util/codegen: Remove year from copyright header.

Copyright notices in software are not supposed to update the year in the header. Because we have a CI check for `go generate`, we're failing CI until we go update all of the copyright headers in generated files to say 2023. Instead, relax the requirement to always have a year in the copyright header. Fixes https://github.com/tailscale/tailscale/issues/6865 Signed-off-by: Denton Gentry <dgentry@tailscale.com>
licenses: update android licenses
2023-01-01 16:36:10 -08:00 · 2022-12-29 21:01:02 -08:00 · 2022-12-24 18:17:24 -08:00 · 2022-12-24 15:40:22 -08:00 · 2022-12-24 15:22:41 -08:00 · 2022-12-24 15:22:41 -08:00
147 changed files with 6064 additions and 1536 deletions
--- a/.github/workflows/cross-loong64.yml
+++ b/.github/workflows/cross-loong64.yml
@@ -0,0 +1,57 @@
+name: Loongnix-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Loongnix build cmd
+      env:
+        GOOS: linux
+        GOARCH: loong64
+      run: go build ./cmd/...
+
+    - name: Loongnix build tests
+      env:
+        GOOS: linux
+        GOARCH: loong64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/15
+++ b/15
@@ -35,6 +35,9 @@ buildlinuxarm:
 buildwasm:
 	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli

+buildlinuxloong64:
+	GOOS=linux GOARCH=loong64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
+
 buildmultiarchimage:
 	./build_docker.sh

@@ -59,4 +62,14 @@ publishdevimage:
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true ./build_docker.sh
+	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
+	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
+	TAGS=latest REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh
+
+publishdevoperator:
+	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
+	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
+	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
+	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
+	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
+	TAGS=latest REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.33.0
+1.35.0
--- a/api.md
+++ b/api.md
@@ -3,7 +3,7 @@
 The Tailscale API is a (mostly) RESTful API. Typically, POST bodies should be JSON encoded and responses will be JSON encoded.

 # Authentication
-Currently based on {some authentication method}. Visit the [admin panel](https://login.tailscale.com/admin) and navigate to the `Settings` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints (leave the password blank).
+Currently based on {some authentication method}. Visit the [admin console](https://login.tailscale.com/admin) and navigate to the `Settings` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints (leave the password blank).

 # APIs

--- a/build_docker.sh
+++ b/build_docker.sh
@@ -26,23 +26,46 @@ eval $(./build_dist.sh shellvars)
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
 DEFAULT_REPOS="tailscale/tailscale,ghcr.io/tailscale/tailscale"
 DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.16"
+DEFAULT_TARGET="client"

 PUSH="${PUSH:-false}"
 REPOS="${REPOS:-${DEFAULT_REPOS}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
+TARGET="${TARGET:-${DEFAULT_TARGET}}"

-go run github.com/tailscale/mkctr \
-  --gopaths="\
-    tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
-    tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
-    tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
-  --ldflags="\
-    -X tailscale.com/version.Long=${VERSION_LONG} \
-    -X tailscale.com/version.Short=${VERSION_SHORT} \
-    -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
-  --base="${BASE}" \
-  --tags="${TAGS}" \
-  --repos="${REPOS}" \
-  --push="${PUSH}" \
-  /usr/local/bin/containerboot
+case "$TARGET" in
+  client)
+    go run github.com/tailscale/mkctr \
+      --gopaths="\
+        tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
+        tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
+        tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
+      --ldflags="\
+        -X tailscale.com/version.Long=${VERSION_LONG} \
+        -X tailscale.com/version.Short=${VERSION_SHORT} \
+        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
+      --base="${BASE}" \
+      --tags="${TAGS}" \
+      --repos="${REPOS}" \
+      --push="${PUSH}" \
+      /usr/local/bin/containerboot
+    ;;
+  operator)
+    go run github.com/tailscale/mkctr \
+      --gopaths="tailscale.com/cmd/k8s-operator:/usr/local/bin/operator" \
+      --ldflags="\
+        -X tailscale.com/version.Long=${VERSION_LONG} \
+        -X tailscale.com/version.Short=${VERSION_SHORT} \
+        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
+      --base="${BASE}" \
+      --tags="${TAGS}" \
+      --repos="${REPOS}" \
+      --push="${PUSH}" \
+      /usr/local/bin/operator
+    ;;
+  *)
+    echo "unknown target: $TARGET"
+    exit 1
+    ;;
+esac
--- a/client/tailscale/keys.go
+++ b/client/tailscale/keys.go
@@ -0,0 +1,147 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+)
+
+// Key represents a Tailscale API or auth key.
+type Key struct {
+	ID           string          `json:"id"`
+	Created      time.Time       `json:"created"`
+	Expires      time.Time       `json:"expires"`
+	Capabilities KeyCapabilities `json:"capabilities"`
+}
+
+// KeyCapabilities are the capabilities of a Key.
+type KeyCapabilities struct {
+	Devices KeyDeviceCapabilities `json:"devices,omitempty"`
+}
+
+// KeyDeviceCapabilities are the device-related capabilities of a Key.
+type KeyDeviceCapabilities struct {
+	Create KeyDeviceCreateCapabilities `json:"create"`
+}
+
+// KeyDeviceCreateCapabilities are the device creation capabilities of a Key.
+type KeyDeviceCreateCapabilities struct {
+	Reusable      bool     `json:"reusable"`
+	Ephemeral     bool     `json:"ephemeral"`
+	Preauthorized bool     `json:"preauthorized"`
+	Tags          []string `json:"tags,omitempty"`
+}
+
+// Keys returns the list of keys for the current user.
+func (c *Client) Keys(ctx context.Context) ([]string, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var keys []struct {
+		ID string `json:"id"`
+	}
+	if err := json.Unmarshal(b, &keys); err != nil {
+		return nil, err
+	}
+	ret := make([]string, 0, len(keys))
+	for _, k := range keys {
+		ret = append(ret, k.ID)
+	}
+	return ret, nil
+}
+
+// CreateKey creates a new key for the current user. Currently, only auth keys
+// can be created. Returns the key itself, which cannot be retrieved again
+// later, and the key metadata.
+func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *Key, error) {
+	keyRequest := struct {
+		Capabilities KeyCapabilities `json:"capabilities"`
+	}{caps}
+	bs, err := json.Marshal(keyRequest)
+	if err != nil {
+		return "", nil, err
+	}
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
+	if err != nil {
+		return "", nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return "", nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return "", nil, handleErrorResponse(b, resp)
+	}
+
+	var key struct {
+		Key
+		Secret string `json:"key"`
+	}
+	if err := json.Unmarshal(b, &key); err != nil {
+		return "", nil, err
+	}
+	return key.Secret, &key.Key, nil
+}
+
+// Key returns the metadata for the given key ID. Currently, capabilities are
+// only returned for auth keys, API keys only return general metadata.
+func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var key Key
+	if err := json.Unmarshal(b, &key); err != nil {
+		return nil, err
+	}
+	return &key, nil
+}
+
+// DeleteKey deletes the key with the given ID.
+func (c *Client) DeleteKey(ctx context.Context, id string) error {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
+	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
+	if err != nil {
+		return err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -805,7 +805,7 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key, disa
 }

 // NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
-func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
+func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) error {
 	var b bytes.Buffer
 	type modifyRequest struct {
 		AddKeys    []tka.Key
@@ -813,14 +813,13 @@ func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKey
 	}

 	if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
-		return nil, err
+		return err
 	}

-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
+	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 204, &b); err != nil {
+		return fmt.Errorf("error: %w", err)
 	}
-	return decodeJSON[*ipnstate.NetworkLockStatus](body)
+	return nil
 }

 // NetworkLockSign signs the specified node-key and transmits that signature to the control plane.
@@ -867,7 +866,6 @@ func (lc *LocalClient) NetworkLockForceLocalDisable(ctx context.Context) error {
 	return nil
 }

-
 // SetServeConfig sets or replaces the serving settings.
 // If config is nil, settings are cleared and serving is disabled.
 func (lc *LocalClient) SetServeConfig(ctx context.Context, config *ipn.ServeConfig) error {
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -21,8 +21,85 @@ import (
 	"path/filepath"
 	"strings"
 	"time"
+
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/multierr"
 )

+// checkSecretPermissions checks the secret access permissions of the current
+// pod. It returns an error if the basic permissions tailscale needs are
+// missing, and reports whether the patch permission is additionally present.
+//
+// Errors encountered during the access checking process are logged, but ignored
+// so that the pod tries to fail alive if the permissions exist and there's just
+// something wrong with SelfSubjectAccessReviews. There shouldn't be, pods
+// should always be able to use SSARs to assess their own permissions, but since
+// we didn't use to check permissions this way we'll be cautious in case some
+// old version of k8s deviates from the current behavior.
+func checkSecretPermissions(ctx context.Context, secretName string) (canPatch bool, err error) {
+	var errs []error
+	for _, verb := range []string{"get", "update"} {
+		ok, err := checkPermission(ctx, verb, secretName)
+		if err != nil {
+			log.Printf("error checking %s permission on secret %s: %v", verb, secretName, err)
+		} else if !ok {
+			errs = append(errs, fmt.Errorf("missing %s permission on secret %q", verb, secretName))
+		}
+	}
+	if len(errs) > 0 {
+		return false, multierr.New(errs...)
+	}
+	ok, err := checkPermission(ctx, "patch", secretName)
+	if err != nil {
+		log.Printf("error checking patch permission on secret %s: %v", secretName, err)
+		return false, nil
+	}
+	return ok, nil
+}
+
+// checkPermission reports whether the current pod has permission to use the
+// given verb (e.g. get, update, patch) on secretName.
+func checkPermission(ctx context.Context, verb, secretName string) (bool, error) {
+	sar := map[string]any{
+		"apiVersion": "authorization.k8s.io/v1",
+		"kind":       "SelfSubjectAccessReview",
+		"spec": map[string]any{
+			"resourceAttributes": map[string]any{
+				"namespace": kubeNamespace,
+				"verb":      verb,
+				"resource":  "secrets",
+				"name":      secretName,
+			},
+		},
+	}
+	bs, err := json.Marshal(sar)
+	if err != nil {
+		return false, err
+	}
+	req, err := http.NewRequest("POST", "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", bytes.NewReader(bs))
+	if err != nil {
+		return false, err
+	}
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+	bs, err = io.ReadAll(resp.Body)
+	if err != nil {
+		return false, err
+	}
+	var res struct {
+		Status struct {
+			Allowed bool `json:"allowed"`
+		} `json:"status"`
+	}
+	if err := json.Unmarshal(bs, &res); err != nil {
+		return false, err
+	}
+	return res.Status.Allowed, nil
+}
+
 // findKeyInKubeSecret inspects the kube secret secretName for a data
 // field called "authkey", and returns its value if present.
 func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error) {
@@ -64,9 +141,9 @@ func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error)
 	return "", nil
 }

-// storeDeviceID writes deviceID into the "device_id" data field of
-// the kube secret secretName.
-func storeDeviceID(ctx context.Context, secretName, deviceID string) error {
+// storeDeviceInfo writes deviceID into the "device_id" data field of the kube
+// secret secretName.
+func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string) error {
 	// First check if the secret exists at all. Even if running on
 	// kubernetes, we do not necessarily store state in a k8s secret.
 	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
@@ -84,8 +161,9 @@ func storeDeviceID(ctx context.Context, secretName, deviceID string) error {
 	}

 	m := map[string]map[string]string{
-		"stringData": map[string]string{
-			"device_id": deviceID,
+		"stringData": {
+			"device_id":   string(deviceID),
+			"device_fqdn": fqdn,
 		},
 	}
 	var b bytes.Buffer
@@ -193,8 +271,8 @@ func doKubeRequest(ctx context.Context, r *http.Request) (*http.Response, error)
 	if err != nil {
 		return nil, err
 	}
-	if resp.StatusCode != http.StatusOK {
-		return resp, fmt.Errorf("got non-200 status code %d", resp.StatusCode)
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		return resp, fmt.Errorf("got non-200/201 status code %d", resp.StatusCode)
 	}
 	return resp, nil
 }
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -4,13 +4,13 @@

 //go:build linux

-// The containerboot binary is a wrapper for starting tailscaled in a
-// container. It handles reading the desired mode of operation out of
-// environment variables, bringing up and authenticating Tailscale,
-// and any other kubernetes-specific side jobs.
+// The containerboot binary is a wrapper for starting tailscaled in a container.
+// It handles reading the desired mode of operation out of environment
+// variables, bringing up and authenticating Tailscale, and any other
+// kubernetes-specific side jobs.
 //
-// As with most container things, configuration is passed through
-// environment variables. All configuration is optional.
+// As with most container things, configuration is passed through environment
+// variables. All configuration is optional.
 //
 //   - TS_AUTH_KEY: the authkey to use for login.
 //   - TS_ROUTES: subnet routes to advertise.
@@ -37,9 +37,13 @@
 //     compatibility), forcibly log in every time the
 //     container starts.
 //
-// When running on Kubernetes, TS_KUBE_SECRET takes precedence over
-// TS_STATE_DIR. Additionally, if TS_AUTH_KEY is not provided and the
-// TS_KUBE_SECRET contains an "authkey" field, that key is used.
+// When running on Kubernetes, containerboot defaults to storing state in the
+// "tailscale" kube secret. To store state on local disk instead, set
+// TS_KUBE_SECRET="" and TS_STATE_DIR=/path/to/storage/dir. The state dir should
+// be persistent storage.
+//
+// Additionally, if TS_AUTH_KEY is not set and the TS_KUBE_SECRET contains an
+// "authkey" field, that key is used as the tailscale authkey.
 package main

 import (
@@ -60,7 +64,8 @@ import (

 	"golang.org/x/sys/unix"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/ipn"
+	"tailscale.com/util/deephash"
 )

 func main() {
@@ -116,67 +121,190 @@ func main() {
 	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
 	defer cancel()

-	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.AuthKey == "" {
-		key, err := findKeyInKubeSecret(ctx, cfg.KubeSecret)
-		if err != nil {
-			log.Fatalf("Getting authkey from kube secret: %v", err)
-		}
-		if key != "" {
-			log.Print("Using authkey found in kube secret")
-			cfg.AuthKey = key
-		} else {
-			log.Print("No authkey found in kube secret and TS_AUTHKEY not provided, login will be interactive if needed.")
-		}
-	}
-
-	st, daemonPid, err := startAndAuthTailscaled(ctx, cfg)
-	if err != nil {
-		log.Fatalf("failed to bring up tailscale: %v", err)
-	}
-
-	if cfg.ProxyTo != "" {
-		if err := installIPTablesRule(ctx, cfg.ProxyTo, st.TailscaleIPs); err != nil {
-			log.Fatalf("installing proxy rules: %v", err)
-		}
-	}
 	if cfg.InKubernetes && cfg.KubeSecret != "" {
-		if err := storeDeviceID(ctx, cfg.KubeSecret, string(st.Self.ID)); err != nil {
-			log.Fatalf("storing device ID in kube secret: %v", err)
+		canPatch, err := checkSecretPermissions(ctx, cfg.KubeSecret)
+		if err != nil {
+			log.Fatalf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
 		}
-		if cfg.AuthOnce {
-			// We were told to only auth once, so any secret-bound
-			// authkey is no longer needed. We don't strictly need to
-			// wipe it, but it's good hygiene.
-			log.Printf("Deleting authkey from kube secret")
-			if err := deleteAuthKey(ctx, cfg.KubeSecret); err != nil {
-				log.Fatalf("deleting authkey from kube secret: %v", err)
+		cfg.KubernetesCanPatch = canPatch
+
+		if cfg.AuthKey == "" {
+			key, err := findKeyInKubeSecret(ctx, cfg.KubeSecret)
+			if err != nil {
+				log.Fatalf("Getting authkey from kube secret: %v", err)
+			}
+			if key != "" {
+				// This behavior of pulling authkeys from kube secrets was added
+				// at the same time as the patch permission, so we can enforce
+				// that we must be able to patch out the authkey after
+				// authenticating if you want to use this feature. This avoids
+				// us having to deal with the case where we might leave behind
+				// an unnecessary reusable authkey in a secret, like a rake in
+				// the grass.
+				if !cfg.KubernetesCanPatch {
+					log.Fatalf("authkey found in TS_KUBE_SECRET, but the pod doesn't have patch permissions on the secret to manage the authkey.")
+				}
+				log.Print("Using authkey found in kube secret")
+				cfg.AuthKey = key
+			} else {
+				log.Print("No authkey found in kube secret and TS_AUTHKEY not provided, login will be interactive if needed.")
 			}
 		}
 	}

-	log.Println("Startup complete, waiting for shutdown signal")
-	// Reap all processes, since we are PID1 and need to collect
-	// zombies.
-	for {
-		var status unix.WaitStatus
-		pid, err := unix.Wait4(-1, &status, 0, nil)
-		if errors.Is(err, unix.EINTR) {
-			continue
+	client, daemonPid, err := startTailscaled(ctx, cfg)
+	if err != nil {
+		log.Fatalf("failed to bring up tailscale: %v", err)
+	}
+
+	w, err := client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialPrefs|ipn.NotifyInitialState)
+	if err != nil {
+		log.Fatalf("failed to watch tailscaled for updates: %v", err)
+	}
+
+	// Because we're still shelling out to `tailscale up` to get access to its
+	// flag parser, we have to stop watching the IPN bus so that we can block on
+	// the subcommand without stalling anything. Then once it's done, we resume
+	// watching the bus.
+	//
+	// Depending on the requested mode of operation, this auth step happens at
+	// different points in containerboot's lifecycle, hence the helper function.
+	didLogin := false
+	authTailscale := func() error {
+		if didLogin {
+			return nil
 		}
+		didLogin = true
+		w.Close()
+		if err := tailscaleUp(ctx, cfg); err != nil {
+			return fmt.Errorf("failed to auth tailscale: %v", err)
+		}
+		w, err = client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
 		if err != nil {
-			log.Fatalf("Waiting for exited processes: %v", err)
+			return fmt.Errorf("rewatching tailscaled for updates after auth: %v", err)
 		}
-		if pid == daemonPid {
-			log.Printf("Tailscaled exited")
-			os.Exit(0)
+		return nil
+	}
+
+	if !cfg.AuthOnce {
+		if err := authTailscale(); err != nil {
+			log.Fatalf("failed to auth tailscale: %v", err)
+		}
+	}
+
+authLoop:
+	for {
+		n, err := w.Next()
+		if err != nil {
+			log.Fatalf("failed to read from tailscaled: %v", err)
+		}
+
+		if n.State != nil {
+			switch *n.State {
+			case ipn.NeedsLogin:
+				if err := authTailscale(); err != nil {
+					log.Fatalf("failed to auth tailscale: %v", err)
+				}
+			case ipn.NeedsMachineAuth:
+				log.Printf("machine authorization required, please visit the admin panel")
+			case ipn.Running:
+				// Technically, all we want is to keep monitoring the bus for
+				// netmap updates. However, in order to make the container crash
+				// if tailscale doesn't initially come up, the watch has a
+				// startup deadline on it. So, we have to break out of this
+				// watch loop, cancel the watch, and watch again with no
+				// deadline to continue monitoring for changes.
+				break authLoop
+			default:
+				log.Printf("tailscaled in state %q, waiting", *n.State)
+			}
+		}
+	}
+
+	w.Close()
+
+	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce {
+		// We were told to only auth once, so any secret-bound
+		// authkey is no longer needed. We don't strictly need to
+		// wipe it, but it's good hygiene.
+		log.Printf("Deleting authkey from kube secret")
+		if err := deleteAuthKey(ctx, cfg.KubeSecret); err != nil {
+			log.Fatalf("deleting authkey from kube secret: %v", err)
+		}
+	}
+
+	w, err = client.WatchIPNBus(context.Background(), ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
+	if err != nil {
+		log.Fatalf("rewatching tailscaled for updates after auth: %v", err)
+	}
+
+	var (
+		wantProxy         = cfg.ProxyTo != ""
+		wantDeviceInfo    = cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch
+		startupTasksDone  = false
+		currentIPs        deephash.Sum // tailscale IPs assigned to device
+		currentDeviceInfo deephash.Sum // device ID and fqdn
+	)
+	for {
+		n, err := w.Next()
+		if err != nil {
+			log.Fatalf("failed to read from tailscaled: %v", err)
+		}
+
+		if n.State != nil && *n.State != ipn.Running {
+			// Something's gone wrong and we've left the authenticated state.
+			// Our container image never recovered gracefully from this, and the
+			// control flow required to make it work now is hard. So, just crash
+			// the container and rely on the container runtime to restart us,
+			// whereupon we'll go through initial auth again.
+			log.Fatalf("tailscaled left running state (now in state %q), exiting", *n.State)
+		}
+		if n.NetMap != nil {
+			if cfg.ProxyTo != "" && len(n.NetMap.Addresses) > 0 && deephash.Update(&currentIPs, &n.NetMap.Addresses) {
+				if err := installIPTablesRule(ctx, cfg.ProxyTo, n.NetMap.Addresses); err != nil {
+					log.Fatalf("installing proxy rules: %v", err)
+				}
+			}
+			deviceInfo := []any{n.NetMap.SelfNode.StableID, n.NetMap.SelfNode.Name}
+			if cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != "" && deephash.Update(&currentDeviceInfo, &deviceInfo) {
+				if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID, n.NetMap.SelfNode.Name); err != nil {
+					log.Fatalf("storing device ID in kube secret: %v", err)
+				}
+			}
+		}
+		if !startupTasksDone {
+			if (!wantProxy || currentIPs != deephash.Sum{}) && (!wantDeviceInfo || currentDeviceInfo != deephash.Sum{}) {
+				// This log message is used in tests to detect when all
+				// post-auth configuration is done.
+				log.Println("Startup complete, waiting for shutdown signal")
+				startupTasksDone = true
+
+				// Reap all processes, since we are PID1 and need to collect zombies. We can
+				// only start doing this once we've stopped shelling out to things
+				// `tailscale up`, otherwise this goroutine can reap the CLI subprocesses
+				// and wedge bringup.
+				go func() {
+					for {
+						var status unix.WaitStatus
+						pid, err := unix.Wait4(-1, &status, 0, nil)
+						if errors.Is(err, unix.EINTR) {
+							continue
+						}
+						if err != nil {
+							log.Fatalf("Waiting for exited processes: %v", err)
+						}
+						if pid == daemonPid {
+							log.Printf("Tailscaled exited")
+							os.Exit(0)
+						}
+					}
+				}()
+			}
 		}
 	}
 }

-// startAndAuthTailscaled starts the tailscale daemon and attempts to
-// auth it, according to the settings in cfg. If successful, returns
-// tailscaled's Status and pid.
-func startAndAuthTailscaled(ctx context.Context, cfg *settings) (*ipnstate.Status, int, error) {
+func startTailscaled(ctx context.Context, cfg *settings) (*tailscale.LocalClient, int, error) {
 	args := tailscaledArgs(cfg)
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, unix.SIGTERM, unix.SIGINT)
@@ -198,8 +326,7 @@ func startAndAuthTailscaled(ctx context.Context, cfg *settings) (*ipnstate.Statu
 		cmd.Process.Signal(unix.SIGTERM)
 	}()

-	// Wait for the socket file to appear, otherwise 'tailscale up'
-	// can fail.
+	// Wait for the socket file to appear, otherwise API ops will racily fail.
 	log.Printf("Waiting for tailscaled socket")
 	for {
 		if ctx.Err() != nil {
@@ -215,57 +342,12 @@ func startAndAuthTailscaled(ctx context.Context, cfg *settings) (*ipnstate.Statu
 		break
 	}

-	didLogin := false
-	if !cfg.AuthOnce {
-		if err := tailscaleUp(ctx, cfg); err != nil {
-			return nil, 0, fmt.Errorf("couldn't log in: %v", err)
-		}
-		didLogin = true
-	}
-
-	tsClient := tailscale.LocalClient{
+	tsClient := &tailscale.LocalClient{
 		Socket:        cfg.Socket,
 		UseSocketOnly: true,
 	}

-	// Poll for daemon state until it goes to either Running or
-	// NeedsLogin. The latter only happens if cfg.AuthOnce is true,
-	// because in that case we only try to auth when it's necessary to
-	// reach the running state.
-	for {
-		if ctx.Err() != nil {
-			return nil, 0, ctx.Err()
-		}
-
-		loopCtx, cancel := context.WithTimeout(ctx, time.Second)
-		st, err := tsClient.Status(loopCtx)
-		cancel()
-		if err != nil {
-			return nil, 0, fmt.Errorf("Getting tailscaled state: %w", err)
-		}
-
-		switch st.BackendState {
-		case "Running":
-			if len(st.TailscaleIPs) > 0 {
-				return st, cmd.Process.Pid, nil
-			}
-			log.Printf("No Tailscale IPs assigned yet")
-		case "NeedsLogin":
-			if !didLogin {
-				// Alas, we cannot currently trigger an authkey login from
-				// LocalAPI, so we still have to shell out to the
-				// tailscale CLI for this bit.
-				if err := tailscaleUp(ctx, cfg); err != nil {
-					return nil, 0, fmt.Errorf("couldn't log in: %v", err)
-				}
-				didLogin = true
-			}
-		default:
-			log.Printf("tailscaled in state %q, waiting", st.BackendState)
-		}
-
-		time.Sleep(100 * time.Millisecond)
-	}
+	return tsClient, cmd.Process.Pid, nil
 }

 // tailscaledArgs uses cfg to construct the argv for tailscaled.
@@ -275,7 +357,7 @@ func tailscaledArgs(cfg *settings) []string {
 	case cfg.InKubernetes && cfg.KubeSecret != "":
 		args = append(args, "--state=kube:"+cfg.KubeSecret, "--statedir=/tmp")
 	case cfg.StateDir != "":
-		args = append(args, "--state="+cfg.StateDir)
+		args = append(args, "--statedir="+cfg.StateDir)
 	default:
 		args = append(args, "--state=mem:", "--statedir=/tmp")
 	}
@@ -402,7 +484,7 @@ func ensureIPForwarding(root, proxyTo, routes string) error {
 	return nil
 }

-func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Addr) error {
+func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
 	dst, err := netip.ParseAddr(dstStr)
 	if err != nil {
 		return err
@@ -412,16 +494,22 @@ func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Addr)
 		argv0 = "ip6tables"
 	}
 	var local string
-	for _, ip := range tsIPs {
-		if ip.Is4() != dst.Is4() {
+	for _, pfx := range tsIPs {
+		if !pfx.IsSingleIP() {
 			continue
 		}
-		local = ip.String()
+		if pfx.Addr().Is4() != dst.Is4() {
+			continue
+		}
+		local = pfx.Addr().String()
 		break
 	}
 	if local == "" {
 		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
 	}
+	// Technically, if the control server ever changes the IPs assigned to this
+	// node, we'll slowly accumulate iptables rules. This shouldn't happen, so
+	// for now we'll live with it.
 	cmd := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "PREROUTING", "1", "-d", local, "-j", "DNAT", "--to-destination", dstStr)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
@@ -433,27 +521,28 @@ func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Addr)

 // settings is all the configuration for containerboot.
 type settings struct {
-	AuthKey         string
-	Routes          string
-	ProxyTo         string
-	DaemonExtraArgs string
-	ExtraArgs       string
-	InKubernetes    bool
-	UserspaceMode   bool
-	StateDir        string
-	AcceptDNS       bool
-	KubeSecret      string
-	SOCKSProxyAddr  string
-	HTTPProxyAddr   string
-	Socket          string
-	AuthOnce        bool
-	Root            string
+	AuthKey            string
+	Routes             string
+	ProxyTo            string
+	DaemonExtraArgs    string
+	ExtraArgs          string
+	InKubernetes       bool
+	UserspaceMode      bool
+	StateDir           string
+	AcceptDNS          bool
+	KubeSecret         string
+	SOCKSProxyAddr     string
+	HTTPProxyAddr      string
+	Socket             string
+	AuthOnce           bool
+	Root               string
+	KubernetesCanPatch bool
 }

 // defaultEnv returns the value of the given envvar name, or defVal if
 // unset.
 func defaultEnv(name, defVal string) string {
-	if v := os.Getenv(name); v != "" {
+	if v, ok := os.LookupEnv(name); ok {
 		return v
 	}
 	return defVal
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -31,8 +31,11 @@ import (

 	"github.com/google/go-cmp/cmp"
 	"golang.org/x/sys/unix"
-	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tstest"
+	"tailscale.com/types/netmap"
+	"tailscale.com/types/ptr"
 )

 func TestContainerBoot(t *testing.T) {
@@ -90,38 +93,54 @@ func TestContainerBoot(t *testing.T) {
 	}

 	argFile := filepath.Join(d, "args")
-	tsIPs := []netip.Addr{netip.MustParseAddr("100.64.0.1")}
 	runningSockPath := filepath.Join(d, "tmp/tailscaled.sock")

-	// TODO: refactor this 1-2 stuff if we ever need a third
-	// step. Right now all of containerboot's modes either converge
-	// with no further interaction needed, or with one extra step
-	// only.
-	tests := []struct {
-		Name           string
-		Env            map[string]string
-		KubeSecret     map[string]string
-		WantArgs1      []string        // Wait for containerboot to run these commands...
-		Status1        ipnstate.Status // ... then report this status in LocalAPI.
-		WantArgs2      []string        // If non-nil, wait for containerboot to run these additional commands...
-		Status2        ipnstate.Status // ... then report this status in LocalAPI.
+	type phase struct {
+		// If non-nil, send this IPN bus notification (and remember it as the
+		// initial update for any future new watchers, then wait for all the
+		// Waits below to be true before proceeding to the next phase.
+		Notify *ipn.Notify
+
+		// WantCmds is the commands that containerboot should run in this phase.
+		WantCmds []string
+		// WantKubeSecret is the secret keys/values that should exist in the
+		// kube secret.
 		WantKubeSecret map[string]string
-		WantFiles      map[string]string
+		// WantFiles files that should exist in the container and their
+		// contents.
+		WantFiles map[string]string
+	}
+	runningNotify := &ipn.Notify{
+		State: ptr.To(ipn.Running),
+		NetMap: &netmap.NetworkMap{
+			SelfNode: &tailcfg.Node{
+				StableID: tailcfg.StableNodeID("myID"),
+				Name:     "test-node.test.ts.net",
+			},
+			Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
+		},
+	}
+	tests := []struct {
+		Name          string
+		Env           map[string]string
+		KubeSecret    map[string]string
+		KubeDenyPatch bool
+		Phases        []phase
 	}{
 		{
 			// Out of the box default: runs in userspace mode, ephemeral storage, interactive login.
 			Name: "no_args",
 			Env:  nil,
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
-			},
-			// The tailscale up call blocks until auth is complete, so
-			// by the time it returns the next converged state is
-			// Running.
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
+					},
+				},
+				{
+					Notify: runningNotify,
+				},
 			},
 		},
 		{
@@ -130,13 +149,16 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"TS_AUTH_KEY": "tskey-key",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+				},
 			},
 		},
 		{
@@ -145,13 +167,16 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTH_KEY":  "tskey-key",
 				"TS_STATE_DIR": filepath.Join(d, "tmp"),
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=/tmp --tun=userspace-networking",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+				},
 			},
 		},
 		{
@@ -160,17 +185,20 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTH_KEY": "tskey-key",
 				"TS_ROUTES":   "1.2.3.0/24,10.20.30.0/24",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
-			},
-			WantFiles: map[string]string{
-				"proc/sys/net/ipv4/ip_forward":          "0",
-				"proc/sys/net/ipv6/conf/all/forwarding": "0",
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantFiles: map[string]string{
+						"proc/sys/net/ipv4/ip_forward":          "0",
+						"proc/sys/net/ipv6/conf/all/forwarding": "0",
+					},
+				},
 			},
 		},
 		{
@@ -180,17 +208,20 @@ func TestContainerBoot(t *testing.T) {
 				"TS_ROUTES":    "1.2.3.0/24,10.20.30.0/24",
 				"TS_USERSPACE": "false",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
-			},
-			WantFiles: map[string]string{
-				"proc/sys/net/ipv4/ip_forward":          "1",
-				"proc/sys/net/ipv6/conf/all/forwarding": "0",
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantFiles: map[string]string{
+						"proc/sys/net/ipv4/ip_forward":          "1",
+						"proc/sys/net/ipv6/conf/all/forwarding": "0",
+					},
+				},
 			},
 		},
 		{
@@ -200,17 +231,20 @@ func TestContainerBoot(t *testing.T) {
 				"TS_ROUTES":    "::/64,1::/64",
 				"TS_USERSPACE": "false",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1::/64",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
-			},
-			WantFiles: map[string]string{
-				"proc/sys/net/ipv4/ip_forward":          "0",
-				"proc/sys/net/ipv6/conf/all/forwarding": "1",
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1::/64",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantFiles: map[string]string{
+						"proc/sys/net/ipv4/ip_forward":          "0",
+						"proc/sys/net/ipv6/conf/all/forwarding": "1",
+					},
+				},
 			},
 		},
 		{
@@ -220,17 +254,20 @@ func TestContainerBoot(t *testing.T) {
 				"TS_ROUTES":    "::/64,1.2.3.0/24",
 				"TS_USERSPACE": "false",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1.2.3.0/24",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
-			},
-			WantFiles: map[string]string{
-				"proc/sys/net/ipv4/ip_forward":          "1",
-				"proc/sys/net/ipv6/conf/all/forwarding": "1",
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1.2.3.0/24",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantFiles: map[string]string{
+						"proc/sys/net/ipv4/ip_forward":          "1",
+						"proc/sys/net/ipv6/conf/all/forwarding": "1",
+					},
+				},
 			},
 		},
 		{
@@ -240,20 +277,19 @@ func TestContainerBoot(t *testing.T) {
 				"TS_DEST_IP":   "1.2.3.4",
 				"TS_USERSPACE": "false",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
-			},
-			WantArgs2: []string{
-				"/usr/bin/iptables -t nat -I PREROUTING 1 -d 100.64.0.1 -j DNAT --to-destination 1.2.3.4",
-			},
-			Status2: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/iptables -t nat -I PREROUTING 1 -d 100.64.0.1 -j DNAT --to-destination 1.2.3.4",
+					},
+				},
 			},
 		},
 		{
@@ -262,18 +298,23 @@ func TestContainerBoot(t *testing.T) {
 				"TS_AUTH_KEY":  "tskey-key",
 				"TS_AUTH_ONCE": "true",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "NeedsLogin",
-			},
-			WantArgs2: []string{
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-			},
-			Status2: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+					},
+				},
+				{
+					Notify: &ipn.Notify{
+						State: ptr.To(ipn.NeedsLogin),
+					},
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+				},
 			},
 		},
 		{
@@ -285,20 +326,72 @@ func TestContainerBoot(t *testing.T) {
 			KubeSecret: map[string]string{
 				"authkey": "tskey-key",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
-				Self: &ipnstate.PeerStatus{
-					ID: tailcfg.StableNodeID("myID"),
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+					WantKubeSecret: map[string]string{
+						"authkey": "tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantKubeSecret: map[string]string{
+						"authkey":     "tskey-key",
+						"device_fqdn": "test-node.test.ts.net",
+						"device_id":   "myID",
+					},
 				},
 			},
-			WantKubeSecret: map[string]string{
-				"authkey":   "tskey-key",
-				"device_id": "myID",
+		},
+		{
+			Name: "kube_disk_storage",
+			Env: map[string]string{
+				"KUBERNETES_SERVICE_HOST":       kube.Host,
+				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
+				// Explicitly set to an empty value, to override the default of "tailscale".
+				"TS_KUBE_SECRET": "",
+				"TS_STATE_DIR":   filepath.Join(d, "tmp"),
+				"TS_AUTH_KEY":    "tskey-key",
+			},
+			KubeSecret: map[string]string{},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+					WantKubeSecret: map[string]string{},
+				},
+				{
+					Notify:         runningNotify,
+					WantKubeSecret: map[string]string{},
+				},
+			},
+		},
+		{
+			Name: "kube_storage_no_patch",
+			Env: map[string]string{
+				"KUBERNETES_SERVICE_HOST":       kube.Host,
+				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
+				"TS_AUTH_KEY":                   "tskey-key",
+			},
+			KubeSecret:    map[string]string{},
+			KubeDenyPatch: true,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+					WantKubeSecret: map[string]string{},
+				},
+				{
+					Notify:         runningNotify,
+					WantKubeSecret: map[string]string{},
+				},
 			},
 		},
 		{
@@ -312,24 +405,79 @@ func TestContainerBoot(t *testing.T) {
 			KubeSecret: map[string]string{
 				"authkey": "tskey-key",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "NeedsLogin",
-			},
-			WantArgs2: []string{
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-			},
-			Status2: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
-				Self: &ipnstate.PeerStatus{
-					ID: tailcfg.StableNodeID("myID"),
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
+					},
+					WantKubeSecret: map[string]string{
+						"authkey": "tskey-key",
+					},
+				},
+				{
+					Notify: &ipn.Notify{
+						State: ptr.To(ipn.NeedsLogin),
+					},
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+					WantKubeSecret: map[string]string{
+						"authkey": "tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantKubeSecret: map[string]string{
+						"device_fqdn": "test-node.test.ts.net",
+						"device_id":   "myID",
+					},
 				},
 			},
-			WantKubeSecret: map[string]string{
-				"device_id": "myID",
+		},
+		{
+			Name: "kube_storage_updates",
+			Env: map[string]string{
+				"KUBERNETES_SERVICE_HOST":       kube.Host,
+				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
+			},
+			KubeSecret: map[string]string{
+				"authkey": "tskey-key",
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+					WantKubeSecret: map[string]string{
+						"authkey": "tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantKubeSecret: map[string]string{
+						"authkey":     "tskey-key",
+						"device_fqdn": "test-node.test.ts.net",
+						"device_id":   "myID",
+					},
+				},
+				{
+					Notify: &ipn.Notify{
+						State: ptr.To(ipn.Running),
+						NetMap: &netmap.NetworkMap{
+							SelfNode: &tailcfg.Node{
+								StableID: tailcfg.StableNodeID("newID"),
+								Name:     "new-name.test.ts.net",
+							},
+							Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
+						},
+					},
+					WantKubeSecret: map[string]string{
+						"authkey":     "tskey-key",
+						"device_fqdn": "new-name.test.ts.net",
+						"device_id":   "newID",
+					},
+				},
 			},
 		},
 		{
@@ -338,16 +486,16 @@ func TestContainerBoot(t *testing.T) {
 				"TS_SOCKS5_SERVER":              "localhost:1080",
 				"TS_OUTBOUND_HTTP_PROXY_LISTEN": "localhost:8080",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --socks5-server=localhost:1080 --outbound-http-proxy-listen=localhost:8080",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
-			},
-			// The tailscale up call blocks until auth is complete, so
-			// by the time it returns the next converged state is
-			// Running.
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --socks5-server=localhost:1080 --outbound-http-proxy-listen=localhost:8080",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
+					},
+				},
+				{
+					Notify: runningNotify,
+				},
 			},
 		},
 		{
@@ -355,13 +503,16 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"TS_ACCEPT_DNS": "true",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=true",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=true",
+					},
+				},
+				{
+					Notify: runningNotify,
+				},
 			},
 		},
 		{
@@ -370,13 +521,15 @@ func TestContainerBoot(t *testing.T) {
 				"TS_EXTRA_ARGS":            "--widget=rotated",
 				"TS_TAILSCALED_EXTRA_ARGS": "--experiments=widgets",
 			},
-			WantArgs1: []string{
-				"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --experiments=widgets",
-				"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --widget=rotated",
-			},
-			Status1: ipnstate.Status{
-				BackendState: "Running",
-				TailscaleIPs: tsIPs,
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --experiments=widgets",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --widget=rotated",
+					},
+				}, {
+					Notify: runningNotify,
+				},
 			},
 		},
 	}
@@ -392,6 +545,7 @@ func TestContainerBoot(t *testing.T) {
 			for k, v := range test.KubeSecret {
 				kube.SetSecret(k, v)
 			}
+			kube.SetPatching(!test.KubeDenyPatch)

 			cmd := exec.Command(boot)
 			cmd.Env = []string{
@@ -419,35 +573,45 @@ func TestContainerBoot(t *testing.T) {
 				cmd.Process.Wait()
 			}()

