Try running vm.yml on a 22.04 runner.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-09-27 20:11:43 -07:00
515 changed files with 7070 additions and 25584 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,12 +1,12 @@
 name: Bug report
-description: File a bug report. If you need help, contact support instead
+description: File a bug report
 labels: [needs-triage, bug]
 body:
  - type: markdown
    attributes:
      value: |
-        Need help with your tailnet? [Contact support](https://tailscale.com/contact/support) instead.
-        Otherwise, please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues) before filing a new one.
+        Please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues).
+        Have an urgent issue? Let us know by emailing us at <support@tailscale.com>.
  - type: textarea
    id: what-happened
    attributes:
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -5,4 +5,4 @@ contact_links:
    about: Contact us for support
  - name: Troubleshooting
    url: https://tailscale.com/kb/1023/troubleshooting
-    about: See the troubleshooting guide for help addressing common issues
+    about: Troubleshoot common issues
--- a/.github/workflows/cross-android.yml
+++ b/.github/workflows/cross-android.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/cross-wasm.yml
+++ b/.github/workflows/cross-wasm.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
@@ -40,7 +39,7 @@ jobs:
      # that depend on it.
      run: |
        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
+        ./tool/go run ./cmd/tsconnect build-pkg

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -50,7 +50,7 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@ad43dccb4d726ca8514126628bec209b8354b6dd #v4.1.4
+        uses: peter-evans/create-pull-request@18f90432bedd2afd6a825469ffd38aa24712a91d #v4.1.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: License Updater <noreply@tailscale.com>
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
@@ -15,7 +14,7 @@ concurrency:

 jobs:
  build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

@@ -39,6 +38,10 @@ jobs:

    - name: Get QEMU
      run: |
+        # The qemu in Ubuntu 20.04 (Focal) is too old; we need 5.x something
+        # to run Go binaries. 5.2.0 (Debian bullseye) empirically works, and
+        # use this PPA which brings in a modern qemu.
+        sudo add-apt-repository -y ppa:jacob/virtualisation
        sudo apt-get -y update
        sudo apt-get -y install qemu-user

--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -4,7 +4,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
@@ -12,9 +11,9 @@ concurrency:

 jobs:
  ubuntu2004-LTS-cloud-base:
-    runs-on: [ self-hosted, linux, vm ]
+    runs-on: ubuntu-22.04

-    if: "(github.repository == 'tailscale/tailscale') && !contains(github.event.head_commit.message, '[ci skip]')"
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
      - name: Set GOPATH
@@ -33,7 +32,7 @@ jobs:
        env:
          HOME: "/tmp"
          TMPDIR: "/tmp"
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
+          XDG_CACHE_HOME: "$HOME/.cache"

      - uses: k0kubun/action-slack@v2.0.0
        with:
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - '*'
-      - 'release-branch/*'

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
--- a/.gitignore
+++ b/.gitignore
@@ -22,9 +22,3 @@ cmd/tailscaled/tailscaled
 # direnv config, this may be different for other people so it's probably safer
 # to make this nonspecific.
 .envrc
-
-# Ignore personal VS Code settings
-.vscode/
-
-# Ignore direnv nix-shell environment cache
-.direnv/
--- a/6
+++ b/6
@@ -66,12 +66,10 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
      -X tailscale.com/version.Long=$VERSION_LONG \
      -X tailscale.com/version.Short=$VERSION_SHORT \
      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
-      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
+      -v ./cmd/tailscale ./cmd/tailscaled

 FROM alpine:3.16
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables

 COPY --from=build-env /go/bin/* /usr/local/bin/
-# For compat with the previous run.sh, although ideally you should be
-# using build_docker.sh which sets an entrypoint for the image.
-RUN ln -s /usr/local/bin/containerboot /tailscale/run.sh
+COPY --from=build-env /go/src/tailscale/docs/k8s/run.sh /usr/local/bin/
--- a/6
+++ b/6
@@ -54,9 +54,3 @@ pushspk: spk
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
 	scp tailscale.spk root@${SYNO_HOST}:
 	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk
-
-publishdevimage:
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true ./build_docker.sh
--- a/README.md
+++ b/README.md
@@ -59,9 +59,6 @@ We require [Developer Certificate of
 Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
 `Signed-off-by` lines in commits.

-See `git log` for our commit message style. It's basically the same as
-[Go's style](https://github.com/golang/go/wiki/CommitMessage).
-
 ## About Us

 [Tailscale](https://tailscale.com/) is primarily developed by the
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.34.2
+1.31.0
--- a/api.md
+++ b/api.md
@@ -335,12 +335,11 @@ The response is 2xx on success. The response body is currently an empty JSON
 object.

 ## Tailnet
+A tailnet is the name of your Tailscale network.
+You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.

-A tailnet is your private network, composed of all the devices on it and their configuration. For more information on tailnets, see [our user-facing documentation](https://tailscale.com/kb/1136/tailnet/).

-When making API requests, your tailnet is identified by the organization name. You can find it on the [Settings page](https://login.tailscale.com/admin/settings) of the admin console.
-
-For example, if `alice@example.com` belongs to the `example.com` tailnet, they would use the following format for API calls:
+`alice@example.com` belongs to the `example.com` tailnet and would use the following format for API calls:

 ```
 GET /api/v2/tailnet/example.com/...
@@ -356,15 +355,10 @@ GET /api/v2/tailnet/alice@gmail.com/...
 curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
 ```

-Alternatively, you can specify the value "-" to refer to the default tailnet of
-the authenticated user making the API call.  For example:
-```
-GET /api/v2/tailnet/-/...
-curl https://api.tailscale.com/api/v2/tailnet/-/...
-```
-
 Tailnets are a top-level resource. ACL is an example of a resource that is tied to a top-level tailnet.

+For more information on Tailscale networks/tailnets, click [here](https://tailscale.com/kb/1064/invite-team-members).
+
 ### ACL

 <a name=tailnet-acl-get></a>
@@ -402,20 +396,20 @@ Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"

 // Example/default ACLs for unrestricted connections.
 {
-    "tests": [],
+    "Tests": [],
    // Declare static groups of users beyond those in the identity service.
-    "groups": {
+    "Groups": {
        "group:example": [
            "user1@example.com",
            "user2@example.com"
        ],
    },
    // Declare convenient hostname aliases to use in place of IP addresses.
-    "hosts": {
+    "Hosts": {
        "example-host-1": "100.100.100.100",
    },
    // Access control lists.
-    "acls": [
+    "ACLs": [
        // Match absolutely everything. Comment out this section if you want
        // to define specific ACL restrictions.
        {
@@ -485,8 +479,6 @@ Returns the updated ACL in JSON or HuJSON according to the `Accept` header on su
 ###### Headers
 `If-Match` - A request header. Set this value to the ETag header provided in an `ACL GET` request to avoid missed updates.

-A special value `ts-default` will ensure that ACL will be set only if current ACL is the default one (created automatically for each tailnet).
-
 `Accept` - Sets the return type of the updated ACL. Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.

 ###### POST Body
@@ -494,14 +486,11 @@ A special value `ts-default` will ensure that ACL will be set only if current AC
 The POST body should be a JSON or [HuJSON](https://github.com/tailscale/hujson#hujson---human-json) formatted JSON object.
 An ACL policy may contain the following top-level properties:

-* `groups` - Static groups of users which can be used for ACL rules.
-* `hosts` - Hostname aliases to use in place of IP addresses or subnets.
-* `acls` - Access control lists.
-* `tagOwners` - Defines who is allowed to use which tags.
-* `tests` - Run on ACL updates to check correct functionality of defined ACLs.
-* `autoApprovers` - Defines which users can advertise routes or exit nodes without further approval.
-* `ssh` - Configures access policy for Tailscale SSH.
-* `nodeAttrs` - Defines which devices can use certain features.
+* `Groups` - Static groups of users which can be used for ACL rules.
+* `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
+* `ACLs` - Access control lists.
+* `TagOwners` - Defines who is allowed to use which tags.
+* `Tests` - Run on ACL updates to check correct functionality of defined ACLs.

 See https://tailscale.com/kb/1018/acls for more information on those properties.

@@ -514,22 +503,22 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
  --data-binary '// Example/default ACLs for unrestricted connections.
 {
  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
-  "tests": [
-    // {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]},
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
  ],
  // Declare static groups of users beyond those in the identity service.
-  "groups": {
+  "Groups": {
    "group:example": [ "user1@example.com", "user2@example.com" ],
  },
  // Declare convenient hostname aliases to use in place of IP addresses.
-  "hosts": {
+  "Hosts": {
    "example-host-1": "100.100.100.100",
  },
  // Access control lists.
-  "acls": [
+  "ACLs": [
    // Match absolutely everything. Comment out this section if you want
    // to define specific ACL restrictions.
-    { "action": "accept", "users": ["*"], "ports": ["*:*"] },
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
  ]
 }'
 ```
@@ -539,22 +528,22 @@ Response:
 // Example/default ACLs for unrestricted connections.
 {
  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
-  "tests": [
-    // {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]},
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
  ],
  // Declare static groups of users beyond those in the identity service.
-  "groups": {
+  "Groups": {
    "group:example": [ "user1@example.com", "user2@example.com" ],
  },
  // Declare convenient hostname aliases to use in place of IP addresses.
-  "hosts": {
+  "Hosts": {
    "example-host-1": "100.100.100.100",
  },
  // Access control lists.
-  "acls": [
+  "ACLs": [
    // Match absolutely everything. Comment out this section if you want
    // to define specific ACL restrictions.
-    { "action": "accept", "users": ["*"], "ports": ["*:*"] },
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
  ]
 }
 ```
@@ -597,22 +586,22 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFo
  --data-binary '// Example/default ACLs for unrestricted connections.
 {
  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
-  "tests": [
-    // {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]},
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
  ],
  // Declare static groups of users beyond those in the identity service.
-  "groups": {
+  "Groups": {
    "group:example": [ "user1@example.com", "user2@example.com" ],
  },
  // Declare convenient hostname aliases to use in place of IP addresses.
-  "hosts": {
+  "Hosts": {
    "example-host-1": "100.100.100.100",
  },
  // Access control lists.
-  "acls": [
+  "ACLs": [
    // Match absolutely everything. Comment out this section if you want
    // to define specific ACL restrictions.
-    { "action": "accept", "users": ["*"], "ports": ["*:*"] },
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
  ]
 }'
 ```
@@ -648,7 +637,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
  -u "tskey-yourapikey123:" \
  --data-binary '
  [
-    {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]}
+    {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]}
  ]'
 ```

@@ -659,10 +648,10 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
  -u "tskey-yourapikey123:" \
  --data-binary '
  {
-    "acls": [
-     { "action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] },
+    "ACLs": [
+     { "Action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] },
    ],
-    "tests", [
+    "Tests", [
      {"src": "100.105.106.107", "allow": ["1.2.3.4:80"]}
    ],
  }'
@@ -824,10 +813,6 @@ Supply the tailnet in the path.

 ###### POST Body
 `capabilities` - A mapping of resources to permissible actions.
-
-`expirySeconds` - (Optional) How long the key is valid for in seconds.
-                  Defaults to 90d.
-
 ```
 {
  "capabilities": {
@@ -841,8 +826,7 @@ Supply the tailnet in the path.
        ]
      }
    }
-  },
-  "expirySeconds": 1440
+  }
 }
 ```

--- a/build_dist.sh
+++ b/build_dist.sh
@@ -54,7 +54,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap"
+		tags="${tags:+$tags,}ts_omit_aws"
 		;;
 	--box)
 		shift
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -35,14 +35,14 @@ BASE="${BASE:-${DEFAULT_BASE}}"
 go run github.com/tailscale/mkctr \
  --gopaths="\
    tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
-    tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
-    tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
+    tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled" \
  --ldflags="\
    -X tailscale.com/version.Long=${VERSION_LONG} \
    -X tailscale.com/version.Short=${VERSION_SHORT} \
    -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
+  --files="docs/k8s/run.sh:/tailscale/run.sh" \
  --base="${BASE}" \
  --tags="${TAGS}" \
  --repos="${REPOS}" \
  --push="${PUSH}" \
-  /usr/local/bin/containerboot
+  /bin/sh /tailscale/run.sh
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -106,10 +106,10 @@ func TestChirp(t *testing.T) {
 		t.Fatal(err)
 	}
 	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeeded", "rando")
+		t.Fatalf("enabling %q succeded", "rando")
 	}
 	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeeded", "rando")
+		t.Fatalf("disabling %q succeded", "rando")
 	}
 }

--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package tailscale

@@ -458,7 +459,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 	}

 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
+		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
 	}

 	// The test ran without fail
--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -2,14 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Package apitype contains types for the Tailscale LocalAPI and control plane API.
+// Package apitype contains types for the Tailscale local API and control plane API.
 package apitype

 import "tailscale.com/tailcfg"

-// LocalAPIHost is the Host header value used by the LocalAPI.
-const LocalAPIHost = "local-tailscaled.sock"
-
 // WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
 type WhoIsResponse struct {
 	Node        *tailcfg.Node
@@ -24,7 +21,7 @@ type WhoIsResponse struct {
 type FileTarget struct {
 	Node *tailcfg.Node

