}
 	}
 	c.Close()
 }
@@ -140,9 +428,48 @@ func (s *server) stopAll() {
 	s.clients = nil
 }

+// setServerModeUserLocked is called when we're in server mode but our s.serverModeUser is nil.
+//
+// s.mu must be held
+func (s *server) setServerModeUserLocked() {
+	var ci connIdentity
+	var ok bool
+	for _, ci = range s.allClients {
+		ok = true
+		break
+	}
+	if !ok {
+		s.logf("ipnserver: [unexpected] now in server mode, but no connected client")
+		return
+	}
+	if ci.Unknown {
+		return
+	}
+	if ci.User != nil {
+		s.logf("ipnserver: now in server mode; user=%v", ci.User.Username)
+		s.serverModeUser = ci.User
+	} else {
+		s.logf("ipnserver: [unexpected] now in server mode, but nil User")
+	}
+}
+
 func (s *server) writeToClients(b []byte) {
+	inServerMode := s.b.InServerMode()
+
 	s.mu.Lock()
 	defer s.mu.Unlock()
+
+	if inServerMode {
+		if s.serverModeUser == nil {
+			s.setServerModeUserLocked()
+		}
+	} else {
+		if s.serverModeUser != nil {
+			s.logf("ipnserver: no longer in server mode")
+			s.serverModeUser = nil
+		}
+	}
+
 	for c := range s.clients {
 		ipn.WriteMsg(c, b)
 	}
@@ -160,6 +487,7 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	}

 	server := &server{
+		logf:        logf,
 		resetOnZero: !opts.SurviveDisconnects,
 	}

@@ -175,13 +503,12 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	}()
 	logf("Listening on %v", listen.Addr())

-	bo := backoff.NewBackoff("ipnserver", logf)
-
+	bo := backoff.NewBackoff("ipnserver", logf, 30*time.Second)
 	var unservedConn net.Conn // if non-nil, accepted, but hasn't served yet

 	eng, err := getEngine()
 	if err != nil {
-		logf("Initial getEngine call: %v", err)
+		logf("ipnserver: initial getEngine call: %v", err)
 		for i := 1; ctx.Err() == nil; i++ {
 			c, err := listen.Accept()
 			if err != nil {
@@ -189,14 +516,14 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 				bo.BackOff(ctx, err)
 				continue
 			}
-			logf("%d: trying getEngine again...", i)
+			logf("ipnserver: try%d: trying getEngine again...", i)
 			eng, err = getEngine()
 			if err == nil {
 				logf("%d: GetEngine worked; exiting failure loop", i)
 				unservedConn = c
 				break
 			}
-			logf("%d: getEngine failed again: %v", i, err)
+			logf("ipnserver%d: getEngine failed again: %v", i, err)
 			errMsg := err.Error()
 			go func() {
 				defer c.Close()
@@ -217,6 +544,24 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 		if err != nil {
 			return fmt.Errorf("ipn.NewFileStore(%q): %v", opts.StatePath, err)
 		}
+		if opts.AutostartStateKey == "" {
+			autoStartKey, err := store.ReadState(ipn.ServerModeStartKey)
+			if err != nil && err != ipn.ErrStateNotExist {
+				return fmt.Errorf("calling ReadState on %s: %w", opts.StatePath, err)
+			}
+			key := string(autoStartKey)
+			if strings.HasPrefix(key, "user-") {
+				uid := strings.TrimPrefix(key, "user-")
+				u, err := server.lookupUserFromID(uid)
+				if err != nil {
+					logf("ipnserver: found server mode auto-start key %q; failed to load user: %v", key, err)
+				} else {
+					logf("ipnserver: found server mode auto-start key %q (user %s)", key, u.Username)
+					server.serverModeUser = u
+				}
+				opts.AutostartStateKey = ipn.StateKey(key)
+			}
+		}
 	} else {
 		store = &ipn.MemoryStore{}
 	}
@@ -232,18 +577,16 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (

 	if opts.DebugMux != nil {
 		opts.DebugMux.HandleFunc("/debug/ipn", func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			st := b.Status()
-			// TODO(bradfitz): add LogID and opts to st?
-			st.WriteHTML(w)
+			serveHTMLStatus(w, b)
 		})
 	}

+	server.b = b
 	server.bs = ipn.NewBackendServer(logf, b, server.writeToClients)

 	if opts.AutostartStateKey != "" {
-		server.bs.GotCommand(&ipn.Command{
-			Version: version.LONG,
+		server.bs.GotCommand(context.TODO(), &ipn.Command{
+			Version: version.Long,
 			Start: &ipn.StartArgs{
 				Opts: ipn.Options{
 					StateKey:         opts.AutostartStateKey,
@@ -253,6 +596,7 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 		})
 	}

+	systemd.Ready()
 	for i := 1; ctx.Err() == nil; i++ {
 		var c net.Conn
 		var err error
@@ -274,6 +618,11 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	return ctx.Err()
 }

+// BabysitProc runs the current executable as a child process with the
+// provided args, capturing its output, writing it to files, and
+// restarting the process on any crashes.
+//
+// It's only currently (2020-10-29) used on Windows.
 func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {

 	executable, err := os.Executable()
@@ -281,6 +630,14 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		panic("cannot determine executable: " + err.Error())
 	}

+	if runtime.GOOS == "windows" {
+		if len(args) != 2 && args[0] != "/subproc" {
+			panic(fmt.Sprintf("unexpected arguments %q", args))
+		}
+		logID := args[1]
+		logf = filelogger.New("tailscale-service", logID, logf)
+	}
+
 	var proc struct {
 		mu sync.Mutex
 		p  *os.Process
@@ -306,7 +663,7 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		proc.mu.Unlock()
 	}()

-	bo := backoff.NewBackoff("BabysitProc", logf)
+	bo := backoff.NewBackoff("BabysitProc", logf, 30*time.Second)

 	for {
 		startTime := time.Now()
@@ -375,6 +732,10 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		// pipe. We'll make a new one when we restart the subproc.
 		wStdin.Close()

+		if os.Getenv("TS_DEBUG_RESTART_CRASHED") == "0" {
+			log.Fatalf("Process ended.")
+		}
+
 		if time.Since(startTime) < 60*time.Second {
 			bo.BackOff(ctx, fmt.Errorf("subproc early exit: %v", err))
 		} else {
@@ -394,3 +755,69 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 func FixedEngine(eng wgengine.Engine) func() (wgengine.Engine, error) {
 	return func() (wgengine.Engine, error) { return eng, nil }
 }
+
+type dummyAddr string
+type oneConnListener struct {
+	conn net.Conn
+}
+
+func (l *oneConnListener) Accept() (c net.Conn, err error) {
+	c = l.conn
+	if c == nil {
+		err = io.EOF
+		return
+	}
+	err = nil
+	l.conn = nil
+	return
+}
+
+func (l *oneConnListener) Close() error { return nil }
+
+func (l *oneConnListener) Addr() net.Addr { return dummyAddr("unused-address") }
+
+func (a dummyAddr) Network() string { return string(a) }
+func (a dummyAddr) String() string  { return string(a) }
+
+// protoSwitchConn is a net.Conn that's we want to speak HTTP to but
+// it's already had a few bytes read from it to determine that it's
+// HTTP. So we Read from its bufio.Reader. On Close, we we tell the
+// server it's closed, so the server can account the who's connected.
+type protoSwitchConn struct {
+	s *server
+	net.Conn
+	br        *bufio.Reader
+	closeOnce sync.Once
+}
+
+func (psc *protoSwitchConn) Read(p []byte) (int, error) { return psc.br.Read(p) }
+func (psc *protoSwitchConn) Close() error {
+	psc.closeOnce.Do(func() { psc.s.removeAndCloseConn(psc.Conn) })
+	return nil
+}
+
+func (s *server) localhostHandler(ci connIdentity) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if ci.Unknown {
+			io.WriteString(w, "<html><title>Tailscale</title><body><h1>Tailscale</h1>This is the local Tailscale daemon.")
+			return
+		}
+		serveHTMLStatus(w, s.b)
+	})
+}
+
+func serveHTMLStatus(w http.ResponseWriter, b *ipn.LocalBackend) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	st := b.Status()
+	// TODO(bradfitz): add LogID and opts to st?
+	st.WriteHTML(w)
+}
+
+func peerPid(entries []netstat.Entry, la, ra netaddr.IPPort) int {
+	for _, e := range entries {
+		if e.Local == ra && e.Remote == la {
+			return e.Pid
+		}
+	}
+	return 0
+}
--- a/ipn/ipnserver/server_test.go
+++ b/ipn/ipnserver/server_test.go
@@ -7,8 +7,6 @@ package ipnserver_test
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
-	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -25,11 +23,7 @@ func TestRunMultipleAccepts(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	td, err := ioutil.TempDir("", "TestRunMultipleAccepts")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(td)
+	td := t.TempDir()
 	socketPath := filepath.Join(td, "tailscale.sock")

 	logf := func(format string, args ...interface{}) {
@@ -62,7 +56,7 @@ func TestRunMultipleAccepts(t *testing.T) {
 		}
 	}

-	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
+	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -25,10 +25,13 @@ import (

 // Status represents the entire state of the IPN network.
 type Status struct {
-	BackendState string
-	TailscaleIPs []netaddr.IP // Tailscale IP(s) assigned to this node
-	Peer         map[key.Public]*PeerStatus
-	User         map[tailcfg.UserID]tailcfg.UserProfile
+	BackendState   string
+	TailscaleIPs   []netaddr.IP // Tailscale IP(s) assigned to this node
+	Self           *PeerStatus
+	MagicDNSSuffix string // e.g. "userfoo.tailscale.net" (no surrounding dots)
+
+	Peer map[key.Public]*PeerStatus
+	User map[tailcfg.UserID]tailcfg.UserProfile
 }

 func (s *Status) Peers() []key.Public {
@@ -43,6 +46,7 @@ func (s *Status) Peers() []key.Public {
 type PeerStatus struct {
 	PublicKey key.Public
 	HostName  string // HostInfo's Hostname (not a DNS name or necessarily unique)
+	DNSName   string
 	OS        string // HostInfo.OS
 	UserID    tailcfg.UserID

@@ -61,6 +65,12 @@ type PeerStatus struct {
 	LastHandshake time.Time // with local wireguard
 	KeepAlive     bool

+	// ShareeNode indicates this node exists in the netmap because
+	// it's owned by a shared-to user and that node might connect
+	// to us. These nodes should be hidden by "tailscale status"
+	// etc by default.
+	ShareeNode bool `json:",omitempty"`
+
 	// InNetworkMap means that this peer was seen in our latest network map.
 	// In theory, all of InNetworkMap and InMagicSock and InEngine should all be true.
 	InNetworkMap bool
@@ -88,6 +98,18 @@ type StatusBuilder struct {
 	st     Status
 }

+func (sb *StatusBuilder) SetBackendState(v string) {
+	sb.mu.Lock()
+	defer sb.mu.Unlock()
+	sb.st.BackendState = v
+}
+
+func (sb *StatusBuilder) SetMagicDNSSuffix(v string) {
+	sb.mu.Lock()
+	defer sb.mu.Unlock()
+	sb.st.MagicDNSSuffix = v
+}
+
 func (sb *StatusBuilder) Status() *Status {
 	sb.mu.Lock()
 	defer sb.mu.Unlock()
@@ -95,6 +117,13 @@ func (sb *StatusBuilder) Status() *Status {
 	return &sb.st
 }

+// SetSelfStatus sets the status of the local machine.
+func (sb *StatusBuilder) SetSelfStatus(ss *PeerStatus) {
+	sb.mu.Lock()
+	defer sb.mu.Unlock()
+	sb.st.Self = ss
+}
+
 // AddUser adds a user profile to the status.
 func (sb *StatusBuilder) AddUser(id tailcfg.UserID, up tailcfg.UserProfile) {
 	sb.mu.Lock()
@@ -151,6 +180,9 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 	if v := st.HostName; v != "" {
 		e.HostName = v
 	}
+	if v := st.DNSName; v != "" {
+		e.DNSName = v
+	}
 	if v := st.Relay; v != "" {
 		e.Relay = v
 	}
@@ -199,6 +231,9 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 	if st.KeepAlive {
 		e.KeepAlive = true
 	}
+	if st.ShareeNode {
+		e.ShareeNode = true
+	}
 }

 type StatusUpdater interface {
@@ -322,3 +357,21 @@ func osEmoji(os string) string {
 	}
 	return "👽"
 }
+
+// PingResult contains response information for the "tailscale ping" subcommand,
+// saying how Tailscale can reach a Tailscale IP or subnet-routed IP.
+type PingResult struct {
+	IP       string // ping destination
+	NodeIP   string // Tailscale IP of node handling IP (different for subnet routers)
+	NodeName string // DNS name base or (possibly not unique) hostname
+
+	Err            string
+	LatencySeconds float64
+
+	Endpoint string // ip:port if direct UDP was used
+
+	DERPRegionID   int    // non-zero if DERP was used
+	DERPRegionCode string // three-letter airport/region code if DERP was used
+
+	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
+}
--- a/ipn/local.go
+++ b/ipn/local.go
--- a/ipn/local_test.go
+++ b/ipn/local_test.go
@@ -0,0 +1,119 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipn
+
+import (
+	"inet.af/netaddr"
+	"tailscale.com/control/controlclient"
+	"tailscale.com/tailcfg"
+	"testing"
+)
+
+func TestNetworkMapCompare(t *testing.T) {
+	prefix1, err := netaddr.ParseIPPrefix("192.168.0.0/24")
+	if err != nil {
+		t.Fatal(err)
+	}
+	node1 := &tailcfg.Node{Addresses: []netaddr.IPPrefix{prefix1}}
+
+	prefix2, err := netaddr.ParseIPPrefix("10.0.0.0/8")
+	if err != nil {
+		t.Fatal(err)
+	}
+	node2 := &tailcfg.Node{Addresses: []netaddr.IPPrefix{prefix2}}
+
+	tests := []struct {
+		name string
+		a, b *controlclient.NetworkMap
+		want bool
+	}{
+		{
+			"both nil",
+			nil,
+			nil,
+			true,
+		},
+		{
+			"b nil",
+			&controlclient.NetworkMap{},
+			nil,
+			false,
+		},
+		{
+			"a nil",
+			nil,
+			&controlclient.NetworkMap{},
+			false,
+		},
+		{
+			"both default",
+			&controlclient.NetworkMap{},
+			&controlclient.NetworkMap{},
+			true,
+		},
+		{
+			"names identical",
+			&controlclient.NetworkMap{Name: "map1"},
+			&controlclient.NetworkMap{Name: "map1"},
+			true,
+		},
+		{
+			"names differ",
+			&controlclient.NetworkMap{Name: "map1"},
+			&controlclient.NetworkMap{Name: "map2"},
+			false,
+		},
+		{
+			"Peers identical",
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{}},
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{}},
+			true,
+		},
+		{
+			"Peer list length",
+			// length of Peers list differs
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{{}}},
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{}},
+			false,
+		},
+		{
+			"Node names identical",
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{Name: "A"}}},
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{Name: "A"}}},
+			true,
+		},
+		{
+			"Node names differ",
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{Name: "A"}}},
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{Name: "B"}}},
+			false,
+		},
+		{
+			"Node lists identical",
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{node1, node1}},
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{node1, node1}},
+			true,
+		},
+		{
+			"Node lists differ",
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{node1, node1}},
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{node1, node2}},
+			false,
+		},
+		{
+			"Node Users differ",
+			// User field is not checked.
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{User: 0}}},
+			&controlclient.NetworkMap{Peers: []*tailcfg.Node{&tailcfg.Node{User: 1}}},
+			true,
+		},
+	}
+	for _, tt := range tests {
+		got := dnsMapsEqual(tt.a, tt.b)
+		if got != tt.want {
+			t.Errorf("%s: Equal = %v; want %v", tt.name, got, tt.want)
+		}
+	}
+}
--- a/ipn/loglines_test.go
+++ b/ipn/loglines_test.go
@@ -0,0 +1,92 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipn
+
+import (
+	"reflect"
+	"testing"
+	"time"
+
+	"tailscale.com/control/controlclient"
+	"tailscale.com/logtail"
+	"tailscale.com/tailcfg"
+	"tailscale.com/tstest"
+	"tailscale.com/types/key"
+	"tailscale.com/wgengine"
+)
+
+// TestLocalLogLines tests to make sure that the log lines required for log parsing are
+// being logged by the expected functions. Update these tests if moving log lines between
+// functions.
+func TestLocalLogLines(t *testing.T) {
+	logListen := tstest.NewLogLineTracker(t.Logf, []string{
+		"SetPrefs: %v",
+		"[v1] peer keys: %s",
+		"[v1] v%v peers: %v",
+	})
+	defer logListen.Close()
+
+	logid := func(hex byte) logtail.PublicID {
+		var ret logtail.PublicID
+		for i := 0; i < len(ret); i++ {
+			ret[i] = hex
+		}
+		return ret
+	}
+	idA := logid(0xaa)
+
+	// set up a LocalBackend, super bare bones. No functional data.
+	store := &MemoryStore{
+		cache: make(map[StateKey][]byte),
+	}
+	e, err := wgengine.NewFakeUserspaceEngine(logListen.Logf, 0, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	lb, err := NewLocalBackend(logListen.Logf, idA.String(), store, e)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer lb.Shutdown()
+
+	// custom adjustments for required non-nil fields
+	lb.prefs = NewPrefs()
+	lb.hostinfo = &tailcfg.Hostinfo{}
+	// hacky manual override of the usual log-on-change behaviour of keylogf
+	lb.keyLogf = logListen.Logf
+
+	testWantRemain := func(wantRemain ...string) func(t *testing.T) {
+		return func(t *testing.T) {
+			if remain := logListen.Check(); !reflect.DeepEqual(remain, wantRemain) {
+				t.Errorf("remain %q, want %q", remain, wantRemain)
+			}
+		}
+	}
+
+	// log prefs line
+	persist := &controlclient.Persist{}
+	prefs := NewPrefs()
+	prefs.Persist = persist
+	lb.SetPrefs(prefs)
+
+	t.Run("after_prefs", testWantRemain("[v1] peer keys: %s", "[v1] v%v peers: %v"))
+
+	// log peers, peer keys
+	status := &wgengine.Status{
+		Peers: []wgengine.PeerStatus{wgengine.PeerStatus{
+			TxBytes:       10,
+			RxBytes:       10,
+			LastHandshake: time.Now(),
+			NodeKey:       tailcfg.NodeKey(key.NewPrivate()),
+		}},
+		LocalAddrs: []string{"idk an address"},
+	}
+	lb.mu.Lock()
+	lb.parseWgStatusLocked(status)
+	lb.mu.Unlock()
+
+	t.Run("after_peers", testWantRemain())
+}
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -5,6 +5,8 @@
 package ipn

 import (
+	"bytes"
+	"context"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
@@ -19,6 +21,26 @@ import (
 	"tailscale.com/version"
 )

+type readOnlyContextKey struct{}
+
+// IsReadonlyContext reports whether ctx is a read-only context, as currently used
+// by Unix non-root users running the "tailscale" CLI command. They can run "status",
+// but not much else.
+func IsReadonlyContext(ctx context.Context) bool {
+	return ctx.Value(readOnlyContextKey{}) != nil
+}
+
+// ReadonlyContextOf returns ctx wrapped with a context value that
+// will make IsReadonlyContext reports true.
+func ReadonlyContextOf(ctx context.Context) context.Context {
+	if IsReadonlyContext(ctx) {
+		return ctx
+	}
+	return context.WithValue(ctx, readOnlyContextKey{}, readOnlyContextKey{})
+}
+
+var jsonEscapedZero = []byte(`\u0000`)
+
 type NoArgs struct{}

 type StartArgs struct {
@@ -33,6 +55,10 @@ type FakeExpireAfterArgs struct {
 	Duration time.Duration
 }