-			waitArgs(t, 2*time.Second, d, argFile, strings.Join(test.WantArgs1, "\n"))
-			lapi.SetStatus(test.Status1)
-			if test.WantArgs2 != nil {
-				waitArgs(t, 2*time.Second, d, argFile, strings.Join(append(test.WantArgs1, test.WantArgs2...), "\n"))
-				lapi.SetStatus(test.Status2)
+			var wantCmds []string
+			for _, p := range test.Phases {
+				lapi.Notify(p.Notify)
+				wantCmds = append(wantCmds, p.WantCmds...)
+				waitArgs(t, 2*time.Second, d, argFile, strings.Join(wantCmds, "\n"))
+				err := tstest.WaitFor(2*time.Second, func() error {
+					if p.WantKubeSecret != nil {
+						got := kube.Secret()
+						if diff := cmp.Diff(got, p.WantKubeSecret); diff != "" {
+							return fmt.Errorf("unexpected kube secret data (-got+want):\n%s", diff)
+						}
+					} else {
+						got := kube.Secret()
+						if len(got) > 0 {
+							return fmt.Errorf("kube secret unexpectedly not empty, got %#v", got)
+						}
+					}
+					return nil
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
+				err = tstest.WaitFor(2*time.Second, func() error {
+					for path, want := range p.WantFiles {
+						gotBs, err := os.ReadFile(filepath.Join(d, path))
+						if err != nil {
+							return fmt.Errorf("reading wanted file %q: %v", path, err)
+						}
+						if got := strings.TrimSpace(string(gotBs)); got != want {
+							return fmt.Errorf("wrong file contents for %q, got %q want %q", path, got, want)
+						}
+					}
+					return nil
+				})
+				if err != nil {
+					t.Fatal(err)
+				}
 			}
 			waitLogLine(t, 2*time.Second, cbOut, "Startup complete, waiting for shutdown signal")
-
-			if test.WantKubeSecret != nil {
-				got := kube.Secret()
-				if diff := cmp.Diff(got, test.WantKubeSecret); diff != "" {
-					t.Fatalf("unexpected kube secret data (-got+want):\n%s", diff)
-				}
-			} else {
-				got := kube.Secret()
-				if len(got) != 0 {
-					t.Fatalf("kube secret unexpectedly not empty, got %#v", got)
-				}
-			}
-
-			for path, want := range test.WantFiles {
-				gotBs, err := os.ReadFile(filepath.Join(d, path))
-				if err != nil {
-					t.Fatalf("reading wanted file %q: %v", path, err)
-				}
-				if got := strings.TrimSpace(string(gotBs)); got != want {
-					t.Errorf("wrong file contents for %q, got %q want %q", path, got, want)
-				}
-			}
 		})
 	}
 }
@@ -547,7 +711,8 @@ type localAPI struct {
 	srv *http.Server

 	sync.Mutex
-	status ipnstate.Status
+	cond   *sync.Cond
+	notify *ipn.Notify
 }

 func (l *localAPI) Start() error {
@@ -565,6 +730,7 @@ func (l *localAPI) Start() error {
 		Handler: l,
 	}
 	l.Path = path
+	l.cond = sync.NewCond(&l.Mutex)
 	go l.srv.Serve(ln)
 	return nil
 }
@@ -574,29 +740,49 @@ func (l *localAPI) Close() {
 }

 func (l *localAPI) Reset() {
-	l.SetStatus(ipnstate.Status{
-		BackendState: "NoState",
-	})
-}
-
-func (l *localAPI) SetStatus(st ipnstate.Status) {
 	l.Lock()
 	defer l.Unlock()
-	l.status = st
+	l.notify = nil
+	l.cond.Broadcast()
+}
+
+func (l *localAPI) Notify(n *ipn.Notify) {
+	if n == nil {
+		return
+	}
+	l.Lock()
+	defer l.Unlock()
+	l.notify = n
+	l.cond.Broadcast()
 }

 func (l *localAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if r.Method != "GET" {
 		panic(fmt.Sprintf("unsupported method %q", r.Method))
 	}
-	if r.URL.Path != "/localapi/v0/status" {
-		panic(fmt.Sprintf("unsupported localAPI path %q", r.URL.Path))
+	if r.URL.Path != "/localapi/v0/watch-ipn-bus" {
+		panic(fmt.Sprintf("unsupported path %q", r.URL.Path))
 	}
+
 	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if f, ok := w.(http.Flusher); ok {
+		f.Flush()
+	}
+	enc := json.NewEncoder(w)
 	l.Lock()
 	defer l.Unlock()
-	if err := json.NewEncoder(w).Encode(l.status); err != nil {
-		panic("json encode failed")
+	for {
+		if l.notify != nil {
+			if err := enc.Encode(l.notify); err != nil {
+				// Usually broken pipe as the test client disconnects.
+				return
+			}
+			if f, ok := w.(http.Flusher); ok {
+				f.Flush()
+			}
+		}
+		l.cond.Wait()
 	}
 }

@@ -612,7 +798,8 @@ type kubeServer struct {
 	srv *httptest.Server

 	sync.Mutex
-	secret map[string]string
+	secret   map[string]string
+	canPatch bool
 }

 func (k *kubeServer) Secret() map[string]string {
@@ -631,6 +818,12 @@ func (k *kubeServer) SetSecret(key, val string) {
 	k.secret[key] = val
 }

+func (k *kubeServer) SetPatching(canPatch bool) {
+	k.Lock()
+	defer k.Unlock()
+	k.canPatch = canPatch
+}
+
 func (k *kubeServer) Reset() {
 	k.Lock()
 	defer k.Unlock()
@@ -674,10 +867,39 @@ func (k *kubeServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if r.Header.Get("Authorization") != "Bearer bearer_token" {
 		panic("client didn't provide bearer token in request")
 	}
-	if r.URL.Path != "/api/v1/namespaces/default/secrets/tailscale" {
+	switch r.URL.Path {
+	case "/api/v1/namespaces/default/secrets/tailscale":
+		k.serveSecret(w, r)
+	case "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews":
+		k.serveSSAR(w, r)
+	default:
 		panic(fmt.Sprintf("unhandled fake kube api path %q", r.URL.Path))
 	}
+}

+func (k *kubeServer) serveSSAR(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		Spec struct {
+			ResourceAttributes struct {
+				Verb string `json:"verb"`
+			} `json:"resourceAttributes"`
+		} `json:"spec"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		panic(fmt.Sprintf("decoding SSAR request: %v", err))
+	}
+	ok := true
+	if req.Spec.ResourceAttributes.Verb == "patch" {
+		k.Lock()
+		defer k.Unlock()
+		ok = k.canPatch
+	}
+	// Just say yes to all SARs, we don't enforce RBAC.
+	w.Header().Set("Content-Type", "application/json")
+	fmt.Fprintf(w, `{"status":{"allowed":%v}}`, ok)
+}
+
+func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 	bs, err := io.ReadAll(r.Body)
 	if err != nil {
 		http.Error(w, fmt.Sprintf("reading request body: %v", err), http.StatusInternalServerError)
@@ -688,7 +910,7 @@ func (k *kubeServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case "GET":
 		w.Header().Set("Content-Type", "application/json")
 		ret := map[string]map[string]string{
-			"data": map[string]string{},
+			"data": {},
 		}
 		k.Lock()
 		defer k.Unlock()
@@ -703,6 +925,11 @@ func (k *kubeServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			panic("encode failed")
 		}
 	case "PATCH":
+		k.Lock()
+		defer k.Unlock()
+		if !k.canPatch {
+			panic("containerboot tried to patch despite not being allowed")
+		}
 		switch r.Header.Get("Content-Type") {
 		case "application/json-patch+json":
 			req := []struct {
@@ -712,8 +939,6 @@ func (k *kubeServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			if err := json.Unmarshal(bs, &req); err != nil {
 				panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
 			}
-			k.Lock()
-			defer k.Unlock()
 			for _, op := range req {
 				if op.Op != "remove" {
 					panic(fmt.Sprintf("unsupported json-patch op %q", op.Op))
@@ -730,8 +955,6 @@ func (k *kubeServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			if err := json.Unmarshal(bs, &req); err != nil {
 				panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
 			}
-			k.Lock()
-			defer k.Unlock()
 			for key, val := range req.Data {
 				k.secret[key] = val
 			}
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -11,7 +11,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+  LW    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
@@ -78,7 +78,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
        tailscale.com/util/mak                                       from tailscale.com/syncs
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
@@ -102,7 +101,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr
+        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -31,6 +31,7 @@ var (
 	cacheFname   = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash")
 	timeout      = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
 	githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
+	apiServer    = rootFlagSet.String("api-server", "api.tailscale.com", "API server to contact")
 )

 func modifiedExternallyError() {
@@ -234,7 +235,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 	}
 	defer fin.Close()

-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl", tailnet), fin)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), fin)
 	if err != nil {
 		return err
 	}
@@ -274,7 +275,7 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error
 		return err
 	}

-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl/validate", *apiServer, tailnet), bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}
@@ -346,7 +347,7 @@ type ACLTestErrorDetail struct {
 }

 func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl", tailnet), nil)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
 	if err != nil {
 		return "", err
 	}
--- a/cmd/k8s-operator/manifests/operator.yaml
+++ b/cmd/k8s-operator/manifests/operator.yaml
@@ -0,0 +1,155 @@
+# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: proxies
+  namespace: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: proxies
+  namespace: tailscale
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: proxies
+  namespace: tailscale
+subjects:
+- kind: ServiceAccount
+  name: proxies
+  namespace: tailscale
+roleRef:
+  kind: Role
+  name: proxies
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: operator
+  namespace: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+rules:
+- apiGroups: [""]
+  resources: ["services", "services/status"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: tailscale
+roleRef:
+  kind: ClusterRole
+  name: tailscale-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operator
+  namespace: tailscale
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["statefulsets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operator
+  namespace: tailscale
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: tailscale
+roleRef:
+  kind: Role
+  name: operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: operator-oauth
+  namespace: tailscale
+stringData:
+  client_id: # SET CLIENT ID HERE
+  client_secret: # SET CLIENT SECRET HERE
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: operator
+  namespace: tailscale
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: operator
+  template:
+    metadata:
+      labels:
+        app: operator
+    spec:
+      serviceAccountName: operator
+      volumes:
+      - name: oauth
+        secret:
+          secretName: operator-oauth
+      containers:
+        - name: operator
+          image: tailscale/k8s-operator:latest
+          resources:
+            requests:
+              cpu: 500m
+              memory: 100Mi
+          env:
+            - name: OPERATOR_HOSTNAME
+              value: tailscale-operator
+            - name: OPERATOR_SECRET
+              value: operator
+            - name: OPERATOR_LOGGING
+              value: info
+            - name: OPERATOR_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: CLIENT_ID_FILE
+              value: /oauth/client_id
+            - name: CLIENT_SECRET_FILE
+              value: /oauth/client_secret
+            - name: PROXY_IMAGE
+              value: tailscale/tailscale:latest
+            - name: PROXY_TAGS
+              value: tag:k8s
+          volumeMounts:
+          - name: oauth
+            mountPath: /oauth
+            readOnly: true
--- a/cmd/k8s-operator/manifests/proxy.yaml
+++ b/cmd/k8s-operator/manifests/proxy.yaml
@@ -0,0 +1,37 @@
+# This file is not a complete manifest, it's a skeleton that the operator embeds
+# at build time and then uses to construct Tailscale proxy pods.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+spec:
+  replicas: 1
+  template:
+    metadata:
+      deletionGracePeriodSeconds: 10
+    spec:
+      serviceAccountName: proxies
+      initContainers:
+        - name: sysctler
+          image: busybox
+          securityContext:
+            privileged: true
+          command: ["/bin/sh"]
+          args:
+            - -c
+            - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
+      resources:
+        requests:
+          cpu: 1m
+          memory: 1Mi
+      containers:
+        - name: tailscale
+          imagePullPolicy: Always
+          env:
+            - name: TS_USERSPACE
+              value: "false"
+            - name: TS_AUTH_ONCE
+              value: "true"
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -0,0 +1,685 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// tailscale-operator provides a way to expose services running in a Kubernetes
+// cluster to your Tailnet.
+package main
+
+import (
+	"context"
+	_ "embed"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/go-logr/zapr"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+	"golang.org/x/exp/slices"
+	"golang.org/x/oauth2/clientcredentials"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	kzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+	"sigs.k8s.io/yaml"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/store/kubestore"
+	"tailscale.com/tsnet"
+	"tailscale.com/types/logger"
+)
+
+func main() {
+	// Required to use our client API. We're fine with the instability since the
+	// client lives in the same repo as this code.
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
+
+	var (
+		hostname         = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
+		kubeSecret       = defaultEnv("OPERATOR_SECRET", "")
+		operatorTags     = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
+		tsNamespace      = defaultEnv("OPERATOR_NAMESPACE", "")
+		tslogging        = defaultEnv("OPERATOR_LOGGING", "info")
+		clientIDPath     = defaultEnv("CLIENT_ID_FILE", "")
+		clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")
+		image            = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
+		tags             = defaultEnv("PROXY_TAGS", "tag:k8s")
+	)
+
+	var opts []kzap.Opts
+	switch tslogging {
+	case "info":
+		opts = append(opts, kzap.Level(zapcore.InfoLevel))
+	case "debug":
+		opts = append(opts, kzap.Level(zapcore.DebugLevel))
+	case "dev":
+		opts = append(opts, kzap.UseDevMode(true), kzap.Level(zapcore.DebugLevel))
+	}
+	zlog := kzap.NewRaw(opts...).Sugar()
+	logf.SetLogger(zapr.NewLogger(zlog.Desugar()))
+	startlog := zlog.Named("startup")
+
+	if clientIDPath == "" || clientSecretPath == "" {
+		startlog.Fatalf("CLIENT_ID_FILE and CLIENT_SECRET_FILE must be set")
+	}
+	clientID, err := os.ReadFile(clientIDPath)
+	if err != nil {
+		startlog.Fatalf("reading client ID %q: %v", clientIDPath, err)
+	}
+	clientSecret, err := os.ReadFile(clientSecretPath)
+	if err != nil {
+		startlog.Fatalf("reading client secret %q: %v", clientSecretPath, err)
+	}
+	credentials := clientcredentials.Config{
+		ClientID:     string(clientID),
+		ClientSecret: string(clientSecret),
+		TokenURL:     "https://login.tailscale.com/api/v2/oauth/token",
+	}
+	tsClient := tailscale.NewClient("-", nil)
+	tsClient.HTTPClient = credentials.Client(context.Background())
+	s := &tsnet.Server{
+		Hostname: hostname,
+		Logf:     zlog.Named("tailscaled").Debugf,
+	}
+	if kubeSecret != "" {
+		st, err := kubestore.New(logger.Discard, kubeSecret)
+		if err != nil {
+			startlog.Fatalf("creating kube store: %v", err)
+		}
+		s.Store = st
+	}
+	if err := s.Start(); err != nil {
+		startlog.Fatalf("starting tailscale server: %v", err)
+	}
+	defer s.Close()
+	lc, err := s.LocalClient()
+	if err != nil {
+		startlog.Fatalf("getting local client: %v", err)
+	}
+
+	ctx := context.Background()
+	loginDone := false
+	machineAuthShown := false
+waitOnline:
+	for {
+		startlog.Debugf("querying tailscaled status")
+		st, err := lc.StatusWithoutPeers(ctx)
+		if err != nil {
+			startlog.Fatalf("getting status: %v", err)
+		}
+		switch st.BackendState {
+		case "Running":
+			break waitOnline
+		case "NeedsLogin":
+			if loginDone {
+				break
+			}
+			caps := tailscale.KeyCapabilities{
+				Devices: tailscale.KeyDeviceCapabilities{
+					Create: tailscale.KeyDeviceCreateCapabilities{
+						Reusable:      false,
+						Preauthorized: true,
+						Tags:          strings.Split(operatorTags, ","),
+					},
+				},
+			}
+			authkey, _, err := tsClient.CreateKey(ctx, caps)
+			if err != nil {
+				startlog.Fatalf("creating operator authkey: %v", err)
+			}
+			if err := lc.Start(ctx, ipn.Options{
+				AuthKey: authkey,
+			}); err != nil {
+				startlog.Fatalf("starting tailscale: %v", err)
+			}
+			if err := lc.StartLoginInteractive(ctx); err != nil {
+				startlog.Fatalf("starting login: %v", err)
+			}
+			startlog.Debugf("requested login by authkey")
+			loginDone = true
+		case "NeedsMachineAuth":
+			if !machineAuthShown {
+				startlog.Infof("Machine authorization required, please visit the admin panel to authorize")
+				machineAuthShown = true
+			}
+		default:
+			startlog.Debugf("waiting for tailscale to start: %v", st.BackendState)
+		}
+		time.Sleep(time.Second)
+	}
+
+	sr := &ServiceReconciler{
+		tsClient:          tsClient,
+		defaultTags:       strings.Split(tags, ","),
+		operatorNamespace: tsNamespace,
+		proxyImage:        image,
+		logger:            zlog.Named("service-reconciler"),
+	}
+
+	// For secrets and statefulsets, we only get permission to touch the objects
+	// in the controller's own namespace. This cannot be expressed by
+	// .Watches(...) below, instead you have to add a per-type field selector to
+	// the cache that sits a few layers below the builder stuff, which will
+	// implicitly filter what parts of the world the builder code gets to see at
+	// all.
+	nsFilter := cache.ObjectSelector{
+		Field: fields.SelectorFromSet(fields.Set{"metadata.namespace": tsNamespace}),
+	}
+	mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{
+		NewCache: cache.BuilderWithOptions(cache.Options{
+			SelectorsByObject: map[client.Object]cache.ObjectSelector{
+				&corev1.Secret{}:      nsFilter,
+				&appsv1.StatefulSet{}: nsFilter,
+			},
+		}),
+	})
+	if err != nil {
+		startlog.Fatalf("could not create manager: %v", err)
+	}
+
+	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
+		ls := o.GetLabels()
+		if ls[LabelManaged] != "true" {
+			return nil
+		}
+		if ls[LabelParentType] != "svc" {
+			return nil
+		}
+		return []reconcile.Request{
+			{
+				NamespacedName: types.NamespacedName{
+					Namespace: ls[LabelParentNamespace],
+					Name:      ls[LabelParentName],
+				},
+			},
+		}
+	})
+	err = builder.
+		ControllerManagedBy(mgr).
+		For(&corev1.Service{}).
+		Watches(&source.Kind{Type: &appsv1.StatefulSet{}}, reconcileFilter).
+		Watches(&source.Kind{Type: &corev1.Secret{}}, reconcileFilter).
+		Complete(sr)
+	if err != nil {
+		startlog.Fatalf("could not create controller: %v", err)
+	}
+
+	startlog.Infof("Startup complete, operator running")
+	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
+		startlog.Fatalf("could not start manager: %v", err)
+	}
+}
+
+const (
+	LabelManaged         = "tailscale.com/managed"
+	LabelParentType      = "tailscale.com/parent-resource-type"
+	LabelParentName      = "tailscale.com/parent-resource"
+	LabelParentNamespace = "tailscale.com/parent-resource-ns"
+
+	FinalizerName = "tailscale.com/finalizer"
+
+	AnnotationExpose = "tailscale.com/expose"
+	AnnotationTags   = "tailscale.com/tags"
+)
+
+// ServiceReconciler is a simple ControllerManagedBy example implementation.
+type ServiceReconciler struct {
+	client.Client
+	tsClient          tsClient
+	defaultTags       []string
+	operatorNamespace string
+	proxyImage        string
+	logger            *zap.SugaredLogger
+}
+
+type tsClient interface {
+	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
+	DeleteDevice(ctx context.Context, id string) error
+}
+
+func childResourceLabels(parent *corev1.Service) map[string]string {
+	// You might wonder why we're using owner references, since they seem to be
+	// built for exactly this. Unfortunately, Kubernetes does not support
+	// cross-namespace ownership, by design. This means we cannot make the
+	// service being exposed the owner of the implementation details of the
+	// proxying. Instead, we have to do our own filtering and tracking with
+	// labels.
+	return map[string]string{
+		LabelManaged:         "true",
+		LabelParentName:      parent.GetName(),
+		LabelParentNamespace: parent.GetNamespace(),
+		LabelParentType:      "svc",
+	}
+}
+
+func (a *ServiceReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
+	logger := a.logger.With("service-ns", req.Namespace, "service-name", req.Name)
+	logger.Debugf("starting reconcile")
+	defer logger.Debugf("reconcile finished")
+
+	svc := new(corev1.Service)
+	err = a.Get(ctx, req.NamespacedName, svc)
+	if apierrors.IsNotFound(err) {
+		// Request object not found, could have been deleted after reconcile request.
+		logger.Debugf("service not found, assuming it was deleted")
+		return reconcile.Result{}, nil
+	} else if err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to get svc: %w", err)
+	}
+	if !svc.DeletionTimestamp.IsZero() || !a.shouldExpose(svc) {
+		logger.Debugf("service is being deleted or should not be exposed, cleaning up")
+		return reconcile.Result{}, a.maybeCleanup(ctx, logger, svc)
+	}
+
+	return reconcile.Result{}, a.maybeProvision(ctx, logger, svc)
+}
+
+// maybeCleanup removes any existing resources related to serving svc over tailscale.
+//
+// This function is responsible for removing the finalizer from the service,
+// once all associated resources are gone.
+func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
+	ix := slices.Index(svc.Finalizers, FinalizerName)
+	if ix < 0 {
+		logger.Debugf("no finalizer, nothing to do")
+		return nil
+	}
+
+	ml := childResourceLabels(svc)
+
+	// Need to delete the StatefulSet first, and delete it with foreground
+	// cascading deletion. That way, the pod that's writing to the Secret will
+	// stop running before we start looking at the Secret's contents, and
+	// assuming k8s ordering semantics don't mess with us, that should avoid
+	// tailscale device deletion races where we fail to notice a device that
+	// should be removed.
+	sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, ml)
+	if err != nil {
+		return fmt.Errorf("getting statefulset: %w", err)
+	}
+	if sts != nil {
+		if !sts.GetDeletionTimestamp().IsZero() {
+			// Deletion in progress, check again later. We'll get another
+			// notification when the deletion is complete.
+			logger.Debugf("waiting for statefulset %s/%s deletion", sts.GetNamespace(), sts.GetName())
+			return nil
+		}
+		err := a.DeleteAllOf(ctx, &appsv1.StatefulSet{}, client.InNamespace(a.operatorNamespace), client.MatchingLabels(ml), client.PropagationPolicy(metav1.DeletePropagationForeground))
+		if err != nil {
+			return fmt.Errorf("deleting statefulset: %w", err)
+		}
+		logger.Debugf("started deletion of statefulset %s/%s", sts.GetNamespace(), sts.GetName())
+		return nil
+	}
+
+	id, _, err := a.getDeviceInfo(ctx, svc)
+	if err != nil {
+		return fmt.Errorf("getting device info: %w", err)
+	}
+	if id != "" {
+		// TODO: handle case where the device is already deleted, but the secret
+		// is still around.
+		if err := a.tsClient.DeleteDevice(ctx, id); err != nil {
+			return fmt.Errorf("deleting device: %w", err)
+		}
+	}
+
+	types := []client.Object{
+		&corev1.Service{},
+		&corev1.Secret{},
+	}
+	for _, typ := range types {
+		if err := a.DeleteAllOf(ctx, typ, client.InNamespace(a.operatorNamespace), client.MatchingLabels(ml)); err != nil {
+			return err
+		}
+	}
+
+	svc.Finalizers = append(svc.Finalizers[:ix], svc.Finalizers[ix+1:]...)
+	if err := a.Update(ctx, svc); err != nil {
+		return fmt.Errorf("failed to remove finalizer: %w", err)
+	}
+
+	// Unlike most log entries in the reconcile loop, this will get printed
+	// exactly once at the very end of cleanup, because the final step of
+	// cleanup removes the tailscale finalizer, which will make all future
+	// reconciles exit early.
+	logger.Infof("unexposed service from tailnet")
+	return nil
+}
+
+// maybeProvision ensures that svc is exposed over tailscale, taking any actions
+// necessary to reach that state.
+//
+// This function adds a finalizer to svc, ensuring that we can handle orderly
+// deprovisioning later.
+func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
+	if !slices.Contains(svc.Finalizers, FinalizerName) {
+		// This log line is printed exactly once during initial provisioning,
+		// because once the finalizer is in place this block gets skipped. So,
+		// this is a nice place to tell the operator that the high level,
+		// multi-reconcile operation is underway.
+		logger.Infof("exposing service over tailscale")
+		svc.Finalizers = append(svc.Finalizers, FinalizerName)
+		if err := a.Update(ctx, svc); err != nil {
+			return fmt.Errorf("failed to add finalizer: %w", err)
+		}
+	}
+
+	// Do full reconcile.
+	hsvc, err := a.reconcileHeadlessService(ctx, logger, svc)
+	if err != nil {
+		return fmt.Errorf("failed to reconcile headless service: %w", err)
+	}
+
+	tags := a.defaultTags
+	if tstr, ok := svc.Annotations[AnnotationTags]; ok {
+		tags = strings.Split(tstr, ",")
+	}
+	secretName, err := a.createOrGetSecret(ctx, logger, svc, hsvc, tags)
+	if err != nil {
+		return fmt.Errorf("failed to create or get API key secret: %w", err)
+	}
+	_, err = a.reconcileSTS(ctx, logger, svc, hsvc, secretName)
+	if err != nil {
+		return fmt.Errorf("failed to reconcile statefulset: %w", err)
+	}
+
+	if !a.hasLoadBalancerClass(svc) {
+		logger.Debugf("service is not a LoadBalancer, so not updating ingress")
+		return nil
+	}
+
+	_, tsHost, err := a.getDeviceInfo(ctx, svc)
+	if err != nil {
+		return fmt.Errorf("failed to get device ID: %w", err)
+	}
+	if tsHost == "" {
+		logger.Debugf("no Tailscale hostname known yet, waiting for proxy pod to finish auth")
+		// No hostname yet. Wait for the proxy pod to auth.
+		svc.Status.LoadBalancer.Ingress = nil
+		if err := a.Status().Update(ctx, svc); err != nil {
+			return fmt.Errorf("failed to update service status: %w", err)
+		}
+		return nil
+	}
+
+	logger.Debugf("setting ingress hostname to %q", tsHost)
+	svc.Status.LoadBalancer.Ingress = []corev1.LoadBalancerIngress{
+		{
+			Hostname: tsHost,
+		},
+	}
+	if err := a.Status().Update(ctx, svc); err != nil {
+		return fmt.Errorf("failed to update service status: %w", err)
+	}
+	return nil
+}
+
+func (a *ServiceReconciler) shouldExpose(svc *corev1.Service) bool {
+	// Headless services can't be exposed, since there is no ClusterIP to
+	// forward to.
+	if svc.Spec.ClusterIP == "" || svc.Spec.ClusterIP == "None" {
+		return false
+	}
+
+	return a.hasLoadBalancerClass(svc) || a.hasAnnotation(svc)
+}
+
+func (a *ServiceReconciler) hasLoadBalancerClass(svc *corev1.Service) bool {
+	return svc != nil &&
+		svc.Spec.Type == corev1.ServiceTypeLoadBalancer &&
+		svc.Spec.LoadBalancerClass != nil &&
+		*svc.Spec.LoadBalancerClass == "tailscale"
+}
+
+func (a *ServiceReconciler) hasAnnotation(svc *corev1.Service) bool {
+	return svc != nil &&
+		svc.Annotations[AnnotationExpose] == "true"
+}
+
+func (a *ServiceReconciler) reconcileHeadlessService(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) (*corev1.Service, error) {
+	hsvc := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "ts-" + svc.Name + "-",
+			Namespace:    a.operatorNamespace,
+			Labels:       childResourceLabels(svc),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "None",
+			Selector: map[string]string{
+				"app": string(svc.UID),
+			},
+		},
+	}
+	logger.Debugf("reconciling headless service for StatefulSet")
+	return createOrUpdate(ctx, a.Client, a.operatorNamespace, hsvc, func(svc *corev1.Service) { svc.Spec = hsvc.Spec })
+}
+
+func (a *ServiceReconciler) createOrGetSecret(ctx context.Context, logger *zap.SugaredLogger, svc, hsvc *corev1.Service, tags []string) (string, error) {
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			// Hardcode a -0 suffix so that in future, if we support
+			// multiple StatefulSet replicas, we can provision -N for
+			// those.
+			Name:      hsvc.Name + "-0",
+			Namespace: a.operatorNamespace,
+			Labels:    childResourceLabels(svc),
+		},
+	}
+	if err := a.Get(ctx, client.ObjectKeyFromObject(secret), secret); err == nil {
+		logger.Debugf("secret %s/%s already exists", secret.GetNamespace(), secret.GetName())
+		return secret.Name, nil
+	} else if !apierrors.IsNotFound(err) {
+		return "", err
+	}
+
+	// Secret doesn't exist yet, create one. Initially it contains
+	// only the Tailscale authkey, but once Tailscale starts it'll
+	// also store the daemon state.
+	sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, childResourceLabels(svc))
+	if err != nil {
+		return "", err
+	}
+	if sts != nil {
+		// StatefulSet exists, so we have already created the secret.
+		// If the secret is missing, they should delete the StatefulSet.
+		logger.Errorf("Tailscale proxy secret doesn't exist, but the corresponding StatefulSet %s/%s already does. Something is wrong, please delete the StatefulSet.", sts.GetNamespace(), sts.GetName())
+		return "", nil
+	}
+	// Create API Key secret which is going to be used by the statefulset
+	// to authenticate with Tailscale.
+	logger.Debugf("creating authkey for new tailscale proxy")
+	authKey, err := a.newAuthKey(ctx, tags)
+	if err != nil {
+		return "", err
+	}
+
+	secret.StringData = map[string]string{
+		"authkey": authKey,
+	}
+	if err := a.Create(ctx, secret); err != nil {
+		return "", err
+	}
+	return secret.Name, nil
+}
+
+func (a *ServiceReconciler) getDeviceInfo(ctx context.Context, svc *corev1.Service) (id, hostname string, err error) {
+	sec, err := getSingleObject[corev1.Secret](ctx, a.Client, a.operatorNamespace, childResourceLabels(svc))
+	if err != nil {
+		return "", "", err
+	}
+	id = string(sec.Data["device_id"])
+	if id == "" {
+		return "", "", nil
+	}
+	// Kubernetes chokes on well-formed FQDNs with the trailing dot, so we have
+	// to remove it.
+	hostname = strings.TrimSuffix(string(sec.Data["device_fqdn"]), ".")
+	if hostname == "" {
+		return "", "", nil
+	}
+	return id, hostname, nil
+}
+
+func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (string, error) {
+	caps := tailscale.KeyCapabilities{
+		Devices: tailscale.KeyDeviceCapabilities{
+			Create: tailscale.KeyDeviceCreateCapabilities{
+				Reusable:      false,
+				Preauthorized: true,
+				Tags:          tags,
+			},
+		},
+	}
+	key, _, err := a.tsClient.CreateKey(ctx, caps)
+	if err != nil {
+		return "", err
+	}
+	return key, nil
+}
+
+//go:embed manifests/proxy.yaml
+var proxyYaml []byte
+
+func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, parentSvc, headlessSvc *corev1.Service, authKeySecret string) (*appsv1.StatefulSet, error) {
+	var ss appsv1.StatefulSet
+	if err := yaml.Unmarshal(proxyYaml, &ss); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
+	}
+	container := &ss.Spec.Template.Spec.Containers[0]
+	container.Image = a.proxyImage
+	container.Env = append(container.Env,
+		corev1.EnvVar{
+			Name:  "TS_DEST_IP",
+			Value: parentSvc.Spec.ClusterIP,
+		},
+		corev1.EnvVar{
+			Name:  "TS_KUBE_SECRET",
+			Value: authKeySecret,
+		})
+	ss.ObjectMeta = metav1.ObjectMeta{
+		Name:      headlessSvc.Name,
+		Namespace: a.operatorNamespace,
+		Labels:    childResourceLabels(parentSvc),
+	}
+	ss.Spec.ServiceName = headlessSvc.Name
+	ss.Spec.Selector = &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			"app": string(parentSvc.UID),
+		},
+	}
+	ss.Spec.Template.ObjectMeta.Labels = map[string]string{
+		"app": string(parentSvc.UID),
+	}
+	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
+	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
+}
+
+func (a *ServiceReconciler) InjectClient(c client.Client) error {
+	a.Client = c
+	return nil
+}
+
+// ptrObject is a type constraint for pointer types that implement
+// client.Object.
+type ptrObject[T any] interface {
+	client.Object
+	*T
+}
+
+// createOrUpdate adds obj to the k8s cluster, unless the object already exists,
+// in which case update is called to make changes to it. If update is nil, the
+// existing object is returned unmodified.
+//
+// obj is looked up by its Name and Namespace if Name is set, otherwise it's
+// looked up by labels.
+func createOrUpdate[T any, O ptrObject[T]](ctx context.Context, c client.Client, ns string, obj O, update func(O)) (O, error) {
+	var (
+		existing O
+		err      error
+	)
+	if obj.GetName() != "" {
+		existing = new(T)
+		existing.SetName(obj.GetName())
+		existing.SetNamespace(obj.GetNamespace())
+		err = c.Get(ctx, client.ObjectKeyFromObject(obj), existing)
+	} else {
+		existing, err = getSingleObject[T, O](ctx, c, ns, obj.GetLabels())
+	}
+	if err == nil && existing != nil {
+		if update != nil {
+			update(existing)
+			if err := c.Update(ctx, existing); err != nil {
+				return nil, err
+			}
+		}
+		return existing, nil
+	}
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, fmt.Errorf("failed to get object: %w", err)
+	}
+	if err := c.Create(ctx, obj); err != nil {
+		return nil, err
+	}
+	return obj, nil
+}
+
+// getSingleObject searches for k8s objects of type T
+// (e.g. corev1.Service) with the given labels, and returns
+// it. Returns nil if no objects match the labels, and an error if
+// more than one object matches.
+func getSingleObject[T any, O ptrObject[T]](ctx context.Context, c client.Client, ns string, labels map[string]string) (O, error) {
+	ret := O(new(T))
+	kinds, _, err := c.Scheme().ObjectKinds(ret)
+	if err != nil {
+		return nil, err
+	}
+	if len(kinds) != 1 {
+		// TODO: the runtime package apparently has a "pick the best
+		// GVK" function somewhere that might be good enough?
+		return nil, fmt.Errorf("more than 1 GroupVersionKind for %T", ret)
+	}
+
+	gvk := kinds[0]
+	gvk.Kind += "List"
+	lst := unstructured.UnstructuredList{}
+	lst.SetGroupVersionKind(gvk)
+	if err := c.List(ctx, &lst, client.InNamespace(ns), client.MatchingLabels(labels)); err != nil {
+		return nil, err
+	}
+
+	if len(lst.Items) == 0 {
+		return nil, nil
+	}
+	if len(lst.Items) > 1 {
+		return nil, fmt.Errorf("found multiple matching %T objects", ret)
+	}
+	if err := c.Scheme().Convert(&lst.Items[0], ret, nil); err != nil {
+		return nil, err
+	}
+	return ret, nil
+}
+
+func defaultEnv(envName, defVal string) string {
+	v := os.Getenv(envName)
+	if v == "" {
+		return defVal
+	}
+	return v
+}
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -0,0 +1,739 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"context"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"go.uber.org/zap"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/types/ptr"
+)
+
+func TestLoadBalancerClass(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP:         "10.20.30.40",
+			Type:              corev1.ServiceTypeLoadBalancer,
+			LoadBalancerClass: ptr.To("tailscale"),
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))
+
+	// Normally the Tailscale proxy pod would come up here and write its info
+	// into the secret. Simulate that, then verify reconcile again and verify
+	// that we get to the end.
+	mustUpdate(t, fc, "operator-ns", fullName, func(s *corev1.Secret) {
+		if s.Data == nil {
+			s.Data = map[string][]byte{}
+		}
+		s.Data["device_id"] = []byte("ts-id-1234")
+		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
+	})
+	expectReconciled(t, sr, "default", "test")
+	want := &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test",
+			Namespace:  "default",
+			Finalizers: []string{"tailscale.com/finalizer"},
+			UID:        types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP:         "10.20.30.40",
+			Type:              corev1.ServiceTypeLoadBalancer,
+			LoadBalancerClass: ptr.To("tailscale"),
+		},
+		Status: corev1.ServiceStatus{
+			LoadBalancer: corev1.LoadBalancerStatus{
+				Ingress: []corev1.LoadBalancerIngress{
+					{
+						Hostname: "tailscale.device.name",
+					},
+				},
+			},
+		},
+	}
+	expectEqual(t, fc, want)
+
+	// Turn the service back into a ClusterIP service, which should make the
+	// operator clean up.
+	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+		s.Spec.Type = corev1.ServiceTypeClusterIP
+		s.Spec.LoadBalancerClass = nil
+		// Fake client doesn't automatically delete the LoadBalancer status when
+		// changing away from the LoadBalancer type, we have to do
+		// controller-manager's work by hand.
+		s.Status = corev1.ServiceStatus{}
+	})
+	// synchronous StatefulSet deletion triggers a requeue. But, the StatefulSet
+	// didn't create any child resources since this is all faked, so the
+	// deletion goes through immediately.
+	expectReconciled(t, sr, "default", "test")
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	// The deletion triggers another reconcile, to finish the cleanup.
+	expectReconciled(t, sr, "default", "test")
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
+	want = &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			UID:       types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	}
+	expectEqual(t, fc, want)
+}
+
+func TestAnnotations(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/expose": "true",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))
+	want := &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test",
+			Namespace:  "default",
+			Finalizers: []string{"tailscale.com/finalizer"},
+			UID:        types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/expose": "true",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	}
+	expectEqual(t, fc, want)
+
+	// Turn the service back into a ClusterIP service, which should make the
+	// operator clean up.
+	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+		delete(s.ObjectMeta.Annotations, "tailscale.com/expose")
+	})
+	// synchronous StatefulSet deletion triggers a requeue. But, the StatefulSet
+	// didn't create any child resources since this is all faked, so the
+	// deletion goes through immediately.
+	expectReconciled(t, sr, "default", "test")
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	// Second time around, the rest of cleanup happens.
+	expectReconciled(t, sr, "default", "test")
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
+	want = &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			UID:       types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	}
+	expectEqual(t, fc, want)
+}
+
+func TestAnnotationIntoLB(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/expose": "true",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))
+
+	// Normally the Tailscale proxy pod would come up here and write its info
+	// into the secret. Simulate that, since it would have normally happened at
+	// this point and the LoadBalancer is going to expect this.
+	mustUpdate(t, fc, "operator-ns", fullName, func(s *corev1.Secret) {
+		if s.Data == nil {
+			s.Data = map[string][]byte{}
+		}
+		s.Data["device_id"] = []byte("ts-id-1234")
+		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
+	})
+	expectReconciled(t, sr, "default", "test")
+	want := &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test",
+			Namespace:  "default",
+			Finalizers: []string{"tailscale.com/finalizer"},
+			UID:        types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/expose": "true",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	}
+	expectEqual(t, fc, want)
+
+	// Remove Tailscale's annotation, and at the same time convert the service
+	// into a tailscale LoadBalancer.
+	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+		delete(s.ObjectMeta.Annotations, "tailscale.com/expose")
+		s.Spec.Type = corev1.ServiceTypeLoadBalancer
+		s.Spec.LoadBalancerClass = ptr.To("tailscale")
+	})
+	expectReconciled(t, sr, "default", "test")
+	// None of the proxy machinery should have changed...
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))
+	// ... but the service should have a LoadBalancer status.
+
+	want = &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test",
+			Namespace:  "default",
+			Finalizers: []string{"tailscale.com/finalizer"},
+			UID:        types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP:         "10.20.30.40",
+			Type:              corev1.ServiceTypeLoadBalancer,
+			LoadBalancerClass: ptr.To("tailscale"),
+		},
+		Status: corev1.ServiceStatus{
+			LoadBalancer: corev1.LoadBalancerStatus{
+				Ingress: []corev1.LoadBalancerIngress{
+					{
+						Hostname: "tailscale.device.name",
+					},
+				},
+			},
+		},
+	}
+	expectEqual(t, fc, want)
+}
+
+func TestLBIntoAnnotation(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP:         "10.20.30.40",
+			Type:              corev1.ServiceTypeLoadBalancer,
+			LoadBalancerClass: ptr.To("tailscale"),
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))
+
+	// Normally the Tailscale proxy pod would come up here and write its info
+	// into the secret. Simulate that, then verify reconcile again and verify
+	// that we get to the end.
+	mustUpdate(t, fc, "operator-ns", fullName, func(s *corev1.Secret) {
+		if s.Data == nil {
+			s.Data = map[string][]byte{}
+		}
+		s.Data["device_id"] = []byte("ts-id-1234")
+		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
+	})
+	expectReconciled(t, sr, "default", "test")
+	want := &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test",
+			Namespace:  "default",
+			Finalizers: []string{"tailscale.com/finalizer"},
+			UID:        types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP:         "10.20.30.40",
+			Type:              corev1.ServiceTypeLoadBalancer,
+			LoadBalancerClass: ptr.To("tailscale"),
+		},
+		Status: corev1.ServiceStatus{
+			LoadBalancer: corev1.LoadBalancerStatus{
+				Ingress: []corev1.LoadBalancerIngress{
+					{
+						Hostname: "tailscale.device.name",
+					},
+				},
+			},
+		},
+	}
+	expectEqual(t, fc, want)
+
+	// Turn the service back into a ClusterIP service, but also add the
+	// tailscale annotation.
+	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+		s.ObjectMeta.Annotations = map[string]string{
+			"tailscale.com/expose": "true",
+		}
+		s.Spec.Type = corev1.ServiceTypeClusterIP
+		s.Spec.LoadBalancerClass = nil
+		// Fake client doesn't automatically delete the LoadBalancer status when
+		// changing away from the LoadBalancer type, we have to do
+		// controller-manager's work by hand.
+		s.Status = corev1.ServiceStatus{}
+	})
+	expectReconciled(t, sr, "default", "test")
+
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))
+
+	want = &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test",
+			Namespace:  "default",
+			Finalizers: []string{"tailscale.com/finalizer"},
+			Annotations: map[string]string{
+				"tailscale.com/expose": "true",
+			},
+			UID: types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	}
+	expectEqual(t, fc, want)
+}
+
+func expectedSecret(name string) *corev1.Secret {
+	return &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Secret",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "default",
+				"tailscale.com/parent-resource-type": "svc",
+			},
+		},
+		StringData: map[string]string{
+			"authkey": "secret-authkey",
+		},
+	}
+}
+
+func expectedHeadlessService(name string) *corev1.Service {
+	return &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:         name,
+			GenerateName: "ts-test-",
+			Namespace:    "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "default",
+				"tailscale.com/parent-resource-type": "svc",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: map[string]string{
+				"app": "1234-UID",
+			},
+			ClusterIP: "None",
+		},
+	}
+}
+
+func expectedSTS(stsName, secretName string) *appsv1.StatefulSet {
+	return &appsv1.StatefulSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "StatefulSet",
+			APIVersion: "apps/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      stsName,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "default",
+				"tailscale.com/parent-resource-type": "svc",
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: ptr.To[int32](1),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "1234-UID"},
+			},
+			ServiceName: stsName,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					DeletionGracePeriodSeconds: ptr.To[int64](10),
+					Labels:                     map[string]string{"app": "1234-UID"},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "proxies",
+					InitContainers: []corev1.Container{
+						{
+							Name:    "sysctler",
+							Image:   "busybox",
+							Command: []string{"/bin/sh"},
+							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: ptr.To(true),
+							},
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:  "tailscale",
+							Image: "tailscale/tailscale",
+							Env: []v1.EnvVar{
+								{Name: "TS_USERSPACE", Value: "false"},
+								{Name: "TS_AUTH_ONCE", Value: "true"},
+								{Name: "TS_DEST_IP", Value: "10.20.30.40"},
+								{Name: "TS_KUBE_SECRET", Value: secretName},
+							},
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Add: []corev1.Capability{"NET_ADMIN"},
+								},
+							},
+							ImagePullPolicy: "Always",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func findGenName(t *testing.T, client client.Client, ns, name string) (full, noSuffix string) {
+	t.Helper()
+	labels := map[string]string{
+		LabelManaged:         "true",
+		LabelParentName:      name,
+		LabelParentNamespace: ns,
+		LabelParentType:      "svc",
+	}
+	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
+	if err != nil {
+		t.Fatalf("finding secret for %q: %v", name, err)
+	}
+	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
+}
+
+func mustCreate(t *testing.T, client client.Client, obj client.Object) {
+	t.Helper()
+	if err := client.Create(context.Background(), obj); err != nil {
+		t.Fatalf("creating %q: %v", obj.GetName(), err)
+	}
+}
+
+func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
+func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
+	t.Helper()
+	got := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      want.GetName(),
+		Namespace: want.GetNamespace(),
+	}, got); err != nil {
+		t.Fatalf("getting %q: %v", want.GetName(), err)
+	}
+	// The resource version changes eagerly whenever the operator does even a
+	// no-op update. Asserting a specific value leads to overly brittle tests,
+	// so just remove it from both got and want.
+	got.SetResourceVersion("")
+	want.SetResourceVersion("")
+	if diff := cmp.Diff(got, want); diff != "" {
+		t.Fatalf("unexpected object (-got +want):\n%s", diff)
+	}
+}
+
+func expectMissing[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); !apierrors.IsNotFound(err) {
+		t.Fatalf("object %s/%s unexpectedly present, wanted missing", ns, name)
+	}
+}
+
+func expectReconciled(t *testing.T, sr *ServiceReconciler, ns, name string) {
+	t.Helper()
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Name:      name,
+			Namespace: ns,
+		},
+	}
+	res, err := sr.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+	if res.Requeue {
+		t.Fatalf("unexpected immediate requeue")
+	}
+	if res.RequeueAfter != 0 {
+		t.Fatalf("unexpected timed requeue (%v)", res.RequeueAfter)
+	}
+}
+
+func expectRequeue(t *testing.T, sr *ServiceReconciler, ns, name string) {
+	t.Helper()
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Name:      name,
+			Namespace: ns,
+		},
+	}
+	res, err := sr.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+	if res.Requeue {
+		t.Fatalf("unexpected immediate requeue")
+	}
+	if res.RequeueAfter == 0 {
+		t.Fatalf("expected timed requeue, got success")
+	}
+}
+
+type fakeTSClient struct {
+	sync.Mutex
+	keyRequests []tailscale.KeyCapabilities
+	deleted     []string
+}
+
+func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error) {
+	c.Lock()
+	defer c.Unlock()
+	c.keyRequests = append(c.keyRequests, caps)
+	k := &tailscale.Key{
+		ID:           "key",
+		Created:      time.Now(),
+		Expires:      time.Now().Add(24 * time.Hour),
+		Capabilities: caps,
+	}
+	return "secret-authkey", k, nil
+}
+
+func (c *fakeTSClient) DeleteDevice(ctx context.Context, deviceID string) error {
+	c.Lock()
+	defer c.Unlock()
+	c.deleted = append(c.deleted, deviceID)
+	return nil
+}
+
+func (c *fakeTSClient) KeyRequests() []tailscale.KeyCapabilities {
+	c.Lock()
+	defer c.Unlock()
+	return c.keyRequests
+}
+
+func (c *fakeTSClient) Deleted() []string {
+	c.Lock()
+	defer c.Unlock()
+	return c.deleted
+}
--- a/cmd/nardump/README.md
+++ b/cmd/nardump/README.md
@@ -0,0 +1,7 @@
+# nardump
+
+nardump is like nix-store --dump, but in Go, writing a NAR file (tar-like,
+but focused on being reproducible) to stdout or to a hash with the --sri flag.
+
+It lets us calculate the Nix sha256 in shell.nix without the person running
+git-pull-oss.sh having Nix available.
--- a/cmd/nardump/nardump.go
+++ b/cmd/nardump/nardump.go
@@ -0,0 +1,185 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// nardump is like nix-store --dump, but in Go, writing a NAR
+// file (tar-like, but focused on being reproducible) to stdout
+// or to a hash with the --sri flag.
+//
+// It lets us calculate a Nix sha256 without the person running
+// git-pull-oss.sh having Nix available.
+package main
+
+// For the format, see:
+// See https://gist.github.com/jbeda/5c79d2b1434f0018d693
+
+import (
+	"bufio"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/binary"
+	"flag"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"path"
+	"sort"
+)
+
+var sri = flag.Bool("sri", false, "print SRI")
+
+func main() {
+	flag.Parse()
+	if flag.NArg() != 1 {
+		log.Fatal("usage: nardump <dir>")
+	}
+	arg := flag.Arg(0)
+	if err := os.Chdir(arg); err != nil {
+		log.Fatal(err)
+	}
+	if *sri {
+		hash := sha256.New()
+		if err := writeNAR(hash, os.DirFS(".")); err != nil {
+			log.Fatal(err)
+		}
+		fmt.Printf("sha256-%s\n", base64.StdEncoding.EncodeToString(hash.Sum(nil)))
+		return
+	}
+	bw := bufio.NewWriter(os.Stdout)
+	if err := writeNAR(bw, os.DirFS(".")); err != nil {
+		log.Fatal(err)
+	}
+	bw.Flush()
+}
+
+// writeNARError is a sentinel panic type that's recovered by writeNAR
+// and converted into the wrapped error.
+type writeNARError struct{ err error }
+
+// narWriter writes NAR files.
+type narWriter struct {
+	w  io.Writer
+	fs fs.FS
+}
+
+// writeNAR writes a NAR file to w from the root of fs.
+func writeNAR(w io.Writer, fs fs.FS) (err error) {
+	defer func() {
+		if e := recover(); e != nil {
+			if we, ok := e.(writeNARError); ok {
+				err = we.err
+				return
+			}
+			panic(e)
+		}
+	}()
+	nw := &narWriter{w: w, fs: fs}
+	nw.str("nix-archive-1")
+	return nw.writeDir(".")
+}
+
+func (nw *narWriter) writeDir(dirPath string) error {
+	ents, err := fs.ReadDir(nw.fs, dirPath)
+	if err != nil {
+		return err
+	}
+	sort.Slice(ents, func(i, j int) bool {
+		return ents[i].Name() < ents[j].Name()
+	})
+	nw.str("(")
+	nw.str("type")
+	nw.str("directory")
+	for _, ent := range ents {
+		nw.str("entry")
+		nw.str("(")
+		nw.str("name")
+		nw.str(ent.Name())
+		nw.str("node")
+		mode := ent.Type()
+		sub := path.Join(dirPath, ent.Name())
+		var err error
+		switch {
+		case mode.IsRegular():
+			err = nw.writeRegular(sub)
+		case mode.IsDir():
+			err = nw.writeDir(sub)
+		default:
+			// TODO(bradfitz): symlink, but requires fighting io/fs a bit
+			// to get at Readlink or the osFS via fs. But for now
+			// we don't need symlinks because they're not in Go's archive.
+			return fmt.Errorf("unsupported file type %v at %q", sub, mode)
+		}
+		if err != nil {
+			return err
+		}
+		nw.str(")")
+	}
+	nw.str(")")
+	return nil
+}
+
+func (nw *narWriter) writeRegular(path string) error {
+	nw.str("(")
+	nw.str("type")
+	nw.str("regular")
+	fi, err := fs.Stat(nw.fs, path)
+	if err != nil {
+		return err
+	}
+	if fi.Mode()&0111 != 0 {
+		nw.str("executable")
+		nw.str("")
+	}
+	contents, err := fs.ReadFile(nw.fs, path)
+	if err != nil {
+		return err
+	}
+	nw.str("contents")
+	if err := writeBytes(nw.w, contents); err != nil {
+		return err
+	}
+	nw.str(")")
+	return nil
+}
+
+func (nw *narWriter) str(s string) {
+	if err := writeString(nw.w, s); err != nil {
+		panic(writeNARError{err})
+	}
+}
+
+func writeString(w io.Writer, s string) error {
+	var buf [8]byte
+	binary.LittleEndian.PutUint64(buf[:], uint64(len(s)))
+	if _, err := w.Write(buf[:]); err != nil {
+		return err
+	}
+	if _, err := io.WriteString(w, s); err != nil {
+		return err
+	}
+	return writePad(w, len(s))
+}
+
+func writeBytes(w io.Writer, b []byte) error {
+	var buf [8]byte
+	binary.LittleEndian.PutUint64(buf[:], uint64(len(b)))
+	if _, err := w.Write(buf[:]); err != nil {
+		return err
+	}
+	if _, err := w.Write(b); err != nil {
+		return err
+	}
+	return writePad(w, len(b))
+}
+
+func writePad(w io.Writer, n int) error {
+	pad := n % 8
+	if pad == 0 {
+		return nil
+	}
+	var zeroes [8]byte
+	_, err := w.Write(zeroes[:8-pad])
+	return err
+}
--- a/cmd/printdep/printdep.go
+++ b/cmd/printdep/printdep.go
@@ -19,6 +19,7 @@ import (
 var (
 	goToolchain    = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
 	goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
+	goToolchainSRI = flag.Bool("go-sri", false, "print the SRI hash of the Tailscale Go toolchain")
 	alpine         = flag.Bool("alpine", false, "print the tag of alpine docker image")
 )

