cmd/tailscale, ipn/ipn{local,server}: add start of CLI admin API + over Noise

Change-Id: I2936f6baf50e7eeac7190051adba493d4245b3ea Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
tsnet: fix format string/argument mismatch in log output
2022-03-20 13:01:18 -07:00 · 2022-03-19 20:24:33 -07:00 · 2022-03-19 18:54:33 -07:00 · 2022-03-19 18:38:32 -07:00 · 2022-03-19 13:02:38 -07:00 · 2022-03-19 12:59:51 -07:00
210 changed files with 5615 additions and 1647 deletions
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -16,7 +16,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18

    - name: Check out code
      uses: actions/checkout@v1
--- a/.github/workflows/go-generate-without-stringer.sh
+++ b/.github/workflows/go-generate-without-stringer.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+#
+# This is a temporary hack to work around
+# https://github.com/golang/go/issues/51629 , wherein the stringer
+# generator doesn't work with generics.
+#
+# This script is the equivalent of `go generate ./...`, except that it
+# only runs generate on packages that don't try to use stringer.
+
+set -e
+
+find . -name '*.go' | xargs grep -l go:generate | xargs -n1 dirname | sort -u | while read dir; do
+	if ! egrep "cmd/(stringer|cloner)" $dir/*.go; then
+		set -x
+		go generate -tags=hermetic $dir
+		set +x
+	fi
+done
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -17,7 +17,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v2.1.5
        with:
-          go-version: 1.17
+          go-version: 1.18

      - name: Check out code
        uses: actions/checkout@v2
@@ -25,14 +25,13 @@ jobs:
          fetch-depth: 0

      - name: check 'go generate' is clean
+        # The shell script invocation below is a temporary hack for
+        # https://github.com/tailscale/tailscale/issues/4194. When
+        # that issue is fixed, replace its invocation with:
+        # go generate --tags=hermetic ./...
        run: |
-          if [[ "${{github.ref}}" == release-branch/* ]]
-          then
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          else
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          fi
-          go generate $pkgs
+          set -e
+          ./.github/workflows/go-generate-without-stringer.sh
          echo
          echo
          git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -16,7 +16,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18

    - name: Check out code
      uses: actions/checkout@v1
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -16,7 +16,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17
+        go-version: 1.18

    - name: Check out code
      uses: actions/checkout@v1
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -18,7 +18,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v2.1.5
        with:
-          go-version: 1.17
+          go-version: 1.18

      - name: Checkout Code
        uses: actions/checkout@v1
--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Install Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17.x
+        go-version: 1.18.x

    - name: Checkout code
      uses: actions/checkout@v2
@@ -27,10 +27,21 @@ jobs:
    - name: Restore Cache
      uses: actions/cache@v2
      with:
-        path: ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
+        # Note: unlike some other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        # The -race- here ensures that non-race builds and race builds do not
+        # overwrite each others cache, as while they share some files, they
+        # differ in most by volume (build cache).
+        # TODO(raggi): add a go version here.
+        key: ${{ runner.os }}-go-2-race-${{ hashFiles('**/go.sum') }}

    - name: Test with -race flag
      # Don't use -bench=. -benchtime=1x.
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Install Go
      uses: actions/setup-go@v2.1.5
      with:
-        go-version: 1.17.x
+        go-version: 1.18.x

    - name: Checkout code
      uses: actions/checkout@v2
@@ -27,10 +27,18 @@ jobs:
    - name: Restore Cache
      uses: actions/cache@v2
      with:
-        path: ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
+        # Note: unlike some other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        # TODO(raggi): add a go version here.
+        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}

    - name: Test
      # Don't use -bench=. -benchtime=1x.
--- a/2
+++ b/2
@@ -32,7 +32,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.17-alpine AS build-env
+FROM golang:1.18-alpine AS build-env

 WORKDIR /go/src/tailscale

--- a/18
+++ b/18
@@ -6,24 +6,24 @@ usage:
 	echo "See Makefile"

 vet:
-	go vet ./...
+	./tool/go vet ./...

 updatedeps:
-	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
-	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale
+	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
+	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale

 depaware:
-	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
-	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
+	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale

 buildwindows:
-	GOOS=windows GOARCH=amd64 go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
+	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

 build386:
-	GOOS=linux GOARCH=386 go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
+	GOOS=linux GOARCH=386 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

 buildlinuxarm:
-	GOOS=linux GOARCH=arm go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
+	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

 buildmultiarchimage:
 	./build_docker.sh
@@ -31,7 +31,7 @@ buildmultiarchimage:
 check: staticcheck vet depaware buildwindows build386 buildlinuxarm

 staticcheck:
-	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)
+	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)

 spk:
 	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}
--- a/README.md
+++ b/README.md
@@ -44,7 +44,7 @@ If your distro has conventions that preclude the use of
 distro's way, so that bug reports contain useful version information.

 We only guarantee to support the latest Go release and any Go beta or
-release candidate builds (currently Go 1.17) in module mode. It might
+release candidate builds (currently Go 1.18) in module mode. It might
 work in earlier Go versions or in GOPATH mode, but we're making no
 effort to keep those working.

--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.21.0
+1.23.0
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -80,7 +80,7 @@ func (b *BIRDClient) EnableProtocol(protocol string) error {
 // Reply codes starting with 0 stand for ‘action successfully completed’ messages,
 // 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.

-func (b *BIRDClient) exec(cmd string, args ...interface{}) (string, error) {
+func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
 	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
 		return "", err
 	}
--- a/client/tailscale/required_version.go
+++ b/client/tailscale/required_version.go
@@ -0,0 +1,12 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.18
+// +build !go1.18
+
+package tailscale
+
+func init() {
+	you_need_Go_1_18_to_compile_Tailscale()
+}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build go1.18
+// +build go1.18
+
 // Package tailscale contains Tailscale client code.
 package tailscale

@@ -113,10 +116,7 @@ func doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
 	if ue, ok := err.(*url.Error); ok {
 		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
 			path := req.URL.Path
-			pathPrefix := path
-			if i := strings.Index(path, "?"); i != -1 {
-				pathPrefix = path[:i]
-			}
+			pathPrefix, _, _ := strings.Cut(path, "?")
 			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
 		}
 	}
@@ -517,8 +517,8 @@ func tailscaledConnectHint() string {
 	// SubState=dead
 	st := map[string]string{}
 	for _, line := range strings.Split(string(out), "\n") {
-		if i := strings.Index(line, "="); i != -1 {
-			st[line[:i]] = strings.TrimSpace(line[i+1:])
+		if k, v, ok := strings.Cut(line, "="); ok {
+			st[k] = strings.TrimSpace(v)
 		}
 	}
 	if st["LoadState"] == "loaded" &&
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -69,14 +69,14 @@ func main() {
 		gen(buf, imports, typ, pkg.Types)
 	}

-	w := func(format string, args ...interface{}) {
+	w := func(format string, args ...any) {
 		fmt.Fprintf(buf, format+"\n", args...)
 	}
 	if *flagCloneFunc {
 		w("// Clone duplicates src into dst and reports whether it succeeded.")
 		w("// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,")
 		w("// where T is one of %s.", *flagTypes)
-		w("func Clone(dst, src interface{}) bool {")
+		w("func Clone(dst, src any) bool {")
 		w("	switch src := src.(type) {")
 		for _, typeName := range typeNames {
 			w("	case *%s:", typeName)
@@ -158,7 +158,7 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 	fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
 	fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
 	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
-	writef := func(format string, args ...interface{}) {
+	writef := func(format string, args ...any) {
 		fmt.Fprintf(buf, "\t"+format+"\n", args...)
 	}
 	writef("if src == nil {")
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -39,7 +39,8 @@ import (
 var (
 	dev           = flag.Bool("dev", false, "run in localhost development mode")
 	addr          = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
-	httpPort      = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable")
+	httpPort      = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	stunPort      = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
 	configPath    = flag.String("c", "", "config file path")
 	certMode      = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
 	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
@@ -212,7 +213,7 @@ func main() {
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))

 	if *runSTUN {
-		go serveSTUN(listenHost)
+		go serveSTUN(listenHost, *stunPort)
 	}

 	httpsrv := &http.Server{
@@ -322,8 +323,8 @@ func probeHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }

-func serveSTUN(host string) {
-	pc, err := net.ListenPacket("udp", net.JoinHostPort(host, "3478"))
+func serveSTUN(host string, port int) {
+	pc, err := net.ListenPacket("udp", net.JoinHostPort(host, fmt.Sprint(port)))
 	if err != nil {
 		log.Fatalf("failed to open STUN listener: %v", err)
 	}
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -19,7 +19,9 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"os"
 	"sort"
+	"strings"
 	"sync"
 	"time"

@@ -54,7 +56,15 @@ var (

 func main() {
 	flag.Parse()
+
+	// proactively load the DERP map. Nothing terrible happens if this fails, so we ignore
+	// the error. The Slack bot will print a notification that the DERP map was empty.
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	_, _ = getDERPMap(ctx)
+
 	go probeLoop()
+	go slackLoop()
 	log.Fatal(http.ListenAndServe(*listen, http.HandlerFunc(serve)))
 }

@@ -68,11 +78,11 @@ type overallStatus struct {
 	good, bad []string
 }

-func (st *overallStatus) addBadf(format string, a ...interface{}) {
+func (st *overallStatus) addBadf(format string, a ...any) {
 	st.bad = append(st.bad, fmt.Sprintf(format, a...))
 }

-func (st *overallStatus) addGoodf(format string, a ...interface{}) {
+func (st *overallStatus) addGoodf(format string, a ...any) {
 	st.good = append(st.good, fmt.Sprintf(format, a...))
 }

@@ -138,10 +148,14 @@ func getOverallStatus() (o overallStatus) {
 func serve(w http.ResponseWriter, r *http.Request) {
 	st := getOverallStatus()
 	summary := "All good"
-	if len(st.bad) > 0 {
+	if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
+		// This will generate an alert and page a human.
+		// It also ends up in Slack, but as part of the alert handling pipeline not
+		// because we generated a Slack notification from here.
 		w.WriteHeader(500)
 		summary = fmt.Sprintf("%d problems", len(st.bad))
 	}
+
 	io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
 	fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
 	for _, s := range st.bad {
@@ -153,6 +167,71 @@ func serve(w http.ResponseWriter, r *http.Request) {
 	io.WriteString(w, "</ul></body></html>\n")
 }

+func notifySlack(text string) error {
+	type SlackRequestBody struct {
+		Text string `json:"text"`
+	}
+
+	slackBody, err := json.Marshal(SlackRequestBody{Text: text})
+	if err != nil {
+		return err
+	}
+
+	webhookUrl := os.Getenv("SLACK_WEBHOOK")
+	if webhookUrl == "" {
+		return errors.New("No SLACK_WEBHOOK configured")
+	}
+
+	req, err := http.NewRequest("POST", webhookUrl, bytes.NewReader(slackBody))
+	if err != nil {
+		return err
+	}
+	req.Header.Add("Content-Type", "application/json")
+
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return errors.New(resp.Status)
+	}
+
+	body, _ := io.ReadAll(resp.Body)
+	if string(body) != "ok" {
+		return errors.New("Non-ok response returned from Slack")
+	}
+	return nil
+}
+
+// We only page a human if it looks like there is a significant outage across multiple regions.
+// To Slack, we report all failures great and small.
+func slackLoop() {
+	inBadState := false
+	for {
+		time.Sleep(time.Second * 30)
+		st := getOverallStatus()
+
+		if len(st.bad) > 0 && !inBadState {
+			err := notifySlack(strings.Join(st.bad, "\n"))
+			if err == nil {
+				inBadState = true
+			} else {
+				log.Printf("%d problems, notify Slack failed: %v", len(st.bad), err)
+			}
+		}
+
+		if len(st.bad) == 0 && inBadState {
+			err := notifySlack("All DERPs recovered.")
+			if err == nil {
+				inBadState = false
+			}
+		}
+	}
+}
+
 func sortedRegions(dm *tailcfg.DERPMap) []*tailcfg.DERPRegion {
 	ret := make([]*tailcfg.DERPRegion, 0, len(dm.Regions))
 	for _, r := range dm.Regions {
@@ -347,7 +426,7 @@ func probeNodePair(ctx context.Context, dm *tailcfg.DERPMap, from, to *tailcfg.D
 	}

 	// Receive the random packet.
-	recvc := make(chan interface{}, 1) // either derp.ReceivedPacket or error
+	recvc := make(chan any, 1) // either derp.ReceivedPacket or error
 	go func() {
 		for {
 			m, err := toc.Recv()
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -206,8 +206,6 @@ func root(w http.ResponseWriter, r *http.Request) {

 // firstLabel s up until the first period, if any.
 func firstLabel(s string) string {
-	if i := strings.Index(s, "."); i != -1 {
-		return s[:i]
-	}
+	s, _, _ = strings.Cut(s, ".")
 	return s
 }
--- a/cmd/tailscale/cli/admin.go
+++ b/cmd/tailscale/cli/admin.go
@@ -0,0 +1,231 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Admin commands.
+
+package cli
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"flag"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
+)
+
+var adminCmd = &ffcli.Command{
+	Name:     "admin",
+	Exec:     runAdmin,
+	LongHelp: `"tailscale admin" contains admin commands to manage a Tailscale network.`,
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("admin")
+		fs.StringVar(&adminArgs.apiBase, "api-server", "https://api.tailscale.com", "which Tailscale server instance to use. Ignored when --token-file is empty.")
+		fs.StringVar(&adminArgs.tokenFile, "token-file", "", "if non-empty, filename containing API token to use. If empty, authentication is done via the active Tailscale control plane connection.")
+		fs.StringVar(&adminArgs.tailnet, "tailnet", "", "Tailnet to query or edit. Required if token-file is used. Must be blank if token-file is blank, in which case the tailnet used is the same as the active tailnet.")
+		return fs
+	})(),
+	Subcommands: []*ffcli.Command{
+		newTailnetACLGetCmd(),
+		newTailnetDeviceListCmd(),
+		newTailnetKeyListCmd(),
+	},
+}
+
+var adminArgs struct {
+	tokenFile string
+	tailnet   string
+	apiBase   string
+}
+
+func runAdmin(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		return errors.New("unknown command; see 'tailscale admin --help'")
+	}
+	return errors.New("see 'tailscale admin --help'")
+}
+
+type adminClient struct {
+	apiBase string // e.g. "https://api.tailscale.com"
+	token   string // non-empty if using token-based auth
+	hc      *http.Client
+	tailnet string // always non-empty
+}
+
+func getAdminHTTPClient() (*adminClient, error) {
+	tokenFile := adminArgs.tokenFile
+	tailnet := adminArgs.tailnet
+	apiBase := adminArgs.apiBase
+	if (tokenFile != "") != (tailnet != "") {
+		return nil, errors.New("--token-file and --tailnet must both be blank or both be specified")
+	}
+	if tailnet == "" {
+		st, err := tailscale.StatusWithoutPeers(context.Background())
+		if err != nil {
+			return nil, err
+		}
+		if st.BackendState != "Running" {
+			return nil, fmt.Errorf("Tailscale must be running; currently in state %q", st.BackendState)
+		}
+		if st.CurrentTailnet == nil {
+			return nil, fmt.Errorf("no CurrentTailnet in status")
+		}
+		tailnet = st.CurrentTailnet.Name
+		// TODO(bradfitz): put apiBase in *ipnstate.TailnetStatus? update apiBase here?
+	}
+	ac := &adminClient{
+		tailnet: tailnet,
+		apiBase: apiBase,
+	}
+
+	if tokenFile != "" {
+		v, err := os.ReadFile(tokenFile)
+		if err != nil {
+			return nil, err
+		}
+		token := strings.TrimSpace(string(v))
+		if token == "" || strings.Contains(token, "\n") {
+			return nil, fmt.Errorf("expect exactly 1 line in API token file %v", tokenFile)
+		}
+		ac.token = token
+		ac.hc = http.DefaultClient
+	} else {
+		// Otherwise, proxy via the local tailscaled and use its identity.
+		ac.hc = &http.Client{Transport: apiViaTailscaledTransport{}}
+		ac.apiBase = "http://local-tailscaled.sock"
+	}
+	return ac, nil
+}
+
+func newTailnetDeviceListCmd() *ffcli.Command {
+	var fields string
+	const sub = "tailnet-device-list"
+	fs := newFlagSet(sub)
+	fs.StringVar(&fields, "fields", "default", "comma-separated fields to include in response or 'default', 'all'")
+	return &ffcli.Command{
+		Name:      sub,
+		ShortHelp: "list devices",
+		FlagSet:   fs,
+		Exec: func(ctx context.Context, args []string) error {
+			ac, err := getAdminHTTPClient()
+			if err != nil {
+				return err
+			}
+			q := url.Values{"fields": []string{fields}}
+			return writeResJSON(ac.hc.Get(ac.apiBase + "/api/v2/tailnet/" + ac.tailnet + "/devices?" + q.Encode()))
+		},
+	}
+}
+
+func newTailnetKeyListCmd() *ffcli.Command {
+	const sub = "tailnet-key-list"
+	return &ffcli.Command{
+		Name:      sub,
+		ShortHelp: "list keys or specific key (with keyID as argument)",
+		Exec: func(ctx context.Context, args []string) error {
+			var suf string
+			if len(args) == 1 {
+				suf = "/" + args[0]
+			} else if len(args) > 1 {
+				return errors.New("too many arguments")
+			}
+			ac, err := getAdminHTTPClient()
+			if err != nil {
+				return err
+			}
+			return writeResJSON(ac.hc.Get(ac.apiBase + "/api/v2/tailnet/" + ac.tailnet + "/keys" + suf))
+		},
+	}
+}
+
+func newTailnetACLGetCmd() *ffcli.Command {
+	var asJSON bool // true is JSON, false is HuJSON
+	const sub = "tailnet-acl-get"
+	fs := newFlagSet(sub)
+	fs.BoolVar(&asJSON, "json", false, "if true, return ACL is JSON format. The default of false means to use the original HuJSON JSON superset form that allows comments and trailing commas.")
+	return &ffcli.Command{
+		Name:      sub,
+		ShortHelp: "list Tailnet ACL/config policy",
+		FlagSet:   fs,
+		Exec: func(ctx context.Context, args []string) error {
+			ac, err := getAdminHTTPClient()
+			if err != nil {
+				return err
+			}
+			req, err := http.NewRequest("GET", ac.apiBase+"/api/v2/tailnet/"+ac.tailnet+"/acl", nil)
+			if err != nil {
+				return err
+			}
+			if asJSON {
+				req.Header.Set("Accept", "application/json")
+			}
+			res, err := ac.hc.Do(req)
+			if err != nil {
+				return err
+			}
+			if asJSON {
+				return writeResJSON(res, err)
+			}
+			defer res.Body.Close()
+			if res.StatusCode != 200 {
+				body, _ := io.ReadAll(res.Body)
+				return fmt.Errorf("%v: %s", res.Status, body)
+			}
+			all, err := io.ReadAll(res.Body)
+			if err != nil {
+				return err
+			}
+			var buf bytes.Buffer
+			buf.Write(all)
+			ensureTrailingNewline(&buf)
+			os.Stdout.Write(buf.Bytes())
+			return nil
+		},
+	}
+}
+
+// apiViaTailscaledTransport is an http.RoundTripper that makes
+// Tailscale API HTTP requests via the localapi to tailscaled,
+// which then forwards them on over Noise.
+type apiViaTailscaledTransport struct{}
+
+func (apiViaTailscaledTransport) RoundTrip(r *http.Request) (*http.Response, error) {
+	return tailscale.DoLocalRequest(r)
+}
+
+func ensureTrailingNewline(buf *bytes.Buffer) {
+	if buf.Len() > 0 && buf.Bytes()[buf.Len()-1] != '\n' {
+		buf.WriteByte('\n')
+	}
+}
+
+func writeResJSON(res *http.Response, err error) error {
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		return fmt.Errorf("%v: %s", res.Status, body)
+	}
+	all, err := io.ReadAll(res.Body)
+	if err != nil {
+		return err
+	}
+	var buf bytes.Buffer
+	if err := json.Indent(&buf, all, "", "\t"); err != nil {
+		return err
+	}
+	ensureTrailingNewline(&buf)
+	os.Stdout.Write(buf.Bytes())
+	return nil
+}
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -79,7 +79,7 @@ func runCert(ctx context.Context, args []string) error {
 	}
 	domain := args[0]

-	printf := func(format string, a ...interface{}) {
+	printf := func(format string, a ...any) {
 		printf(format, a...)
 	}
 	if certArgs.certFile == "-" || certArgs.keyFile == "-" {
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -35,7 +35,7 @@ import (
 var Stderr io.Writer = os.Stderr
 var Stdout io.Writer = os.Stdout

-func printf(format string, a ...interface{}) {
+func printf(format string, a ...any) {
 	fmt.Fprintf(Stdout, format, a...)
 }

@@ -44,7 +44,7 @@ func printf(format string, a ...interface{}) {
 //
 // It's not named println because that looks like the Go built-in
 // which goes to stderr and formats slightly differently.
-func outln(a ...interface{}) {
+func outln(a ...any) {
 	fmt.Fprintln(Stdout, a...)
 }

@@ -125,10 +125,22 @@ func CleanUpArgs(args []string) []string {
 }

 // Run runs the CLI. The args do not include the binary name.
-func Run(args []string) error {
+func Run(args []string) (err error) {
 	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
 		args = []string{"version"}
 	}
+	if runtime.GOOS == "linux" && distro.Get() == distro.Gokrazy &&
+		os.Getenv("GOKRAZY_FIRST_START") == "1" {
+		defer func() {
+			// Exit with 125 otherwise the CLI binary is restarted
+			// forever in a loop by the Gokrazy process supervisor.
+			// See https://gokrazy.org/userguide/process-interface/
+			if err != nil {
+				log.Println(err)
+			}
+			os.Exit(125)
+		}()
+	}

 	var warnOnce sync.Once
 	tailscale.SetVersionMismatchHandler(func(clientVer, serverVer string) {
@@ -163,6 +175,7 @@ change in the future.
 			fileCmd,
 			bugReportCmd,
 			certCmd,
+			adminCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
@@ -194,7 +207,7 @@ change in the future.
 		}
 	})