+type PingArgs struct {
+	IP string
+}
+
 // Command is a command message that is JSON encoded and sent by a
 // frontend to a backend.
 type Command struct {
@@ -53,9 +79,11 @@ type Command struct {
 	Login                 *oauth2.Token
 	Logout                *NoArgs
 	SetPrefs              *SetPrefsArgs
+	SetWantRunning        *bool
 	RequestEngineStatus   *NoArgs
 	RequestStatus         *NoArgs
 	FakeExpireAfter       *FakeExpireAfterArgs
+	Ping                  *PingArgs
 }

 type BackendServer struct {
@@ -74,11 +102,14 @@ func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(b []byte))
 }

 func (bs *BackendServer) send(n Notify) {
-	n.Version = version.LONG
+	n.Version = version.Long
 	b, err := json.Marshal(n)
 	if err != nil {
 		log.Fatalf("Failed json.Marshal(notify): %v\n%#v", err, n)
 	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendServer.send notify message: %q", b)
+	}
 	bs.sendNotifyMsg(b)
 }

@@ -86,9 +117,20 @@ func (bs *BackendServer) SendErrorMessage(msg string) {
 	bs.send(Notify{ErrMessage: &msg})
 }

+// SendInUseOtherUserErrorMessage sends a Notify message to the client that
+// both sets the state to 'InUseOtherUser' and sets the associated reason
+// to msg.
+func (bs *BackendServer) SendInUseOtherUserErrorMessage(msg string) {
+	inUse := InUseOtherUser
+	bs.send(Notify{
+		State:      &inUse,
+		ErrMessage: &msg,
+	})
+}
+
 // GotCommandMsg parses the incoming message b as a JSON Command and
 // calls GotCommand with it.
-func (bs *BackendServer) GotCommandMsg(b []byte) error {
+func (bs *BackendServer) GotCommandMsg(ctx context.Context, b []byte) error {
 	cmd := &Command{}
 	if len(b) == 0 {
 		return nil
@@ -96,18 +138,18 @@ func (bs *BackendServer) GotCommandMsg(b []byte) error {
 	if err := json.Unmarshal(b, cmd); err != nil {
 		return err
 	}
-	return bs.GotCommand(cmd)
+	return bs.GotCommand(ctx, cmd)
 }

-func (bs *BackendServer) GotFakeCommand(cmd *Command) error {
-	cmd.Version = version.LONG
-	return bs.GotCommand(cmd)
+func (bs *BackendServer) GotFakeCommand(ctx context.Context, cmd *Command) error {
+	cmd.Version = version.Long
+	return bs.GotCommand(ctx, cmd)
 }

-func (bs *BackendServer) GotCommand(cmd *Command) error {
-	if cmd.Version != version.LONG && !cmd.AllowVersionSkew {
+func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
+	if cmd.Version != version.Long && !cmd.AllowVersionSkew {
 		vs := fmt.Sprintf("GotCommand: Version mismatch! frontend=%#v backend=%#v",
-			cmd.Version, version.LONG)
+			cmd.Version, version.Long)
 		bs.logf("%s", vs)
 		// ignore the command, but send a message back to the
 		// caller so it can realize the version mismatch too.
@@ -118,12 +160,33 @@ func (bs *BackendServer) GotCommand(cmd *Command) error {
 		})
 		return nil
 	}
+
+	// TODO(bradfitz): finish plumbing context down to all the methods below;
+	// currently we just check for read-only contexts in this method and
+	// then never use contexts again.
+
+	// Actions permitted with a read-only context:
+	if c := cmd.RequestEngineStatus; c != nil {
+		bs.b.RequestEngineStatus()
+		return nil
+	} else if c := cmd.RequestStatus; c != nil {
+		bs.b.RequestStatus()
+		return nil
+	} else if c := cmd.Ping; c != nil {
+		bs.b.Ping(c.IP)
+		return nil
+	}
+
+	if IsReadonlyContext(ctx) {
+		msg := "permission denied"
+		bs.send(Notify{ErrMessage: &msg})
+		return nil
+	}
+
 	if cmd.Quit != nil {
 		bs.GotQuit = true
 		return errors.New("Quit command received")
-	}
-
-	if c := cmd.Start; c != nil {
+	} else if c := cmd.Start; c != nil {
 		opts := c.Opts
 		opts.Notify = bs.send
 		return bs.b.Start(opts)
@@ -139,24 +202,20 @@ func (bs *BackendServer) GotCommand(cmd *Command) error {
 	} else if c := cmd.SetPrefs; c != nil {
 		bs.b.SetPrefs(c.New)
 		return nil
-	} else if c := cmd.RequestEngineStatus; c != nil {
-		bs.b.RequestEngineStatus()
-		return nil
-	} else if c := cmd.RequestStatus; c != nil {
-		bs.b.RequestStatus()
+	} else if c := cmd.SetWantRunning; c != nil {
+		bs.b.SetWantRunning(*c)
 		return nil
 	} else if c := cmd.FakeExpireAfter; c != nil {
 		bs.b.FakeExpireAfter(c.Duration)
 		return nil
-	} else {
-		return fmt.Errorf("BackendServer.Do: no command specified")
 	}
+	return fmt.Errorf("BackendServer.Do: no command specified")
 }

-func (bs *BackendServer) Reset() error {
+func (bs *BackendServer) Reset(ctx context.Context) error {
 	// Tell the backend we got a Logout command, which will cause it
 	// to forget all its authentication information.
-	return bs.GotFakeCommand(&Command{Logout: &NoArgs{}})
+	return bs.GotFakeCommand(ctx, &Command{Logout: &NoArgs{}})
 }

 type BackendClient struct {
@@ -181,13 +240,16 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 		// not interesting
 		return
 	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendClient.GotNotifyMsg message: %q", b)
+	}
 	n := Notify{}
 	if err := json.Unmarshal(b, &n); err != nil {
 		log.Fatalf("BackendClient.Notify: cannot decode message (length=%d)\n%#v", len(b), string(b))
 	}
-	if n.Version != version.LONG && !bc.AllowVersionSkew {
+	if n.Version != version.Long && !bc.AllowVersionSkew {
 		vs := fmt.Sprintf("GotNotify: Version mismatch! frontend=%#v backend=%#v",
-			version.LONG, n.Version)
+			version.Long, n.Version)
 		bc.logf("%s", vs)
 		// delete anything in the notification except the version,
 		// to prevent incorrect operation.
@@ -202,11 +264,14 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 }

 func (bc *BackendClient) send(cmd Command) {
-	cmd.Version = version.LONG
+	cmd.Version = version.Long
 	b, err := json.Marshal(cmd)
 	if err != nil {
 		log.Fatalf("Failed json.Marshal(cmd): %v\n%#v\n", err, cmd)
 	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendClient.send command: %q", b)
+	}
 	bc.sendCommandMsg(b)
 }

@@ -254,8 +319,16 @@ func (bc *BackendClient) FakeExpireAfter(x time.Duration) {
 	bc.send(Command{FakeExpireAfter: &FakeExpireAfterArgs{Duration: x}})
 }

+func (bc *BackendClient) Ping(ip string) {
+	bc.send(Command{Ping: &PingArgs{IP: ip}})
+}
+
+func (bc *BackendClient) SetWantRunning(v bool) {
+	bc.send(Command{SetWantRunning: &v})
+}
+
 // MaxMessageSize is the maximum message size, in bytes.
-const MaxMessageSize = 1 << 20
+const MaxMessageSize = 10 << 20

 // TODO(apenwarr): incremental json decode?
 //  That would let us avoid storing the whole byte array uselessly in RAM.
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -6,6 +6,7 @@ package ipn

 import (
 	"bytes"
+	"context"
 	"testing"
 	"time"

@@ -81,7 +82,7 @@ func TestClientServer(t *testing.T) {
 		serverToClientCh <- append([]byte{}, b...)
 	}
 	clientToServer := func(b []byte) {
-		bs.GotCommandMsg(b)
+		bs.GotCommandMsg(context.TODO(), b)
 	}
 	slogf := func(fmt string, args ...interface{}) {
 		t.Logf("s: "+fmt, args...)
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -5,57 +5,73 @@
 package ipn

 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
+	"runtime"
+	"strings"

-	"github.com/tailscale/wireguard-go/wgcfg"
+	"inet.af/netaddr"
 	"tailscale.com/atomicfile"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/wgengine/router"
 )

+//go:generate go run tailscale.com/cmd/cloner -type=Prefs -output=prefs_clone.go
+
 // Prefs are the user modifiable settings of the Tailscale node agent.
 type Prefs struct {
 	// ControlURL is the URL of the control server to use.
 	ControlURL string
+
 	// RouteAll specifies whether to accept subnet and default routes
 	// advertised by other nodes on the Tailscale network.
 	RouteAll bool
+
 	// AllowSingleHosts specifies whether to install routes for each
 	// node IP on the tailscale network, in addition to a route for
 	// the whole network.
+	// This corresponds to the "tailscale up --host-routes" value,
+	// which defaults to true.
 	//
 	// TODO(danderson): why do we have this? It dumps a lot of stuff
 	// into the routing table, and a single network route _should_ be
 	// all that we need. But when I turn this off in my tailscaled,
 	// packets stop flowing. What's up with that?
 	AllowSingleHosts bool
+
 	// CorpDNS specifies whether to install the Tailscale network's
 	// DNS configuration, if it exists.
 	CorpDNS bool
+
 	// WantRunning indicates whether networking should be active on
 	// this node.
 	WantRunning bool
+
 	// ShieldsUp indicates whether to block all incoming connections,
 	// regardless of the control-provided packet filter. If false, we
 	// use the packet filter as provided. If true, we block incoming
-	// connections.
+	// connections. This overrides tailcfg.Hostinfo's ShieldsUp.
 	ShieldsUp bool
+
 	// AdvertiseTags specifies groups that this node wants to join, for
 	// purposes of ACL enforcement. These can be referenced from the ACL
 	// security policy. Note that advertising a tag doesn't guarantee that
 	// the control server will allow you to take on the rights for that
 	// tag.
 	AdvertiseTags []string
+
 	// Hostname is the hostname to use for identifying the node. If
 	// not set, os.Hostname is used.
 	Hostname string
+
 	// OSVersion overrides tailcfg.Hostinfo's OSVersion.
 	OSVersion string
+
 	// DeviceModel overrides tailcfg.Hostinfo's DeviceModel.
 	DeviceModel string

@@ -67,15 +83,25 @@ type Prefs struct {
 	// users narrow it down a bit.
 	NotepadURLs bool

-	// DisableDERP prevents DERP from being used.
-	DisableDERP bool
+	// ForceDaemon specifies whether a platform that normally
+	// operates in "client mode" (that is, requires an active user
+	// logged in with the GUI app running) should keep running after the
+	// GUI ends and/or the user logs out.
+	//
+	// The only current applicable platform is Windows. This
+	// forced Windows to go into "server mode" where Tailscale is
+	// running even with no users logged in. This might also be
+	// used for macOS in the future. This setting has no effect
+	// for Linux/etc, which always operate in daemon mode.
+	ForceDaemon bool `json:"ForceDaemon,omitempty"`

 	// The following block of options only have an effect on Linux.

 	// AdvertiseRoutes specifies CIDR prefixes to advertise into the
 	// Tailscale network as reachable through the current
 	// node.
-	AdvertiseRoutes []wgcfg.CIDR
+	AdvertiseRoutes []netaddr.IPPrefix
+
 	// NoSNAT specifies whether to source NAT traffic going to
 	// destinations in AdvertiseRoutes. The default is to apply source
 	// NAT, which makes the traffic appear to come from the router
@@ -87,6 +113,7 @@ type Prefs struct {
 	//
 	// Linux-only.
 	NoSNAT bool
+
 	// NetfilterMode specifies how much to manage netfilter rules for
 	// Tailscale, if at all.
 	NetfilterMode router.NetfilterMode
@@ -102,16 +129,46 @@ type Prefs struct {
 // IsEmpty reports whether p is nil or pointing to a Prefs zero value.
 func (p *Prefs) IsEmpty() bool { return p == nil || p.Equals(&Prefs{}) }

-func (p *Prefs) Pretty() string {
-	var pp string
-	if p.Persist != nil {
-		pp = p.Persist.Pretty()
-	} else {
-		pp = "Persist=nil"
+func (p *Prefs) Pretty() string { return p.pretty(runtime.GOOS) }
+func (p *Prefs) pretty(goos string) string {
+	var sb strings.Builder
+	sb.WriteString("Prefs{")
+	fmt.Fprintf(&sb, "ra=%v ", p.RouteAll)
+	if !p.AllowSingleHosts {
+		sb.WriteString("mesh=false ")
 	}
-	return fmt.Sprintf("Prefs{ra=%v mesh=%v dns=%v want=%v notepad=%v derp=%v shields=%v routes=%v snat=%v nf=%v %v}",
-		p.RouteAll, p.AllowSingleHosts, p.CorpDNS, p.WantRunning,
-		p.NotepadURLs, !p.DisableDERP, p.ShieldsUp, p.AdvertiseRoutes, !p.NoSNAT, p.NetfilterMode, pp)
+	fmt.Fprintf(&sb, "dns=%v want=%v ", p.CorpDNS, p.WantRunning)
+	if p.ForceDaemon {
+		sb.WriteString("server=true ")
+	}
+	if p.NotepadURLs {
+		sb.WriteString("notepad=true ")
+	}
+	if p.ShieldsUp {
+		sb.WriteString("shields=true ")
+	}
+	if len(p.AdvertiseRoutes) > 0 || goos == "linux" {
+		fmt.Fprintf(&sb, "routes=%v ", p.AdvertiseRoutes)
+	}
+	if len(p.AdvertiseRoutes) > 0 || p.NoSNAT {
+		fmt.Fprintf(&sb, "snat=%v ", !p.NoSNAT)
+	}
+	if len(p.AdvertiseTags) > 0 {
+		fmt.Fprintf(&sb, "tags=%s ", strings.Join(p.AdvertiseTags, ","))
+	}
+	if goos == "linux" {
+		fmt.Fprintf(&sb, "nf=%v ", p.NetfilterMode)
+	}
+	if p.ControlURL != "" && p.ControlURL != "https://login.tailscale.com" {
+		fmt.Fprintf(&sb, "url=%q ", p.ControlURL)
+	}
+	if p.Persist != nil {
+		sb.WriteString(p.Persist.Pretty())
+	} else {
+		sb.WriteString("Persist=nil")
+	}
+	sb.WriteString("}")
+	return sb.String()
 }

 func (p *Prefs) ToBytes() []byte {
@@ -137,24 +194,24 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.CorpDNS == p2.CorpDNS &&
 		p.WantRunning == p2.WantRunning &&
 		p.NotepadURLs == p2.NotepadURLs &&
-		p.DisableDERP == p2.DisableDERP &&
 		p.ShieldsUp == p2.ShieldsUp &&
 		p.NoSNAT == p2.NoSNAT &&
 		p.NetfilterMode == p2.NetfilterMode &&
 		p.Hostname == p2.Hostname &&
 		p.OSVersion == p2.OSVersion &&
 		p.DeviceModel == p2.DeviceModel &&
+		p.ForceDaemon == p2.ForceDaemon &&
 		compareIPNets(p.AdvertiseRoutes, p2.AdvertiseRoutes) &&
 		compareStrings(p.AdvertiseTags, p2.AdvertiseTags) &&
 		p.Persist.Equals(p2.Persist)
 }

-func compareIPNets(a, b []wgcfg.CIDR) bool {
+func compareIPNets(a, b []netaddr.IPPrefix) bool {
 	if len(a) != len(b) {
 		return false
 	}
 	for i := range a {
-		if !a[i].IP.Equal(b[i].IP) || a[i].Mask != b[i].Mask {
+		if a[i] != b[i] {
 			return false
 		}
 	}
@@ -213,26 +270,24 @@ func PrefsFromBytes(b []byte, enforceDefaults bool) (*Prefs, error) {
 	return p, err
 }

-// Clone returns a deep copy of p.
-func (p *Prefs) Clone() *Prefs {
-	// TODO: write a faster/non-Fatal-y Clone implementation?
-	p2, err := PrefsFromBytes(p.ToBytes(), false)
-	if err != nil {
-		log.Fatalf("Prefs was uncopyable: %v\n", err)
-	}
-	return p2
-}
-
 // LoadPrefs loads a legacy relaynode config file into Prefs
 // with sensible migration defaults set.
 func LoadPrefs(filename string) (*Prefs, error) {
 	data, err := ioutil.ReadFile(filename)
 	if err != nil {
-		return nil, fmt.Errorf("loading prefs from %q: %v", filename, err)
+		return nil, fmt.Errorf("LoadPrefs open: %w", err) // err includes path
+	}
+	if bytes.Contains(data, jsonEscapedZero) {
+		// Tailscale 1.2.0 - 1.2.8 on Windows had a memory corruption bug
+		// in the backend process that ended up sending NULL bytes over JSON
+		// to the frontend which wrote them out to JSON files on disk.
+		// So if we see one, treat is as corrupt and the user will need
+		// to log in again. (better than crashing)
+		return nil, os.ErrNotExist
 	}
 	p, err := PrefsFromBytes(data, false)
 	if err != nil {
-		return nil, fmt.Errorf("decoding prefs in %q: %v", filename, err)
+		return nil, fmt.Errorf("LoadPrefs(%q) decode: %w", filename, err)
 	}
 	return p, nil
 }
@@ -241,7 +296,7 @@ func SavePrefs(filename string, p *Prefs) {
 	log.Printf("Saving prefs %v %v\n", filename, p.Pretty())
 	data := p.ToBytes()
 	os.MkdirAll(filepath.Dir(filename), 0700)
-	if err := atomicfile.WriteFile(filename, data, 0666); err != nil {
+	if err := atomicfile.WriteFile(filename, data, 0600); err != nil {
 		log.Printf("SavePrefs: %v\n", err)
 	}
 }
--- a/ipn/prefs_clone.go
+++ b/ipn/prefs_clone.go
@@ -0,0 +1,51 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner -type Prefs; DO NOT EDIT.
+
+package ipn
+
+import (
+	"inet.af/netaddr"
+	"tailscale.com/control/controlclient"
+	"tailscale.com/wgengine/router"
+)
+
+// Clone makes a deep copy of Prefs.
+// The result aliases no memory with the original.
+func (src *Prefs) Clone() *Prefs {
+	if src == nil {
+		return nil
+	}
+	dst := new(Prefs)
+	*dst = *src
+	dst.AdvertiseTags = append(src.AdvertiseTags[:0:0], src.AdvertiseTags...)
+	dst.AdvertiseRoutes = append(src.AdvertiseRoutes[:0:0], src.AdvertiseRoutes...)
+	if dst.Persist != nil {
+		dst.Persist = new(controlclient.Persist)
+		*dst.Persist = *src.Persist
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with command:
+//   tailscale.com/cmd/cloner -type Prefs
+var _PrefsNeedsRegeneration = Prefs(struct {
+	ControlURL       string
+	RouteAll         bool
+	AllowSingleHosts bool
+	CorpDNS          bool
+	WantRunning      bool
+	ShieldsUp        bool
+	AdvertiseTags    []string
+	Hostname         string
+	OSVersion        string
+	DeviceModel      string
+	NotepadURLs      bool
+	ForceDaemon      bool
+	AdvertiseRoutes  []netaddr.IPPrefix
+	NoSNAT           bool
+	NetfilterMode    router.NetfilterMode
+	Persist          *controlclient.Persist
+}{})
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -5,12 +5,18 @@
 package ipn

 import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
 	"reflect"
 	"testing"
+	"time"