@@ -48,4 +49,7 @@ func main() {
 		}
 		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
 	}
+	if *goToolchainSRI {
+		fmt.Println(strings.TrimSpace(ts.GoToolchainSRI))
+	}
 }
--- a/cmd/sync-containers/main.go
+++ b/cmd/sync-containers/main.go
@@ -0,0 +1,179 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The sync-containers command synchronizes container image tags from one
+// registry to another.
+//
+// It is intended as a workaround for ghcr.io's lack of good push credentials:
+// you can either authorize "classic" Personal Access Tokens in your org (which
+// are a common vector of very bad compromise), or you can get a short-lived
+// credential in a Github action.
+//
+// Since we publish to both Docker Hub and ghcr.io, we use this program in a
+// Github action to effectively rsync from docker hub into ghcr.io, so that we
+// can continue to forbid dangerous Personal Access Tokens in the tailscale org.
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"sort"
+	"strings"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+)
+
+var (
+	src    = flag.String("src", "", "Source image")
+	dst    = flag.String("dst", "", "Destination image")
+	max    = flag.Int("max", 0, "Maximum number of tags to sync (0 for all tags)")
+	dryRun = flag.Bool("dry-run", true, "Don't actually sync anything")
+)
+
+func main() {
+	flag.Parse()
+
+	if *src == "" {
+		log.Fatalf("--src is required")
+	}
+	if *dst == "" {
+		log.Fatalf("--dst is required")
+	}
+
+	opts := []remote.Option{
+		remote.WithAuthFromKeychain(authn.DefaultKeychain),
+		remote.WithContext(context.Background()),
+	}
+
+	stags, err := listTags(*src, opts...)
+	if err != nil {
+		log.Fatalf("listing source tags: %v", err)
+	}
+	dtags, err := listTags(*dst, opts...)
+	if err != nil {
+		log.Fatalf("listing destination tags: %v", err)
+	}
+
+	add, remove := diffTags(stags, dtags)
+	if l := len(add); l > 0 {
+		log.Printf("%d tags to push: %s", len(add), strings.Join(add, ", "))
+		if *max > 0 && l > *max {
+			log.Printf("Limiting sync to %d tags", *max)
+			add = add[:*max]
+		}
+	}
+	for _, tag := range add {
+		if !*dryRun {
+			log.Printf("Syncing tag %q", tag)
+			if err := copyTag(*src, *dst, tag, opts...); err != nil {
+				log.Printf("Syncing tag %q: progress error: %v", tag, err)
+			}
+		} else {
+			log.Printf("Dry run: would sync tag %q", tag)
+		}
+	}
+
+	if len(remove) > 0 {
+		log.Printf("%d tags to remove: %s\n", len(remove), strings.Join(remove, ", "))
+		log.Printf("Not removing any tags for safety.\n")
+	}
+}
+
+func copyTag(srcStr, dstStr, tag string, opts ...remote.Option) error {
+	src, err := name.ParseReference(fmt.Sprintf("%s:%s", srcStr, tag))
+	if err != nil {
+		return err
+	}
+	dst, err := name.ParseReference(fmt.Sprintf("%s:%s", dstStr, tag))
+	if err != nil {
+		return err
+	}
+
+	desc, err := remote.Get(src)
+	if err != nil {
+		return err
+	}
+
+	ch := make(chan v1.Update, 10)
+	opts = append(opts, remote.WithProgress(ch))
+	progressDone := make(chan struct{})
+
+	go func() {
+		defer close(progressDone)
+		for p := range ch {
+			fmt.Printf("Syncing tag %q: %d%% (%d/%d)\n", tag, int(float64(p.Complete)/float64(p.Total)*100), p.Complete, p.Total)
+			if p.Error != nil {
+				fmt.Printf("error: %v\n", p.Error)
+			}
+		}
+	}()
+
+	switch desc.MediaType {
+	case types.OCIManifestSchema1, types.DockerManifestSchema2:
+		img, err := desc.Image()
+		if err != nil {
+			return err
+		}
+		if err := remote.Write(dst, img, opts...); err != nil {
+			return err
+		}
+	case types.OCIImageIndex, types.DockerManifestList:
+		idx, err := desc.ImageIndex()
+		if err != nil {
+			return err
+		}
+		if err := remote.WriteIndex(dst, idx, opts...); err != nil {
+			return err
+		}
+	}
+
+	<-progressDone
+	return nil
+}
+
+func listTags(repoStr string, opts ...remote.Option) ([]string, error) {
+	repo, err := name.NewRepository(repoStr)
+	if err != nil {
+		return nil, err
+	}
+
+	tags, err := remote.List(repo, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	sort.Strings(tags)
+	return tags, nil
+}
+
+func diffTags(src, dst []string) (add, remove []string) {
+	srcd := make(map[string]bool)
+	for _, tag := range src {
+		srcd[tag] = true
+	}
+	dstd := make(map[string]bool)
+	for _, tag := range dst {
+		dstd[tag] = true
+	}
+
+	for _, tag := range src {
+		if !dstd[tag] {
+			add = append(add, tag)
+		}
+	}
+	for _, tag := range dst {
+		if !srcd[tag] {
+			remove = append(remove, tag)
+		}
+	}
+	sort.Strings(add)
+	sort.Strings(remove)
+	return add, remove
+}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -142,7 +142,7 @@ func Run(args []string) (err error) {
 	})

 	rootfs := newFlagSet("tailscale")
-	rootfs.StringVar(&rootArgs.socket, "socket", paths.DefaultTailscaledSocket(), "path to tailscaled's unix socket")
+	rootfs.StringVar(&rootArgs.socket, "socket", paths.DefaultTailscaledSocket(), "path to tailscaled socket")

 	rootCmd := &ffcli.Command{
 		Name:       "tailscale",
@@ -297,7 +297,14 @@ func usageFuncOpt(c *ffcli.Command, withDefaults bool) string {
 			s += "\n    \t"
 			s += strings.ReplaceAll(usage, "\n", "\n    \t")

-			if f.DefValue != "" && withDefaults {
+			showDefault := f.DefValue != "" && withDefaults
+			// Issue 6766: don't show the default Windows socket path. It's long
+			// and distracting. And people on on Windows aren't likely to ever
+			// change it anyway.
+			if runtime.GOOS == "windows" && f.Name == "socket" && strings.HasPrefix(f.DefValue, `\\.\pipe\ProtectedPrefix\`) {
+				showDefault = false
+			}
+			if showDefault {
 				s += fmt.Sprintf(" (default %s)", f.DefValue)
 			}

--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -19,9 +19,12 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"time"
 	"unicode/utf8"

+	"github.com/mattn/go-isatty"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
 	"tailscale.com/client/tailscale/apitype"
@@ -49,6 +52,17 @@ var fileCmd = &ffcli.Command{
 	},
 }

+type countingReader struct {
+	io.Reader
+	n atomic.Uint64
+}
+
+func (c *countingReader) Read(buf []byte) (int, error) {
+	n, err := c.Reader.Read(buf)
+	c.n.Add(uint64(n))
+	return n, err
+}
+
 var fileCpCmd = &ffcli.Command{
 	Name:       "cp",
 	ShortUsage: "file cp <files...> <target>:",
@@ -116,11 +130,11 @@ func runCp(ctx context.Context, args []string) error {
 	}

 	for _, fileArg := range files {
-		var fileContents io.Reader
+		var fileContents *countingReader
 		var name = cpArgs.name
 		var contentLength int64 = -1
 		if fileArg == "-" {
-			fileContents = os.Stdin
+			fileContents = &countingReader{Reader: os.Stdin}
 			if name == "" {
 				name, fileContents, err = pickStdinFilename()
 				if err != nil {
@@ -144,19 +158,29 @@ func runCp(ctx context.Context, args []string) error {
 				return errors.New("directories not supported")
 			}
 			contentLength = fi.Size()
-			fileContents = io.LimitReader(f, contentLength)
+			fileContents = &countingReader{Reader: io.LimitReader(f, contentLength)}
 			if name == "" {
 				name = filepath.Base(fileArg)
 			}

 			if envknob.Bool("TS_DEBUG_SLOW_PUSH") {
-				fileContents = &slowReader{r: fileContents}
+				fileContents = &countingReader{Reader: &slowReader{r: fileContents}}
 			}
 		}

 		if cpArgs.verbose {
 			log.Printf("sending %q to %v/%v/%v ...", name, target, ip, stableID)
 		}
+
+		var (
+			done = make(chan struct{}, 1)
+			wg   sync.WaitGroup
+		)
+		if isatty.IsTerminal(os.Stderr.Fd()) {
+			go printProgress(&wg, done, fileContents, name, contentLength)
+			wg.Add(1)
+		}
+
 		err := localClient.PushFile(ctx, stableID, contentLength, name, fileContents)
 		if err != nil {
 			return err
@@ -164,10 +188,61 @@ func runCp(ctx context.Context, args []string) error {
 		if cpArgs.verbose {
 			log.Printf("sent %q", name)
 		}
+		done <- struct{}{}
+		wg.Wait()
 	}
 	return nil
 }

+const vtRestartLine = "\r\x1b[K"
+
+func printProgress(wg *sync.WaitGroup, done <-chan struct{}, r *countingReader, name string, contentLength int64) {
+	defer wg.Done()
+	var lastBytesRead uint64
+
+	for {
+		select {
+		case <-done:
+			fmt.Fprintln(os.Stderr)
+			return
+		case <-time.After(time.Second):
+			n := r.n.Load()
+			contentLengthStr := "???"
+			if contentLength > 0 {
+				contentLengthStr = fmt.Sprint(contentLength / 1024)
+			}
+
+			fmt.Fprintf(os.Stderr, "%s%s\t\t%s", vtRestartLine, padTruncateString(name, 36), padTruncateString(fmt.Sprintf("%d/%s kb", n/1024, contentLengthStr), 16))
+			if contentLength > 0 {
+				fmt.Fprintf(os.Stderr, "\t%.02f%%", float64(n)/float64(contentLength)*100)
+			} else {
+				fmt.Fprintf(os.Stderr, "\t-------%%")
+			}
+			if lastBytesRead > 0 {
+				fmt.Fprintf(os.Stderr, "\t%d kb/s", (n-lastBytesRead)/1024)
+			} else {
+				fmt.Fprintf(os.Stderr, "\t-------")
+			}
+			lastBytesRead = n
+		}
+	}
+}
+
+func padTruncateString(str string, truncateAt int) string {
+	if len(str) <= truncateAt {
+		return str + strings.Repeat(" ", truncateAt-len(str))
+	}
+
+	// Truncate the string, but respect unicode codepoint boundaries.
+	// As of RFC3629 utf-8 codepoints can be at most 4 bytes wide.
+	for i := 1; i <= 4 && i < len(str)-truncateAt; i++ {
+		if utf8.ValidString(str[:truncateAt-i]) {
+			return str[:truncateAt-i] + "…"
+		}
+	}
+	return "" // Should be unreachable
+}
+
 func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNodeID, isOffline bool, err error) {
 	ip, err := netip.ParseAddr(ipStr)
 	if err != nil {
@@ -230,12 +305,12 @@ func ext(b []byte) string {
 // pickStdinFilename reads a bit of stdin to return a good filename
 // for its contents. The returned Reader is the concatenation of the
 // read and unread bits.
-func pickStdinFilename() (name string, r io.Reader, err error) {
+func pickStdinFilename() (name string, r *countingReader, err error) {
 	sniff, err := io.ReadAll(io.LimitReader(os.Stdin, maxSniff))
 	if err != nil {
 		return "", nil, err
 	}
-	return "stdin" + ext(sniff), io.MultiReader(bytes.NewReader(sniff), os.Stdin), nil
+	return "stdin" + ext(sniff), &countingReader{Reader: io.MultiReader(bytes.NewReader(sniff), os.Stdin)}, nil
 }

 type slowReader struct {
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -28,7 +28,7 @@ var netlockCmd = &ffcli.Command{
 	Name:       "lock",
 	ShortUsage: "lock <sub-command> <arguments>",
 	ShortHelp:  "Manage tailnet lock",
-	LongHelp:  "Manage tailnet lock",
+	LongHelp:   "Manage tailnet lock",
 	Subcommands: []*ffcli.Command{
 		nlInitCmd,
 		nlStatusCmd,
@@ -154,8 +154,8 @@ func runNetworkLockInit(ctx context.Context, args []string) error {
 var nlStatusCmd = &ffcli.Command{
 	Name:       "status",
 	ShortUsage: "status",
-	ShortHelp:  "Outputs the state of network lock",
-	LongHelp:  "Outputs the state of network lock",
+	ShortHelp:  "Outputs the state of tailnet lock",
+	LongHelp:   "Outputs the state of tailnet lock",
 	Exec:       runNetworkLockStatus,
 }

@@ -229,7 +229,7 @@ var nlAddCmd = &ffcli.Command{
 	Name:       "add",
 	ShortUsage: "add <public-key>...",
 	ShortHelp:  "Adds one or more trusted signing keys to tailnet lock",
-	LongHelp:  "Adds one or more trusted signing keys to tailnet lock",
+	LongHelp:   "Adds one or more trusted signing keys to tailnet lock",
 	Exec: func(ctx context.Context, args []string) error {
 		return runNetworkLockModify(ctx, args, nil)
 	},
@@ -239,7 +239,7 @@ var nlRemoveCmd = &ffcli.Command{
 	Name:       "remove",
 	ShortUsage: "remove <public-key>...",
 	ShortHelp:  "Removes one or more trusted signing keys from tailnet lock",
-	LongHelp:  "Removes one or more trusted signing keys from tailnet lock",
+	LongHelp:   "Removes one or more trusted signing keys from tailnet lock",
 	Exec: func(ctx context.Context, args []string) error {
 		return runNetworkLockModify(ctx, nil, args)
 	},
@@ -310,12 +310,9 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err
 		return err
 	}

-	status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
-	if err != nil {
+	if err := localClient.NetworkLockModify(ctx, addKeys, removeKeys); err != nil {
 		return err
 	}
-
-	fmt.Printf("Status: %+v\n\n", status)
 	return nil
 }

@@ -323,7 +320,7 @@ var nlSignCmd = &ffcli.Command{
 	Name:       "sign",
 	ShortUsage: "sign <node-key> [<rotation-key>]",
 	ShortHelp:  "Signs a node key and transmits the signature to the coordination server",
-	LongHelp:  "Signs a node key and transmits the signature to the coordination server",
+	LongHelp:   "Signs a node key and transmits the signature to the coordination server",
 	Exec:       runNetworkLockSign,
 }

@@ -363,7 +360,7 @@ Once this secret is used, it has been distributed
 to all nodes in the tailnet and should be considered public.

 `),
-	Exec:       runNetworkLockDisable,
+	Exec: runNetworkLockDisable,
 }

 func runNetworkLockDisable(ctx context.Context, args []string) error {
@@ -392,7 +389,7 @@ that the current node will accept traffic from other nodes in the tailnet
 that are locked out.