-	// PeerAPI is the http://ip:port URL base of the node's PeerAPI,
+	// PeerAPI is the http://ip:port URL base of the node's peer API,
 	// without any path (not even a single slash).
 	PeerAPIURL string
 }
--- a/client/tailscale/apitype/controltype.go
+++ b/client/tailscale/apitype/controltype.go
@@ -11,6 +11,7 @@ type DNSConfig struct {
 	Domains           []string                 `json:"domains"`
 	Nameservers       []string                 `json:"nameservers"`
 	Proxied           bool                     `json:"proxied"`
+	PerDomain         bool                     `json:",omitempty"`
 }

 type DNSResolver struct {
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package tailscale

--- a/client/tailscale/dns.go
+++ b/client/tailscale/dns.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package tailscale

--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package tailscale

@@ -28,7 +29,6 @@ import (

 	"go4.org/mem"
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/netutil"
@@ -36,14 +36,13 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
-	"tailscale.com/types/key"
 )

 // defaultLocalClient is the default LocalClient when using the legacy
 // package-level functions.
 var defaultLocalClient LocalClient

-// LocalClient is a client to Tailscale's "LocalAPI", communicating with the
+// LocalClient is a client to Tailscale's "local API", communicating with the
 // Tailscale daemon on the local machine. Its API is not necessarily stable and
 // subject to changes between releases. Some API calls have stricter
 // compatibility guarantees, once they've been widely adopted. See method docs
@@ -101,6 +100,9 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 		}
 	}
 	s := safesocket.DefaultConnectionStrategy(lc.socket())
+	// The user provided a non-default tailscaled socket address.
+	// Connect only to exactly what they provided.
+	s.UseFallback(false)
 	return safesocket.Connect(s)
 }

@@ -130,8 +132,8 @@ func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error)
 func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
 	res, err := lc.DoLocalRequest(req)
 	if err == nil {
-		if server := res.Header.Get("Tailscale-Version"); server != "" && server != envknob.IPCVersion() && onVersionMismatch != nil {
-			onVersionMismatch(envknob.IPCVersion(), server)
+		if server := res.Header.Get("Tailscale-Version"); server != "" && server != ipn.IPCVersion() && onVersionMismatch != nil {
+			onVersionMismatch(ipn.IPCVersion(), server)
 		}
 		if res.StatusCode == 403 {
 			all, _ := io.ReadAll(res.Body)
@@ -195,10 +197,7 @@ func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
 }

 func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
-	if jr, ok := body.(jsonReader); ok && jr.err != nil {
-		return nil, jr.err // fail early if there was a JSON marshaling error
-	}
-	req, err := http.NewRequestWithContext(ctx, method, "http://"+apitype.LocalAPIHost+path, body)
+	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
 	if err != nil {
 		return nil, err
 	}
@@ -229,21 +228,20 @@ func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, erro
 	return defaultLocalClient.WhoIs(ctx, remoteAddr)
 }

-func decodeJSON[T any](b []byte) (ret T, err error) {
-	if err := json.Unmarshal(b, &ret); err != nil {
-		var zero T
-		return zero, fmt.Errorf("failed to unmarshal JSON into %T: %w", ret, err)
-	}
-	return ret, nil
-}
-
 // WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
 func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
 	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
 	if err != nil {
 		return nil, err
 	}
-	return decodeJSON[*apitype.WhoIsResponse](body)
+	r := new(apitype.WhoIsResponse)
+	if err := json.Unmarshal(body, r); err != nil {
+		if max := 200; len(body) > max {
+			body = append(body[:max], "..."...)
+		}
+		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
+	}
+	return r, nil
 }

 // Goroutines returns a dump of the Tailscale daemon's current goroutines.
@@ -257,8 +255,8 @@ func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
 	return lc.get200(ctx, "/localapi/v0/metrics")
 }

-// Pprof returns a pprof profile of the Tailscale daemon.
-func (lc *LocalClient) Pprof(ctx context.Context, pprofType string, sec int) ([]byte, error) {
+// Profile returns a pprof profile of the Tailscale daemon.
+func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
 	var secArg string
 	if sec < 0 || sec > 300 {
 		return nil, errors.New("duration out of range")
@@ -266,7 +264,7 @@ func (lc *LocalClient) Pprof(ctx context.Context, pprofType string, sec int) ([]
 	if sec != 0 || pprofType == "profile" {
 		secArg = fmt.Sprint(sec)
 	}
-	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/pprof?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
+	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
 }

 // BugReportOpts contains options to pass to the Tailscale daemon when
@@ -278,12 +276,6 @@ type BugReportOpts struct {
 	// Diagnose specifies whether to print additional diagnostic information to
 	// the logs when generating this bugreport.
 	Diagnose bool
-
-	// Record specifies, if non-nil, whether to perform a bugreport
-	// "recording"–generating an initial log marker, then waiting for
-	// this channel to be closed before finishing the request, which
-	// generates another log marker.
-	Record <-chan struct{}
 }

 // BugReportWithOpts logs and returns a log marker that can be shared by the
@@ -292,40 +284,16 @@ type BugReportOpts struct {
 // The opts type specifies options to pass to the Tailscale daemon when
 // generating this bug report.
 func (lc *LocalClient) BugReportWithOpts(ctx context.Context, opts BugReportOpts) (string, error) {
-	qparams := make(url.Values)
+	var qparams url.Values
 	if opts.Note != "" {
 		qparams.Set("note", opts.Note)
 	}
 	if opts.Diagnose {
 		qparams.Set("diagnose", "true")
 	}
-	if opts.Record != nil {
-		qparams.Set("record", "true")
-	}

-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	var requestBody io.Reader
-	if opts.Record != nil {
-		pr, pw := io.Pipe()
-		requestBody = pr
-
-		// This goroutine waits for the 'Record' channel to be closed,
-		// and then closes the write end of our pipe to unblock the
-		// reader.
-		go func() {
-			defer pw.Close()
-			select {
-			case <-opts.Record:
-			case <-ctx.Done():
-			}
-		}()
-	}
-
-	// lc.send might block if opts.Record != nil; see above.
 	uri := fmt.Sprintf("/localapi/v0/bugreport?%s", qparams.Encode())
-	body, err := lc.send(ctx, "POST", uri, 200, requestBody)
+	body, err := lc.send(ctx, "POST", uri, 200, nil)
 	if err != nil {
 		return "", err
 	}
@@ -350,41 +318,6 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }

-// SetDevStoreKeyValue set a statestore key/value. It's only meant for development.
-// The schema (including when keys are re-read) is not a stable interface.
-func (lc *LocalClient) SetDevStoreKeyValue(ctx context.Context, key, value string) error {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/dev-set-state-store?"+(url.Values{
-		"key":   {key},
-		"value": {value},
-	}).Encode(), 200, nil)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	return nil
-}
-
-// SetComponentDebugLogging sets component's debug logging enabled for
-// the provided duration. If the duration is in the past, the debug logging
-// is disabled.
-func (lc *LocalClient) SetComponentDebugLogging(ctx context.Context, component string, d time.Duration) error {
-	body, err := lc.send(ctx, "POST",
-		fmt.Sprintf("/localapi/v0/component-debug-logging?component=%s&secs=%d",
-			url.QueryEscape(component), int64(d.Seconds())), 200, nil)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	var res struct {
-		Error string
-	}
-	if err := json.Unmarshal(body, &res); err != nil {
-		return err
-	}
-	if res.Error != "" {
-		return errors.New(res.Error)
-	}
-	return nil
-}
-
 // Status returns the Tailscale daemon's status.
 func Status(ctx context.Context) (*ipnstate.Status, error) {
 	return defaultLocalClient.Status(ctx)
@@ -410,7 +343,11 @@ func (lc *LocalClient) status(ctx context.Context, queryString string) (*ipnstat
 	if err != nil {
 		return nil, err
 	}
-	return decodeJSON[*ipnstate.Status](body)
+	st := new(ipnstate.Status)
+	if err := json.Unmarshal(body, st); err != nil {
+		return nil, err
+	}
+	return st, nil
 }

 // IDToken is a request to get an OIDC ID token for an audience.
@@ -421,27 +358,23 @@ func (lc *LocalClient) IDToken(ctx context.Context, aud string) (*tailcfg.TokenR
 	if err != nil {
 		return nil, err
 	}
-	return decodeJSON[*tailcfg.TokenResponse](body)
+	tr := new(tailcfg.TokenResponse)
+	if err := json.Unmarshal(body, tr); err != nil {
+		return nil, err
+	}
+	return tr, nil
 }

-// WaitingFiles returns the list of received Taildrop files that have been
-// received by the Tailscale daemon in its staging/cache directory but not yet
-// transferred by the user's CLI or GUI client and written to a user's home
-// directory somewhere.
 func (lc *LocalClient) WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
-	return lc.AwaitWaitingFiles(ctx, 0)
-}
-
-// AwaitWaitingFiles is like WaitingFiles but takes a duration to await for an answer.
-// If the duration is 0, it will return immediately. The duration is respected at second
-// granularity only. If no files are available, it returns (nil, nil).
-func (lc *LocalClient) AwaitWaitingFiles(ctx context.Context, d time.Duration) ([]apitype.WaitingFile, error) {
-	path := "/localapi/v0/files/?waitsec=" + fmt.Sprint(int(d.Seconds()))
-	body, err := lc.get200(ctx, path)
+	body, err := lc.get200(ctx, "/localapi/v0/files/")
 	if err != nil {
 		return nil, err
 	}
-	return decodeJSON[[]apitype.WaitingFile](body)
+	var wfs []apitype.WaitingFile
+	if err := json.Unmarshal(body, &wfs); err != nil {
+		return nil, err
+	}
+	return wfs, nil
 }

 func (lc *LocalClient) DeleteWaitingFile(ctx context.Context, baseName string) error {
@@ -450,7 +383,7 @@ func (lc *LocalClient) DeleteWaitingFile(ctx context.Context, baseName string) e
 }

 func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+apitype.LocalAPIHost+"/localapi/v0/files/"+url.PathEscape(baseName), nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -475,7 +408,11 @@ func (lc *LocalClient) FileTargets(ctx context.Context) ([]apitype.FileTarget, e
 	if err != nil {
 		return nil, err
 	}
-	return decodeJSON[[]apitype.FileTarget](body)
+	var fts []apitype.FileTarget
+	if err := json.Unmarshal(body, &fts); err != nil {
+		return nil, fmt.Errorf("invalid JSON: %w", err)
+	}
+	return fts, nil
 }

 // PushFile sends Taildrop file r to target.
@@ -483,7 +420,7 @@ func (lc *LocalClient) FileTargets(ctx context.Context) ([]apitype.FileTarget, e
 // A size of -1 means unknown.
 // The name parameter is the original filename, not escaped.
 func (lc *LocalClient) PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "http://"+apitype.LocalAPIHost+"/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
+	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
 	if err != nil {
 		return err
 	}
@@ -529,7 +466,11 @@ func (lc *LocalClient) CheckIPForwarding(ctx context.Context) error {
 // Note that EditPrefs does the same validation as this, so call CheckPrefs before
 // EditPrefs is not necessary.
 func (lc *LocalClient) CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, jsonBody(p))
+	pj, err := json.Marshal(p)
+	if err != nil {
+		return err
+	}
+	_, err = lc.send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
 	return err
 }

@@ -546,27 +487,21 @@ func (lc *LocalClient) GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
 }

 func (lc *LocalClient) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
-	body, err := lc.send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, jsonBody(mp))
+	mpj, err := json.Marshal(mp)
 	if err != nil {
 		return nil, err
 	}
-	return decodeJSON[*ipn.Prefs](body)
+	body, err := lc.send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
 }

-// StartLoginInteractive starts an interactive login.
-func (lc *LocalClient) StartLoginInteractive(ctx context.Context) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/login-interactive", http.StatusNoContent, nil)
-	return err
-}
-
-// Start applies the configuration specified in opts, and starts the
-// state machine.
-func (lc *LocalClient) Start(ctx context.Context, opts ipn.Options) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/start", http.StatusNoContent, jsonBody(opts))
-	return err
-}
-
-// Logout logs out the current node.
 func (lc *LocalClient) Logout(ctx context.Context) error {
 	_, err := lc.send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
 	return err
@@ -608,7 +543,7 @@ func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (n
 		},
 	}
 	ctx = httptrace.WithClientTrace(ctx, &trace)
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://"+apitype.LocalAPIHost+"/localapi/v0/dial", nil)
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
 	if err != nil {
 		return nil, err
 	}
@@ -739,14 +674,14 @@ func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate
 	return &cert, nil
 }

-// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
 //
 // Deprecated: use LocalClient.ExpandSNIName.
 func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	return defaultLocalClient.ExpandSNIName(ctx, name)
 }

-// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
 func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	st, err := lc.StatusWithoutPeers(ctx)
 	if err != nil {
@@ -770,7 +705,11 @@ func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg
 	if err != nil {
 		return nil, fmt.Errorf("error %w: %s", err, body)
 	}
-	return decodeJSON[*ipnstate.PingResult](body)
+	pr := new(ipnstate.PingResult)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
 }

 // NetworkLockStatus fetches information about the tailnet key authority, if one is configured.
@@ -779,21 +718,21 @@ func (lc *LocalClient) NetworkLockStatus(ctx context.Context) (*ipnstate.Network
 	if err != nil {
 		return nil, fmt.Errorf("error: %w", err)
 	}
-	return decodeJSON[*ipnstate.NetworkLockStatus](body)
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
 }