-	"github.com/tailscale/wireguard-go/wgcfg"
+	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/tstest"
+	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine/router"
 )

@@ -24,15 +30,15 @@ func fieldsOf(t reflect.Type) (fields []string) {
 func TestPrefsEqual(t *testing.T) {
 	tstest.PanicOnLog()

-	prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "CorpDNS", "WantRunning", "ShieldsUp", "AdvertiseTags", "Hostname", "OSVersion", "DeviceModel", "NotepadURLs", "DisableDERP", "AdvertiseRoutes", "NoSNAT", "NetfilterMode", "Persist"}
+	prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "CorpDNS", "WantRunning", "ShieldsUp", "AdvertiseTags", "Hostname", "OSVersion", "DeviceModel", "NotepadURLs", "ForceDaemon", "AdvertiseRoutes", "NoSNAT", "NetfilterMode", "Persist"}
 	if have := fieldsOf(reflect.TypeOf(Prefs{})); !reflect.DeepEqual(have, prefsHandles) {
 		t.Errorf("Prefs.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, prefsHandles)
 	}

-	nets := func(strs ...string) (ns []wgcfg.CIDR) {
+	nets := func(strs ...string) (ns []netaddr.IPPrefix) {
 		for _, s := range strs {
-			n, err := wgcfg.ParseCIDR(s)
+			n, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
 				panic(err)
 			}
@@ -161,12 +167,12 @@ func TestPrefsEqual(t *testing.T) {

 		{
 			&Prefs{AdvertiseRoutes: nil},
-			&Prefs{AdvertiseRoutes: []wgcfg.CIDR{}},
+			&Prefs{AdvertiseRoutes: []netaddr.IPPrefix{}},
 			true,
 		},
 		{
-			&Prefs{AdvertiseRoutes: []wgcfg.CIDR{}},
-			&Prefs{AdvertiseRoutes: []wgcfg.CIDR{}},
+			&Prefs{AdvertiseRoutes: []netaddr.IPPrefix{}},
+			&Prefs{AdvertiseRoutes: []netaddr.IPPrefix{}},
 			true,
 		},
 		{
@@ -278,3 +284,114 @@ func TestPrefsPersist(t *testing.T) {
 	}
 	checkPrefs(t, p)
 }
+
+func TestPrefsPretty(t *testing.T) {
+	tests := []struct {
+		p    Prefs
+		os   string
+		want string
+	}{
+		{
+			Prefs{},
+			"linux",
+			"Prefs{ra=false mesh=false dns=false want=false routes=[] nf=off Persist=nil}",
+		},
+		{
+			Prefs{},
+			"windows",
+			"Prefs{ra=false mesh=false dns=false want=false Persist=nil}",
+		},
+		{
+			Prefs{ShieldsUp: true},
+			"windows",
+			"Prefs{ra=false mesh=false dns=false want=false shields=true Persist=nil}",
+		},
+		{
+			Prefs{AllowSingleHosts: true},
+			"windows",
+			"Prefs{ra=false dns=false want=false Persist=nil}",
+		},
+		{
+			Prefs{
+				NotepadURLs:      true,
+				AllowSingleHosts: true,
+			},
+			"windows",
+			"Prefs{ra=false dns=false want=false notepad=true Persist=nil}",
+		},
+		{
+			Prefs{
+				AllowSingleHosts: true,
+				WantRunning:      true,
+				ForceDaemon:      true, // server mode
+			},
+			"windows",
+			"Prefs{ra=false dns=false want=true server=true Persist=nil}",
+		},
+		{
+			Prefs{
+				AllowSingleHosts: true,
+				WantRunning:      true,
+				ControlURL:       "http://localhost:1234",
+				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
+			},
+			"darwin",
+			`Prefs{ra=false dns=false want=true tags=tag:foo,tag:bar url="http://localhost:1234" Persist=nil}`,
+		},
+		{
+			Prefs{
+				Persist: &controlclient.Persist{},
+			},
+			"linux",
+			`Prefs{ra=false mesh=false dns=false want=false routes=[] nf=off Persist{lm=, o=, n= u=""}}`,
+		},
+		{
+			Prefs{
+				Persist: &controlclient.Persist{
+					PrivateNodeKey: wgkey.Private{1: 1},
+				},
+			},
+			"linux",
+			`Prefs{ra=false mesh=false dns=false want=false routes=[] nf=off Persist{lm=, o=, n=[B1VKl] u=""}}`,
+		},
+	}
+	for i, tt := range tests {
+		got := tt.p.pretty(tt.os)
+		if got != tt.want {
+			t.Errorf("%d. wrong String:\n got: %s\nwant: %s\n", i, got, tt.want)
+		}
+	}
+}
+
+func TestLoadPrefsNotExist(t *testing.T) {
+	bogusFile := fmt.Sprintf("/tmp/not-exist-%d", time.Now().UnixNano())
+
+	p, err := LoadPrefs(bogusFile)
+	if errors.Is(err, os.ErrNotExist) {
+		// expected.
+		return
+	}
+	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
+}
+
+// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs hanldes corrupted input files.
+// See issue #954 for details.
+func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
+	f, err := ioutil.TempFile("", "TestLoadPrefsFileWithZeroInIt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	path := f.Name()
+	if _, err := f.Write(jsonEscapedZero); err != nil {
+		t.Fatal(err)
+	}
+	f.Close()
+	defer os.Remove(path)
+
+	p, err := LoadPrefs(path)
+	if errors.Is(err, os.ErrNotExist) {
+		// expected.
+		return
+	}
+	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
+}
--- a/ipn/store.go
+++ b/ipn/store.go
@@ -5,9 +5,12 @@
 package ipn

 import (
+	"bytes"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
+	"log"
 	"os"
 	"path/filepath"
 	"sync"
@@ -19,6 +22,30 @@ import (
 // requested state ID doesn't exist.
 var ErrStateNotExist = errors.New("no state with given ID")

+const (
+	// MachineKeyStateKey is the key under which we store the machine key,
+	// in its wgkey.Private.MarshalText representation.
+	MachineKeyStateKey = StateKey("_machinekey")
+
+	// GlobalDaemonStateKey is the ipn.StateKey that tailscaled
+	// loads on startup.
+	//
+	// We have to support multiple state keys for other OSes (Windows in
+	// particular), but right now Unix daemons run with a single
+	// node-global state. To keep open the option of having per-user state
+	// later, the global state key doesn't look like a username.
+	GlobalDaemonStateKey = StateKey("_daemon")
+
+	// ServerModeStartKey's value, if non-empty, is the value of a
+	// StateKey containing the prefs to start with which to start the
+	// server.
+	//
+	// For example, the value might be "user-1234", meaning the
+	// the server should start with the Prefs JSON loaded from
+	// StateKey "user-1234".
+	ServerModeStartKey = StateKey("server-mode-start-key")
+)
+
 // StateStore persists state, and produces it back on request.
 type StateStore interface {
 	// ReadState returns the bytes associated with ID. Returns (nil,
@@ -34,6 +61,8 @@ type MemoryStore struct {
 	cache map[StateKey][]byte
 }

+func (s *MemoryStore) String() string { return "MemoryStore" }
+
 // ReadState implements the StateStore interface.
 func (s *MemoryStore) ReadState(id StateKey) ([]byte, error) {
 	s.mu.Lock()
@@ -67,9 +96,19 @@ type FileStore struct {
 	cache map[StateKey][]byte
 }

+func (s *FileStore) String() string { return fmt.Sprintf("FileStore(%q)", s.path) }
+
 // NewFileStore returns a new file store that persists to path.
 func NewFileStore(path string) (*FileStore, error) {
 	bs, err := ioutil.ReadFile(path)
+
+	// Treat an empty file as a missing file.
+	// (https://github.com/tailscale/tailscale/issues/895#issuecomment-723255589)
+	if err == nil && len(bs) == 0 {
+		log.Printf("ipn.NewFileStore(%q): file empty; treating it like a missing file [warning]", path)
+		err = os.ErrNotExist
+	}
+
 	if err != nil {
 		if os.IsNotExist(err) {
 			// Write out an initial file, to verify that we can write
@@ -112,6 +151,9 @@ func (s *FileStore) ReadState(id StateKey) ([]byte, error) {
 func (s *FileStore) WriteState(id StateKey, bs []byte) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
+	if bytes.Equal(s.cache[id], bs) {
+		return nil
+	}
 	s.cache[id] = append([]byte(nil), bs...)
 	bs, err := json.MarshalIndent(s.cache, "", "  ")
 	if err != nil {
--- a/log/filelogger/log.go
+++ b/log/filelogger/log.go
@@ -0,0 +1,199 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package filelogger provides localdisk log writing & rotation, primarily for Windows
+// clients. (We get this for free on other platforms.)
+package filelogger
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	"tailscale.com/types/logger"
+)
+
+const (
+	maxSize  = 100 << 20
+	maxFiles = 50
+)
+
+// New returns a logf wrapper that appends to local disk log
+// files on Windows, rotating old log files as needed to stay under
+// file count & byte limits.
+func New(fileBasePrefix, logID string, logf logger.Logf) logger.Logf {
+	if runtime.GOOS != "windows" {
+		panic("not yet supported on any platform except Windows")
+	}
+	if logf == nil {
+		panic("nil logf")
+	}
+	dir := filepath.Join(os.Getenv("LocalAppData"), "Tailscale", "Logs")
+
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		log.Printf("failed to create local log directory; not writing logs to disk: %v", err)
+		return logf
+	}
+	logf("local disk logdir: %v", dir)
+	lfw := &logFileWriter{
+		fileBasePrefix: fileBasePrefix,
+		logID:          logID,
+		dir:            dir,
+		wrappedLogf:    logf,
+	}
+	return lfw.Logf
+}
+
+// logFileWriter is the state for the log writer & rotator.
+type logFileWriter struct {
+	dir            string      // e.g. `C:\Users\FooBarUser\AppData\Local\Tailscale\Logs`
+	logID          string      // hex logID
+	fileBasePrefix string      // e.g. "tailscale-service" or "tailscale-gui"
+	wrappedLogf    logger.Logf // underlying logger to send to
+
+	mu   sync.Mutex   // guards following
+	buf  bytes.Buffer // scratch buffer to avoid allocs
+	fday civilDay     // day that f was opened; zero means no file yet open
+	f    *os.File     // file currently opened for append
+}
+
+// civilDay is a year, month, and day in the local timezone.
+// It's a comparable value type.
+type civilDay struct {
+	year  int
+	month time.Month
+	day   int
+}
+
+func dayOf(t time.Time) civilDay {
+	return civilDay{t.Year(), t.Month(), t.Day()}
+}
+
+func (w *logFileWriter) Logf(format string, a ...interface{}) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	w.buf.Reset()
+	fmt.Fprintf(&w.buf, format, a...)
+	if w.buf.Len() == 0 {
+		return
+	}
+	out := w.buf.Bytes()
+	w.wrappedLogf("%s", out)
+
+	// Make sure there's a final newline before we write to the log file.
+	if out[len(out)-1] != '\n' {
+		w.buf.WriteByte('\n')
+		out = w.buf.Bytes()
+	}
+
+	w.appendToFileLocked(out)
+}
+
+// out should end in a newline.
+// w.mu must be held.
+func (w *logFileWriter) appendToFileLocked(out []byte) {
+	now := time.Now()
+	day := dayOf(now)
+	if w.fday != day {
+		w.startNewFileLocked()
+	}
+	if w.f != nil {
+		// RFC3339Nano but with a fixed number (3) of nanosecond digits:
+		const formatPre = "2006-01-02T15:04:05"
+		const formatPost = "Z07:00"
+		fmt.Fprintf(w.f, "%s.%03d%s: %s",
+			now.Format(formatPre),
+			now.Nanosecond()/int(time.Millisecond/time.Nanosecond),
+			now.Format(formatPost),
+			out)
+	}
+}
+
+// startNewFileLocked opens a new log file for writing
+// and also cleans up any old files.
+//
+// w.mu must be held.
+func (w *logFileWriter) startNewFileLocked() {
+	var oldName string
+	if w.f != nil {
+		oldName = filepath.Base(w.f.Name())
+		w.f.Close()
+		w.f = nil
+		w.fday = civilDay{}
+	}
+	w.cleanLocked()
+
+	now := time.Now()
+	day := dayOf(now)
+	name := filepath.Join(w.dir, fmt.Sprintf("%s-%04d%02d%02dT%02d%02d%02d-%d.txt",
+		w.fileBasePrefix,
+		day.year,
+		day.month,
+		day.day,
+		now.Hour(),
+		now.Minute(),
+		now.Second(),
+		now.Unix()))
+	var err error
+	w.f, err = os.Create(name)
+	if err != nil {
+		w.wrappedLogf("failed to create log file: %v", err)
+		return
+	}
+	if oldName != "" {
+		fmt.Fprintf(w.f, "(logID %q; continued from log file %s)\n", w.logID, oldName)
+	} else {
+		fmt.Fprintf(w.f, "(logID %q)\n", w.logID)
+	}
+	w.fday = day
+}
+
+// cleanLocked cleans up old log files.
+//
+// w.mu must be held.
+func (w *logFileWriter) cleanLocked() {
+	fis, _ := ioutil.ReadDir(w.dir)
+	prefix := w.fileBasePrefix + "-"
+	fileSize := map[string]int64{}
+	var files []string
+	var sumSize int64
+	for _, fi := range fis {
+		baseName := filepath.Base(fi.Name())
+		if !strings.HasPrefix(baseName, prefix) {
+			continue
+		}
+		size := fi.Size()
+		fileSize[baseName] = size
+		sumSize += size
+		files = append(files, baseName)
+	}
+	if sumSize > maxSize {
+		w.wrappedLogf("cleaning log files; sum byte count %d > %d", sumSize, maxSize)
+	}
+	if len(files) > maxFiles {
+		w.wrappedLogf("cleaning log files; number of files %d > %d", len(files), maxFiles)
+	}
+	for (sumSize > maxSize || len(files) > maxFiles) && len(files) > 0 {
+		target := files[0]
+		files = files[1:]
+
+		targetSize := fileSize[target]
+		targetFull := filepath.Join(w.dir, target)
+		err := os.Remove(targetFull)
+		if err != nil {
+			w.wrappedLogf("error cleaning log file: %v", err)
+		} else {
+			sumSize -= targetSize
+			w.wrappedLogf("cleaned log file %s (size %d); new bytes=%v, files=%v", targetFull, targetSize, sumSize, len(files))
+		}
+	}
+}
--- a/log/logheap/logheap.go
+++ b/log/logheap/logheap.go
@@ -15,15 +15,18 @@ import (
 	"time"
 )

-// LogHeap writes a JSON logtail record with the base64 heap pprof to
-// os.Stderr.
+// LogHeap uploads a JSON logtail record with the base64 heap pprof by means
+// of an HTTP POST request to the endpoint referred to in postURL.
 func LogHeap(postURL string) {
 	if postURL == "" {
 		return
 	}
 	runtime.GC()
 	buf := new(bytes.Buffer)
-	pprof.WriteHeapProfile(buf)
+	if err := pprof.WriteHeapProfile(buf); err != nil {
+		log.Printf("LogHeap: %v", err)
+		return
+	}

 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -25,13 +25,17 @@ import (
 	"strings"
 	"time"

-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 	"tailscale.com/atomicfile"
 	"tailscale.com/logtail"
 	"tailscale.com/logtail/filch"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/paths"
 	"tailscale.com/smallzstd"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/racebuild"
 	"tailscale.com/version"
 )

@@ -45,7 +49,7 @@ type Config struct {
 // Policy is a logger and its public ID.
 type Policy struct {
 	// Logtail is the logger.
-	Logtail logtail.Logger
+	Logtail *logtail.Logger
 	// PublicID is the logger's instance identifier.
 	PublicID logtail.PublicID
 }
@@ -54,7 +58,7 @@ type Policy struct {
 func (c *Config) ToBytes() []byte {
 	data, err := json.MarshalIndent(c, "", "\t")
 	if err != nil {
-		log.Fatalf("logpolicy.Config marshal: %v\n", err)
+		log.Fatalf("logpolicy.Config marshal: %v", err)
 	}
 	return data
 }
@@ -101,21 +105,36 @@ func (l logWriter) Write(buf []byte) (int, error) {

 // logsDir returns the directory to use for log configuration and
 // buffer storage.
-func logsDir() string {
+func logsDir(logf logger.Logf) string {
+	// STATE_DIRECTORY is set by systemd 240+ but we support older
+	// systems-d. For example, Ubuntu 18.04 (Bionic Beaver) is 237.
 	systemdStateDir := os.Getenv("STATE_DIRECTORY")
 	if systemdStateDir != "" {
+		logf("logpolicy: using $STATE_DIRECTORY, %q", systemdStateDir)
 		return systemdStateDir
 	}

+	// Default to e.g. /var/lib/tailscale or /var/db/tailscale on Unix.
+	if d := paths.DefaultTailscaledStateFile(); d != "" {
+		d = filepath.Dir(d) // directory of e.g. "/var/lib/tailscale/tailscaled.state"
+		if err := os.MkdirAll(d, 0700); err == nil {
+			logf("logpolicy: using system state directory %q", d)
+			return d
+		}
+	}
+
 	cacheDir, err := os.UserCacheDir()
 	if err == nil {
-		return filepath.Join(cacheDir, "Tailscale")
+		d := filepath.Join(cacheDir, "Tailscale")
+		logf("logpolicy: using UserCacheDir, %q", d)
+		return d
 	}

 	// Use the current working directory, unless we're being run by a
 	// service manager that sets it to /.
 	wd, err := os.Getwd()
 	if err == nil && wd != "/" {
+		logf("logpolicy: using current directory, %q", wd)
 		return wd
 	}

@@ -126,6 +145,7 @@ func logsDir() string {
 	if err != nil {
 		panic("no safe place found to store log state")
 	}
+	logf("logpolicy: using temp directory, %q", tmp)
 	return tmp
 }

@@ -291,11 +311,14 @@ func tryFixLogStateLocation(dir, cmdname string) {
 // given collection name.
 func New(collection string) *Policy {
 	var lflags int
-	if terminal.IsTerminal(2) || runtime.GOOS == "windows" {
+	if term.IsTerminal(2) || runtime.GOOS == "windows" {
 		lflags = 0
 	} else {
 		lflags = log.LstdFlags
 	}
+	if v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_LOG_TIME")); v {
+		lflags = log.LstdFlags | log.Lmicroseconds
+	}
 	if runningUnderSystemd() {
 		// If journalctl is going to prepend its own timestamp
 		// anyway, no need to add one.
@@ -303,7 +326,13 @@ func New(collection string) *Policy {
 	}
 	console := log.New(stderrWriter{}, "", lflags)

-	dir := logsDir()
+	var earlyErrBuf bytes.Buffer
+	earlyLogf := func(format string, a ...interface{}) {
+		fmt.Fprintf(&earlyErrBuf, format, a...)
+		earlyErrBuf.WriteByte('\n')
+	}
+
+	dir := logsDir(earlyLogf)

 	cmdName := version.CmdName()
 	tryFixLogStateLocation(dir, cmdName)
@@ -312,13 +341,13 @@ func New(collection string) *Policy {
 	var oldc *Config
 	data, err := ioutil.ReadFile(cfgPath)
 	if err != nil {
-		log.Printf("logpolicy.Read %v: %v\n", cfgPath, err)
+		earlyLogf("logpolicy.Read %v: %v", cfgPath, err)
 		oldc = &Config{}
 		oldc.Collection = collection
 	} else {
 		oldc, err = ConfigFromBytes(data)
 		if err != nil {
-			log.Printf("logpolicy.Config unmarshal: %v\n", err)
+			earlyLogf("logpolicy.Config unmarshal: %v", err)
 			oldc = &Config{}
 		}
 	}
@@ -331,7 +360,7 @@ func New(collection string) *Policy {
 		newc.PrivateID = logtail.PrivateID{}
 		newc.Collection = collection
 	}
-	if newc.PrivateID == (logtail.PrivateID{}) {
+	if newc.PrivateID.IsZero() {
 		newc.PrivateID, err = logtail.NewPrivateID()
 		if err != nil {
 			log.Fatalf("logpolicy: NewPrivateID() should never fail")
@@ -340,7 +369,7 @@ func New(collection string) *Policy {
 	newc.PublicID = newc.PrivateID.Public()
 	if newc != *oldc {
 		if err := newc.save(cfgPath); err != nil {
-			log.Printf("logpolicy.Config.Save: %v\n", err)
+			earlyLogf("logpolicy.Config.Save: %v", err)
 		}
 	}