-	err := rootCmd.Run(context.Background())
+	err = rootCmd.Run(context.Background())
 	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
 		return fmt.Errorf("%v\n\nUse 'sudo tailscale %s' or 'tailscale up --operator=$USER' to not require root.", err, strings.Join(args, " "))
 	}
@@ -204,7 +217,7 @@ change in the future.
 	return err
 }

-func fatalf(format string, a ...interface{}) {
+func fatalf(format string, a ...any) {
 	if Fatalf != nil {
 		Fatalf(format, a...)
 		return
@@ -214,7 +227,7 @@ func fatalf(format string, a ...interface{}) {
 }

 // Fatalf, if non-nil, is used instead of log.Fatalf.
-var Fatalf func(format string, a ...interface{})
+var Fatalf func(format string, a ...any)

 var rootArgs struct {
 	socket string
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -19,7 +19,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tstest"
-	"tailscale.com/types/key"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
 	"tailscale.com/version/distro"
@@ -632,7 +631,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			st: &ipnstate.Status{
 				TailscaleIPs: []netaddr.IP{netaddr.MustParseIP("100.105.106.107")},
 			},
-			wantErr: `cannot use 100.105.106.107 as the exit node as it is a local IP address to this machine, did you mean --advertise-exit-node?`,
+			wantErr: `cannot use 100.105.106.107 as an exit node as it is a local IP address to this machine; did you mean --advertise-exit-node?`,
 		},
 		{
 			name: "warn_linux_netfilter_nodivert",
@@ -897,136 +896,6 @@ var cmpIP = cmp.Comparer(func(a, b netaddr.IP) bool {
 	return a == b
 })

-func TestExitNodeIPOfArg(t *testing.T) {
-	mustIP := netaddr.MustParseIP
-	tests := []struct {
-		name    string
-		arg     string
-		st      *ipnstate.Status
-		want    netaddr.IP
-		wantErr string
-	}{
-		{
-			name: "ip_while_stopped_okay",
-			arg:  "1.2.3.4",
-			st: &ipnstate.Status{
-				BackendState: "Stopped",
-			},
-			want: mustIP("1.2.3.4"),
-		},
-		{
-			name: "ip_not_found",
-			arg:  "1.2.3.4",
-			st: &ipnstate.Status{
-				BackendState: "Running",
-			},
-			wantErr: `no node found in netmap with IP 1.2.3.4`,
-		},
-		{
-			name: "ip_not_exit",
-			arg:  "1.2.3.4",
-			st: &ipnstate.Status{
-				BackendState: "Running",
-				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
-					key.NewNode().Public(): {
-						TailscaleIPs: []netaddr.IP{mustIP("1.2.3.4")},
-					},
-				},
-			},
-			wantErr: `node 1.2.3.4 is not advertising an exit node`,
-		},
-		{
-			name: "ip",
-			arg:  "1.2.3.4",
-			st: &ipnstate.Status{
-				BackendState: "Running",
-				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
-					key.NewNode().Public(): {
-						TailscaleIPs:   []netaddr.IP{mustIP("1.2.3.4")},
-						ExitNodeOption: true,
-					},
-				},
-			},
-			want: mustIP("1.2.3.4"),
-		},
-		{
-			name:    "no_match",
-			arg:     "unknown",
-			st:      &ipnstate.Status{MagicDNSSuffix: ".foo"},
-			wantErr: `invalid value "unknown" for --exit-node; must be IP or unique node name`,
-		},
-		{
-			name: "name",
-			arg:  "skippy",
-			st: &ipnstate.Status{
-				MagicDNSSuffix: ".foo",
-				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
-					key.NewNode().Public(): {
-						DNSName:        "skippy.foo.",
-						TailscaleIPs:   []netaddr.IP{mustIP("1.0.0.2")},
-						ExitNodeOption: true,
-					},
-				},
-			},
-			want: mustIP("1.0.0.2"),
-		},
-		{
-			name: "name_not_exit",
-			arg:  "skippy",
-			st: &ipnstate.Status{
-				MagicDNSSuffix: ".foo",
-				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
-					key.NewNode().Public(): {
-						DNSName:      "skippy.foo.",
-						TailscaleIPs: []netaddr.IP{mustIP("1.0.0.2")},
-					},
-				},
-			},
-			wantErr: `node "skippy" is not advertising an exit node`,
-		},
-		{
-			name: "ambiguous",
-			arg:  "skippy",
-			st: &ipnstate.Status{
-				MagicDNSSuffix: ".foo",
-				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
-					key.NewNode().Public(): {
-						DNSName:        "skippy.foo.",
-						TailscaleIPs:   []netaddr.IP{mustIP("1.0.0.2")},
-						ExitNodeOption: true,
-					},
-					key.NewNode().Public(): {
-						DNSName:        "SKIPPY.foo.",
-						TailscaleIPs:   []netaddr.IP{mustIP("1.0.0.2")},
-						ExitNodeOption: true,
-					},
-				},
-			},
-			wantErr: `ambiguous exit node name "skippy"`,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := exitNodeIPOfArg(tt.arg, tt.st)
-			if err != nil {
-				if err.Error() == tt.wantErr {
-					return
-				}
-				if tt.wantErr == "" {
-					t.Fatal(err)
-				}
-				t.Fatalf("error = %#q; want %#q", err, tt.wantErr)
-			}
-			if tt.wantErr != "" {
-				t.Fatalf("got %v; want error %#q", got, tt.wantErr)
-			}
-			if got != tt.want {
-				t.Fatalf("got %v; want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 func TestCleanUpArgs(t *testing.T) {
 	c := qt.New(t)
 	tests := []struct {
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -192,7 +192,7 @@ func runDebug(ctx context.Context, args []string) error {
 		// to subcommands.
 		return nil
 	}
-	return errors.New("see 'tailscale debug --help")
+	return errors.New("see 'tailscale debug --help'")
 }

 func runLocalCreds(ctx context.Context, args []string) error {
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -15,6 +15,7 @@ import (
 	"mime"
 	"net/http"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"time"
@@ -286,22 +287,116 @@ func runCpTargets(ctx context.Context, args []string) error {
 	return nil
 }

+// onConflict is a flag.Value for the --conflict flag's three string options.
+type onConflict string
+
+const (
+	skipOnExist         onConflict = "skip"
+	overwriteExisting   onConflict = "overwrite" //  Overwrite any existing file at the target location
+	createNumberedFiles onConflict = "rename"    //  Create an alternately named file in the style of Chrome Downloads
+)
+
+func (v *onConflict) String() string { return string(*v) }
+
+func (v *onConflict) Set(s string) error {
+	if s == "" {
+		*v = skipOnExist
+		return nil
+	}
+	*v = onConflict(strings.ToLower(s))
+	if *v != skipOnExist && *v != overwriteExisting && *v != createNumberedFiles {
+		return fmt.Errorf("%q is not one of (skip|overwrite|rename)", s)
+	}
+	return nil
+}
+
 var fileGetCmd = &ffcli.Command{
 	Name:       "get",
-	ShortUsage: "file get [--wait] [--verbose] <target-directory>",
+	ShortUsage: "file get [--wait] [--verbose] [--conflict=(skip|overwrite|rename)] <target-directory>",
 	ShortHelp:  "Move files out of the Tailscale file inbox",
 	Exec:       runFileGet,
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("get")
 		fs.BoolVar(&getArgs.wait, "wait", false, "wait for a file to arrive if inbox is empty")
 		fs.BoolVar(&getArgs.verbose, "verbose", false, "verbose output")
+		fs.Var(&getArgs.conflict, "conflict", `behavior when a conflicting (same-named) file already exists in the target directory.
+	skip:       skip conflicting files: leave them in the taildrop inbox and print an error. get any non-conflicting files
+	overwrite:  overwrite existing file
+	rename:     write to a new number-suffixed filename`)
 		return fs
 	})(),
 }

-var getArgs struct {
-	wait    bool
-	verbose bool
+var getArgs = struct {
+	wait     bool
+	verbose  bool
+	conflict onConflict
+}{conflict: skipOnExist}
+
+func numberedFileName(dir, name string, i int) string {
+	ext := path.Ext(name)
+	return filepath.Join(dir, fmt.Sprintf("%s (%d)%s",
+		strings.TrimSuffix(name, ext),
+		i, ext))
+}
+
+func openFileOrSubstitute(dir, base string, action onConflict) (*os.File, error) {
+	targetFile := filepath.Join(dir, base)
+	f, err := os.OpenFile(targetFile, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0644)
+	if err == nil {
+		return f, nil
+	}
+	// Something went wrong trying to open targetFile as a new file for writing.
+	switch action {
+	default:
+		// This should not happen.
+		return nil, fmt.Errorf("file issue. how to resolve this conflict? no one knows.")
+	case skipOnExist:
+		if _, statErr := os.Stat(targetFile); statErr == nil {
+			// we can stat a file at that path: so it already exists.
+			return nil, fmt.Errorf("refusing to overwrite file: %w", err)
+		}
+		return nil, fmt.Errorf("failed to write; %w", err)
+	case overwriteExisting:
+		// remove the target file and create it anew so we don't fall for an 
+		// attacker who symlinks a known target name to a file he wants changed.
+		if err = os.Remove(targetFile); err != nil {
+			return nil, fmt.Errorf("unable to remove target file: %w", err)
+		}
+		if f, err = os.OpenFile(targetFile, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0644); err != nil {
+			return nil, fmt.Errorf("unable to overwrite: %w", err)
+		}
+		return f, nil
+	case createNumberedFiles:
+		// It's possible the target directory or filesystem isn't writable by us,
+		// not just that the target file(s) already exists.  For now, give up after
+		// a limited number of attempts.  In future, maybe distinguish this case
+		// and follow in the style of https://tinyurl.com/chromium100
+		maxAttempts := 100
+		for i := 1; i < maxAttempts; i++ {
+			if f, err = os.OpenFile(numberedFileName(dir, base, i), os.O_RDWR|os.O_CREATE|os.O_EXCL, 0644); err == nil {
+				return f, nil
+			}
+		}
+		return nil, fmt.Errorf("unable to find a name for writing %v, final attempt: %w", targetFile, err)
+	}
+}
+
+func receiveFile(ctx context.Context, wf apitype.WaitingFile, dir string) (targetFile string, size int64, err error) {
+	rc, size, err := tailscale.GetWaitingFile(ctx, wf.Name)
+	if err != nil {
+		return "", 0, fmt.Errorf("opening inbox file %q: %w", wf.Name, err)
+	}
+	f, err := openFileOrSubstitute(dir, wf.Name, getArgs.conflict)
+	if err != nil {
+		return "", 0, err
+	}
+	_, err = io.Copy(f, rc)
+	rc.Close()
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to write %v: %v", f.Name(), err)
+	}
+	return f.Name(), size, f.Close()
 }

 func runFileGet(ctx context.Context, args []string) error {
@@ -330,47 +425,40 @@ func runFileGet(ctx context.Context, args []string) error {
 			break
 		}
 		if getArgs.verbose {
-			log.Printf("waiting for file...")
+			printf("waiting for file...")
 		}
 		if err := waitForFile(ctx); err != nil {
 			return err
 		}
 	}

+	var errs []error
 	deleted := 0
 	for _, wf := range wfs {
-		rc, size, err := tailscale.GetWaitingFile(ctx, wf.Name)
+		writtenFile, size, err := receiveFile(ctx, wf, dir)
 		if err != nil {
-			return fmt.Errorf("opening inbox file %q: %v", wf.Name, err)
-		}
-		targetFile := filepath.Join(dir, wf.Name)
-		of, err := os.OpenFile(targetFile, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0644)
-		if err != nil {
-			if _, err := os.Stat(targetFile); err == nil {
-				return fmt.Errorf("refusing to overwrite %v", targetFile)
-			}
-			return err
-		}
-		_, err = io.Copy(of, rc)
-		rc.Close()
-		if err != nil {
-			return fmt.Errorf("failed to write %v: %v", targetFile, err)
-		}
-		if err := of.Close(); err != nil {
-			return err
+			errs = append(errs, err)
+			continue
 		}
 		if getArgs.verbose {
-			log.Printf("wrote %v (%d bytes)", wf.Name, size)
+			printf("wrote %v as %v (%d bytes)\n", wf.Name, writtenFile, size)
 		}
-		if err := tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
-			return fmt.Errorf("deleting %q from inbox: %v", wf.Name, err)
+		if err = tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
+			errs = append(errs, fmt.Errorf("deleting %q from inbox: %v", wf.Name, err))
+			continue
 		}
 		deleted++
 	}
 	if getArgs.verbose {
-		log.Printf("moved %d files", deleted)
+		printf("moved %d/%d files\n", deleted, len(wfs))
 	}
-	return nil
+	if len(errs) == 0 {
+		return nil
+	}
+	for _, err := range errs[:len(errs)-1] {
+		outln(err)
+	}
+	return errs[len(errs)-1]
 }

 func wipeInbox(ctx context.Context) error {
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -136,7 +136,7 @@ func runStatus(ctx context.Context, args []string) error {
 	}

 	var buf bytes.Buffer
-	f := func(format string, a ...interface{}) { fmt.Fprintf(&buf, format, a...) }
+	f := func(format string, a ...any) { fmt.Fprintf(&buf, format, a...) }
 	printPS := func(ps *ipnstate.PeerStatus) {
 		f("%-15s %-20s %-12s %-7s ",
 			firstIPString(ps.TailscaleIPs),
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -31,7 +31,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -193,7 +192,7 @@ type upOutputJSON struct {
 	Error        string `json:",omitempty"` // description of an error
 }

-func warnf(format string, args ...interface{}) {
+func warnf(format string, args ...any) {
 	printf("Warning: "+format+"\n", args...)
 }

@@ -245,65 +244,6 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 	return routes, nil
 }

-// peerWithTailscaleIP returns the peer in st with the provided
-// Tailscale IP.
-func peerWithTailscaleIP(st *ipnstate.Status, ip netaddr.IP) (ps *ipnstate.PeerStatus, ok bool) {
-	for _, ps := range st.Peer {
-		for _, ip2 := range ps.TailscaleIPs {
-			if ip == ip2 {
-				return ps, true
-			}
-		}
-	}
-	return nil, false
-}
-
-// exitNodeIPOfArg maps from a user-provided CLI flag value to an IP
-// address they want to use as an exit node.
-func exitNodeIPOfArg(arg string, st *ipnstate.Status) (ip netaddr.IP, err error) {
-	if arg == "" {
-		return ip, errors.New("invalid use of exitNodeIPOfArg with empty string")
-	}
-	ip, err = netaddr.ParseIP(arg)
-	if err == nil {
-		// If we're online already and have a netmap, double check that the IP
-		// address specified is valid.
-		if st.BackendState == "Running" {
-			ps, ok := peerWithTailscaleIP(st, ip)
-			if !ok {
-				return ip, fmt.Errorf("no node found in netmap with IP %v", ip)
-			}
-			if !ps.ExitNodeOption {
-				return ip, fmt.Errorf("node %v is not advertising an exit node", ip)
-			}
-		}
-		return ip, err
-	}
-	match := 0
-	for _, ps := range st.Peer {
-		baseName := dnsname.TrimSuffix(ps.DNSName, st.MagicDNSSuffix)
-		if !strings.EqualFold(arg, baseName) {
-			continue
-		}
-		match++
-		if len(ps.TailscaleIPs) == 0 {
-			return ip, fmt.Errorf("node %q has no Tailscale IP?", arg)
-		}
-		if !ps.ExitNodeOption {
-			return ip, fmt.Errorf("node %q is not advertising an exit node", arg)
-		}
-		ip = ps.TailscaleIPs[0]
-	}
-	switch match {
-	case 0:
-		return ip, fmt.Errorf("invalid value %q for --exit-node; must be IP or unique node name", arg)
-	case 1:
-		return ip, nil
-	default:
-		return ip, fmt.Errorf("ambiguous exit node name %q", arg)
-	}
-}
-
 // prefsFromUpArgs returns the ipn.Prefs for the provided args.
 //
 // Note that the parameters upArgs and warnf are named intentionally
@@ -316,25 +256,10 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		return nil, err
 	}

-	var exitNodeIP netaddr.IP
-	if upArgs.exitNodeIP != "" {
-		var err error
-		exitNodeIP, err = exitNodeIPOfArg(upArgs.exitNodeIP, st)
-		if err != nil {
-			return nil, err
-		}
-	} else if upArgs.exitNodeAllowLANAccess {
+	if upArgs.exitNodeIP == "" && upArgs.exitNodeAllowLANAccess {
 		return nil, fmt.Errorf("--exit-node-allow-lan-access can only be used with --exit-node")
 	}

-	if upArgs.exitNodeIP != "" {
-		for _, ip := range st.TailscaleIPs {
-			if exitNodeIP == ip {
-				return nil, fmt.Errorf("cannot use %s as the exit node as it is a local IP address to this machine, did you mean --advertise-exit-node?", upArgs.exitNodeIP)
-			}
-		}
-	}
-
 	var tags []string
 	if upArgs.advertiseTags != "" {
 		tags = strings.Split(upArgs.advertiseTags, ",")
@@ -354,7 +279,17 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	prefs.ControlURL = upArgs.server
 	prefs.WantRunning = true
 	prefs.RouteAll = upArgs.acceptRoutes
-	prefs.ExitNodeIP = exitNodeIP
+
+	if upArgs.exitNodeIP != "" {
+		if err := prefs.SetExitNodeIP(upArgs.exitNodeIP, st); err != nil {
+			var e ipn.ExitNodeLocalIPError
+			if errors.As(err, &e) {
+				return nil, fmt.Errorf("%w; did you mean --advertise-exit-node?", err)
+			}
+			return nil, err
+		}
+	}
+
 	prefs.ExitNodeAllowLANAccess = upArgs.exitNodeAllowLANAccess
 	prefs.CorpDNS = upArgs.acceptDNS
 	prefs.AllowSingleHosts = upArgs.singleRoutes
@@ -888,8 +823,8 @@ func flagAppliesToOS(flag, goos string) bool {
 	return true
 }

-func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]interface{}) {
-	ret := make(map[string]interface{})
+func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]any) {
+	ret := make(map[string]any)

 	exitNodeIPStr := func() string {
 		if !prefs.ExitNodeIP.IsZero() {
@@ -906,7 +841,7 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]interfac
 		if preflessFlag(f.Name) {
 			return
 		}
-		set := func(v interface{}) {
+		set := func(v any) {
 			if flagAppliesToOS(f.Name, env.goos) {
 				ret[f.Name] = v
 			} else {
@@ -960,7 +895,7 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]interfac
 	return ret
 }

-func fmtFlagValueArg(flagName string, val interface{}) string {
+func fmtFlagValueArg(flagName string, val any) string {
 	if val == true {
 		return "--" + flagName
 	}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -313,7 +313,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 			AdvertiseExitNode bool
 			Reauthenticate    bool
 		}
-		type mi map[string]interface{}
+		type mi map[string]any
 		if err := json.NewDecoder(r.Body).Decode(&postData); err != nil {
 			w.WriteHeader(400)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -4,8 +4,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
   L    github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
@@ -31,7 +37,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com                                                from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
+        tailscale.com/client/tailscale/apitype                       from tailscale.com/cmd/tailscale/cli+
        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
        tailscale.com/control/controlknobs                           from tailscale.com/net/portmapper
        tailscale.com/derp                                           from tailscale.com/derp/derphttp
@@ -42,7 +48,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/kube                                           from tailscale.com/ipn
     💣 tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
@@ -59,7 +64,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
     💣 tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
-     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
@@ -77,6 +82,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/views                                    from tailscale.com/tailcfg+
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
+   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
@@ -95,8 +101,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http+
        golang.org/x/net/http/httpproxy                              from net/http
@@ -180,6 +186,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        net/http/cgi                                                 from tailscale.com/cmd/tailscale/cli
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
        net/http/internal                                            from net/http
+        net/netip                                                    from net
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
@@ -191,7 +198,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/tailscale/goupnp/httpu+
        regexp/syntax                                                from regexp
-        runtime/debug                                                from golang.org/x/sync/singleflight
+        runtime/debug                                                from golang.org/x/sync/singleflight+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
        strings                                                      from bufio+
--- a/cmd/tailscaled/childproc/childproc.go
+++ b/cmd/tailscaled/childproc/childproc.go
@@ -0,0 +1,20 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package childproc allows other packages to register "tailscaled be-child"
+// child process hook code. This avoids duplicating build tags in the
+// tailscaled package. Instead, the code that needs to fork/exec the self
+// executable (when it's tailscaled) can instead register the code
+// they want to run.
+package childproc
+
+var Code = map[string]func([]string) error{}
+
+// Add registers code f to run as 'tailscaled be-child <typ> [args]'.
+func Add(typ string, f func(args []string) error) {
+	if _, dup := Code[typ]; dup {
+		panic("dup hook " + typ)
+	}
+	Code[typ] = f
+}
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build go1.18
+// +build go1.18
+
 package main