 // NetworkLockInit initializes the tailnet key authority.
-//
-// TODO(tom): Plumb through disablement secrets.
-func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key, disablementValues [][]byte, supportDisablement []byte) (*ipnstate.NetworkLockStatus, error) {
+func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
 	var b bytes.Buffer
 	type initRequest struct {
-		Keys               []tka.Key
-		DisablementValues  [][]byte
-		SupportDisablement []byte
+		Keys []tka.Key
 	}

-	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys, DisablementValues: disablementValues, SupportDisablement: supportDisablement}); err != nil {
+	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys}); err != nil {
 		return nil, err
 	}

@@ -801,107 +740,12 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key, disa
 	if err != nil {
 		return nil, fmt.Errorf("error: %w", err)
 	}
-	return decodeJSON[*ipnstate.NetworkLockStatus](body)
-}

-// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
-func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
-	var b bytes.Buffer
-	type modifyRequest struct {
-		AddKeys    []tka.Key
-		RemoveKeys []tka.Key
-	}
-
-	if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
 		return nil, err
 	}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
-	}
-	return decodeJSON[*ipnstate.NetworkLockStatus](body)
-}
-
-// NetworkLockSign signs the specified node-key and transmits that signature to the control plane.
-// rotationPublic, if specified, must be an ed25519 public key.
-func (lc *LocalClient) NetworkLockSign(ctx context.Context, nodeKey key.NodePublic, rotationPublic []byte) error {
-	var b bytes.Buffer
-	type signRequest struct {
-		NodeKey        key.NodePublic
-		RotationPublic []byte
-	}
-
-	if err := json.NewEncoder(&b).Encode(signRequest{NodeKey: nodeKey, RotationPublic: rotationPublic}); err != nil {
-		return err
-	}
-
-	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/sign", 200, &b); err != nil {
-		return fmt.Errorf("error: %w", err)
-	}
-	return nil
-}
-
-// NetworkLockLog returns up to maxEntries number of changes to network-lock state.
-func (lc *LocalClient) NetworkLockLog(ctx context.Context, maxEntries int) ([]ipnstate.NetworkLockUpdate, error) {
-	v := url.Values{}
-	v.Set("limit", fmt.Sprint(maxEntries))
-	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/log?"+v.Encode(), 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error %w: %s", err, body)
-	}
-	return decodeJSON[[]ipnstate.NetworkLockUpdate](body)
-}
-
-// NetworkLockForceLocalDisable forcibly shuts down network lock on this node.
-func (lc *LocalClient) NetworkLockForceLocalDisable(ctx context.Context) error {
-	// This endpoint expects an empty JSON stanza as the payload.
-	var b bytes.Buffer
-	if err := json.NewEncoder(&b).Encode(struct{}{}); err != nil {
-		return err
-	}
-
-	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/force-local-disable", 200, &b); err != nil {
-		return fmt.Errorf("error: %w", err)
-	}
-	return nil
-}
-
-
-// SetServeConfig sets or replaces the serving settings.
-// If config is nil, settings are cleared and serving is disabled.
-func (lc *LocalClient) SetServeConfig(ctx context.Context, config *ipn.ServeConfig) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/serve-config", 200, jsonBody(config))
-	if err != nil {
-		return fmt.Errorf("sending serve config: %w", err)
-	}
-	return nil
-}
-
-// NetworkLockDisable shuts down network-lock across the tailnet.
-func (lc *LocalClient) NetworkLockDisable(ctx context.Context, secret []byte) error {
-	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/disable", 200, bytes.NewReader(secret)); err != nil {
-		return fmt.Errorf("error: %w", err)
-	}
-	return nil
-}
-
-// GetServeConfig return the current serve config.
-//
-// If the serve config is empty, it returns (nil, nil).
-func (lc *LocalClient) GetServeConfig(ctx context.Context) (*ipn.ServeConfig, error) {
-	body, err := lc.send(ctx, "GET", "/localapi/v0/serve-config", 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("getting serve config: %w", err)
-	}
-	return getServeConfigFromJSON(body)
-}
-
-func getServeConfigFromJSON(body []byte) (sc *ipn.ServeConfig, err error) {
-	if err := json.Unmarshal(body, &sc); err != nil {
-		return nil, err
-	}
-	return sc, nil
+	return pr, nil
 }

 // tailscaledConnectHint gives a little thing about why tailscaled (or
@@ -933,143 +777,3 @@ func tailscaledConnectHint() string {
 	}
 	return "not running?"
 }
-
-type jsonReader struct {
-	b   *bytes.Reader
-	err error // sticky JSON marshal error, if any
-}
-
-// jsonBody returns an io.Reader that marshals v as JSON and then reads it.
-func jsonBody(v any) jsonReader {
-	b, err := json.Marshal(v)
-	if err != nil {
-		return jsonReader{err: err}
-	}
-	return jsonReader{b: bytes.NewReader(b)}
-}
-
-func (r jsonReader) Read(p []byte) (n int, err error) {
-	if r.err != nil {
-		return 0, r.err
-	}
-	return r.b.Read(p)
-}
-
-// ProfileStatus returns the current profile and the list of all profiles.
-func (lc *LocalClient) ProfileStatus(ctx context.Context) (current ipn.LoginProfile, all []ipn.LoginProfile, err error) {
-	body, err := lc.send(ctx, "GET", "/localapi/v0/profiles/current", 200, nil)
-	if err != nil {
-		return
-	}
-	current, err = decodeJSON[ipn.LoginProfile](body)
-	if err != nil {
-		return
-	}
-	body, err = lc.send(ctx, "GET", "/localapi/v0/profiles/", 200, nil)
-	if err != nil {
-		return
-	}
-	all, err = decodeJSON[[]ipn.LoginProfile](body)
-	return current, all, err
-}
-
-// SwitchToEmptyProfile creates and switches to a new unnamed profile. The new
-// profile is not assigned an ID until it is persisted after a successful login.
-// In order to login to the new profile, the user must call LoginInteractive.
-func (lc *LocalClient) SwitchToEmptyProfile(ctx context.Context) error {
-	_, err := lc.send(ctx, "PUT", "/localapi/v0/profiles/", http.StatusCreated, nil)
-	return err
-}
-
-// SwitchProfile switches to the given profile.
-func (lc *LocalClient) SwitchProfile(ctx context.Context, profile ipn.ProfileID) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/profiles/"+url.PathEscape(string(profile)), 204, nil)
-	return err
-}
-
-// DeleteProfile removes the profile with the given ID.
-// If the profile is the current profile, an empty profile
-// will be selected as if SwitchToEmptyProfile was called.
-func (lc *LocalClient) DeleteProfile(ctx context.Context, profile ipn.ProfileID) error {
-	_, err := lc.send(ctx, "DELETE", "/localapi/v0/profiles"+url.PathEscape(string(profile)), http.StatusNoContent, nil)
-	return err
-}
-
-func (lc *LocalClient) DebugDERPRegion(ctx context.Context, regionIDOrCode string) (*ipnstate.DebugDERPRegionReport, error) {
-	v := url.Values{"region": {regionIDOrCode}}
-	body, err := lc.send(ctx, "POST", "/localapi/v0/debug-derp-region?"+v.Encode(), 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error %w: %s", err, body)
-	}
-	return decodeJSON[*ipnstate.DebugDERPRegionReport](body)
-}
-
-// WatchIPNBus subscribes to the IPN notification bus. It returns a watcher
-// once the bus is connected successfully.
-//
-// The context is used for the life of the watch, not just the call to
-// WatchIPNBus.
-//
-// The returned IPNBusWatcher's Close method must be called when done to release
-// resources.
-//
-// A default set of ipn.Notify messages are returned but the set can be modified by mask.
-func (lc *LocalClient) WatchIPNBus(ctx context.Context, mask ipn.NotifyWatchOpt) (*IPNBusWatcher, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET",
-		"http://"+apitype.LocalAPIHost+"/localapi/v0/watch-ipn-bus?mask="+fmt.Sprint(mask),
-		nil)
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != 200 {
-		res.Body.Close()
-		return nil, errors.New(res.Status)
-	}
-	dec := json.NewDecoder(res.Body)
-	return &IPNBusWatcher{
-		ctx:     ctx,
-		httpRes: res,
-		dec:     dec,
-	}, nil
-}
-
-// IPNBusWatcher is an active subscription (watch) of the local tailscaled IPN bus.
-// It's returned by LocalClient.WatchIPNBus.
-//
-// It must be closed when done.
-type IPNBusWatcher struct {
-	ctx     context.Context // from original WatchIPNBus call
-	httpRes *http.Response
-	dec     *json.Decoder
-
-	mu     sync.Mutex
-	closed bool
-}
-
-// Close stops the watcher and releases its resources.
-func (w *IPNBusWatcher) Close() error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	if w.closed {
-		return nil
-	}
-	w.closed = true
-	return w.httpRes.Body.Close()
-}
-
-// Next returns the next ipn.Notify from the stream.
-// If the context from LocalClient.WatchIPNBus is done, that error is returned.
-func (w *IPNBusWatcher) Next() (ipn.Notify, error) {
-	var n ipn.Notify
-	if err := w.dec.Decode(&n); err != nil {
-		if cerr := w.ctx.Err(); cerr != nil {
-			err = cerr
-		}
-		return ipn.Notify{}, err
-	}
-	return n, nil
-}
--- a/client/tailscale/localclient_test.go
+++ b/client/tailscale/localclient_test.go
@@ -1,28 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-
-package tailscale
-
-import "testing"
-
-func TestGetServeConfigFromJSON(t *testing.T) {
-	sc, err := getServeConfigFromJSON([]byte("null"))
-	if sc != nil {
-		t.Errorf("want nil for null")
-	}
-	if err != nil {
-		t.Errorf("reading null: %v", err)
-	}
-
-	sc, err = getServeConfigFromJSON([]byte(`{"TCP":{}}`))
-	if err != nil {
-		t.Errorf("reading object: %v", err)
-	} else if sc == nil {
-		t.Errorf("want non-nil for object")
-	} else if sc.TCP == nil {
-		t.Errorf("want non-nil TCP for object")
-	}
-}
--- a/client/tailscale/required_version.go
+++ b/client/tailscale/required_version.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build !go1.19
+// +build !go1.19

 package tailscale

--- a/client/tailscale/routes.go
+++ b/client/tailscale/routes.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package tailscale

--- a/client/tailscale/tailnet.go
+++ b/client/tailscale/tailnet.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package tailscale

--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -3,8 +3,9 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

-// Package tailscale contains Go clients for the Tailscale LocalAPI and
+// Package tailscale contains Go clients for the Tailscale Local API and
 // Tailscale control plane API.
 //
 // Warning: this package is in development and makes no API compatibility
@@ -114,7 +115,7 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
 	return c.httpClient().Do(req)
 }