@@ -362,18 +391,21 @@ func New(collection string) *Policy {
 	if filchBuf != nil {
 		c.Buffer = filchBuf
 	}
-	lw := logtail.Log(c, log.Printf)
+	lw := logtail.NewLogger(c, log.Printf)
 	log.SetFlags(0) // other logflags are set on console, not here
 	log.SetOutput(lw)

-	log.Printf("Program starting: v%v, Go %v: %#v\n",
-		version.LONG,
-		strings.TrimPrefix(runtime.Version(), "go"),
+	log.Printf("Program starting: v%v, Go %v: %#v",
+		version.Long,
+		goVersion(),
 		os.Args)
-	log.Printf("LogID: %v\n", newc.PublicID)
+	log.Printf("LogID: %v", newc.PublicID)
 	if filchErr != nil {
 		log.Printf("filch failed: %v", filchErr)
 	}
+	if earlyErrBuf.Len() != 0 {
+		log.Printf("%s", earlyErrBuf.Bytes())
+	}

 	return &Policy{
 		Logtail:  lw,
@@ -381,6 +413,15 @@ func New(collection string) *Policy {
 	}
 }

+// SetVerbosityLevel controls the verbosity level that should be
+// written to stderr. 0 is the default (not verbose). Levels 1 or higher
+// are increasingly verbose.
+//
+// It should not be changed concurrently with log writes.
+func (p *Policy) SetVerbosityLevel(level int) {
+	p.Logtail.SetVerbosityLevel(level)
+}
+
 // Close immediately shuts down the logger.
 func (p *Policy) Close() {
 	ctx, cancel := context.WithCancel(context.Background())
@@ -392,7 +433,7 @@ func (p *Policy) Close() {
 // log upload if it can be done before ctx is canceled.
 func (p *Policy) Shutdown(ctx context.Context) error {
 	if p.Logtail != nil {
-		log.Printf("flushing log.\n")
+		log.Printf("flushing log.")
 		return p.Logtail.Shutdown(ctx)
 	}
 	return nil
@@ -404,6 +445,9 @@ func newLogtailTransport(host string) *http.Transport {
 	// Start with a copy of http.DefaultTransport and tweak it a bit.
 	tr := http.DefaultTransport.(*http.Transport).Clone()

+	tr.Proxy = tshttpproxy.ProxyFromEnvironment
+	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
+
 	// We do our own zstd compression on uploads, and responses never contain any payload,
 	// so don't send "Accept-Encoding: gzip" to save a few bytes on the wire, since there
 	// will never be any body to decompress:
@@ -445,3 +489,11 @@ func newLogtailTransport(host string) *http.Transport {

 	return tr
 }
+
+func goVersion() string {
+	v := strings.TrimPrefix(runtime.Version(), "go")
+	if racebuild.On {
+		return v + "-race"
+	}
+	return v
+}
--- a/logtail/backoff/backoff.go
+++ b/logtail/backoff/backoff.go
@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+// Package backoff provides a back-off timer type.
 package backoff

 import (
@@ -12,54 +13,70 @@ import (
 	"tailscale.com/types/logger"
 )

-const MAX_BACKOFF_MSEC = 30000
-
+// Backoff tracks state the history of consecutive failures and sleeps
+// an increasing amount of time, up to a provided limit.
 type Backoff struct {
-	n int
+	n          int // number of consecutive failures
+	maxBackoff time.Duration
+
 	// Name is the name of this backoff timer, for logging purposes.
 	name string
 	// logf is the function used for log messages when backing off.
 	logf logger.Logf
-	// NewTimer is the function that acts like time.NewTimer().
-	// You can override this in unit tests.
-	NewTimer func(d time.Duration) *time.Timer
+
+	// NewTimer is the function that acts like time.NewTimer.
+	// It's for use in unit tests.
+	NewTimer func(time.Duration) *time.Timer
+
 	// LogLongerThan sets the minimum time of a single backoff interval
 	// before we mention it in the log.
 	LogLongerThan time.Duration
 }

-func NewBackoff(name string, logf logger.Logf) Backoff {
-	return Backoff{
-		name:     name,
-		logf:     logf,
-		NewTimer: time.NewTimer,
+// NewBackoff returns a new Backoff timer with the provided name (for logging), logger,
+// and max backoff time. By default, all failures (calls to BackOff with a non-nil err)
+// are logged unless the returned Backoff.LogLongerThan is adjusted.
+func NewBackoff(name string, logf logger.Logf, maxBackoff time.Duration) *Backoff {
+	return &Backoff{
+		name:       name,
+		logf:       logf,
+		maxBackoff: maxBackoff,
+		NewTimer:   time.NewTimer,
 	}
 }

+// Backoff sleeps an increasing amount of time if err is non-nil.
+// and the context is not a
+// It resets the backoff schedule once err is nil.
 func (b *Backoff) BackOff(ctx context.Context, err error) {
-	if ctx.Err() == nil && err != nil {
-		b.n++
-		// n^2 backoff timer is a little smoother than the
-		// common choice of 2^n.
-		msec := b.n * b.n * 10
-		if msec > MAX_BACKOFF_MSEC {
-			msec = MAX_BACKOFF_MSEC
-		}
-		// Randomize the delay between 0.5-1.5 x msec, in order
-		// to prevent accidental "thundering herd" problems.
-		msec = rand.Intn(msec) + msec/2
-		dur := time.Duration(msec) * time.Millisecond
-		if dur >= b.LogLongerThan {
-			b.logf("%s: backoff: %d msec\n", b.name, msec)
-		}
-		t := b.NewTimer(dur)
-		select {
-		case <-ctx.Done():
-			t.Stop()
-		case <-t.C:
-		}
-	} else {
-		// not a regular error
+	if err == nil {
+		// No error. Reset number of consecutive failures.
 		b.n = 0
+		return
+	}
+	if ctx.Err() != nil {
+		// Fast path.
+		return
+	}
+
+	b.n++
+	// n^2 backoff timer is a little smoother than the
+	// common choice of 2^n.
+	d := time.Duration(b.n*b.n) * 10 * time.Millisecond
+	if d > b.maxBackoff {
+		d = b.maxBackoff
+	}
+	// Randomize the delay between 0.5-1.5 x msec, in order
+	// to prevent accidental "thundering herd" problems.
+	d = time.Duration(float64(d) * (rand.Float64() + 0.5))
+
+	if d >= b.LogLongerThan {
+		b.logf("%s: backoff: %d msec", b.name, d.Milliseconds())
+	}
+	t := b.NewTimer(d)
+	select {
+	case <-ctx.Done():
+		t.Stop()
+	case <-t.C:
 	}
 }
--- a/logtail/example/logtail/logtail.go
+++ b/logtail/example/logtail/logtail.go
@@ -31,7 +31,7 @@ func main() {
 		log.Fatalf("logtail: bad -privateid: %v", err)
 	}

-	logger := logtail.Log(logtail.Config{
+	logger := logtail.NewLogger(logtail.Config{
 		Collection: *collection,
 		PrivateID:  id,
 	}, log.Printf)
--- a/logtail/filch/filch.go
+++ b/logtail/filch/filch.go
@@ -131,11 +131,11 @@ func New(filePrefix string, opts Options) (f *Filch, err error) {
 	path1 := filePrefix + ".log1.txt"
 	path2 := filePrefix + ".log2.txt"

-	f1, err = os.OpenFile(path1, os.O_CREATE|os.O_RDWR, 0666)
+	f1, err = os.OpenFile(path1, os.O_CREATE|os.O_RDWR, 0600)
 	if err != nil {
 		return nil, err
 	}
-	f2, err = os.OpenFile(path2, os.O_CREATE|os.O_RDWR, 0666)
+	f2, err = os.OpenFile(path2, os.O_CREATE|os.O_RDWR, 0600)
 	if err != nil {
 		return nil, err
 	}
--- a/logtail/filch/filch_test.go
+++ b/logtail/filch/filch_test.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 	"unicode"
@@ -56,19 +56,8 @@ func (f *filchTest) close(t *testing.T) {
 	}
 }

-func genFilePrefix(t *testing.T) (dir, prefix string) {
-	t.Helper()
-	dir, err := ioutil.TempDir("", "filch")
-	if err != nil {
-		t.Fatal(err)
-	}
-	return dir, filepath.Join(dir, "ringbuffer-")
-}
-
 func TestQueue(t *testing.T) {
-	td, filePrefix := genFilePrefix(t)
-	defer os.RemoveAll(td)
-
+	filePrefix := t.TempDir()
 	f := newFilchTest(t, filePrefix, Options{ReplaceStderr: false})

 	f.readEOF(t)
@@ -90,8 +79,7 @@ func TestQueue(t *testing.T) {

 func TestRecover(t *testing.T) {
 	t.Run("empty", func(t *testing.T) {
-		td, filePrefix := genFilePrefix(t)
-		defer os.RemoveAll(td)
+		filePrefix := t.TempDir()
 		f := newFilchTest(t, filePrefix, Options{ReplaceStderr: false})
 		f.write(t, "hello")
 		f.read(t, "hello")
@@ -104,8 +92,7 @@ func TestRecover(t *testing.T) {
 	})

 	t.Run("cur", func(t *testing.T) {
-		td, filePrefix := genFilePrefix(t)
-		defer os.RemoveAll(td)
+		filePrefix := t.TempDir()
 		f := newFilchTest(t, filePrefix, Options{ReplaceStderr: false})
 		f.write(t, "hello")
 		f.close(t)
@@ -123,8 +110,7 @@ func TestRecover(t *testing.T) {
 		filch_test.go:129: r.ReadLine()="hello", want "world"
 		*/

-		td, filePrefix := genFilePrefix(t)
-		defer os.RemoveAll(td)
+		filePrefix := t.TempDir()
 		f := newFilchTest(t, filePrefix, Options{ReplaceStderr: false})
 		f.write(t, "hello")
 		f.read(t, "hello")
@@ -143,6 +129,14 @@ func TestRecover(t *testing.T) {
 }

 func TestFilchStderr(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		// TODO(bradfitz): this is broken on Windows but not
+		// fully sure why. Investigate.  But notably, the
+		// stderrFD variable (defined in filch.go) and set
+		// below is only ever read in filch_unix.go. So just
+		// skip this for test for now.
+		t.Skip("test broken on Windows")
+	}
 	pipeR, pipeW, err := os.Pipe()
 	if err != nil {
 		t.Fatal(err)
@@ -155,8 +149,7 @@ func TestFilchStderr(t *testing.T) {
 		stderrFD = 2
 	}()

-	td, filePrefix := genFilePrefix(t)
-	defer os.RemoveAll(td)
+	filePrefix := t.TempDir()
 	f := newFilchTest(t, filePrefix, Options{ReplaceStderr: true})
 	f.write(t, "hello")
 	if _, err := fmt.Fprintf(pipeW, "filch\n"); err != nil {
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -14,6 +14,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
+	"strconv"
 	"time"

 	"tailscale.com/logtail/backoff"
@@ -24,34 +25,6 @@ import (
 // Config.BaseURL isn't provided.
 const DefaultHost = "log.tailscale.io"

-type Logger interface {
-	// Write logs an encoded JSON blob.
-	//
-	// If the []byte passed to Write is not an encoded JSON blob,
-	// then contents is fit into a JSON blob and written.
-	//
-	// This is intended as an interface for the stdlib "log" package.
-	Write([]byte) (int, error)
-
-	// Flush uploads all logs to the server.
-	// It blocks until complete or there is an unrecoverable error.
-	Flush() error
-
-	// Shutdown gracefully shuts down the logger while completing any
-	// remaining uploads.
-	//
-	// It will block, continuing to try and upload unless the passed
-	// context object interrupts it by being done.
-	// If the shutdown is interrupted, an error is returned.
-	Shutdown(context.Context) error
-
-	// Close shuts down this logger object, the background log uploader
-	// process, and any associated goroutines.
-	//
-	// DEPRECATED: use Shutdown
-	Close()
-}
-
 type Encoder interface {
 	EncodeAll(src, dst []byte) []byte
 	Close() error
@@ -66,15 +39,16 @@ type Config struct {
 	LowMemory      bool             // if true, logtail minimizes memory use
 	TimeNow        func() time.Time // if set, subsitutes uses of time.Now
 	Stderr         io.Writer        // if set, logs are sent here instead of os.Stderr
+	StderrLevel    int              // max verbosity level to write to stderr; 0 means the non-verbose messages only
 	Buffer         Buffer           // temp storage, if nil a MemoryBuffer
 	NewZstdEncoder func() Encoder   // if set, used to compress logs for transmission

-	// DrainLogs, if non-nil, disables autmatic uploading of new logs,
+	// DrainLogs, if non-nil, disables automatic uploading of new logs,
 	// so that logs are only uploaded when a token is sent to DrainLogs.
 	DrainLogs <-chan struct{}
 }

-func Log(cfg Config, logf tslogger.Logf) Logger {
+func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	if cfg.BaseURL == "" {
 		cfg.BaseURL = "https://" + DefaultHost
 	}
@@ -94,8 +68,9 @@ func Log(cfg Config, logf tslogger.Logf) Logger {
 		}
 		cfg.Buffer = NewMemoryBuffer(pendingSize)
 	}
-	l := &logger{
+	l := &Logger{
 		stderr:         cfg.Stderr,
+		stderrLevel:    cfg.StderrLevel,
 		httpc:          cfg.HTTPC,
 		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
 		lowMem:         cfg.LowMemory,
@@ -105,7 +80,7 @@ func Log(cfg Config, logf tslogger.Logf) Logger {
 		sentinel:       make(chan int32, 16),
 		drainLogs:      cfg.DrainLogs,
 		timeNow:        cfg.TimeNow,
-		bo:             backoff.NewBackoff("logtail", logf),
+		bo:             backoff.NewBackoff("logtail", logf, 30*time.Second),

 		shutdownStart: make(chan struct{}),
 		shutdownDone:  make(chan struct{}),
@@ -122,8 +97,11 @@ func Log(cfg Config, logf tslogger.Logf) Logger {
 	return l
 }

-type logger struct {
+// Logger writes logs, splitting them as configured between local
+// logging facilities and uploading to a log server.
+type Logger struct {
 	stderr         io.Writer
+	stderrLevel    int
 	httpc          *http.Client
 	url            string
 	lowMem         bool
@@ -133,7 +111,7 @@ type logger struct {
 	drainLogs      <-chan struct{} // if non-nil, external signal to attempt a drain
 	sentinel       chan int32
 	timeNow        func() time.Time
-	bo             backoff.Backoff
+	bo             *backoff.Backoff
 	zstdEncoder    Encoder
 	uploadCancel   func()

@@ -141,7 +119,22 @@ type logger struct {
 	shutdownDone  chan struct{} // closd when shutdown complete
 }

-func (l *logger) Shutdown(ctx context.Context) error {
+// SetVerbosityLevel controls the verbosity level that should be
+// written to stderr. 0 is the default (not verbose). Levels 1 or higher
+// are increasingly verbose.
+//
+// It should not be changed concurrently with log writes.
+func (l *Logger) SetVerbosityLevel(level int) {
+	l.stderrLevel = level
+}
+
+// Shutdown gracefully shuts down the logger while completing any
+// remaining uploads.
+//
+// It will block, continuing to try and upload unless the passed
+// context object interrupts it by being done.
+// If the shutdown is interrupted, an error is returned.
+func (l *Logger) Shutdown(ctx context.Context) error {
 	done := make(chan struct{})
 	go func() {
 		select {
@@ -163,7 +156,11 @@ func (l *logger) Shutdown(ctx context.Context) error {
 	return nil
 }

-func (l *logger) Close() {
+// Close shuts down this logger object, the background log uploader
+// process, and any associated goroutines.
+//
+// Deprecated: use Shutdown
+func (l *Logger) Close() {
 	l.Shutdown(context.Background())
 }

@@ -174,7 +171,7 @@ func (l *logger) Close() {
 //
 // If the caller provides a DrainLogs channel, then unblock-drain-on-Write
 // is disabled, and it is up to the caller to trigger unblock the drain.
-func (l *logger) drainBlock() (shuttingDown bool) {
+func (l *Logger) drainBlock() (shuttingDown bool) {
 	if l.drainLogs == nil {
 		select {
 		case <-l.shutdownStart:
@@ -193,7 +190,7 @@ func (l *logger) drainBlock() (shuttingDown bool) {

 // drainPending drains and encodes a batch of logs from the buffer for upload.
 // If no logs are available, drainPending blocks until logs are available.
-func (l *logger) drainPending() (res []byte) {
+func (l *Logger) drainPending() (res []byte) {
 	buf := new(bytes.Buffer)
 	entries := 0

@@ -254,13 +251,22 @@ func (l *logger) drainPending() (res []byte) {
 }

 // This is the goroutine that repeatedly uploads logs in the background.
-func (l *logger) uploading(ctx context.Context) {
+func (l *Logger) uploading(ctx context.Context) {
 	defer close(l.shutdownDone)

 	for {
 		body := l.drainPending()
-		if l.zstdEncoder != nil {
-			body = l.zstdEncoder.EncodeAll(body, nil)
+		origlen := -1 // sentinel value: uncompressed
+		// Don't attempt to compress tiny bodies; not worth the CPU cycles.
+		if l.zstdEncoder != nil && len(body) > 256 {
+			zbody := l.zstdEncoder.EncodeAll(body, nil)
+			// Only send it compressed if the bandwidth savings are sufficient.
+			// Just the extra headers associated with enabling compression
+			// are 50 bytes by themselves.
+			if len(body)-len(zbody) > 64 {
+				origlen = len(body)
+				body = zbody
+			}
 		}

 		for len(body) > 0 {
@@ -269,7 +275,7 @@ func (l *logger) uploading(ctx context.Context) {
 				return
 			default:
 			}
-			uploaded, err := l.upload(ctx, body)
+			uploaded, err := l.upload(ctx, body, origlen)
 			if err != nil {
 				fmt.Fprintf(l.stderr, "logtail: upload: %v\n", err)
 			}
@@ -287,7 +293,10 @@ func (l *logger) uploading(ctx context.Context) {
 	}
 }

-func (l *logger) upload(ctx context.Context, body []byte) (uploaded bool, err error) {
+// upload uploads body to the log server.
+// origlen indicates the pre-compression body length.
+// origlen of -1 indicates that the body is not compressed.
+func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded bool, err error) {
 	req, err := http.NewRequest("POST", l.url, bytes.NewReader(body))
 	if err != nil {
 		// I know of no conditions under which this could fail.
@@ -295,8 +304,9 @@ func (l *logger) upload(ctx context.Context, body []byte) (uploaded bool, err er
 		// TODO record logs to disk
 		panic("logtail: cannot build http request: " + err.Error())
 	}
-	if l.zstdEncoder != nil {
+	if origlen != -1 {
 		req.Header.Add("Content-Encoding", "zstd")
+		req.Header.Add("Orig-Content-Length", strconv.Itoa(origlen))
 	}
 	req.Header["User-Agent"] = nil // not worth writing one; save some bytes