 import (
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -3,10 +3,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-   L    github.com/anmitsu/go-shlex                                  from github.com/gliderlabs/ssh
+  LD    github.com/anmitsu/go-shlex                                  from github.com/tailscale/ssh
   L    github.com/aws/aws-sdk-go-v2                                 from github.com/aws/aws-sdk-go-v2/internal/ini
   L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
-   L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/aws
+   L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
   L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
   L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
   L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
@@ -16,7 +16,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4          from github.com/aws/aws-sdk-go-v2/aws/signer/v4
   L    github.com/aws/aws-sdk-go-v2/aws/signer/v4                   from github.com/aws/aws-sdk-go-v2/service/internal/presigned-url+
   L    github.com/aws/aws-sdk-go-v2/aws/transport/http              from github.com/aws/aws-sdk-go-v2/config+
-   L    github.com/aws/aws-sdk-go-v2/config                          from tailscale.com/ipn/store/aws
+   L    github.com/aws/aws-sdk-go-v2/config                          from tailscale.com/ipn/store/awsstore
   L    github.com/aws/aws-sdk-go-v2/credentials                     from github.com/aws/aws-sdk-go-v2/config
   L    github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds        from github.com/aws/aws-sdk-go-v2/config
   L    github.com/aws/aws-sdk-go-v2/credentials/endpointcreds       from github.com/aws/aws-sdk-go-v2/config
@@ -36,7 +36,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/aws-sdk-go-v2/internal/sync/singleflight      from github.com/aws/aws-sdk-go-v2/aws
   L    github.com/aws/aws-sdk-go-v2/internal/timeconv               from github.com/aws/aws-sdk-go-v2/aws/retry
   L    github.com/aws/aws-sdk-go-v2/service/internal/presigned-url  from github.com/aws/aws-sdk-go-v2/service/sts
-   L    github.com/aws/aws-sdk-go-v2/service/ssm                     from tailscale.com/ipn/store/aws
+   L    github.com/aws/aws-sdk-go-v2/service/ssm                     from tailscale.com/ipn/store/awsstore
   L    github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/aws/aws-sdk-go-v2/service/ssm/types               from github.com/aws/aws-sdk-go-v2/service/ssm+
   L    github.com/aws/aws-sdk-go-v2/service/sso                     from github.com/aws/aws-sdk-go-v2/config+
@@ -61,11 +61,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
-   L 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
-   L    github.com/gliderlabs/ssh                                    from tailscale.com/ssh/tailssh
+  LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
-   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
+   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
@@ -74,7 +73,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/jmespath/go-jmespath                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
   L    github.com/klauspost/compress/flate                          from nhooyr.io/websocket
@@ -83,6 +82,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
+   L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
@@ -97,7 +97,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router
+  LD    github.com/tailscale/ssh                                     from tailscale.com/ssh/tailssh
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
+  LD    github.com/u-root/u-root/pkg/termios                         from tailscale.com/ssh/tailssh
   L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/u-root/uio/ubinary                                from github.com/u-root/uio/uio
   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
@@ -168,7 +170,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
        tailscale.com/client/tailscale                               from tailscale.com/derp
        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
-        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
+        tailscale.com/cmd/tailscaled/childproc                       from tailscale.com/cmd/tailscaled+
+        tailscale.com/control/controlbase                            from tailscale.com/control/controlclient+
+        tailscale.com/control/controlclient                          from tailscale.com/cmd/tailscaled+
+        tailscale.com/control/controlhttp                            from tailscale.com/control/controlclient
        tailscale.com/control/controlknobs                           from tailscale.com/control/controlclient+
        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscaled+
@@ -183,24 +188,27 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
-        tailscale.com/ipn/store/aws                                  from tailscale.com/ipn/ipnserver
-        tailscale.com/kube                                           from tailscale.com/ipn
+        tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled
+   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
+   L    tailscale.com/ipn/store/kubestore                            from tailscale.com/ipn/store
+        tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/store+
+   L    tailscale.com/kube                                           from tailscale.com/ipn/store/kubestore
        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
-        tailscale.com/logtail                                        from tailscale.com/logpolicy+
+        tailscale.com/logtail                                        from tailscale.com/cmd/tailscaled+
        tailscale.com/logtail/backoff                                from tailscale.com/cmd/tailscaled+
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
     💣 tailscale.com/metrics                                        from tailscale.com/derp+
        tailscale.com/net/dns                                        from tailscale.com/cmd/tailscaled+
        tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
-        tailscale.com/net/dns/resolver                               from tailscale.com/net/dns+
+        tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscaled+
        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
-        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
+        tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
        tailscale.com/net/netknob                                    from tailscale.com/logpolicy+
        tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
@@ -211,7 +219,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
-        tailscale.com/net/tsaddr                                     from tailscale.com/ipn/ipnlocal+
+        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
        tailscale.com/net/tsdial                                     from tailscale.com/cmd/tailscaled+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/cmd/tailscaled+
        tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
@@ -219,8 +227,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
-   L 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/wgengine/netstack
-     💣 tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
+  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/wgengine/netstack
+        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
@@ -240,15 +248,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/types/views                                    from tailscale.com/tailcfg+
-        tailscale.com/util/clientmetric                              from tailscale.com/ipn/localapi+
-   L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
+        tailscale.com/types/views                                    from tailscale.com/ipn/ipnlocal+
+        tailscale.com/util/clientmetric                              from tailscale.com/cmd/tailscaled+
+  LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
        tailscale.com/util/multierr                                  from tailscale.com/cmd/tailscaled+
+        tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
@@ -261,7 +270,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
@@ -271,34 +280,34 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device
-   L    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
+        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
+  LD    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from crypto/tls+
-   L    golang.org/x/crypto/ed25519                                  from golang.org/x/crypto/ssh
-        golang.org/x/crypto/hkdf                                     from crypto/tls
+  LD    golang.org/x/crypto/ed25519                                  from golang.org/x/crypto/ssh
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
+        golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   L    golang.org/x/crypto/ssh                                      from github.com/gliderlabs/ssh+
-        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+  LD    golang.org/x/crypto/ssh                                      from github.com/tailscale/ssh+
+        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
-        golang.org/x/net/http/httpguts                               from net/http+
+        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
        golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
-        golang.org/x/net/http2/hpack                                 from net/http+
+        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from github.com/tailscale/goupnp/httpu+
-        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
+        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
+        golang.org/x/sync/singleflight                               from tailscale.com/control/controlclient+
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from github.com/insomniacslk/dhcp/interfaces+
   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
@@ -314,7 +323,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from internal/profile+
+        compress/gzip                                                from golang.org/x/net/http2+
        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
@@ -338,7 +347,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from tailscale.com/net/dns+
+        embed                                                        from crypto/elliptic+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
        encoding/base64                                              from encoding/json+
@@ -360,6 +369,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        io/fs                                                        from crypto/rand+
        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
        log                                                          from expvar+
+  LD    log/syslog                                                   from tailscale.com/ssh/tailssh
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
@@ -373,6 +383,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
        net/http/pprof                                               from tailscale.com/cmd/tailscaled+
+        net/netip                                                    from golang.zx2c4.com/wireguard/conn+
        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
--- a/cmd/tailscaled/install_darwin.go
+++ b/cmd/tailscaled/install_darwin.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build go1.18
+// +build go1.18
+
 package main

 import (
--- a/cmd/tailscaled/install_windows.go
+++ b/cmd/tailscaled/install_windows.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build go1.18
+// +build go1.18
+
 package main

 import (
--- a/cmd/tailscaled/proxy.go
+++ b/cmd/tailscaled/proxy.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build go1.18
+// +build go1.18
+
 // HTTP proxy code

 package main
--- a/cmd/tailscaled/required_version.go
+++ b/cmd/tailscaled/required_version.go
@@ -0,0 +1,12 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.18
+// +build !go1.18
+
+package main
+
+func init() {
+	you_need_Go_1_18_to_compile_Tailscale()
+}
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build go1.18
+// +build go1.18
+
 // The tailscaled program is the Tailscale client daemon. It's configured
 // and controlled via the tailscale CLI program.
 //
@@ -28,10 +31,12 @@ import (
 	"time"

 	"inet.af/netaddr"
+	"tailscale.com/cmd/tailscaled/childproc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnserver"
+	"tailscale.com/ipn/store"
 	"tailscale.com/logpolicy"
 	"tailscale.com/logtail"
 	"tailscale.com/net/dns"
@@ -68,11 +73,27 @@ func defaultTunName() string {
 		// as a magic value that uses/creates any free number.
 		return "utun"
 	case "linux":
-		if distro.Get() == distro.Synology {
+		switch distro.Get() {
+		case distro.Synology:
 			// Try TUN, but fall back to userspace networking if needed.
 			// See https://github.com/tailscale/tailscale-synology/issues/35
 			return "tailscale0,userspace-networking"
+		case distro.Gokrazy:
+			// Gokrazy doesn't yet work in tun mode because the whole
+			// Gokrazy thing is no C code, and Tailscale currently
+			// depends on the iptables binary for Linux's
+			// wgengine/router.
+			// But on Gokrazy there's no legacy iptables, so we could use netlink
+			// to program nft-iptables directly. It just isn't done yet;
+			// see https://github.com/tailscale/tailscale/issues/391
+			//
+			// But Gokrazy does have the tun module built-in, so users
+			// can stil run --tun=tailscale0 if they wish, if they
+			// arrange for iptables to be present or run in "tailscale
+			// up --netfilter-mode=off" mode, perhaps. Untested.
+			return "userspace-networking"
 		}
+
 	}
 	return "tailscale0"
 }
@@ -105,6 +126,7 @@ var subCommands = map[string]*func([]string) error{
 	"install-system-daemon":   &installSystemDaemon,
 	"uninstall-system-daemon": &uninstallSystemDaemon,
 	"debug":                   &debugModeFunc,
+	"be-child":                &beChildFunc,
 }

 func main() {
@@ -159,6 +181,9 @@ func main() {
 		os.Exit(0)
 	}

+	if runtime.GOOS == "darwin" && runtime.Version() == "go1.18" {
+		log.Fatalf("tailscaled is broken on macOS with go1.18 due to upstream bug https://github.com/golang/go/issues/51759; use 1.18.1+ or Tailscale's Go fork")
+	}
 	if runtime.GOOS == "darwin" && os.Getuid() != 0 && !strings.Contains(args.tunname, "userspace-networking") && !args.cleanup {
 		log.SetFlags(0)
 		log.Fatalf("tailscaled requires root; use sudo tailscaled (or use --tun=userspace-networking)")
@@ -392,9 +417,9 @@ func run() error {

 	opts := ipnServerOpts()

-	store, err := ipnserver.StateStore(statePathOrDefault(), logf)
+	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
-		return fmt.Errorf("ipnserver.StateStore: %w", err)
+		return fmt.Errorf("store.New: %w", err)
 	}
 	srv, err := ipnserver.New(logf, pol.PublicID.String(), store, e, dialer, nil, opts)
 	if err != nil {
@@ -601,3 +626,17 @@ func mustStartProxyListeners(socksAddr, httpAddr string) (socksListener, httpLis

 	return socksListener, httpListener
 }
+
+var beChildFunc = beChild
+
+func beChild(args []string) error {
+	if len(args) == 0 {
+		return errors.New("missing mode argument")
+	}
+	typ := args[0]
+	f, ok := childproc.Code[typ]
+	if !ok {
+		return fmt.Errorf("unknown be-child mode %q", typ)
+	}
+	return f(args[1:])
+}
--- a/cmd/tailscaled/tailscaled_bird.go
+++ b/cmd/tailscaled/tailscaled_bird.go
@@ -2,7 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || darwin || freebsd || openbsd
+//go:build go1.18 && (linux || darwin || freebsd || openbsd)
+// +build go1.18
 // +build linux darwin freebsd openbsd

 package main
--- a/cmd/tailscaled/tailscaled_notwindows.go
+++ b/cmd/tailscaled/tailscaled_notwindows.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
-// +build !windows
+//go:build !windows && go1.18
+// +build !windows,go1.18

 package main // import "tailscale.com/cmd/tailscaled"

--- a/cmd/tailscaled/tailscaled_test.go
+++ b/cmd/tailscaled/tailscaled_test.go
@@ -0,0 +1,13 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main // import "tailscale.com/cmd/tailscaled"
+
+import "testing"
+
+func TestNothing(t *testing.T) {
+	// This test does nothing on purpose, so we can run
+	// GODEBUG=memprofilerate=1 go test -v -run=Nothing -memprofile=prof.mem
+	// without any errors about no matching tests.
+}
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build go1.18
+// +build go1.18
+
 package main // import "tailscale.com/cmd/tailscaled"

 // TODO: check if administrator, like tswin does.
@@ -31,6 +34,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnserver"
+	"tailscale.com/ipn/store"
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/tsdial"
@@ -335,8 +339,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			return nil, fmt.Errorf("%w\n\nlogid: %v", res.Err, logid)
 		}
 	}
-
-	store, err := ipnserver.StateStore(statePathOrDefault(), logf)
+	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
 		return err
 	}
--- a/cmd/testcontrol/testcontrol.go
+++ b/cmd/testcontrol/testcontrol.go
@@ -46,10 +46,10 @@ type fakeTB struct {
 }

 func (t fakeTB) Cleanup(_ func()) {}
-func (t fakeTB) Error(args ...interface{}) {
+func (t fakeTB) Error(args ...any) {
 	t.Fatal(args...)
 }
-func (t fakeTB) Errorf(format string, args ...interface{}) {
+func (t fakeTB) Errorf(format string, args ...any) {
 	t.Fatalf(format, args...)
 }
 func (t fakeTB) Fail() {
@@ -61,17 +61,17 @@ func (t fakeTB) FailNow() {
 func (t fakeTB) Failed() bool {
 	return false
 }
-func (t fakeTB) Fatal(args ...interface{}) {
+func (t fakeTB) Fatal(args ...any) {
 	log.Fatal(args...)
 }
-func (t fakeTB) Fatalf(format string, args ...interface{}) {
+func (t fakeTB) Fatalf(format string, args ...any) {
 	log.Fatalf(format, args...)
 }
 func (t fakeTB) Helper() {}
-func (t fakeTB) Log(args ...interface{}) {
+func (t fakeTB) Log(args ...any) {
 	log.Print(args...)
 }
-func (t fakeTB) Logf(format string, args ...interface{}) {
+func (t fakeTB) Logf(format string, args ...any) {
 	log.Printf(format, args...)
 }
 func (t fakeTB) Name() string {
@@ -80,13 +80,13 @@ func (t fakeTB) Name() string {
 func (t fakeTB) Setenv(key string, value string) {
 	panic("not implemented")
 }
-func (t fakeTB) Skip(args ...interface{}) {
+func (t fakeTB) Skip(args ...any) {
 	t.Fatal("skipped")
 }
 func (t fakeTB) SkipNow() {
 	t.Fatal("skipnow")
 }
-func (t fakeTB) Skipf(format string, args ...interface{}) {
+func (t fakeTB) Skipf(format string, args ...any) {
 	t.Logf(format, args...)
 	t.Fatal("skipped")
 }
--- a/cmd/tsshd/tsshd.go
+++ b/cmd/tsshd/tsshd.go
@@ -31,7 +31,7 @@ import (
 	"unsafe"

 	"github.com/creack/pty"
-	"github.com/gliderlabs/ssh"
+	"github.com/tailscale/ssh"
 	gossh "golang.org/x/crypto/ssh"
 	"inet.af/netaddr"
 	"tailscale.com/net/interfaces"
--- a/control/controlbase/conn.go
+++ b/control/controlbase/conn.go
@@ -267,18 +267,16 @@ func (c *Conn) Write(bs []byte) (n int, err error) {

 		ciphertext, err := c.encryptLocked(toSend)
 		if err != nil {
-			return 0, err
+			return sent, err
 		}
-
-		n, err := c.conn.Write(ciphertext)
-		sent += n
-		if err != nil {
+		if _, err := c.conn.Write(ciphertext); err != nil {
 			// Return the raw error on the Write that actually
 			// failed. For future writes, return that error wrapped in
 			// a desync error.
 			c.tx.err = errPartialWrite{err}
 			return sent, err
 		}
+		sent += len(toSend)
 	}
 	return sent, nil
 }
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -7,6 +7,7 @@ package controlclient
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"sync"
 	"time"

@@ -91,7 +92,7 @@ func NewNoStart(opts Options) (*Auto, error) {
 		return nil, err
 	}
 	if opts.Logf == nil {
-		opts.Logf = func(fmt string, args ...interface{}) {}
+		opts.Logf = func(fmt string, args ...any) {}
 	}
 	if opts.TimeNow == nil {
 		opts.TimeNow = time.Now
@@ -657,6 +658,10 @@ func (c *Auto) Logout(ctx context.Context) error {
 	}
 }

+func (c *Auto) SetExpirySooner(ctx context.Context, expiry time.Time) error {
+	return c.direct.SetExpirySooner(ctx, expiry)
+}
+
 // UpdateEndpoints sets the client's discovered endpoints and sends
 // them to the control server if they've changed.
 //
@@ -677,6 +682,7 @@ func (c *Auto) Shutdown() {
 	c.mu.Lock()
 	inSendStatus := c.inSendStatus
 	closed := c.closed
+	direct := c.direct
 	if !closed {
 		c.closed = true
 		c.statusFunc = nil
@@ -691,6 +697,9 @@ func (c *Auto) Shutdown() {
 		<-c.authDone
 		c.cancelMapUnsafely()
 		<-c.mapDone
+		if direct != nil {
+			direct.Close()
+		}
 		c.logf("Client.Shutdown done.")
 	}
 }
@@ -717,3 +726,7 @@ func (c *Auto) TestOnlyTimeNow() time.Time {
 func (c *Auto) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
 	return c.direct.SetDNS(ctx, req)
 }
+
+func (c *Auto) DoNoiseRequest(req *http.Request) (*http.Response, error) {
+	return c.direct.DoNoiseRequest(req)
+}
--- a/control/controlclient/client.go
+++ b/control/controlclient/client.go
@@ -11,6 +11,8 @@ package controlclient

 import (
 	"context"
+	"net/http"
+	"time"

 	"tailscale.com/tailcfg"
 )
@@ -45,6 +47,9 @@ type Client interface {
 	// Logout starts a synchronous logout process. It doesn't return
 	// until the logout operation has been completed.
 	Logout(context.Context) error
+	// SetExpirySooner sets the node's expiry time via the controlclient,
+	// as long as it's shorter than the current expiry time.
+	SetExpirySooner(context.Context, time.Time) error
 	// SetPaused pauses or unpauses the controlclient activity as much
 	// as possible, without losing its internal state, to minimize
 	// unnecessary network activity.
@@ -78,6 +83,9 @@ type Client interface {
 	// SetDNS sends the SetDNSRequest request to the control plane server,
 	// requesting a DNS record be created or updated.
 	SetDNS(context.Context, *tailcfg.SetDNSRequest) error
+	// DoNoiseRequest sends an HTTP request to the control plane
+	// over the Noise transport.
+	DoNoiseRequest(*http.Request) (*http.Response, error)
 }

 // UserVisibleError is an error that should be shown to users.
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -27,6 +27,7 @@ import (
 	"time"

 	"go4.org/mem"
+	"golang.org/x/sync/singleflight"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlknobs"
 	"tailscale.com/envknob"
@@ -47,6 +48,7 @@ import (
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/multierr"
 	"tailscale.com/util/systemd"
 	"tailscale.com/wgengine/monitor"
 )
@@ -68,8 +70,13 @@ type Direct struct {
 	skipIPForwardingCheck  bool
 	pinger                 Pinger

-	mu           sync.Mutex // mutex guards the following fields
-	serverKey    key.MachinePublic
+	mu             sync.Mutex        // mutex guards the following fields
+	serverKey      key.MachinePublic // original ("legacy") nacl crypto_box-based public key
+	serverNoiseKey key.MachinePublic
+
+	sfGroup     singleflight.Group // protects noiseClient creation.
+	noiseClient *noiseClient
+
 	persist      persist.Persist
 	authKey      string
 	tryingNewKey key.NodePrivate
@@ -200,6 +207,19 @@ func NewDirect(opts Options) (*Direct, error) {
 	return c, nil
 }

+// Close closes the underlying Noise connection(s).
+func (c *Direct) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.noiseClient != nil {
+		if err := c.noiseClient.Close(); err != nil {
+			return err
+		}
+	}
+	c.noiseClient = nil
+	return nil
+}
+
 // SetHostinfo clones the provided Hostinfo and remembers it for the
 // next update. It reports whether the Hostinfo has changed.
 func (c *Direct) SetHostinfo(hi *tailcfg.Hostinfo) bool {
@@ -282,12 +302,33 @@ func (c *Direct) doLoginOrRegen(ctx context.Context, opt loginOpt) (newURL strin
 	return url, err
 }

+// SetExpirySooner attempts to shorten the expiry to the specified time.
+func (c *Direct) SetExpirySooner(ctx context.Context, expiry time.Time) error {
+	c.logf("[v1] direct.SetExpirySooner()")
+
+	newURL, err := c.doLoginOrRegen(ctx, loginOpt{Expiry: &expiry})
+	c.logf("[v1] SetExpirySooner control response: newURL=%v, err=%v", newURL, err)
+
+	return err
+}
+
 type loginOpt struct {
 	Token  *tailcfg.Oauth2Token
 	Flags  LoginFlags
-	Regen  bool
+	Regen  bool // generate a new nodekey, can be overridden in doLogin
 	URL    string
-	Logout bool
+	Logout bool // set the expiry to the far past, expiring the node
+	// Expiry, if non-nil, attempts to set the node expiry to the
+	// specified time and cannot be used to extend the expiry.
+	// It is ignored if Logout is set since Logout works by setting a
+	// expiry time in the far past.
+	Expiry *time.Time
+}
+
+// httpClient provides a common interface for the noiseClient and
+// the NaCl box http.Client.
+type httpClient interface {
+	Do(req *http.Request) (*http.Response, error)
 }

 func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
@@ -295,6 +336,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	persist := c.persist
 	tryingNewKey := c.tryingNewKey
 	serverKey := c.serverKey
+	serverNoiseKey := c.serverNoiseKey
 	authKey := c.authKey
 	hi := c.hostinfo.Clone()
 	backendLogID := hi.BackendLogID
@@ -326,18 +368,27 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new

 	c.logf("doLogin(regen=%v, hasUrl=%v)", regen, opt.URL != "")
 	if serverKey.IsZero() {
-		var err error
-		serverKey, err = loadServerKey(ctx, c.httpc, c.serverURL)
+		keys, err := loadServerPubKeys(ctx, c.httpc, c.serverURL)
 		if err != nil {
 			return regen, opt.URL, err
 		}
 		c.logf("control server key %s from %s", serverKey.ShortString(), c.serverURL)

 		c.mu.Lock()
-		c.serverKey = serverKey
+		c.serverKey = keys.LegacyPublicKey
+		c.serverNoiseKey = keys.PublicKey
 		c.mu.Unlock()
-	}
+		serverKey = keys.LegacyPublicKey
+		serverNoiseKey = keys.PublicKey

+		// For servers supporting the Noise transport,
+		// proactively shut down our TLS TCP connection.
+		// We're not going to need it and it's nicer to the
+		// server.
+		if !serverNoiseKey.IsZero() {
+			c.httpc.CloseIdleConnections()
+		}
+	}
 	var oldNodeKey key.NodePublic
 	switch {
 	case opt.Logout:
@@ -378,6 +429,8 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	}
 	if opt.Logout {
 		request.Expiry = time.Unix(123, 0) // far in the past
+	} else if opt.Expiry != nil {
+		request.Expiry = *opt.Expiry
 	}
 	c.logf("RegisterReq: onode=%v node=%v fup=%v",
 		request.OldNodeKey.ShortString(),
@@ -405,22 +458,32 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		c.logf("RegisterRequest: %s", j)
 	}