-// sendRequest add the authentication key to the request and sends it. It
+// sendRequest add the authenication key to the request and sends it. It
 // receives the response and reads up to 10MB of it.
 func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
 	if !I_Acknowledge_This_API_Is_Unstable {
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -1,276 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-
-package main
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"tailscale.com/util/multierr"
-)
-
-// checkSecretPermissions checks the secret access permissions of the current
-// pod. It returns an error if the basic permissions tailscale needs are
-// missing, and reports whether the patch permission is additionally present.
-//
-// Errors encountered during the access checking process are logged, but ignored
-// so that the pod tries to fail alive if the permissions exist and there's just
-// something wrong with SelfSubjectAccessReviews. There shouldn't be, pods
-// should always be able to use SSARs to assess their own permissions, but since
-// we didn't use to check permissions this way we'll be cautious in case some
-// old version of k8s deviates from the current behavior.
-func checkSecretPermissions(ctx context.Context, secretName string) (canPatch bool, err error) {
-	var errs []error
-	for _, verb := range []string{"get", "update"} {
-		ok, err := checkPermission(ctx, verb, secretName)
-		if err != nil {
-			log.Printf("error checking %s permission on secret %s: %v", verb, secretName, err)
-		} else if !ok {
-			errs = append(errs, fmt.Errorf("missing %s permission on secret %q", verb, secretName))
-		}
-	}
-	if len(errs) > 0 {
-		return false, multierr.New(errs...)
-	}
-	ok, err := checkPermission(ctx, "patch", secretName)
-	if err != nil {
-		log.Printf("error checking patch permission on secret %s: %v", secretName, err)
-		return false, nil
-	}
-	return ok, nil
-}
-
-// checkPermission reports whether the current pod has permission to use the
-// given verb (e.g. get, update, patch) on secretName.
-func checkPermission(ctx context.Context, verb, secretName string) (bool, error) {
-	sar := map[string]any{
-		"apiVersion": "authorization.k8s.io/v1",
-		"kind":       "SelfSubjectAccessReview",
-		"spec": map[string]any{
-			"resourceAttributes": map[string]any{
-				"namespace": kubeNamespace,
-				"verb":      verb,
-				"resource":  "secrets",
-				"name":      secretName,
-			},
-		},
-	}
-	bs, err := json.Marshal(sar)
-	if err != nil {
-		return false, err
-	}
-	req, err := http.NewRequest("POST", "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", bytes.NewReader(bs))
-	if err != nil {
-		return false, err
-	}
-	resp, err := doKubeRequest(ctx, req)
-	if err != nil {
-		return false, err
-	}
-	defer resp.Body.Close()
-	bs, err = io.ReadAll(resp.Body)
-	if err != nil {
-		return false, err
-	}
-	var res struct {
-		Status struct {
-			Allowed bool `json:"allowed"`
-		} `json:"status"`
-	}
-	if err := json.Unmarshal(bs, &res); err != nil {
-		return false, err
-	}
-	return res.Status.Allowed, nil
-}
-
-// findKeyInKubeSecret inspects the kube secret secretName for a data
-// field called "authkey", and returns its value if present.
-func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error) {
-	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
-	if err != nil {
-		return "", err
-	}
-	resp, err := doKubeRequest(ctx, req)
-	if err != nil {
-		if resp != nil && resp.StatusCode == http.StatusNotFound {
-			// Kube secret doesn't exist yet, can't have an authkey.
-			return "", nil
-		}
-		return "", err
-	}
-	defer resp.Body.Close()
-
-	bs, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", err
-	}
-
-	// We use a map[string]any here rather than import corev1.Secret,
-	// because we only do very limited things to the secret, and
-	// importing corev1 adds 12MiB to the compiled binary.
-	var s map[string]any
-	if err := json.Unmarshal(bs, &s); err != nil {
-		return "", err
-	}
-	if d, ok := s["data"].(map[string]any); ok {
-		if v, ok := d["authkey"].(string); ok {
-			bs, err := base64.StdEncoding.DecodeString(v)
-			if err != nil {
-				return "", err
-			}
-			return string(bs), nil
-		}
-	}
-	return "", nil
-}
-
-// storeDeviceID writes deviceID into the "device_id" data field of
-// the kube secret secretName.
-func storeDeviceID(ctx context.Context, secretName, deviceID string) error {
-	// First check if the secret exists at all. Even if running on
-	// kubernetes, we do not necessarily store state in a k8s secret.
-	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
-	if err != nil {
-		return err
-	}
-	resp, err := doKubeRequest(ctx, req)
-	if err != nil {
-		if resp != nil && resp.StatusCode >= 400 && resp.StatusCode <= 499 {
-			// Assume the secret doesn't exist, or we don't have
-			// permission to access it.
-			return nil
-		}
-		return err
-	}
-
-	m := map[string]map[string]string{
-		"stringData": {
-			"device_id": deviceID,
-		},
-	}
-	var b bytes.Buffer
-	if err := json.NewEncoder(&b).Encode(m); err != nil {
-		return err
-	}
-	req, err = http.NewRequest("PATCH", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s?fieldManager=tailscale-container", kubeNamespace, secretName), &b)
-	if err != nil {
-		return err
-	}
-	req.Header.Set("Content-Type", "application/strategic-merge-patch+json")
-	if _, err := doKubeRequest(ctx, req); err != nil {
-		return err
-	}
-	return nil
-}
-
-// deleteAuthKey deletes the 'authkey' field of the given kube
-// secret. No-op if there is no authkey in the secret.
-func deleteAuthKey(ctx context.Context, secretName string) error {
-	// m is a JSON Patch data structure, see https://jsonpatch.com/ or RFC 6902.
-	m := []struct {
-		Op   string `json:"op"`
-		Path string `json:"path"`
-	}{
-		{
-			Op:   "remove",
-			Path: "/data/authkey",
-		},
-	}
-	var b bytes.Buffer
-	if err := json.NewEncoder(&b).Encode(m); err != nil {
-		return err
-	}
-	req, err := http.NewRequest("PATCH", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s?fieldManager=tailscale-container", kubeNamespace, secretName), &b)
-	if err != nil {
-		return err
-	}
-	req.Header.Set("Content-Type", "application/json-patch+json")
-	if resp, err := doKubeRequest(ctx, req); err != nil {
-		if resp != nil && resp.StatusCode == http.StatusUnprocessableEntity {
-			// This is kubernetes-ese for "the field you asked to
-			// delete already doesn't exist", aka no-op.
-			return nil
-		}
-		return err
-	}
-	return nil
-}
-
-var (
-	kubeHost      string
-	kubeNamespace string
-	kubeToken     string
-	kubeHTTP      *http.Transport
-)
-
-func initKube(root string) {
-	// If running in Kubernetes, set things up so that doKubeRequest
-	// can talk successfully to the kube apiserver.
-	if os.Getenv("KUBERNETES_SERVICE_HOST") == "" {
-		return
-	}
-
-	kubeHost = os.Getenv("KUBERNETES_SERVICE_HOST") + ":" + os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")
-
-	bs, err := os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/namespace"))
-	if err != nil {
-		log.Fatalf("Error reading kube namespace: %v", err)
-	}
-	kubeNamespace = strings.TrimSpace(string(bs))
-
-	bs, err = os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/token"))
-	if err != nil {
-		log.Fatalf("Error reading kube token: %v", err)
-	}
-	kubeToken = strings.TrimSpace(string(bs))
-
-	bs, err = os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/ca.crt"))
-	if err != nil {
-		log.Fatalf("Error reading kube CA cert: %v", err)
-	}
-	cp := x509.NewCertPool()
-	cp.AppendCertsFromPEM(bs)
-	kubeHTTP = &http.Transport{
-		TLSClientConfig: &tls.Config{
-			RootCAs: cp,
-		},
-		IdleConnTimeout: time.Second,
-	}
-}
-
-// doKubeRequest sends r to the kube apiserver.
-func doKubeRequest(ctx context.Context, r *http.Request) (*http.Response, error) {
-	if kubeHTTP == nil {
-		panic("not in kubernetes")
-	}
-
-	r.URL.Scheme = "https"
-	r.URL.Host = kubeHost
-	r.Header.Set("Authorization", "Bearer "+kubeToken)
-	r.Header.Set("Accept", "application/json")
-
-	resp, err := kubeHTTP.RoundTrip(r)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
-		return resp, fmt.Errorf("got non-200/201 status code %d", resp.StatusCode)
-	}
-	return resp, nil
-}
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -1,498 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-
-// The containerboot binary is a wrapper for starting tailscaled in a
-// container. It handles reading the desired mode of operation out of
-// environment variables, bringing up and authenticating Tailscale,
-// and any other kubernetes-specific side jobs.
-//
-// As with most container things, configuration is passed through
-// environment variables. All configuration is optional.
-//
-//   - TS_AUTH_KEY: the authkey to use for login.
-//   - TS_ROUTES: subnet routes to advertise.
-//   - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
-//     destination.
-//   - TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
-//   - TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
-//   - TS_USERSPACE: run with userspace networking (the default)
-//     instead of kernel networking.
-//   - TS_STATE_DIR: the directory in which to store tailscaled
-//     state. The data should persist across container
-//     restarts.
-//   - TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
-//   - TS_KUBE_SECRET: the name of the Kubernetes secret in which to
-//     store tailscaled state.
-//   - TS_SOCKS5_SERVER: the address on which to listen for SOCKS5
-//     proxying into the tailnet.
-//   - TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen
-//     for HTTP proxying into the tailnet.
-//   - TS_SOCKET: the path where the tailscaled LocalAPI socket should
-//     be created.
-//   - TS_AUTH_ONCE: if true, only attempt to log in if not already
-//     logged in. If false (the default, for backwards
-//     compatibility), forcibly log in every time the
-//     container starts.
-//
-// When running on Kubernetes, TS_KUBE_SECRET takes precedence over
-// TS_STATE_DIR. Additionally, if TS_AUTH_KEY is not provided and the
-// TS_KUBE_SECRET contains an "authkey" field, that key is used.
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io/fs"
-	"log"
-	"net/netip"
-	"os"
-	"os/exec"
-	"os/signal"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"syscall"
-	"time"
-
-	"golang.org/x/sys/unix"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn/ipnstate"
-)
-
-func main() {
-	log.SetPrefix("boot: ")
-	tailscale.I_Acknowledge_This_API_Is_Unstable = true
-
-	cfg := &settings{
-		AuthKey:         defaultEnv("TS_AUTH_KEY", ""),
-		Routes:          defaultEnv("TS_ROUTES", ""),
-		ProxyTo:         defaultEnv("TS_DEST_IP", ""),
-		DaemonExtraArgs: defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
-		ExtraArgs:       defaultEnv("TS_EXTRA_ARGS", ""),
-		InKubernetes:    os.Getenv("KUBERNETES_SERVICE_HOST") != "",
-		UserspaceMode:   defaultBool("TS_USERSPACE", true),
-		StateDir:        defaultEnv("TS_STATE_DIR", ""),
-		AcceptDNS:       defaultBool("TS_ACCEPT_DNS", false),
-		KubeSecret:      defaultEnv("TS_KUBE_SECRET", "tailscale"),
-		SOCKSProxyAddr:  defaultEnv("TS_SOCKS5_SERVER", ""),
-		HTTPProxyAddr:   defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
-		Socket:          defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:        defaultBool("TS_AUTH_ONCE", false),
-		Root:            defaultEnv("TS_TEST_ONLY_ROOT", "/"),
-	}
-
-	if cfg.ProxyTo != "" && cfg.UserspaceMode {
-		log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
-	}
-
-	if !cfg.UserspaceMode {
-		if err := ensureTunFile(cfg.Root); err != nil {
-			log.Fatalf("Unable to create tuntap device file: %v", err)
-		}
-		if cfg.ProxyTo != "" || cfg.Routes != "" {
-			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTo, cfg.Routes); err != nil {
-				log.Printf("Failed to enable IP forwarding: %v", err)
-				log.Printf("To run tailscale as a proxy or router container, IP forwarding must be enabled.")
-				if cfg.InKubernetes {
-					log.Fatalf("You can either set the sysctls as a privileged initContainer, or run the tailscale container with privileged=true.")
-				} else {
-					log.Fatalf("You can fix this by running the container with privileged=true, or the equivalent in your container runtime that permits access to sysctls.")
-				}
-			}
-		}
-	}
-
-	if cfg.InKubernetes {
-		initKube(cfg.Root)
-	}
-
-	// Context is used for all setup stuff until we're in steady
-	// state, so that if something is hanging we eventually time out
-	// and crashloop the container.
-	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
-	defer cancel()
-
-	if cfg.InKubernetes && cfg.KubeSecret != "" {
-		canPatch, err := checkSecretPermissions(ctx, cfg.KubeSecret)
-		if err != nil {
-			log.Fatalf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
-		}
-		cfg.KubernetesCanPatch = canPatch
-
-		if cfg.AuthKey == "" {
-			key, err := findKeyInKubeSecret(ctx, cfg.KubeSecret)
-			if err != nil {
-				log.Fatalf("Getting authkey from kube secret: %v", err)
-			}
-			if key != "" {
-				// This behavior of pulling authkeys from kube secrets was added
-				// at the same time as the patch permission, so we can enforce
-				// that we must be able to patch out the authkey after
-				// authenticating if you want to use this feature. This avoids
-				// us having to deal with the case where we might leave behind
-				// an unnecessary reusable authkey in a secret, like a rake in
-				// the grass.
-				if !cfg.KubernetesCanPatch {
-					log.Fatalf("authkey found in TS_KUBE_SECRET, but the pod doesn't have patch permissions on the secret to manage the authkey.")
-				}
-				log.Print("Using authkey found in kube secret")
-				cfg.AuthKey = key
-			} else {
-				log.Print("No authkey found in kube secret and TS_AUTHKEY not provided, login will be interactive if needed.")
-			}
-		}
-	}
-
-	client, daemonPid, err := startTailscaled(ctx, cfg)
-	if err != nil {
-		log.Fatalf("failed to bring up tailscale: %v", err)
-	}
-
-	st, err := authTailscaled(ctx, client, cfg)
-	if err != nil {
-		log.Fatalf("failed to auth tailscale: %v", err)
-	}
-
-	if cfg.ProxyTo != "" {
-		if err := installIPTablesRule(ctx, cfg.ProxyTo, st.TailscaleIPs); err != nil {
-			log.Fatalf("installing proxy rules: %v", err)
-		}
-	}
-	if cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != "" {
-		if err := storeDeviceID(ctx, cfg.KubeSecret, string(st.Self.ID)); err != nil {
-			log.Fatalf("storing device ID in kube secret: %v", err)
-		}
-		if cfg.AuthOnce {
-			// We were told to only auth once, so any secret-bound
-			// authkey is no longer needed. We don't strictly need to
-			// wipe it, but it's good hygiene.
-			log.Printf("Deleting authkey from kube secret")
-			if err := deleteAuthKey(ctx, cfg.KubeSecret); err != nil {
-				log.Fatalf("deleting authkey from kube secret: %v", err)
-			}
-		}
-	}
-
-	log.Println("Startup complete, waiting for shutdown signal")
-	// Reap all processes, since we are PID1 and need to collect
-	// zombies.
-	for {
-		var status unix.WaitStatus
-		pid, err := unix.Wait4(-1, &status, 0, nil)
-		if errors.Is(err, unix.EINTR) {
-			continue
-		}
-		if err != nil {
-			log.Fatalf("Waiting for exited processes: %v", err)
-		}
-		if pid == daemonPid {
-			log.Printf("Tailscaled exited")
-			os.Exit(0)
-		}
-	}
-}
-
-func startTailscaled(ctx context.Context, cfg *settings) (*tailscale.LocalClient, int, error) {
-	args := tailscaledArgs(cfg)
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, unix.SIGTERM, unix.SIGINT)
-	// tailscaled runs without context, since it needs to persist
-	// beyond the startup timeout in ctx.
-	cmd := exec.Command("tailscaled", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Setpgid: true,
-	}
-	log.Printf("Starting tailscaled")
-	if err := cmd.Start(); err != nil {
-		return nil, 0, fmt.Errorf("starting tailscaled failed: %v", err)
-	}
-	go func() {
-		<-sigCh
-		log.Printf("Received SIGTERM from container runtime, shutting down tailscaled")
-		cmd.Process.Signal(unix.SIGTERM)
-	}()
-
-	// Wait for the socket file to appear, otherwise API ops will racily fail.
-	log.Printf("Waiting for tailscaled socket")
-	for {
-		if ctx.Err() != nil {
-			log.Fatalf("Timed out waiting for tailscaled socket")
-		}
-		_, err := os.Stat(cfg.Socket)
-		if errors.Is(err, fs.ErrNotExist) {
-			time.Sleep(100 * time.Millisecond)
-			continue
-		} else if err != nil {
-			log.Fatalf("Waiting for tailscaled socket: %v", err)
-		}
-		break
-	}
-
-	tsClient := &tailscale.LocalClient{
-		Socket:        cfg.Socket,
-		UseSocketOnly: true,
-	}
-
-	return tsClient, cmd.Process.Pid, nil
-}
-
-// startAndAuthTailscaled starts the tailscale daemon and attempts to
-// auth it, according to the settings in cfg. If successful, returns
-// tailscaled's Status and pid.
-func authTailscaled(ctx context.Context, client *tailscale.LocalClient, cfg *settings) (*ipnstate.Status, error) {
-	didLogin := false
-	if !cfg.AuthOnce {
-		if err := tailscaleUp(ctx, cfg); err != nil {
-			return nil, fmt.Errorf("couldn't log in: %v", err)
-		}
-		didLogin = true
-	}
-
-	// Poll for daemon state until it goes to either Running or
-	// NeedsLogin. The latter only happens if cfg.AuthOnce is true,
-	// because in that case we only try to auth when it's necessary to
-	// reach the running state.
-	for {
-		if ctx.Err() != nil {
-			return nil, ctx.Err()
-		}
-
-		loopCtx, cancel := context.WithTimeout(ctx, time.Second)
-		st, err := client.Status(loopCtx)
-		cancel()
-		if err != nil {
-			return nil, fmt.Errorf("Getting tailscaled state: %w", err)
-		}
-
-		switch st.BackendState {
-		case "Running":
-			if len(st.TailscaleIPs) > 0 {
-				return st, nil
-			}
-			log.Printf("No Tailscale IPs assigned yet")
-		case "NeedsLogin":
-			if !didLogin {
-				// Alas, we cannot currently trigger an authkey login from
-				// LocalAPI, so we still have to shell out to the
-				// tailscale CLI for this bit.
-				if err := tailscaleUp(ctx, cfg); err != nil {
-					return nil, fmt.Errorf("couldn't log in: %v", err)
-				}
-				didLogin = true
-			}
-		default:
-			log.Printf("tailscaled in state %q, waiting", st.BackendState)
-		}
-
-		time.Sleep(100 * time.Millisecond)
-	}
-}
-
-// tailscaledArgs uses cfg to construct the argv for tailscaled.
-func tailscaledArgs(cfg *settings) []string {
-	args := []string{"--socket=" + cfg.Socket}
-	switch {
-	case cfg.InKubernetes && cfg.KubeSecret != "":
-		args = append(args, "--state=kube:"+cfg.KubeSecret, "--statedir=/tmp")
-	case cfg.StateDir != "":
-		args = append(args, "--statedir="+cfg.StateDir)
-	default:
-		args = append(args, "--state=mem:", "--statedir=/tmp")
-	}
-
-	if cfg.UserspaceMode {
-		args = append(args, "--tun=userspace-networking")
-	} else if err := ensureTunFile(cfg.Root); err != nil {
-		log.Fatalf("ensuring that /dev/net/tun exists: %v", err)
-	}
-
-	if cfg.SOCKSProxyAddr != "" {
-		args = append(args, "--socks5-server="+cfg.SOCKSProxyAddr)
-	}
-	if cfg.HTTPProxyAddr != "" {
-		args = append(args, "--outbound-http-proxy-listen="+cfg.HTTPProxyAddr)
-	}
-	if cfg.DaemonExtraArgs != "" {
-		args = append(args, strings.Fields(cfg.DaemonExtraArgs)...)
-	}
-	return args
-}
-
-// tailscaleUp uses cfg to run 'tailscale up'.
-func tailscaleUp(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "up"}
-	if cfg.AcceptDNS {
-		args = append(args, "--accept-dns=true")
-	} else {
-		args = append(args, "--accept-dns=false")
-	}
-	if cfg.AuthKey != "" {
-		args = append(args, "--authkey="+cfg.AuthKey)
-	}
-	if cfg.Routes != "" {
-		args = append(args, "--advertise-routes="+cfg.Routes)
-	}
-	if cfg.ExtraArgs != "" {
-		args = append(args, strings.Fields(cfg.ExtraArgs)...)
-	}
-	log.Printf("Running 'tailscale up'")
-	cmd := exec.CommandContext(ctx, "tailscale", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale up failed: %v", err)
-	}
-	return nil
-}
-
-// ensureTunFile checks that /dev/net/tun exists, creating it if
-// missing.
-func ensureTunFile(root string) error {
-	// Verify that /dev/net/tun exists, in some container envs it
-	// needs to be mknod-ed.
-	if _, err := os.Stat(filepath.Join(root, "dev/net")); errors.Is(err, fs.ErrNotExist) {
-		if err := os.MkdirAll(filepath.Join(root, "dev/net"), 0755); err != nil {
-			return err
-		}
-	}
-	if _, err := os.Stat(filepath.Join(root, "dev/net/tun")); errors.Is(err, fs.ErrNotExist) {
-		dev := unix.Mkdev(10, 200) // tuntap major and minor
-		if err := unix.Mknod(filepath.Join(root, "dev/net/tun"), 0600|unix.S_IFCHR, int(dev)); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// ensureIPForwarding enables IPv4/IPv6 forwarding for the container.
-func ensureIPForwarding(root, proxyTo, routes string) error {
-	var (
-		v4Forwarding, v6Forwarding bool
-	)
-	if proxyTo != "" {
-		proxyIP, err := netip.ParseAddr(proxyTo)
-		if err != nil {
-			return fmt.Errorf("invalid proxy destination IP: %v", err)
-		}
-		if proxyIP.Is4() {
-			v4Forwarding = true
-		} else {
-			v6Forwarding = true
-		}
-	}
-	if routes != "" {
-		for _, route := range strings.Split(routes, ",") {
-			cidr, err := netip.ParsePrefix(route)
-			if err != nil {
-				return fmt.Errorf("invalid subnet route: %v", err)
-			}
-			if cidr.Addr().Is4() {
-				v4Forwarding = true
-			} else {
-				v6Forwarding = true
-			}
-		}
-	}
-
-	var paths []string
-	if v4Forwarding {
-		paths = append(paths, filepath.Join(root, "proc/sys/net/ipv4/ip_forward"))
-	}
-	if v6Forwarding {
-		paths = append(paths, filepath.Join(root, "proc/sys/net/ipv6/conf/all/forwarding"))
-	}
-
-	// In some common configurations (e.g. default docker,
-	// kubernetes), the container environment denies write access to
-	// most sysctls, including IP forwarding controls. Check the
-	// sysctl values before trying to change them, so that we
-	// gracefully do nothing if the container's already been set up
-	// properly by e.g. a k8s initContainer.
-	for _, path := range paths {
-		bs, err := os.ReadFile(path)
-		if err != nil {
-			return fmt.Errorf("reading %q: %w", path, err)
-		}
-		if v := strings.TrimSpace(string(bs)); v != "1" {
-			if err := os.WriteFile(path, []byte("1"), 0644); err != nil {
-				return fmt.Errorf("enabling %q: %w", path, err)
-			}
-		}
-	}
-	return nil
-}
-
-func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Addr) error {
-	dst, err := netip.ParseAddr(dstStr)
-	if err != nil {
-		return err
-	}
-	argv0 := "iptables"
-	if dst.Is6() {
-		argv0 = "ip6tables"
-	}
-	var local string
-	for _, ip := range tsIPs {
-		if ip.Is4() != dst.Is4() {
-			continue
-		}
-		local = ip.String()
-		break
-	}
-	if local == "" {
-		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
-	}
-	cmd := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "PREROUTING", "1", "-d", local, "-j", "DNAT", "--to-destination", dstStr)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("executing iptables failed: %w", err)