@@ -306,7 +316,7 @@ func (l *logger) upload(ctx context.Context, body []byte) (uploaded bool, err er
 	req = req.WithContext(ctx)

 	compressedNote := "not-compressed"
-	if l.zstdEncoder != nil {
+	if origlen != -1 {
 		compressedNote = "compressed"
 	}

@@ -333,11 +343,13 @@ func (l *logger) upload(ctx context.Context, body []byte) (uploaded bool, err er
 	return true, nil
 }

-func (l *logger) Flush() error {
+// Flush uploads all logs to the server.
+// It blocks until complete or there is an unrecoverable error.
+func (l *Logger) Flush() error {
 	return nil
 }

-func (l *logger) send(jsonBlob []byte) (int, error) {
+func (l *Logger) send(jsonBlob []byte) (int, error) {
 	n, err := l.buffer.Write(jsonBlob)
 	if l.drainLogs == nil {
 		select {
@@ -350,7 +362,7 @@ func (l *logger) send(jsonBlob []byte) (int, error) {

 // TODO: instead of allocating, this should probably just append
 // directly into the output log buffer.
-func (l *logger) encodeText(buf []byte, skipClientTime bool) []byte {
+func (l *Logger) encodeText(buf []byte, skipClientTime bool) []byte {
 	now := l.timeNow()

 	// Factor in JSON encoding overhead to try to only do one alloc
@@ -406,7 +418,7 @@ func (l *logger) encodeText(buf []byte, skipClientTime bool) []byte {
 	return b
 }

-func (l *logger) encode(buf []byte) []byte {
+func (l *Logger) encode(buf []byte) []byte {
 	if buf[0] != '{' {
 		return l.encodeText(buf, l.skipClientTime) // text fast-path
 	}
@@ -447,11 +459,18 @@ func (l *logger) encode(buf []byte) []byte {
 	return b
 }

-func (l *logger) Write(buf []byte) (int, error) {
+// Write logs an encoded JSON blob.
+//
+// If the []byte passed to Write is not an encoded JSON blob,
+// then contents is fit into a JSON blob and written.
+//
+// This is intended as an interface for the stdlib "log" package.
+func (l *Logger) Write(buf []byte) (int, error) {
 	if len(buf) == 0 {
 		return 0, nil
 	}
-	if l.stderr != nil && l.stderr != ioutil.Discard {
+	level, buf := parseAndRemoveLogLevel(buf)
+	if l.stderr != nil && l.stderr != ioutil.Discard && level <= l.stderrLevel {
 		if buf[len(buf)-1] == '\n' {
 			l.stderr.Write(buf)
 		} else {
@@ -465,3 +484,23 @@ func (l *logger) Write(buf []byte) (int, error) {
 	_, err := l.send(b)
 	return len(buf), err
 }
+
+var (
+	openBracketV = []byte("[v")
+	v1           = []byte("[v1] ")
+	v2           = []byte("[v2] ")
+)
+
+// level 0 is normal (or unknown) level; 1+ are increasingly verbose
+func parseAndRemoveLogLevel(buf []byte) (level int, cleanBuf []byte) {
+	if len(buf) == 0 || buf[0] == '{' || !bytes.Contains(buf, openBracketV) {
+		return 0, buf
+	}
+	if bytes.Contains(buf, v1) {
+		return 1, bytes.ReplaceAll(buf, v1, nil)
+	}
+	if bytes.Contains(buf, v2) {
+		return 2, bytes.ReplaceAll(buf, v2, nil)
+	}
+	return 0, buf
+}
--- a/logtail/logtail_test.go
+++ b/logtail/logtail_test.go
@@ -6,6 +6,12 @@ package logtail

 import (
 	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 )
@@ -14,16 +20,215 @@ func TestFastShutdown(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	cancel()

-	l := Log(Config{
-		BaseURL: "http://localhost:1234",
+	testServ := httptest.NewServer(http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {}))
+	defer testServ.Close()
+
+	l := NewLogger(Config{
+		BaseURL: testServ.URL,
 	}, t.Logf)
-	l.Shutdown(ctx)
+	err := l.Shutdown(ctx)
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+// maximum number of times a test will call l.Write()
+const logLines = 3
+
+type LogtailTestServer struct {
+	srv      *httptest.Server // Log server
+	uploaded chan []byte
+}
+
+func NewLogtailTestHarness(t *testing.T) (*LogtailTestServer, *Logger) {
+	ts := LogtailTestServer{}
+
+	// max channel backlog = 1 "started" + #logLines x "log line" + 1 "closed"
+	ts.uploaded = make(chan []byte, 2+logLines)
+
+	ts.srv = httptest.NewServer(http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			body, err := ioutil.ReadAll(r.Body)
+			if err != nil {
+				t.Error("failed to read HTTP request")
+			}
+			ts.uploaded <- body
+		}))
+
+	t.Cleanup(ts.srv.Close)
+
+	l := NewLogger(Config{BaseURL: ts.srv.URL}, t.Logf)
+
+	// There is always an initial "logtail started" message
+	body := <-ts.uploaded
+	if !strings.Contains(string(body), "started") {
+		t.Errorf("unknown start logging statement: %q", string(body))
+	}
+
+	return &ts, l
+}
+
+func TestDrainPendingMessages(t *testing.T) {
+	ts, l := NewLogtailTestHarness(t)
+
+	for i := 0; i < logLines; i++ {
+		l.Write([]byte("log line"))
+	}
+
+	// all of the "log line" messages usually arrive at once, but poll if needed.
+	body := ""
+	for i := 0; i <= logLines; i++ {
+		body += string(<-ts.uploaded)
+		count := strings.Count(body, "log line")
+		if count == logLines {
+			break
+		}
+		// if we never find count == logLines, the test will eventually time out.
+	}
+
+	err := l.Shutdown(context.Background())
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func TestEncodeAndUploadMessages(t *testing.T) {
+	ts, l := NewLogtailTestHarness(t)
+
+	tests := []struct {
+		name string
+		log  string
+		want string
+	}{
+		{
+			"plain text",
+			"log line",
+			"log line",
+		},
+		{
+			"simple JSON",
+			`{"text": "log line"}`,
+			"log line",
+		},
+	}
+
+	for _, tt := range tests {
+		io.WriteString(l, tt.log)
+		body := <-ts.uploaded
+
+		data := make(map[string]interface{})
+		err := json.Unmarshal(body, &data)
+		if err != nil {
+			t.Error(err)
+		}
+
+		got := data["text"]
+		if got != tt.want {
+			t.Errorf("%s: got %q; want %q", tt.name, got.(string), tt.want)
+		}
+
+		ltail, ok := data["logtail"]
+		if ok {
+			logtailmap := ltail.(map[string]interface{})
+			_, ok = logtailmap["client_time"]
+			if !ok {
+				t.Errorf("%s: no client_time present", tt.name)
+			}
+		} else {
+			t.Errorf("%s: no logtail map present", tt.name)
+		}
+	}
+
+	err := l.Shutdown(context.Background())
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func TestEncodeSpecialCases(t *testing.T) {
+	ts, l := NewLogtailTestHarness(t)
+
+	// -------------------------------------------------------------------------
+
+	// JSON log message already contains a logtail field.
+	io.WriteString(l, `{"logtail": "LOGTAIL", "text": "text"}`)
+	body := <-ts.uploaded
+	data := make(map[string]interface{})
+	err := json.Unmarshal(body, &data)
+	if err != nil {
+		t.Error(err)
+	}
+	errorHasLogtail, ok := data["error_has_logtail"]
+	if ok {
+		if errorHasLogtail != "LOGTAIL" {
+			t.Errorf("error_has_logtail: got:%q; want:%q",
+				errorHasLogtail, "LOGTAIL")
+		}
+	} else {
+		t.Errorf("no error_has_logtail field: %v", data)
+	}
+
+	// -------------------------------------------------------------------------
+
+	// special characters
+	io.WriteString(l, "\b\f\n\r\t"+`"\`)
+	bodytext := string(<-ts.uploaded)
+	// json.Unmarshal would unescape the characters, we have to look at the encoded text
+	escaped := strings.Contains(bodytext, `\b\f\n\r\t\"\`)
+	if !escaped {
+		t.Errorf("special characters got %s", bodytext)
+	}
+
+	// -------------------------------------------------------------------------
+
+	// skipClientTime to omit the logtail metadata
+	l.skipClientTime = true
+	io.WriteString(l, "text")
+	body = <-ts.uploaded
+	data = make(map[string]interface{})
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		t.Error(err)
+	}
+	_, ok = data["logtail"]
+	if ok {
+		t.Errorf("skipClientTime: unexpected logtail map present: %v", data)
+	}
+
+	// -------------------------------------------------------------------------
+
+	// lowMem + long string
+	l.skipClientTime = false
+	l.lowMem = true
+	longStr := strings.Repeat("0", 512)
+	io.WriteString(l, longStr)
+	body = <-ts.uploaded
+	data = make(map[string]interface{})
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		t.Error(err)
+	}
+	text, ok := data["text"]
+	if !ok {
+		t.Errorf("lowMem: no text %v", data)
+	}
+	if n := len(text.(string)); n > 300 {
+		t.Errorf("lowMem: got %d chars; want <300 chars", n)
+	}
+
+	// -------------------------------------------------------------------------
+
+	err = l.Shutdown(context.Background())
+	if err != nil {
+		t.Error(err)
+	}
 }

 var sink []byte

 func TestLoggerEncodeTextAllocs(t *testing.T) {
-	lg := &logger{timeNow: time.Now}
+	lg := &Logger{timeNow: time.Now}
 	inBuf := []byte("some text to encode")
 	n := testing.AllocsPerRun(1000, func() {
 		sink = lg.encodeText(inBuf, false)
@@ -34,7 +239,7 @@ func TestLoggerEncodeTextAllocs(t *testing.T) {
 }

 func TestLoggerWriteLength(t *testing.T) {
-	lg := &logger{
+	lg := &Logger{
 		timeNow: time.Now,
 		buffer:  NewMemoryBuffer(1024),
 	}
@@ -47,3 +252,54 @@ func TestLoggerWriteLength(t *testing.T) {
 		t.Errorf("logger.Write wrote %d bytes, expected %d", n, len(inBuf))
 	}
 }
+
+func TestParseAndRemoveLogLevel(t *testing.T) {
+	tests := []struct {
+		log       string
+		wantLevel int
+		wantLog   string
+	}{
+		{
+			"no level",
+			0,
+			"no level",
+		},
+		{
+			"[v1] level 1",
+			1,
+			"level 1",
+		},
+		{
+			"level 1 [v1] ",
+			1,
+			"level 1 ",
+		},
+		{
+			"[v2] level 2",
+			2,
+			"level 2",
+		},
+		{
+			"level [v2] 2",
+			2,
+			"level 2",
+		},
+		{
+			"[v3] no level 3",
+			0,
+			"[v3] no level 3",
+		},
+	}
+
+	for _, tt := range tests {
+		gotLevel, gotLog := parseAndRemoveLogLevel([]byte(tt.log))
+		if gotLevel != tt.wantLevel {
+			t.Errorf("parseAndRemoveLogLevel(%q): got:%d; want %d",
+				tt.log, gotLevel, tt.wantLevel)
+		}
+		if string(gotLog) != tt.wantLog {
+			t.Errorf("parseAndRemoveLogLevel(%q): got:%q; want %q",
+				tt.log, gotLog, tt.wantLog)
+		}
+	}
+}
--- a/net/dnscache/dnscache.go
+++ b/net/dnscache/dnscache.go
@@ -9,8 +9,11 @@ package dnscache
 import (
 	"context"
 	"fmt"
+	"log"
 	"net"
+	"os"
 	"runtime"
+	"strconv"
 	"sync"
 	"time"

@@ -25,7 +28,7 @@ func preferGoResolver() bool {
 	// There does not appear to be a local resolver running
 	// on iOS, and NetworkExtension is good at isolating DNS.
 	// So do not use the Go resolver on macOS/iOS.
-	if runtime.GOOS == "darwin" {
+	if runtime.GOOS == "darwin" || runtime.GOOS == "ios" {
 		return false
 	}

@@ -42,8 +45,6 @@ func preferGoResolver() bool {
 // Get returns a caching Resolver singleton.
 func Get() *Resolver { return single }

-const fixedTTL = 10 * time.Minute
-
 // Resolver is a minimal DNS caching resolver.
 //
 // The TTL is always fixed for now. It's not intended for general use.
@@ -54,6 +55,15 @@ type Resolver struct {
 	// If nil, net.DefaultResolver is used.
 	Forward *net.Resolver

+	// TTL is how long to keep entries cached
+	//
+	// If zero, a default (currently 10 minutes) is used.
+	TTL time.Duration
+
+	// UseLastGood controls whether a cached entry older than TTL is used
+	// if a refresh fails.
+	UseLastGood bool
+
 	sf singleflight.Group

 	mu      sync.Mutex
@@ -61,7 +71,8 @@ type Resolver struct {
 }

 type ipCacheEntry struct {
-	ip      net.IP
+	ip      net.IP // either v4 or v6
+	ip6     net.IP // nil if no v4 or no v6
 	expires time.Time
 }

@@ -72,74 +83,160 @@ func (r *Resolver) fwd() *net.Resolver {
 	return net.DefaultResolver
 }

-// LookupIP returns the first IPv4 address found, otherwise the first IPv6 address.
-func (r *Resolver) LookupIP(ctx context.Context, host string) (net.IP, error) {
+func (r *Resolver) ttl() time.Duration {
+	if r.TTL > 0 {
+		return r.TTL
+	}
+	return 10 * time.Minute
+}
+
+var debug, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_DNS_CACHE"))
+
+// LookupIP returns the host's primary IP address (either IPv4 or
+// IPv6, but preferring IPv4) and optionally its IPv6 address, if
+// there is both IPv4 and IPv6.
+//
+// If err is nil, ip will be non-nil. The v6 address may be nil even
+// with a nil error.
+func (r *Resolver) LookupIP(ctx context.Context, host string) (ip, v6 net.IP, err error) {
 	if ip := net.ParseIP(host); ip != nil {
 		if ip4 := ip.To4(); ip4 != nil {
-			return ip4, nil
+			return ip4, nil, nil
 		}
-		return ip, nil
+		if debug {
+			log.Printf("dnscache: %q is an IP", host)
+		}
+		return ip, nil, nil
 	}

-	if ip, ok := r.lookupIPCache(host); ok {
-		return ip, nil
+	if ip, ip6, ok := r.lookupIPCache(host); ok {
+		if debug {
+			log.Printf("dnscache: %q = %v (cached)", host, ip)
+		}
+		return ip, ip6, nil
 	}

+	type ipPair struct {
+		ip, ip6 net.IP
+	}
 	ch := r.sf.DoChan(host, func() (interface{}, error) {
-		ip, err := r.lookupIP(host)
+		ip, ip6, err := r.lookupIP(host)
 		if err != nil {
 			return nil, err
 		}
-		return ip, nil
+		return ipPair{ip, ip6}, nil
 	})
 	select {
 	case res := <-ch:
 		if res.Err != nil {
-			return nil, res.Err
+			if r.UseLastGood {
+				if ip, ip6, ok := r.lookupIPCacheExpired(host); ok {
+					if debug {
+						log.Printf("dnscache: %q using %v after error", host, ip)
+					}
+					return ip, ip6, nil
+				}
+			}
+			if debug {
+				log.Printf("dnscache: error resolving %q: %v", host, res.Err)
+			}
+			return nil, nil, res.Err
 		}
-		return res.Val.(net.IP), nil
+		pair := res.Val.(ipPair)
+		return pair.ip, pair.ip6, nil
 	case <-ctx.Done():
-		return nil, ctx.Err()
+		if debug {
+			log.Printf("dnscache: context done while resolving %q: %v", host, ctx.Err())
+		}
+		return nil, nil, ctx.Err()
 	}
 }

-func (r *Resolver) lookupIPCache(host string) (ip net.IP, ok bool) {
+func (r *Resolver) lookupIPCache(host string) (ip, ip6 net.IP, ok bool) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 	if ent, ok := r.ipCache[host]; ok && ent.expires.After(time.Now()) {
-		return ent.ip, true
+		return ent.ip, ent.ip6, true
 	}
-	return nil, false
+	return nil, nil, false
 }

-func (r *Resolver) lookupIP(host string) (net.IP, error) {
-	if ip, ok := r.lookupIPCache(host); ok {
-		return ip, nil
+func (r *Resolver) lookupIPCacheExpired(host string) (ip, ip6 net.IP, ok bool) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if ent, ok := r.ipCache[host]; ok {
+		return ent.ip, ent.ip6, true
+	}
+	return nil, nil, false
+}
+
+func (r *Resolver) lookupTimeoutForHost(host string) time.Duration {
+	if r.UseLastGood {
+		if _, _, ok := r.lookupIPCacheExpired(host); ok {
+			// If we have some previous good value for this host,
+			// don't give this DNS lookup much time. If we're in a
+			// situation where the user's DNS server is unreachable
+			// (e.g. their corp DNS server is behind a subnet router
+			// that can't come up due to Tailscale needing to
+			// connect to itself), then we want to fail fast and let
+			// our caller (who set UseLastGood) fall back to using
+			// the last-known-good IP address.
+			return 3 * time.Second
+		}
+	}
+	return 10 * time.Second
+}
+
+func (r *Resolver) lookupIP(host string) (ip, ip6 net.IP, err error) {
+	if ip, ip6, ok := r.lookupIPCache(host); ok {
+		if debug {
+			log.Printf("dnscache: %q found in cache as %v", host, ip)
+		}
+		return ip, ip6, nil
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), r.lookupTimeoutForHost(host))
 	defer cancel()
 	ips, err := r.fwd().LookupIPAddr(ctx, host)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	if len(ips) == 0 {
-		return nil, fmt.Errorf("no IPs for %q found", host)
+		return nil, nil, fmt.Errorf("no IPs for %q found", host)
 	}

+	have4 := false
 	for _, ipa := range ips {
 		if ip4 := ipa.IP.To4(); ip4 != nil {
-			return r.addIPCache(host, ip4, fixedTTL), nil
+			if !have4 {
+				ip6 = ip
+				ip = ip4
+				have4 = true
+			}
+		} else {
+			if have4 {
+				ip6 = ipa.IP
+			} else {
+				ip = ipa.IP
+			}
 		}
 	}
-	return r.addIPCache(host, ips[0].IP, fixedTTL), nil
+	r.addIPCache(host, ip, ip6, r.ttl())
+	return ip, ip6, nil
 }