 `),
-	Exec:       runNetworkLockLocalDisable,
+	Exec: runNetworkLockLocalDisable,
 }

 func runNetworkLockLocalDisable(ctx context.Context, args []string) error {
@@ -403,7 +400,7 @@ var nlDisablementKDFCmd = &ffcli.Command{
 	Name:       "disablement-kdf",
 	ShortUsage: "disablement-kdf <hex-encoded-disablement-secret>",
 	ShortHelp:  "Computes a disablement value from a disablement secret (advanced users only)",
-	LongHelp:  "Computes a disablement value from a disablement secret (advanced users only)",
+	LongHelp:   "Computes a disablement value from a disablement secret (advanced users only)",
 	Exec:       runNetworkLockDisablementKDF,
 }

@@ -427,7 +424,7 @@ var nlLogCmd = &ffcli.Command{
 	Name:       "log",
 	ShortUsage: "log [--limit N]",
 	ShortHelp:  "List changes applied to tailnet lock",
-	LongHelp:  "List changes applied to tailnet lock",
+	LongHelp:   "List changes applied to tailnet lock",
 	Exec:       runNetworkLockLog,
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("lock log")
--- a/cmd/tailscale/cli/serve.go
+++ b/cmd/tailscale/cli/serve.go
@@ -517,7 +517,7 @@ func printTCPStatusTree(ctx context.Context, sc *ipn.ServeConfig, st *ipnstate.S
 			tlsStatus = "TLS terminated"
 		}
 		fStatus := "tailnet only"
-		if sc.IsFunnelOn(hp) {
+		if sc.AllowFunnel[hp] {
 			fStatus = "Funnel on"
 		}
 		printf("|-- tcp://%s (%s, %s)\n", hp, tlsStatus, fStatus)
@@ -535,7 +535,7 @@ func printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) {
 		return
 	}
 	fStatus := "tailnet only"
-	if sc.IsFunnelOn(hp) {
+	if sc.AllowFunnel[hp] {
 		fStatus = "Funnel on"
 	}
 	host, portStr, _ := net.SplitHostPort(string(hp))
@@ -690,8 +690,7 @@ func (e *serveEnv) runServeFunnel(ctx context.Context, args []string) error {
 	}
 	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
 	hp := ipn.HostPort(dnsName + ":" + srvPortStr)
-	isFun := sc.IsFunnelOn(hp)
-	if on && isFun || !on && !isFun {
+	if on == sc.AllowFunnel[hp] {
 		// Nothing to do.
 		return nil
 	}
--- a/cmd/tailscale/cli/ssh.go
+++ b/cmd/tailscale/cli/ssh.go
@@ -21,6 +21,7 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
+	"tailscale.com/paths"
 	"tailscale.com/version"
 )

@@ -37,7 +38,7 @@ most users running the Tailscale SSH server will prefer to just use the normal

 The 'tailscale ssh' wrapper adds a few things:

-* It resolves the destination server name in its arugments using MagicDNS,
+* It resolves the destination server name in its arguments using MagicDNS,
  even if --accept-dns=false.
 * It works in userspace-networking mode, by supplying a ProxyCommand to the
  system 'ssh' command that connects via a pipe through tailscaled.
@@ -110,10 +111,15 @@ func runSSH(ctx context.Context, args []string) error {
 	// So don't use it for now. MagicDNS is usually working on macOS anyway
 	// and they're not in userspace mode, so 'nc' isn't very useful.
 	if runtime.GOOS != "darwin" {
+		socketArg := ""
+		if rootArgs.socket != "" && rootArgs.socket != paths.DefaultTailscaledSocket() {
+			socketArg = fmt.Sprintf("--socket=%q", rootArgs.socket)
+		}
+
 		argv = append(argv,
-			"-o", fmt.Sprintf("ProxyCommand %q --socket=%q nc %%h %%p",
+			"-o", fmt.Sprintf("ProxyCommand %q %s nc %%h %%p",
 				tailscaleBin,
-				rootArgs.socket,
+				socketArg,
 			))
 	}

--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"net/netip"
 	"os"
+	"strconv"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
@@ -222,9 +223,44 @@ func runStatus(ctx context.Context, args []string) error {
 		outln()
 		printHealth()
 	}
+	printFunnelStatus(ctx)
 	return nil
 }

+// printFunnelStatus prints the status of the funnel, if it's running.
+// It prints nothing if the funnel is not running.
+func printFunnelStatus(ctx context.Context) {
+	sc, err := localClient.GetServeConfig(ctx)
+	if err != nil {
+		outln()
+		printf("# Funnel:\n")
+		printf("#     - Unable to get Funnel status: %v\n", err)
+		return
+	}
+	if !sc.IsFunnelOn() {
+		return
+	}
+	outln()
+	printf("# Funnel on:\n")
+	for hp, on := range sc.AllowFunnel {
+		if !on { // if present, should be on
+			continue
+		}
+		sni, portStr, _ := net.SplitHostPort(string(hp))
+		p, _ := strconv.ParseUint(portStr, 10, 16)
+		isTCP := sc.IsTCPForwardingOnPort(uint16(p))
+		url := "https://"
+		if isTCP {
+			url = "tcp://"
+		}
+		url += sni
+		if isTCP || p != 443 {
+			url += ":" + portStr
+		}
+		printf("#     - %s\n", url)
+	}
+}
+
 // isRunningOrStarting reports whether st is in state Running or Starting.
 // It also returns a description of the status suitable to display to a user.
 func isRunningOrStarting(st *ipnstate.Status) (description string, ok bool) {
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -330,7 +330,11 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	prefs.ControlURL = upArgs.server
 	prefs.WantRunning = true
 	prefs.RouteAll = upArgs.acceptRoutes
-
+	if distro.Get() == distro.Synology {
+		// ipn.NewPrefs returns a non-zero Netfilter default. But Synology only
+		// supports "off" mode.
+		prefs.NetfilterMode = preftype.NetfilterOff
+	}
 	if upArgs.exitNodeIP != "" {
 		if err := prefs.SetExitNodeIP(upArgs.exitNodeIP, st); err != nil {
 			var e ipn.ExitNodeLocalIPError
@@ -879,6 +883,10 @@ func checkForAccidentalSettingReverts(newPrefs, curPrefs *ipn.Prefs, env upCheck
 			// Issue 3176. Old prefs had 'RouteAll: true' on disk, so ignore that.
 			continue
 		}
+		if flagName == "netfilter-mode" && valNew == preftype.NetfilterOn && env.goos == "linux" && env.distro == distro.Synology {
+			// Issue 6811. Ignore on Synology.
+			continue
+		}
 		missing = append(missing, fmtFlagValueArg(flagName, valCur))
 	}
 	if len(missing) == 0 {
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -12,7 +12,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
   D    github.com/google/uuid                                       from tailscale.com/util/quarantine
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+  LW    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
@@ -107,7 +107,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
-   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
        tailscale.com/util/mak                                       from tailscale.com/net/netcheck+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -82,7 +82,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/jmespath/go-jmespath                              from github.com/aws/aws-sdk-go-v2/service/ssm
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+  LW    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
@@ -116,44 +116,43 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router+
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/net/tstun+
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/namedpipe              from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
  LD    github.com/u-root/u-root/pkg/termios                         from tailscale.com/ssh/tailssh
   L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/u-root/uio/ubinary                                from github.com/u-root/uio/uio
   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
        go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
-   W 💣 golang.zx2c4.com/wintun                                      from golang.zx2c4.com/wireguard/tun
-     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
-     💣 golang.zx2c4.com/wireguard/device                            from tailscale.com/net/tstun+
-     💣 golang.zx2c4.com/wireguard/ipc                               from golang.zx2c4.com/wireguard/device
-   W 💣 golang.zx2c4.com/wireguard/ipc/namedpipe                     from golang.zx2c4.com/wireguard/ipc
-        golang.zx2c4.com/wireguard/ratelimiter                       from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/replay                            from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/rwcancel                          from golang.zx2c4.com/wireguard/device+
-        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device
-     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/cmd/tailscaled+
+   W 💣 golang.zx2c4.com/wintun                                      from github.com/tailscale/wireguard-go/tun+
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/dns+
        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/bufferv2
     💣 gvisor.dev/gvisor/pkg/bufferv2                               from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs+
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
-        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/refsvfs2+
-        gvisor.dev/gvisor/pkg/refsvfs2                               from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/bufferv2+
     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/bufferv2+
        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -287,7 +286,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
        tailscale.com/util/goroutines                                from tailscale.com/control/controlclient+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnauth
     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
@@ -302,7 +300,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
-     💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/util/winutil                                   from tailscale.com/control/controlclient+
        tailscale.com/version                                        from tailscale.com/derp+
        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
@@ -321,7 +319,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/acme                                     from tailscale.com/ipn/ipnlocal
        golang.org/x/crypto/argon2                                   from tailscale.com/tka
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
  LD    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
@@ -332,7 +330,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/hkdf                                     from crypto/tls+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/golang-x-crypto/ssh+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
@@ -347,15 +345,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device+
-        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/conn+
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/conn+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from github.com/insomniacslk/dhcp/interfaces+
   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
-   W    golang.org/x/sys/windows/registry                            from golang.org/x/sys/windows/svc/eventlog+
+   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
   W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled+
@@ -407,6 +405,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        flag                                                         from tailscale.com/control/controlclient+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
+        hash/adler32                                                 from tailscale.com/ipn/ipnlocal
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
@@ -430,7 +429,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
        net/http/pprof                                               from tailscale.com/cmd/tailscaled+
-        net/netip                                                    from golang.zx2c4.com/wireguard/conn+
+        net/netip                                                    from github.com/tailscale/wireguard-go/conn+
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -533,8 +533,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logid string) (_ *ip
 		return smallzstd.NewDecoder(nil)
 	})
 	configureTaildrop(logf, lb)
-	ns.SetLocalBackend(lb)
-	if err := ns.Start(); err != nil {
+	if err := ns.Start(lb); err != nil {
 		log.Fatalf("failed to start netstack: %v", err)
 	}
 	return lb, nil
@@ -584,15 +583,15 @@ func handleSubnetsInNetstack() bool {

 var tstunNew = tstun.New

-func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, name string) (e wgengine.Engine, onlyNetsack bool, err error) {
+func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, name string) (e wgengine.Engine, onlyNetstack bool, err error) {
 	conf := wgengine.Config{
 		ListenPort:  args.port,
 		LinkMonitor: linkMon,
 		Dialer:      dialer,
 	}

-	onlyNetsack = name == "userspace-networking"
-	netns.SetEnabled(!onlyNetsack)
+	onlyNetstack = name == "userspace-networking"
+	netns.SetEnabled(!onlyNetstack)

 	if args.birdSocketPath != "" && createBIRDClient != nil {
 		log.Printf("Connecting to BIRD at %s ...", args.birdSocketPath)
@@ -601,7 +600,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 			return nil, false, fmt.Errorf("createBIRDClient: %w", err)
 		}
 	}
-	if onlyNetsack {
+	if onlyNetstack {
 		if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 			// On Synology in netstack mode, still init a DNS
 			// manager (directManager) to avoid the health check
@@ -646,9 +645,9 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 	}
 	e, err = wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
-		return nil, onlyNetsack, err
+		return nil, onlyNetstack, err
 	}
-	return e, onlyNetsack, nil
+	return e, onlyNetstack, nil
 }

 func newDebugMux() *http.ServeMux {
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -25,6 +25,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"log"
 	"net/netip"
 	"os"
@@ -35,10 +36,11 @@ import (
 	"time"

 	"github.com/dblohm7/wingoes/com"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
 	"golang.org/x/sys/windows/svc/eventlog"
-	"golang.zx2c4.com/wireguard/tun"
+	"golang.zx2c4.com/wintun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/envknob"
 	"tailscale.com/logpolicy"
@@ -64,6 +66,12 @@ func init() {

 const serviceName = "Tailscale"

+// Application-defined command codes between 128 and 255
+// See https://web.archive.org/web/20221007222822/https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-controlservice
+const (
+	cmdUninstallWinTun = svc.Cmd(128 + iota)
+)
+
 func init() {
 	tstunNew = tstunNewWithWindowsRetries
 }
@@ -184,6 +192,26 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 				syslogf("Service session change notification")
 				handleSessionChange(cmd)
 				changes <- cmd.CurrentStatus
+			case cmdUninstallWinTun:
+				syslogf("Stopping tailscaled child process and uninstalling WinTun")
+				// At this point, doneCh is the channel which will be closed when the
+				// tailscaled subprocess exits. We save that to childDoneCh.
+				childDoneCh := doneCh
+				// We reset doneCh to a new channel that will keep the event loop
+				// running until the uninstallation is done.
+				doneCh = make(chan struct{})
+				// Trigger subprocess shutdown.
+				cancel()
+				go func() {
+					// When this goroutine completes, tell the service to break out of its
+					// event loop.
+					defer close(doneCh)
+					// Wait for the subprocess to shutdown.
+					<-childDoneCh
+					// Now uninstall WinTun.
+					uninstallWinTun(log.Printf)
+				}()
+				changes <- svc.Status{State: svc.StopPending}
 			}
 		}
 	}
@@ -221,6 +249,8 @@ func cmdName(c svc.Cmd) string {
 		return "SessionChange"
 	case svc.PreShutdown:
 		return "PreShutdown"
+	case cmdUninstallWinTun:
+		return "(Application Defined) Uninstall WinTun"
 	}
 	return fmt.Sprintf("Unknown-Service-Cmd-%d", c)
 }
@@ -244,17 +274,24 @@ func beWindowsSubprocess() bool {
 		log.Printf("Error reading environment config: %v", err)
 	}

+	ctx, cancel := context.WithCancel(context.Background())
 	go func() {
 		b := make([]byte, 16)
 		for {
 			_, err := os.Stdin.Read(b)
+			if err == io.EOF {
+				// Parent wants us to shut down gracefully.
+				log.Printf("subproc received EOF from stdin")
+				cancel()
+				return
+			}
 			if err != nil {
 				log.Fatalf("stdin err (parent process died): %v", err)
 			}
 		}
 	}()

-	err := startIPNServer(context.Background(), log.Printf, logid)
+	err := startIPNServer(ctx, log.Printf, logid)
 	if err != nil {
 		log.Fatalf("ipnserver: %v", err)
 	}
@@ -336,8 +373,9 @@ func babysitProc(ctx context.Context, args []string, logf logger.Logf) {
 	}

 	var proc struct {
-		mu sync.Mutex
-		p  *os.Process
+		mu     sync.Mutex
+		p      *os.Process
+		wStdin *os.File
 	}

 	done := make(chan struct{})
@@ -349,15 +387,18 @@ func babysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		case sig = <-interrupt:
 			logf("babysitProc: got signal: %v", sig)
 			close(done)
+			proc.mu.Lock()
+			proc.p.Signal(sig)
+			proc.mu.Unlock()
 		case <-ctx.Done():
 			logf("babysitProc: context done")
-			sig = os.Kill
 			close(done)
+			proc.mu.Lock()
+			// Closing wStdin gives the subprocess a chance to shut down cleanly,
+			// which is important for cleaning up DNS settings etc.
+			proc.wStdin.Close()
+			proc.mu.Unlock()
 		}
-
-		proc.mu.Lock()
-		proc.p.Signal(sig)
-		proc.mu.Unlock()
 	}()

 	bo := backoff.NewBackoff("babysitProc", logf, 30*time.Second)
@@ -419,6 +460,7 @@ func babysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		} else {
 			proc.mu.Lock()
 			proc.p = cmd.Process
+			proc.wStdin = wStdin
 			proc.mu.Unlock()

 			err = cmd.Wait()
@@ -447,3 +489,15 @@ func babysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		}
 	}
 }
+
+func uninstallWinTun(logf logger.Logf) {
+	dll := windows.NewLazyDLL("wintun.dll")
+	if err := dll.Load(); err != nil {
+		logf("Cannot load wintun.dll for uninstall: %v", err)
+		return
+	}
+
+	logf("Removing wintun driver...")
+	err := wintun.Uninstall()
+	logf("Uninstall: %v", err)
+}
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -115,9 +115,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 	}
 	ns.ProcessLocalIPs = true
 	ns.ProcessSubnets = true
-	if err := ns.Start(); err != nil {
-		log.Fatalf("failed to start netstack: %v", err)
-	}
+
 	dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 		return true
 	}
@@ -127,16 +125,17 @@ func newIPN(jsConfig js.Value) map[string]any {

 	logid := lpc.PublicID.String()
 	srv := ipnserver.New(logf, logid)
-
 	lb, err := ipnlocal.NewLocalBackend(logf, logid, store, "wasm", dialer, eng, controlclient.LoginEphemeral)
 	if err != nil {
 		log.Fatalf("ipnlocal.NewLocalBackend: %v", err)
 	}
+	if err := ns.Start(lb); err != nil {
+		log.Fatalf("failed to start netstack: %v", err)
+	}
 	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
 		return smallzstd.NewDecoder(nil)
 	})
 	srv.SetLocalBackend(lb)
-	ns.SetLocalBackend(lb)

 	jsIPN := &jsIPN{
 		dialer:     dialer,
--- a/cmd/viewer/tests/tests_clone.go
+++ b/cmd/viewer/tests/tests_clone.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

--- a/cmd/viewer/tests/tests_view.go
+++ b/cmd/viewer/tests/tests_view.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -29,6 +29,7 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
+	"time"

 	"tailscale.com/types/opt"
 	"tailscale.com/version"
@@ -36,11 +37,12 @@ import (
 )

 var (
-	mu         sync.Mutex
-	set        = map[string]string{}
-	regStr     = map[string]*string{}
-	regBool    = map[string]*bool{}
-	regOptBool = map[string]*opt.Bool{}
+	mu          sync.Mutex
+	set         = map[string]string{}
+	regStr      = map[string]*string{}
+	regBool     = map[string]*bool{}
+	regOptBool  = map[string]*opt.Bool{}
+	regDuration = map[string]*time.Duration{}
 )

 func noteEnv(k, v string) {
@@ -97,6 +99,9 @@ func Setenv(envVar, val string) {
 	if p := regOptBool[envVar]; p != nil {
 		setOptBoolLocked(p, envVar, val)
 	}
+	if p := regDuration[envVar]; p != nil {
+		setDurationLocked(p, envVar, val)
+	}
 }

 // String returns the named environment variable, using os.Getenv.
@@ -159,6 +164,25 @@ func RegisterOptBool(envVar string) func() opt.Bool {
 	return func() opt.Bool { return *p }
 }

+// RegisterDuration returns a func that gets the named environment variable as a
+// duration, without a map lookup per call. It assumes that any mutations happen
+// via envknob.Setenv.
+func RegisterDuration(envVar string) func() time.Duration {
+	mu.Lock()
+	defer mu.Unlock()
+	p, ok := regDuration[envVar]
+	if !ok {
+		val := os.Getenv(envVar)
+		if val != "" {
+			noteEnvLocked(envVar, val)
+		}
+		p = new(time.Duration)
+		setDurationLocked(p, envVar, val)
+		regDuration[envVar] = p
+	}
+	return func() time.Duration { return *p }
+}
+
 func setBoolLocked(p *bool, envVar, val string) {
 	noteEnvLocked(envVar, val)
 	if val == "" {
@@ -185,6 +209,19 @@ func setOptBoolLocked(p *opt.Bool, envVar, val string) {
 	p.Set(b)
 }

+func setDurationLocked(p *time.Duration, envVar, val string) {
+	noteEnvLocked(envVar, val)
+	if val == "" {
+		*p = 0
+		return
+	}
+	var err error
+	*p, err = time.ParseDuration(val)
+	if err != nil {
+		log.Fatalf("invalid duration environment variable %s value %q", envVar, val)
+	}
+}
+
 // Bool returns the boolean value of the named environment variable.
 // If the variable is not set, it returns false.
 // An invalid value exits the binary with a failure.
--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,60 @@
+{
+  "nodes": {
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1671848398,
+        "narHash": "sha256-cJIIPd1kvCI6ne/S0facbiBNH7sZUzk405GfdSJPwZE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "bb0359be0a1a08c8d74412fe8c69aa2ffb3f477e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,157 @@
+# flake.nix describes a Nix source repository that provides
+# development builds of Tailscale and the fork of the Go compiler
+# toolchain that Tailscale maintains. It also provides a development
+# environment for working on tailscale, for use with "nix develop".
+#
+# For more information about this and why this file is useful, see:
+# https://nixos.wiki/wiki/Flakes
+#
+# Also look into direnv: https://direnv.net/, this can make it so that you can
+# automatically get your environment set up when you change folders into the
+# project.
+#
+# WARNING: currently, the packages provided by this flake are brittle,
+# and importing this flake into your own Nix configs is likely to
+# leave you with broken builds periodically.
+#
+# The issue is that building Tailscale binaries uses the buildGoModule
+# helper from nixpkgs. This helper demands to know the content hash of
+# all of the Go dependencies of this repo, in the form of a Nix SRI
+# hash. This hash isn't automatically kept in sync with changes made
+# to go.mod yet, and so every time we update go.mod while hacking on
+# Tailscale, this flake ends up with a broken build due to hash
+# mismatches.
+#
+# Right now, this flake is intended for use by Tailscale developers,
+# who are aware of this mismatch and willing to live with it. At some
+# point, we'll add automation to keep the hashes more in sync, at
+# which point this caveat should go away.
+#
+# See https://github.com/tailscale/tailscale/issues/6845 for tracking
+# how to fix this mismatch.
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+    # Used by shell.nix as a compat shim.
+    flake-compat = {
+      url = "github:edolstra/flake-compat";
+      flake = false;
+    };
+  };
+
+  outputs = { self, nixpkgs, flake-utils, flake-compat }: let
+    # Grab a helper func out of the Nix language libraries. Annoyingly
+    # these are only accessible through legacyPackages right now,
+    # which forces us to indirect through a platform-specific
+    # path. The x86_64-linux in here doesn't really matter, since all
+    # we're grabbing is a pure Nix string manipulation function that
+    # doesn't build any software.
+    fileContents = nixpkgs.legacyPackages.x86_64-linux.lib.fileContents;
+
+    tailscale-go-rev = fileContents ./go.toolchain.rev;
+    tailscale-go-sri = fileContents ./go.toolchain.sri;
+
+    # pkgsWithTailscaleGo takes a nixpkgs package set, and replaces
+    # its Go 1.19 compiler with tailscale's fork.
+    #
+    # We need to do this because the buildGoModule helper function is
+    # constructed with legacy nix imports, so we cannot construct a
+    # buildGoModule variant that uses tailscale's toolchain. Instead,
+    # we have to replace the toolchain in nixpkgs, and let lazy
+    # evaluation propagate it into the nixpkgs instance of
+    # buildGoModule.
+    #
+    # This is a bit roundabout, but there doesn't seem to be a more
+    # elegant way of resolving the impedance mismatch between legacy
+    # nixpkgs style imports and flake semantics, unless upstream
+    # nixpkgs exposes the buildGoModule constructor func explicitly.
+    pkgsWithTailscaleGo = pkgs: pkgs.extend (final: prev: rec {
+      tailscale_go = prev.lib.overrideDerivation prev.go_1_19 (attrs: rec {
+        name = "tailscale-go-${version}";
+        version = tailscale-go-rev;
+        src = pkgs.fetchFromGitHub {
+          owner = "tailscale";
+          repo = "go";
+          rev = tailscale-go-rev;
+          sha256 = tailscale-go-sri;
+        };
+        nativeBuildInputs = attrs.nativeBuildInputs ++ [ pkgs.git ];
+		    # Remove dependency on xcbuild as that causes iOS/macOS builds to fail.
+        propagatedBuildInputs = [];
+        checkPhase = "";
+        TAILSCALE_TOOLCHAIN_REV = tailscale-go-rev;
+      });
+      # Override go_1_19 so that buildGo119Module below uses
+      # tailscale's toolchain as well.
+      go_1_19 = tailscale_go;
+    });
+
+    # tailscaleRev is the git commit at which this flake was imported,
+    # or the empty string when building from a local checkout of the
+    # tailscale repo.
+    tailscaleRev = if builtins.hasAttr "rev" self then self.rev else "";
+    # tailscale takes a nixpkgs package set, and builds Tailscale from
+    # the same commit as this flake. IOW, it provides "tailscale built
+    # from HEAD", where HEAD is "whatever commit you imported the
+    # flake at".
+    #
+    # This is currently unfortunately brittle, because we have to
+    # specify vendorSha256, and that sha changes any time we alter
+    # go.mod. We don't want to force a nix dependency on everyone
+    # hacking on Tailscale, so this flake is likely to have broken
+    # builds periodically until somoene comes through and manually
+    # fixes them up. I sure wish there was a way to express "please
+    # just trust the local go.mod, vendorSha256 has no benefit here",
+    # but alas.
+    #
+    # So really, this flake is for tailscale devs to dogfood with, if
+    # you're an end user you should be prepared for this flake to not
+    # build periodically.
+    tailscale = pkgs: pkgs.buildGo119Module rec {
+      name = "tailscale";
+
+      src = ./.;
+      vendorSha256 = fileContents ./go.mod.sri;
+      nativeBuildInputs = pkgs.lib.optionals pkgs.stdenv.isLinux [ pkgs.makeWrapper pkgs.git ];
+      ldflags = ["-X tailscale.com/version.GitCommit=${tailscaleRev}"];
+      CGO_ENABLED = 0;
+      subPackages = [ "cmd/tailscale" "cmd/tailscaled" ];
+      doCheck = false;
+      postInstall = pkgs.lib.optionalString pkgs.stdenv.isLinux ''
+        wrapProgram $out/bin/tailscaled --prefix PATH : ${pkgs.lib.makeBinPath [ pkgs.iproute2 pkgs.iptables pkgs.getent pkgs.shadow ]}
+        wrapProgram $out/bin/tailscale --suffix PATH : ${pkgs.lib.makeBinPath [ pkgs.procps ]}
+
+        sed -i -e "s#/usr/sbin#$out/bin#" -e "/^EnvironmentFile/d" ./cmd/tailscaled/tailscaled.service
+        install -D -m0444 -t $out/lib/systemd/system ./cmd/tailscaled/tailscaled.service
+      '';
+    };
+
+    # This whole blob makes the tailscale package available for all
+    # OS/CPU combos that nix supports, as well as a dev shell so that
+    # "nix develop" and "nix-shell" give you a dev env.
+    flakeForSystem = nixpkgs: system: let
+      upstreamPkgs = nixpkgs.legacyPackages.${system};
+      pkgs = pkgsWithTailscaleGo upstreamPkgs;
+      ts = tailscale pkgs;
+    in {
+      packages = {
+        tailscale-go = pkgs.tailscale-go;
+        tailscale = ts;
+      };
+      devShell = pkgs.mkShell {
+        packages = with upstreamPkgs; [
+          curl
+          git
+          gopls
+          gotools
+          graphviz
+          perl
+          pkgs.tailscale_go
+        ];
+      };
+    };
+  in
+    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
+}
+# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=
--- a/go.mod
+++ b/go.mod
@@ -24,16 +24,19 @@ require (
 	github.com/frankban/quicktest v1.14.0
 	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/go-json-experiment/json v0.0.0-20221017203807-c5ed296b8c92
+	github.com/go-logr/zapr v1.2.3
 	github.com/go-ole/go-ole v1.2.6
 	github.com/godbus/dbus/v5 v5.0.6
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 	github.com/google/go-cmp v0.5.8
+	github.com/google/go-containerregistry v0.9.0
 	github.com/google/uuid v1.3.0
 	github.com/goreleaser/nfpm v1.10.3
 	github.com/hdevalence/ed25519consensus v0.0.0-20220222234857-c00d1f31bab3
 	github.com/iancoleman/strcase v0.2.0
 	github.com/illarion/gonotify v1.0.1
-	github.com/insomniacslk/dhcp v0.0.0-20211209223715-7d93572ebe8e
+	github.com/insomniacslk/dhcp v0.0.0-20221215072855-de60144f33f8
+	github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531
 	github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.15.4
@@ -57,28 +60,35 @@ require (
 	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
 	github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
+	github.com/tailscale/wireguard-go v0.0.0-20221219190806-4fa124729667
 	github.com/tc-hib/winres v0.1.6
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	github.com/u-root/u-root v0.9.1-0.20221111022710-6e9699743f5d
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
+	go.uber.org/zap v1.21.0
 	go4.org/mem v0.0.0-20210711025021-927187094b94
 	go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf
-	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
-	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
-	golang.org/x/net v0.1.0
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
-	golang.org/x/sys v0.1.0
-	golang.org/x/term v0.1.0
-	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
-	golang.org/x/tools v0.1.12
-	golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c
+	golang.org/x/crypto v0.3.0
+	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db
+	golang.org/x/net v0.2.0
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
+	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.3.1-0.20221220025402-2204b6615fb8
+	golang.org/x/term v0.2.0
+	golang.org/x/time v0.0.0-20220609170525-579cf78fd858
+	golang.org/x/tools v0.2.0
+	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5
+	gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0
 	honnef.co/go/tools v0.4.0-0.dev.0.20220517111757-f4a2f64ce238
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/wf v0.0.0-20220728202103-50d96caab2f6
+	k8s.io/api v0.25.0
+	k8s.io/apimachinery v0.25.0
 	nhooyr.io/websocket v1.8.7
+	sigs.k8s.io/controller-runtime v0.13.1
+	sigs.k8s.io/yaml v1.3.0
 	software.sslmate.com/src/go-pkcs12 v0.2.0
 )