-	}
-	return nil
-}
-
-// settings is all the configuration for containerboot.
-type settings struct {
-	AuthKey            string
-	Routes             string
-	ProxyTo            string
-	DaemonExtraArgs    string
-	ExtraArgs          string
-	InKubernetes       bool
-	UserspaceMode      bool
-	StateDir           string
-	AcceptDNS          bool
-	KubeSecret         string
-	SOCKSProxyAddr     string
-	HTTPProxyAddr      string
-	Socket             string
-	AuthOnce           bool
-	Root               string
-	KubernetesCanPatch bool
-}
-
-// defaultEnv returns the value of the given envvar name, or defVal if
-// unset.
-func defaultEnv(name, defVal string) string {
-	if v := os.Getenv(name); v != "" {
-		return v
-	}
-	return defVal
-}
-
-// defaultBool returns the boolean value of the given envvar name, or
-// defVal if unset or not a bool.
-func defaultBool(name string, defVal bool) bool {
-	v := os.Getenv(name)
-	ret, err := strconv.ParseBool(v)
-	if err != nil {
-		return defVal
-	}
-	return ret
-}
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -1,922 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-
-package main
-
-import (
-	"bytes"
-	_ "embed"
-	"encoding/base64"
-	"encoding/json"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"io/fs"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"net/netip"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/google/go-cmp/cmp"
-	"golang.org/x/sys/unix"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tstest"
-)
-
-func TestContainerBoot(t *testing.T) {
-	d := t.TempDir()
-
-	lapi := localAPI{FSRoot: d}
-	if err := lapi.Start(); err != nil {
-		t.Fatal(err)
-	}
-	defer lapi.Close()
-
-	kube := kubeServer{FSRoot: d}
-	if err := kube.Start(); err != nil {
-		t.Fatal(err)
-	}
-	defer kube.Close()
-
-	dirs := []string{
-		"var/lib",
-		"usr/bin",
-		"tmp",
-		"dev/net",
-		"proc/sys/net/ipv4",
-		"proc/sys/net/ipv6/conf/all",
-	}
-	for _, path := range dirs {
-		if err := os.MkdirAll(filepath.Join(d, path), 0700); err != nil {
-			t.Fatal(err)
-		}
-	}
-	files := map[string][]byte{
-		"usr/bin/tailscaled":                    fakeTailscaled,
-		"usr/bin/tailscale":                     fakeTailscale,
-		"usr/bin/iptables":                      fakeTailscale,
-		"usr/bin/ip6tables":                     fakeTailscale,
-		"dev/net/tun":                           []byte(""),
-		"proc/sys/net/ipv4/ip_forward":          []byte("0"),
-		"proc/sys/net/ipv6/conf/all/forwarding": []byte("0"),
-	}
-	resetFiles := func() {
-		for path, content := range files {
-			// Making everything executable is a little weird, but the
-			// stuff that doesn't need to be executable doesn't care if we
-			// do make it executable.
-			if err := os.WriteFile(filepath.Join(d, path), content, 0700); err != nil {
-				t.Fatal(err)
-			}
-		}
-	}
-	resetFiles()
-
-	boot := filepath.Join(d, "containerboot")
-	if err := exec.Command("go", "build", "-o", boot, "tailscale.com/cmd/containerboot").Run(); err != nil {
-		t.Fatalf("Building containerboot: %v", err)
-	}
-
-	argFile := filepath.Join(d, "args")
-	tsIPs := []netip.Addr{netip.MustParseAddr("100.64.0.1")}
-	runningSockPath := filepath.Join(d, "tmp/tailscaled.sock")
-
-	// TODO: refactor this 1-2 stuff if we ever need a third
-	// step. Right now all of containerboot's modes either converge
-	// with no further interaction needed, or with one extra step
-	// only.
-	type phase struct {
-		// Make LocalAPI report this status, then wait for the Wants below to be
-		// satisfied. A zero Status is a valid state for a just-started
-		// tailscaled.
-		Status ipnstate.Status
-
-		// WantCmds is the commands that containerboot should run in this phase.
-		WantCmds []string
-		// WantKubeSecret is the secret keys/values that should exist in the
-		// kube secret.
-		WantKubeSecret map[string]string
-		// WantFiles files that should exist in the container and their
-		// contents.
-		WantFiles map[string]string
-	}
-	tests := []struct {
-		Name          string
-		Env           map[string]string
-		KubeSecret    map[string]string
-		KubeDenyPatch bool
-		Phases        []phase
-	}{
-		{
-			// Out of the box default: runs in userspace mode, ephemeral storage, interactive login.
-			Name: "no_args",
-			Env:  nil,
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-				},
-			},
-		},
-		{
-			// Userspace mode, ephemeral storage, authkey provided on every run.
-			Name: "authkey",
-			Env: map[string]string{
-				"TS_AUTH_KEY": "tskey-key",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-				},
-			},
-		},
-		{
-			Name: "authkey_disk_state",
-			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
-				"TS_STATE_DIR": filepath.Join(d, "tmp"),
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-				},
-			},
-		},
-		{
-			Name: "routes",
-			Env: map[string]string{
-				"TS_AUTH_KEY": "tskey-key",
-				"TS_ROUTES":   "1.2.3.0/24,10.20.30.0/24",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-					WantFiles: map[string]string{
-						"proc/sys/net/ipv4/ip_forward":          "0",
-						"proc/sys/net/ipv6/conf/all/forwarding": "0",
-					},
-				},
-			},
-		},
-		{
-			Name: "routes_kernel_ipv4",
-			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
-				"TS_ROUTES":    "1.2.3.0/24,10.20.30.0/24",
-				"TS_USERSPACE": "false",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-					WantFiles: map[string]string{
-						"proc/sys/net/ipv4/ip_forward":          "1",
-						"proc/sys/net/ipv6/conf/all/forwarding": "0",
-					},
-				},
-			},
-		},
-		{
-			Name: "routes_kernel_ipv6",
-			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
-				"TS_ROUTES":    "::/64,1::/64",
-				"TS_USERSPACE": "false",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1::/64",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-					WantFiles: map[string]string{
-						"proc/sys/net/ipv4/ip_forward":          "0",
-						"proc/sys/net/ipv6/conf/all/forwarding": "1",
-					},
-				},
-			},
-		},
-		{
-			Name: "routes_kernel_all_families",
-			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
-				"TS_ROUTES":    "::/64,1.2.3.0/24",
-				"TS_USERSPACE": "false",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1.2.3.0/24",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-					WantFiles: map[string]string{
-						"proc/sys/net/ipv4/ip_forward":          "1",
-						"proc/sys/net/ipv6/conf/all/forwarding": "1",
-					},
-				},
-			},
-		},
-		{
-			Name: "proxy",
-			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
-				"TS_DEST_IP":   "1.2.3.4",
-				"TS_USERSPACE": "false",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-					WantCmds: []string{
-						"/usr/bin/iptables -t nat -I PREROUTING 1 -d 100.64.0.1 -j DNAT --to-destination 1.2.3.4",
-					},
-				},
-			},
-		},
-		{
-			Name: "authkey_once",
-			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
-				"TS_AUTH_ONCE": "true",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "NeedsLogin",
-					},
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-				},
-			},
-		},
-		{
-			Name: "kube_storage",
-			Env: map[string]string{
-				"KUBERNETES_SERVICE_HOST":       kube.Host,
-				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-			},
-			KubeSecret: map[string]string{
-				"authkey": "tskey-key",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey": "tskey-key",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-						Self: &ipnstate.PeerStatus{
-							ID: tailcfg.StableNodeID("myID"),
-						},
-					},
-					WantKubeSecret: map[string]string{
-						"authkey":   "tskey-key",
-						"device_id": "myID",
-					},
-				},
-			},
-		},
-		{
-			Name: "kube_storage_no_patch",
-			Env: map[string]string{
-				"KUBERNETES_SERVICE_HOST":       kube.Host,
-				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_AUTH_KEY":                   "tskey-key",
-			},
-			KubeSecret:    map[string]string{},
-			KubeDenyPatch: true,
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantKubeSecret: map[string]string{},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-						Self: &ipnstate.PeerStatus{
-							ID: tailcfg.StableNodeID("myID"),
-						},
-					},
-					WantKubeSecret: map[string]string{},
-				},
-			},
-		},
-		{
-			// Same as previous, but deletes the authkey from the kube secret.
-			Name: "kube_storage_auth_once",
-			Env: map[string]string{
-				"KUBERNETES_SERVICE_HOST":       kube.Host,
-				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_AUTH_ONCE":                  "true",
-			},
-			KubeSecret: map[string]string{
-				"authkey": "tskey-key",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey": "tskey-key",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "NeedsLogin",
-					},
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey": "tskey-key",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-						Self: &ipnstate.PeerStatus{
-							ID: tailcfg.StableNodeID("myID"),
-						},
-					},
-					WantKubeSecret: map[string]string{
-						"device_id": "myID",
-					},
-				},
-			},
-		},
-		{
-			Name: "proxies",
-			Env: map[string]string{
-				"TS_SOCKS5_SERVER":              "localhost:1080",
-				"TS_OUTBOUND_HTTP_PROXY_LISTEN": "localhost:8080",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --socks5-server=localhost:1080 --outbound-http-proxy-listen=localhost:8080",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
-					},
-				},
-				{
-					// The tailscale up call blocks until auth is complete, so
-					// by the time it returns the next converged state is
-					// Running.
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-				},
-			},
-		},
-		{
-			Name: "dns",
-			Env: map[string]string{
-				"TS_ACCEPT_DNS": "true",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=true",
-					},
-				},
-				{
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-				},
-			},
-		},
-		{
-			Name: "extra_args",
-			Env: map[string]string{
-				"TS_EXTRA_ARGS":            "--widget=rotated",
-				"TS_TAILSCALED_EXTRA_ARGS": "--experiments=widgets",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --experiments=widgets",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --widget=rotated",
-					},
-				}, {
-					Status: ipnstate.Status{
-						BackendState: "Running",
-						TailscaleIPs: tsIPs,
-					},
-				},
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.Name, func(t *testing.T) {
-			lapi.Reset()
-			kube.Reset()
-			os.Remove(argFile)
-			os.Remove(runningSockPath)
-			resetFiles()
-
-			for k, v := range test.KubeSecret {
-				kube.SetSecret(k, v)
-			}
-			kube.SetPatching(!test.KubeDenyPatch)
-
-			cmd := exec.Command(boot)
-			cmd.Env = []string{
-				fmt.Sprintf("PATH=%s/usr/bin:%s", d, os.Getenv("PATH")),
-				fmt.Sprintf("TS_TEST_RECORD_ARGS=%s", argFile),
-				fmt.Sprintf("TS_TEST_SOCKET=%s", lapi.Path),
-				fmt.Sprintf("TS_SOCKET=%s", runningSockPath),
-				fmt.Sprintf("TS_TEST_ONLY_ROOT=%s", d),
-			}
-			for k, v := range test.Env {
-				cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", k, v))
-			}
-			cbOut := &lockingBuffer{}
-			defer func() {
-				if t.Failed() {
-					t.Logf("containerboot output:\n%s", cbOut.String())
-				}
-			}()
-			cmd.Stderr = cbOut
-			if err := cmd.Start(); err != nil {
-				t.Fatalf("starting containerboot: %v", err)
-			}
-			defer func() {
-				cmd.Process.Signal(unix.SIGTERM)
-				cmd.Process.Wait()
-			}()
-
-			var wantCmds []string
-			for _, p := range test.Phases {
-				lapi.SetStatus(p.Status)
-				wantCmds = append(wantCmds, p.WantCmds...)
-				waitArgs(t, 2*time.Second, d, argFile, strings.Join(wantCmds, "\n"))
-				err := tstest.WaitFor(2*time.Second, func() error {
-					if p.WantKubeSecret != nil {
-						got := kube.Secret()
-						if diff := cmp.Diff(got, p.WantKubeSecret); diff != "" {
-							return fmt.Errorf("unexpected kube secret data (-got+want):\n%s", diff)
-						}
-					} else {
-						got := kube.Secret()
-						if len(got) > 0 {
-							return fmt.Errorf("kube secret unexpectedly not empty, got %#v", got)
-						}
-					}
-					return nil
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-				err = tstest.WaitFor(2*time.Second, func() error {
-					for path, want := range p.WantFiles {
-						gotBs, err := os.ReadFile(filepath.Join(d, path))
-						if err != nil {
-							return fmt.Errorf("reading wanted file %q: %v", path, err)
-						}
-						if got := strings.TrimSpace(string(gotBs)); got != want {
-							return fmt.Errorf("wrong file contents for %q, got %q want %q", path, got, want)
-						}
-					}
-					return nil
-				})
-				if err != nil {
-					t.Fatal(err)
-				}
-			}
-			waitLogLine(t, 2*time.Second, cbOut, "Startup complete, waiting for shutdown signal")
-		})
-	}
-}
-
-type lockingBuffer struct {
-	sync.Mutex
-	b bytes.Buffer
-}
-
-func (b *lockingBuffer) Write(bs []byte) (int, error) {
-	b.Lock()
-	defer b.Unlock()
-	return b.b.Write(bs)
-}
-
-func (b *lockingBuffer) String() string {
-	b.Lock()
-	defer b.Unlock()
-	return b.b.String()
-}
-
-// waitLogLine looks for want in the contents of b.
-//
-// Only lines starting with 'boot: ' (the output of containerboot
-// itself) are considered, and the logged timestamp is ignored.
-//
-// waitLogLine fails the entire test if path doesn't contain want
-// before the timeout.
-func waitLogLine(t *testing.T, timeout time.Duration, b *lockingBuffer, want string) {
-	deadline := time.Now().Add(timeout)
-	for time.Now().Before(deadline) {
-		for _, line := range strings.Split(b.String(), "\n") {
-			if !strings.HasPrefix(line, "boot: ") {
-				continue
-			}
-			if strings.HasSuffix(line, " "+want) {
-				return
-			}
-		}
-		time.Sleep(100 * time.Millisecond)
-	}
-	t.Fatalf("timed out waiting for wanted output line %q. Output:\n%s", want, b.String())
-}
-
-// waitArgs waits until the contents of path matches wantArgs, a set
-// of command lines recorded by test_tailscale.sh and
-// test_tailscaled.sh.
-//
-// All occurrences of removeStr are removed from the file prior to
-// comparison. This is used to remove the varying temporary root
-// directory name from recorded commandlines, so that wantArgs can be
-// a constant value.
-//
-// waitArgs fails the entire test if path doesn't contain wantArgs
-// before the timeout.
-func waitArgs(t *testing.T, timeout time.Duration, removeStr, path, wantArgs string) {
-	t.Helper()
-	wantArgs = strings.TrimSpace(wantArgs)
-	deadline := time.Now().Add(timeout)
-	var got string
-	for time.Now().Before(deadline) {
-		bs, err := os.ReadFile(path)
-		if errors.Is(err, fs.ErrNotExist) {
-			// Don't bother logging that the file doesn't exist, it
-			// should start existing soon.
-			goto loop
-		} else if err != nil {
-			t.Logf("reading %q: %v", path, err)
-			goto loop
-		}
-		got = strings.TrimSpace(string(bs))
-		got = strings.ReplaceAll(got, removeStr, "")
-		if got == wantArgs {
-			return
-		}
-	loop:
-		time.Sleep(100 * time.Millisecond)
-	}
-	t.Fatalf("waiting for args file %q to have expected output, got:\n%s\n\nWant: %s", path, got, wantArgs)
-}
-
-//go:embed test_tailscaled.sh
-var fakeTailscaled []byte
-
-//go:embed test_tailscale.sh
-var fakeTailscale []byte
-
-// localAPI is a minimal fake tailscaled LocalAPI server that presents
-// just enough functionality for containerboot to function
-// correctly. In practice this means it only supports querying
-// tailscaled status, and panics on all other uses to make it very
-// obvious that something unexpected happened.
-type localAPI struct {
-	FSRoot string
-	Path   string // populated by Start
-
-	srv *http.Server
-
-	sync.Mutex
-	status ipnstate.Status
-}
-
-func (l *localAPI) Start() error {
-	path := filepath.Join(l.FSRoot, "tmp/tailscaled.sock.fake")
-	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
-		return err
-	}
-
-	ln, err := net.Listen("unix", path)
-	if err != nil {
-		return err
-	}
-
-	l.srv = &http.Server{
-		Handler: l,
-	}
-	l.Path = path
-	go l.srv.Serve(ln)
-	return nil
-}
-
-func (l *localAPI) Close() {
-	l.srv.Close()
-}
-
-func (l *localAPI) Reset() {
-	l.SetStatus(ipnstate.Status{
-		BackendState: "NoState",
-	})
-}
-
-func (l *localAPI) SetStatus(st ipnstate.Status) {
-	l.Lock()
-	defer l.Unlock()
-	l.status = st
-}
-
-func (l *localAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.Method != "GET" {
-		panic(fmt.Sprintf("unsupported method %q", r.Method))
-	}
-	if r.URL.Path != "/localapi/v0/status" {
-		panic(fmt.Sprintf("unsupported localAPI path %q", r.URL.Path))
-	}
-	w.Header().Set("Content-Type", "application/json")
-	l.Lock()
-	defer l.Unlock()
-	if err := json.NewEncoder(w).Encode(l.status); err != nil {
-		panic("json encode failed")
-	}
-}
-
-// kubeServer is a minimal fake Kubernetes server that presents just
-// enough functionality for containerboot to function correctly. In
-// practice this means it only supports reading and modifying a single
-// kube secret, and panics on all other uses to make it very obvious
-// that something unexpected happened.
-type kubeServer struct {
-	FSRoot     string
-	Host, Port string // populated by Start
-
-	srv *httptest.Server
-
-	sync.Mutex
-	secret   map[string]string
-	canPatch bool
-}
-
-func (k *kubeServer) Secret() map[string]string {
-	k.Lock()
-	defer k.Unlock()
-	ret := map[string]string{}
-	for k, v := range k.secret {
-		ret[k] = v
-	}
-	return ret
-}
-
-func (k *kubeServer) SetSecret(key, val string) {
-	k.Lock()
-	defer k.Unlock()
-	k.secret[key] = val
-}
-
-func (k *kubeServer) SetPatching(canPatch bool) {
-	k.Lock()
-	defer k.Unlock()
-	k.canPatch = canPatch
-}
-
-func (k *kubeServer) Reset() {
-	k.Lock()
-	defer k.Unlock()
-	k.secret = map[string]string{}
-}
-
-func (k *kubeServer) Start() error {
-	root := filepath.Join(k.FSRoot, "var/run/secrets/kubernetes.io/serviceaccount")
-
-	if err := os.MkdirAll(root, 0700); err != nil {
-		return err
-	}
-
-	if err := os.WriteFile(filepath.Join(root, "namespace"), []byte("default"), 0600); err != nil {
-		return err
-	}
-	if err := os.WriteFile(filepath.Join(root, "token"), []byte("bearer_token"), 0600); err != nil {
-		return err
-	}
-
-	k.srv = httptest.NewTLSServer(k)
-	k.Host = k.srv.Listener.Addr().(*net.TCPAddr).IP.String()
-	k.Port = strconv.Itoa(k.srv.Listener.Addr().(*net.TCPAddr).Port)
-
-	var cert bytes.Buffer
-	if err := pem.Encode(&cert, &pem.Block{Type: "CERTIFICATE", Bytes: k.srv.Certificate().Raw}); err != nil {
-		return err
-	}
-	if err := os.WriteFile(filepath.Join(root, "ca.crt"), cert.Bytes(), 0600); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (k *kubeServer) Close() {
-	k.srv.Close()
-}
-
-func (k *kubeServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get("Authorization") != "Bearer bearer_token" {
-		panic("client didn't provide bearer token in request")
-	}
-	switch r.URL.Path {
-	case "/api/v1/namespaces/default/secrets/tailscale":
-		k.serveSecret(w, r)
-	case "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews":
-		k.serveSSAR(w, r)
-	default:
-		panic(fmt.Sprintf("unhandled fake kube api path %q", r.URL.Path))
-	}
-}
-
-func (k *kubeServer) serveSSAR(w http.ResponseWriter, r *http.Request) {
-	var req struct {
-		Spec struct {
-			ResourceAttributes struct {
-				Verb string `json:"verb"`
-			} `json:"resourceAttributes"`
-		} `json:"spec"`
-	}
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		panic(fmt.Sprintf("decoding SSAR request: %v", err))
-	}
-	ok := true
-	if req.Spec.ResourceAttributes.Verb == "patch" {
-		k.Lock()
-		defer k.Unlock()
-		ok = k.canPatch
-	}
-	// Just say yes to all SARs, we don't enforce RBAC.
-	w.Header().Set("Content-Type", "application/json")
-	fmt.Fprintf(w, `{"status":{"allowed":%v}}`, ok)
-}
-
-func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
-	bs, err := io.ReadAll(r.Body)
-	if err != nil {
-		http.Error(w, fmt.Sprintf("reading request body: %v", err), http.StatusInternalServerError)
-		return
-	}
-
-	switch r.Method {
-	case "GET":
-		w.Header().Set("Content-Type", "application/json")
-		ret := map[string]map[string]string{
-			"data": {},
-		}
-		k.Lock()
-		defer k.Unlock()
-		for k, v := range k.secret {
-			v := base64.StdEncoding.EncodeToString([]byte(v))
-			if err != nil {
-				panic("encode failed")
-			}
-			ret["data"][k] = v
-		}
-		if err := json.NewEncoder(w).Encode(ret); err != nil {
-			panic("encode failed")
-		}
-	case "PATCH":
-		k.Lock()
-		defer k.Unlock()
-		if !k.canPatch {
-			panic("containerboot tried to patch despite not being allowed")
-		}
-		switch r.Header.Get("Content-Type") {
-		case "application/json-patch+json":
-			req := []struct {
-				Op   string `json:"op"`
-				Path string `json:"path"`
-			}{}
-			if err := json.Unmarshal(bs, &req); err != nil {
-				panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
-			}
-			for _, op := range req {
-				if op.Op != "remove" {
-					panic(fmt.Sprintf("unsupported json-patch op %q", op.Op))
-				}
-				if !strings.HasPrefix(op.Path, "/data/") {
-					panic(fmt.Sprintf("unsupported json-patch path %q", op.Path))
-				}
-				delete(k.secret, strings.TrimPrefix(op.Path, "/data/"))
-			}
-		case "application/strategic-merge-patch+json":
-			req := struct {
-				Data map[string]string `json:"stringData"`
-			}{}
-			if err := json.Unmarshal(bs, &req); err != nil {
-				panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
-			}
-			for key, val := range req.Data {
-				k.secret[key] = val
-			}
-		default:
-			panic(fmt.Sprintf("unknown content type %q", r.Header.Get("Content-Type")))
-		}
-	default:
-		panic(fmt.Sprintf("unhandled HTTP method %q", r.Method))
-	}
-}
--- a/cmd/containerboot/test_tailscale.sh
+++ b/cmd/containerboot/test_tailscale.sh
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-#
-# This is a fake tailscale CLI (and also iptables and ip6tables) that
-# records its arguments and exits successfully.
-#
-# It is used by main_test.go to test the behavior of containerboot.
-
-echo $0 $@ >>$TS_TEST_RECORD_ARGS
--- a/cmd/containerboot/test_tailscaled.sh
+++ b/cmd/containerboot/test_tailscaled.sh
@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-#
-# This is a fake tailscale CLI that records its arguments, symlinks a
-# fake LocalAPI socket into place, and does nothing until terminated.
-#
-# It is used by main_test.go to test the behavior of containerboot.
-
-set -eu
-
-echo $0 $@ >>$TS_TEST_RECORD_ARGS
-
-socket=""
-while [[ $# -gt 0 ]]; do
-	case $1 in
-		--socket=*)
-			socket="${1#--socket=}"
-			shift
-			;;
-		--socket)
-			shift
-			socket="$1"
-			shift
-			;;
-		*)
-			shift
-			;;
-	esac
-done
-
-if [[ -z "$socket" ]]; then
-	echo "didn't find socket path in args"
-	exit 1
-fi
-
-ln -s "$TS_TEST_SOCKET" "$socket"
-
-while true; do sleep 1; done
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -2,9 +2,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa

        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
        filippo.io/edwards25519/field                                from filippo.io/edwards25519
-   W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
-   W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
-   W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
@@ -37,7 +34,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/client/tailscale
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-        tailscale.com/metrics                                        from tailscale.com/cmd/derper+
+     💣 tailscale.com/metrics                                        from tailscale.com/cmd/derper+
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
@@ -50,7 +47,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-        tailscale.com/net/wsconn                                     from tailscale.com/cmd/derper+
        tailscale.com/paths                                          from tailscale.com/client/tailscale
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale
        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
@@ -67,22 +63,19 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/ipn
-        tailscale.com/types/ptr                                      from tailscale.com/hostinfo
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
-   W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/mak                                       from tailscale.com/syncs
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/derp+
        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
@@ -101,8 +94,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr
   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http
@@ -116,8 +107,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
@@ -187,7 +176,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    os/user                                                      from tailscale.com/util/winutil
        path                                                         from golang.org/x/crypto/acme/autocert+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -325,31 +325,11 @@ func main() {
 	}
 }

-const (
-	noContentChallengeHeader = "X-Tailscale-Challenge"
-	noContentResponseHeader  = "X-Tailscale-Response"
-)
-
 // For captive portal detection
 func serveNoContent(w http.ResponseWriter, r *http.Request) {
-	if challenge := r.Header.Get(noContentChallengeHeader); challenge != "" {
-		badChar := strings.IndexFunc(challenge, func(r rune) bool {
-			return !isChallengeChar(r)
-		}) != -1
-		if len(challenge) <= 64 && !badChar {
-			w.Header().Set(noContentResponseHeader, "response "+challenge)
-		}
-	}
 	w.WriteHeader(http.StatusNoContent)
 }