-	bodyData, err := encode(request, serverKey, machinePrivKey)
+	// URL and httpc are protocol specific.
+	var url string
+	var httpc httpClient
+	if serverNoiseKey.IsZero() {
+		httpc = c.httpc
+		url = fmt.Sprintf("%s/machine/%s", c.serverURL, machinePrivKey.Public().UntypedHexString())
+	} else {
+		request.Version = tailcfg.CurrentCapabilityVersion
+		httpc, err = c.getNoiseClient()
+		if err != nil {
+			return regen, opt.URL, fmt.Errorf("getNoiseClient: %w", err)
+		}
+		url = fmt.Sprintf("%s/machine/register", c.serverURL)
+		url = strings.Replace(url, "http:", "https:", 1)
+	}
+	bodyData, err := encode(request, serverKey, serverNoiseKey, machinePrivKey)
 	if err != nil {
 		return regen, opt.URL, err
 	}
-	body := bytes.NewReader(bodyData)
-
-	u := fmt.Sprintf("%s/machine/%s", c.serverURL, machinePrivKey.Public().UntypedHexString())
-	req, err := http.NewRequest("POST", u, body)
+	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyData))
 	if err != nil {
 		return regen, opt.URL, err
 	}
-	req = req.WithContext(ctx)
-
-	res, err := c.httpc.Do(req)
+	res, err := httpc.Do(req)
 	if err != nil {
-		return regen, opt.URL, fmt.Errorf("register request: %v", err)
+		return regen, opt.URL, fmt.Errorf("register request: %w", err)
 	}
 	if res.StatusCode != 200 {
 		msg, _ := ioutil.ReadAll(res.Body)
@@ -429,7 +492,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			res.StatusCode, strings.TrimSpace(string(msg)))
 	}
 	resp := tailcfg.RegisterResponse{}
-	if err := decode(res, &resp, serverKey, machinePrivKey); err != nil {
+	if err := decode(res, &resp, serverKey, serverNoiseKey, machinePrivKey); err != nil {
 		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
 		return regen, opt.URL, fmt.Errorf("register request: %v", err)
 	}
@@ -576,6 +639,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	persist := c.persist
 	serverURL := c.serverURL
 	serverKey := c.serverKey
+	serverNoiseKey := c.serverNoiseKey
 	hi := c.hostinfo.Clone()
 	backendLogID := hi.BackendLogID
 	localPort := c.localPort
@@ -614,7 +678,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	}

 	request := &tailcfg.MapRequest{
-		Version:       tailcfg.CurrentMapRequestVersion,
+		Version:       tailcfg.CurrentCapabilityVersion,
 		KeepAlive:     c.keepAlive,
 		NodeKey:       persist.PrivateNodeKey.Public(),
 		DiscoKey:      c.discoPubKey,
@@ -658,7 +722,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		request.ReadOnly = true
 	}

-	bodyData, err := encode(request, serverKey, machinePrivKey)
+	bodyData, err := encode(request, serverKey, serverNoiseKey, machinePrivKey)
 	if err != nil {
 		vlogf("netmap: encode: %v", err)
 		return err
@@ -669,14 +733,28 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm

 	machinePubKey := machinePrivKey.Public()
 	t0 := time.Now()
-	u := fmt.Sprintf("%s/machine/%s/map", serverURL, machinePubKey.UntypedHexString())

-	req, err := http.NewRequestWithContext(ctx, "POST", u, bytes.NewReader(bodyData))
+	// Url and httpc are protocol specific.
+	var url string
+	var httpc httpClient
+	if serverNoiseKey.IsZero() {
+		httpc = c.httpc
+		url = fmt.Sprintf("%s/machine/%s/map", serverURL, machinePubKey.UntypedHexString())
+	} else {
+		httpc, err = c.getNoiseClient()
+		if err != nil {
+			return fmt.Errorf("getNoiseClient: %w", err)
+		}
+		url = fmt.Sprintf("%s/machine/map", serverURL)
+		url = strings.Replace(url, "http:", "https:", 1)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyData))
 	if err != nil {
 		return err
 	}

-	res, err := c.httpc.Do(req)
+	res, err := httpc.Do(req)
 	if err != nil {
 		vlogf("netmap: Do: %v", err)
 		return err
@@ -865,7 +943,9 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	return nil
 }

-func decode(res *http.Response, v interface{}, serverKey key.MachinePublic, mkey key.MachinePrivate) error {
+// decode JSON decodes the res.Body into v. If serverNoiseKey is not specified,
+// it uses the serverKey and mkey to decode the message from the NaCl-crypto-box.
+func decode(res *http.Response, v any, serverKey, serverNoiseKey key.MachinePublic, mkey key.MachinePrivate) error {
 	defer res.Body.Close()
 	msg, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
@@ -874,6 +954,9 @@ func decode(res *http.Response, v interface{}, serverKey key.MachinePublic, mkey
 	if res.StatusCode != 200 {
 		return fmt.Errorf("%d: %v", res.StatusCode, string(msg))
 	}
+	if !serverNoiseKey.IsZero() {
+		return json.Unmarshal(msg, v)
+	}
 	return decodeMsg(msg, v, serverKey, mkey)
 }

@@ -884,14 +967,24 @@ var (

 var jsonEscapedZero = []byte(`\u0000`)

-func (c *Direct) decodeMsg(msg []byte, v interface{}, machinePrivKey key.MachinePrivate) error {
+// decodeMsg is responsible for uncompressing msg and unmarshaling into v.
+// If c.serverNoiseKey is not specified, it uses the c.serverKey and mkey
+// to first the decrypt msg from the NaCl-crypto-box.
+func (c *Direct) decodeMsg(msg []byte, v any, mkey key.MachinePrivate) error {
 	c.mu.Lock()
 	serverKey := c.serverKey
+	serverNoiseKey := c.serverNoiseKey
 	c.mu.Unlock()

-	decrypted, ok := machinePrivKey.OpenFrom(serverKey, msg)
-	if !ok {
-		return errors.New("cannot decrypt response")
+	var decrypted []byte
+	if serverNoiseKey.IsZero() {
+		var ok bool
+		decrypted, ok = mkey.OpenFrom(serverKey, msg)
+		if !ok {
+			return errors.New("cannot decrypt response")
+		}
+	} else {
+		decrypted = msg
 	}
 	var b []byte
 	if c.newDecompressor == nil {
@@ -923,7 +1016,7 @@ func (c *Direct) decodeMsg(msg []byte, v interface{}, machinePrivKey key.Machine

 }

-func decodeMsg(msg []byte, v interface{}, serverKey key.MachinePublic, machinePrivKey key.MachinePrivate) error {
+func decodeMsg(msg []byte, v any, serverKey key.MachinePublic, machinePrivKey key.MachinePrivate) error {
 	decrypted, ok := machinePrivKey.OpenFrom(serverKey, msg)
 	if !ok {
 		return errors.New("cannot decrypt response")
@@ -937,7 +1030,9 @@ func decodeMsg(msg []byte, v interface{}, serverKey key.MachinePublic, machinePr
 	return nil
 }

-func encode(v interface{}, serverKey key.MachinePublic, mkey key.MachinePrivate) ([]byte, error) {
+// encode JSON encodes v. If serverNoiseKey is not specified, it uses the serverKey and mkey to
+// seal the message into a NaCl-crypto-box.
+func encode(v any, serverKey, serverNoiseKey key.MachinePublic, mkey key.MachinePrivate) ([]byte, error) {
 	b, err := json.Marshal(v)
 	if err != nil {
 		return nil, err
@@ -947,32 +1042,45 @@ func encode(v interface{}, serverKey key.MachinePublic, mkey key.MachinePrivate)
 			log.Printf("MapRequest: %s", b)
 		}
 	}
+	if !serverNoiseKey.IsZero() {
+		return b, nil
+	}
 	return mkey.SealTo(serverKey, b), nil
 }

-func loadServerKey(ctx context.Context, httpc *http.Client, serverURL string) (key.MachinePublic, error) {
-	req, err := http.NewRequest("GET", serverURL+"/key", nil)
+func loadServerPubKeys(ctx context.Context, httpc *http.Client, serverURL string) (*tailcfg.OverTLSPublicKeyResponse, error) {
+	keyURL := fmt.Sprintf("%v/key?v=%d", serverURL, tailcfg.CurrentCapabilityVersion)
+	req, err := http.NewRequestWithContext(ctx, "GET", keyURL, nil)
 	if err != nil {
-		return key.MachinePublic{}, fmt.Errorf("create control key request: %v", err)
+		return nil, fmt.Errorf("create control key request: %v", err)
 	}
-	req = req.WithContext(ctx)
 	res, err := httpc.Do(req)
 	if err != nil {
-		return key.MachinePublic{}, fmt.Errorf("fetch control key: %v", err)
+		return nil, fmt.Errorf("fetch control key: %v", err)
 	}
 	defer res.Body.Close()
-	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<16))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 64<<10))
 	if err != nil {
-		return key.MachinePublic{}, fmt.Errorf("fetch control key response: %v", err)
+		return nil, fmt.Errorf("fetch control key response: %v", err)
 	}
 	if res.StatusCode != 200 {
-		return key.MachinePublic{}, fmt.Errorf("fetch control key: %d: %s", res.StatusCode, string(b))
+		return nil, fmt.Errorf("fetch control key: %d", res.StatusCode)
 	}
+	var out tailcfg.OverTLSPublicKeyResponse
+	jsonErr := json.Unmarshal(b, &out)
+	if jsonErr == nil {
+		return &out, nil
+	}
+
+	// Some old control servers might not be updated to send the new format.
+	// Accept the old pre-JSON format too.
+	out = tailcfg.OverTLSPublicKeyResponse{}
 	k, err := key.ParseMachinePublicUntyped(mem.B(b))
 	if err != nil {
-		return key.MachinePublic{}, fmt.Errorf("fetch control key: %v", err)
+		return nil, multierr.New(jsonErr, err)
 	}
-	return k, nil
+	out.LegacyPublicKey = k
+	return &out, nil
 }

 // Debug contains temporary internal-only debug knobs.
@@ -1190,6 +1298,78 @@ func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<-
 	}
 }

+// getNoiseClient returns the noise client, creating one if one doesn't exist.
+func (c *Direct) getNoiseClient() (*noiseClient, error) {
+	c.mu.Lock()
+	serverNoiseKey := c.serverNoiseKey
+	nc := c.noiseClient
+	c.mu.Unlock()
+	if serverNoiseKey.IsZero() {
+		return nil, errors.New("zero serverNoiseKey")
+	}
+	if nc != nil {
+		return nc, nil
+	}
+	np, err, _ := c.sfGroup.Do("noise", func() (any, error) {
+		k, err := c.getMachinePrivKey()
+		if err != nil {
+			return nil, err
+		}
+
+		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL)
+		if err != nil {
+			return nil, err
+		}
+		c.mu.Lock()
+		defer c.mu.Unlock()
+		c.noiseClient = nc
+		return nc, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return np.(*noiseClient), nil
+}
+
+// setDNSNoise sends the SetDNSRequest request to the control plane server over Noise,
+// requesting a DNS record be created or updated.
+func (c *Direct) setDNSNoise(ctx context.Context, req *tailcfg.SetDNSRequest) error {
+	newReq := *req
+	newReq.Version = tailcfg.CurrentCapabilityVersion
+	np, err := c.getNoiseClient()
+	if err != nil {
+		return err
+	}
+	bodyData, err := json.Marshal(newReq)
+	if err != nil {
+		return err
+	}
+	res, err := np.Post(fmt.Sprintf("https://%v/%v", np.serverHost, "machine/set-dns"), "application/json", bytes.NewReader(bodyData))
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		msg, _ := ioutil.ReadAll(res.Body)
+		return fmt.Errorf("set-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
+	}
+	var setDNSRes tailcfg.SetDNSResponse
+	if err := json.NewDecoder(res.Body).Decode(&setDNSRes); err != nil {
+		c.logf("error decoding SetDNSResponse: %v", err)
+		return fmt.Errorf("set-dns-response: %w", err)
+	}
+
+	return nil
+}
+
+// noiseConfigured reports whether the client can communicate with Control
+// over Noise.
+func (c *Direct) noiseConfigured() bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return !c.serverNoiseKey.IsZero()
+}
+
 // SetDNS sends the SetDNSRequest request to the control plane server,
 // requesting a DNS record be created or updated.
 func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) (err error) {
@@ -1199,6 +1379,9 @@ func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) (err er
 			metricSetDNSError.Add(1)
 		}
 	}()
+	if c.noiseConfigured() {
+		return c.setDNSNoise(ctx, req)
+	}
 	c.mu.Lock()
 	serverKey := c.serverKey
 	c.mu.Unlock()
@@ -1214,7 +1397,9 @@ func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) (err er
 		return errors.New("getMachinePrivKey returned zero key")
 	}

-	bodyData, err := encode(req, serverKey, machinePrivKey)
+	// TODO(maisem): dedupe this codepath from SetDNSNoise.
+	var serverNoiseKey key.MachinePublic
+	bodyData, err := encode(req, serverKey, serverNoiseKey, machinePrivKey)
 	if err != nil {
 		return err
 	}
@@ -1234,15 +1419,23 @@ func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) (err er
 		msg, _ := ioutil.ReadAll(res.Body)
 		return fmt.Errorf("set-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
 	}
-	var setDNSRes struct{} // no fields yet
-	if err := decode(res, &setDNSRes, serverKey, machinePrivKey); err != nil {
+	var setDNSRes tailcfg.SetDNSResponse
+	if err := decode(res, &setDNSRes, serverKey, serverNoiseKey, machinePrivKey); err != nil {
 		c.logf("error decoding SetDNSResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
-		return fmt.Errorf("set-dns-response: %v", err)
+		return fmt.Errorf("set-dns-response: %w", err)
 	}

 	return nil
 }

+func (c *Direct) DoNoiseRequest(req *http.Request) (*http.Response, error) {
+	nc, err := c.getNoiseClient()
+	if err != nil {
+		return nil, err
+	}
+	return nc.Do(req)
+}
+
 // tsmpPing sends a Ping to pr.IP, and sends an http request back to pr.URL
 // with ping response data.
 func tsmpPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) error {
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -0,0 +1,159 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlclient
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"sync"
+	"time"
+
+	"golang.org/x/net/http2"
+	"tailscale.com/control/controlbase"
+	"tailscale.com/control/controlhttp"
+	"tailscale.com/types/key"
+	"tailscale.com/util/multierr"
+)
+
+// noiseConn is a wrapper around controlbase.Conn.
+// It allows attaching an ID to a connection to allow
+// cleaning up references in the pool when the connection
+// is closed.
+type noiseConn struct {
+	*controlbase.Conn
+	id   int
+	pool *noiseClient
+}
+
+func (c *noiseConn) Close() error {
+	if err := c.Conn.Close(); err != nil {
+		return err
+	}
+	c.pool.connClosed(c.id)
+	return nil
+}
+
+// noiseClient provides a http.Client to connect to tailcontrol over
+// the ts2021 protocol.
+type noiseClient struct {
+	*http.Client // HTTP client used to talk to tailcontrol
+	privKey      key.MachinePrivate
+	serverPubKey key.MachinePublic
+	serverHost   string // the host:port part of serverURL
+
+	// mu only protects the following variables.
+	mu       sync.Mutex
+	nextID   int
+	connPool map[int]*noiseConn // active connections not yet closed; see noiseConn.Close
+}
+
+// newNoiseClient returns a new noiseClient for the provided server and machine key.
+// serverURL is of the form https://<host>:<port> (no trailing slash).
+func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string) (*noiseClient, error) {
+	u, err := url.Parse(serverURL)
+	if err != nil {
+		return nil, err
+	}
+	var host string
+	if u.Port() != "" {
+		// If there is an explicit port specified use it.
+		host = u.Host
+	} else {
+		// Otherwise, controlhttp.Dial expects an http endpoint.
+		host = fmt.Sprintf("%v:80", u.Hostname())
+	}
+	np := &noiseClient{
+		serverPubKey: serverPubKey,
+		privKey:      priKey,
+		serverHost:   host,
+	}
+
+	// Create the HTTP/2 Transport using a net/http.Transport
+	// (which only does HTTP/1) because it's the only way to
+	// configure certain properties on the http2.Transport. But we
+	// never actually use the net/http.Transport for any HTTP/1
+	// requests.
+	h2Transport, err := http2.ConfigureTransports(&http.Transport{
+		IdleConnTimeout: time.Minute,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Let the HTTP/2 Transport think it's dialing out using TLS,
+	// but it's actually our Noise dialer:
+	h2Transport.DialTLS = np.dial
+
+	// ConfigureTransports assumes it's being used to wire up an HTTP/1
+	// and HTTP/2 Transport together, so its returned http2.Transport
+	// has a ConnPool already initialized that's configured to not dial
+	// (assuming it's only called from the HTTP/1 Transport). But we
+	// want it to dial, so nil it out before use. On first use it has
+	// a sync.Once that lazily initializes the ConnPool to its default
+	// one that dials.
+	h2Transport.ConnPool = nil
+
+	np.Client = &http.Client{Transport: h2Transport}
+	return np, nil
+}
+
+// connClosed removes the connection with the provided ID from the pool
+// of active connections.
+func (nc *noiseClient) connClosed(id int) {
+	nc.mu.Lock()
+	defer nc.mu.Unlock()
+	delete(nc.connPool, id)
+}
+
+// Close closes all the underlying noise connections.
+// It is a no-op and returns nil if the connection is already closed.
+func (nc *noiseClient) Close() error {
+	nc.mu.Lock()
+	conns := nc.connPool
+	nc.connPool = nil
+	nc.mu.Unlock()
+
+	var errors []error
+	for _, c := range conns {
+		if err := c.Close(); err != nil {
+			errors = append(errors, err)
+		}
+	}
+	return multierr.New(errors...)
+}
+
+// dial opens a new connection to tailcontrol, fetching the server noise key
+// if not cached. It implements the signature needed by http2.Transport.DialTLS
+// but ignores all params as it only dials out to the server the noiseClient was
+// created for.
+func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
+	nc.mu.Lock()
+	connID := nc.nextID
+	if nc.connPool == nil {
+		nc.connPool = make(map[int]*noiseConn)
+	}
+	nc.nextID++
+	nc.mu.Unlock()
+
+	// Timeout is a little arbitrary, but plenty long enough for even the
+	// highest latency links.
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey)
+	if err != nil {
+		return nil, err
+	}
+
+	nc.mu.Lock()
+	defer nc.mu.Unlock()
+	ncc := &noiseConn{Conn: conn, id: connID, pool: nc}
+	nc.connPool[ncc.id] = ncc
+	return ncc, nil
+}
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -40,11 +40,19 @@ import (
 	"tailscale.com/types/key"
 )

-// upgradeHeader is the value of the Upgrade HTTP header used to
-// indicate the Tailscale control protocol.
 const (
-	upgradeHeaderValue  = "tailscale-control-protocol"
+	// upgradeHeader is the value of the Upgrade HTTP header used to
+	// indicate the Tailscale control protocol.
+	upgradeHeaderValue = "tailscale-control-protocol"
+
+	// handshakeHeaderName is the HTTP request header that can
+	// optionally contain base64-encoded initial handshake
+	// payload, to save an RTT.
 	handshakeHeaderName = "X-Tailscale-Handshake"
+
+	// serverUpgradePath is where the server-side HTTP handler to
+	// to do the protocol switch is located.
+	serverUpgradePath = "/ts2021"
 )

 // Dial connects to the HTTP server at addr, requests to switch to the
@@ -53,6 +61,9 @@ const (
 //
 // If Dial fails to connect using addr, it also tries to tunnel over
 // TLS to <addr's host>:443 as a compatibility fallback.
+//
+// The provided ctx is only used for the initial connection, until
+// Dial returns. It does not affect the connection once established.
 func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*controlbase.Conn, error) {
 	host, port, err := net.SplitHostPort(addr)
 	if err != nil {
@@ -92,7 +103,7 @@ func (a *dialParams) dial() (*controlbase.Conn, error) {
 	u := &url.URL{
 		Scheme: "http",
 		Host:   net.JoinHostPort(a.host, a.httpPort),
-		Path:   "/switch",
+		Path:   serverUpgradePath,
 	}
 	conn, httpErr := a.tryURL(u, init)
 	if httpErr == nil {
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -453,6 +453,9 @@ func (s *Server) initMetacert() {
 		// Windows requires NotAfter and NotBefore set:
 		NotAfter:  time.Now().Add(30 * 24 * time.Hour),
 		NotBefore: time.Now().Add(-30 * 24 * time.Hour),
+		// Per https://github.com/golang/go/issues/51759#issuecomment-1071147836,
+		// macOS requires BasicConstraints when subject == issuer:
+		BasicConstraintsValid: true,
 	}
 	cert, err := x509.CreateCertificate(crand.Reader, tmpl, tmpl, pub, priv)
 	if err != nil {
@@ -1641,8 +1644,8 @@ func (m multiForwarder) ForwardPacket(src, dst key.NodePublic, payload []byte) e
 	return fwd.ForwardPacket(src, dst, payload)
 }