@@ -87,7 +97,7 @@ require (
 	filippo.io/edwards25519 v1.0.0-rc.1 // indirect
 	github.com/Antonboom/errname v0.1.5 // indirect
 	github.com/Antonboom/nilnil v0.1.0 // indirect
-	github.com/BurntSushi/toml v1.1.0 // indirect
+	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/Djarvur/go-err113 v0.1.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
@@ -95,6 +105,8 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/OpenPeeDeeP/depguard v1.0.1 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
 	github.com/ashanbrown/forbidigo v1.2.0 // indirect
@@ -130,18 +142,25 @@ require (
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/docker v20.10.16+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/esimonov/ifshort v1.0.3 // indirect
 	github.com/ettle/strcase v0.1.1 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fatih/structtag v1.2.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/fzipp/gocyclo v0.3.1 // indirect
 	github.com/gliderlabs/ssh v0.3.3 // indirect
 	github.com/go-critic/go-critic v0.6.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect
 	github.com/go-git/go-git/v5 v5.4.2 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.5 // indirect
+	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/go-toolsmith/astcast v1.0.0 // indirect
 	github.com/go-toolsmith/astcopy v1.0.0 // indirect
 	github.com/go-toolsmith/astequal v1.0.1 // indirect
@@ -152,6 +171,7 @@ require (
 	github.com/go-xmlfmt/xmlfmt v0.0.0-20211206191508-7fd73a941850 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 // indirect
 	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
@@ -164,7 +184,8 @@ require (
 	github.com/golangci/revgrep v0.0.0-20210930125155-c22e5001d4f2 // indirect
 	github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/go-containerregistry v0.9.0 // indirect
+	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 // indirect
 	github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1 // indirect
 	github.com/gordonklaus/ineffassign v0.0.0-20210914165742-4cc7213b9bc8 // indirect
@@ -185,7 +206,7 @@ require (
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
 	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/josharian/native v1.0.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/julz/importas v0.0.0-20210922140945-27e0a5d4dee2 // indirect
 	github.com/kevinburke/ssh_config v1.1.0 // indirect
@@ -200,10 +221,11 @@ require (
 	github.com/ldez/gomoddirectives v0.2.2 // indirect
 	github.com/ldez/tagliatelle v0.2.0 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/maratori/testpackage v1.0.1 // indirect
 	github.com/matoous/godox v0.0.0-20210227103229-6504466cf951 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mbilski/exhaustivestruct v1.2.0 // indirect
 	github.com/mdlayher/socket v0.2.3 // indirect
 	github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517 // indirect
@@ -212,7 +234,10 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/moricho/tparallel v0.2.1 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
@@ -227,7 +252,7 @@ require (
 	github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/polyfloyd/go-errorlint v0.0.0-20211125173453-6d6d39c5bb8b // indirect
-	github.com/prometheus/client_golang v1.11.0 // indirect
+	github.com/prometheus/client_golang v1.12.2 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
@@ -262,7 +287,7 @@ require (
 	github.com/timakin/bodyclose v0.0.0-20210704033933-f49887972144 // indirect
 	github.com/tomarrell/wrapcheck/v2 v2.4.0 // indirect
 	github.com/tommy-muehle/go-mnd/v2 v2.4.0 // indirect
-	github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 // indirect
+	github.com/u-root/uio v0.0.0-20221213070652-c3537552635f // indirect
 	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/ultraware/funlen v0.0.3 // indirect
 	github.com/ultraware/whitespace v0.0.4 // indirect
@@ -272,19 +297,31 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.1 // indirect
 	github.com/yeya24/promlinter v0.1.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb // indirect
 	golang.org/x/image v0.0.0-20201208152932-35266b937fa6 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
-	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
+	k8s.io/apiextensions-apiserver v0.25.0 // indirect
+	k8s.io/client-go v0.25.0 // indirect
+	k8s.io/component-base v0.25.0 // indirect
+	k8s.io/klog/v2 v2.70.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
+	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
 	mvdan.cc/gofumpt v0.2.0 // indirect
 	mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
 	mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
 	mvdan.cc/unparam v0.0.0-20211002134041-24922b6997ca // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -0,0 +1 @@
+sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=
--- a/go.sum
+++ b/go.sum
@@ -61,8 +61,8 @@ github.com/Antonboom/nilnil v0.1.0 h1:DLDavmg0a6G/F4Lt9t7Enrbgb3Oph6LnDE6YVsmTt7
 github.com/Antonboom/nilnil v0.1.0/go.mod h1:PhHLvRPSghY5Y7mX4TW+BHZQYo1A8flE5H20D3IPZBo=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
-github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
+github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Djarvur/go-err113 v0.0.0-20200511133814-5174e21577d5/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
@@ -92,6 +92,10 @@ github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmU
 github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
 github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3 h1:XcF0cTDJeiuZ5NU8w7WUDge0HRwwNRmxj/GGk6KSA6g=
 github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
+github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
 github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
@@ -167,6 +171,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.11.1 h1:QKR7wy5e650q70PFKMfGF9sTo0rZ
 github.com/aws/aws-sdk-go-v2/service/sts v1.11.1/go.mod h1:UV2N5HaPfdbDpkgkz4sRzWCvQswZjdO1FfqCWl0t7RA=
 github.com/aws/smithy-go v1.9.0 h1:c7FUdEqrQA1/UVKKCNDFQPNKGp4FQg3YW4Ck5SLTG58=
 github.com/aws/smithy-go v1.9.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
+github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -263,10 +269,13 @@ github.com/docker/docker v20.10.16+incompatible h1:2Db6ZR/+FUR3hqPMwnogOPHFn405c
 github.com/docker/docker v20.10.16+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o=
 github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dsnet/try v0.0.3 h1:ptR59SsrcFUYbT/FhAbKTV6iLkeD6O18qfIWRml2fqI=
 github.com/dsnet/try v0.0.3/go.mod h1:WBM8tRpUmnXXhY1U6/S8dt6UWdHTQ7y8A5YSkRCkq40=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw=
+github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -282,6 +291,11 @@ github.com/esimonov/ifshort v1.0.3 h1:JD6x035opqGec5fZ0TLjXeROD2p5H7oLGn8MKfy9HT
 github.com/esimonov/ifshort v1.0.3/go.mod h1:yZqNJUrNn20K8Q9n2CrjTKYyVEmX209Hgu+M1LBpeZE=
 github.com/ettle/strcase v0.1.1 h1:htFueZyVeE1XNnMEfbqp5r67qAN/4r6ya1ysq8Q+Zcw=
 github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
+github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/evanw/esbuild v0.14.53 h1:9uU73SZUmP1jRQhaC6hPm9aoqFGYlPwfk7OrhG6AhpQ=
 github.com/evanw/esbuild v0.14.53/go.mod h1:iINY06rn799hi48UqEnaQvVfZWe6W9bET78LbvN8VWk=
 github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
@@ -297,8 +311,9 @@ github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzP
 github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
 github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
+github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
+github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
 github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
 github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
@@ -340,10 +355,25 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
+github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A=
+github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4=
 github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
 github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM=
+github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
+github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
 github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
@@ -396,6 +426,7 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -468,6 +499,8 @@ github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs=
+github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54=
+github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -486,6 +519,8 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-containerregistry v0.9.0 h1:5Ths7RjxyFV0huKChQTgY6fLzvHhZMpLTFNja8U0/0w=
 github.com/google/go-containerregistry v0.9.0/go.mod h1:9eq4BnSufyT1kHNffX+vSXVonaJ7yaIOulrKZejMxnQ=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 h1:CVuJwN34x4xM2aT4sIKhmeib40NeBPhRihNjQmpJsA4=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2/go.mod h1:nOFQdrUlIlx6M6ODdSpBj1NVA+VgLC6kmw60mkw34H4=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -626,8 +661,8 @@ github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/insomniacslk/dhcp v0.0.0-20211209223715-7d93572ebe8e h1:IQpunlq7T+NiJJMO7ODYV2YWBiv/KnObR3gofX0mWOo=
-github.com/insomniacslk/dhcp v0.0.0-20211209223715-7d93572ebe8e/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
+github.com/insomniacslk/dhcp v0.0.0-20221215072855-de60144f33f8 h1:Z72DOke2yOK0Ms4Z2LK1E1OrRJXOxSj5DllTz2FYTRg=
+github.com/insomniacslk/dhcp v0.0.0-20221215072855-de60144f33f8/go.mod h1:m5WMe03WCvWcXjRnhvaAbAAXdCnu20J5P+mmH44ZzpE=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -651,8 +686,11 @@ github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhB
 github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
-github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531 h1:3HNVAxEgGca1i23Ai/8DeCmibx02jBvTHAT11INaVfU=
+github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/txtarfs v0.0.0-20210218200122-0702f000015a/go.mod h1:izVPOvVRsHiKkeGCT6tYBNWyDVuzj9wAaBb5R9qamfw=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
@@ -743,6 +781,10 @@ github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
 github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/maratori/testpackage v1.0.1 h1:QtJ5ZjqapShm0w5DosRjg0PRlSdAdlx+W6cCKoALdbQ=
 github.com/maratori/testpackage v1.0.1/go.mod h1:ddKdw+XG0Phzhx8BFDTKgpWP4i7MpApTE5fXSKAqwDU=
 github.com/matoous/godox v0.0.0-20190911065817-5d6d842e92eb/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s=
@@ -776,8 +818,9 @@ github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw=
-github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
+github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mbilski/exhaustivestruct v1.1.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc=
 github.com/mbilski/exhaustivestruct v1.2.0 h1:wCBmUnSYufAHO6J4AVWY6ff+oxWxsVFrwgOdMUQePUo=
 github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc=
@@ -846,6 +889,8 @@ github.com/moricho/tparallel v0.2.1/go.mod h1:fXEIZxG2vdfl0ZF8b42f5a78EhjjD5mX8q
 github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8=
 github.com/mozilla/tls-observatory v0.0.0-20200317151703-4fa42e1c2dee/go.mod h1:SrKMQvPiws7F7iqYp8/TX+IhxCYhzr6N/1yb8cwHsGk=
 github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo=
@@ -882,6 +927,7 @@ github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9k
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
+github.com/onsi/ginkgo/v2 v2.1.4 h1:GNapqRSid3zijZ9H77KrgVG4/8KqiyRsxcSxe+7ApXY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@@ -938,8 +984,9 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_golang v1.12.2 h1:51L9cDoUHVrXx4zWYlcLQIZ+d+VXHgqnYKkIuq4g/34=
+github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -1042,6 +1089,7 @@ github.com/sourcegraph/go-diff v0.6.1 h1:hmA1LzxW0n1c3Q4YbrFgg4P99GSnebYa3x8gr0H
 github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.4.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.5.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY=
@@ -1072,6 +1120,7 @@ github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhU
 github.com/ssgreg/nlreturn/v2 v2.1.0/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I=
 github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YEwQ0=
 github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I=
+github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
@@ -1108,6 +1157,8 @@ github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89 h1:7xU7AFQE83h0wz/
 github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89/go.mod h1:OGMqrTzDqmJkGumUTtOv44Rp3/4xS+QFbE8Rn0AGlaU=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
+github.com/tailscale/wireguard-go v0.0.0-20221219190806-4fa124729667 h1:etWp6uUwKu8NEj37K2OuMBnZ7EnVMKA7gJg5AqPFy/o=
+github.com/tailscale/wireguard-go v0.0.0-20221219190806-4fa124729667/go.mod h1:iiClgxBTruKI+nmzlQxbFw6c3nB/wb4Td/WCyX2berY=
 github.com/tc-hib/winres v0.1.6 h1:qgsYHze+BxQPEYilxIz/KCQGaClvI2+yLBAZs+3+0B8=
 github.com/tc-hib/winres v0.1.6/go.mod h1:pe6dOR40VOrGz8PkzreVKNvEKnlE8t4yR8A8naL+t7A=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
@@ -1145,9 +1196,8 @@ github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9r
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
 github.com/u-root/u-root v0.9.1-0.20221111022710-6e9699743f5d h1:sT5Q2xFrqgm/3yrCkVLkVuEFpG07UXz9ALqxxN1SmZc=
 github.com/u-root/u-root v0.9.1-0.20221111022710-6e9699743f5d/go.mod h1:jMbuI3nENTNzHW9mYwQ57b8/DSuJTq+joYY18x/WGxE=
-github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
-github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 h1:hl6sK6aFgTLISijk6xIzeqnPzQcsLqqvL6vEfTPinME=
-github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
+github.com/u-root/uio v0.0.0-20221213070652-c3537552635f h1:dpx1PHxYqAnXzbryJrWP1NQLzEjwcVgFLhkknuFQ7ww=
+github.com/u-root/uio v0.0.0-20221213070652-c3537552635f/go.mod h1:IogEAUBXDEwX7oR/BMmCctShYs80ql4hF0ySdzGxf7E=
 github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
@@ -1226,15 +1276,23 @@ go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqe
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
+go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
+go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
+go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
+go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
+go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
+go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8=
+go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
 go4.org/intern v0.0.0-20211027215823-ae77deb06f29 h1:UXLjNohABv4S58tHmeuIZDO6e3mHpW2Dx33gaNt03LE=
 go4.org/mem v0.0.0-20210711025021-927187094b94 h1:OAAkygi2Js191AJP1Ds42MhJRgeofeKGjuoUqNp1QC4=
 go4.org/mem v0.0.0-20210711025021-927187094b94/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
@@ -1267,8 +1325,8 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f h1:OeJjE6G4dgCY4PIXvIRQbE8+RX+uXZyGhUy/ksMGJoc=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1280,8 +1338,8 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
-golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
-golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
+golang.org/x/exp v0.0.0-20221205204356-47842c84f3db h1:D/cFflL63o2KSLJIwjlcIt8PR064j/xsmdEJL/YvY/o=
+golang.org/x/exp v0.0.0-20221205204356-47842c84f3db/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb h1:fP6C8Xutcp5AlakmT/SkQot0pMicROAsEX7OfNPuG10=
 golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
@@ -1313,8 +1371,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
+golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1375,8 +1433,8 @@ golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1393,6 +1451,8 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1405,8 +1465,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1490,7 +1550,6 @@ golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1510,15 +1569,18 @@ golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.1-0.20221220025402-2204b6615fb8 h1:/VqMvhQCyzfuc826eNrpWmMb3AwD2Sxz/HMsYIhwcIs=
+golang.org/x/sys v0.3.1-0.20221220025402-2204b6615fb8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1535,8 +1597,8 @@ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 h1:GZokNIeuVkl3aZHJchRrr13WCsols02MLUcz1U9is6M=
-golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U=
+golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1648,18 +1710,18 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.8-0.20211102182255-bb4add04ddef/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
+golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c h1:Okh6a1xpnJslG9Mn84pId1Mn+Q8cvpo4HCeeFWHo0cA=
-golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c/go.mod h1:enML0deDxY1ux+B6ANGiwtg0yAJi1rctkTpcHNAVPyg=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
+gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
+gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1696,6 +1758,7 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww
 google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -1734,6 +1797,7 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
@@ -1812,6 +1876,8 @@ gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -1839,9 +1905,9 @@ gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
-gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5 h1:cv/zaNV0nr1mJzaeo4S5mHIm5va1W0/9J3/5prlsuRM=
-gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 h1:Wobr37noukisGxpKo5jAsLREcpj61RxrWYzD8uwveOY=
+gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1860,6 +1926,23 @@ inet.af/peercred v0.0.0-20210906144145-0893ea02156a h1:qdkS8Q5/i10xU2ArJMKYhVa1D
 inet.af/peercred v0.0.0-20210906144145-0893ea02156a/go.mod h1:FjawnflS/udxX+SvpsMgZfdqx2aykOlkISeAsADi5IU=
 inet.af/wf v0.0.0-20220728202103-50d96caab2f6 h1:BfgDtKnWJTeu+xI1aOEweXdPwqOhB3IbQUDj1XuftcY=
 inet.af/wf v0.0.0-20220728202103-50d96caab2f6/go.mod h1:bSAQ38BYbY68uwpasXOTZo22dKGy9SNvI6PZFeKomZE=
+k8s.io/api v0.25.0 h1:H+Q4ma2U/ww0iGB78ijZx6DRByPz6/733jIuFpX70e0=
+k8s.io/api v0.25.0/go.mod h1:ttceV1GyV1i1rnmvzT3BST08N6nGt+dudGrquzVQWPk=
+k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY=
+k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E=
+k8s.io/apimachinery v0.25.0 h1:MlP0r6+3XbkUG2itd6vp3oxbtdQLQI94fD5gCS+gnoU=
+k8s.io/apimachinery v0.25.0/go.mod h1:qMx9eAk0sZQGsXGu86fab8tZdffHbwUfsvzqKn4mfB0=
+k8s.io/client-go v0.25.0 h1:CVWIaCETLMBNiTUta3d5nzRbXvY5Hy9Dpl+VvREpu5E=
+k8s.io/client-go v0.25.0/go.mod h1:lxykvypVfKilxhTklov0wz1FoaUZ8X4EwbhS6rpRfN8=
+k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y=
+k8s.io/component-base v0.25.0/go.mod h1:F2Sumv9CnbBlqrpdf7rKZTmmd2meJq0HizeyY/yAFxk=
+k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
+k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ=
+k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA=
+k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
+k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4=
+k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 mvdan.cc/gofumpt v0.0.0-20200802201014-ab5a8192947d/go.mod h1:bzrjFmaD6+xqohD3KYP0H2FEuxknnBmyyOxdhLdaIws=
 mvdan.cc/gofumpt v0.0.0-20201129102820-5c11c50e9475/go.mod h1:E4LOcu9JQEtnYXtB1Y51drqh2Qr2Ngk9J3YrRCwcbd0=
 mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
@@ -1878,7 +1961,15 @@ nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg=
+sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
+sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
+sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20180114231543-2291e8f0f237/go.mod h1:/xvNRWUqm0+/ZMiF4EX00vrSCMsE4/NHb+Pt3freEeQ=
 software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
 software.sslmate.com/src/go-pkcs12 v0.2.0/go.mod h1:23rNcYsMabIc1otwLpTkCCPwUq6kQsTyowttG/as0kQ=
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-3fd24dee31726924c1b61c8037a889b30b8aa0f6
+dc0ce6324d19b7539e8efebc64c94631615fd80a
--- a/go.toolchain.sri
+++ b/go.toolchain.sri
@@ -0,0 +1 @@
+sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI=
--- a/ipn/ipn_clone.go
+++ b/ipn/ipn_clone.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

--- a/ipn/ipn_view.go
+++ b/ipn/ipn_view.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -13,6 +13,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/http/httputil"
 	"net/netip"
 	"net/url"
 	"os"
@@ -206,7 +207,8 @@ type LocalBackend struct {
 	lastServeConfJSON mem.RO              // last JSON that was parsed into serveConfig
 	serveConfig       ipn.ServeConfigView // or !Valid if none

-	serveListeners map[netip.AddrPort]*serveListener // addrPort => serveListener
+	serveListeners     map[netip.AddrPort]*serveListener // addrPort => serveListener
+	serveProxyHandlers sync.Map                          // string (HTTPHandler.Proxy) => *httputil.ReverseProxy

 	// statusLock must be held before calling statusChanged.Wait() or
 	// statusChanged.Broadcast().
@@ -545,7 +547,7 @@ func (b *LocalBackend) sanitizedPrefsLocked() ipn.PrefsView {
 // Status returns the latest status of the backend and its
 // sub-components.
 func (b *LocalBackend) Status() *ipnstate.Status {
-	sb := new(ipnstate.StatusBuilder)
+	sb := &ipnstate.StatusBuilder{WantPeers: true}
 	b.UpdateStatus(sb)
 	return sb.Status()
 }
@@ -553,15 +555,19 @@ func (b *LocalBackend) Status() *ipnstate.Status {
 // StatusWithoutPeers is like Status but omits any details
 // of peers.
 func (b *LocalBackend) StatusWithoutPeers() *ipnstate.Status {
-	sb := new(ipnstate.StatusBuilder)
-	b.updateStatus(sb, nil)
+	sb := &ipnstate.StatusBuilder{WantPeers: false}
+	b.UpdateStatus(sb)
 	return sb.Status()
 }

 // UpdateStatus implements ipnstate.StatusUpdater.
 func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 	b.e.UpdateStatus(sb)
-	b.updateStatus(sb, b.populatePeerStatusLocked)
+	var extraLocked func(*ipnstate.StatusBuilder)
+	if sb.WantPeers {
+		extraLocked = b.populatePeerStatusLocked
+	}
+	b.updateStatus(sb, extraLocked)
 }

 // updateStatus populates sb with status.
@@ -829,7 +835,9 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		if err := b.pm.DeleteProfile(b.pm.CurrentProfile().ID); err != nil {
 			b.logf("error deleting profile: %v", err)
 		}
-		b.resetForProfileChangeLockedOnEntry()
+		if err := b.resetForProfileChangeLockedOnEntry(); err != nil {
+			b.logf("resetForProfileChangeLockedOnEntry err: %v", err)
+		}
 		return
 	}

@@ -851,9 +859,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		if !prefs.Persist.View().Equals(*st.Persist) {
 			prefsChanged = true
 			prefs.Persist = st.Persist.AsStruct()
-			if err := b.initTKALocked(); err != nil {
-				b.logf("initTKALocked: %v", err)
-			}
 		}
 	}
 	if st.URL != "" {
@@ -873,7 +878,26 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	if findExitNodeIDLocked(prefs, st.NetMap) {
 		prefsChanged = true
 	}
-	// Prefs will be written out; this is not safe unless locked or cloned.
+
+	// Perform all mutations of prefs based on the netmap here.
+	if st.NetMap != nil {
+		if b.updatePersistFromNetMapLocked(st.NetMap, prefs) {
+			prefsChanged = true
+		}
+	}
+	// Prefs will be written out if stale; this is not safe unless locked or cloned.
+	if prefsChanged {
+		if err := b.pm.SetPrefs(prefs.View()); err != nil {
+			b.logf("Failed to save new controlclient state: %v", err)
+		}
+	}
+	// initTKALocked is dependent on CurrentProfile.ID, which is initialized
+	// (for new profiles) on the first call to b.pm.SetPrefs.
+	if err := b.initTKALocked(); err != nil {
+		b.logf("initTKALocked: %v", err)
+	}
+
+	// Perform all reconfiguration based on the netmap here.
 	if st.NetMap != nil {
 		b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLockAlpha)

@@ -896,18 +920,9 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		if !envknob.TKASkipSignatureCheck() {
 			b.tkaFilterNetmapLocked(st.NetMap)
 		}
-		if b.updatePersistFromNetMapLocked(st.NetMap, prefs) {
-			prefsChanged = true
-		}
 		b.setNetMapLocked(st.NetMap)
 		b.updateFilterLocked(st.NetMap, prefs.View())
 	}
-
-	if prefsChanged {
-		if err := b.pm.SetPrefs(prefs.View()); err != nil {
-			b.logf("Failed to save new controlclient state: %v", err)
-		}
-	}
 	b.mu.Unlock()

 	// Now complete the lock-free parts of what we started while locked.
@@ -2353,6 +2368,9 @@ func (b *LocalBackend) checkPrefsLocked(p *ipn.Prefs) error {
 	if err := b.checkSSHPrefsLocked(p); err != nil {
 		errs = append(errs, err)
 	}
+	if err := b.checkExitNodePrefsLocked(p); err != nil {
+		errs = append(errs, err)
+	}
 	return multierr.New(errs...)
 }

@@ -2432,6 +2450,13 @@ func (b *LocalBackend) isDefaultServerLocked() bool {
 	return prefs.ControlURLOrDefault() == ipn.DefaultControlURL
 }

+func (b *LocalBackend) checkExitNodePrefsLocked(p *ipn.Prefs) error {
+	if (p.ExitNodeIP.IsValid() || p.ExitNodeID != "") && p.AdvertisesExitNode() {
+		return errors.New("Cannot advertise an exit node and use an exit node at the same time.")
+	}
+	return nil
+}
+
 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (ipn.PrefsView, error) {
 	b.mu.Lock()
 	if mp.EggSet {
@@ -2818,8 +2843,8 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs ipn.PrefsView, logf logger.
 	}

 	// selfV6Only is whether we only have IPv6 addresses ourselves.
-	selfV6Only := tsaddr.PrefixesContainsFunc(nm.Addresses, tsaddr.PrefixIs6) &&
-		!tsaddr.PrefixesContainsFunc(nm.Addresses, tsaddr.PrefixIs4)
+	selfV6Only := slices.ContainsFunc(nm.Addresses, tsaddr.PrefixIs6) &&
+		!slices.ContainsFunc(nm.Addresses, tsaddr.PrefixIs4)
 	dcfg.OnlyIPv6 = selfV6Only

 	// Populate MagicDNS records. We do this unconditionally so that
@@ -2835,7 +2860,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs ipn.PrefsView, logf logger.
 		if err != nil {
 			return // TODO: propagate error?
 		}
-		have4 := tsaddr.PrefixesContainsFunc(addrs, tsaddr.PrefixIs4)
+		have4 := slices.ContainsFunc(addrs, tsaddr.PrefixIs4)
 		var ips []netip.Addr
 		for _, addr := range addrs {
 			if selfV6Only {
@@ -3249,7 +3274,7 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs ipn.PrefsView, oneC
 		}
 	}

-	if tsaddr.PrefixesContainsFunc(rs.LocalAddrs, tsaddr.PrefixIs4) {
+	if slices.ContainsFunc(rs.LocalAddrs, tsaddr.PrefixIs4) {
 		rs.Routes = append(rs.Routes, netip.PrefixFrom(tsaddr.TailscaleServiceIP(), 32))
 	}

@@ -3750,6 +3775,9 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn.
 			return true
 		})
 		handlePorts = append(handlePorts, servePorts...)
+
+		b.setServeProxyHandlersLocked()
+
 		// don't listen on netmap addresses if we're in userspace mode
 		if !wgengine.IsNetstack(b.e) {
 			b.updateServeTCPPortNetMapAddrListenersLocked(servePorts)
@@ -3765,6 +3793,49 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn.
 	b.setTCPPortsIntercepted(handlePorts)
 }

+// setServeProxyHandlersLocked ensures there is an http proxy handler for each
+// backend specified in serveConfig. It expects serveConfig to be valid and
+// up-to-date, so should be called after reloadServeConfigLocked.
+func (b *LocalBackend) setServeProxyHandlersLocked() {
+	if !b.serveConfig.Valid() {
+		return
+	}
+	var backends map[string]bool
+	b.serveConfig.Web().Range(func(_ ipn.HostPort, conf ipn.WebServerConfigView) (cont bool) {
+		conf.Handlers().Range(func(_ string, h ipn.HTTPHandlerView) (cont bool) {
+			backend := h.Proxy()
+			mak.Set(&backends, backend, true)
+			if _, ok := b.serveProxyHandlers.Load(backend); ok {
+				return true
+			}
+
+			b.logf("serve: creating a new proxy handler for %s", backend)
+			p, err := b.proxyHandlerForBackend(backend)
+			if err != nil {
+				// The backend endpoint (h.Proxy) should have been validated by expandProxyTarget
+				// in the CLI, so just log the error here.
+				b.logf("[unexpected] could not create proxy for %v: %s", backend, err)
+				return true
+			}
+			b.serveProxyHandlers.Store(backend, p)
+			return true
+		})
+		return true
+	})
+
+	// Clean up handlers for proxy backends that are no longer present
+	// in configuration.
+	b.serveProxyHandlers.Range(func(key, value any) bool {
+		backend := key.(string)
+		if !backends[backend] {
+			b.logf("serve: closing idle connections to %s", backend)
+			value.(*httputil.ReverseProxy).Transport.(*http.Transport).CloseIdleConnections()
+			b.serveProxyHandlers.Delete(backend)
+		}
+		return true
+	})
+}
+
 // operatorUserName returns the current pref's OperatorUser's name, or the
 // empty string if none.
 func (b *LocalBackend) operatorUserName() string {
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -14,11 +14,13 @@ import (
 	"time"

 	"go4.org/netipx"
+	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tstest"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/wgengine"
@@ -744,6 +746,45 @@ func TestPacketFilterPermitsUnlockedNodes(t *testing.T) {

 }

+func TestStatusWithoutPeers(t *testing.T) {
+	logf := tstest.WhileTestRunningLogger(t)
+	store := new(testStateStorage)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
+	if err != nil {
+		t.Fatalf("NewFakeUserspaceEngine: %v", err)
+	}
+	t.Cleanup(e.Close)
+
+	b, err := NewLocalBackend(logf, "logid", store, "", nil, e, 0)
+	if err != nil {
+		t.Fatalf("NewLocalBackend: %v", err)
+	}
+	var cc *mockControl
+	b.SetControlClientGetterForTesting(func(opts controlclient.Options) (controlclient.Client, error) {
+		cc = newClient(t, opts)
+
+		t.Logf("ccGen: new mockControl.")
+		cc.called("New")
+		return cc, nil
+	})
+	b.Start(ipn.Options{})
+	b.Login(nil)
+	cc.send(nil, "", false, &netmap.NetworkMap{
+		MachineStatus: tailcfg.MachineAuthorized,
+		Addresses:     ipps("100.101.101.101"),
+		SelfNode: &tailcfg.Node{
+			Addresses: ipps("100.101.101.101"),
+		},
+	})
+	got := b.StatusWithoutPeers()
+	if got.TailscaleIPs == nil {
+		t.Errorf("got nil, expected TailscaleIPs value to not be nil")
+	}
+	if !reflect.DeepEqual(got.TailscaleIPs, got.Self.TailscaleIPs) {
+		t.Errorf("got %v, expected %v", got.TailscaleIPs, got.Self.TailscaleIPs)
+	}
+}
+
 // legacyBackend was the interface between Tailscale frontends
 // (e.g. cmd/tailscale, iOS/MacOS/Windows GUIs) and the tailscale
 // backend (e.g. cmd/tailscaled) running on the same machine.
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -300,6 +300,8 @@ func (b *LocalBackend) tkaApplyDisablementLocked(secret []byte) error {

 // chonkPathLocked returns the absolute path to the directory in which TKA
 // state (the 'tailchonk') is stored.
+//
+// b.mu must be held.
 func (b *LocalBackend) chonkPathLocked() string {
 	return filepath.Join(b.TailscaleVarRoot(), "tka-profiles", string(b.pm.CurrentProfile().ID))
 }
@@ -652,6 +654,9 @@ func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err err
 	if b.tka == nil {
 		return errNetworkLockNotActive
 	}
+	if !b.tka.authority.KeyTrusted(nlPriv.KeyID()) {
+		return errors.New("this node does not have a trusted tailnet lock key")
+	}

 	updater := b.tka.authority.NewUpdater(nlPriv)

--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"hash/adler32"
 	"hash/crc32"
 	"html"
 	"io"
@@ -47,6 +48,7 @@ import (
 	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/multierr"
 	"tailscale.com/util/strs"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
@@ -341,11 +343,68 @@ func (s *peerAPIServer) DeleteFile(baseName string) error {
 // accidentally logging actual filenames anywhere.
 const redacted = "redacted"

-func redactErr(err error) error {
-	if pe, ok := err.(*os.PathError); ok {
-		pe.Path = redacted
+type redactedErr struct {
+	msg   string
+	inner error
+}
+
+func (re *redactedErr) Error() string {
+	return re.msg
+}
+
+func (re *redactedErr) Unwrap() error {
+	return re.inner
+}
+
+func redactString(s string) string {
+	hash := adler32.Checksum([]byte(s))
+
+	var buf [len(redacted) + len(".12345678")]byte
+	b := append(buf[:0], []byte(redacted)...)
+	b = append(b, '.')
+	b = strconv.AppendUint(b, uint64(hash), 16)
+	return string(b)
+}
+
+func redactErr(root error) error {
+	// redactStrings is a list of sensitive strings that were redacted.
+	// It is not sufficient to just snub out sensitive fields in Go errors
+	// since some wrapper errors like fmt.Errorf pre-cache the error string,
+	// which would unfortunately remain unaffected.
+	var redactStrings []string
+
+	// Redact sensitive fields in known Go error types.
+	var unknownErrors int
+	multierr.Range(root, func(err error) bool {
+		switch err := err.(type) {
+		case *os.PathError:
+			redactStrings = append(redactStrings, err.Path)
+			err.Path = redactString(err.Path)
+		case *os.LinkError:
+			redactStrings = append(redactStrings, err.New, err.Old)
+			err.New = redactString(err.New)
+			err.Old = redactString(err.Old)
+		default:
+			unknownErrors++
+		}
+		return true
+	})
+
+	// If there are no redacted strings or no unknown error types,
+	// then we can return the possibly modified root error verbatim.
+	// Otherwise, we must replace redacted strings from any wrappers.
+	if len(redactStrings) == 0 || unknownErrors == 0 {
+		return root
 	}
-	return err
+
+	// Stringify and replace any paths that we found above, then return
+	// the error wrapped in a type that uses the newly-redacted string
+	// while also allowing Unwrap()-ing to the inner error type(s).
+	s := root.Error()
+	for _, toRedact := range redactStrings {
+		s = strings.ReplaceAll(s, toRedact, redactString(toRedact))
+	}
+	return &redactedErr{msg: s, inner: root}
 }

 func touchFile(path string) error {
@@ -607,6 +666,7 @@ func peerAPIRequestShouldGetSecurityHeaders(r *http.Request) bool {

 func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if err := h.validatePeerAPIRequest(r); err != nil {
+		metricInvalidRequests.Add(1)
 		h.logf("invalid request from %v: %v", h.remoteAddr, err)
 		http.Error(w, "invalid peerapi request", http.StatusForbidden)
 		return
@@ -617,10 +677,12 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 	}
 	if strings.HasPrefix(r.URL.Path, "/v0/put/") {
+		metricPutCalls.Add(1)
 		h.handlePeerPut(w, r)
 		return
 	}
 	if strings.HasPrefix(r.URL.Path, "/dns-query") {
+		metricDNSCalls.Add(1)
 		h.handleDNSQuery(w, r)
 		return
 	}
@@ -641,12 +703,14 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.handleServeDNSFwd(w, r)
 		return
 	case "/v0/wol":
+		metricWakeOnLANCalls.Add(1)
 		h.handleWakeOnLAN(w, r)
 		return
 	case "/v0/interfaces":
 		h.handleServeInterfaces(w, r)
 		return
 	case "/v0/ingress":
+		metricIngressCalls.Add(1)
 		h.handleServeIngress(w, r)
 		return
 	}
@@ -1370,3 +1434,13 @@ func (fl *fakePeerAPIListener) Accept() (net.Conn, error) {
 }

 func (fl *fakePeerAPIListener) Addr() net.Addr { return fl.addr }
+
+var (
+	metricInvalidRequests = clientmetric.NewCounter("peerapi_invalid_requests")
+
+	// Non-debug PeerAPI endpoints.
+	metricPutCalls       = clientmetric.NewCounter("peerapi_put")
+	metricDNSCalls       = clientmetric.NewCounter("peerapi_dns")
+	metricWakeOnLANCalls = clientmetric.NewCounter("peerapi_wol")
+	metricIngressCalls   = clientmetric.NewCounter("peerapi_ingress")
+)
--- a/ipn/ipnlocal/peerapi_test.go
+++ b/ipn/ipnlocal/peerapi_test.go
@@ -6,6 +6,7 @@ package ipnlocal

 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
@@ -685,3 +686,67 @@ func TestPeerAPIReplyToDNSQueries(t *testing.T) {
 		t.Errorf("unexpectedly IPv6 deny; wanted to be a DNS server")
 	}
 }
+
+func TestRedactErr(t *testing.T) {
+	testCases := []struct {
+		name string
+		err  func() error
+		want string
+	}{
+		{
+			name: "PathError",
+			err: func() error {
+				return &os.PathError{
+					Op:   "open",
+					Path: "/tmp/sensitive.txt",
+					Err:  fs.ErrNotExist,
+				}
+			},
+			want: `open redacted.41360718: file does not exist`,
+		},
+		{
+			name: "LinkError",
+			err: func() error {
+				return &os.LinkError{
+					Op:  "symlink",
+					Old: "/tmp/sensitive.txt",
+					New: "/tmp/othersensitive.txt",
+					Err: fs.ErrNotExist,
+				}
+			},
+			want: `symlink redacted.41360718 redacted.6bcf093a: file does not exist`,
+		},
+		{
+			name: "something else",
+			err:  func() error { return errors.New("i am another error type") },
+			want: `i am another error type`,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// For debugging
+			var i int
+			for err := tc.err(); err != nil; err = errors.Unwrap(err) {
+				t.Logf("%d: %T @ %p", i, err, err)
+				i++
+			}
+
+			t.Run("Root", func(t *testing.T) {
+				got := redactErr(tc.err()).Error()
+				if got != tc.want {
+					t.Errorf("err = %q; want %q", got, tc.want)
+				}
+			})
+			t.Run("Wrapped", func(t *testing.T) {
+				wrapped := fmt.Errorf("wrapped error: %w", tc.err())
+				want := "wrapped error: " + tc.want
+
+				got := redactErr(wrapped).Error()
+				if got != want {
+					t.Errorf("err = %q; want %q", got, want)
+				}
+			})
+		})
+	}
+}
--- a/ipn/ipnlocal/serve.go
+++ b/ipn/ipnlocal/serve.go
@@ -211,7 +211,6 @@ func (b *LocalBackend) SetServeConfig(config *ipn.ServeConfig) error {
 	}

 	b.setTCPPortsInterceptedFromNetmapAndPrefsLocked(b.pm.CurrentPrefs())
-
 	return nil
 }

@@ -389,6 +388,30 @@ func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView,
 	}
 }

+// proxyHandlerForBackend creates a new HTTP reverse proxy for a particular backend that
+// we serve requests for. `backend` is a HTTPHandler.Proxy string (url, hostport or just port).
+func (b *LocalBackend) proxyHandlerForBackend(backend string) (*httputil.ReverseProxy, error) {
+	targetURL, insecure := expandProxyArg(backend)
+	u, err := url.Parse(targetURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid url %s: %w", targetURL, err)
+	}
+	rp := httputil.NewSingleHostReverseProxy(u)
+	rp.Transport = &http.Transport{
+		DialContext: b.dialer.SystemDial,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: insecure,
+		},
+		// Values for the following parameters have been copied from http.DefaultTransport.
+		ForceAttemptHTTP2:     true,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+	return rp, nil
+}
+
 func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
 	h, mountPoint, ok := b.getServeHandler(r)
 	if !ok {
@@ -405,23 +428,12 @@ func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if v := h.Proxy(); v != "" {
-		// TODO(bradfitz): this is a lot of setup per HTTP request. We should
-		// build the whole http.Handler with all the muxing and child handlers
-		// only on start/config change. But this works for now (2022-11-09).
-		targetURL, insecure := expandProxyArg(v)
-		u, err := url.Parse(targetURL)
-		if err != nil {
-			http.Error(w, "bad proxy config", http.StatusInternalServerError)
+		p, ok := b.serveProxyHandlers.Load(v)
+		if !ok {
+			http.Error(w, "unknown proxy destination", http.StatusInternalServerError)
 			return
 		}
-		rp := httputil.NewSingleHostReverseProxy(u)
-		rp.Transport = &http.Transport{
-			DialContext: b.dialer.SystemDial,
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: insecure,
-			},
-		}
-		rp.ServeHTTP(w, r)
+		p.(http.Handler).ServeHTTP(w, r)
 		return
 	}

--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -516,6 +516,7 @@ func (s *Server) Run(ctx context.Context, ln net.Listener) error {
 		if err := ctx.Err(); err != nil {
 			return err
 		}
+		return err
 	}
 	return nil
 }
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -245,6 +245,8 @@ type PeerStatus struct {
 }

 type StatusBuilder struct {
+	WantPeers bool // whether caller wants peers
+
 	mu     sync.Mutex
 	locked bool
 	st     Status
--- a/ipn/ipnstate/ipnstate_clone.go
+++ b/ipn/ipnstate/ipnstate_clone.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -146,6 +146,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if r.Referer() != "" || r.Header.Get("Origin") != "" || !validHost(r.Host) {
+		metricInvalidRequests.Add(1)
 		http.Error(w, "invalid localapi request", http.StatusForbidden)
 		return
 	}
@@ -156,10 +157,12 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if h.RequiredPassword != "" {
 		_, pass, ok := r.BasicAuth()
 		if !ok {
+			metricInvalidRequests.Add(1)
 			http.Error(w, "auth required", http.StatusUnauthorized)
 			return
 		}
 		if pass != h.RequiredPassword {
+			metricInvalidRequests.Add(1)
 			http.Error(w, "bad password", http.StatusForbidden)
 			return
 		}
@@ -540,37 +543,32 @@ func (h *Handler) servePprof(w http.ResponseWriter, r *http.Request) {
 }

 func (h *Handler) serveServeConfig(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "serve config denied", http.StatusForbidden)
-		return
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-
 	switch r.Method {
 	case "GET":
+		if !h.PermitRead {
+			http.Error(w, "serve config denied", http.StatusForbidden)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
 		config := h.b.ServeConfig()
 		json.NewEncoder(w).Encode(config)
 	case "POST":
-		configIn := new(ipn.ServeConfig)
-		if err := json.NewDecoder(r.Body).Decode(configIn); err != nil {
-			json.NewEncoder(w).Encode(struct {
-				Error error
-			}{
-				Error: fmt.Errorf("decoding config: %w", err),
-			})
+		if !h.PermitWrite {
+			http.Error(w, "serve config denied", http.StatusForbidden)
 			return
 		}
-		err := h.b.SetServeConfig(configIn)
-		if err != nil {
-			json.NewEncoder(w).Encode(struct {
-				Error error
-			}{
-				Error: fmt.Errorf("updating config: %w", err),
-			})
+		configIn := new(ipn.ServeConfig)
+		if err := json.NewDecoder(r.Body).Decode(configIn); err != nil {
+			writeErrorJSON(w, fmt.Errorf("decoding config: %w", err))
+			return
+		}
+		if err := h.b.SetServeConfig(configIn); err != nil {
+			writeErrorJSON(w, fmt.Errorf("updating config: %w", err))
 			return
 		}
 		w.WriteHeader(http.StatusOK)
+	default:
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 	}
 }

@@ -900,6 +898,8 @@ func (h *Handler) serveFileTargets(w http.ResponseWriter, r *http.Request) {
 //
 //   - PUT /localapi/v0/file-put/:stableID/:escaped-filename
 func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
+	metricFilePutCalls.Add(1)
+
 	if !h.PermitWrite {
 		http.Error(w, "file access denied", http.StatusForbidden)
 		return
@@ -1254,14 +1254,7 @@ func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
-
-	j, err := json.MarshalIndent(h.b.NetworkLockStatus(), "", "\t")
-	if err != nil {
-		http.Error(w, "JSON encoding error", 500)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.Write(j)
+	w.WriteHeader(204)
 }

 func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
@@ -1437,3 +1430,10 @@ func defBool(a string, def bool) bool {
 	}
 	return v
 }
+
+var (
+	metricInvalidRequests = clientmetric.NewCounter("localapi_invalid_requests")
+
+	// User-visible LocalAPI endpoints.
+	metricFilePutCalls = clientmetric.NewCounter("localapi_file_put")
+)
--- a/ipn/serve.go
+++ b/ipn/serve.go
@@ -81,15 +81,18 @@ func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool {
 // GetWebHandler returns the HTTPHandler for the given host:port and mount point.
 // Returns nil if the handler does not exist.
 func (sc *ServeConfig) GetWebHandler(hp HostPort, mount string) *HTTPHandler {
-	if sc.Web[hp] != nil {
-		return sc.Web[hp].Handlers[mount]
+	if sc == nil || sc.Web[hp] == nil {
+		return nil
 	}
-	return nil
+	return sc.Web[hp].Handlers[mount]
 }

 // GetTCPPortHandler returns the TCPPortHandler for the given port.
 // If the port is not configured, nil is returned.
 func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler {
+	if sc == nil {
+		return nil
+	}
 	return sc.TCP[port]
 }

@@ -97,7 +100,7 @@ func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler {
 // in TCPForward mode on any port.
 // This is exclusive of Web/HTTPS serving.
 func (sc *ServeConfig) IsTCPForwardingAny() bool {
-	if len(sc.TCP) == 0 {
+	if sc == nil || len(sc.TCP) == 0 {
 		return false
 	}
 	for _, h := range sc.TCP {
@@ -112,7 +115,7 @@ func (sc *ServeConfig) IsTCPForwardingAny() bool {
 // in TCPForward mode on the given port.
 // This is exclusive of Web/HTTPS serving.
 func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool {
-	if sc.TCP[port] == nil {
+	if sc == nil || sc.TCP[port] == nil {
 		return false
 	}
 	return !sc.TCP[port].HTTPS
@@ -122,14 +125,22 @@ func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool {
 // Web/HTTPS on the given port.
 // This is exclusive of TCPForwarding.
 func (sc *ServeConfig) IsServingWeb(port uint16) bool {
-	if sc.TCP[port] == nil {
+	if sc == nil || sc.TCP[port] == nil {
 		return false
 	}
 	return sc.TCP[port].HTTPS
 }

 // IsFunnelOn checks if ServeConfig is currently allowing
-// funnel traffic on for the given host:port.
-func (sc *ServeConfig) IsFunnelOn(hp HostPort) bool {
-	return sc.AllowFunnel[hp]
+// funnel traffic for any host:port.
+func (sc *ServeConfig) IsFunnelOn() bool {
+	if sc == nil {
+		return false
+	}
+	for _, b := range sc.AllowFunnel {
+		if b {
+			return true
+		}
+	}
+	return false
 }
--- a/licenses/android.md
+++ b/licenses/android.md
@@ -10,24 +10,23 @@ Client][].  See also the dependencies in the [Tailscale CLI][].