-func isChallengeChar(c rune) bool {
-	// Semi-randomly chosen as a limited set of valid characters
-	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') ||
-		('0' <= c && c <= '9') ||
-		c == '.' || c == '-' || c == '_'
-}
-
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -7,9 +7,6 @@ package main
 import (
 	"context"
 	"net"
-	"net/http"
-	"net/http/httptest"
-	"strings"
 	"testing"

 	"tailscale.com/net/stun"
@@ -70,62 +67,3 @@ func BenchmarkServerSTUN(b *testing.B) {
 	}

 }
-
-func TestNoContent(t *testing.T) {
-	testCases := []struct {
-		name  string
-		input string
-		want  string
-	}{
-		{
-			name: "no challenge",
-		},
-		{
-			name:  "valid challenge",
-			input: "input",
-			want:  "response input",
-		},
-		{
-			name:  "valid challenge hostname",
-			input: "ts_derp99b.tailscale.com",
-			want:  "response ts_derp99b.tailscale.com",
-		},
-		{
-			name:  "invalid challenge",
-			input: "foo\x00bar",
-			want:  "",
-		},
-		{
-			name:  "whitespace invalid challenge",
-			input: "foo bar",
-			want:  "",
-		},
-		{
-			name:  "long challenge",
-			input: strings.Repeat("x", 65),
-			want:  "",
-		},
-	}
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			req, _ := http.NewRequest("GET", "https://localhost/generate_204", nil)
-			if tt.input != "" {
-				req.Header.Set(noContentChallengeHeader, tt.input)
-			}
-			w := httptest.NewRecorder()
-			serveNoContent(w, req)
-			resp := w.Result()
-
-			if tt.want == "" {
-				if h, found := resp.Header[noContentResponseHeader]; found {
-					t.Errorf("got %+v; expected no response header", h)
-				}
-				return
-			}
-
-			if got := resp.Header.Get(noContentResponseHeader); got != tt.want {
-				t.Errorf("got %q; want %q", got, tt.want)
-			}
-		})
-	}
-}
--- a/cmd/derper/mesh.go
+++ b/cmd/derper/mesh.go
@@ -17,7 +17,6 @@ import (
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/strs"
 )

 func startMesh(s *derp.Server) error {
@@ -51,7 +50,8 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		}
 		var d net.Dialer
 		var r net.Resolver
-		if base, ok := strs.CutSuffix(host, ".tailscale.com"); ok && port == "443" {
+		if port == "443" && strings.HasSuffix(host, ".tailscale.com") {
+			base := strings.TrimSuffix(host, ".tailscale.com")
 			subCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
 			defer cancel()
 			vpcHost := base + "-vpc.tailscale.com"
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -13,7 +13,6 @@ import (

 	"nhooyr.io/websocket"
 	"tailscale.com/derp"
-	"tailscale.com/net/wsconn"
 )

 var counterWebSocketAccepts = expvar.NewInt("derp_websocket_accepts")
@@ -24,7 +23,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		up := strings.ToLower(r.Header.Get("Upgrade"))

 		// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
-		// speak WebSockets (they still assumed DERP's binary framing). So to distinguish
+		// speak WebSockets (they still assumed DERP's binary framining). So to distinguish
 		// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
 		if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
 			base.ServeHTTP(w, r)
@@ -51,7 +50,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 			return
 		}
 		counterWebSocketAccepts.Add(1)
-		wc := wsconn.NetConn(r.Context(), c, websocket.MessageBinary)
+		wc := websocket.NetConn(r.Context(), c, websocket.MessageBinary)
 		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
 		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
 	})
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -35,7 +35,6 @@ import (
 var (
 	derpMapURL = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
 	listen     = flag.String("listen", ":8030", "HTTP listen address")
-	probeOnce  = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
 )

 // certReissueAfter is the time after which we expect all certs to be
@@ -64,20 +63,6 @@ func main() {
 	defer cancel()
 	_, _ = getDERPMap(ctx)