-func (r *Resolver) addIPCache(host string, ip net.IP, d time.Duration) net.IP {
+func (r *Resolver) addIPCache(host string, ip, ip6 net.IP, d time.Duration) {
 	if isPrivateIP(ip) {
 		// Don't cache obviously wrong entries from captive portals.
 		// TODO: use DoH or DoT for the forwarding resolver?
-		return ip
+		if debug {
+			log.Printf("dnscache: %q resolved to private IP %v; using but not caching", host, ip)
+		}
+		return
+	}
+
+	if debug {
+		log.Printf("dnscache: %q resolved to IP %v; caching", host, ip)
 	}

 	r.mu.Lock()
@@ -147,8 +244,7 @@ func (r *Resolver) addIPCache(host string, ip net.IP, d time.Duration) net.IP {
 	if r.ipCache == nil {
 		r.ipCache = make(map[string]ipCacheEntry)
 	}
-	r.ipCache[host] = ipCacheEntry{ip: ip, expires: time.Now().Add(d)}
-	return ip
+	r.ipCache[host] = ipCacheEntry{ip: ip, ip6: ip6, expires: time.Now().Add(d)}
 }

 func mustCIDR(s string) *net.IPNet {
@@ -168,3 +264,39 @@ var (
 	private2 = mustCIDR("172.16.0.0/12")
 	private3 = mustCIDR("192.168.0.0/16")
 )
+
+type DialContextFunc func(ctx context.Context, network, address string) (net.Conn, error)
+
+// Dialer returns a wrapped DialContext func that uses the provided dnsCache.
+func Dialer(fwd DialContextFunc, dnsCache *Resolver) DialContextFunc {
+	return func(ctx context.Context, network, address string) (net.Conn, error) {
+		host, port, err := net.SplitHostPort(address)
+		if err != nil {
+			// Bogus. But just let the real dialer return an error rather than
+			// inventing a similar one.
+			return fwd(ctx, network, address)
+		}
+		ip, ip6, err := dnsCache.LookupIP(ctx, host)
+		if err != nil {
+			return nil, fmt.Errorf("failed to resolve %q: %w", host, err)
+		}
+		dst := net.JoinHostPort(ip.String(), port)
+		if debug {
+			log.Printf("dnscache: dialing %s, %s for %s", network, dst, address)
+		}
+		c, err := fwd(ctx, network, dst)
+		if err == nil || ctx.Err() != nil || ip6 == nil {
+			return c, err
+		}
+		// Fall back to trying IPv6.
+		// TODO(bradfitz): this is a primarily for IPv6-only
+		// hosts; it's not supposed to be a real Happy
+		// Eyeballs implementation. We should use the net
+		// package's implementation of that by plumbing this
+		// dnscache impl into net.Dialer.Resolver.Dial and
+		// unmarshal/marshal DNS queries/responses to the net
+		// package. This works for v6-only hosts for now.
+		dst = net.JoinHostPort(ip6.String(), port)
+		return fwd(ctx, network, dst)
+	}
+}
--- a/net/flowtrack/flowtrack.go
+++ b/net/flowtrack/flowtrack.go
@@ -0,0 +1,104 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+//
+// Original implementation (from same author) from which this was derived was:
+// https://github.com/golang/groupcache/blob/5b532d6fd5efaf7fa130d4e859a2fde0fc3a9e1b/lru/lru.go
+// ... which was Apache licensed:
+// https://github.com/golang/groupcache/blob/master/LICENSE
+
+// Package flowtrack contains types for tracking TCP/UDP flows by 4-tuples.
+package flowtrack
+
+import (
+	"container/list"
+	"fmt"
+
+	"inet.af/netaddr"
+)
+
+// Tuple is a 4-tuple of source and destination IP and port.
+type Tuple struct {
+	Src netaddr.IPPort
+	Dst netaddr.IPPort
+}
+
+func (t Tuple) String() string {
+	return fmt.Sprintf("(%v => %v)", t.Src, t.Dst)
+}
+
+// Cache is an LRU cache keyed by Tuple.
+//
+// The zero value is valid to use.
+//
+// It is not safe for concurrent access.
+type Cache struct {
+	// MaxEntries is the maximum number of cache entries before
+	// an item is evicted. Zero means no limit.
+	MaxEntries int
+
+	ll *list.List
+	m  map[Tuple]*list.Element // of *entry
+}
+
+// entry is the container/list element type.
+type entry struct {
+	key   Tuple
+	value interface{}
+}
+
+// Add adds a value to the cache, set or updating its assoicated
+// value.
+//
+// If MaxEntries is non-zero and the length of the cache is greater
+// after any addition, the least recently used value is evicted.
+func (c *Cache) Add(key Tuple, value interface{}) {
+	if c.m == nil {
+		c.m = make(map[Tuple]*list.Element)
+		c.ll = list.New()
+	}
+	if ee, ok := c.m[key]; ok {
+		c.ll.MoveToFront(ee)
+		ee.Value.(*entry).value = value
+		return
+	}
+	ele := c.ll.PushFront(&entry{key, value})
+	c.m[key] = ele
+	if c.MaxEntries != 0 && c.Len() > c.MaxEntries {
+		c.RemoveOldest()
+	}
+}
+
+// Get looks up a key's value from the cache, also reporting
+// whether it was present.
+func (c *Cache) Get(key Tuple) (value interface{}, ok bool) {
+	if ele, hit := c.m[key]; hit {
+		c.ll.MoveToFront(ele)
+		return ele.Value.(*entry).value, true
+	}
+	return nil, false
+}
+
+// Remove removes the provided key from the cache if it was present.
+func (c *Cache) Remove(key Tuple) {
+	if ele, hit := c.m[key]; hit {
+		c.removeElement(ele)
+	}
+}
+
+// RemoveOldest removes the oldest item from the cache, if any.
+func (c *Cache) RemoveOldest() {
+	if c.ll != nil {
+		if ele := c.ll.Back(); ele != nil {
+			c.removeElement(ele)
+		}
+	}
+}
+
+func (c *Cache) removeElement(e *list.Element) {
+	c.ll.Remove(e)
+	delete(c.m, e.Value.(*entry).key)
+}
+
+// Len returns the number of items in the cache.
+func (c *Cache) Len() int { return len(c.m) }
--- a/net/flowtrack/flowtrack_test.go
+++ b/net/flowtrack/flowtrack_test.go
@@ -0,0 +1,82 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package flowtrack
+
+import (
+	"testing"
+
+	"inet.af/netaddr"
+)
+
+func TestCache(t *testing.T) {
+	c := &Cache{MaxEntries: 2}
+
+	k1 := Tuple{Src: netaddr.MustParseIPPort("1.1.1.1:1"), Dst: netaddr.MustParseIPPort("1.1.1.1:1")}
+	k2 := Tuple{Src: netaddr.MustParseIPPort("1.1.1.1:1"), Dst: netaddr.MustParseIPPort("2.2.2.2:2")}
+	k3 := Tuple{Src: netaddr.MustParseIPPort("1.1.1.1:1"), Dst: netaddr.MustParseIPPort("3.3.3.3:3")}
+	k4 := Tuple{Src: netaddr.MustParseIPPort("1.1.1.1:1"), Dst: netaddr.MustParseIPPort("4.4.4.4:4")}
+
+	wantLen := func(want int) {
+		t.Helper()
+		if got := c.Len(); got != want {
+			t.Fatalf("Len = %d; want %d", got, want)
+		}
+	}
+	wantVal := func(key Tuple, want interface{}) {
+		t.Helper()
+		got, ok := c.Get(key)
+		if !ok {
+			t.Fatalf("Get(%q) failed; want value %v", key, want)
+		}
+		if got != want {
+			t.Fatalf("Get(%q) = %v; want %v", key, got, want)
+		}
+	}
+	wantMissing := func(key Tuple) {
+		t.Helper()
+		if got, ok := c.Get(key); ok {
+			t.Fatalf("Get(%q) = %v; want absent from cache", key, got)
+		}
+	}
+
+	wantLen(0)
+	c.RemoveOldest() // shouldn't panic
+	c.Remove(k4)     // shouldn't panic
+
+	c.Add(k1, 1)
+	wantLen(1)
+	c.Add(k2, 2)
+	wantLen(2)
+	c.Add(k3, 3)
+	wantLen(2) // hit the max
+
+	wantMissing(k1)
+	c.Remove(k1)
+	wantLen(2) // no change; k1 should've been the deleted one per LRU
+
+	wantVal(k3, 3)
+
+	wantVal(k2, 2)
+	c.Remove(k2)
+	wantLen(1)
+	wantMissing(k2)
+
+	c.Add(k3, 30)
+	wantVal(k3, 30)
+	wantLen(1)
+
+	allocs := int(testing.AllocsPerRun(1000, func() {
+		got, ok := c.Get(k3)
+		if !ok {
+			t.Fatal("missing k3")
+		}
+		if got != 30 {
+			t.Fatalf("got = %d; want 30", got)
+		}
+	}))
+	if allocs != 0 {
+		t.Errorf("allocs = %v; want 0", allocs)
+	}
+}
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -8,13 +8,20 @@ package interfaces
 import (
 	"fmt"
 	"net"
+	"net/http"
 	"reflect"
+	"sort"
 	"strings"

 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
+	"tailscale.com/net/tshttpproxy"
 )

+// LoginEndpointForProxyDetermination is the URL used for testing
+// which HTTP proxy the system should use.
+var LoginEndpointForProxyDetermination = "https://login.tailscale.com/"
+
 // Tailscale returns the current machine's Tailscale interface, if any.
 // If none is found, all zero values are returned.
 // A non-nil error is only returned on a problem listing the system interfaces.
@@ -43,7 +50,8 @@ func Tailscale() (net.IP, *net.Interface, error) {
 // maybeTailscaleInterfaceName reports whether s is an interface
 // name that might be used by Tailscale.
 func maybeTailscaleInterfaceName(s string) bool {
-	return strings.HasPrefix(s, "wg") ||
+	return s == "Tailscale" ||
+		strings.HasPrefix(s, "wg") ||
 		strings.HasPrefix(s, "ts") ||
 		strings.HasPrefix(s, "tailscale") ||
 		strings.HasPrefix(s, "utun")
@@ -86,11 +94,6 @@ func LocalAddresses() (regular, loopback []string, err error) {
 				if !ok {
 					continue
 				}
-				if ip.Is6() {
-					// TODO(crawshaw): IPv6 support.
-					// Easy to do here, but we need good endpoint ordering logic.
-					continue
-				}
 				// TODO(apenwarr): don't special case cgNAT.
 				// In the general wireguard case, it might
 				// very well be something we can route to
@@ -153,35 +156,118 @@ type State struct {
 	InterfaceUp  map[string]bool

 	// HaveV6Global is whether this machine has an IPv6 global address
-	// on some interface.
+	// on some non-Tailscale interface that's up.
 	HaveV6Global bool

-	// HaveV4 is whether the machine has some non-localhost IPv4 address.
+	// HaveV4 is whether the machine has some non-localhost,
+	// non-link-local IPv4 address on a non-Tailscale interface that's up.
 	HaveV4 bool

 	// IsExpensive is whether the current network interface is
 	// considered "expensive", which currently means LTE/etc
 	// instead of Wifi. This field is not populated by GetState.
 	IsExpensive bool
+
+	// DefaultRouteInterface is the interface name for the machine's default route.
+	// It is not yet populated on all OSes.
+	// Its exact value should not be assumed to be a map key for
+	// the Interface maps above; it's only used for debugging.
+	DefaultRouteInterface string
+
+	// HTTPProxy is the HTTP proxy to use.
+	HTTPProxy string
+
+	// PAC is the URL to the Proxy Autoconfig URL, if applicable.
+	PAC string
+}
+
+func (s *State) String() string {
+	var sb strings.Builder
+	fmt.Fprintf(&sb, "interfaces.State{defaultRoute=%v ifs={", s.DefaultRouteInterface)
+	ifs := make([]string, 0, len(s.InterfaceUp))
+	for k := range s.InterfaceUp {
+		if allLoopbackIPs(s.InterfaceIPs[k]) {
+			continue
+		}
+		ifs = append(ifs, k)
+	}
+	sort.Slice(ifs, func(i, j int) bool {
+		upi, upj := s.InterfaceUp[ifs[i]], s.InterfaceUp[ifs[j]]
+		if upi != upj {
+			// Up sorts before down.
+			return upi
+		}
+		return ifs[i] < ifs[j]
+	})
+	for i, ifName := range ifs {
+		if i > 0 {
+			sb.WriteString(" ")
+		}
+		if s.InterfaceUp[ifName] {
+			fmt.Fprintf(&sb, "%s:[", ifName)
+			needSpace := false
+			for _, ip := range s.InterfaceIPs[ifName] {
+				if ip.IsLinkLocalUnicast() {
+					continue
+				}
+				if needSpace {
+					sb.WriteString(" ")
+				}
+				fmt.Fprintf(&sb, "%s", ip)
+				needSpace = true
+			}
+			sb.WriteString("]")
+		} else {
+			fmt.Fprintf(&sb, "%s:down", ifName)
+		}
+	}
+	sb.WriteString("}")
+
+	if s.IsExpensive {
+		sb.WriteString(" expensive")
+	}
+	if s.HTTPProxy != "" {
+		fmt.Fprintf(&sb, " httpproxy=%s", s.HTTPProxy)
+	}
+	if s.PAC != "" {
+		fmt.Fprintf(&sb, " pac=%s", s.PAC)
+	}
+	fmt.Fprintf(&sb, " v4=%v v6global=%v}", s.HaveV4, s.HaveV6Global)
+	return sb.String()
 }

 func (s *State) Equal(s2 *State) bool {
 	return reflect.DeepEqual(s, s2)
 }

+func (s *State) HasPAC() bool { return s != nil && s.PAC != "" }
+
+// AnyInterfaceUp reports whether any interface seems like it has Internet access.
+func (s *State) AnyInterfaceUp() bool {
+	return s != nil && (s.HaveV4 || s.HaveV6Global)
+}
+
 // RemoveTailscaleInterfaces modifes s to remove any interfaces that
 // are owned by this process. (TODO: make this true; currently it
 // makes the Linux-only assumption that the interface is named
 // /^tailscale/)
 func (s *State) RemoveTailscaleInterfaces() {
 	for name := range s.InterfaceIPs {
-		if strings.HasPrefix(name, "tailscale") { // TODO: use --tun flag value, etc; see TODO in method doc
+		if isTailscaleInterfaceName(name) {
 			delete(s.InterfaceIPs, name)
 			delete(s.InterfaceUp, name)
 		}
 	}
 }

+func isTailscaleInterfaceName(name string) bool {
+	return name == "Tailscale" || // as it is on Windows
+		strings.HasPrefix(name, "tailscale") // TODO: use --tun flag value, etc; see TODO in method doc
+}
+
+// getPAC, if non-nil, returns the current PAC file URL.
+var getPAC func() string
+
 // GetState returns the state of all the current machine's network interfaces.
 //
 // It does not set the returned State.IsExpensive. The caller can populate that.
@@ -191,13 +277,31 @@ func GetState() (*State, error) {
 		InterfaceUp:  make(map[string]bool),
 	}
 	if err := ForeachInterfaceAddress(func(ni Interface, ip netaddr.IP) {
+		ifUp := ni.IsUp()
 		s.InterfaceIPs[ni.Name] = append(s.InterfaceIPs[ni.Name], ip)
-		s.InterfaceUp[ni.Name] = ni.IsUp()
-		s.HaveV6Global = s.HaveV6Global || isGlobalV6(ip)
-		s.HaveV4 = s.HaveV4 || (ip.Is4() && !ip.IsLoopback())
+		s.InterfaceUp[ni.Name] = ifUp
+		if ifUp && !ip.IsLoopback() && !ip.IsLinkLocalUnicast() && !isTailscaleInterfaceName(ni.Name) {
+			s.HaveV6Global = s.HaveV6Global || isGlobalV6(ip)
+			s.HaveV4 = s.HaveV4 || ip.Is4()
+		}
 	}); err != nil {
 		return nil, err
 	}
+	s.DefaultRouteInterface, _ = DefaultRouteInterface()
+
+	if s.AnyInterfaceUp() {
+		req, err := http.NewRequest("GET", LoginEndpointForProxyDetermination, nil)
+		if err != nil {
+			return nil, err
+		}
+		if u, err := tshttpproxy.ProxyFromEnvironment(req); err == nil && u != nil {
+			s.HTTPProxy = u.String()
+		}
+		if getPAC != nil {
+			s.PAC = getPAC()
+		}
+	}
+
 	return s, nil
 }

@@ -287,3 +391,15 @@ var (
 	linkLocalIPv4 = mustCIDR("169.254.0.0/16")
 	v6Global1     = mustCIDR("2000::/3")
 )
+
+func allLoopbackIPs(ips []netaddr.IP) bool {
+	if len(ips) == 0 {
+		return false
+	}
+	for _, ip := range ips {
+		if !ip.IsLoopback() {
+			return false
+		}
+	}
+	return true
+}
--- a/net/interfaces/interfaces_darwin.go
+++ b/net/interfaces/interfaces_darwin.go
@@ -5,6 +5,7 @@
 package interfaces

 import (
+	"errors"
 	"os/exec"

 	"go4.org/mem"
@@ -13,10 +14,6 @@ import (
 	"tailscale.com/version"
 )

-func init() {
-	likelyHomeRouterIP = likelyHomeRouterIPDarwin
-}
-
 /*
 Parse out 10.0.0.1 from:

@@ -32,12 +29,11 @@ default            link#14            UCSI         utun2
 ...