 - [eliasnaur.com/font/roboto](https://pkg.go.dev/eliasnaur.com/font/roboto) ([BSD-3-Clause](https://git.sr.ht/~eliasnaur/font/tree/832bb8fc08c3/LICENSE))
 - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0-rc.1/LICENSE))
- - [gioui.org](https://pkg.go.dev/gioui.org) ([MIT](https://git.sr.ht/~eliasnaur/gio/tree/a1b5ff059c07/LICENSE))
+ - [gioui.org](https://pkg.go.dev/gioui.org) ([MIT](https://git.sr.ht/~eliasnaur/gio/tree/aa2a948b863a/LICENSE))
 - [gioui.org/cpu](https://pkg.go.dev/gioui.org/cpu) ([MIT](https://git.sr.ht/~eliasnaur/gio-cpu/tree/8d6a761490d2/LICENSE))
 - [gioui.org/shader](https://pkg.go.dev/gioui.org/shader) ([MIT](https://git.sr.ht/~eliasnaur/gio-shader/tree/v1.0.6/LICENSE))
- - [github.com/benoitkugler/textlayout](https://pkg.go.dev/github.com/benoitkugler/textlayout) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.0.10/LICENSE))
- - [github.com/benoitkugler/textlayout/fonts](https://pkg.go.dev/github.com/benoitkugler/textlayout/fonts) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.0.10/fonts/LICENSE))
- - [github.com/benoitkugler/textlayout/graphite](https://pkg.go.dev/github.com/benoitkugler/textlayout/graphite) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.0.10/graphite/LICENSE))
- - [github.com/benoitkugler/textlayout/harfbuzz](https://pkg.go.dev/github.com/benoitkugler/textlayout/harfbuzz) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.0.10/harfbuzz/LICENSE))
+ - [github.com/benoitkugler/textlayout](https://pkg.go.dev/github.com/benoitkugler/textlayout) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.3.0/LICENSE))
+ - [github.com/benoitkugler/textlayout/fonts](https://pkg.go.dev/github.com/benoitkugler/textlayout/fonts) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.3.0/fonts/LICENSE))
+ - [github.com/benoitkugler/textlayout/graphite](https://pkg.go.dev/github.com/benoitkugler/textlayout/graphite) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.3.0/graphite/LICENSE))
+ - [github.com/benoitkugler/textlayout/harfbuzz](https://pkg.go.dev/github.com/benoitkugler/textlayout/harfbuzz) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.3.0/harfbuzz/LICENSE))
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.6.0/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
- - [github.com/gioui/uax](https://pkg.go.dev/github.com/gioui/uax) ([BSD-3-Clause](https://github.com/gioui/uax/blob/e3d987515a12/LICENSE))
- - [github.com/go-text/typesetting](https://pkg.go.dev/github.com/go-text/typesetting) ([BSD-3-Clause](https://github.com/go-text/typesetting/blob/58fe93c84506/LICENSE))
+ - [github.com/go-text/typesetting](https://pkg.go.dev/github.com/go-text/typesetting) ([BSD-3-Clause](https://github.com/go-text/typesetting/blob/0399769901d5/LICENSE))
 - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/v5.0.6/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.0.1/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
 - [github.com/illarion/gonotify](https://pkg.go.dev/github.com/illarion/gonotify) ([MIT](https://github.com/illarion/gonotify/blob/v1.0.1/LICENSE))
- - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/7d93572ebe8e/LICENSE))
- - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/v1.0.0/license))
+ - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/de60144f33f8/LICENSE))
+ - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/c1e37c09b531/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
 - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.4/LICENSE))
 - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.4/internal/snapref/LICENSE))
@@ -43,8 +42,9 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tailscale/tailscale-android](https://pkg.go.dev/github.com/tailscale/tailscale-android) ([BSD-3-Clause](https://github.com/tailscale/tailscale-android/blob/HEAD/LICENSE))
+ - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/4fa124729667/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
- - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/dac05f7d2cb4/LICENSE))
+ - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/c3537552635f/LICENSE))
 - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/650dca95af54/LICENSE))
 - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/50045581ed74/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
@@ -52,18 +52,18 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/927187094b94/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
 - [go4.org/unsafe/assume-no-moving-gc](https://pkg.go.dev/go4.org/unsafe/assume-no-moving-gc) ([BSD-3-Clause](https://github.com/go4org/unsafe-assume-no-moving-gc/blob/928513b29760/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/eb4f295c:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/807a2327:shiny/LICENSE))
- - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/a66eb644:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.1.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.3.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47842c84:LICENSE))
+ - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/334a2380:shiny/LICENSE))
+ - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/062f8c9f:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.2.0:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.1.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.1.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.2.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.2.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.4.0:LICENSE))
- - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
- - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=b51010ba13f0))
+ - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE))
 - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/846276b3dbc5/LICENSE))
 - [inet.af/netaddr](https://pkg.go.dev/inet.af/netaddr) ([BSD-3-Clause](https://github.com/inetaf/netaddr/blob/097006376321/LICENSE))
+ - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -18,8 +18,8 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.0.1/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
 - [github.com/illarion/gonotify](https://pkg.go.dev/github.com/illarion/gonotify) ([MIT](https://github.com/illarion/gonotify/blob/v1.0.1/LICENSE))
- - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/1ca156eafb9f/LICENSE))
- - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/v1.0.0/license))
+ - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/de60144f33f8/LICENSE))
+ - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/c1e37c09b531/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
 - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.5/LICENSE))
 - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.5/internal/snapref/LICENSE))
@@ -33,23 +33,23 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/bc99ab8c2d17/LICENSE))
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
+ - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/4fa124729667/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
- - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/dac05f7d2cb4/LICENSE))
+ - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/c3537552635f/LICENSE))
 - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/650dca95af54/LICENSE))
 - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/50045581ed74/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.1.0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.1.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.1.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.3.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47842c84:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.2.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/2204b661:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.2.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.4.0:LICENSE))
- - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
- - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=bb719d3a6e2c))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/846276b3dbc5/LICENSE))
+ - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/703fd9b7fbc0/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -14,6 +14,7 @@ Some packages may only be included on certain architectures or operating systems


 - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0-rc.1/LICENSE))
+ - [github.com/Microsoft/go-winio](https://pkg.go.dev/github.com/Microsoft/go-winio) ([MIT](https://github.com/Microsoft/go-winio/blob/v0.6.0/LICENSE))
 - [github.com/akutz/memconn](https://pkg.go.dev/github.com/akutz/memconn) ([Apache-2.0](https://github.com/akutz/memconn/blob/v0.1.0/LICENSE))
 - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/909beea2cc74/LICENSE))
 - [github.com/anmitsu/go-shlex](https://pkg.go.dev/github.com/anmitsu/go-shlex) ([MIT](https://github.com/anmitsu/go-shlex/blob/38f4b401e2be/LICENSE))
@@ -32,6 +33,7 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.9.0/LICENSE))
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.6.0/LICENSE))
 - [github.com/creack/pty](https://pkg.go.dev/github.com/creack/pty) ([MIT](https://github.com/creack/pty/blob/v1.1.17/LICENSE))
+ - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/6ac47ab19aa5/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
 - [github.com/go-ole/go-ole](https://pkg.go.dev/github.com/go-ole/go-ole) ([MIT](https://github.com/go-ole/go-ole/blob/v1.2.6/LICENSE))
 - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/v5.0.6/LICENSE))
@@ -40,9 +42,9 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.0/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
 - [github.com/illarion/gonotify](https://pkg.go.dev/github.com/illarion/gonotify) ([MIT](https://github.com/illarion/gonotify/blob/v1.0.1/LICENSE))
- - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/7d93572ebe8e/LICENSE))
+ - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/de60144f33f8/LICENSE))
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
- - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/v1.0.0/license))
+ - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/c1e37c09b531/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
 - [github.com/kballard/go-shellquote](https://pkg.go.dev/github.com/kballard/go-shellquote) ([MIT](https://github.com/kballard/go-shellquote/blob/95032a82bc51/LICENSE))
 - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.4/LICENSE))
@@ -64,27 +66,27 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/tailscale/certstore](https://pkg.go.dev/github.com/tailscale/certstore) ([MIT](https://github.com/tailscale/certstore/blob/78d6e1c49d8d/LICENSE.md))
 - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/bc99ab8c2d17/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
+ - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/4fa124729667/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
 - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
 - [github.com/u-root/u-root/pkg/termios](https://pkg.go.dev/github.com/u-root/u-root/pkg/termios) ([BSD-3-Clause](https://github.com/u-root/u-root/blob/6e9699743f5d/LICENSE))
- - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/dac05f7d2cb4/LICENSE))
+ - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/c3537552635f/LICENSE))
 - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/650dca95af54/LICENSE))
 - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/50045581ed74/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/927187094b94/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/eb4f295c:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.1.0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.1.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.1.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.3.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47842c84:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.2.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/2204b661:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.2.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.4.0:LICENSE))
- - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
+ - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
- - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=b51010ba13f0))
 - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/846276b3dbc5/LICENSE))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/703fd9b7fbc0/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [inet.af/wf](https://pkg.go.dev/inet.af/wf) ([BSD-3-Clause](https://github.com/inetaf/wf/blob/50d96caab2f6/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -17,26 +17,26 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
- - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/v1.0.0/license))
+ - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/c1e37c09b531/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
 - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.5/LICENSE))
 - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.5/internal/snapref/LICENSE))
 - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.15.5/zstd/internal/xxhash/LICENSE.txt))
- - [github.com/lxn/walk](https://pkg.go.dev/github.com/lxn/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/f8b1a45b269d/LICENSE))
- - [github.com/lxn/win](https://pkg.go.dev/github.com/lxn/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/e8ccca099752/LICENSE))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.6.0/LICENSE.md))
 - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/df8c77379597/LICENSE))
+ - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/e8ccca099752/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.1.0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.1.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.1.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.3.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47842c84:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.2.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/2204b661:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.2.0:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
 - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
 - [gopkg.in/Knetic/govaluate.v3](https://pkg.go.dev/gopkg.in/Knetic/govaluate.v3) ([MIT](https://github.com/Knetic/govaluate/blob/v3.0.0/LICENSE))
--- a/net/connstats/stats.go
+++ b/net/connstats/stats.go
@@ -7,9 +7,12 @@
 package connstats

 import (
+	"context"
 	"net/netip"
 	"sync"
+	"time"

+	"golang.org/x/sync/errgroup"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/netlogtype"
 )
@@ -18,11 +21,64 @@ import (
 // All methods are safe for concurrent use.
 // The zero value is ready for use.
 type Statistics struct {
-	mu       sync.Mutex
+	maxConns int // immutable once set
+
+	mu sync.Mutex
+	connCnts
+
+	connCntsCh  chan connCnts
+	shutdownCtx context.Context
+	shutdown    context.CancelFunc
+	group       errgroup.Group
+}
+
+type connCnts struct {
+	start    time.Time
+	end      time.Time
 	virtual  map[netlogtype.Connection]netlogtype.Counts
 	physical map[netlogtype.Connection]netlogtype.Counts
 }

+// NewStatistics creates a data structure for tracking connection statistics
+// that periodically dumps the virtual and physical connection counts
+// depending on whether the maxPeriod or maxConns is exceeded.
+// The dump function is called from a single goroutine.
+// Shutdown must be called to cleanup resources.
+func NewStatistics(maxPeriod time.Duration, maxConns int, dump func(start, end time.Time, virtual, physical map[netlogtype.Connection]netlogtype.Counts)) *Statistics {
+	s := &Statistics{maxConns: maxConns}
+	s.connCntsCh = make(chan connCnts, 256)
+	s.shutdownCtx, s.shutdown = context.WithCancel(context.Background())
+	s.group.Go(func() error {
+		// TODO(joetsai): Using a ticker is problematic on mobile platforms
+		// where waking up a process every maxPeriod when there is no activity
+		// is a drain on battery life. Switch this instead to instead use
+		// a time.Timer that is triggered upon network activity.
+		ticker := new(time.Ticker)
+		if maxPeriod > 0 {
+			ticker := time.NewTicker(maxPeriod)
+			defer ticker.Stop()
+		}
+
+		for {
+			var cc connCnts
+			select {
+			case cc = <-s.connCntsCh:
+			case <-ticker.C:
+				cc = s.extract()
+			case <-s.shutdownCtx.Done():
+				cc = s.extract()
+			}
+			if len(cc.virtual)+len(cc.physical) > 0 && dump != nil {
+				dump(cc.start, cc.end, cc.virtual, cc.physical)
+			}
+			if s.shutdownCtx.Err() != nil {
+				return nil
+			}
+		}
+	})
+	return s
+}
+
 // UpdateTxVirtual updates the counters for a transmitted IP packet
 // The source and destination of the packet directly correspond with
 // the source and destination in netlogtype.Connection.
@@ -47,10 +103,10 @@ func (s *Statistics) updateVirtual(b []byte, receive bool) {

 	s.mu.Lock()
 	defer s.mu.Unlock()
-	if s.virtual == nil {
-		s.virtual = make(map[netlogtype.Connection]netlogtype.Counts)
+	cnts, found := s.virtual[conn]
+	if !found && !s.preInsertConn() {
+		return
 	}
-	cnts := s.virtual[conn]
 	if receive {
 		cnts.RxPackets++
 		cnts.RxBytes += uint64(len(b))
@@ -82,10 +138,10 @@ func (s *Statistics) updatePhysical(src netip.Addr, dst netip.AddrPort, n int, r

 	s.mu.Lock()
 	defer s.mu.Unlock()
-	if s.physical == nil {
-		s.physical = make(map[netlogtype.Connection]netlogtype.Counts)
+	cnts, found := s.physical[conn]
+	if !found && !s.preInsertConn() {
+		return
 	}
-	cnts := s.physical[conn]
 	if receive {
 		cnts.RxPackets++
 		cnts.RxBytes += uint64(n)
@@ -96,14 +152,57 @@ func (s *Statistics) updatePhysical(src netip.Addr, dst netip.AddrPort, n int, r
 	s.physical[conn] = cnts
 }

-// Extract extracts and resets the counters for all active connections.
-// It must be called periodically otherwise the memory used is unbounded.
-func (s *Statistics) Extract() (virtual, physical map[netlogtype.Connection]netlogtype.Counts) {
+// preInsertConn updates the maps to handle insertion of a new connection.
+// It reports false if insertion is not allowed (i.e., after shutdown).
+func (s *Statistics) preInsertConn() bool {
+	// Check whether insertion of a new connection will exceed maxConns.
+	if len(s.virtual)+len(s.physical) == s.maxConns && s.maxConns > 0 {
+		// Extract the current statistics and send it to the serializer.
+		// Avoid blocking the network packet handling path.
+		select {
+		case s.connCntsCh <- s.extractLocked():
+		default:
+			// TODO(joetsai): Log that we are dropping an entire connCounts.
+		}
+	}
+
+	// Initialize the maps if nil.
+	if s.virtual == nil && s.physical == nil {
+		s.start = time.Now().UTC()
+		s.virtual = make(map[netlogtype.Connection]netlogtype.Counts)
+		s.physical = make(map[netlogtype.Connection]netlogtype.Counts)
+	}
+
+	return s.shutdownCtx.Err() == nil
+}
+
+func (s *Statistics) extract() connCnts {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	virtual = s.virtual
-	s.virtual = make(map[netlogtype.Connection]netlogtype.Counts)
-	physical = s.physical
-	s.physical = make(map[netlogtype.Connection]netlogtype.Counts)
-	return virtual, physical
+	return s.extractLocked()
+}
+
+func (s *Statistics) extractLocked() connCnts {
+	if len(s.virtual)+len(s.physical) == 0 {
+		return connCnts{}
+	}
+	s.end = time.Now().UTC()
+	cc := s.connCnts
+	s.connCnts = connCnts{}
+	return cc
+}
+
+// TestExtract synchronously extracts the current network statistics map
+// and resets the counters. This should only be used for testing purposes.
+func (s *Statistics) TestExtract() (virtual, physical map[netlogtype.Connection]netlogtype.Counts) {
+	cc := s.extract()
+	return cc.virtual, cc.physical
+}
+
+// Shutdown performs a final flush of statistics.
+// Statistics for any subsequent calls to Update will be dropped.
+// It is safe to call Shutdown concurrently and repeatedly.
+func (s *Statistics) Shutdown(context.Context) error {
+	s.shutdown()
+	return s.group.Wait()
 }
--- a/net/connstats/stats_test.go
+++ b/net/connstats/stats_test.go
@@ -5,6 +5,7 @@
 package connstats

 import (
+	"context"
 	"encoding/binary"
 	"fmt"
 	"math/rand"
@@ -47,7 +48,20 @@ func testPacketV4(proto ipproto.Proto, srcAddr, dstAddr [4]byte, srcPort, dstPor
 func TestConcurrent(t *testing.T) {
 	c := qt.New(t)

-	var stats Statistics
+	const maxPeriod = 10 * time.Millisecond
+	const maxConns = 10
+	virtualAggregate := make(map[netlogtype.Connection]netlogtype.Counts)
+	stats := NewStatistics(maxPeriod, maxConns, func(start, end time.Time, virtual, physical map[netlogtype.Connection]netlogtype.Counts) {
+		c.Assert(start.IsZero(), qt.IsFalse)
+		c.Assert(end.IsZero(), qt.IsFalse)
+		c.Assert(end.Before(start), qt.IsFalse)
+		c.Assert(len(virtual) > 0 && len(virtual) <= maxConns, qt.IsTrue)
+		c.Assert(len(physical) == 0, qt.IsTrue)
+		for conn, cnts := range virtual {
+			virtualAggregate[conn] = virtualAggregate[conn].Add(cnts)
+		}
+	})
+	defer stats.Shutdown(context.Background())
 	var wants []map[netlogtype.Connection]netlogtype.Counts
 	gots := make([]map[netlogtype.Connection]netlogtype.Counts, runtime.NumCPU())
 	var group sync.WaitGroup
@@ -95,14 +109,9 @@ func TestConcurrent(t *testing.T) {
 			}
 		}(i)
 	}
-	for range gots {
-		virtual, _ := stats.Extract()
-		wants = append(wants, virtual)
-		time.Sleep(time.Millisecond)
-	}
 	group.Wait()
-	virtual, _ := stats.Extract()
-	wants = append(wants, virtual)
+	c.Assert(stats.Shutdown(context.Background()), qt.IsNil)
+	wants = append(wants, virtualAggregate)

 	got := make(map[netlogtype.Connection]netlogtype.Counts)
 	want := make(map[netlogtype.Connection]netlogtype.Counts)
@@ -126,7 +135,7 @@ func Benchmark(b *testing.B) {
 		b.ResetTimer()
 		b.ReportAllocs()
 		for i := 0; i < b.N; i++ {
-			var s Statistics
+			s := NewStatistics(0, 0, nil)
 			for j := 0; j < 1e3; j++ {
 				s.UpdateTxVirtual(p)
 			}
@@ -137,7 +146,7 @@ func Benchmark(b *testing.B) {
 		b.ResetTimer()
 		b.ReportAllocs()
 		for i := 0; i < b.N; i++ {
-			var s Statistics
+			s := NewStatistics(0, 0, nil)
 			for j := 0; j < 1e3; j++ {
 				binary.BigEndian.PutUint32(p[20:], uint32(j)) // unique port combination
 				s.UpdateTxVirtual(p)
@@ -149,7 +158,7 @@ func Benchmark(b *testing.B) {
 		b.ResetTimer()
 		b.ReportAllocs()
 		for i := 0; i < b.N; i++ {
-			var s Statistics
+			s := NewStatistics(0, 0, nil)
 			var group sync.WaitGroup
 			for j := 0; j < runtime.NumCPU(); j++ {
 				group.Add(1)
@@ -171,7 +180,7 @@ func Benchmark(b *testing.B) {
 		b.ResetTimer()
 		b.ReportAllocs()
 		for i := 0; i < b.N; i++ {
-			var s Statistics
+			s := NewStatistics(0, 0, nil)
 			var group sync.WaitGroup
 			for j := 0; j < runtime.NumCPU(); j++ {
 				group.Add(1)
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -427,8 +427,8 @@ const (
 	// The RFCs don't specify the max size of a TCP-based DNS query,
 	// but we want to keep this reasonable. Given payloads are typically
 	// much larger and all known client send a single query, I've arbitrarily
-	// chosen 2k.
-	maxReqSizeTCP = 2048
+	// chosen 4k.
+	maxReqSizeTCP = 4096
 )

 // dnsTCPSession services DNS requests sent over TCP.
@@ -447,9 +447,17 @@ type dnsTCPSession struct {

 func (s *dnsTCPSession) handleWrites() {
 	defer s.conn.Close()
-	defer close(s.responses)
 	defer s.closeCtx()

+	// NOTE(andrew): we explicitly do not close the 'responses' channel
+	// when this function exits. If we hit an error and return, we could
+	// still have outstanding 'handleQuery' goroutines running, and if we
+	// closed this channel they'd end up trying to send on a closed channel
+	// when they finish.
+	//
+	// Because we call closeCtx, those goroutines will not hang since they
+	// select on <-s.ctx.Done() as well as s.responses.
+
 	for {
 		select {
 		case <-s.readClosing:
@@ -476,6 +484,7 @@ func (s *dnsTCPSession) handleQuery(q []byte) {
 		return
 	}

+	// See note in handleWrites (above) regarding this select{}
 	select {
 	case <-s.ctx.Done():
 	case s.responses <- resp:
@@ -483,6 +492,7 @@ func (s *dnsTCPSession) handleQuery(q []byte) {
 }

 func (s *dnsTCPSession) handleReads() {
+	defer s.conn.Close()
 	defer close(s.readClosing)

 	for {
@@ -515,6 +525,11 @@ func (s *dnsTCPSession) handleReads() {
 			case <-s.ctx.Done():
 				return
 			default:
+				// NOTE: by kicking off the query handling in a
+				// new goroutine, it is possible that we'll
+				// deliver responses out-of-order. This is
+				// explicitly allowed by RFC7766, Section
+				// 6.2.1.1 ("Query Pipelining").
 				go s.handleQuery(buf)
 			}
 		}
--- a/net/dns/manager_tcp_test.go
+++ b/net/dns/manager_tcp_test.go
@@ -5,19 +5,23 @@
 package dns

 import (
+	"bytes"
 	"encoding/binary"
+	"errors"
 	"io"
 	"net"
 	"net/netip"
 	"testing"
+	"time"

 	"github.com/google/go-cmp/cmp"
 	dns "golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/net/tsdial"
+	"tailscale.com/tstest"
 	"tailscale.com/util/dnsname"
 )

-func mkDNSRequest(domain dnsname.FQDN, tp dns.Type) []byte {
+func mkDNSRequest(domain dnsname.FQDN, tp dns.Type, modify func(*dns.Builder)) []byte {
 	var dnsHeader dns.Header
 	question := dns.Question{
 		Name:  dns.MustNewName(domain.WithTrailingDot()),
@@ -37,6 +41,15 @@ func mkDNSRequest(domain dnsname.FQDN, tp dns.Type) []byte {
 		panic(err)
 	}

+	if modify != nil {
+		modify(&builder)
+	}
+	payload, _ := builder.Finish()
+
+	return payload
+}
+
+func addEDNS(builder *dns.Builder) {
 	ednsHeader := dns.ResourceHeader{
 		Name:  dns.MustNewName("."),
 		Type:  dns.TypeOPT,
@@ -46,10 +59,25 @@ func mkDNSRequest(domain dnsname.FQDN, tp dns.Type) []byte {
 	if err := builder.OPTResource(ednsHeader, dns.OPTResource{}); err != nil {
 		panic(err)
 	}
+}

-	payload, _ := builder.Finish()
+func mkLargeDNSRequest(domain dnsname.FQDN, tp dns.Type) []byte {
+	return mkDNSRequest(domain, tp, func(builder *dns.Builder) {
+		ednsHeader := dns.ResourceHeader{
+			Name:  dns.MustNewName("."),
+			Type:  dns.TypeOPT,
+			Class: dns.Class(4095),
+		}

-	return payload
+		if err := builder.OPTResource(ednsHeader, dns.OPTResource{
+			Options: []dns.Option{{
+				Code: 1234,
+				Data: bytes.Repeat([]byte("A"), maxReqSizeTCP),
+			}},
+		}); err != nil {
+			panic(err)
+		}
+	})
 }

 func TestDNSOverTCP(t *testing.T) {
@@ -82,7 +110,7 @@ func TestDNSOverTCP(t *testing.T) {
 	}

 	for domain, _ := range wantResults {
-		b := mkDNSRequest(domain, dns.TypeA)
+		b := mkDNSRequest(domain, dns.TypeA, addEDNS)
 		binary.Write(c, binary.BigEndian, uint16(len(b)))
 		c.Write(b)
 	}
@@ -134,3 +162,69 @@ func TestDNSOverTCP(t *testing.T) {
 		t.Errorf("wrong results (-got+want)\n%s", diff)
 	}
 }
+
+func TestDNSOverTCP_TooLarge(t *testing.T) {
+	log := tstest.WhileTestRunningLogger(t)
+
+	f := fakeOSConfigurator{
+		SplitDNS: true,
+		BaseConfig: OSConfig{
+			Nameservers:   mustIPs("8.8.8.8"),
+			SearchDomains: fqdns("coffee.shop"),
+		},
+	}
+	m := NewManager(log, &f, nil, new(tsdial.Dialer), nil)
+	m.resolver.TestOnlySetHook(f.SetResolver)
+	m.Set(Config{
+		Hosts:         hosts("andrew.ts.com.", "1.2.3.4"),
+		Routes:        upstreams("ts.com", ""),
+		SearchDomains: fqdns("tailscale.com"),
+	})
+	defer m.Down()
+
+	c, s := net.Pipe()
+	defer s.Close()
+	go m.HandleTCPConn(s, netip.AddrPort{})
+	defer c.Close()
+
+	var b []byte
+	domain := dnsname.FQDN("andrew.ts.com.")
+
+	// Write a successful request, then a large one that will fail; this
+	// exercises the data race in tailscale/tailscale#6725
+	b = mkDNSRequest(domain, dns.TypeA, addEDNS)
+	binary.Write(c, binary.BigEndian, uint16(len(b)))
+	if _, err := c.Write(b); err != nil {
+		t.Fatal(err)
+	}
+
+	c.SetWriteDeadline(time.Now().Add(5 * time.Second))
+
+	b = mkLargeDNSRequest(domain, dns.TypeA)
+	if err := binary.Write(c, binary.BigEndian, uint16(len(b))); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := c.Write(b); err != nil {
+		// It's possible that we get an error here, since the
+		// net.Pipe() implementation enforces synchronous reads. So,
+		// handleReads could read the size, then error, and this write
+		// fails. That's actually a success for this test!
+		if errors.Is(err, io.ErrClosedPipe) {
+			t.Logf("pipe (correctly) closed when writing large response")
+			return
+		}
+
+		t.Fatal(err)
+	}
+
+	t.Logf("reading responses")
+	c.SetReadDeadline(time.Now().Add(5 * time.Second))
+
+	// We expect an EOF now, since the connection will have been closed due
+	// to a too-large query.
+	var respLength uint16
+	err := binary.Read(c, binary.BigEndian, &respLength)
+	if !errors.Is(err, io.EOF) && !errors.Is(err, io.ErrClosedPipe) {
+		t.Errorf("expected EOF on large read; got %v", err)
+	}
+}
--- a/net/dns/nm.go
+++ b/net/dns/nm.go
@@ -14,9 +14,9 @@ import (
 	"time"

 	"github.com/godbus/dbus/v5"
+	"github.com/josharian/native"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/util/endian"
 )

 const (
@@ -130,7 +130,7 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 	for _, ip := range config.Nameservers {
 		b := ip.As16()
 		if ip.Is4() {
-			dnsv4 = append(dnsv4, endian.Native.Uint32(b[12:]))
+			dnsv4 = append(dnsv4, native.Endian.Uint32(b[12:]))
 		} else {
 			dnsv6 = append(dnsv6, b[:])
 		}
--- a/net/dnscache/dnscache.go
+++ b/net/dnscache/dnscache.go
@@ -276,7 +276,7 @@ func (r *Resolver) lookupIP(host string) (ip, ip6 netip.Addr, allIPs []netip.Add
 		return netip.Addr{}, netip.Addr{}, nil, fmt.Errorf("no IPs for %q found", host)
 	}

-        // Unmap everything; LookupNetIP can return mapped addresses (see #5698)
+	// Unmap everything; LookupNetIP can return mapped addresses (see #5698)
 	for i := range ips {
 		ips[i] = ips[i].Unmap()
 	}
--- a/net/interfaces/interfaces_bsd.go
+++ b/net/interfaces/interfaces_bsd.go
@@ -20,6 +20,7 @@ import (
 	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"
 	"tailscale.com/net/netaddr"
+	"tailscale.com/syncs"
 )

 func defaultRoute() (d DefaultRouteDetails, err error) {
@@ -36,7 +37,17 @@ func defaultRoute() (d DefaultRouteDetails, err error) {
 	return d, nil
 }

+// DefaultRouteInterfaceIndex returns the index of the network interface that
+// owns the default route. It returns the first IPv4 or IPv6 default route it
+// finds (it does not prefer one or the other).
 func DefaultRouteInterfaceIndex() (int, error) {
+	if f := defaultRouteInterfaceIndexFunc.Load(); f != nil {
+		if ifIndex := f(); ifIndex != 0 {
+			return ifIndex, nil
+		}
+		// Fallthrough if we can't use the alternate implementation.
+	}
+
 	// $ netstat -nr
 	// Routing tables
 	// Internet:
@@ -71,6 +82,16 @@ func DefaultRouteInterfaceIndex() (int, error) {
 	return 0, errors.New("no gateway index found")
 }

+var defaultRouteInterfaceIndexFunc syncs.AtomicValue[func() int]
+
+// SetDefaultRouteInterfaceIndexFunc allows an alternate implementation of
+// DefaultRouteInterfaceIndex to be provided. If none is set, or if f() returns a 0
+// (indicating an unknown interface index), then the default implementation (that parses
+// the routing table) will be used.
+func SetDefaultRouteInterfaceIndexFunc(f func() int) {
+	defaultRouteInterfaceIndexFunc.Store(f)
+}
+
 func init() {
 	likelyHomeRouterIP = likelyHomeRouterIPBSDFetchRIB
 }
--- a/net/netns/netns_darwin_tailscaled.go
+++ b/net/netns/netns_darwin_tailscaled.go
@@ -2,12 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build darwin && !ts_macext
+//go:build darwin

 package netns

 import (
+	"errors"
 	"fmt"
+	"log"
+	"net"
 	"strings"
 	"syscall"

@@ -27,7 +30,7 @@ func control(logf logger.Logf) func(network, address string, c syscall.RawConn)
 // It's intentionally the same signature as net.Dialer.Control
 // and net.ListenConfig.Control.
 func controlLogf(logf logger.Logf, network, address string, c syscall.RawConn) error {
-	if strings.HasPrefix(address, "127.") || address == "::1" {
+	if isLocalhost(address) {
 		// Don't bind to an interface for localhost connections.
 		return nil
 	}
@@ -36,6 +39,26 @@ func controlLogf(logf logger.Logf, network, address string, c syscall.RawConn) e
 		logf("[unexpected] netns: DefaultRouteInterfaceIndex: %v", err)
 		return nil
 	}
+
+	return bindConnToInterface(c, network, address, idx, logf)
+}
+
+// SetListenConfigInterfaceIndex sets lc.Control such that sockets are bound
+// to the provided interface index.
+func SetListenConfigInterfaceIndex(lc *net.ListenConfig, ifIndex int) error {
+	if lc == nil {
+		return errors.New("nil ListenConfig")
+	}
+	if lc.Control != nil {
+		return errors.New("ListenConfig.Control already set")
+	}
+	lc.Control = func(network, address string, c syscall.RawConn) error {
+		return bindConnToInterface(c, network, address, ifIndex, log.Printf)
+	}
+	return nil
+}
+
+func bindConnToInterface(c syscall.RawConn, network, address string, ifIndex int, logf logger.Logf) error {
 	v6 := strings.Contains(address, "]:") || strings.HasSuffix(network, "6") // hacky test for v6
 	proto := unix.IPPROTO_IP
 	opt := unix.IP_BOUND_IF
@@ -45,14 +68,14 @@ func controlLogf(logf logger.Logf, network, address string, c syscall.RawConn) e
 	}

 	var sockErr error
-	err = c.Control(func(fd uintptr) {
-		sockErr = unix.SetsockoptInt(int(fd), proto, opt, idx)
+	err := c.Control(func(fd uintptr) {
+		sockErr = unix.SetsockoptInt(int(fd), proto, opt, ifIndex)
 	})
+	if sockErr != nil {
+		logf("[unexpected] netns: bindConnToInterface(%q, %q), v6=%v, index=%v: %v", network, address, v6, ifIndex, sockErr)
+	}
 	if err != nil {
 		return fmt.Errorf("RawConn.Control on %T: %w", c, err)
 	}
-	if sockErr != nil {
-		logf("[unexpected] netns: control(%q, %q), v6=%v, index=%v: %v", network, address, v6, idx, sockErr)
-	}
 	return sockErr
 }
--- a/net/netns/netns_default.go
+++ b/net/netns/netns_default.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build (!linux && !windows && !darwin) || (darwin && ts_macext)
+//go:build !linux && !windows && !darwin

 package netns

--- a/net/netns/netns_macios.go
+++ b/net/netns/netns_macios.go
@@ -1,53 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build darwin || ios
-
-package netns
-
-import (
-	"errors"
-	"log"
-	"net"
-	"strings"
-	"syscall"
-
-	"golang.org/x/sys/unix"
-)
-
-// SetListenConfigInterfaceIndex sets lc.Control such that sockets are bound
-// to the provided interface index.
-func SetListenConfigInterfaceIndex(lc *net.ListenConfig, ifIndex int) error {
-	if lc == nil {
-		return errors.New("nil ListenConfig")
-	}
-	if lc.Control != nil {
-		return errors.New("ListenConfig.Control already set")
-	}
-	lc.Control = func(network, address string, c syscall.RawConn) error {
-		var sockErr error
-		err := c.Control(func(fd uintptr) {
-			sockErr = bindInterface(fd, network, address, ifIndex)
-			if sockErr != nil {
-				log.Printf("netns: bind(%q, %q) on index %v: %v", network, address, ifIndex, sockErr)
-			}
-		})
-		if err != nil {
-			return err
-		}
-		return sockErr
-	}
-	return nil
-}
-
-func bindInterface(fd uintptr, network, address string, ifIndex int) error {
-	v6 := strings.Contains(address, "]:") || strings.HasSuffix(network, "6") // hacky test for v6
-	proto := unix.IPPROTO_IP
-	opt := unix.IP_BOUND_IF
-	if v6 {
-		proto = unix.IPPROTO_IPV6
-		opt = unix.IPV6_BOUND_IF
-	}
-	return unix.SetsockoptInt(int(fd), proto, opt, ifIndex)
-}
--- a/net/netns/netns_windows.go
+++ b/net/netns/netns_windows.go
@@ -9,11 +9,11 @@ import (
 	"strings"
 	"syscall"

+	"github.com/josharian/native"
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/endian"
 )

 func interfaceIndex(iface *winipcfg.IPAdapterAddresses) uint32 {
@@ -119,7 +119,7 @@ func bindSocket6(c syscall.RawConn, ifidx uint32) error {
 // representation, suitable for passing to Windows APIs that require a
 // mangled uint32.
 func nativeToBigEndian(i uint32) uint32 {
-	if endian.Big {
+	if native.IsBigEndian {
 		return i
 	}
 	return bits.ReverseBytes32(i)
--- a/net/netstat/netstat.go
+++ b/net/netstat/netstat.go
@@ -17,6 +17,7 @@ type Entry struct {
 	Local, Remote netip.AddrPort
 	Pid           int
 	State         string // TODO: type?
+	OSMetadata    OSMetadata
 }

 // Table contains local machine's TCP connection entries.
--- a/net/netstat/netstat_noimpl.go
+++ b/net/netstat/netstat_noimpl.go
@@ -6,6 +6,10 @@

 package netstat

+// OSMetadata includes any additional OS-specific information that may be
+// obtained during the retrieval of a given Entry.
+type OSMetadata struct{}
+
 func get() (*Table, error) {
 	return nil, ErrNotImplemented
 }
--- a/net/netstat/netstat_windows.go
+++ b/net/netstat/netstat_windows.go
@@ -10,45 +10,106 @@ import (
 	"fmt"
 	"math/bits"
 	"net/netip"
-	"syscall"
 	"unsafe"