-func (s *Server) expVarFunc(f func() interface{}) expvar.Func {
-	return expvar.Func(func() interface{} {
+func (s *Server) expVarFunc(f func() any) expvar.Func {
+	return expvar.Func(func() any {
 		s.mu.Lock()
 		defer s.mu.Unlock()
 		return f()
@@ -1652,14 +1655,14 @@ func (s *Server) expVarFunc(f func() interface{}) expvar.Func {
 // ExpVar returns an expvar variable suitable for registering with expvar.Publish.
 func (s *Server) ExpVar() expvar.Var {
 	m := new(metrics.Set)
-	m.Set("gauge_memstats_sys0", expvar.Func(func() interface{} { return int64(s.memSys0) }))
-	m.Set("gauge_watchers", s.expVarFunc(func() interface{} { return len(s.watchers) }))
-	m.Set("gauge_current_file_descriptors", expvar.Func(func() interface{} { return metrics.CurrentFDs() }))
+	m.Set("gauge_memstats_sys0", expvar.Func(func() any { return int64(s.memSys0) }))
+	m.Set("gauge_watchers", s.expVarFunc(func() any { return len(s.watchers) }))
+	m.Set("gauge_current_file_descriptors", expvar.Func(func() any { return metrics.CurrentFDs() }))
 	m.Set("gauge_current_connections", &s.curClients)
 	m.Set("gauge_current_home_connections", &s.curHomeClients)
-	m.Set("gauge_clients_total", expvar.Func(func() interface{} { return len(s.clientsMesh) }))
-	m.Set("gauge_clients_local", expvar.Func(func() interface{} { return len(s.clients) }))
-	m.Set("gauge_clients_remote", expvar.Func(func() interface{} { return len(s.clientsMesh) - len(s.clients) }))
+	m.Set("gauge_clients_total", expvar.Func(func() any { return len(s.clientsMesh) }))
+	m.Set("gauge_clients_local", expvar.Func(func() any { return len(s.clients) }))
+	m.Set("gauge_clients_remote", expvar.Func(func() any { return len(s.clientsMesh) - len(s.clients) }))
 	m.Set("gauge_current_dup_client_keys", &s.dupClientKeys)
 	m.Set("gauge_current_dup_client_conns", &s.dupClientConns)
 	m.Set("counter_total_dup_client_conns", &s.dupClientConnTotal)
@@ -1683,7 +1686,7 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("multiforwarder_created", &s.multiForwarderCreated)
 	m.Set("multiforwarder_deleted", &s.multiForwarderDeleted)
 	m.Set("packet_forwarder_delete_other_value", &s.removePktForwardOther)
-	m.Set("average_queue_duration_ms", expvar.Func(func() interface{} {
+	m.Set("average_queue_duration_ms", expvar.Func(func() any {
 		return math.Float64frombits(atomic.LoadUint64(s.avgQueueDuration))
 	}))
 	var expvarVersion expvar.String
@@ -1813,7 +1816,7 @@ func (s *Server) ServeDebugTraffic(w http.ResponseWriter, r *http.Request) {
 }

 var bufioWriterPool = &sync.Pool{
-	New: func() interface{} {
+	New: func() any {
 		return bufio.NewWriterSize(ioutil.Discard, 2<<10)
 	},
 }
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -9,6 +9,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/x509"
+	"encoding/asn1"
 	"encoding/json"
 	"errors"
 	"expvar"
@@ -790,6 +791,17 @@ func TestMetaCert(t *testing.T) {
 	if g, w := cert.Subject.CommonName, fmt.Sprintf("derpkey%s", pub.UntypedHexString()); g != w {
 		t.Errorf("CommonName = %q; want %q", g, w)
 	}
+	if n := len(cert.Extensions); n != 1 {
+		t.Fatalf("got %d extensions; want 1", n)
+	}
+
+	// oidExtensionBasicConstraints is the Basic Constraints ID copied
+	// from the x509 package.
+	oidExtensionBasicConstraints := asn1.ObjectIdentifier{2, 5, 29, 19}
+
+	if id := cert.Extensions[0].Id; !id.Equal(oidExtensionBasicConstraints) {
+		t.Errorf("extension ID = %v; want %v", id, oidExtensionBasicConstraints)
+	}
 }

 type dummyNetConn struct {
@@ -802,7 +814,7 @@ func TestClientRecv(t *testing.T) {
 	tests := []struct {
 		name  string
 		input []byte
-		want  interface{}
+		want  any
 	}{
 		{
 			name: "ping",
--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -46,7 +46,7 @@ func noteEnv(k, v string) {
 // logf is logger.Logf, but logger depends on envknob, so for circular
 // dependency reasons, make a type alias (so it's still assignable,
 // but has nice docs here).
-type logf = func(format string, args ...interface{})
+type logf = func(format string, args ...any)

 // LogCurrent logs the currently set environment knobs.
 func LogCurrent(logf logf) {
--- a/go.mod
+++ b/go.mod
@@ -1,12 +1,11 @@
 module tailscale.com

-go 1.17
+go 1.18

 require (
 	filippo.io/mkcert v1.4.3
 	github.com/akutz/memconn v0.1.0
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
-	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/aws/aws-sdk-go-v2 v1.11.2
 	github.com/aws/aws-sdk-go-v2/config v1.11.0
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.7.4
@@ -16,7 +15,6 @@ require (
 	github.com/creack/pty v1.1.17
 	github.com/dave/jennifer v1.4.1
 	github.com/frankban/quicktest v1.14.0
-	github.com/gliderlabs/ssh v0.3.3
 	github.com/go-ole/go-ole v1.2.6
 	github.com/godbus/dbus/v5 v5.0.6
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
@@ -24,10 +22,11 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/goreleaser/nfpm v1.10.3
 	github.com/iancoleman/strcase v0.2.0
-	github.com/insomniacslk/dhcp v0.0.0-20211026125128-ad197bcd36fd
+	github.com/insomniacslk/dhcp v0.0.0-20211209223715-7d93572ebe8e
 	github.com/jsimonetti/rtnetlink v0.0.0-20211203074127-fd9a11f42291
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.13.6
+	github.com/mdlayher/genetlink v1.2.0
 	github.com/mdlayher/netlink v1.6.0
 	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
 	github.com/miekg/dns v1.1.43
@@ -36,28 +35,29 @@ require (
 	github.com/peterbourgon/ff/v3 v3.1.2
 	github.com/pkg/sftp v1.13.4
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
-	github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3
+	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
+	github.com/tailscale/ssh v0.3.4-0.20220313013419-be8b7add4057
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
-	github.com/ulikunitz/xz v0.5.10 // indirect
-	github.com/vishvananda/netlink v1.1.1-0.20211101163509-b10eb8fe5cf6
+	github.com/u-root/u-root v0.8.0
+	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
 	go4.org/mem v0.0.0-20210711025021-927187094b94
-	golang.org/x/crypto v0.0.0-20211202192323-5770296d904e
-	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
+	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
+	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27
+	golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
-	golang.org/x/tools v0.1.8
-	golang.zx2c4.com/wireguard v0.0.0-20211116201604-de7c702ace45
+	golang.org/x/tools v0.1.10
+	golang.zx2c4.com/wireguard v0.0.0-20220317000134-95b48cdb3961
 	golang.zx2c4.com/wireguard/windows v0.4.10
 	gvisor.dev/gvisor v0.0.0-20220126021142-d8aa030b2591
-	honnef.co/go/tools v0.2.2
+	honnef.co/go/tools v0.3.0-0.dev.0.20220306074811-23e1086441d2
 	inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/wf v0.0.0-20211204062712-86aaea0a7310
@@ -79,6 +79,7 @@ require (
 	github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
+	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/ashanbrown/forbidigo v1.2.0 // indirect
 	github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.0.0 // indirect
@@ -114,6 +115,7 @@ require (
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/fzipp/gocyclo v0.3.1 // indirect
+	github.com/gliderlabs/ssh v0.3.3 // indirect
 	github.com/go-critic/go-critic v0.6.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect
@@ -236,7 +238,8 @@ require (
 	github.com/timakin/bodyclose v0.0.0-20210704033933-f49887972144 // indirect
 	github.com/tomarrell/wrapcheck/v2 v2.4.0 // indirect
 	github.com/tommy-muehle/go-mnd/v2 v2.4.0 // indirect
-	github.com/u-root/uio v0.0.0-20210528114334-82958018845c // indirect
+	github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7 // indirect
+	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/ultraware/funlen v0.0.3 // indirect
 	github.com/ultraware/whitespace v0.0.4 // indirect
 	github.com/uudashr/gocognit v1.0.5 // indirect
@@ -245,7 +248,8 @@ require (
 	github.com/yeya24/promlinter v0.1.0 // indirect
 	go4.org/intern v0.0.0-20211027215823-ae77deb06f29 // indirect
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37 // indirect
-	golang.org/x/mod v0.5.1 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
--- a/go.sum
+++ b/go.sum
@@ -178,6 +178,7 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.11.1/go.mod h1:UV2N5HaPfdbDpkgkz4sRz
 github.com/aws/smithy-go v1.9.0 h1:c7FUdEqrQA1/UVKKCNDFQPNKGp4FQg3YW4Ck5SLTG58=
 github.com/aws/smithy-go v1.9.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/bazelbuild/rules_go v0.27.0/go.mod h1:MC23Dc/wkXEyk3Wpq6lCqz0ZAYOZDw2DR5y3N1q2i7M=
+github.com/beevik/ntp v0.3.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -203,6 +204,7 @@ github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacM
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
 github.com/cenkalti/backoff v1.1.1-0.20190506075156-2146c9339422/go.mod h1:b6Nc7NRH5C4aCISLry0tLnTjcuTEvoiqcWDdsU0sOGM=
+github.com/cenkalti/backoff/v4 v4.0.2/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
@@ -269,6 +271,7 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/daixiang0/gci v0.2.4/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4=
@@ -340,6 +343,7 @@ github.com/gin-gonic/gin v1.6.3 h1:ahKqKTFpO5KTPHxWZjEdPScmYaGtLo8Y4DMHoEsnp14=
 github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
+github.com/gliderlabs/ssh v0.1.2-0.20181113160402-cbabf5414432/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/gliderlabs/ssh v0.3.3 h1:mBQ8NiOgDkINJrZtoizkC3nDNYgSaWtxyem6S2XHBtA=
 github.com/gliderlabs/ssh v0.3.3/go.mod h1:ZSS+CUoKHDrqVakTfTWUlKSr9MtMFkC4UvtQKD7O914=
@@ -435,6 +439,8 @@ github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5
 github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/gojuno/minimock/v3 v3.0.4/go.mod h1:HqeqnwV8mAABn3pO5hqF+RE7gjA0jsN8cbbSogoGrzI=
+github.com/gojuno/minimock/v3 v3.0.8/go.mod h1:TPKxc8tiB8O83YH2//pOzxvEjaI3TMhd6ev/GmlMiYA=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -525,6 +531,10 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI=
+github.com/google/go-tpm v0.2.1-0.20200615092505-5d8a91de9ae3/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw=
+github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0=
+github.com/google/goexpect v0.0.0-20191001010744-5b6988669ffa/go.mod h1:qtE5aAEkt0vOSA84DBh8aJsz6riL8ONfqfULY7lBjqc=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/goterm v0.0.0-20190703233501-fc88cf888a3f/go.mod h1:nOFQdrUlIlx6M6ODdSpBj1NVA+VgLC6kmw60mkw34H4=
@@ -652,6 +662,8 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p
 github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
+github.com/hexdigest/gowrap v1.1.7/go.mod h1:Z+nBFUDLa01iaNM+/jzoOA1JJ7sm51rnYFauKFUB5fs=
+github.com/hexdigest/gowrap v1.1.8/go.mod h1:H/JiFmQMp//tedlV8qt2xBdGzmne6bpbaSuiHmygnMw=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo=
 github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4=
@@ -671,8 +683,10 @@ github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/insomniacslk/dhcp v0.0.0-20211026125128-ad197bcd36fd h1:jupbuQFZtwOBg/3EmK91/rGaYFkqCb9bwHOnwn7Cav0=
-github.com/insomniacslk/dhcp v0.0.0-20211026125128-ad197bcd36fd/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
+github.com/insomniacslk/dhcp v0.0.0-20210817203519-d82598001386/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
+github.com/insomniacslk/dhcp v0.0.0-20211209223715-7d93572ebe8e h1:IQpunlq7T+NiJJMO7ODYV2YWBiv/KnObR3gofX0mWOo=
+github.com/insomniacslk/dhcp v0.0.0-20211209223715-7d93572ebe8e/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
+github.com/intel-go/cpuid v0.0.0-20200819041909-2aa72927c3e2/go.mod h1:RmeVYf9XrPRbRc3XIx0gLYA8qOFvNoPOfaEZduRlEp4=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -730,6 +744,7 @@ github.com/julz/importas v0.0.0-20210419104244-841f0c0fe66d/go.mod h1:oSFU2R4XK/
 github.com/julz/importas v0.0.0-20210922140945-27e0a5d4dee2 h1:3sSu9gZvOTazWE4B4wsND7ofCsn75BD8Iz1OCBUZISs=
 github.com/julz/importas v0.0.0-20210922140945-27e0a5d4dee2/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
+github.com/kaey/framebuffer v0.0.0-20140402104929-7b385489a1ff/go.mod h1:tS4qtlcKqtt3tCIHUflVSqeP3CLH5Qtv2szX9X2SyhU=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
@@ -744,12 +759,14 @@ github.com/kisielk/errcheck v1.6.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/klauspost/compress v1.10.6/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.10.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
 github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc=
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/klauspost/pgzip v1.2.4/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -763,6 +780,7 @@ github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
@@ -839,6 +857,8 @@ github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQob
 github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43/go.mod h1:+t7E0lkKfbBsebllff1xdTmyJt8lH37niI6kwFk9OTo=
 github.com/mdlayher/ethtool v0.0.0-20211028163843-288d040e9d60/go.mod h1:aYbhishWc4Ai3I2U4Gaa2n3kHWSwzme6EsG/46HRQbE=
 github.com/mdlayher/genetlink v1.0.0/go.mod h1:0rJ0h4itni50A86M2kHcgS85ttZazNt7a8H2a2cw0Gc=
+github.com/mdlayher/genetlink v1.2.0 h1:4yrIkRV5Wfk1WfpWTcoOlGmsWgQj3OtQN9ZsbrE+XtU=
+github.com/mdlayher/genetlink v1.2.0/go.mod h1:ra5LDov2KrUCZJiAtEvXXZBxGMInICMXIwshlJ+qRxQ=
 github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
 github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M=
 github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY=
@@ -967,7 +987,9 @@ github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5X
 github.com/opencontainers/runc v1.0.0-rc90/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20211123151946-c2389c3cb60a/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
+github.com/orangecms/go-framebuffer v0.0.0-20200613202404-a0700d90c330/go.mod h1:3Myb/UszJY32F2G7yGkUtcW/ejHpjlGfYLim7cv2uKA=
 github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
@@ -977,6 +999,7 @@ github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/getopt v1.1.0 h1:eJ3aFZroQqq0bWmraivjQNt6Dmm5M0h2JcDW38/Azb0=
 github.com/pborman/getopt v1.1.0/go.mod h1:FxXoW1Re00sQG/+KIkuSqRL/LwQgSkv7uyac+STFsbk=
+github.com/pborman/getopt/v2 v2.1.0/go.mod h1:4NtW75ny4eBw9fO1bhtNdYTlZKYX5/tBLtsOpwKIKd0=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
@@ -990,6 +1013,7 @@ github.com/peterbourgon/ff/v3 v3.1.2 h1:0GNhbRhO9yHA4CC27ymskOsuRpmX0YQxwxM9UPiP
 github.com/peterbourgon/ff/v3 v3.1.2/go.mod h1:XNJLY8EIl6MjMVjBS4F0+G0LYoAqs0DTa4rmHHukKDE=
 github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d h1:CdDQnGF8Nq9ocOS/xlSptM1N3BbrA6/kmaep5ggwaIA=
 github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw=
+github.com/pierrec/lz4/v4 v4.1.11/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -1054,6 +1078,8 @@ github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95/go.mod h1:r
 github.com/quasilyte/regex/syntax v0.0.0-20200805063351-8f842688393c/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0=
 github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 h1:TCg2WBOl980XxGFEZSS6KlBGIV0diGdySzxATTWoqaU=
 github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0=
+github.com/rck/unit v0.0.3/go.mod h1:jTOnzP4s1OjIP1vdxb4n76b23QPKS4EurYg7sYMr2DM=
+github.com/rekby/gpt v0.0.0-20200219180433-a930afbc6edc/go.mod h1:scrOqOnnHVKCHENvFw8k9ajCb88uqLQDA4BvuJNJ2ew=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
@@ -1074,6 +1100,7 @@ github.com/ryancurrah/gomodguard v1.2.3/go.mod h1:rYbA/4Tg5c54mV1sv4sQTP5WOPBcoL
 github.com/ryanrolds/sqlclosecheck v0.3.0 h1:AZx+Bixh8zdUBxUA1NxbxVAS78vTPq4rCb8OUZI9xFw=
 github.com/ryanrolds/sqlclosecheck v0.3.0/go.mod h1:1gREqxyTGR3lVtpngyFo3hZAgk0KCtEdgEkHwDbigdA=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/safchain/ethtool v0.0.0-20200218184317-f459e2d13664/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
 github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYIR88KRMEuODE=
 github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
 github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc=
@@ -1171,6 +1198,8 @@ github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3 h1:fEubocuQkrlcuYeXelhYq/YcKvVVe1Ah7saQEtj98Mo=
 github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3/go.mod h1:2P+hpOwd53e7JMX/L4f3VXkv1G+33ES6IWZSrkIeWNs=
+github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d h1:K3j02b5j2Iw1xoggN9B2DIEkhWGheqFOeDkdJdBrJI8=
+github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d/go.mod h1:2P+hpOwd53e7JMX/L4f3VXkv1G+33ES6IWZSrkIeWNs=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HPjrSuJYEkdZ+0ItmGQAQ75cRHIiftIyE=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
@@ -1181,6 +1210,8 @@ github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83 h1:f7nwzdAHTUUOJj
 github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83/go.mod h1:iTDXJsA6A2wNNjurgic2rk+is6uzU4U2NLm4T+edr6M=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
+github.com/tailscale/ssh v0.3.4-0.20220313013419-be8b7add4057 h1:aN1DLGpS7j6LLQaM33w4Lo6Otvq8Rx60D2ciI/UC1KQ=
+github.com/tailscale/ssh v0.3.4-0.20220313013419-be8b7add4057/go.mod h1:LC21Rp6xYOAc7NEeMhYN0xTXUB74MZAN60GRPegZLkg=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/tdakkota/asciicheck v0.0.0-20200416190851-d7f85be797a2/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM=
@@ -1217,8 +1248,13 @@ github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
 github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM=
-github.com/u-root/uio v0.0.0-20210528114334-82958018845c h1:BFvcl34IGnw8yvJi8hlqLFo9EshRInwWBs2M5fGWzQA=
+github.com/twitchtv/twirp v5.8.0+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
+github.com/u-root/iscsinl v0.1.1-0.20210528121423-84c32645822a/go.mod h1:RWIgJWqm9/0gjBZ0Hl8iR6MVGzZ+yAda2uqqLmetE2I=
+github.com/u-root/u-root v0.8.0 h1:jqP7uPC2+0eRszYTrmdZ6UDyO1Dbuy0rpMo+BnPZ9cY=
+github.com/u-root/u-root v0.8.0/go.mod h1:But1FHzS4Ua4ywx6kZOaRzZTucUKIDKOPOLEKOckQ68=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
+github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7 h1:XMAtQHwKjWHIRwg+8Nj/rzUomQY1q6cM3ncA0wP8GU4=
+github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
@@ -1227,6 +1263,7 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT
 github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
 github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ultraware/funlen v0.0.3 h1:5ylVWm8wsNwH5aWo9438pwvsK0QiqVuUrt9bn7S/iLA=
@@ -1248,11 +1285,15 @@ github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE=
 github.com/vishvananda/netlink v1.0.1-0.20190930145447-2ec5bdc52b86/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
-github.com/vishvananda/netlink v1.1.1-0.20211101163509-b10eb8fe5cf6 h1:167a2omrzz+nN9Of6lN/0yOB9itzw+IOioRThNZ30jA=
-github.com/vishvananda/netlink v1.1.1-0.20211101163509-b10eb8fe5cf6/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
+github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54 h1:8mhqcHPqTMhSPoslhGYihEgSfc77+7La1P6kiB6+9So=
+github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vtolstov/go-ioctl v0.0.0-20151206205506-6be9cced4810/go.mod h1:dF0BBJ2YrV1+2eAIyEI+KeSidgA6HqoIP1u5XTlMq/o=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
 github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
 github.com/xanzy/ssh-agent v0.3.1 h1:AmzO1SSWxw73zxFZPRwaMN1MohDw8UyHnmuxyceTEGo=
@@ -1278,6 +1319,7 @@ github.com/ziutek/telnet v0.0.0-20180329124119-c3b780dc415b/go.mod h1:IZpXDfkJ6t
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
+go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
@@ -1340,8 +1382,10 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20211202192323-5770296d904e h1:MUP6MR3rJ7Gk9LEia0LP2ytiH6MuCfs7qYz+47jGdD8=
-golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000 h1:SL+8VVnkqyshUSz5iNnXtrBQzvFF2SkROm6t5RczFAE=
+golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38=
+golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1353,7 +1397,10 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5 h1:FR+oGxGfbQu1d+jglI3rCkjAjUnhRSZcUxr+DqlDLNo=
 golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
+golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e h1:qyrTQ++p1afMkO4DPEeLGq/3oTsdlvdH4vqZUBWzUKM=
+golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1385,6 +1432,8 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1457,6 +1506,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211201190559-0a0e4e1bb54c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1513,6 +1564,7 @@ golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1534,6 +1586,7 @@ golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200121082415-34d275377bf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1596,6 +1649,7 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210820121016-41cdb8703e55/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1611,10 +1665,14 @@ golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 h1:XDXtA5hveEEV8JB2l7nhMTp3t3cHp9ZpwcdjqyEWLlo=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5 h1:y/woIyUBFbpQGKS0u1aHF/40WUDnek3fPOyD08H5Vng=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86 h1:A9i04dxx7Cribqbs8jf3FQLogkL/CV2YN7hj9KWJCkc=
+golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210317153231-de623e64d2a6/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1656,6 +1714,7 @@ golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1749,6 +1808,8 @@ golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.8-0.20211102182255-bb4add04ddef/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/tools v0.1.8 h1:P1HhGGuLW4aAclzjtmJdf0mJOjVUZUzOTqkAkWL+l6w=
 golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
+golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20=
+golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1759,6 +1820,8 @@ golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+D
 golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
 golang.zx2c4.com/wireguard v0.0.0-20211116201604-de7c702ace45 h1:mEVhdMPTuebD9IUXOUB5Q2sjZpcmzkahHWd6DrGpLHA=
 golang.zx2c4.com/wireguard v0.0.0-20211116201604-de7c702ace45/go.mod h1:evxZIqfCetExY5piKXGAxJYwvXWkps9zTCkWpkoGFxw=
+golang.zx2c4.com/wireguard v0.0.0-20220317000134-95b48cdb3961 h1:oIXcKhP1Ge6cRqdpQuldl0hf4mjIsNaXojabghlHuTs=
+golang.zx2c4.com/wireguard v0.0.0-20220317000134-95b48cdb3961/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
 golang.zx2c4.com/wireguard/windows v0.4.10 h1:HmjzJnb+G4NCdX+sfjsQlsxGPuYaThxRbZUZFLyR0/s=
 golang.zx2c4.com/wireguard/windows v0.4.10/go.mod h1:v7w/8FC48tTBm1IzScDVPEEb0/GjLta+T0ybpP9UWRg=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
@@ -1957,6 +2020,8 @@ honnef.co/go/tools v0.0.1-2020.1.6/go.mod h1:pyyisuGw24ruLjrr1ddx39WE0y9OooInRzE
 honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
 honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
 honnef.co/go/tools v0.2.2/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
+honnef.co/go/tools v0.3.0-0.dev.0.20220306074811-23e1086441d2 h1:utiSabORbG/JeX7MlmKMdmsjwom2+v8zmdb6SoBe4UY=
+honnef.co/go/tools v0.3.0-0.dev.0.20220306074811-23e1086441d2/go.mod h1:dZI0HmIvwDMW8owtLBJxTHoeX48yuF5p5pDy3y73jGU=
 howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
@@ -1992,6 +2057,7 @@ mvdan.cc/unparam v0.0.0-20211002134041-24922b6997ca h1:xzXXnoG5a3NUnKAcVMpE2cs3+
 mvdan.cc/unparam v0.0.0-20211002134041-24922b6997ca/go.mod h1:Mb96j26qXgU/+SOj6MSgC36X30UgAlRYaxckYuYyEmo=
 nhooyr.io/websocket v1.8.7 h1:usjR2uOr/zjjkVMy0lW+PPohFok7PCow5sDjLgX4P4g=
 nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
+pack.ag/tftp v1.0.1-0.20181129014014-07909dfbde3c/go.mod h1:N1Pyo5YG+K90XHoR2vfLPhpRuE8ziqbgMn/r/SghZas=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
@@ -2000,3 +2066,4 @@ sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20180114231543-2291e8f0f237/go.mod h1:/xvNRWUqm0+/ZMiF4EX00vrSCMsE4/NHb+Pt3freEeQ=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 h1:SqYE5+A2qvRhErbsXFfUEUmpWEKxxRSMgGLkvRAFOV4=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78/go.mod h1:B7Wf0Ya4DHF9Yw+qfZuJijQYkWicqDa+79Ytmmq3Kjg=
+src.elv.sh v0.16.3/go.mod h1:WxJAMoN8uQcg1ZwRvtjmbYAo6uKeJ8F7b25etVZ743w=
--- a/go.toolchain.branch
+++ b/go.toolchain.branch
@@ -1 +1 @@
-tailscale.go1.17
+tailscale.go1.18
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-fd6b85b80f5fbbfaddef34e7ab6ac83384c50e4d
+68c97fb924bbcacd951dc01b292c679aaeff5802
--- a/hostinfo/hostinfo_linux.go
+++ b/hostinfo/hostinfo_linux.go
@@ -113,6 +113,8 @@ func osVersionLinux() string {
 		return fmt.Sprintf("Synology %s%s", m["productversion"], attr)
 	case distro.OpenWrt:
 		return fmt.Sprintf("OpenWrt %s%s", m["DISTRIB_RELEASE"], attr)
+	case distro.Gokrazy:
+		return fmt.Sprintf("Gokrazy%s", attr)
 	}
 	return fmt.Sprintf("Other%s", attr)
 }
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -12,6 +12,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"os/user"
@@ -444,10 +445,10 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 		exitNodeOption := tsaddr.PrefixesContainsFunc(p.AllowedIPs, func(r netaddr.IPPrefix) bool {
 			return r.Bits() == 0
 		})
-		var tags *views.StringSlice
+		var tags *views.Slice[string]
 		var primaryRoutes *views.IPPrefixSlice
 		if p.Tags != nil {
-			v := views.StringSliceOf(p.Tags)
+			v := views.SliceOf(p.Tags)
 			tags = &v
 		}
 		if p.PrimaryRoutes != nil {
@@ -1543,23 +1544,16 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 		return fmt.Errorf("PrefsFromBytes: %v", err)
 	}