 */
-func likelyHomeRouterIPDarwin() (ret netaddr.IP, ok bool) {
+func likelyHomeRouterIPDarwinExec() (ret netaddr.IP, ok bool) {
 	if version.IsMobile() {
 		// Don't try to do subprocesses on iOS. Ends up with log spam like:
 		// kernel: "Sandbox: IPNExtension(86580) deny(1) process-fork"
-		// TODO(bradfitz): let our iOS app register a func with this package
-		// and have it call into C/Swift to get the routing table.
+		// This is why we have likelyHomeRouterIPDarwinSyscall.
 		return ret, false
 	}
 	cmd := exec.Command("/usr/sbin/netstat", "-r", "-n", "-f", "inet")
@@ -67,8 +63,12 @@ func likelyHomeRouterIPDarwin() (ret netaddr.IP, ok bool) {
 		ip, err := netaddr.ParseIP(string(mem.Append(nil, ipm)))
 		if err == nil && isPrivateIP(ip) {
 			ret = ip
+			// We've found what we're looking for.
+			return errStopReadingNetstatTable
 		}
 		return nil
 	})
 	return ret, !ret.IsZero()
 }
+
+var errStopReadingNetstatTable = errors.New("found private gateway")
--- a/net/interfaces/interfaces_darwin_cgo.go
+++ b/net/interfaces/interfaces_darwin_cgo.go
@@ -0,0 +1,124 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build darwin,cgo
+
+package interfaces
+
+/*
+#import "route.h"
+#import <netinet/in.h>
+#import <sys/sysctl.h>
+#import <stdlib.h>
+#import <stdio.h>
+
+// privateGatewayIPFromRoute returns the private gateway ip address from rtm, if it exists.
+// Otherwise, it returns 0.
+int privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
+{
+    // sockaddrs are after the message header
+    struct sockaddr* dst_sa = (struct sockaddr *)(rtm + 1);
+
+    if((rtm->rtm_addrs & (RTA_DST|RTA_GATEWAY)) != (RTA_DST|RTA_GATEWAY))
+        return 0; // missing dst or gateway addr
+    if (dst_sa->sa_family != AF_INET)
+        return 0; // dst not IPv4
+    if ((rtm->rtm_flags & RTF_GATEWAY) == 0)
+        return 0; // gateway flag not set
+
+    struct sockaddr_in* dst_si = (struct sockaddr_in *)dst_sa;
+    if (dst_si->sin_addr.s_addr != INADDR_ANY)
+        return 0; // not default route
+
+    #define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
+
+    struct sockaddr* gateway_sa = (struct sockaddr *)((char *)dst_sa + ROUNDUP(dst_sa->sa_len));
+    if (gateway_sa->sa_family != AF_INET)
+        return 0; // gateway not IPv4
+
+    struct sockaddr_in* gateway_si= (struct sockaddr_in *)gateway_sa;
+    int ip;
+    ip = gateway_si->sin_addr.s_addr;
+
+    unsigned char a, b;
+    a = (ip >> 0) & 0xff;
+    b = (ip >> 8) & 0xff;
+
+    // Check whether ip is private, that is, whether it is
+    // in one of 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
+    if (a == 10)
+        return ip; // matches 10.0.0.0/8
+    if (a == 172 && (b >> 4) == 1)
+        return ip; // matches 172.16.0.0/12
+    if (a == 192 && b == 168)
+        return ip; // matches 192.168.0.0/16
+
+    // Not a private IP.
+    return 0;
+}
+
+// privateGatewayIP returns the private gateway IP address, if it exists.
+// If no private gateway IP address was found, it returns 0.
+// On an error, it returns an error code in (0, 255].
+// Any private gateway IP address is > 255.
+int privateGatewayIP()
+{
+    size_t needed;
+    int mib[6];
+    char *buf;
+
+    mib[0] = CTL_NET;
+    mib[1] = PF_ROUTE;
+    mib[2] = 0;
+    mib[3] = 0;
+    mib[4] = NET_RT_DUMP2;
+    mib[5] = 0;
+
+    if (sysctl(mib, 6, NULL, &needed, NULL, 0) < 0)
+        return 1; // route dump size estimation failed
+    if ((buf = malloc(needed)) == 0)
+        return 2; // malloc failed
+    if (sysctl(mib, 6, buf, &needed, NULL, 0) < 0) {
+        free(buf);
+        return 3; // route dump failed
+    }
+
+    // Loop over all routes.
+    char *next, *lim;
+    lim = buf + needed;
+	struct rt_msghdr2 *rtm;
+    for (next = buf; next < lim; next += rtm->rtm_msglen) {
+        rtm = (struct rt_msghdr2 *)next;
+		int ip;
+        ip = privateGatewayIPFromRoute(rtm);
+        if (ip) {
+            free(buf);
+            return ip;
+        }
+    }
+    free(buf);
+    return 0; // no gateway found
+}
+*/
+import "C"
+
+import (
+	"encoding/binary"
+
+	"inet.af/netaddr"
+)
+
+func init() {
+	likelyHomeRouterIP = likelyHomeRouterIPDarwinSyscall
+}
+
+func likelyHomeRouterIPDarwinSyscall() (ret netaddr.IP, ok bool) {
+	ip := C.privateGatewayIP()
+	if ip < 255 {
+		return netaddr.IP{}, false
+	}
+	var q [4]byte
+	binary.LittleEndian.PutUint32(q[:], uint32(ip))
+	return netaddr.IPv4(q[0], q[1], q[2], q[3]), true
+}
--- a/net/interfaces/interfaces_darwin_cgo_test.go
+++ b/net/interfaces/interfaces_darwin_cgo_test.go
@@ -0,0 +1,20 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build cgo,darwin
+
+package interfaces
+
+import "testing"
+
+func TestLikelyHomeRouterIPSyscallExec(t *testing.T) {
+	syscallIP, syscallOK := likelyHomeRouterIPDarwinSyscall()
+	netstatIP, netstatOK := likelyHomeRouterIPDarwinExec()
+	if syscallOK != netstatOK || syscallIP != netstatIP {
+		t.Errorf("syscall() = %v, %v, netstat = %v, %v",
+			syscallIP, syscallOK,
+			netstatIP, netstatOK,
+		)
+	}
+}
--- a/net/interfaces/interfaces_darwin_nocgo.go
+++ b/net/interfaces/interfaces_darwin_nocgo.go
@@ -0,0 +1,11 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build darwin,!cgo
+
+package interfaces
+
+func init() {
+	likelyHomeRouterIP = likelyHomeRouterIPDarwinExec
+}
--- a/net/interfaces/interfaces_defaultrouteif_todo.go
+++ b/net/interfaces/interfaces_defaultrouteif_todo.go
@@ -0,0 +1,15 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !linux,!windows
+
+package interfaces
+
+import "errors"
+
+var errTODO = errors.New("TODO")
+
+func DefaultRouteInterface() (string, error) {
+	return "TODO", errTODO
+}
--- a/net/interfaces/interfaces_linux.go
+++ b/net/interfaces/interfaces_linux.go
@@ -5,10 +5,15 @@
 package interfaces

 import (
+	"bufio"
 	"bytes"
+	"errors"
+	"io"
 	"log"
+	"os"
 	"os/exec"
 	"runtime"
+	"strings"

 	"go4.org/mem"
 	"inet.af/netaddr"
@@ -115,3 +120,91 @@ func likelyHomeRouterIPAndroid() (ret netaddr.IP, ok bool) {
 	cmd.Wait()
 	return ret, !ret.IsZero()
 }
+
+// DefaultRouteInterface returns the name of the network interface that owns
+// the default route, not including any tailscale interfaces.
+func DefaultRouteInterface() (string, error) {
+	v, err := defaultRouteInterfaceProcNet()
+	if err == nil {
+		return v, nil
+	}
+	if runtime.GOOS == "android" {
+		return defaultRouteInterfaceAndroidIPRoute()
+	}
+	return v, err
+}
+
+var zeroRouteBytes = []byte("00000000")
+
+func defaultRouteInterfaceProcNet() (string, error) {
+	f, err := os.Open("/proc/net/route")
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	br := bufio.NewReaderSize(f, 128)
+	for {
+		line, err := br.ReadSlice('\n')
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return "", err
+		}
+		if !bytes.Contains(line, zeroRouteBytes) {
+			continue
+		}
+		fields := strings.Fields(string(line))
+		ifc := fields[0]
+		ip := fields[1]
+		netmask := fields[7]
+
+		if strings.HasPrefix(ifc, "tailscale") ||
+			strings.HasPrefix(ifc, "wg") {
+			continue
+		}
+		if ip == "00000000" && netmask == "00000000" {
+			// default route
+			return ifc, nil // interface name
+		}
+	}
+
+	return "", errors.New("no default routes found")
+
+}
+
+// defaultRouteInterfaceAndroidIPRoute tries to find the machine's default route interface name
+// by parsing the "ip route" command output. We use this on Android where /proc/net/route
+// can be missing entries or have locked-down permissions.
+// See also comments in https://github.com/tailscale/tailscale/pull/666.
+func defaultRouteInterfaceAndroidIPRoute() (ifname string, err error) {
+	cmd := exec.Command("/system/bin/ip", "route", "show", "table", "0")
+	out, err := cmd.StdoutPipe()
+	if err != nil {
+		return "", err
+	}
+	if err := cmd.Start(); err != nil {
+		log.Printf("interfaces: running /system/bin/ip: %v", err)
+		return "", err
+	}
+	// Search for line like "default via 10.0.2.2 dev radio0 table 1016 proto static mtu 1500 "
+	lineread.Reader(out, func(line []byte) error {
+		const pfx = "default via "
+		if !mem.HasPrefix(mem.B(line), mem.S(pfx)) {
+			return nil
+		}
+		ff := strings.Fields(string(line))
+		for i, v := range ff {
+			if i > 0 && ff[i-1] == "dev" && ifname == "" {
+				ifname = v
+			}
+		}
+		return nil
+	})
+	cmd.Process.Kill()
+	cmd.Wait()
+	if ifname == "" {
+		return "", errors.New("no default routes found")
+	}
+	return ifname, nil
+}
--- a/net/interfaces/interfaces_linux_test.go
+++ b/net/interfaces/interfaces_linux_test.go
@@ -0,0 +1,16 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package interfaces
+
+import "testing"
+
+func BenchmarkDefaultRouteInterface(b *testing.B) {
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		if _, err := DefaultRouteInterface(); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
--- a/net/interfaces/interfaces_test.go
+++ b/net/interfaces/interfaces_test.go
@@ -35,6 +35,7 @@ func TestGetState(t *testing.T) {
 		t.Fatal(err)
 	}
 	t.Logf("Got: %#v", st)
+	t.Logf("As string: %s", st)

 	st2, err := GetState()
 	if err != nil {
@@ -46,6 +47,9 @@ func TestGetState(t *testing.T) {
 		// the two GetState calls.
 		t.Fatal("two States back-to-back were not equal")
 	}
+
+	st.RemoveTailscaleInterfaces()
+	t.Logf("As string without Tailscale:\n\t%s", st)
 }

 func TestLikelyHomeRouterIP(t *testing.T) {
--- a/net/interfaces/interfaces_windows.go
+++ b/net/interfaces/interfaces_windows.go
@@ -5,16 +5,24 @@
 package interfaces

 import (
+	"fmt"
+	"log"
+	"net/url"
 	"os/exec"
 	"syscall"
+	"unsafe"

 	"go4.org/mem"
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
+	"tailscale.com/tsconst"
 	"tailscale.com/util/lineread"
 )

 func init() {
 	likelyHomeRouterIP = likelyHomeRouterIPWindows
+	getPAC = getPACWindows
 }

 /*
@@ -71,3 +79,118 @@ func likelyHomeRouterIPWindows() (ret netaddr.IP, ok bool) {
 	})
 	return ret, !ret.IsZero()
 }
+
+// NonTailscaleMTUs returns a map of interface LUID to interface MTU,
+// for all interfaces except Tailscale tunnels.
+func NonTailscaleMTUs() (map[winipcfg.LUID]uint32, error) {
+	mtus := map[winipcfg.LUID]uint32{}
+	ifs, err := NonTailscaleInterfaces()
+	for luid, iface := range ifs {
+		mtus[luid] = iface.MTU
+	}
+	return mtus, err
+}
+
+// NonTailscaleInterfaces returns a map of interface LUID to interface
+// for all interfaces except Tailscale tunnels.
+func NonTailscaleInterfaces() (map[winipcfg.LUID]*winipcfg.IPAdapterAddresses, error) {
+	ifs, err := winipcfg.GetAdaptersAddresses(windows.AF_UNSPEC, winipcfg.GAAFlagIncludeAllInterfaces)
+	if err != nil {
+		return nil, err
+	}
+
+	ret := map[winipcfg.LUID]*winipcfg.IPAdapterAddresses{}
+	for _, iface := range ifs {
+		if iface.Description() == tsconst.WintunInterfaceDesc {
+			continue
+		}
+		ret[iface.LUID] = iface
+	}
+
+	return ret, nil
+}
+
+// GetWindowsDefault returns the interface that has the non-Tailscale
+// default route for the given address family.
+//
+// It returns (nil, nil) if no interface is found.
+func GetWindowsDefault(family winipcfg.AddressFamily) (*winipcfg.IPAdapterAddresses, error) {
+	ifs, err := NonTailscaleInterfaces()
+	if err != nil {
+		return nil, err
+	}
+
+	routes, err := winipcfg.GetIPForwardTable2(family)
+	if err != nil {
+		return nil, err
+	}
+
+	bestMetric := ^uint32(0)
+	var bestIface *winipcfg.IPAdapterAddresses
+	for _, route := range routes {
+		iface := ifs[route.InterfaceLUID]
+		if route.DestinationPrefix.PrefixLength != 0 || iface == nil {
+			continue
+		}
+		if iface.OperStatus == winipcfg.IfOperStatusUp && route.Metric < bestMetric {
+			bestMetric = route.Metric
+			bestIface = iface
+		}
+	}
+
+	return bestIface, nil
+}
+
+func DefaultRouteInterface() (string, error) {
+	iface, err := GetWindowsDefault(windows.AF_INET)
+	if err != nil {
+		return "", err
+	}
+	if iface == nil {
+		return "(none)", nil
+	}
+	return fmt.Sprintf("%s (%s)", iface.FriendlyName(), iface.Description()), nil
+}
+
+var (
+	winHTTP                  = windows.NewLazySystemDLL("winhttp.dll")
+	detectAutoProxyConfigURL = winHTTP.NewProc("WinHttpDetectAutoProxyConfigUrl")
+
+	kernel32   = windows.NewLazySystemDLL("kernel32.dll")
+	globalFree = kernel32.NewProc("GlobalFree")
+)
+
+const (
+	winHTTP_AUTO_DETECT_TYPE_DHCP  = 0x00000001
+	winHTTP_AUTO_DETECT_TYPE_DNS_A = 0x00000002
+)
+
+func getPACWindows() string {
+	var res *uint16
+	r, _, e := detectAutoProxyConfigURL.Call(
+		winHTTP_AUTO_DETECT_TYPE_DHCP|winHTTP_AUTO_DETECT_TYPE_DNS_A,
+		uintptr(unsafe.Pointer(&res)),
+	)
+	if r == 1 {
+		if res == nil {
+			log.Printf("getPACWindows: unexpected success with nil result")
+			return ""
+		}
+		defer globalFree.Call(uintptr(unsafe.Pointer(res)))
+		s := windows.UTF16PtrToString(res)
+		if _, err := url.Parse(s); err != nil {
+			log.Printf("getPACWindows: invalid URL %q from winhttp; ignoring", s)
+			return ""
+		}
+		return s
+	}
+	const (
+		ERROR_WINHTTP_AUTODETECTION_FAILED = 12180
+	)
+	if e == syscall.Errno(ERROR_WINHTTP_AUTODETECTION_FAILED) {
+		// Common case on networks without advertised PAC.
+		return ""
+	}
+	log.Printf("getPACWindows: %T=%v", e, e) // syscall.Errno=0x....
+	return ""
+}
--- a/net/interfaces/interfaces_windows_test.go
+++ b/net/interfaces/interfaces_windows_test.go
@@ -0,0 +1,17 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package interfaces
+
+import "testing"
+
+func BenchmarkGetPACWindows(b *testing.B) {
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		v := getPACWindows()
+		if i == 0 {
+			b.Logf("Got: %q", v)
+		}
+	}
+}
--- a/net/interfaces/route.h
+++ b/net/interfaces/route.h
@@ -0,0 +1,257 @@
+/*
+ * Copyright (c) 2000-2017 Apple Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ *
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
+ */
+/*
+ * Copyright (c) 1980, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)route.h	8.3 (Berkeley) 4/19/94
+ * $FreeBSD: src/sys/net/route.h,v 1.36.2.1 2000/08/16 06:14:23 jayanth Exp $
+ */
+
+#ifndef _NET_ROUTE_H_
+#define _NET_ROUTE_H_
+#include <sys/appleapiopts.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+/*
+ * These numbers are used by reliable protocols for determining
+ * retransmission behavior and are included in the routing structure.
+ */
+struct rt_metrics {
+	u_int32_t       rmx_locks;      /* Kernel leaves these values alone */
+	u_int32_t       rmx_mtu;        /* MTU for this path */
+	u_int32_t       rmx_hopcount;   /* max hops expected */
+	int32_t         rmx_expire;     /* lifetime for route, e.g. redirect */
+	u_int32_t       rmx_recvpipe;   /* inbound delay-bandwidth product */
+	u_int32_t       rmx_sendpipe;   /* outbound delay-bandwidth product */
+	u_int32_t       rmx_ssthresh;   /* outbound gateway buffer limit */
+	u_int32_t       rmx_rtt;        /* estimated round trip time */
+	u_int32_t       rmx_rttvar;     /* estimated rtt variance */
+	u_int32_t       rmx_pksent;     /* packets sent using this route */
+	u_int32_t       rmx_state;      /* route state */
+	u_int32_t       rmx_filler[3];  /* will be used for T/TCP later */
+};
+
+/*
+ * rmx_rtt and rmx_rttvar are stored as microseconds;
+ */
+#define RTM_RTTUNIT     1000000 /* units for rtt, rttvar, as units per sec */
+
+
+
+#define RTF_UP          0x1             /* route usable */
+#define RTF_GATEWAY     0x2             /* destination is a gateway */
+#define RTF_HOST        0x4             /* host entry (net otherwise) */
+#define RTF_REJECT      0x8             /* host or net unreachable */
+#define RTF_DYNAMIC     0x10            /* created dynamically (by redirect) */
+#define RTF_MODIFIED    0x20            /* modified dynamically (by redirect) */
+#define RTF_DONE        0x40            /* message confirmed */
+#define RTF_DELCLONE    0x80            /* delete cloned route */
+#define RTF_CLONING     0x100           /* generate new routes on use */
+#define RTF_XRESOLVE    0x200           /* external daemon resolves name */
+#define RTF_LLINFO      0x400           /* DEPRECATED - exists ONLY for backward
+	                                 *  compatibility */
+#define RTF_LLDATA      0x400           /* used by apps to add/del L2 entries */
+#define RTF_STATIC      0x800           /* manually added */
+#define RTF_BLACKHOLE   0x1000          /* just discard pkts (during updates) */
+#define RTF_NOIFREF     0x2000          /* not eligible for RTF_IFREF */
+#define RTF_PROTO2      0x4000          /* protocol specific routing flag */
+#define RTF_PROTO1      0x8000          /* protocol specific routing flag */
+
+#define RTF_PRCLONING   0x10000         /* protocol requires cloning */
+#define RTF_WASCLONED   0x20000         /* route generated through cloning */
+#define RTF_PROTO3      0x40000         /* protocol specific routing flag */
+                                        /* 0x80000 unused */
+#define RTF_PINNED      0x100000        /* future use */
+#define RTF_LOCAL       0x200000        /* route represents a local address */
+#define RTF_BROADCAST   0x400000        /* route represents a bcast address */
+#define RTF_MULTICAST   0x800000        /* route represents a mcast address */
+#define RTF_IFSCOPE     0x1000000       /* has valid interface scope */
+#define RTF_CONDEMNED   0x2000000       /* defunct; no longer modifiable */
+#define RTF_IFREF       0x4000000       /* route holds a ref to interface */
+#define RTF_PROXY       0x8000000       /* proxying, no interface scope */
+#define RTF_ROUTER      0x10000000      /* host is a router */
+#define RTF_DEAD        0x20000000      /* Route entry is being freed */
+                                        /* 0x40000000 and up unassigned */
+
+#define RTPRF_OURS      RTF_PROTO3      /* set on routes we manage */
+#define RTF_BITS \
+	"\020\1UP\2GATEWAY\3HOST\4REJECT\5DYNAMIC\6MODIFIED\7DONE" \
+	"\10DELCLONE\11CLONING\12XRESOLVE\13LLINFO\14STATIC\15BLACKHOLE" \
+	"\16NOIFREF\17PROTO2\20PROTO1\21PRCLONING\22WASCLONED\23PROTO3" \
+	"\25PINNED\26LOCAL\27BROADCAST\30MULTICAST\31IFSCOPE\32CONDEMNED" \
+	"\33IFREF\34PROXY\35ROUTER"
+
+#define IS_DIRECT_HOSTROUTE(rt) \
+	(((rt)->rt_flags & (RTF_HOST | RTF_GATEWAY)) == RTF_HOST)
+/*
+ * Routing statistics.
+ */
+struct  rtstat {
+	short   rts_badredirect;        /* bogus redirect calls */
+	short   rts_dynamic;            /* routes created by redirects */
+	short   rts_newgateway;         /* routes modified by redirects */
+	short   rts_unreach;            /* lookups which failed */
+	short   rts_wildcard;           /* lookups satisfied by a wildcard */
+	short   rts_badrtgwroute;       /* route to gateway is not direct */
+};
+
+/*
+ * Structures for routing messages.
+ */
+struct rt_msghdr {
+	u_short rtm_msglen;     /* to skip over non-understood messages */
+	u_char  rtm_version;    /* future binary compatibility */
+	u_char  rtm_type;       /* message type */
+	u_short rtm_index;      /* index for associated ifp */
+	int     rtm_flags;      /* flags, incl. kern & message, e.g. DONE */
+	int     rtm_addrs;      /* bitmask identifying sockaddrs in msg */
+	pid_t   rtm_pid;        /* identify sender */
+	int     rtm_seq;        /* for sender to identify action */
+	int     rtm_errno;      /* why failed */
+	int     rtm_use;        /* from rtentry */
+	u_int32_t rtm_inits;    /* which metrics we are initializing */
+	struct rt_metrics rtm_rmx; /* metrics themselves */
+};
+
+struct rt_msghdr2 {
+	u_short rtm_msglen;     /* to skip over non-understood messages */
+	u_char  rtm_version;    /* future binary compatibility */
+	u_char  rtm_type;       /* message type */
+	u_short rtm_index;      /* index for associated ifp */
+	int     rtm_flags;      /* flags, incl. kern & message, e.g. DONE */
+	int     rtm_addrs;      /* bitmask identifying sockaddrs in msg */
+	int32_t rtm_refcnt;     /* reference count */
+	int     rtm_parentflags; /* flags of the parent route */
+	int     rtm_reserved;   /* reserved field set to 0 */
+	int     rtm_use;        /* from rtentry */
+	u_int32_t rtm_inits;    /* which metrics we are initializing */
+	struct rt_metrics rtm_rmx; /* metrics themselves */
+};
+
+
+#define RTM_VERSION     5       /* Up the ante and ignore older versions */
+
+/*
+ * Message types.
+ */
+#define RTM_ADD         0x1     /* Add Route */
+#define RTM_DELETE      0x2     /* Delete Route */
+#define RTM_CHANGE      0x3     /* Change Metrics or flags */
+#define RTM_GET         0x4     /* Report Metrics */
+#define RTM_LOSING      0x5     /* RTM_LOSING is no longer generated by xnu
+	                         *  and is deprecated */
+#define RTM_REDIRECT    0x6     /* Told to use different route */
+#define RTM_MISS        0x7     /* Lookup failed on this address */
+#define RTM_LOCK        0x8     /* fix specified metrics */
+#define RTM_OLDADD      0x9     /* caused by SIOCADDRT */
+#define RTM_OLDDEL      0xa     /* caused by SIOCDELRT */
+#define RTM_RESOLVE     0xb     /* req to resolve dst to LL addr */
+#define RTM_NEWADDR     0xc     /* address being added to iface */
+#define RTM_DELADDR     0xd     /* address being removed from iface */
+#define RTM_IFINFO      0xe     /* iface going up/down etc. */
+#define RTM_NEWMADDR    0xf     /* mcast group membership being added to if */
+#define RTM_DELMADDR    0x10    /* mcast group membership being deleted */
+#define RTM_IFINFO2     0x12    /* */
+#define RTM_NEWMADDR2   0x13    /* */
+#define RTM_GET2        0x14    /* */
+
+/*
+ * Bitmask values for rtm_inits and rmx_locks.
+ */
+#define RTV_MTU         0x1     /* init or lock _mtu */
+#define RTV_HOPCOUNT    0x2     /* init or lock _hopcount */
+#define RTV_EXPIRE      0x4     /* init or lock _expire */
+#define RTV_RPIPE       0x8     /* init or lock _recvpipe */
+#define RTV_SPIPE       0x10    /* init or lock _sendpipe */
+#define RTV_SSTHRESH    0x20    /* init or lock _ssthresh */
+#define RTV_RTT         0x40    /* init or lock _rtt */
+#define RTV_RTTVAR      0x80    /* init or lock _rttvar */
+
+/*
+ * Bitmask values for rtm_addrs.
+ */
+#define RTA_DST         0x1     /* destination sockaddr present */
+#define RTA_GATEWAY     0x2     /* gateway sockaddr present */
+#define RTA_NETMASK     0x4     /* netmask sockaddr present */
+#define RTA_GENMASK     0x8     /* cloning mask sockaddr present */
+#define RTA_IFP         0x10    /* interface name sockaddr present */
+#define RTA_IFA         0x20    /* interface addr sockaddr present */
+#define RTA_AUTHOR      0x40    /* sockaddr for author of redirect */
+#define RTA_BRD         0x80    /* for NEWADDR, broadcast or p-p dest addr */
+
+/*
+ * Index offsets for sockaddr array for alternate internal encoding.
+ */
+#define RTAX_DST        0       /* destination sockaddr present */
+#define RTAX_GATEWAY    1       /* gateway sockaddr present */
+#define RTAX_NETMASK    2       /* netmask sockaddr present */
+#define RTAX_GENMASK    3       /* cloning mask sockaddr present */
+#define RTAX_IFP        4       /* interface name sockaddr present */
+#define RTAX_IFA        5       /* interface addr sockaddr present */
+#define RTAX_AUTHOR     6       /* sockaddr for author of redirect */
+#define RTAX_BRD        7       /* for NEWADDR, broadcast or p-p dest addr */
+#define RTAX_MAX        8       /* size of array to allocate */
+
+struct rt_addrinfo {
+	int     rti_addrs;
+	struct  sockaddr *rti_info[RTAX_MAX];
+};
+
+
+#endif /* _NET_ROUTE_H_ */
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -28,7 +28,6 @@ import (
 	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/derp/derphttp"
-	"tailscale.com/net/dnscache"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/stun"
@@ -134,10 +133,6 @@ func cloneDurationMap(m map[int]time.Duration) map[int]time.Duration {