+	"github.com/josharian/native"
 	"golang.org/x/sys/windows"
 	"tailscale.com/net/netaddr"
-	"tailscale.com/util/endian"
 )

+// OSMetadata includes any additional OS-specific information that may be
+// obtained during the retrieval of a given Entry.
+type OSMetadata interface {
+	GetModule() (string, error)
+}
+
 // See https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getextendedtcptable

-// TCP_TABLE_OWNER_PID_ALL means to include the PID info. The table type
+// TCP_TABLE_OWNER_MODULE_ALL means to include the PID and module. The table type
 // we get back from Windows depends on AF_INET vs AF_INET6:
-// MIB_TCPTABLE_OWNER_PID for v4 or MIB_TCP6TABLE_OWNER_PID for v6.
-const tcpTableOwnerPidAll = 5
+// MIB_TCPTABLE_OWNER_MODULE for v4 or MIB_TCP6TABLE_OWNER_MODULE for v6.
+const tcpTableOwnerModuleAll = 8
+
+// TCPIP_OWNER_MODULE_BASIC_INFO means to request "basic information" about the
+// owner module.
+const tcpipOwnerModuleBasicInfo = 0

 var (
-	iphlpapi    = syscall.NewLazyDLL("iphlpapi.dll")
-	getTCPTable = iphlpapi.NewProc("GetExtendedTcpTable")
+	iphlpapi                    = windows.NewLazySystemDLL("iphlpapi.dll")
+	getTCPTable                 = iphlpapi.NewProc("GetExtendedTcpTable")
+	getOwnerModuleFromTcpEntry  = iphlpapi.NewProc("GetOwnerModuleFromTcpEntry")
+	getOwnerModuleFromTcp6Entry = iphlpapi.NewProc("GetOwnerModuleFromTcp6Entry")
 	// TODO: GetExtendedUdpTable also? if/when needed.
 )

-type _MIB_TCPROW_OWNER_PID struct {
-	state      uint32
-	localAddr  uint32
-	localPort  uint32
-	remoteAddr uint32
-	remotePort uint32
-	pid        uint32
+// See https://web.archive.org/web/20221219211913/https://learn.microsoft.com/en-us/windows/win32/api/tcpmib/ns-tcpmib-mib_tcprow_owner_module
+type _MIB_TCPROW_OWNER_MODULE struct {
+	state            uint32
+	localAddr        uint32
+	localPort        uint32
+	remoteAddr       uint32
+	remotePort       uint32
+	pid              uint32
+	createTimestamp  int64
+	owningModuleInfo [16]uint64
 }

-type _MIB_TCP6ROW_OWNER_PID struct {
-	localAddr   [16]byte
-	localScope  uint32
-	localPort   uint32
-	remoteAddr  [16]byte
-	remoteScope uint32
-	remotePort  uint32
-	state       uint32
-	pid         uint32
+func (row *_MIB_TCPROW_OWNER_MODULE) asEntry() Entry {
+	return Entry{
+		Local:      ipport4(row.localAddr, port(&row.localPort)),
+		Remote:     ipport4(row.remoteAddr, port(&row.remotePort)),
+		Pid:        int(row.pid),
+		State:      state(row.state),
+		OSMetadata: row,
+	}
+}
+
+type _MIB_TCPTABLE_OWNER_MODULE struct {
+	numEntries uint32
+	table      _MIB_TCPROW_OWNER_MODULE
+}
+
+func (m *_MIB_TCPTABLE_OWNER_MODULE) getRows() []_MIB_TCPROW_OWNER_MODULE {
+	return unsafe.Slice(&m.table, m.numEntries)
+}
+
+// See https://web.archive.org/web/20221219212442/https://learn.microsoft.com/en-us/windows/win32/api/tcpmib/ns-tcpmib-mib_tcp6row_owner_module
+type _MIB_TCP6ROW_OWNER_MODULE struct {
+	localAddr        [16]byte
+	localScope       uint32
+	localPort        uint32
+	remoteAddr       [16]byte
+	remoteScope      uint32
+	remotePort       uint32
+	state            uint32
+	pid              uint32
+	createTimestamp  int64
+	owningModuleInfo [16]uint64
+}
+
+func (row *_MIB_TCP6ROW_OWNER_MODULE) asEntry() Entry {
+	return Entry{
+		Local:      ipport6(row.localAddr, row.localScope, port(&row.localPort)),
+		Remote:     ipport6(row.remoteAddr, row.remoteScope, port(&row.remotePort)),
+		Pid:        int(row.pid),
+		State:      state(row.state),
+		OSMetadata: row,
+	}
+}
+
+type _MIB_TCP6TABLE_OWNER_MODULE struct {
+	numEntries uint32
+	table      _MIB_TCP6ROW_OWNER_MODULE
+}
+
+func (m *_MIB_TCP6TABLE_OWNER_MODULE) getRows() []_MIB_TCP6ROW_OWNER_MODULE {
+	return unsafe.Slice(&m.table, m.numEntries)
+}
+
+// See https://web.archive.org/web/20221219213143/https://learn.microsoft.com/en-us/windows/win32/api/iprtrmib/ns-iprtrmib-tcpip_owner_module_basic_info
+type _TCPIP_OWNER_MODULE_BASIC_INFO struct {
+	moduleName *uint16
+	modulePath *uint16
 }

 func get() (*Table, error) {
@@ -72,13 +133,13 @@ func (t *Table) addEntries(fam int) error {
 			uintptr(unsafe.Pointer(&size)),
 			1, // sorted
 			uintptr(fam),
-			tcpTableOwnerPidAll,
+			tcpTableOwnerModuleAll,
 			0, // reserved; "must be zero"
 		)
 		if err == 0 {
 			break
 		}
-		if err == uintptr(syscall.ERROR_INSUFFICIENT_BUFFER) {
+		if err == uintptr(windows.ERROR_INSUFFICIENT_BUFFER) {
 			const maxSize = 10 << 20
 			if size > maxSize || size < 4 {
 				return fmt.Errorf("unreasonable kernel-reported size %d", size)
@@ -87,48 +148,28 @@ func (t *Table) addEntries(fam int) error {
 			addr = unsafe.Pointer(&buf[0])
 			continue
 		}
-		return syscall.Errno(err)
+		return windows.Errno(err)
 	}
 	if len(buf) < int(size) {
 		return errors.New("unexpected size growth from system call")
 	}
 	buf = buf[:size]

-	numEntries := endian.Native.Uint32(buf[:4])
-	buf = buf[4:]
-
-	var recSize int
 	switch fam {
 	case windows.AF_INET:
-		recSize = 6 * 4
-	case windows.AF_INET6:
-		recSize = 6*4 + 16*2
-	}
-	dataLen := numEntries * uint32(recSize)
-	if uint32(len(buf)) > dataLen {
-		buf = buf[:dataLen]
-	}
-	for len(buf) >= recSize {
-		switch fam {
-		case windows.AF_INET:
-			row := (*_MIB_TCPROW_OWNER_PID)(unsafe.Pointer(&buf[0]))
-			t.Entries = append(t.Entries, Entry{
-				Local:  ipport4(row.localAddr, port(&row.localPort)),
-				Remote: ipport4(row.remoteAddr, port(&row.remotePort)),
-				Pid:    int(row.pid),
-				State:  state(row.state),
-			})
-		case windows.AF_INET6:
-			row := (*_MIB_TCP6ROW_OWNER_PID)(unsafe.Pointer(&buf[0]))
-			t.Entries = append(t.Entries, Entry{
-				Local:  ipport6(row.localAddr, row.localScope, port(&row.localPort)),
-				Remote: ipport6(row.remoteAddr, row.remoteScope, port(&row.remotePort)),
-				Pid:    int(row.pid),
-				State:  state(row.state),
-			})
+		info := (*_MIB_TCPTABLE_OWNER_MODULE)(unsafe.Pointer(&buf[0]))
+		rows := info.getRows()
+		for _, row := range rows {
+			t.Entries = append(t.Entries, row.asEntry())
+		}
+	case windows.AF_INET6:
+		info := (*_MIB_TCP6TABLE_OWNER_MODULE)(unsafe.Pointer(&buf[0]))
+		rows := info.getRows()
+		for _, row := range rows {
+			t.Entries = append(t.Entries, row.asEntry())
 		}
-		buf = buf[recSize:]
 	}
+
 	return nil
 }

@@ -155,7 +196,7 @@ func state(v uint32) string {
 }

 func ipport4(addr uint32, port uint16) netip.AddrPort {
-	if !endian.Big {
+	if !native.IsBigEndian {
 		addr = bits.ReverseBytes32(addr)
 	}
 	return netip.AddrPortFrom(
@@ -173,8 +214,48 @@ func ipport6(addr [16]byte, scope uint32, port uint16) netip.AddrPort {
 }

 func port(v *uint32) uint16 {
-	if !endian.Big {
+	if !native.IsBigEndian {
 		return uint16(bits.ReverseBytes32(*v) >> 16)
 	}
 	return uint16(*v >> 16)
 }
+
+type moduleInfoConstraint interface {
+	_MIB_TCPROW_OWNER_MODULE | _MIB_TCP6ROW_OWNER_MODULE
+}
+
+func moduleInfo[entryType moduleInfoConstraint](entry *entryType, proc *windows.LazyProc) (string, error) {
+	var buf []byte
+	var desiredLen uint32
+	var addr unsafe.Pointer
+
+	for {
+		e, _, _ := proc.Call(
+			uintptr(unsafe.Pointer(entry)),
+			uintptr(tcpipOwnerModuleBasicInfo),
+			uintptr(addr),
+			uintptr(unsafe.Pointer(&desiredLen)),
+		)
+		err := windows.Errno(e)
+		if err == windows.ERROR_SUCCESS {
+			break
+		}
+		if err != windows.ERROR_INSUFFICIENT_BUFFER {
+			return "", err
+		}
+
+		buf = make([]byte, desiredLen)
+		addr = unsafe.Pointer(&buf[0])
+	}
+
+	basicInfo := (*_TCPIP_OWNER_MODULE_BASIC_INFO)(addr)
+	return windows.UTF16PtrToString(basicInfo.moduleName), nil
+}
+
+func (m *_MIB_TCPROW_OWNER_MODULE) GetModule() (string, error) {
+	return moduleInfo(m, getOwnerModuleFromTcpEntry)
+}
+
+func (m *_MIB_TCP6ROW_OWNER_MODULE) GetModule() (string, error) {
+	return moduleInfo(m, getOwnerModuleFromTcp6Entry)
+}
--- a/net/tsaddr/tsaddr.go
+++ b/net/tsaddr/tsaddr.go
@@ -207,17 +207,6 @@ func NewContainsIPFunc(addrs []netip.Prefix) func(ip netip.Addr) bool {
 	return func(ip netip.Addr) bool { return m[ip] }
 }

-// PrefixesContainsFunc reports whether f is true for any IPPrefix in
-// ipp.
-func PrefixesContainsFunc(ipp []netip.Prefix, f func(netip.Prefix) bool) bool {
-	for _, v := range ipp {
-		if f(v) {
-			return true
-		}
-	}
-	return false
-}
-
 // PrefixesContainsIP reports whether any prefix in ipp contains ip.
 func PrefixesContainsIP(ipp []netip.Prefix, ip netip.Addr) bool {
 	for _, r := range ipp {
@@ -228,16 +217,6 @@ func PrefixesContainsIP(ipp []netip.Prefix, ip netip.Addr) bool {
 	return false
 }

-// IPsContainsFunc reports whether f is true for any IP in ips.
-func IPsContainsFunc(ips []netip.Addr, f func(netip.Addr) bool) bool {
-	for _, v := range ips {
-		if f(v) {
-			return true
-		}
-	}
-	return false
-}
-
 // PrefixIs4 reports whether p is an IPv4 prefix.
 func PrefixIs4(p netip.Prefix) bool { return p.Addr().Is4() }

--- a/net/tstun/fake.go
+++ b/net/tstun/fake.go
@@ -8,7 +8,7 @@ import (
 	"io"
 	"os"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 )

 type fakeTUN struct {
@@ -34,21 +34,22 @@ func (t *fakeTUN) Close() error {
 	return nil
 }

-func (t *fakeTUN) Read(out []byte, offset int) (int, error) {
+func (t *fakeTUN) Read(out [][]byte, sizes []int, offset int) (int, error) {
 	<-t.closechan
 	return 0, io.EOF
 }

-func (t *fakeTUN) Write(b []byte, n int) (int, error) {
+func (t *fakeTUN) Write(b [][]byte, n int) (int, error) {
 	select {
 	case <-t.closechan:
 		return 0, ErrClosed
 	default:
 	}
-	return len(b), nil
+	return 1, nil
 }

-func (t *fakeTUN) Flush() error           { return nil }
-func (t *fakeTUN) MTU() (int, error)      { return 1500, nil }
-func (t *fakeTUN) Name() (string, error)  { return "FakeTUN", nil }
-func (t *fakeTUN) Events() chan tun.Event { return t.evchan }
+func (t *fakeTUN) Flush() error             { return nil }
+func (t *fakeTUN) MTU() (int, error)        { return 1500, nil }
+func (t *fakeTUN) Name() (string, error)    { return "FakeTUN", nil }
+func (t *fakeTUN) Events() <-chan tun.Event { return t.evchan }
+func (t *fakeTUN) BatchSize() int           { return 1 }
--- a/net/tstun/ifstatus_noop.go
+++ b/net/tstun/ifstatus_noop.go
@@ -9,7 +9,7 @@ package tstun
 import (
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 )

--- a/net/tstun/ifstatus_windows.go
+++ b/net/tstun/ifstatus_windows.go
@@ -9,7 +9,7 @@ import (
 	"sync"
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/types/logger"
 )
--- a/net/tstun/linkattrs_linux.go
+++ b/net/tstun/linkattrs_linux.go
@@ -7,8 +7,8 @@ package tstun
 import (
 	"github.com/mdlayher/genetlink"
 	"github.com/mdlayher/netlink"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.org/x/sys/unix"
-	"golang.zx2c4.com/wireguard/tun"
 )

 // setLinkSpeed sets the advertised link speed of the TUN interface.
--- a/net/tstun/linkattrs_notlinux.go
+++ b/net/tstun/linkattrs_notlinux.go
@@ -6,7 +6,7 @@

 package tstun

-import "golang.zx2c4.com/wireguard/tun"
+import "github.com/tailscale/wireguard-go/tun"

 func setLinkAttrs(iface tun.Device) error {
 	return nil
--- a/net/tstun/tap_linux.go
+++ b/net/tstun/tap_linux.go
@@ -12,17 +12,20 @@ import (
 	"net/netip"
 	"os"
 	"os/exec"
+	"sync"

 	"github.com/insomniacslk/dhcp/dhcpv4"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.org/x/sys/unix"
-	"golang.zx2c4.com/wireguard/tun"
 	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/checksum"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
+	"tailscale.com/util/multierr"
 )

 // TODO: this was randomly generated once. Maybe do it per process start? But
@@ -69,13 +72,7 @@ func openDevice(fd int, tapName, bridgeName string) (tun.Device, error) {
 		}
 	}

-	// Also sets non-blocking I/O on fd when creating tun.Device.
-	dev, _, err := tun.CreateUnmonitoredTUNFromFD(fd) // TODO: MTU
-	if err != nil {
-		return nil, err
-	}
-
-	return dev, nil
+	return newTAPDevice(fd, tapName)
 }

 type etherType [2]byte
@@ -168,7 +165,8 @@ func (t *Wrapper) handleTAPFrame(ethBuf []byte) bool {
 			copy(res.HardwareAddressTarget(), req.HardwareAddressSender())
 			copy(res.ProtocolAddressTarget(), req.ProtocolAddressSender())

-			n, err := t.tdev.Write(buf, 0)
+			// TODO(raggi): reduce allocs!
+			n, err := t.tdev.Write([][]byte{buf}, 0)
 			if tapDebug {
 				t.logf("tap: wrote ARP reply %v, %v", n, err)
 			}
@@ -252,7 +250,9 @@ func (t *Wrapper) handleDHCPRequest(ethBuf []byte) bool {
 			netip.AddrPortFrom(netaddr.IPv4(100, 100, 100, 100), 67), // src
 			netip.AddrPortFrom(netaddr.IPv4(255, 255, 255, 255), 68), // dst
 		)
-		n, err := t.tdev.Write(pkt, 0)
+
+		// TODO(raggi): reduce allocs!
+		n, err := t.tdev.Write([][]byte{pkt}, 0)
 		if tapDebug {
 			t.logf("tap: wrote DHCP OFFER %v, %v", n, err)
 		}
@@ -279,7 +279,8 @@ func (t *Wrapper) handleDHCPRequest(ethBuf []byte) bool {
 			netip.AddrPortFrom(netaddr.IPv4(100, 100, 100, 100), 67), // src
 			netip.AddrPortFrom(netaddr.IPv4(255, 255, 255, 255), 68), // dst
 		)
-		n, err := t.tdev.Write(pkt, 0)
+		// TODO(raggi): reduce allocs!
+		n, err := t.tdev.Write([][]byte{pkt}, 0)
 		if tapDebug {
 			t.logf("tap: wrote DHCP ACK %v, %v", n, err)
 		}
@@ -327,7 +328,7 @@ func packLayer2UDP(payload []byte, srcMAC, dstMAC net.HardwareAddr, src, dst net
 	// Calculate the UDP pseudo-header checksum.
 	xsum := header.PseudoHeaderChecksum(udp.ProtocolNumber, srcIP, dstIP, uint16(len(u)))
 	// Calculate the UDP checksum and set it.
-	xsum = header.Checksum(payload, xsum)
+	xsum = checksum.Checksum(payload, xsum)
 	u.SetChecksum(^u.CalculateChecksum(xsum))
 	return []byte(buf)
 }
@@ -346,21 +347,108 @@ func (t *Wrapper) destMAC() [6]byte {
 	return t.destMACAtomic.Load()
 }

-func (t *Wrapper) tapWrite(buf []byte, offset int) (int, error) {
-	if offset < ethernetFrameSize {
-		return 0, fmt.Errorf("[unexpected] weird offset %d for TAP write", offset)
+func newTAPDevice(fd int, tapName string) (tun.Device, error) {
+	err := unix.SetNonblock(fd, true)
+	if err != nil {
+		return nil, err
 	}
-	eth := buf[offset-ethernetFrameSize:]
-	dst := t.destMAC()
-	copy(eth[:6], dst[:])
-	copy(eth[6:12], ourMAC[:])
-	et := etherTypeIPv4
-	if buf[offset]>>4 == 6 {
-		et = etherTypeIPv6
+	file := os.NewFile(uintptr(fd), "/dev/tap")
+	d := &tapDevice{
+		file:   file,
+		events: make(chan tun.Event),
+		name:   tapName,
 	}
-	eth[12], eth[13] = et[0], et[1]
-	if tapDebug {
-		t.logf("tap: tapWrite off=%v % x", offset, buf)
-	}
-	return t.tdev.Write(buf, offset-ethernetFrameSize)
+	return d, nil
+}
+
+var (
+	_ setWrapperer = &tapDevice{}
+)
+
+type tapDevice struct {
+	file      *os.File
+	events    chan tun.Event
+	name      string
+	wrapper   *Wrapper
+	closeOnce sync.Once
+}
+
+func (t *tapDevice) setWrapper(wrapper *Wrapper) {
+	t.wrapper = wrapper
+}
+
+func (t *tapDevice) File() *os.File {
+	return t.file
+}
+
+func (t *tapDevice) Name() (string, error) {
+	return t.name, nil
+}
+
+func (t *tapDevice) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
+	n, err := t.file.Read(buffs[0][offset:])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+func (t *tapDevice) Write(buffs [][]byte, offset int) (int, error) {
+	errs := make([]error, 0)
+	wrote := 0
+	for _, buff := range buffs {
+		if offset < ethernetFrameSize {
+			errs = append(errs, fmt.Errorf("[unexpected] weird offset %d for TAP write", offset))
+			return 0, multierr.New(errs...)
+		}
+		eth := buff[offset-ethernetFrameSize:]
+		dst := t.wrapper.destMAC()
+		copy(eth[:6], dst[:])
+		copy(eth[6:12], ourMAC[:])
+		et := etherTypeIPv4
+		if buff[offset]>>4 == 6 {
+			et = etherTypeIPv6
+		}
+		eth[12], eth[13] = et[0], et[1]
+		if tapDebug {
+			t.wrapper.logf("tap: tapWrite off=%v % x", offset, buff)
+		}
+		_, err := t.file.Write(buff[offset-ethernetFrameSize:])
+		if err != nil {
+			errs = append(errs, err)
+		} else {
+			wrote++
+		}
+	}
+	return wrote, multierr.New(errs...)
+}
+
+func (t *tapDevice) MTU() (int, error) {
+	ifr, err := unix.NewIfreq(t.name)
+	if err != nil {
+		return 0, err
+	}
+	err = unix.IoctlIfreq(int(t.file.Fd()), unix.SIOCGIFMTU, ifr)
+	if err != nil {
+		return 0, err
+	}
+	return int(ifr.Uint32()), nil
+}
+
+func (t *tapDevice) Events() <-chan tun.Event {
+	return t.events
+}
+
+func (t *tapDevice) Close() error {
+	var err error
+	t.closeOnce.Do(func() {
+		close(t.events)
+		err = t.file.Close()
+	})
+	return err
+}
+
+func (t *tapDevice) BatchSize() int {
+	return 1
 }
--- a/net/tstun/tap_unsupported.go
+++ b/net/tstun/tap_unsupported.go
@@ -6,5 +6,4 @@

 package tstun

-func (*Wrapper) handleTAPFrame([]byte) bool        { panic("unreachable") }
-func (*Wrapper) tapWrite([]byte, int) (int, error) { panic("unreachable") }
+func (*Wrapper) handleTAPFrame([]byte) bool { panic("unreachable") }
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -14,7 +14,7 @@ import (
 	"strings"
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/envknob"
 	"tailscale.com/types/logger"
 )
@@ -25,6 +25,7 @@ var createTAP func(tapName, bridgeName string) (tun.Device, error)
 // New returns a tun.Device for the requested device name, along with
 // the OS-dependent name that was allocated to the device.
 func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
+	var disableTUNOffload = envknob.Bool("TS_DISABLE_TUN_OFFLOAD")
 	var dev tun.Device
 	var err error
 	if strings.HasPrefix(tunName, "tap:") {
@@ -51,6 +52,11 @@ func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
 			tunMTU = mtu
 		}
 		dev, err = tun.CreateTUN(tunName, tunMTU)
+		if err == nil && disableTUNOffload {
+			if do, ok := dev.(tun.DisableOffloader); ok {
+				do.DisableOffload()
+			}
+		}
 	}
 	if err != nil {
 		return nil, "", err
--- a/net/tstun/tun_notwindows.go
+++ b/net/tstun/tun_notwindows.go
@@ -6,7 +6,7 @@

 package tstun

-import "golang.zx2c4.com/wireguard/tun"
+import "github.com/tailscale/wireguard-go/tun"

 func interfaceName(dev tun.Device) (string, error) {
 	return dev.Name()
--- a/net/tstun/tun_windows.go
+++ b/net/tstun/tun_windows.go
@@ -5,8 +5,8 @@
 package tstun

 import (
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )

--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -17,9 +17,9 @@ import (
 	"sync/atomic"
 	"time"

+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun"
 	"go4.org/mem"
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 	"tailscale.com/disco"
 	"tailscale.com/net/connstats"
@@ -88,25 +88,31 @@ type Wrapper struct {
 	destMACAtomic  syncs.AtomicValue[[6]byte]
 	discoKey       syncs.AtomicValue[key.DiscoPublic]

-	// buffer stores the oldest unconsumed packet from tdev.
-	// It is made a static buffer in order to avoid allocations.
-	buffer [maxBufferSize]byte
-	// bufferConsumedMu protects bufferConsumed from concurrent sends and closes.
-	// It does not prevent send-after-close, only data races.
+	// vectorBuffer stores the oldest unconsumed packet vector from tdev. It is
+	// allocated in wrap() and the underlying arrays should never grow.
+	vectorBuffer [][]byte
+	// bufferConsumedMu protects bufferConsumed from concurrent sends, closes,
+	// and send-after-close (by way of bufferConsumedClosed).
 	bufferConsumedMu sync.Mutex
-	// bufferConsumed synchronizes access to buffer (shared by Read and poll).
+	// bufferConsumedClosed is true when bufferConsumed has been closed. This is
+	// read by bufferConsumed writers to prevent send-after-close.
+	bufferConsumedClosed bool
+	// bufferConsumed synchronizes access to vectorBuffer (shared by Read() and
+	// pollVector()).
 	//
-	// Close closes bufferConsumed. There may be outstanding sends to bufferConsumed
-	// when that happens; we catch any resulting panics.
-	// This lets us avoid expensive multi-case selects.
+	// Close closes bufferConsumed and sets bufferConsumedClosed to true.
 	bufferConsumed chan struct{}

 	// closed signals poll (by closing) when the device is closed.
 	closed chan struct{}
-	// outboundMu protects outbound from concurrent sends and closes.
-	// It does not prevent send-after-close, only data races.
+	// outboundMu protects outbound and vectorOutbound from concurrent sends,
+	// closes, and send-after-close (by way of outboundClosed).
 	outboundMu sync.Mutex
-	// outbound is the queue by which packets leave the TUN device.
+	// outboundClosed is true when outbound or vectorOutbound have been closed.
+	// This is read by outbound and vectorOutbound writers to prevent
+	// send-after-close.
+	outboundClosed bool
+	// vectorOutbound is the queue by which packets leave the TUN device.
 	//
 	// The directions are relative to the network, not the device:
 	// inbound packets arrive via UDP and are written into the TUN device;
@@ -115,12 +121,10 @@ type Wrapper struct {
 	// the other direction must wait on a WireGuard goroutine to poll it.
 	//
 	// Empty reads are skipped by WireGuard, so it is always legal
-	// to discard an empty packet instead of sending it through t.outbound.
+	// to discard an empty packet instead of sending it through vectorOutbound.
 	//
-	// Close closes outbound. There may be outstanding sends to outbound
-	// when that happens; we catch any resulting panics.
-	// This lets us avoid expensive multi-case selects.
-	outbound chan tunReadResult
+	// Close closes vectorOutbound and sets outboundClosed to true.
+	vectorOutbound chan tunVectorReadResult

 	// eventsUpDown yields up and down tun.Events that arrive on a Wrapper's events channel.
 	eventsUpDown chan tun.Event
@@ -172,19 +176,31 @@ type Wrapper struct {
 	stats atomic.Pointer[connstats.Statistics]
 }

-// tunReadResult is the result of a TUN read, or an injected result pretending to be a TUN read.
-// The data is not interpreted in the usual way for a Read method.
-// See the comment in the middle of Wrap.Read.
-type tunReadResult struct {
-	// Only one of err, packet or data should be set, and are read in that order
-	// of precedence.
-	err    error
-	packet *stack.PacketBuffer
+// tunInjectedRead is an injected packet pretending to be a tun.Read().
+type tunInjectedRead struct {
+	// Only one of packet or data should be set, and are read in that order of
+	// precedence.
+	packet stack.PacketBufferPtr
 	data   []byte
+}

-	// injected is set if the read result was generated internally, and contained packets should not
-	// pass through filters.
-	injected bool
+// tunVectorReadResult is the result of a tun.Read(), or an injected packet
+// pretending to be a tun.Read().
+type tunVectorReadResult struct {
+	// When err AND data are nil, injected will be set with meaningful data
+	// (injected packet). If either err OR data is non-nil, injected should be
+	// ignored (a "real" tun.Read).
+	err      error
+	data     [][]byte
+	injected tunInjectedRead
+
+	dataOffset int
+}
+
+type setWrapperer interface {
+	// setWrapper enables the underlying TUN/TAP to have access to the Wrapper.
+	// It MUST be called only once during initialization, other usage is unsafe.
+	setWrapper(*Wrapper)
 }

 func WrapTAP(logf logger.Logf, tdev tun.Device) *Wrapper {
@@ -197,7 +213,7 @@ func Wrap(logf logger.Logf, tdev tun.Device) *Wrapper {

 func wrap(logf logger.Logf, tdev tun.Device, isTAP bool) *Wrapper {
 	logf = logger.WithPrefix(logf, "tstun: ")
-	tun := &Wrapper{
+	w := &Wrapper{
 		logf:        logf,
 		limitedLogf: logger.RateLimitedFn(logf, 1*time.Minute, 2, 10),
 		isTAP:       isTAP,
@@ -206,21 +222,30 @@ func wrap(logf logger.Logf, tdev tun.Device, isTAP bool) *Wrapper {
 		// a goroutine should not block when setting it, even with no listeners.
 		bufferConsumed: make(chan struct{}, 1),
 		closed:         make(chan struct{}),
-		// outbound can be unbuffered; the buffer is an optimization.
-		outbound:     make(chan tunReadResult, 1),
-		eventsUpDown: make(chan tun.Event),
-		eventsOther:  make(chan tun.Event),
+		// vectorOutbound can be unbuffered; the buffer is an optimization.
+		vectorOutbound: make(chan tunVectorReadResult, 1),
+		eventsUpDown:   make(chan tun.Event),
+		eventsOther:    make(chan tun.Event),
 		// TODO(dmytro): (highly rate-limited) hexdumps should happen on unknown packets.
 		filterFlags: filter.LogAccepts | filter.LogDrops,
 	}

-	go tun.poll()
-	go tun.pumpEvents()
-	// The buffer starts out consumed.
-	tun.bufferConsumed <- struct{}{}
-	tun.noteActivity()
+	w.vectorBuffer = make([][]byte, tdev.BatchSize())
+	for i := range w.vectorBuffer {
+		w.vectorBuffer[i] = make([]byte, maxBufferSize)
+	}
+	go w.pollVector()

-	return tun
+	go w.pumpEvents()
+	// The buffer starts out consumed.
+	w.bufferConsumed <- struct{}{}
+	w.noteActivity()
+
+	if sw, ok := w.tdev.(setWrapperer); ok {
+		sw.setWrapper(w)
+	}
+
+	return w
 }

 // SetDestIPActivityFuncs sets a map of funcs to run per packet
@@ -261,10 +286,12 @@ func (t *Wrapper) Close() error {
 	t.closeOnce.Do(func() {
 		close(t.closed)
 		t.bufferConsumedMu.Lock()
+		t.bufferConsumedClosed = true
 		close(t.bufferConsumed)
 		t.bufferConsumedMu.Unlock()
 		t.outboundMu.Lock()
-		close(t.outbound)
+		t.outboundClosed = true
+		close(t.vectorOutbound)
 		t.outboundMu.Unlock()
 		err = t.tdev.Close()
 	})
@@ -323,7 +350,7 @@ func (t *Wrapper) EventsUpDown() chan tun.Event {
 // Events returns a TUN event channel that contains all non-Up, non-Down events.
 // It is named Events because it is the set of events that we want to expose to wireguard-go,
 // and Events is the name specified by the wireguard-go tun.Device interface.
-func (t *Wrapper) Events() chan tun.Event {
+func (t *Wrapper) Events() <-chan tun.Event {
 	return t.eventsOther
 }

@@ -331,10 +358,6 @@ func (t *Wrapper) File() *os.File {
 	return t.tdev.File()
 }

-func (t *Wrapper) Flush() error {
-	return t.tdev.Flush()
-}
-
 func (t *Wrapper) MTU() (int, error) {
 	return t.tdev.MTU()
 }
@@ -343,94 +366,95 @@ func (t *Wrapper) Name() (string, error) {
 	return t.tdev.Name()
 }

-// allowSendOnClosedChannel suppresses panics due to sending on a closed channel.
-// This allows us to avoid synchronization between poll and Close.
-// Such synchronization (particularly multi-case selects) is too expensive
-// for code like poll or Read that is on the hot path of every packet.
-// If this makes you sad or angry, you may want to join our
-// weekly Go Performance Delinquents Anonymous meetings on Monday nights.
-func allowSendOnClosedChannel() {
-	r := recover()
-	if r == nil {
-		return
-	}
-	e, _ := r.(error)
-	if e != nil && e.Error() == "send on closed channel" {
-		return
-	}
-	panic(r)
-}
-
 const ethernetFrameSize = 14 // 2 six byte MACs, 2 bytes ethertype

-// poll polls t.tdev.Read, placing the oldest unconsumed packet into t.buffer.
-// This is needed because t.tdev.Read in general may block (it does on Windows),
-// so packets may be stuck in t.outbound if t.Read called t.tdev.Read directly.
-func (t *Wrapper) poll() {
+// pollVector polls t.tdev.Read(), placing the oldest unconsumed packet vector
+// into t.vectorBuffer. This is needed because t.tdev.Read() in general may
+// block (it does on Windows), so packets may be stuck in t.vectorOutbound if
+// t.Read() called t.tdev.Read() directly.
+func (t *Wrapper) pollVector() {
+	sizes := make([]int, len(t.vectorBuffer))
+	readOffset := PacketStartOffset
+	if t.isTAP {
+		readOffset = PacketStartOffset - ethernetFrameSize
+	}
+
 	for range t.bufferConsumed {
 	DoRead:
+		for i := range t.vectorBuffer {
+			t.vectorBuffer[i] = t.vectorBuffer[i][:cap(t.vectorBuffer[i])]
+		}
 		var n int
 		var err error
-		// Read may use memory in t.buffer before PacketStartOffset for mandatory headers.
-		// This is the rationale behind the tun.Wrapper.{Read,Write} interfaces
-		// and the reason t.buffer has size MaxMessageSize and not MaxContentSize.
-		// In principle, read errors are not fatal (but wireguard-go disagrees).
-		// We loop here until we get a non-empty (or failed) read.
-		// We don't need this loop for correctness,
-		// but wireguard-go will skip an empty read,
-		// so we might as well avoid the send through t.outbound.
 		for n == 0 && err == nil {
 			if t.isClosed() {
 				return
 			}
-			if t.isTAP {
-				n, err = t.tdev.Read(t.buffer[:], PacketStartOffset-ethernetFrameSize)
-				if tapDebug {
-					s := fmt.Sprintf("% x", t.buffer[:])
-					for strings.HasSuffix(s, " 00") {
-						s = strings.TrimSuffix(s, " 00")
-					}
-					t.logf("TAP read %v, %v: %s", n, err, s)
+			n, err = t.tdev.Read(t.vectorBuffer[:], sizes, readOffset)
+			if t.isTAP && tapDebug {
+				s := fmt.Sprintf("% x", t.vectorBuffer[0][:])
+				for strings.HasSuffix(s, " 00") {
+					s = strings.TrimSuffix(s, " 00")
 				}
-			} else {
-				n, err = t.tdev.Read(t.buffer[:], PacketStartOffset)
+				t.logf("TAP read %v, %v: %s", n, err, s)
 			}
 		}
+		for i := range sizes[:n] {
+			t.vectorBuffer[i] = t.vectorBuffer[i][:readOffset+sizes[i]]
+		}
 		if t.isTAP {
 			if err == nil {
-				ethernetFrame := t.buffer[PacketStartOffset-ethernetFrameSize:][:n]
+				ethernetFrame := t.vectorBuffer[0][readOffset:]
 				if t.handleTAPFrame(ethernetFrame) {
 					goto DoRead
 				}
 			}
 			// Fall through. We got an IP packet.
-			if n >= ethernetFrameSize {
-				n -= ethernetFrameSize
+			if sizes[0] >= ethernetFrameSize {
+				t.vectorBuffer[0] = t.vectorBuffer[0][:readOffset+sizes[0]-ethernetFrameSize]
 			}
 			if tapDebug {
-				t.logf("tap regular frame: %x", t.buffer[PacketStartOffset:PacketStartOffset+n])
+				t.logf("tap regular frame: %x", t.vectorBuffer[0][PacketStartOffset:PacketStartOffset+sizes[0]])
 			}
 		}
-		t.sendOutbound(tunReadResult{data: t.buffer[PacketStartOffset : PacketStartOffset+n], err: err})
+		t.sendVectorOutbound(tunVectorReadResult{
+			data:       t.vectorBuffer[:n],
+			dataOffset: PacketStartOffset,
+			err:        err,
+		})
 	}
 }

 // sendBufferConsumed does t.bufferConsumed <- struct{}{}.
-// It protects against any panics or data races that that send could cause.
 func (t *Wrapper) sendBufferConsumed() {
-	defer allowSendOnClosedChannel()
 	t.bufferConsumedMu.Lock()
 	defer t.bufferConsumedMu.Unlock()
+	if t.bufferConsumedClosed {
+		return
+	}
 	t.bufferConsumed <- struct{}{}
 }