-	// On mobile platforms, ignore any old stored preferences for
-	// https://login.tailscale.com as the control server that
-	// would override the new default of controlplane.tailscale.com.
+	// Ignore any old stored preferences for https://login.tailscale.com
+	// as the control server that would override the new default of
+	// controlplane.tailscale.com.
 	// This makes sure that mobile clients go through the new
 	// frontends where we're (2021-10-02) doing battery
 	// optimization work ahead of turning down the old backends.
-	// TODO(bradfitz): make this the default for all platforms
-	// later. But mobile is a relatively small chunk (compared to
-	// Linux, Windows, macOS) and moving mobile early for battery
-	// gains is nice.
-	switch runtime.GOOS {
-	case "android", "ios":
-		if b.prefs != nil && b.prefs.ControlURL != "" &&
-			b.prefs.ControlURL != ipn.DefaultControlURL &&
-			ipn.IsLoginServerSynonym(b.prefs.ControlURL) {
-			b.prefs.ControlURL = ""
-		}
+	if b.prefs != nil && b.prefs.ControlURL != "" &&
+		b.prefs.ControlURL != ipn.DefaultControlURL &&
+		ipn.IsLoginServerSynonym(b.prefs.ControlURL) {
+		b.prefs.ControlURL = ""
 	}

 	b.logf("using backend prefs for %q: %s", key, b.prefs.Pretty())
@@ -2930,7 +2924,7 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 // friendly options to get HTTPS certs.
 func (b *LocalBackend) SetDNS(ctx context.Context, name, value string) error {
 	req := &tailcfg.SetDNSRequest{
-		Version: 1,
+		Version: 1, // TODO(bradfitz,maisem): use tailcfg.CurrentCapabilityVersion when using the Noise transport
 		Type:    "TXT",
 		Name:    name,
 		Value:   value,
@@ -3187,6 +3181,15 @@ func (b *LocalBackend) allowExitNodeDNSProxyToServeName(name string) bool {
 	return true
 }

+// SetExpiry updates the expiry of the current node key to t, as long as it's
+// only sooner than the old expiry.
+//
+// If t is in the past, the key is expired immediately.
+// If t is after the current expiry, an error is returned.
+func (b *LocalBackend) SetExpirySooner(ctx context.Context, expiry time.Time) error {
+	return b.cc.SetExpirySooner(ctx, expiry)
+}
+
 // exitNodeCanProxyDNS reports the DoH base URL ("http://foo/dns-query") without query parameters
 // to exitNodeID's DoH service, if available.
 //
@@ -3239,3 +3242,50 @@ func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
 	}
 	return mc, nil
 }
+
+// DoNoiseRequest sends a request to URL over the the control plane
+// Noise connection.
+func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error) {
+	b.mu.Lock()
+	cc := b.cc
+	b.mu.Unlock()
+	if cc == nil {
+		return nil, errors.New("no client")
+	}
+	return cc.DoNoiseRequest(req)
+}
+
+// ProxyAPIRequestOverNoise sends Tailscale API request r over the
+// Noise channel, authenticated as the current node+machine key, to
+// the control plane and copies its response back to w.
+func (b *LocalBackend) ProxyAPIRequestOverNoise(w http.ResponseWriter, r *http.Request) {
+	var nodePub key.NodePublic
+	b.mu.Lock()
+	if nm := b.netMap; nm != nil {
+		nodePub = nm.NodeKey
+	}
+	b.mu.Unlock()
+	if nodePub.IsZero() {
+		http.Error(w, "no node public key", http.StatusBadGateway)
+		return
+	}
+
+	outR := r.Clone(r.Context())
+	outR.RequestURI = ""
+	outR.URL.Scheme = "https"
+	outR.URL.Host = "unused"
+
+	outR.SetBasicAuth(url.QueryEscape(nodePub.String()), "")
+	res, err := b.DoNoiseRequest(outR)
+	if err != nil {
+		http.Error(w, "failed to make backend noise request: "+err.Error(), http.StatusBadGateway)
+		return
+	}
+	for k, vv := range res.Header {
+		for _, v := range vv {
+			w.Header().Add(k, v)
+		}
+	}
+	w.WriteHeader(res.StatusCode)
+	io.Copy(w, res.Body)
+}
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -14,6 +14,7 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/store/mem"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
@@ -457,7 +458,7 @@ func TestLazyMachineKeyGeneration(t *testing.T) {
 	panicOnMachineKeyGeneration = true

 	var logf logger.Logf = logger.Discard
-	store := new(ipn.MemoryStore)
+	store := new(mem.Store)
 	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
--- a/ipn/ipnlocal/loglines_test.go
+++ b/ipn/ipnlocal/loglines_test.go
@@ -11,6 +11,7 @@ import (

 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/ipn/store/mem"
 	"tailscale.com/logtail"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
@@ -47,7 +48,7 @@ func TestLocalLogLines(t *testing.T) {
 	idA := logid(0xaa)

 	// set up a LocalBackend, super bare bones. No functional data.
-	store := &ipn.MemoryStore{}
+	store := new(mem.Store)
 	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatal(err)
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -519,7 +519,7 @@ type peerAPIHandler struct {
 	peerUser   tailcfg.UserProfile // profile of peerNode
 }

-func (h *peerAPIHandler) logf(format string, a ...interface{}) {
+func (h *peerAPIHandler) logf(format string, a ...any) {
 	h.ps.b.logf("peerapi: "+format, a...)
 }

--- a/ipn/ipnlocal/ssh.go
+++ b/ipn/ipnlocal/ssh.go
@@ -2,16 +2,26 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux
-// +build linux
+//go:build linux || (darwin && !ios)
+// +build linux darwin,!ios

 package ipnlocal

 import (
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 	"strings"
+	"sync"

 	"golang.org/x/crypto/ssh"
 	"tailscale.com/envknob"
@@ -19,17 +29,94 @@ import (

 var useHostKeys = envknob.Bool("TS_USE_SYSTEM_SSH_HOST_KEYS")

-func (b *LocalBackend) GetSSH_HostKeys() ([]ssh.Signer, error) {
-	// TODO(bradfitz): generate host keys, at least as needed if
-	// an existing SSH server didn't put them on disk. But also
-	// because people may want tailscale-specific ones. For now be
-	// lazy and reuse the host ones.
-	return b.getSystemSSH_HostKeys()
+// keyTypes are the SSH key types that we either try to read from the
+// system's OpenSSH keys or try to generate for ourselves when not
+// running as root.
+var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
+
+func (b *LocalBackend) GetSSH_HostKeys() (keys []ssh.Signer, err error) {
+	if os.Geteuid() == 0 {
+		keys, err = b.getSystemSSH_HostKeys()
+		if err != nil || len(keys) > 0 {
+			return keys, err
+		}
+		// Otherwise, perhaps they don't have OpenSSH etc installed.
+		// Generate our own keys...
+	}
+	return b.getTailscaleSSH_HostKeys()
+}
+
+func (b *LocalBackend) getTailscaleSSH_HostKeys() (keys []ssh.Signer, err error) {
+	root := b.TailscaleVarRoot()
+	if root == "" {
+		return nil, errors.New("no var root for ssh keys")
+	}
+	keyDir := filepath.Join(root, "ssh")
+	if err := os.MkdirAll(keyDir, 0700); err != nil {
+		return nil, err
+	}
+	for _, typ := range keyTypes {
+		hostKey, err := b.hostKeyFileOrCreate(keyDir, typ)
+		if err != nil {
+			return nil, err
+		}
+		signer, err := ssh.ParsePrivateKey(hostKey)
+		if err != nil {
+			return nil, err
+		}
+		keys = append(keys, signer)
+	}
+	return keys, nil
+}
+
+var keyGenMu sync.Mutex
+
+func (b *LocalBackend) hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
+	keyGenMu.Lock()
+	defer keyGenMu.Unlock()
+
+	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
+	v, err := ioutil.ReadFile(path)
+	if err == nil {
+		return v, nil
+	}
+	if !os.IsNotExist(err) {
+		return nil, err
+	}
+	var priv any
+	switch typ {
+	default:
+		return nil, fmt.Errorf("unsupported key type %q", typ)
+	case "ed25519":
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
+	case "ecdsa":
+		// curve is arbitrary. We pick whatever will at
+		// least pacify clients as the actual encryption
+		// doesn't matter: it's all over WireGuard anyway.
+		curve := elliptic.P256()
+		priv, err = ecdsa.GenerateKey(curve, rand.Reader)
+	case "rsa":
+		// keySize is arbitrary. We pick whatever will at
+		// least pacify clients as the actual encryption
+		// doesn't matter: it's all over WireGuard anyway.
+		const keySize = 2048
+		priv, err = rsa.GenerateKey(rand.Reader, keySize)
+	}
+	if err != nil {
+		return nil, err
+	}
+	mk, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, err
+	}
+	pemGen := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: mk})
+	err = os.WriteFile(path, pemGen, 0700)
+	return pemGen, err
 }

 func (b *LocalBackend) getSystemSSH_HostKeys() (ret []ssh.Signer, err error) {
 	// TODO(bradfitz): cache this?
-	for _, typ := range []string{"rsa", "ecdsa", "ed25519"} {
+	for _, typ := range keyTypes {
 		hostKey, err := ioutil.ReadFile("/etc/ssh/ssh_host_" + typ + "_key")
 		if os.IsNotExist(err) {
 			continue
@@ -43,9 +130,6 @@ func (b *LocalBackend) getSystemSSH_HostKeys() (ret []ssh.Signer, err error) {
 		}
 		ret = append(ret, signer)
 	}
-	if len(ret) == 0 {
-		return nil, errors.New("no system SSH host keys found")
-	}
 	return ret, nil
 }

--- a/ipn/ipnlocal/ssh_stub.go
+++ b/ipn/ipnlocal/ssh_stub.go
@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !linux
-// +build !linux
+//go:build ios || (!linux && !darwin)

 package ipnlocal

--- a/ipn/ipnlocal/ssh_test.go
+++ b/ipn/ipnlocal/ssh_test.go
@@ -0,0 +1,42 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+// +build linux
+
+package ipnlocal
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestSSHKeyGen(t *testing.T) {
+	dir := t.TempDir()
+	lb := &LocalBackend{varRoot: dir}
+	keys, err := lb.getTailscaleSSH_HostKeys()
+	if err != nil {
+		t.Fatal(err)
+	}
+	got := map[string]bool{}
+	for _, k := range keys {
+		got[k.PublicKey().Type()] = true
+	}
+	want := map[string]bool{
+		"ssh-rsa":             true,
+		"ecdsa-sha2-nistp256": true,
+		"ssh-ed25519":         true,
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("keys = %v; want %v", got, want)
+	}
+
+	keys2, err := lb.getTailscaleSSH_HostKeys()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(keys, keys2) {
+		t.Errorf("got different keys on second call")
+	}
+}
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -6,6 +6,7 @@ package ipnlocal

 import (
 	"context"
+	"net/http"
 	"sync"
 	"testing"
 	"time"
@@ -14,6 +15,7 @@ import (

 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/store/mem"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
@@ -105,7 +107,7 @@ func newMockControl(tb testing.TB) *mockControl {
 	}
 }

-func (cc *mockControl) logf(format string, args ...interface{}) {
+func (cc *mockControl) logf(format string, args ...any) {
 	if cc.preventLog.Get() || cc.logfActual == nil {
 		return
 	}
@@ -222,6 +224,12 @@ func (cc *mockControl) Logout(ctx context.Context) error {
 	return nil
 }

+func (cc *mockControl) SetExpirySooner(context.Context, time.Time) error {
+	cc.logf("SetExpirySooner")
+	cc.called("SetExpirySooner")
+	return nil
+}
+
 func (cc *mockControl) SetPaused(paused bool) {
 	cc.logf("SetPaused=%v", paused)
 	if paused {
@@ -259,6 +267,10 @@ func (*mockControl) SetDNS(context.Context, *tailcfg.SetDNSRequest) error {
 	panic("unexpected SetDNS call")
 }

+func (*mockControl) DoNoiseRequest(*http.Request) (*http.Response, error) {
+	panic("unexpected DoNoiseRequest call")
+}
+
 // A very precise test of the sequence of function calls generated by
 // ipnlocal.Local into its controlclient instance, and the events it
 // produces upstream into the UI.
@@ -922,7 +934,7 @@ func TestStateMachine(t *testing.T) {
 }

 type testStateStorage struct {
-	mem     ipn.MemoryStore
+	mem     mem.Store
 	written syncs.AtomicBool
 }

@@ -954,7 +966,7 @@ func TestWGEngineStatusRace(t *testing.T) {
 	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	c.Assert(err, qt.IsNil)
 	t.Cleanup(eng.Close)
-	b, err := NewLocalBackend(logf, "logid", new(ipn.MemoryStore), nil, eng, 0)
+	b, err := NewLocalBackend(logf, "logid", new(mem.Store), nil, eng, 0)
 	c.Assert(err, qt.IsNil)

 	cc := newMockControl(t)
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -36,12 +36,10 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/localapi"
-	"tailscale.com/ipn/store/aws"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/netstat"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsdial"
-	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
@@ -657,75 +655,6 @@ func (s *Server) writeToClients(n ipn.Notify) {
 	}
 }

-// tryWindowsAppDataMigration attempts to copy the Windows state file
-// from its old location to the new location. (Issue 2856)
-//
-// Tailscale 1.14 and before stored state under %LocalAppData%
-// (usually "C:\WINDOWS\system32\config\systemprofile\AppData\Local"
-// when tailscaled.exe is running as a non-user system service).
-// However it is frequently cleared for almost any reason: Windows
-// updates, System Restore, even various System Cleaner utilities.
-//
-// Returns a string of the path to use for the state file.
-// This will be a fallback %LocalAppData% path if migration fails,
-// a %ProgramData% path otherwise.
-func tryWindowsAppDataMigration(logf logger.Logf, path string) string {
-	if path != paths.DefaultTailscaledStateFile() {
-		// If they're specifying a non-default path, just trust that they know
-		// what they are doing.
-		return path
-	}
-	oldFile := paths.LegacyStateFilePath()
-	return paths.TryConfigFileMigration(logf, oldFile, path)
-}
-
-// StateStore returns a StateStore from path.
-//
-// The path should be an absolute path to a file.
-//
-// Special cases:
-//
-//   * empty string means to use an in-memory store
-//   * if the string begins with "mem:", the suffix
-//     is ignored and an in-memory store is used.
-//   * if the string begins with "kube:", the suffix
-//     is a Kubernetes secret name
-//   * if the string begins with "arn:", the value is
-//     an AWS ARN for an SSM.
-func StateStore(path string, logf logger.Logf) (ipn.StateStore, error) {
-	if path == "" {
-		return &ipn.MemoryStore{}, nil
-	}
-	const memPrefix = "mem:"
-	const kubePrefix = "kube:"
-	const arnPrefix = "arn:"
-	switch {
-	case strings.HasPrefix(path, memPrefix):
-		return &ipn.MemoryStore{}, nil
-	case strings.HasPrefix(path, kubePrefix):
-		secretName := strings.TrimPrefix(path, kubePrefix)
-		store, err := ipn.NewKubeStore(secretName)
-		if err != nil {
-			return nil, fmt.Errorf("ipn.NewKubeStore(%q): %v", secretName, err)
-		}
-		return store, nil
-	case strings.HasPrefix(path, arnPrefix):
-		store, err := aws.NewStore(path)
-		if err != nil {
-			return nil, fmt.Errorf("aws.NewStore(%q): %v", path, err)
-		}
-		return store, nil
-	}
-	if runtime.GOOS == "windows" {
-		path = tryWindowsAppDataMigration(logf, path)
-	}
-	store, err := ipn.NewFileStore(path)
-	if err != nil {
-		return nil, fmt.Errorf("ipn.NewFileStore(%q): %v", path, err)
-	}
-	return store, nil
-}
-
 // Run runs a Tailscale backend service.
 // The getEngine func is called repeatedly, once per connection, until it returns an engine successfully.
 //
@@ -1120,6 +1049,10 @@ func (s *Server) localhostHandler(ci connIdentity) http.Handler {
 			lah.ServeHTTP(w, r)
 			return
 		}
+		if strings.HasPrefix(r.URL.Path, "/api/") {
+			s.b.ProxyAPIRequestOverNoise(w, r)
+			return
+		}
 		if ci.NotWindows {
 			io.WriteString(w, "<html><title>Tailscale</title><body><h1>Tailscale</h1>This is the local Tailscale daemon.")
 			return
@@ -1250,7 +1183,7 @@ func loadExtraEnv() (env []string, err error) {
 		if line == "" || line[0] == '#' {
 			continue
 		}
-		k, v, ok := stringsCut(line, "=")
+		k, v, ok := strings.Cut(line, "=")
 		if !ok || k == "" {
 			continue
 		}
@@ -1267,12 +1200,3 @@ func loadExtraEnv() (env []string, err error) {
 	}
 	return env, nil
 }
-
-// stringsCut is Go 1.18's strings.Cut.
-// TODO(bradfitz): delete this when we depend on Go 1.18.
-func stringsCut(s, sep string) (before, after string, found bool) {
-	if i := strings.Index(s, sep); i >= 0 {
-		return s[:i], s[i+len(sep):], true
-	}
-	return s, "", false
-}
--- a/ipn/ipnserver/server_test.go
+++ b/ipn/ipnserver/server_test.go
@@ -13,6 +13,7 @@ import (

 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnserver"
+	"tailscale.com/ipn/store/mem"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/safesocket"
 	"tailscale.com/wgengine"
@@ -27,7 +28,7 @@ func TestRunMultipleAccepts(t *testing.T) {
 	td := t.TempDir()
 	socketPath := filepath.Join(td, "tailscale.sock")

-	logf := func(format string, args ...interface{}) {
+	logf := func(format string, args ...any) {
 		format = strings.TrimRight(format, "\n")
 		println(fmt.Sprintf(format, args...))
 		t.Logf(format, args...)
@@ -51,7 +52,7 @@ func TestRunMultipleAccepts(t *testing.T) {
 		}
 	}