 // Client generates a netcheck Report.
 type Client struct {
-	// DNSCache optionally specifies a DNSCache to use.
-	// If nil, a DNS cache is not used.
-	DNSCache *dnscache.Resolver
-
 	// Verbose enables verbose logging.
 	Verbose bool

@@ -156,6 +151,15 @@ type Client struct {
 	// GetSTUNConn6 is like GetSTUNConn4, but for IPv6.
 	GetSTUNConn6 func() STUNConn

+	// SkipExternalNetwork controls whether the client should not try
+	// to reach things other than localhost. This is set to true
+	// in tests to avoid probing the local LAN's router, etc.
+	SkipExternalNetwork bool
+
+	// UDPBindAddr, if non-empty, is the address to listen on for UDP.
+	// It defaults to ":0".
+	UDPBindAddr string
+
 	mu       sync.Mutex            // guards following
 	nextFull bool                  // do a full region scan, even if last != nil
 	prev     map[time.Time]*Report // some previous reports
@@ -171,6 +175,15 @@ type STUNConn interface {
 	ReadFrom([]byte) (int, net.Addr, error)
 }

+func (c *Client) enoughRegions() int {
+	if c.Verbose {
+		// Abuse verbose a bit here so netcheck can show all region latencies
+		// in verbose mode.
+		return 100
+	}
+	return 3
+}
+
 func (c *Client) logf(format string, a ...interface{}) {
 	if c.Logf != nil {
 		c.Logf(format, a...)
@@ -227,7 +240,6 @@ func (c *Client) ReceiveSTUNPacket(pkt []byte, src netaddr.IPPort) {

 	tx, addr, port, err := stun.ParseResponse(pkt)
 	if err != nil {
-		c.mu.Unlock()
 		if _, err := stun.ParseBindingRequest(pkt); err == nil {
 			// This was probably our own netcheck hairpin
 			// check probe coming in late. Ignore.
@@ -615,12 +627,13 @@ func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort
 	ret.UDP = true
 	updateLatency(ret.RegionLatency, node.RegionID, d)

-	// Once we've heard from 3 regions, start a timer to give up
-	// on the other ones.  The timer's duration is a function of
-	// whether this is our initial full probe or an incremental
-	// one. For incremental ones, wait for the duration of the
-	// slowest region. For initial ones, double that.
-	if len(ret.RegionLatency) == 3 {
+	// Once we've heard from enough regions (3), start a timer to
+	// give up on the other ones. The timer's duration is a
+	// function of whether this is our initial full probe or an
+	// incremental one. For incremental ones, wait for the
+	// duration of the slowest region. For initial ones, double
+	// that.
+	if len(ret.RegionLatency) == rs.c.enoughRegions() {
 		timeout := maxDurationValue(ret.RegionLatency)
 		if !rs.incremental {
 			timeout *= 2
@@ -679,7 +692,7 @@ func (rs *reportState) probePortMapServices() {
 	port1900 := netaddr.IPPort{IP: gw, Port: 1900}.UDPAddr()
 	port5351 := netaddr.IPPort{IP: gw, Port: 5351}.UDPAddr()

-	rs.c.logf("probePortMapServices: me %v -> gw %v", myIP, gw)
+	rs.c.logf("[v1] probePortMapServices: me %v -> gw %v", myIP, gw)

 	// Create a UDP4 socket used just for querying for UPnP, NAT-PMP, and PCP.
 	uc, err := netns.Listener().ListenPacket(context.Background(), "udp4", ":0")
@@ -697,6 +710,7 @@ func (rs *reportState) probePortMapServices() {
 	uc.WriteTo(pcpPacket(myIP, tempPort, false), port5351)

 	res := make([]byte, 1500)
+	sentPCPDelete := false
 	for {
 		n, addr, err := uc.ReadFrom(res)
 		if err != nil {
@@ -714,11 +728,14 @@ func (rs *reportState) probePortMapServices() {
 			if n == 60 && res[0] == 0x02 { // right length and version 2
 				rs.setOptBool(&rs.report.PCP, true)

-				// And now delete the mapping.
-				// (PCP is the only protocol of the three that requires
-				// we cause a side effect to detect whether it's present,
-				// so we need to redo that side effect now.)
-				uc.WriteTo(pcpPacket(myIP, tempPort, true), port5351)
+				if !sentPCPDelete {
+					sentPCPDelete = true
+					// And now delete the mapping.
+					// (PCP is the only protocol of the three that requires
+					// we cause a side effect to detect whether it's present,
+					// so we need to redo that side effect now.)
+					uc.WriteTo(pcpPacket(myIP, tempPort, true), port5351)
+				}
 			}
 		}
 	}
@@ -734,6 +751,7 @@ var uPnPPacket = []byte("M-SEARCH * HTTP/1.1\r\n" +

 var v4unspec, _ = netaddr.ParseIP("0.0.0.0")

+// pcpPacket generates a PCP packet with a MAP opcode.
 func pcpPacket(myIP netaddr.IP, mapToLocalPort int, delete bool) []byte {
 	const udpProtoNumber = 17
 	lifetimeSeconds := uint32(1)
@@ -741,17 +759,24 @@ func pcpPacket(myIP netaddr.IP, mapToLocalPort int, delete bool) []byte {
 		lifetimeSeconds = 0
 	}
 	const opMap = 1
+
+	// 24 byte header + 36 byte map opcode
 	pkt := make([]byte, (32+32+128)/8+(96+8+24+16+16+128)/8)
+
+	// The header (https://tools.ietf.org/html/rfc6887#section-7.1)
 	pkt[0] = 2 // version
 	pkt[1] = opMap
 	binary.BigEndian.PutUint32(pkt[4:8], lifetimeSeconds)
 	myIP16 := myIP.As16()
 	copy(pkt[8:], myIP16[:])
-	rand.Read(pkt[24 : 24+12])
-	pkt[36] = udpProtoNumber
-	binary.BigEndian.PutUint16(pkt[40:], uint16(mapToLocalPort))
+
+	// The map opcode body (https://tools.ietf.org/html/rfc6887#section-11.1)
+	mapOp := pkt[24:]
+	rand.Read(mapOp[:12]) // 96 bit mappping nonce
+	mapOp[12] = udpProtoNumber
+	binary.BigEndian.PutUint16(mapOp[16:], uint16(mapToLocalPort))
 	v4unspec16 := v4unspec.As16()
-	copy(pkt[40:], v4unspec16[:])
+	copy(mapOp[20:], v4unspec16[:])
 	return pkt
 }

@@ -763,6 +788,13 @@ func newReport() *Report {
 	}
 }

+func (c *Client) udpBindAddr() string {
+	if v := c.UDPBindAddr; v != "" {
+		return v
+	}
+	return ":0"
+}
+
 // GetReport gets a report.
 //
 // It may not be called concurrently with itself.
@@ -810,7 +842,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e

 	ifState, err := interfaces.GetState()
 	if err != nil {
-		c.logf("interfaces: %v", err)
+		c.logf("[v1] interfaces: %v", err)
 		return nil, err
 	}

@@ -822,8 +854,10 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 	}
 	defer rs.pc4Hair.Close()

-	rs.waitPortMap.Add(1)
-	go rs.probePortMapServices()
+	if !c.SkipExternalNetwork {
+		rs.waitPortMap.Add(1)
+		go rs.probePortMapServices()
+	}

 	// At least the Apple Airport Extreme doesn't allow hairpin
 	// sends from a private socket until it's seen traffic from
@@ -841,7 +875,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 	if f := c.GetSTUNConn4; f != nil {
 		rs.pc4 = f()
 	} else {
-		u4, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
+		u4, err := netns.Listener().ListenPacket(ctx, "udp4", c.udpBindAddr())
 		if err != nil {
 			c.logf("udp4: %v", err)
 			return nil, err
@@ -854,7 +888,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 		if f := c.GetSTUNConn6; f != nil {
 			rs.pc6 = f()
 		} else {
-			u6, err := netns.Listener().ListenPacket(ctx, "udp6", ":0")
+			u6, err := netns.Listener().ListenPacket(ctx, "udp6", c.udpBindAddr())
 			if err != nil {
 				c.logf("udp6: %v", err)
 			} else {
@@ -893,8 +927,10 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e

 	rs.waitHairCheck(ctx)
 	c.vlogf("hairCheck done")
-	rs.waitPortMap.Wait()
-	c.vlogf("portMap done")
+	if !c.SkipExternalNetwork {
+		rs.waitPortMap.Wait()
+		c.vlogf("portMap done")
+	}
 	rs.stopTimers()

 	// Try HTTPS latency check if all STUN probes failed due to UDP presumably being blocked.
@@ -915,7 +951,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 			go func(reg *tailcfg.DERPRegion) {
 				defer wg.Done()
 				if d, ip, err := c.measureHTTPSLatency(ctx, reg); err != nil {
-					c.logf("netcheck: measuring HTTPS latency of %v (%d): %v", reg.RegionCode, reg.RegionID, err)
+					c.logf("[v1] netcheck: measuring HTTPS latency of %v (%d): %v", reg.RegionCode, reg.RegionID, err)
 				} else {
 					rs.mu.Lock()
 					rs.report.RegionLatency[reg.RegionID] = d
@@ -1009,7 +1045,7 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 }

 func (c *Client) logConciseReport(r *Report, dm *tailcfg.DERPMap) {
-	c.logf("%v", logger.ArgWriter(func(w *bufio.Writer) {
+	c.logf("[v1] report: %v", logger.ArgWriter(func(w *bufio.Writer) {
 		fmt.Fprintf(w, "udp=%v", r.UDP)
 		if !r.IPv4 {
 			fmt.Fprintf(w, " v4=%v", r.IPv4)
@@ -1066,6 +1102,10 @@ func (c *Client) addReportHistoryAndSetPreferredDERP(r *Report) {
 	c.mu.Lock()
 	defer c.mu.Unlock()

+	var prevDERP int
+	if c.last != nil {
+		prevDERP = c.last.PreferredDERP
+	}
 	if c.prev == nil {
 		c.prev = map[time.Time]*Report{}
 	}
@@ -1083,9 +1123,9 @@ func (c *Client) addReportHistoryAndSetPreferredDERP(r *Report) {
 			delete(c.prev, t)
 			continue
 		}
-		for hp, d := range pr.RegionLatency {
-			if bd, ok := bestRecent[hp]; !ok || d < bd {
-				bestRecent[hp] = d
+		for regionID, d := range pr.RegionLatency {
+			if bd, ok := bestRecent[regionID]; !ok || d < bd {
+				bestRecent[regionID] = d
 			}
 		}
 	}
@@ -1093,13 +1133,27 @@ func (c *Client) addReportHistoryAndSetPreferredDERP(r *Report) {
 	// Then, pick which currently-alive DERP server from the
 	// current report has the best latency over the past maxAge.
 	var bestAny time.Duration
-	for hp := range r.RegionLatency {
-		best := bestRecent[hp]
+	var oldRegionCurLatency time.Duration
+	for regionID, d := range r.RegionLatency {
+		if regionID == prevDERP {
+			oldRegionCurLatency = d
+		}
+		best := bestRecent[regionID]
 		if r.PreferredDERP == 0 || best < bestAny {
 			bestAny = best
-			r.PreferredDERP = hp
+			r.PreferredDERP = regionID
 		}
 	}
+
+	// If we're changing our preferred DERP but the old one's still
+	// accessible and the new one's not much better, just stick with
+	// where we are.
+	if prevDERP != 0 &&
+		r.PreferredDERP != prevDERP &&
+		oldRegionCurLatency != 0 &&
+		bestAny > oldRegionCurLatency/3*2 {
+		r.PreferredDERP = prevDERP
+	}
 }

 func updateLatency(m map[int]time.Duration, regionID int, d time.Duration) {
--- a/net/netcheck/netcheck_test.go
+++ b/net/netcheck/netcheck_test.go
@@ -50,7 +50,8 @@ func TestBasic(t *testing.T) {
 	defer cleanup()

 	c := &Client{
-		Logf: t.Logf,
+		Logf:        t.Logf,
+		UDPBindAddr: "127.0.0.1:0",
 	}

 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
@@ -194,6 +195,24 @@ func TestAddReportHistoryAndSetPreferredDERP(t *testing.T) {
 			wantPrevLen: 1, // t=[0123]s all gone. (too old, older than 10 min)
 			wantDERP:    3, // only option
 		},
+		{
+			name: "preferred_derp_hysteresis_no_switch",
+			steps: []step{
+				{0 * time.Second, report("d1", 4, "d2", 5)},
+				{1 * time.Second, report("d1", 4, "d2", 3)},
+			},
+			wantPrevLen: 2,
+			wantDERP:    1, // 2 didn't get fast enough
+		},
+		{
+			name: "preferred_derp_hysteresis_do_switch",
+			steps: []step{
+				{0 * time.Second, report("d1", 4, "d2", 5)},
+				{1 * time.Second, report("d1", 4, "d2", 1)},
+			},
+			wantPrevLen: 2,
+			wantDERP:    2, // 2 got fast enough
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -553,9 +572,47 @@ func TestLogConciseReport(t *testing.T) {
 			var buf bytes.Buffer
 			c := &Client{Logf: func(f string, a ...interface{}) { fmt.Fprintf(&buf, f, a...) }}
 			c.logConciseReport(tt.r, dm)
-			if got := buf.String(); got != tt.want {
+			if got := strings.TrimPrefix(buf.String(), "[v1] report: "); got != tt.want {
 				t.Errorf("unexpected result.\n got: %#q\nwant: %#q\n", got, tt.want)
 			}
 		})
 	}
 }
+
+func TestSortRegions(t *testing.T) {
+	unsortedMap := &tailcfg.DERPMap{
+		Regions: map[int]*tailcfg.DERPRegion{},
+	}
+	for rid := 1; rid <= 5; rid++ {
+		var nodes []*tailcfg.DERPNode
+		nodes = append(nodes, &tailcfg.DERPNode{
+			Name:     fmt.Sprintf("%da", rid),
+			RegionID: rid,
+			HostName: fmt.Sprintf("derp%d-1", rid),
+			IPv4:     fmt.Sprintf("%d.0.0.1", rid),
+			IPv6:     fmt.Sprintf("%d::1", rid),
+		})
+		unsortedMap.Regions[rid] = &tailcfg.DERPRegion{
+			RegionID: rid,
+			Nodes:    nodes,
+		}
+	}
+	report := newReport()
+	report.RegionLatency[1] = time.Second * time.Duration(5)
+	report.RegionLatency[2] = time.Second * time.Duration(3)
+	report.RegionLatency[3] = time.Second * time.Duration(6)
+	report.RegionLatency[4] = time.Second * time.Duration(0)
+	report.RegionLatency[5] = time.Second * time.Duration(2)
+	sortedMap := sortRegions(unsortedMap, report)
+
+	// Sorting by latency this should result in rid: 5, 2, 1, 3
+	// rid 4 with latency 0 should be at the end
+	want := []int{5, 2, 1, 3, 4}
+	got := make([]int, len(sortedMap))
+	for i, r := range sortedMap {
+		got[i] = r.RegionID
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
+}
--- a/net/netns/netns_default.go
+++ b/net/netns/netns_default.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build !linux
+// +build !linux,!windows

 package netns

--- a/Show More
+++ b/Show More