-// sendOutbound does t.outboundMu <- r.
-// It protects against any panics or data races that that send could cause.
-func (t *Wrapper) sendOutbound(r tunReadResult) {
-	defer allowSendOnClosedChannel()
+// injectOutbound does t.vectorOutbound <- r
+func (t *Wrapper) injectOutbound(r tunInjectedRead) {
 	t.outboundMu.Lock()
 	defer t.outboundMu.Unlock()
-	t.outbound <- r
+	if t.outboundClosed {
+		return
+	}
+	t.vectorOutbound <- tunVectorReadResult{
+		injected: r,
+	}
+}
+
+// sendVectorOutbound does t.vectorOutbound <- r.
+func (t *Wrapper) sendVectorOutbound(r tunVectorReadResult) {
+	t.outboundMu.Lock()
+	defer t.outboundMu.Unlock()
+	if t.outboundClosed {
+		return
+	}
+	t.vectorOutbound <- r
 }

 var (
@@ -514,34 +538,80 @@ func (t *Wrapper) IdleDuration() time.Duration {
 	return mono.Since(t.lastActivityAtomic.LoadAtomic())
 }

-func (t *Wrapper) Read(buf []byte, offset int) (int, error) {
-	res, ok := <-t.outbound
+func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
+	res, ok := <-t.vectorOutbound
+
 	if !ok {
-		// Wrapper is closed.
 		return 0, io.EOF
 	}
-	if res.err != nil {
+	if res.err != nil && len(res.data) == 0 {
 		return 0, res.err
 	}
+	if res.data == nil {
+		n, err := t.injectedRead(res.injected, buffs[0], offset)
+		sizes[0] = n
+		if err != nil && n == 0 {
+			return 0, err
+		}

+		return 1, err
+	}
+
+	metricPacketOut.Add(int64(len(res.data)))
+
+	var buffsPos int
+	p := parsedPacketPool.Get().(*packet.Parsed)
+	defer parsedPacketPool.Put(p)
+	for _, data := range res.data {
+		p.Decode(data[res.dataOffset:])
+		if m := t.destIPActivity.Load(); m != nil {
+			if fn := m[p.Dst.Addr()]; fn != nil {
+				fn()
+			}
+		}
+		if !t.disableFilter {
+			response := t.filterOut(p)
+			if response != filter.Accept {
+				metricPacketOutDrop.Add(1)
+				continue
+			}
+		}
+		n := copy(buffs[buffsPos][offset:], data[res.dataOffset:])
+		if n != len(data)-res.dataOffset {
+			panic(fmt.Sprintf("short copy: %d != %d", n, len(data)-res.dataOffset))
+		}
+		sizes[buffsPos] = n
+		if stats := t.stats.Load(); stats != nil {
+			stats.UpdateTxVirtual(data[res.dataOffset:])
+		}
+		buffsPos++
+	}
+
+	// t.vectorBuffer has a fixed location in memory.
+	// TODO(raggi): add an explicit field and possibly method to the tunVectorReadResult
+	// to signal when sendBufferConsumed should be called.
+	if &res.data[0] == &t.vectorBuffer[0] {
+		// We are done with t.buffer. Let poll() re-use it.
+		t.sendBufferConsumed()
+	}
+
+	t.noteActivity()
+	return buffsPos, res.err
+}
+
+// injectedRead handles injected reads, which bypass filters.
+func (t *Wrapper) injectedRead(res tunInjectedRead, buf []byte, offset int) (int, error) {
 	metricPacketOut.Add(1)

 	var n int
-	if res.packet != nil {
+	if !res.packet.IsNil() {

 		n = copy(buf[offset:], res.packet.NetworkHeader().Slice())
 		n += copy(buf[offset+n:], res.packet.TransportHeader().Slice())
 		n += copy(buf[offset+n:], res.packet.Data().AsRange().ToSlice())
-
 		res.packet.DecRef()
 	} else {
 		n = copy(buf[offset:], res.data)
-
-		// t.buffer has a fixed location in memory.
-		if &res.data[0] == &t.buffer[PacketStartOffset] {
-			// We are done with t.buffer. Let poll re-use it.
-			t.sendBufferConsumed()
-		}
 	}

 	p := parsedPacketPool.Get().(*packet.Parsed)
@@ -554,16 +624,6 @@ func (t *Wrapper) Read(buf []byte, offset int) (int, error) {
 		}
 	}

-	// Do not filter injected packets.
-	if !res.injected && !t.disableFilter {
-		response := t.filterOut(p)
-		if response != filter.Accept {
-			metricPacketOutDrop.Add(1)
-			// WireGuard considers read errors fatal; pretend nothing was read
-			return 0, nil
-		}
-	}
-
 	if stats := t.stats.Load(); stats != nil {
 		stats.UpdateTxVirtual(buf[offset:][:n])
 	}
@@ -571,11 +631,7 @@ func (t *Wrapper) Read(buf []byte, offset int) (int, error) {
 	return n, nil
 }

-func (t *Wrapper) filterIn(buf []byte) filter.Response {
-	p := parsedPacketPool.Get().(*packet.Parsed)
-	defer parsedPacketPool.Put(p)
-	p.Decode(buf)
-
+func (t *Wrapper) filterIn(p *packet.Parsed) filter.Response {
 	if p.IPProto == ipproto.TSMP {
 		if pingReq, ok := p.AsTSMPPing(); ok {
 			t.noteActivity()
@@ -668,42 +724,43 @@ func (t *Wrapper) filterIn(buf []byte) filter.Response {
 	return filter.Accept
 }

-// Write accepts an incoming packet. The packet begins at buf[offset:],
+// Write accepts incoming packets. The packets begins at buffs[:][offset:],
 // like wireguard-go/tun.Device.Write.
-func (t *Wrapper) Write(buf []byte, offset int) (int, error) {
-	metricPacketIn.Add(1)
+func (t *Wrapper) Write(buffs [][]byte, offset int) (int, error) {
+	metricPacketIn.Add(int64(len(buffs)))
+	i := 0
 	if !t.disableFilter {
-		if t.filterIn(buf[offset:]) != filter.Accept {
-			metricPacketInDrop.Add(1)
-			// If we're not accepting the packet, lie to wireguard-go and pretend
-			// that everything is okay with a nil error, so wireguard-go
-			// doesn't log about this Write "failure".
-			//
-			// We return len(buf), but the ill-defined wireguard-go/tun.Device.Write
-			// method doesn't specify how the offset affects the return value.
-			// In fact, the Linux implementation does one of two different things depending
-			// on how the /dev/net/tun was created. But fortunately the wireguard-go
-			// code ignores the int return and only looks at the error:
-			//
-			//     device/receive.go: _, err = device.tun.device.Write(....)
-			//
-			// TODO(bradfitz): fix upstream interface docs, implementation.
-			return len(buf), nil
+		p := parsedPacketPool.Get().(*packet.Parsed)
+		defer parsedPacketPool.Put(p)
+		for _, buff := range buffs {
+			p.Decode(buff[offset:])
+			if t.filterIn(p) != filter.Accept {
+				metricPacketInDrop.Add(1)
+			} else {
+				buffs[i] = buff
+				i++
+			}
 		}
+	} else {
+		i = len(buffs)
 	}
+	buffs = buffs[:i]

-	t.noteActivity()
-	return t.tdevWrite(buf, offset)
+	if len(buffs) > 0 {
+		t.noteActivity()
+		_, err := t.tdevWrite(buffs, offset)
+		return len(buffs), err
+	}
+	return 0, nil
 }

-func (t *Wrapper) tdevWrite(buf []byte, offset int) (int, error) {
+func (t *Wrapper) tdevWrite(buffs [][]byte, offset int) (int, error) {
 	if stats := t.stats.Load(); stats != nil {
-		stats.UpdateRxVirtual(buf[offset:])
+		for i := range buffs {
+			stats.UpdateRxVirtual((buffs)[i][offset:])
+		}
 	}
-	if t.isTAP {
-		return t.tapWrite(buf, offset)
-	}
-	return t.tdev.Write(buf, offset)
+	return t.tdev.Write(buffs, offset)
 }

 func (t *Wrapper) GetFilter() *filter.Filter {
@@ -721,7 +778,7 @@ func (t *Wrapper) SetFilter(filt *filter.Filter) {
 //
 // This path is typically used to deliver synthesized packets to the
 // host networking stack.
-func (t *Wrapper) InjectInboundPacketBuffer(pkt *stack.PacketBuffer) error {
+func (t *Wrapper) InjectInboundPacketBuffer(pkt stack.PacketBufferPtr) error {
 	buf := make([]byte, PacketStartOffset+pkt.Size())

 	n := copy(buf[PacketStartOffset:], pkt.NetworkHeader().Slice())
@@ -755,7 +812,7 @@ func (t *Wrapper) InjectInboundDirect(buf []byte, offset int) error {
 	}

 	// Write to the underlying device to skip filters.
-	_, err := t.tdevWrite(buf, offset)
+	_, err := t.tdevWrite([][]byte{buf}, offset) // TODO(jwhited): alloc?
 	return err
 }

@@ -813,14 +870,14 @@ func (t *Wrapper) InjectOutbound(packet []byte) error {
 	if len(packet) == 0 {
 		return nil
 	}
-	t.sendOutbound(tunReadResult{data: packet, injected: true})
+	t.injectOutbound(tunInjectedRead{data: packet})
 	return nil
 }

 // InjectOutboundPacketBuffer logically behaves as InjectOutbound. It takes ownership of one
 // reference count on the packet, and the packet may be mutated. The packet refcount will be
 // decremented after the injected buffer has been read.
-func (t *Wrapper) InjectOutboundPacketBuffer(packet *stack.PacketBuffer) error {
+func (t *Wrapper) InjectOutboundPacketBuffer(packet stack.PacketBufferPtr) error {
 	size := packet.Size()
 	if size > MaxPacketSize {
 		packet.DecRef()
@@ -830,10 +887,14 @@ func (t *Wrapper) InjectOutboundPacketBuffer(packet *stack.PacketBuffer) error {
 		packet.DecRef()
 		return nil
 	}
-	t.sendOutbound(tunReadResult{packet: packet, injected: true})
+	t.injectOutbound(tunInjectedRead{packet: packet})
 	return nil
 }

+func (t *Wrapper) BatchSize() int {
+	return t.tdev.BatchSize()
+}
+
 // Unwrap returns the underlying tun.Device.
 func (t *Wrapper) Unwrap() tun.Device {
 	return t.tdev
--- a/net/tstun/wrap_test.go
+++ b/net/tstun/wrap_test.go
@@ -6,18 +6,20 @@ package tstun

 import (
 	"bytes"
+	"context"
 	"encoding/binary"
 	"fmt"
 	"net/netip"
-	"reflect"
 	"strconv"
 	"strings"
 	"testing"
 	"unsafe"

+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/tailscale/wireguard-go/tun/tuntest"
 	"go4.org/mem"
 	"go4.org/netipx"
-	"golang.zx2c4.com/wireguard/tun/tuntest"
 	"tailscale.com/disco"
 	"tailscale.com/net/connstats"
 	"tailscale.com/net/netaddr"
@@ -208,16 +210,24 @@ func TestReadAndInject(t *testing.T) {

 	var buf [MaxPacketSize]byte
 	var seen = make(map[string]bool)
+	sizes := make([]int, 1)
 	// We expect the same packets back, in no particular order.
 	for i := 0; i < len(written)+len(injected); i++ {
-		n, err := tun.Read(buf[:], 0)
+		packet := buf[:]
+		buffs := [][]byte{packet}
+		numPackets, err := tun.Read(buffs, sizes, 0)
 		if err != nil {
 			t.Errorf("read %d: error: %v", i, err)
 		}
-		if n != size {
-			t.Errorf("read %d: got size %d; want %d", i, n, size)
+		if numPackets != 1 {
+			t.Fatalf("read %d packets, expected %d", numPackets, 1)
 		}
-		got := string(buf[:n])
+		packet = packet[:sizes[0]]
+		packetLen := len(packet)
+		if packetLen != size {
+			t.Errorf("read %d: got size %d; want %d", i, packetLen, size)
+		}
+		got := string(packet)
 		t.Logf("read %d: got %s", i, got)
 		seen[got] = true
 	}
@@ -245,13 +255,10 @@ func TestWriteAndInject(t *testing.T) {
 	go func() {
 		for _, packet := range written {
 			payload := []byte(packet)
-			n, err := tun.Write(payload, 0)
+			_, err := tun.Write([][]byte{payload}, 0)
 			if err != nil {
 				t.Errorf("%s: error: %v", packet, err)
 			}
-			if n != size {
-				t.Errorf("%s: got size %d; want %d", packet, n, size)
-			}
 		}
 	}()

@@ -332,15 +339,17 @@ func TestFilter(t *testing.T) {
 	}()

 	var buf [MaxPacketSize]byte
-	stats := new(connstats.Statistics)
+	stats := connstats.NewStatistics(0, 0, nil)
+	defer stats.Shutdown(context.Background())
 	tun.SetStatistics(stats)
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var n int
 			var err error
 			var filtered bool
+			sizes := make([]int, 1)

-			tunStats, _ := stats.Extract()
+			tunStats, _ := stats.TestExtract()
 			if len(tunStats) > 0 {
 				t.Errorf("connstats.Statistics.Extract = %v, want {}", stats)
 			}
@@ -352,11 +361,11 @@ func TestFilter(t *testing.T) {
 				// If it stays zero, nothing made it through
 				// to the wrapped TUN.
 				tun.lastActivityAtomic.StoreAtomic(0)
-				_, err = tun.Write(tt.data, 0)
+				_, err = tun.Write([][]byte{tt.data}, 0)
 				filtered = tun.lastActivityAtomic.LoadAtomic() == 0
 			} else {
 				chtun.Outbound <- tt.data
-				n, err = tun.Read(buf[:], 0)
+				n, err = tun.Read([][]byte{buf[:]}, sizes, 0)
 				// In the read direction, errors are fatal, so we return n = 0 instead.
 				filtered = (n == 0)
 			}
@@ -375,7 +384,7 @@ func TestFilter(t *testing.T) {
 				}
 			}

-			got, _ := stats.Extract()
+			got, _ := stats.TestExtract()
 			want := map[netlogtype.Connection]netlogtype.Counts{}
 			if !tt.drop {
 				var p packet.Parsed
@@ -389,8 +398,8 @@ func TestFilter(t *testing.T) {
 					want[conn] = netlogtype.Counts{TxPackets: 1, TxBytes: uint64(len(tt.data))}
 				}
 			}
-			if !reflect.DeepEqual(got, want) {
-				t.Errorf("tun.ExtractStatistics = %v, want %v", got, want)
+			if diff := cmp.Diff(got, want, cmpopts.EquateEmpty()); diff != "" {
+				t.Errorf("stats.TestExtract (-got +want):\n%s", diff)
 			}
 		})
 	}
@@ -400,7 +409,7 @@ func TestAllocs(t *testing.T) {
 	ftun, tun := newFakeTUN(t.Logf, false)
 	defer tun.Close()

-	buf := []byte{0x00}
+	buf := [][]byte{[]byte{0x00}}
 	err := tstest.MinAllocsPerRun(t, 0, func() {
 		_, err := ftun.Write(buf, 0)
 		if err != nil {
@@ -417,7 +426,7 @@ func TestAllocs(t *testing.T) {
 func TestClose(t *testing.T) {
 	ftun, tun := newFakeTUN(t.Logf, false)

-	data := udp4("1.2.3.4", "5.6.7.8", 98, 98)
+	data := [][]byte{udp4("1.2.3.4", "5.6.7.8", 98, 98)}
 	_, err := ftun.Write(data, 0)
 	if err != nil {
 		t.Error(err)
@@ -435,7 +444,7 @@ func BenchmarkWrite(b *testing.B) {
 	ftun, tun := newFakeTUN(b.Logf, true)
 	defer tun.Close()

-	packet := udp4("5.6.7.8", "1.2.3.4", 89, 89)
+	packet := [][]byte{udp4("5.6.7.8", "1.2.3.4", 89, 89)}
 	for i := 0; i < b.N; i++ {
 		_, err := ftun.Write(packet, 0)
 		if err != nil {
@@ -512,9 +521,11 @@ func TestPeerAPIBypass(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			p := new(packet.Parsed)
+			p.Decode(tt.pkt)
 			tt.w.SetFilter(tt.filter)
 			tt.w.disableTSMPRejected = true
-			if got := tt.w.filterIn(tt.pkt); got != tt.want {
+			if got := tt.w.filterIn(p); got != tt.want {
 				t.Errorf("got = %v; want %v", got, tt.want)
 			}
 		})
@@ -542,7 +553,9 @@ func TestFilterDiscoLoop(t *testing.T) {
 	uh.Marshal(pkt)
 	copy(pkt[uh.Len():], discoPayload)

-	got := tw.filterIn(pkt)
+	p := new(packet.Parsed)
+	p.Decode(pkt)
+	got := tw.filterIn(p)
 	if got != filter.DropSilently {
 		t.Errorf("got %v; want DropSilently", got)
 	}
--- a/portlist/portlist_windows.go
+++ b/portlist/portlist_windows.go
@@ -5,12 +5,8 @@
 package portlist

 import (
-	"path/filepath"
-	"strings"
-	"syscall"
 	"time"

-	"golang.org/x/sys/windows"
 	"tailscale.com/net/netstat"
 )

@@ -26,7 +22,7 @@ func init() {
 type famPort struct {
 	proto string
 	port  uint16
-	pid   uintptr
+	pid   uint32
 }

 type windowsImpl struct {
@@ -69,19 +65,25 @@ func (im *windowsImpl) AppendListeningPorts(base []Port) ([]Port, error) {
 		fp := famPort{
 			proto: "tcp", // TODO(bradfitz): UDP too; add to netstat
 			port:  e.Local.Port(),
-			pid:   uintptr(e.Pid),
+			pid:   uint32(e.Pid),
 		}
 		pm, ok := im.known[fp]
 		if ok {
 			pm.keep = true
 			continue
 		}
+		var process string
+		if e.OSMetadata != nil {
+			if module, err := e.OSMetadata.GetModule(); err == nil {
+				process = module
+			}
+		}
 		pm = &portMeta{
 			keep: true,
 			port: Port{
 				Proto:   "tcp",
 				Port:    e.Local.Port(),
-				Process: procNameOfPid(e.Pid),
+				Process: process,
 			},
 		}
 		im.known[fp] = pm
@@ -94,27 +96,6 @@ func (im *windowsImpl) AppendListeningPorts(base []Port) ([]Port, error) {
 		}
 		ret = append(ret, m.port)
 	}
+
 	return sortAndDedup(ret), nil
 }
-
-func procNameOfPid(pid int) string {
-	const da = windows.PROCESS_QUERY_LIMITED_INFORMATION
-	h, err := syscall.OpenProcess(da, false, uint32(pid))
-	if err != nil {
-		return ""
-	}
-	defer syscall.CloseHandle(h)
-
-	var buf [512]uint16
-	var size = uint32(len(buf))
-	if err := windows.QueryFullProcessImageName(windows.Handle(h), 0, &buf[0], &size); err != nil {
-		return ""
-	}
-	name := filepath.Base(windows.UTF16ToString(buf[:]))
-	if name == "." {
-		return ""
-	}
-	name = strings.TrimSuffix(name, ".exe")
-	name = strings.TrimSuffix(name, ".EXE")
-	return name
-}
--- a/pull-toolchain.sh
+++ b/pull-toolchain.sh
@@ -9,8 +9,9 @@ upstream=$(git ls-remote https://github.com/tailscale/go "$go_branch" | awk '{pr
 current=$(cat go.toolchain.rev)
 if [ "$upstream" != "$current" ]; then
 	echo "$upstream" >go.toolchain.rev
+	./update-flake.sh
 fi

-if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev)" ]; then
+if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.sri go.mod.sri)" ]; then
    echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2
 fi
--- a/scripts/check_license_headers.sh
+++ b/scripts/check_license_headers.sh
@@ -10,7 +10,7 @@
 check_file() {
    got=$1

-    for year in `seq 2019 2022`; do
+    for year in `seq 2019 2023`; do
        want=$(cat <<EOF
 // Copyright (c) $year Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
@@ -21,6 +21,19 @@ EOF
            return 0
        fi
    done
+
+    # For the benefit of generated files, we also allow no year in
+    # the header. https://github.com/tailscale/tailscale/issues/6865
+    want=$(cat <<EOF
+// Copyright (c) Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+EOF
+    )
+    if [ "$got" = "$want" ]; then
+        return 0
+    fi
+
    return 1
 }

--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -187,7 +187,7 @@ main() {
 				VERSION="$(echo "$VERSION_ID" | cut -f1 -d.)"
 				PACKAGETYPE="yum"
 				;;
-			opensuse-leap)
+			opensuse-leap|sles)
 				OS="opensuse"
 				VERSION="leap/$VERSION_ID"
 				PACKAGETYPE="zypper"
--- a/shell.nix
+++ b/shell.nix
@@ -1,7 +1,5 @@
-# This is a shell.nix file used to describe the environment that tailscale needs
-# for development. This includes a lot of the basic tools that you need in order
-# to get started. We hope this file will be useful for users of Nix on macOS or
-# Linux.
+# This is a shell.nix file used to describe the environment that
+# tailscale needs for development.
 #
 # For more information about this and why this file is useful, see here:
 # https://nixos.org/guides/nix-pills/developing-with-nix-shell.html
@@ -9,47 +7,13 @@
 # Also look into direnv: https://direnv.net/, this can make it so that you can
 # automatically get your environment set up when you change folders into the
 # project.
-
-{
-	pkgs ? import <nixpkgs> {},
-	tailscale-go-rev ? "fabd769a3703c88780c5a7fb543577992d5074d1",
-	tailscale-go-sha ? "sha256-BvwZ/90izw0Ip3lh8eNkJvU46LKnOOhEXF0axkBi/Es=",
-}:
-let
-	tailscale-go = pkgs.lib.overrideDerivation pkgs.go_1_18 (attrs: rec {
-		name = "tailscale-go-${version}";
-		version = tailscale-go-rev;
-		src = pkgs.fetchFromGitHub {
-		  owner = "tailscale";
-		  repo = "go";
-		  rev = tailscale-go-rev;
-		  sha256 = tailscale-go-sha;
-		};
-		nativeBuildInputs = attrs.nativeBuildInputs ++ [ pkgs.git ];
-		# Remove dependency on xcbuild as that causes iOS/macOS builds to fail.
-		propagatedBuildInputs = [];
-		# Remove custom nix patches, which are all related to fixing up
-		# tests. Some don't apply cleanly in 1.19.
-		# TODO: revert this once nix upstream has formal 1.19 support.
-		patches = [];
-		checkPhase = "";
-		# Our forked tailscale reads this env var to embed the git hash
-		# into the Go build version.
-		TAILSCALE_TOOLCHAIN_REV = tailscale-go-rev;
-	});
-in
-	pkgs.mkShell {
-	  # This specifies the tools that are needed for people to get started with
-	  # development. These tools include:
-	  #  - The Go compiler toolchain (and all additional tooling with it)
-	  #  - gotools for goimports, a robust formatting tool for Go source code
-	  #  - gopls, the language server for Go to increase editor integration
-	  #  - git, the version control program (used in some scripts)
-	  #  - graphviz, for 'go tool pprof'
-	  buildInputs = [
-	    pkgs.git
-	    pkgs.gotools pkgs.gopls
-	    tailscale-go
-	    pkgs.graphviz
-	  ];
-	}
+(import (
+  let
+    lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+  in fetchTarball {
+    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+    sha256 = lock.nodes.flake-compat.locked.narHash; }
+) {
+  src =  ./.;
+}).shellNix
+# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -31,11 +31,17 @@ import (
 	"github.com/creack/pty"
 	"github.com/pkg/sftp"
 	"github.com/u-root/u-root/pkg/termios"
+	"go4.org/mem"
 	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/sys/unix"
 	"tailscale.com/cmd/tailscaled/childproc"
+	"tailscale.com/envknob"
+	"tailscale.com/hostinfo"
 	"tailscale.com/tempfork/gliderlabs/ssh"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/lineread"
+	"tailscale.com/util/strs"
+	"tailscale.com/version/distro"
 )

 func init() {
@@ -59,7 +65,14 @@ var maybeStartLoginSession = func(logf logger.Logf, ia incubatorArgs) (close fun
 //
 // If ss.srv.tailscaledPath is empty, this method is equivalent to
 // exec.CommandContext.
-func (ss *sshSession) newIncubatorCommand() *exec.Cmd {
+//
+// The returned Cmd.Env is guaranteed to be nil; the caller populates it.
+func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) {
+	defer func() {
+		if cmd.Env != nil {
+			panic("internal error")
+		}
+	}()
 	var (
 		name    string
 		args    []string
@@ -270,7 +283,20 @@ func beIncubator(args []string) error {
 			Foreground: true,
 		}
 	}
-	return cmd.Run()
+	err = cmd.Run()
+	if ee, ok := err.(*exec.ExitError); ok {
+		ps := ee.ProcessState
+		code := ps.ExitCode()
+		if code < 0 {
+			// TODO(bradfitz): do we need to also check the syscall.WaitStatus
+			// and make our process look like it also died by signal/same signal
+			// as our child process? For now we just do the exit code.
+			fmt.Fprintf(os.Stderr, "[tailscale-ssh: process died: %v]\n", ps.String())
+			code = 1 // for now. so we don't exit with negative
+		}
+		os.Exit(code)
+	}
+	return err
 }

 // launchProcess launches an incubator process for the provided session.
@@ -292,7 +318,7 @@ func (ss *sshSession) launchProcess() error {
 	} else {
 		return err
 	}
-	cmd.Env = append(cmd.Env, envForUser(ss.conn.localUser)...)
+	cmd.Env = envForUser(ss.conn.localUser)
 	for _, kv := range ss.Environ() {
 		if acceptEnvPair(kv) {
 			cmd.Env = append(cmd.Env, kv)
@@ -567,9 +593,85 @@ func envForUser(u *user.User) []string {
 		fmt.Sprintf("SHELL=" + loginShell(u.Uid)),
 		fmt.Sprintf("USER=" + u.Username),
 		fmt.Sprintf("HOME=" + u.HomeDir),
+		fmt.Sprintf("PATH=" + defaultPathForUser(u)),
 	}
 }

+// defaultPathTmpl specifies the default PATH template to use for new sessions.
+//
+// If empty, a default value is used based on the OS & distro to match OpenSSH's
+// usually-hardcoded behavior. (see
+// https://github.com/tailscale/tailscale/issues/5285 for background).
+//
+// The template may contain @{HOME} or @{PAM_USER} which expand to the user's
+// home directory and username, respectively. (PAM is not used, despite the
+// name)
+var defaultPathTmpl = envknob.RegisterString("TAILSCALE_SSH_DEFAULT_PATH")
+
+func defaultPathForUser(u *user.User) string {
+	if s := defaultPathTmpl(); s != "" {
+		return expandDefaultPathTmpl(s, u)
+	}
+	isRoot := u.Uid == "0"
+	switch distro.Get() {
+	case distro.Debian:
+		hi := hostinfo.New()
+		if hi.Distro == "ubuntu" {
+			// distro.Get's Debian includes Ubuntu. But see if it's actually Ubuntu.
+			// Ubuntu doesn't empirically seem to distinguish between root and non-root for the default.
+			// And it includes /snap/bin.
+			return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
+		}
+		if isRoot {
+			return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+		}
+		return "/usr/local/bin:/usr/bin:/bin:/usr/bn/games"
+	case distro.NixOS:
+		return defaultPathForUserOnNixOS(u)
+	}
+	if isRoot {
+		return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+	}
+	return "/usr/local/bin:/usr/bin:/bin"
+}
+
+func defaultPathForUserOnNixOS(u *user.User) string {
+	var path string
+	lineread.File("/etc/pam/environment", func(lineb []byte) error {
+		if v := pathFromPAMEnvLine(lineb, u); v != "" {
+			path = v
+			return io.EOF // stop iteration
+		}
+		return nil
+	})
+	return path
+}
+
+func pathFromPAMEnvLine(line []byte, u *user.User) (path string) {
+	if !mem.HasPrefix(mem.B(line), mem.S("PATH")) {
+		return ""
+	}
+	rest := strings.TrimSpace(strings.TrimPrefix(string(line), "PATH"))
+	if quoted, ok := strs.CutPrefix(rest, "DEFAULT="); ok {
+		if path, err := strconv.Unquote(quoted); err == nil {
+			return expandDefaultPathTmpl(path, u)
+		}
+	}
+	return ""
+}
+
+func expandDefaultPathTmpl(t string, u *user.User) string {
+	p := strings.NewReplacer(
+		"@{HOME}", u.HomeDir,
+		"@{PAM_USER}", u.Username,
+	).Replace(t)
+	if strings.Contains(p, "@{") {
+		// If there are unknown expansions, conservatively fail closed.
+		return ""
+	}
+	return p
+}
+
 // updateStringInSlice mutates ss to change the first occurrence of a
 // to b.
 func updateStringInSlice(ss []string, a, b string) {
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -368,8 +368,8 @@ func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
 		}
 		lu, err := user.Lookup(localUser)
 		if err != nil {
-			c.logf("failed to lookup %v: %v", localUser, err)
-			ctx.SendAuthBanner(fmt.Sprintf("failed to lookup %v\r\n", localUser))
+			c.logf("failed to look up %v: %v", localUser, err)
+			ctx.SendAuthBanner(fmt.Sprintf("failed to look up %v\r\n", localUser))
 			return err
 		}
 		gids, err := lu.GroupIds()
--- a/ssh/tailssh/tailssh_test.go
+++ b/ssh/tailssh/tailssh_test.go
@@ -44,6 +44,7 @@ import (
 	"tailscale.com/util/lineread"
 	"tailscale.com/util/must"
 	"tailscale.com/util/strs"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 )

@@ -755,3 +756,63 @@ func TestAcceptEnvPair(t *testing.T) {
 		}
 	}
 }
+
+func TestPathFromPAMEnvLine(t *testing.T) {
+	u := &user.User{Username: "foo", HomeDir: "/Homes/Foo"}
+	tests := []struct {
+		line string
+		u    *user.User
+		want string
+	}{
+		{"", u, ""},
+		{`PATH   DEFAULT="/run/wrappers/bin:@{HOME}/.nix-profile/bin:/etc/profiles/per-user/@{PAM_USER}/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"`,
+			u, "/run/wrappers/bin:/Homes/Foo/.nix-profile/bin:/etc/profiles/per-user/foo/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"},
+		{`PATH   DEFAULT="@{SOMETHING_ELSE}:nope:@{HOME}"`,
+			u, ""},
+	}
+	for i, tt := range tests {
+		got := pathFromPAMEnvLine([]byte(tt.line), tt.u)
+		if got != tt.want {
+			t.Errorf("%d. got %q; want %q", i, got, tt.want)
+		}
+	}
+}
+
+func TestExpandDefaultPathTmpl(t *testing.T) {
+	u := &user.User{Username: "foo", HomeDir: "/Homes/Foo"}
+	tests := []struct {
+		t    string
+		u    *user.User
+		want string
+	}{
+		{"", u, ""},
+		{`/run/wrappers/bin:@{HOME}/.nix-profile/bin:/etc/profiles/per-user/@{PAM_USER}/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin`,
+			u, "/run/wrappers/bin:/Homes/Foo/.nix-profile/bin:/etc/profiles/per-user/foo/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"},
+		{`@{SOMETHING_ELSE}:nope:@{HOME}`, u, ""},
+	}
+	for i, tt := range tests {
+		got := expandDefaultPathTmpl(tt.t, tt.u)
+		if got != tt.want {
+			t.Errorf("%d. got %q; want %q", i, got, tt.want)
+		}
+	}
+}
+
+func TestPathFromPAMEnvLineOnNixOS(t *testing.T) {
+	if runtime.GOOS != "linux" {
+		t.Skip("skipping on non-linux")
+	}
+	if distro.Get() != distro.NixOS {
+		t.Skip("skipping on non-NixOS")
+	}
+	u, err := user.Current()
+	if err != nil {
+		t.Fatal(err)
+	}
+	got := defaultPathForUserOnNixOS(u)
+	if got == "" {
+		x, err := os.ReadFile("/etc/pam/environment")
+		t.Fatalf("no result. file was: err=%v, contents=%s", err, x)
+	}
+	t.Logf("success; got=%q", got)
+}
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

--- a/tailcfg/tailcfg_view.go
+++ b/tailcfg/tailcfg_view.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

--- a/tsnet/example/tsnet-http-client/tsnet-http-client.go
+++ b/tsnet/example/tsnet-http-client/tsnet-http-client.go
@@ -0,0 +1,45 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The tshello server demonstrates how to use Tailscale as a library.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+
+	"tailscale.com/tsnet"
+)
+
+func main() {
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr, "Usage: %s <url in tailnet>\n", filepath.Base(os.Args[0]))
+		os.Exit(2)
+	}
+	flag.Parse()
+
+	if flag.NArg() != 1 {
+		flag.Usage()
+	}
+	tailnetURL := flag.Arg(0)
+
+	s := new(tsnet.Server)
+	defer s.Close()
+
+	if err := s.Start(); err != nil {
+		log.Fatal(err)
+	}
+
+	cli := s.HTTPClient()
+
+	resp, err := cli.Get(tailnetURL)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	resp.Write(os.Stdout)
+}
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -116,6 +116,18 @@ func (s *Server) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return s.dialer.UserDial(ctx, network, address)
 }

+// HTTPClient returns an HTTP client that is configured to connect over Tailscale.
+//
+// This is useful if you need to have your tsnet services connect to other devices on
+// your tailnet.
+func (s *Server) HTTPClient() *http.Client {
+	return &http.Client{
+		Transport: &http.Transport{
+			DialContext: s.Dial,
+		},
+	}
+}
+
 // LocalClient returns a LocalClient that speaks to s.
 //
 // It will start the server if it has not been started yet. If the server's
@@ -305,9 +317,6 @@ func (s *Server) start() (reterr error) {
 	}
 	ns.ProcessLocalIPs = true
 	ns.ForwardTCPIn = s.forwardTCP
-	if err := ns.Start(); err != nil {
-		return fmt.Errorf("failed to start netstack: %w", err)
-	}
 	s.netstack = ns
 	s.dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 		_, ok := eng.PeerForIP(ip)
@@ -337,6 +346,9 @@ func (s *Server) start() (reterr error) {
 	lb.SetVarRoot(s.rootPath)
 	logf("tsnet starting with hostname %q, varRoot %q", s.hostname, s.rootPath)
 	s.lb = lb
+	if err := ns.Start(lb); err != nil {
+		return fmt.Errorf("failed to start netstack: %w", err)
+	}
 	closePool.addFunc(func() { s.lb.Shutdown() })
 	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
 		return smallzstd.NewDecoder(nil)
--- a/tstest/integration/tailscaled_deps_test_windows.go
+++ b/tstest/integration/tailscaled_deps_test_windows.go
@@ -12,11 +12,12 @@ import (
 	// transitive deps when we run "go install tailscaled" in a child
 	// process and can cache a prior success when a dependency changes.
 	_ "github.com/dblohm7/wingoes/com"
+	_ "github.com/tailscale/wireguard-go/tun"
 	_ "golang.org/x/sys/windows"
 	_ "golang.org/x/sys/windows/svc"
 	_ "golang.org/x/sys/windows/svc/eventlog"
 	_ "golang.org/x/sys/windows/svc/mgr"
-	_ "golang.zx2c4.com/wireguard/tun"
+	_ "golang.zx2c4.com/wintun"
 	_ "golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	_ "tailscale.com/cmd/tailscaled/childproc"
 	_ "tailscale.com/control/controlclient"
--- a/tstest/iosdeps/iosdeps.go
+++ b/tstest/iosdeps/iosdeps.go
@@ -35,10 +35,10 @@ import (
 	_ "time"
 	_ "unsafe"

+	_ "github.com/tailscale/wireguard-go/device"
+	_ "github.com/tailscale/wireguard-go/tun"
 	_ "go4.org/mem"
 	_ "golang.org/x/sys/unix"
-	_ "golang.zx2c4.com/wireguard/device"
-	_ "golang.zx2c4.com/wireguard/tun"
 	_ "tailscale.com/hostinfo"
 	_ "tailscale.com/ipn"
 	_ "tailscale.com/ipn/ipnlocal"
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .33.0
 .35.0
				`@@ -0,0 +1 @@`
				`sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=`
				`@@ -0,0 +1 @@`
				`sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI=`