-	logTriggerTestf := func(format string, args ...interface{}) {
+	logTriggerTestf := func(format string, args ...any) {
 		logf(format, args...)
 		if strings.HasPrefix(format, "Listening on ") {
 			connect()
@@ -66,7 +67,7 @@ func TestRunMultipleAccepts(t *testing.T) {

 	opts := ipnserver.Options{}
 	t.Logf("pre-Run")
-	store := new(ipn.MemoryStore)
+	store := new(mem.Store)

 	ln, _, err := safesocket.Listen(socketPath, 0)
 	if err != nil {
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -112,7 +112,7 @@ type PeerStatus struct {

 	// Tags are the list of ACL tags applied to this node.
 	// See tailscale.com/tailcfg#Node.Tags for more information.
-	Tags *views.StringSlice `json:",omitempty"`
+	Tags *views.Slice[string] `json:",omitempty"`

 	// PrimaryRoutes are the routes this node is currently the primary
 	// subnet router for, as determined by the control plane. It does
@@ -342,7 +342,7 @@ type StatusUpdater interface {
 }

 func (st *Status) WriteHTML(w io.Writer) {
-	f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
+	f := func(format string, args ...any) { fmt.Fprintf(w, format, args...) }

 	f(`<!DOCTYPE html>
 <html lang="en">
--- a/ipn/localapi/cert.go
+++ b/ipn/localapi/cert.go
@@ -85,7 +85,7 @@ func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {

 	now := time.Now()
 	logf := logger.WithPrefix(h.logf, fmt.Sprintf("cert(%q): ", domain))
-	traceACME := func(v interface{}) {
+	traceACME := func(v any) {
 		if !acmeDebug {
 			return
 		}
@@ -164,7 +164,7 @@ func (h *Handler) getCertPEMCached(dir, domain string, now time.Time) (p *keyPai
 	return nil, false
 }

-func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME func(interface{}), dir, domain string, now time.Time) (*keyPair, error) {
+func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME func(any), dir, domain string, now time.Time) (*keyPair, error) {
 	acmeMu.Lock()
 	defer acmeMu.Unlock()

--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -122,6 +122,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveMetrics(w, r)
 	case "/localapi/v0/debug":
 		h.serveDebug(w, r)
+	case "/localapi/v0/set-expiry-sooner":
+		h.serveSetExpirySooner(w, r)
 	case "/":
 		io.WriteString(w, "tailscaled\n")
 	default:
@@ -446,12 +448,12 @@ func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
 	}

 	upath := strings.TrimPrefix(r.URL.EscapedPath(), "/localapi/v0/file-put/")
-	slash := strings.Index(upath, "/")
-	if slash == -1 {
+	stableIDStr, filenameEscaped, ok := strings.Cut(upath, "/")
+	if !ok {
 		http.Error(w, "bogus URL", 400)
 		return
 	}
-	stableID, filenameEscaped := tailcfg.StableNodeID(upath[:slash]), upath[slash+1:]
+	stableID := tailcfg.StableNodeID(stableIDStr)

 	var ft *apitype.FileTarget
 	for _, x := range fts {
@@ -511,6 +513,35 @@ func (h *Handler) serveDERPMap(w http.ResponseWriter, r *http.Request) {
 	e.Encode(h.b.DERPMap())
 }

+// serveSetExpirySooner sets the expiry date on the current machine, specified
+// by an `expiry` unix timestamp as POST or query param.
+func (h *Handler) serveSetExpirySooner(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "POST" {
+		http.Error(w, "POST required", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var expiryTime time.Time
+	if v := r.FormValue("expiry"); v != "" {
+		expiryInt, err := strconv.ParseInt(v, 10, 64)
+		if err != nil {
+			http.Error(w, "can't parse expiry time, expects a unix timestamp", http.StatusBadRequest)
+			return
+		}
+		expiryTime = time.Unix(expiryInt, 0)
+	} else {
+		http.Error(w, "missing 'expiry' parameter, a unix timestamp", http.StatusBadRequest)
+		return
+	}
+	err := h.b.SetExpirySooner(r.Context(), expiryTime)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	w.Header().Set("Content-Type", "text/plain")
+	io.WriteString(w, "done\n")
+}
+
 func defBool(a string, def bool) bool {
 	if a == "" {
 		return def
@@ -526,7 +557,7 @@ func defBool(a string, def bool) bool {
 // (currently only a slice or a map) and makes sure it's non-nil for
 // JSON serialization. (In particular, JavaScript clients usually want
 // the field to be defined after they decode the JSON.)
-func makeNonNil(ptr interface{}) {
+func makeNonNil(ptr any) {
 	if ptr == nil {
 		panic("nil interface")
 	}
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -85,10 +85,10 @@ func TestClientServer(t *testing.T) {
 	clientToServer := func(b []byte) {
 		bs.GotCommandMsg(context.TODO(), b)
 	}
-	slogf := func(fmt string, args ...interface{}) {
+	slogf := func(fmt string, args ...any) {
 		t.Logf("s: "+fmt, args...)
 	}
-	clogf := func(fmt string, args ...interface{}) {
+	clogf := func(fmt string, args ...any) {
 		t.Logf("c: "+fmt, args...)
 	}
 	bs = NewBackendServer(slogf, b, serverToClient)
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -7,6 +7,7 @@ package ipn
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -18,9 +19,12 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/atomicfile"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
+	"tailscale.com/util/dnsname"
 )

 //go:generate go run tailscale.com/cmd/cloner -type=Prefs -output=prefs_clone.go
@@ -30,9 +34,15 @@ import (
 // The default control plane is the hosted version run by Tailscale.com.
 const DefaultControlURL = "https://controlplane.tailscale.com"

+var (
+	// ErrExitNodeIDAlreadySet is returned from (*Prefs).SetExitNodeIP when the
+	// Prefs.ExitNodeID field is already set.
+	ErrExitNodeIDAlreadySet = errors.New("cannot set ExitNodeIP when ExitNodeID is already set")
+)
+
 // IsLoginServerSynonym reports whether a URL is a drop-in replacement
 // for the primary Tailscale login server.
-func IsLoginServerSynonym(val interface{}) bool {
+func IsLoginServerSynonym(val any) bool {
 	return val == "https://login.tailscale.com" || val == "https://controlplane.tailscale.com"
 }

@@ -442,18 +452,7 @@ func (p *Prefs) AdvertisesExitNode() bool {
 	if p == nil {
 		return false
 	}
-	var v4, v6 bool
-	for _, r := range p.AdvertiseRoutes {
-		if r.Bits() != 0 {
-			continue
-		}
-		if r.IP().Is4() {
-			v4 = true
-		} else if r.IP().Is6() {
-			v6 = true
-		}
-	}
-	return v4 && v6
+	return tsaddr.ContainsExitRoutes(p.AdvertiseRoutes)
 }

 // SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two
@@ -477,6 +476,109 @@ func (p *Prefs) SetAdvertiseExitNode(runExit bool) {
 		netaddr.IPPrefixFrom(netaddr.IPv6Unspecified(), 0))
 }

+// peerWithTailscaleIP returns the peer in st with the provided
+// Tailscale IP.
+func peerWithTailscaleIP(st *ipnstate.Status, ip netaddr.IP) (ps *ipnstate.PeerStatus, ok bool) {
+	for _, ps := range st.Peer {
+		for _, ip2 := range ps.TailscaleIPs {
+			if ip == ip2 {
+				return ps, true
+			}
+		}
+	}
+	return nil, false
+}
+
+func isRemoteIP(st *ipnstate.Status, ip netaddr.IP) bool {
+	for _, selfIP := range st.TailscaleIPs {
+		if ip == selfIP {
+			return false
+		}
+	}
+	return true
+}
+
+// ClearExitNode sets the ExitNodeID and ExitNodeIP to their zero values.
+func (p *Prefs) ClearExitNode() {
+	p.ExitNodeID = ""
+	p.ExitNodeIP = netaddr.IP{}
+}
+
+// ExitNodeLocalIPError is returned when the requested IP address for an exit
+// node belongs to the local machine.
+type ExitNodeLocalIPError struct {
+	hostOrIP string
+}
+
+func (e ExitNodeLocalIPError) Error() string {
+	return fmt.Sprintf("cannot use %s as an exit node as it is a local IP address to this machine", e.hostOrIP)
+}
+
+func exitNodeIPOfArg(s string, st *ipnstate.Status) (ip netaddr.IP, err error) {
+	if s == "" {
+		return ip, os.ErrInvalid
+	}
+	ip, err = netaddr.ParseIP(s)
+	if err == nil {
+		// If we're online already and have a netmap, double check that the IP
+		// address specified is valid.
+		if st.BackendState == "Running" {
+			ps, ok := peerWithTailscaleIP(st, ip)
+			if !ok {
+				return ip, fmt.Errorf("no node found in netmap with IP %v", ip)
+			}
+			if !ps.ExitNodeOption {
+				return ip, fmt.Errorf("node %v is not advertising an exit node", ip)
+			}
+		}
+		if !isRemoteIP(st, ip) {
+			return ip, ExitNodeLocalIPError{s}
+		}
+		return ip, nil
+	}
+	match := 0
+	for _, ps := range st.Peer {
+		baseName := dnsname.TrimSuffix(ps.DNSName, st.MagicDNSSuffix)
+		if !strings.EqualFold(s, baseName) {
+			continue
+		}
+		match++
+		if len(ps.TailscaleIPs) == 0 {
+			return ip, fmt.Errorf("node %q has no Tailscale IP?", s)
+		}
+		if !ps.ExitNodeOption {
+			return ip, fmt.Errorf("node %q is not advertising an exit node", s)
+		}
+		ip = ps.TailscaleIPs[0]
+	}
+	switch match {
+	case 0:
+		return ip, fmt.Errorf("invalid value %q for --exit-node; must be IP or unique node name", s)
+	case 1:
+		if !isRemoteIP(st, ip) {
+			return ip, ExitNodeLocalIPError{s}
+		}
+		return ip, nil
+	default:
+		return ip, fmt.Errorf("ambiguous exit node name %q", s)
+	}
+}
+
+// SetExitNodeIP validates and sets the ExitNodeIP from a user-provided string
+// specifying either an IP address or a MagicDNS base name ("foo", as opposed to
+// "foo.bar.beta.tailscale.net"). This method does not mutate ExitNodeID and
+// will fail if ExitNodeID is already set.
+func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error {
+	if !p.ExitNodeID.IsZero() {
+		return ErrExitNodeIDAlreadySet
+	}
+	ip, err := exitNodeIPOfArg(s, st)
+	if err == nil {
+		p.ExitNodeIP = ip
+	}
+	return err
+}
+
 // PrefsFromBytes deserializes Prefs from a JSON blob. If
 // enforceDefaults is true, Prefs.RouteAll and Prefs.AllowSingleHosts
 // are forced on.
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -17,6 +17,7 @@ import (

 	"go4.org/mem"
 	"inet.af/netaddr"
+	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
@@ -679,3 +680,133 @@ func TestPrefsExitNode(t *testing.T) {
 		t.Errorf("routes = %d; want %d", got, want)
 	}
 }
+
+func TestExitNodeIPOfArg(t *testing.T) {
+	mustIP := netaddr.MustParseIP
+	tests := []struct {
+		name    string
+		arg     string
+		st      *ipnstate.Status
+		want    netaddr.IP
+		wantErr string
+	}{
+		{
+			name: "ip_while_stopped_okay",
+			arg:  "1.2.3.4",
+			st: &ipnstate.Status{
+				BackendState: "Stopped",
+			},
+			want: mustIP("1.2.3.4"),
+		},
+		{
+			name: "ip_not_found",
+			arg:  "1.2.3.4",
+			st: &ipnstate.Status{
+				BackendState: "Running",
+			},
+			wantErr: `no node found in netmap with IP 1.2.3.4`,
+		},
+		{
+			name: "ip_not_exit",
+			arg:  "1.2.3.4",
+			st: &ipnstate.Status{
+				BackendState: "Running",
+				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
+					key.NewNode().Public(): {
+						TailscaleIPs: []netaddr.IP{mustIP("1.2.3.4")},
+					},
+				},
+			},
+			wantErr: `node 1.2.3.4 is not advertising an exit node`,
+		},
+		{
+			name: "ip",
+			arg:  "1.2.3.4",
+			st: &ipnstate.Status{
+				BackendState: "Running",
+				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
+					key.NewNode().Public(): {
+						TailscaleIPs:   []netaddr.IP{mustIP("1.2.3.4")},
+						ExitNodeOption: true,
+					},
+				},
+			},
+			want: mustIP("1.2.3.4"),
+		},
+		{
+			name:    "no_match",
+			arg:     "unknown",
+			st:      &ipnstate.Status{MagicDNSSuffix: ".foo"},
+			wantErr: `invalid value "unknown" for --exit-node; must be IP or unique node name`,
+		},
+		{
+			name: "name",
+			arg:  "skippy",
+			st: &ipnstate.Status{
+				MagicDNSSuffix: ".foo",
+				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
+					key.NewNode().Public(): {
+						DNSName:        "skippy.foo.",
+						TailscaleIPs:   []netaddr.IP{mustIP("1.0.0.2")},
+						ExitNodeOption: true,
+					},
+				},
+			},
+			want: mustIP("1.0.0.2"),
+		},
+		{
+			name: "name_not_exit",
+			arg:  "skippy",
+			st: &ipnstate.Status{
+				MagicDNSSuffix: ".foo",
+				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
+					key.NewNode().Public(): {
+						DNSName:      "skippy.foo.",
+						TailscaleIPs: []netaddr.IP{mustIP("1.0.0.2")},
+					},
+				},
+			},
+			wantErr: `node "skippy" is not advertising an exit node`,
+		},
+		{
+			name: "ambiguous",
+			arg:  "skippy",
+			st: &ipnstate.Status{
+				MagicDNSSuffix: ".foo",
+				Peer: map[key.NodePublic]*ipnstate.PeerStatus{
+					key.NewNode().Public(): {
+						DNSName:        "skippy.foo.",
+						TailscaleIPs:   []netaddr.IP{mustIP("1.0.0.2")},
+						ExitNodeOption: true,
+					},
+					key.NewNode().Public(): {
+						DNSName:        "SKIPPY.foo.",
+						TailscaleIPs:   []netaddr.IP{mustIP("1.0.0.2")},
+						ExitNodeOption: true,
+					},
+				},
+			},
+			wantErr: `ambiguous exit node name "skippy"`,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := exitNodeIPOfArg(tt.arg, tt.st)
+			if err != nil {
+				if err.Error() == tt.wantErr {
+					return
+				}
+				if tt.wantErr == "" {
+					t.Fatal(err)
+				}
+				t.Fatalf("error = %#q; want %#q", err, tt.wantErr)
+			}
+			if tt.wantErr != "" {
+				t.Fatalf("got %v; want error %#q", got, tt.wantErr)
+			}
+			if got != tt.want {
+				t.Fatalf("got %v; want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/ipn/store.go
+++ b/ipn/store.go
@@ -5,21 +5,7 @@
 package ipn

 import (
-	"bytes"
-	"context"
-	"encoding/json"
 	"errors"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"os"
-	"path/filepath"
-	"sync"
-	"time"
-
-	"tailscale.com/atomicfile"
-	"tailscale.com/kube"
-	"tailscale.com/paths"
 )

 // ErrStateNotExist is returned by StateStore.ReadState when the
@@ -58,203 +44,3 @@ type StateStore interface {
 	// WriteState saves bs as the state associated with ID.
 	WriteState(id StateKey, bs []byte) error
 }
-
-// KubeStore is a StateStore that uses a Kubernetes Secret for persistence.
-type KubeStore struct {
-	client     *kube.Client
-	secretName string
-}
-
-// NewKubeStore returns a new KubeStore that persists to the named secret.
-func NewKubeStore(secretName string) (*KubeStore, error) {
-	c, err := kube.New()
-	if err != nil {
-		return nil, err
-	}
-	return &KubeStore{
-		client:     c,
-		secretName: secretName,
-	}, nil
-}
-
-func (s *KubeStore) String() string { return "KubeStore" }
-
-// ReadState implements the StateStore interface.
-func (s *KubeStore) ReadState(id StateKey) ([]byte, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	secret, err := s.client.GetSecret(ctx, s.secretName)
-	if err != nil {
-		if st, ok := err.(*kube.Status); ok && st.Code == 404 {
-			return nil, ErrStateNotExist
-		}
-		return nil, err
-	}
-	b, ok := secret.Data[string(id)]
-	if !ok {
-		return nil, ErrStateNotExist
-	}
-	return b, nil
-}
-
-// WriteState implements the StateStore interface.
-func (s *KubeStore) WriteState(id StateKey, bs []byte) error {
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	secret, err := s.client.GetSecret(ctx, s.secretName)
-	if err != nil {
-		if st, ok := err.(*kube.Status); ok && st.Code == 404 {
-			return s.client.CreateSecret(ctx, &kube.Secret{
-				TypeMeta: kube.TypeMeta{
-					APIVersion: "v1",
-					Kind:       "Secret",
-				},
-				ObjectMeta: kube.ObjectMeta{
-					Name: s.secretName,
-				},
-				Data: map[string][]byte{
-					string(id): bs,
-				},
-			})
-		}
-		return err
-	}
-	secret.Data[string(id)] = bs
-	if err := s.client.UpdateSecret(ctx, secret); err != nil {
-		return err
-	}
-	return err
-}
-
-// MemoryStore is a store that keeps state in memory only.
-type MemoryStore struct {
-	mu    sync.Mutex
-	cache map[StateKey][]byte
-}
-
-func (s *MemoryStore) String() string { return "MemoryStore" }
-
-// ReadState implements the StateStore interface.
-func (s *MemoryStore) ReadState(id StateKey) ([]byte, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	bs, ok := s.cache[id]
-	if !ok {
-		return nil, ErrStateNotExist
-	}
-	return bs, nil
-}
-
-// WriteState implements the StateStore interface.
-func (s *MemoryStore) WriteState(id StateKey, bs []byte) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.cache == nil {
-		s.cache = map[StateKey][]byte{}
-	}
-	s.cache[id] = append([]byte(nil), bs...)
-	return nil
-}
-
-// LoadFromJSON attempts to unmarshal json content into the
-// in-memory cache.
-func (s *MemoryStore) LoadFromJSON(data []byte) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	return json.Unmarshal(data, &s.cache)
-}
-
-// ExportToJSON exports the content of the cache to
-// JSON formatted []byte.
-func (s *MemoryStore) ExportToJSON() ([]byte, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if len(s.cache) == 0 {
-		// Avoid "null" serialization.
-		return []byte("{}"), nil
-	}
-	return json.MarshalIndent(s.cache, "", "  ")
-}
-
-// FileStore is a StateStore that uses a JSON file for persistence.
-type FileStore struct {
-	path string
-
-	mu    sync.RWMutex
-	cache map[StateKey][]byte
-}
-
-// Path returns the path that NewFileStore was called with.
-func (s *FileStore) Path() string { return s.path }
-
-func (s *FileStore) String() string { return fmt.Sprintf("FileStore(%q)", s.path) }
-
-// NewFileStore returns a new file store that persists to path.
-func NewFileStore(path string) (*FileStore, error) {
-	// We unconditionally call this to ensure that our perms are correct
-	if err := paths.MkStateDir(filepath.Dir(path)); err != nil {
-		return nil, fmt.Errorf("creating state directory: %w", err)
-	}
-
-	bs, err := ioutil.ReadFile(path)
-
-	// Treat an empty file as a missing file.
-	// (https://github.com/tailscale/tailscale/issues/895#issuecomment-723255589)
-	if err == nil && len(bs) == 0 {
-		log.Printf("ipn.NewFileStore(%q): file empty; treating it like a missing file [warning]", path)
-		err = os.ErrNotExist
-	}
-
-	if err != nil {
-		if os.IsNotExist(err) {
-			// Write out an initial file, to verify that we can write
-			// to the path.
-			if err = atomicfile.WriteFile(path, []byte("{}"), 0600); err != nil {
-				return nil, err
-			}
-			return &FileStore{
-				path:  path,
-				cache: map[StateKey][]byte{},
-			}, nil
-		}
-		return nil, err
-	}
-
-	ret := &FileStore{
-		path:  path,
-		cache: map[StateKey][]byte{},
-	}
-	if err := json.Unmarshal(bs, &ret.cache); err != nil {
-		return nil, err
-	}
-
-	return ret, nil
-}
-
-// ReadState implements the StateStore interface.
-func (s *FileStore) ReadState(id StateKey) ([]byte, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	bs, ok := s.cache[id]
-	if !ok {
-		return nil, ErrStateNotExist
-	}
-	return bs, nil
-}
-
-// WriteState implements the StateStore interface.
-func (s *FileStore) WriteState(id StateKey, bs []byte) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if bytes.Equal(s.cache[id], bs) {
-		return nil
-	}
-	s.cache[id] = append([]byte(nil), bs...)
-	bs, err := json.MarshalIndent(s.cache, "", "  ")
-	if err != nil {
-		return err
-	}
-	return atomicfile.WriteFile(s.path, bs, 0600)
-}
--- a/ipn/store/awsstore/store_aws.go
+++ b/ipn/store/awsstore/store_aws.go
@@ -5,8 +5,8 @@
 //go:build linux
 // +build linux

-// Package aws contains an AWS SSM StateStore implementation.
-package aws
+// Package awsstore contains an ipn.StateStore implementation using AWS SSM.
+package awsstore

 import (
 	"context"
@@ -20,6 +20,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	ssmTypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/store/mem"
+	"tailscale.com/types/logger"
 )

 const (
@@ -46,12 +48,12 @@ type awsStore struct {
 	ssmClient awsSSMClient
 	ssmARN    arn.ARN

-	memory ipn.MemoryStore
+	memory mem.Store
 }

-// NewStore returns a new ipn.StateStore using the AWS SSM storage
+// New returns a new ipn.StateStore using the AWS SSM storage
 // location given by ssmARN.
-func NewStore(ssmARN string) (ipn.StateStore, error) {
+func New(_ logger.Logf, ssmARN string) (ipn.StateStore, error) {
 	return newStore(ssmARN, nil)
 }

--- a/ipn/store/awsstore/store_aws_stub.go
+++ b/ipn/store/awsstore/store_aws_stub.go
@@ -5,7 +5,7 @@
 //go:build !linux
 // +build !linux

-package aws
+package awsstore

 import (
 	"fmt"
--- a/ipn/store/awsstore/store_aws_test.go
+++ b/ipn/store/awsstore/store_aws_test.go
@@ -5,7 +5,7 @@
 //go:build linux
 // +build linux

-package aws
+package awsstore

 import (
 	"context"
--- a/ipn/store/kubestore/store_kube.go
+++ b/ipn/store/kubestore/store_kube.go
@@ -0,0 +1,85 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package kubestore contains an ipn.StateStore implementation using Kubernetes Secrets.
+
+package kubestore
+
+import (
+	"context"
+	"time"
+
+	"tailscale.com/ipn"
+	"tailscale.com/kube"
+	"tailscale.com/types/logger"
+)
+
+// Store is an ipn.StateStore that uses a Kubernetes Secret for persistence.
+type Store struct {
+	client     *kube.Client
+	secretName string
+}
+
+// New returns a new Store that persists to the named secret.
+func New(_ logger.Logf, secretName string) (*Store, error) {
+	c, err := kube.New()
+	if err != nil {
+		return nil, err
+	}
+	return &Store{
+		client:     c,
+		secretName: secretName,
+	}, nil
+}
+
+func (s *Store) String() string { return "kube.Store" }
+
+// ReadState implements the StateStore interface.
+func (s *Store) ReadState(id ipn.StateKey) ([]byte, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	secret, err := s.client.GetSecret(ctx, s.secretName)
+	if err != nil {
+		if st, ok := err.(*kube.Status); ok && st.Code == 404 {
+			return nil, ipn.ErrStateNotExist
+		}
+		return nil, err
+	}
+	b, ok := secret.Data[string(id)]
+	if !ok {
+		return nil, ipn.ErrStateNotExist
+	}
+	return b, nil
+}
+
+// WriteState implements the StateStore interface.
+func (s *Store) WriteState(id ipn.StateKey, bs []byte) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	secret, err := s.client.GetSecret(ctx, s.secretName)
+	if err != nil {
+		if st, ok := err.(*kube.Status); ok && st.Code == 404 {
+			return s.client.CreateSecret(ctx, &kube.Secret{
+				TypeMeta: kube.TypeMeta{
+					APIVersion: "v1",
+					Kind:       "Secret",
+				},
+				ObjectMeta: kube.ObjectMeta{
+					Name: s.secretName,
+				},
+				Data: map[string][]byte{
+					string(id): bs,
+				},
+			})
+		}
+		return err
+	}
+	secret.Data[string(id)] = bs
+	if err := s.client.UpdateSecret(ctx, secret); err != nil {
+		return err
+	}
+	return err
+}
--- a/ipn/store/mem/store_mem.go
+++ b/ipn/store/mem/store_mem.go
@@ -0,0 +1,69 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package mem provides an in-memory ipn.StateStore implementation.
+package mem
+
+import (
+	"encoding/json"
+	"sync"
+
+	"tailscale.com/ipn"
+	"tailscale.com/types/logger"
+)
+
+// New returns a new Store.
+func New(logger.Logf, string) (ipn.StateStore, error) {
+	return new(Store), nil
+}
+
+// Store is an ipn.StateStore that keeps state in memory only.
+type Store struct {
+	mu    sync.Mutex
+	cache map[ipn.StateKey][]byte
+}
+
+func (s *Store) String() string { return "mem.Store" }
+
+// ReadState implements the StateStore interface.
+func (s *Store) ReadState(id ipn.StateKey) ([]byte, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	bs, ok := s.cache[id]
+	if !ok {
+		return nil, ipn.ErrStateNotExist
+	}
+	return bs, nil
+}
+
+// WriteState implements the StateStore interface.
+func (s *Store) WriteState(id ipn.StateKey, bs []byte) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.cache == nil {
+		s.cache = map[ipn.StateKey][]byte{}
+	}
+	s.cache[id] = append([]byte(nil), bs...)
+	return nil
+}
+
+// LoadFromJSON attempts to unmarshal json content into the
+// in-memory cache.
+func (s *Store) LoadFromJSON(data []byte) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return json.Unmarshal(data, &s.cache)
+}
+
+// ExportToJSON exports the content of the cache to
+// JSON formatted []byte.
+func (s *Store) ExportToJSON() ([]byte, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if len(s.cache) == 0 {
+		// Avoid "null" serialization.
+		return []byte("{}"), nil
+	}
+	return json.MarshalIndent(s.cache, "", "  ")
+}
--- a/ipn/store/stores.go
+++ b/ipn/store/stores.go
@@ -0,0 +1,192 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package store provides various implementation of ipn.StateStore.
+package store
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+
+	"tailscale.com/atomicfile"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/store/mem"
+	"tailscale.com/paths"
+	"tailscale.com/types/logger"
+)
+
+// Provider returns a StateStore for the provided path.
+// The arg is of the form "prefix:rest", where prefix was previously registered with Register.
+type Provider func(logf logger.Logf, arg string) (ipn.StateStore, error)
+
+var regOnce sync.Once
+
+var registerAvailableExternalStores func()
+
+func registerDefaultStores() {
+	Register("mem:", mem.New)
+
+	if registerAvailableExternalStores != nil {
+		registerAvailableExternalStores()
+	}
+}
+
+var knownStores map[string]Provider
+
+// New returns a StateStore based on the provided arg
+// and registered stores.
+// The arg is of the form "prefix:rest", where prefix was previously
+// registered with Register.
+//
+// By default the following stores are registered:
+//
+//   * if the string begins with "mem:", the suffix
+//     is ignored and an in-memory store is used.
+//   * (Linux-only) if the string begins with "arn:",
+//     the suffix an AWS ARN for an SSM.
+//   * (Linux-only) if the string begins with "kube:",
+//     the suffix is a Kubernetes secret name
+//   * In all other cases, the path is treated as a filepath.
+func New(logf logger.Logf, path string) (ipn.StateStore, error) {
+	regOnce.Do(registerDefaultStores)
+	for prefix, sf := range knownStores {
+		if strings.HasPrefix(path, prefix) {
+			// We can't strip the prefix here as some NewStoreFunc (like arn:)
+			// expect the prefix.
+			return sf(logf, path)
+		}
+	}
+	if runtime.GOOS == "windows" {
+		path = TryWindowsAppDataMigration(logf, path)
+	}
+	return NewFileStore(logf, path)
+}
+
+// Register registers a prefix to be used for
+// NewStore. It panics if the prefix is empty, or if the
+// prefix is already registered.
+// The provided fn is called with the path passed to NewStore;
+// the prefix is not stripped.
+func Register(prefix string, fn Provider) {
+	if len(prefix) == 0 {
+		panic("prefix is empty")
+	}
+	if _, ok := knownStores[prefix]; ok {
+		panic(fmt.Sprintf("%q already registered", prefix))
+	}
+	if knownStores == nil {
+		knownStores = make(map[string]Provider)
+	}
+	knownStores[prefix] = fn
+}
+
+// TryWindowsAppDataMigration attempts to copy the Windows state file
+// from its old location to the new location. (Issue 2856)
+//
+// Tailscale 1.14 and before stored state under %LocalAppData%
+// (usually "C:\WINDOWS\system32\config\systemprofile\AppData\Local"
+// when tailscaled.exe is running as a non-user system service).
+// However it is frequently cleared for almost any reason: Windows
+// updates, System Restore, even various System Cleaner utilities.
+//
+// Returns a string of the path to use for the state file.
+// This will be a fallback %LocalAppData% path if migration fails,
+// a %ProgramData% path otherwise.
+func TryWindowsAppDataMigration(logf logger.Logf, path string) string {
+	if path != paths.DefaultTailscaledStateFile() {
+		// If they're specifying a non-default path, just trust that they know
+		// what they are doing.
+		return path
+	}
+	oldFile := paths.LegacyStateFilePath()
+	return paths.TryConfigFileMigration(logf, oldFile, path)
+}
+
+// FileStore is a StateStore that uses a JSON file for persistence.
+type FileStore struct {
+	path string
+
+	mu    sync.RWMutex
+	cache map[ipn.StateKey][]byte
+}
+
+// Path returns the path that NewFileStore was called with.
+func (s *FileStore) Path() string { return s.path }
+
+func (s *FileStore) String() string { return fmt.Sprintf("FileStore(%q)", s.path) }
+
+// NewFileStore returns a new file store that persists to path.
+func NewFileStore(logf logger.Logf, path string) (ipn.StateStore, error) {
+	// We unconditionally call this to ensure that our perms are correct
+	if err := paths.MkStateDir(filepath.Dir(path)); err != nil {
+		return nil, fmt.Errorf("creating state directory: %w", err)
+	}
+
+	bs, err := ioutil.ReadFile(path)
+
+	// Treat an empty file as a missing file.
+	// (https://github.com/tailscale/tailscale/issues/895#issuecomment-723255589)
+	if err == nil && len(bs) == 0 {
+		logf("store.NewFileStore(%q): file empty; treating it like a missing file [warning]", path)
+		err = os.ErrNotExist
+	}
+
+	if err != nil {
+		if os.IsNotExist(err) {
+			// Write out an initial file, to verify that we can write
+			// to the path.
+			if err = atomicfile.WriteFile(path, []byte("{}"), 0600); err != nil {
+				return nil, err
+			}
+			return &FileStore{
+				path:  path,
+				cache: map[ipn.StateKey][]byte{},
+			}, nil
+		}
+		return nil, err
+	}
+
+	ret := &FileStore{
+		path:  path,
+		cache: map[ipn.StateKey][]byte{},
+	}
+	if err := json.Unmarshal(bs, &ret.cache); err != nil {
+		return nil, err
+	}
+
+	return ret, nil
+}
+
+// ReadState implements the StateStore interface.
+func (s *FileStore) ReadState(id ipn.StateKey) ([]byte, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	bs, ok := s.cache[id]
+	if !ok {
+		return nil, ipn.ErrStateNotExist
+	}
+	return bs, nil
+}
+
+// WriteState implements the StateStore interface.
+func (s *FileStore) WriteState(id ipn.StateKey, bs []byte) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if bytes.Equal(s.cache[id], bs) {
+		return nil
+	}
+	s.cache[id] = append([]byte(nil), bs...)
+	bs, err := json.MarshalIndent(s.cache, "", "  ")
+	if err != nil {
+		return err
+	}
+	return atomicfile.WriteFile(s.path, bs, 0600)
+}
--- a/ipn/store/stores_linux.go
+++ b/ipn/store/stores_linux.go
@@ -0,0 +1,26 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package store
+
+import (
+	"strings"
+
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/store/awsstore"
+	"tailscale.com/ipn/store/kubestore"
+	"tailscale.com/types/logger"
+)
+
+func init() {
+	registerAvailableExternalStores = registerExternalStores
+}
+
+func registerExternalStores() {
+	Register("kube:", func(logf logger.Logf, path string) (ipn.StateStore, error) {
+		secretName := strings.TrimPrefix(path, "kube:")
+		return kubestore.New(logf, secretName)
+	})
+	Register("arn:", awsstore.New)
+}
--- a/ipn/store/stores_test.go
+++ b/ipn/store/stores_test.go
@@ -1,24 +1,84 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package ipn
+package store

 import (
 	"path/filepath"
 	"testing"

+	"tailscale.com/ipn"
+	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tstest"
+	"tailscale.com/types/logger"
 )

-func testStoreSemantics(t *testing.T, store StateStore) {
+func TestNewStore(t *testing.T) {
+	regOnce.Do(registerDefaultStores)
+	t.Cleanup(func() {
+		knownStores = map[string]Provider{}
+		registerDefaultStores()
+	})
+	knownStores = map[string]Provider{}
+
+	type store1 struct {
+		ipn.StateStore
+		path string
+	}
+
+	type store2 struct {
+		ipn.StateStore
+		path string
+	}
+
+	Register("arn:", func(_ logger.Logf, path string) (ipn.StateStore, error) {
+		return &store1{new(mem.Store), path}, nil
+	})
+	Register("kube:", func(_ logger.Logf, path string) (ipn.StateStore, error) {
+		return &store2{new(mem.Store), path}, nil
+	})
+	Register("mem:", func(_ logger.Logf, path string) (ipn.StateStore, error) {
+		return new(mem.Store), nil
+	})
+
+	path := "mem:abcd"
+	if s, err := New(t.Logf, path); err != nil {
+		t.Fatalf("%q: %v", path, err)
+	} else if _, ok := s.(*mem.Store); !ok {
+		t.Fatalf("%q: got: %T, want: %T", path, s, new(mem.Store))
+	}
+
+	path = "arn:foo"
+	if s, err := New(t.Logf, path); err != nil {
+		t.Fatalf("%q: %v", path, err)
+	} else if _, ok := s.(*store1); !ok {
+		t.Fatalf("%q: got: %T, want: %T", path, s, new(store1))
+	}
+
+	path = "kube:abcd"
+	if s, err := New(t.Logf, path); err != nil {
+		t.Fatalf("%q: %v", path, err)
+	} else if _, ok := s.(*store2); !ok {
+		t.Fatalf("%q: got: %T, want: %T", path, s, new(store2))
+	}
+
+	path = filepath.Join(t.TempDir(), "state")
+	if s, err := New(t.Logf, path); err != nil {
+		t.Fatalf("%q: %v", path, err)
+	} else if _, ok := s.(*FileStore); !ok {
+		t.Fatalf("%q: got: %T, want: %T", path, s, new(FileStore))
+	}
+}
+
+func testStoreSemantics(t *testing.T, store ipn.StateStore) {
 	t.Helper()

 	tests := []struct {
 		// if true, data is data to write. If false, data is expected
 		// output of read.
 		write bool
-		id    StateKey
+		id    ipn.StateKey
 		data  string
 		// If write=false, true if we expect a not-exist error.
 		notExists bool
@@ -63,7 +123,7 @@ func testStoreSemantics(t *testing.T, store StateStore) {
 		} else {
 			bs, err := store.ReadState(test.id)
 			if err != nil {
-				if test.notExists && err == ErrStateNotExist {
+				if test.notExists && err == ipn.ErrStateNotExist {
 					continue
 				}
 				t.Errorf("reading %q: %v", test.id, err)
@@ -79,7 +139,7 @@ func testStoreSemantics(t *testing.T, store StateStore) {
 func TestMemoryStore(t *testing.T) {
 	tstest.PanicOnLog()

-	store := &MemoryStore{}
+	store := new(mem.Store)
 	testStoreSemantics(t, store)
 }

@@ -89,7 +149,7 @@ func TestFileStore(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "test-file-store.conf")

-	store, err := NewFileStore(path)
+	store, err := NewFileStore(nil, path)
 	if err != nil {
 		t.Fatalf("creating file store failed: %v", err)
 	}
@@ -98,12 +158,12 @@ func TestFileStore(t *testing.T) {

 	// Build a brand new file store and check that both IDs written
 	// above are still there.
-	store, err = NewFileStore(path)
+	store, err = NewFileStore(nil, path)
 	if err != nil {
 		t.Fatalf("creating second file store failed: %v", err)
 	}

-	expected := map[StateKey]string{
+	expected := map[ipn.StateKey]string{
 		"foo": "bar",
 		"baz": "quux",
 	}
--- a/kube/client.go
+++ b/kube/client.go
@@ -110,7 +110,7 @@ func getError(resp *http.Response) error {
 	return st
 }

-func (c *Client) doRequest(ctx context.Context, method, url string, in, out interface{}) error {
+func (c *Client) doRequest(ctx context.Context, method, url string, in, out any) error {
 	tk, err := c.getOrRenewToken()
 	if err != nil {
 		return err
--- a/log/filelogger/log.go
+++ b/log/filelogger/log.go
@@ -77,7 +77,7 @@ func dayOf(t time.Time) civilDay {
 	return civilDay{t.Year(), t.Month(), t.Day()}
 }

-func (w *logFileWriter) Logf(format string, a ...interface{}) {
+func (w *logFileWriter) Logf(format string, a ...any) {
 	w.mu.Lock()
 	defer w.mu.Unlock()

--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -416,7 +416,7 @@ func New(collection string) *Policy {
 	console := log.New(stderrWriter{}, "", lflags)

 	var earlyErrBuf bytes.Buffer
-	earlyLogf := func(format string, a ...interface{}) {
+	earlyLogf := func(format string, a ...any) {
 		fmt.Fprintf(&earlyErrBuf, format, a...)
 		earlyErrBuf.WriteByte('\n')
 	}
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -84,6 +84,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 		cfg.Buffer = NewMemoryBuffer(pendingSize)
 	}
 	l := &Logger{
+		privateID:      cfg.PrivateID,
 		stderr:         cfg.Stderr,
 		stderrLevel:    int64(cfg.StderrLevel),
 		httpc:          cfg.HTTPC,
@@ -133,6 +134,7 @@ type Logger struct {
 	uploadCancel   func()
 	explainedRaw   bool
 	metricsDelta   func() string // or nil
+	privateID      PrivateID

 	shutdownStart chan struct{} // closed when shutdown begins
 	shutdownDone  chan struct{} // closed when shutdown complete
@@ -153,6 +155,11 @@ func (l *Logger) SetLinkMonitor(lm *monitor.Mon) {
 	l.linkMonitor = lm
 }

+// PrivateID returns the logger's private log ID.
+//
+// It exists for internal use only.
+func (l *Logger) PrivateID() PrivateID { return l.privateID }
+
 // Shutdown gracefully shuts down the logger while completing any
 // remaining uploads.
 //
@@ -508,7 +515,7 @@ func (l *Logger) encode(buf []byte, level int) []byte {

 	now := l.timeNow()

-	obj := make(map[string]interface{})
+	obj := make(map[string]any)
 	if err := json.Unmarshal(buf, &obj); err != nil {
 		for k := range obj {
 			delete(obj, k)
@@ -546,7 +553,7 @@ func (l *Logger) encode(buf []byte, level int) []byte {
 }

 // Logf logs to l using the provided fmt-style format and optional arguments.
-func (l *Logger) Logf(format string, args ...interface{}) {
+func (l *Logger) Logf(format string, args ...any) {
 	fmt.Fprintf(l, format, args...)
 }

--- a/logtail/logtail_test.go
+++ b/logtail/logtail_test.go
@@ -128,7 +128,7 @@ func TestEncodeAndUploadMessages(t *testing.T) {

 		ltail, ok := data["logtail"]
 		if ok {
-			logtailmap := ltail.(map[string]interface{})
+			logtailmap := ltail.(map[string]any)
 			_, ok = logtailmap["client_time"]
 			if !ok {
 				t.Errorf("%s: no client_time present", tt.name)
@@ -317,9 +317,9 @@ func TestPublicIDUnmarshalText(t *testing.T) {
 	}
 }

-func unmarshalOne(t *testing.T, body []byte) map[string]interface{} {
+func unmarshalOne(t *testing.T, body []byte) map[string]any {
 	t.Helper()
-	var entries []map[string]interface{}
+	var entries []map[string]any
 	err := json.Unmarshal(body, &entries)
 	if err != nil {
 		t.Error(err)
--- a/net/dns/manager_linux_test.go
+++ b/net/dns/manager_linux_test.go
@@ -258,7 +258,7 @@ func TestLinuxDNSMode(t *testing.T) {
 	}
 }

-type memFS map[string]interface{} // full path => string for regular files
+type memFS map[string]any // full path => string for regular files

 func (m memFS) Stat(name string) (isRegular bool, err error) {
 	v, ok := m[name]
--- a/net/dns/nm.go
+++ b/net/dns/nm.go
@@ -140,12 +140,12 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 	// NetworkManager wipes out IPv6 address configuration unless we
 	// tell it explicitly to keep it. Read out the current interface
 	// settings and mirror them out to NetworkManager.
-	var addrs6 []map[string]interface{}
+	var addrs6 []map[string]any
 	addrs, _, err := interfaces.Tailscale()
 	if err == nil {
 		for _, a := range addrs {
 			if a.Is6() {
-				addrs6 = append(addrs6, map[string]interface{}{
+				addrs6 = append(addrs6, map[string]any{
 					"address": a.String(),
 					"prefix":  uint32(128),
 				})
--- a/net/dns/resolvconffile/resolvconffile.go
+++ b/net/dns/resolvconffile/resolvconffile.go
@@ -65,10 +65,7 @@ func Parse(r io.Reader) (*Config, error) {
 	scanner := bufio.NewScanner(r)
 	for scanner.Scan() {
 		line := scanner.Text()
-		i := strings.IndexByte(line, '#')
-		if i >= 0 {
-			line = line[:i]
-		}
+		line, _, _ = strings.Cut(line, "#") // remove any comments
 		line = strings.TrimSpace(line)

 		if strings.HasPrefix(line, "nameserver") {
--- a/net/dns/resolved.go
+++ b/net/dns/resolved.go
@@ -141,7 +141,7 @@ func (m *resolvedManager) resync(ctx context.Context, signals chan *dbus.Signal)
 			if signal.Path != dbusPath || signal.Name != dbusInterface+"."+dbusOwnerSignal {
 				continue
 			}
-			// signal.Body is a []interface{} of 3 strings: bus name, previous owner, new owner.
+			// signal.Body is a []any of 3 strings: bus name, previous owner, new owner.
 			if len(signal.Body) != 3 {
 				m.logf("[unexpectected] DBus NameOwnerChanged len(Body) = %d, want 3")
 			}
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -196,12 +196,11 @@ func maxDoHInFlight(goos string) int {
 		// Unknown iOS version, be cautious.
 		return 10
 	}
-	idx := strings.Index(ver, ".")
-	if idx == -1 {
+	major, _, ok := strings.Cut(ver, ".")
+	if !ok {
 		// Unknown iOS version, be cautious.
 		return 10
 	}
-	major := ver[:idx]
 	if m, err := strconv.Atoi(major); err != nil || m < 15 {
 		return 10
 	}
--- a/net/dns/resolver/forwarder_test.go
+++ b/net/dns/resolver/forwarder_test.go
@@ -37,13 +37,13 @@ func TestResolversWithDelays(t *testing.T) {
 	o := func(ss ...string) (rr []resolverAndDelay) {
 		for _, s := range ss {
 			var d time.Duration
-			if i := strings.Index(s, "+"); i != -1 {
+			s, durStr, hasPlus := strings.Cut(s, "+")
+			if hasPlus {
 				var err error
-				d, err = time.ParseDuration(s[i+1:])
+				d, err = time.ParseDuration(durStr)
 				if err != nil {
 					panic(fmt.Sprintf("parsing duration in %q: %v", s, err))
 				}
-				s = s[:i]
 			}
 			host, _, err := net.SplitHostPort(s)
 			if err != nil {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .21.0
 .23.0