-	if *probeOnce {
-		log.Printf("Starting probe (may take up to 1m)")
-		probe()
-		log.Printf("Probe results:")
-		st := getOverallStatus()
-		for _, s := range st.good {
-			log.Printf("good: %s", s)
-		}
-		for _, s := range st.bad {
-			log.Printf("bad: %s", s)
-		}
-		return
-	}
-
 	go probeLoop()
 	go slackLoop()
 	log.Fatal(http.ListenAndServe(*listen, http.HandlerFunc(serve)))
--- a/cmd/mkmanifest/main.go
+++ b/cmd/mkmanifest/main.go
@@ -1,52 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The mkmanifest command is a simple helper utility to create a '.syso' file
-// that contains a Windows manifest file.
-package main
-
-import (
-	"log"
-	"os"
-
-	"github.com/tc-hib/winres"
-)
-
-func main() {
-	if len(os.Args) != 4 {
-		log.Fatalf("usage: %s arch manifest.xml output.syso", os.Args[0])
-	}
-
-	arch := winres.Arch(os.Args[1])
-	switch arch {
-	case winres.ArchAMD64, winres.ArchARM64, winres.ArchI386, winres.ArchARM:
-	default:
-		log.Fatalf("unsupported arch: %s", arch)
-	}
-
-	manifest, err := os.ReadFile(os.Args[2])
-	if err != nil {
-		log.Fatalf("error reading manifest file %q: %v", os.Args[2], err)
-	}
-
-	out := os.Args[3]
-
-	// Start by creating an empty resource set
-	rs := winres.ResourceSet{}
-
-	// Add resources
-	rs.Set(winres.RT_MANIFEST, winres.ID(1), 0, manifest)
-
-	// Compile to a COFF object file
-	f, err := os.Create(out)
-	if err != nil {
-		log.Fatalf("error creating output file %q: %v", out, err)
-	}
-	if err := rs.WriteObject(f, arch); err != nil {
-		log.Fatalf("error writing object: %v", err)
-	}
-	if err := f.Close(); err != nil {
-		log.Fatalf("error writing output file %q: %v", out, err)
-	}
-}
--- a/cmd/netlogfmt/main.go
+++ b/cmd/netlogfmt/main.go
@@ -1,387 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// netlogfmt parses a stream of JSON log messages from stdin and
-// formats the network traffic logs produced by "tailscale.com/wgengine/netlog"
-// according to the schema in "tailscale.com/types/netlogtype.Message"
-// in a more humanly readable format.
-//
-// Example usage:
-//
-//	$ cat netlog.json | go run tailscale.com/cmd/netlogfmt
-//	=========================================================================================
-//	NodeID: n123456CNTRL
-//	Logged: 2022-10-13T20:23:10.165Z
-//	Window: 2022-10-13T20:23:09.644Z (5s)
-//	---------------------------------------------------  Tx[P/s]  Tx[B/s]  Rx[P/s]    Rx[B/s]
-//	VirtualTraffic:                                       16.80    1.64Ki   11.20      1.03Ki
-//	    TCP:    100.109.51.95:22 -> 100.85.80.41:42912    16.00    1.59Ki   10.40   1008.84
-//	    TCP: 100.109.51.95:21291 -> 100.107.177.2:53133    0.40   27.60      0.40     24.20
-//	    TCP: 100.109.51.95:21291 -> 100.107.177.2:53134    0.40   23.40      0.40     24.20
-//	PhysicalTraffic:                                      16.80    2.32Ki   11.20      1.48Ki
-//	                100.85.80.41 -> 192.168.0.101:41641   16.00    2.23Ki   10.40      1.40Ki
-//	               100.107.177.2 -> 192.168.0.100:41641    0.80   83.20      0.80     83.20
-//	=========================================================================================
-package main
-
-import (
-	"encoding/base64"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"math"
-	"net/http"
-	"net/netip"
-	"os"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/dsnet/try"
-	jsonv2 "github.com/go-json-experiment/json"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
-	"tailscale.com/logtail"
-	"tailscale.com/types/netlogtype"
-	"tailscale.com/util/must"
-)
-
-var (
-	resolveNames = flag.Bool("resolve-names", false, "convert tailscale IP addresses to hostnames; must also specify --api-key and --tailnet-id")
-	apiKey       = flag.String("api-key", "", "API key to query the Tailscale API with; see https://login.tailscale.com/admin/settings/keys")
-	tailnetName  = flag.String("tailnet-name", "", "tailnet domain name to lookup devices in; see https://login.tailscale.com/admin/settings/general")
-)
-
-var namesByAddr map[netip.Addr]string
-
-func main() {
-	flag.Parse()
-	if *resolveNames {
-		namesByAddr = mustMakeNamesByAddr()
-	}
-
-	// The logic handles a stream of arbitrary JSON.
-	// So long as a JSON object seems like a network log message,
-	// then this will unmarshal and print it.
-	if err := processStream(os.Stdin); err != nil {
-		if err == io.EOF {
-			return
-		}
-		log.Fatalf("processStream: %v", err)
-	}
-}
-
-func processStream(r io.Reader) (err error) {
-	defer try.Handle(&err)
-	dec := jsonv2.NewDecoder(os.Stdin)
-	for {
-		processValue(dec)
-	}
-}
-
-func processValue(dec *jsonv2.Decoder) {
-	switch dec.PeekKind() {
-	case '[':
-		processArray(dec)
-	case '{':
-		processObject(dec)
-	default:
-		try.E(dec.SkipValue())
-	}
-}
-
-func processArray(dec *jsonv2.Decoder) {
-	try.E1(dec.ReadToken()) // parse '['
-	for dec.PeekKind() != ']' {
-		processValue(dec)
-	}
-	try.E1(dec.ReadToken()) // parse ']'
-}
-
-func processObject(dec *jsonv2.Decoder) {
-	var hasTraffic bool
-	var rawMsg []byte
-	try.E1(dec.ReadToken()) // parse '{'
-	for dec.PeekKind() != '}' {
-		// Capture any members that could belong to a network log message.
-		switch name := try.E1(dec.ReadToken()); name.String() {
-		case "virtualTraffic", "subnetTraffic", "exitTraffic", "physicalTraffic":
-			hasTraffic = true
-			fallthrough
-		case "logtail", "nodeId", "logged", "start", "end":
-			if len(rawMsg) == 0 {
-				rawMsg = append(rawMsg, '{')
-			} else {
-				rawMsg = append(rawMsg[:len(rawMsg)-1], ',')
-			}
-			rawMsg = append(append(append(rawMsg, '"'), name.String()...), '"')
-			rawMsg = append(rawMsg, ':')
-			rawMsg = append(rawMsg, try.E1(dec.ReadValue())...)
-			rawMsg = append(rawMsg, '}')
-		default:
-			processValue(dec)
-		}
-	}
-	try.E1(dec.ReadToken()) // parse '}'
-
-	// If this appears to be a network log message, then unmarshal and print it.
-	if hasTraffic {
-		var msg message
-		try.E(jsonv2.Unmarshal(rawMsg, &msg))
-		printMessage(msg)
-	}
-}
-
-type message struct {
-	Logtail struct {
-		ID     logtail.PublicID `json:"id"`
-		Logged time.Time        `json:"server_time"`
-	} `json:"logtail"`
-	Logged time.Time `json:"logged"`
-	netlogtype.Message
-}
-
-func printMessage(msg message) {
-	// Construct a table of network traffic per connection.
-	rows := [][7]string{{3: "Tx[P/s]", 4: "Tx[B/s]", 5: "Rx[P/s]", 6: "Rx[B/s]"}}
-	duration := msg.End.Sub(msg.Start)
-	addRows := func(heading string, traffic []netlogtype.ConnectionCounts) {
-		if len(traffic) == 0 {
-			return
-		}
-		slices.SortFunc(traffic, func(x, y netlogtype.ConnectionCounts) bool {
-			nx := x.TxPackets + x.TxBytes + x.RxPackets + x.RxBytes
-			ny := y.TxPackets + y.TxBytes + y.RxPackets + y.RxBytes
-			return nx > ny
-		})
-		var sum netlogtype.Counts
-		for _, cc := range traffic {
-			sum = sum.Add(cc.Counts)
-		}
-		rows = append(rows, [7]string{
-			0: heading + ":",
-			3: formatSI(float64(sum.TxPackets) / duration.Seconds()),
-			4: formatIEC(float64(sum.TxBytes) / duration.Seconds()),
-			5: formatSI(float64(sum.RxPackets) / duration.Seconds()),
-			6: formatIEC(float64(sum.RxBytes) / duration.Seconds()),
-		})
-		if len(traffic) == 1 && traffic[0].Connection.IsZero() {
-			return // this is already a summary counts
-		}
-		formatAddrPort := func(a netip.AddrPort) string {
-			if !a.IsValid() {
-				return ""
-			}
-			if name, ok := namesByAddr[a.Addr()]; ok {
-				if a.Port() == 0 {
-					return name
-				}
-				return name + ":" + strconv.Itoa(int(a.Port()))
-			}
-			if a.Port() == 0 {
-				return a.Addr().String()
-			}
-			return a.String()
-		}
-		for _, cc := range traffic {
-			row := [7]string{
-				0: "    ",
-				1: formatAddrPort(cc.Src),
-				2: formatAddrPort(cc.Dst),
-				3: formatSI(float64(cc.TxPackets) / duration.Seconds()),
-				4: formatIEC(float64(cc.TxBytes) / duration.Seconds()),
-				5: formatSI(float64(cc.RxPackets) / duration.Seconds()),
-				6: formatIEC(float64(cc.RxBytes) / duration.Seconds()),
-			}
-			if cc.Proto > 0 {
-				row[0] += cc.Proto.String() + ":"
-			}
-			rows = append(rows, row)
-		}
-	}
-	addRows("VirtualTraffic", msg.VirtualTraffic)
-	addRows("SubnetTraffic", msg.SubnetTraffic)
-	addRows("ExitTraffic", msg.ExitTraffic)
-	addRows("PhysicalTraffic", msg.PhysicalTraffic)
-
-	// Compute the maximum width of each field.
-	var maxWidths [7]int
-	for _, row := range rows {
-		for i, col := range row {
-			if maxWidths[i] < len(col) && !(i == 0 && !strings.HasPrefix(col, " ")) {
-				maxWidths[i] = len(col)
-			}
-		}
-	}
-	var maxSum int
-	for _, n := range maxWidths {
-		maxSum += n
-	}
-
-	// Output a table of network traffic per connection.
-	line := make([]byte, 0, maxSum+len(" ")+len(" -> ")+4*len("  "))
-	line = appendRepeatByte(line, '=', cap(line))
-	fmt.Println(string(line))
-	if !msg.Logtail.ID.IsZero() {
-		fmt.Printf("LogID:  %s\n", msg.Logtail.ID)
-	}
-	if msg.NodeID != "" {
-		fmt.Printf("NodeID: %s\n", msg.NodeID)
-	}
-	formatTime := func(t time.Time) string {
-		return t.In(time.Local).Format("2006-01-02 15:04:05.000")
-	}
-	switch {
-	case !msg.Logged.IsZero():
-		fmt.Printf("Logged: %s\n", formatTime(msg.Logged))
-	case !msg.Logtail.Logged.IsZero():
-		fmt.Printf("Logged: %s\n", formatTime(msg.Logtail.Logged))
-	}
-	fmt.Printf("Window: %s (%0.3fs)\n", formatTime(msg.Start), duration.Seconds())
-	for i, row := range rows {
-		line = line[:0]
-		isHeading := !strings.HasPrefix(row[0], " ")
-		for j, col := range row {
-			if isHeading && j == 0 {
-				col = "" // headings will be printed later
-			}
-			switch j {
-			case 0, 2: // left justified
-				line = append(line, col...)
-				line = appendRepeatByte(line, ' ', maxWidths[j]-len(col))
-			case 1, 3, 4, 5, 6: // right justified
-				line = appendRepeatByte(line, ' ', maxWidths[j]-len(col))
-				line = append(line, col...)
-			}
-			switch j {
-			case 0:
-				line = append(line, " "...)
-			case 1:
-				if row[1] == "" && row[2] == "" {
-					line = append(line, "    "...)
-				} else {
-					line = append(line, " -> "...)
-				}
-			case 2, 3, 4, 5:
-				line = append(line, "  "...)
-			}
-		}
-		switch {
-		case i == 0: // print dashed-line table heading
-			line = appendRepeatByte(line[:0], '-', maxWidths[0]+len(" ")+maxWidths[1]+len(" -> ")+maxWidths[2])[:cap(line)]
-		case isHeading:
-			copy(line[:], row[0])
-		}
-		fmt.Println(string(line))
-	}
-}
-
-func mustMakeNamesByAddr() map[netip.Addr]string {
-	switch {
-	case *apiKey == "":
-		log.Fatalf("--api-key must be specified with --resolve-names")
-	case *tailnetName == "":
-		log.Fatalf("--tailnet must be specified with --resolve-names")
-	}
-
-	// Query the Tailscale API for a list of devices in the tailnet.
-	const apiURL = "https://api.tailscale.com/api/v2"
-	req := must.Get(http.NewRequest("GET", apiURL+"/tailnet/"+*tailnetName+"/devices", nil))
-	req.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(*apiKey+":")))
-	resp := must.Get(http.DefaultClient.Do(req))
-	defer resp.Body.Close()
-	b := must.Get(io.ReadAll(resp.Body))
-	if resp.StatusCode != 200 {
-		log.Fatalf("http: %v: %s", http.StatusText(resp.StatusCode), b)
-	}
-
-	// Unmarshal the API response.
-	var m struct {
-		Devices []struct {
-			Name  string       `json:"name"`
-			Addrs []netip.Addr `json:"addresses"`
-		} `json:"devices"`
-	}
-	must.Do(json.Unmarshal(b, &m))
-
-	// Construct a unique mapping of Tailscale IP addresses to hostnames.
-	// For brevity, we start with the first segment of the name and
-	// use more segments until we find the shortest prefix that is unique
-	// for all names in the tailnet.
-	seen := make(map[string]bool)
-	namesByAddr := make(map[netip.Addr]string)
-retry:
-	for i := 0; i < 10; i++ {
-		maps.Clear(seen)
-		maps.Clear(namesByAddr)
-		for _, d := range m.Devices {
-			name := fieldPrefix(d.Name, i)
-			if seen[name] {
-				continue retry
-			}
-			seen[name] = true
-			for _, a := range d.Addrs {
-				namesByAddr[a] = name
-			}
-		}
-		return namesByAddr
-	}
-	panic("unable to produce unique mapping of address to names")
-}
-
-// fieldPrefix returns the first n number of dot-separated segments.
-//
-// Example:
-//
-//	fieldPrefix("foo.bar.baz", 0) returns ""
-//	fieldPrefix("foo.bar.baz", 1) returns "foo"
-//	fieldPrefix("foo.bar.baz", 2) returns "foo.bar"
-//	fieldPrefix("foo.bar.baz", 3) returns "foo.bar.baz"
-//	fieldPrefix("foo.bar.baz", 4) returns "foo.bar.baz"
-func fieldPrefix(s string, n int) string {
-	s0 := s
-	for i := 0; i < n && len(s) > 0; i++ {
-		if j := strings.IndexByte(s, '.'); j >= 0 {
-			s = s[j+1:]
-		} else {
-			s = ""
-		}
-	}
-	return strings.TrimSuffix(s0[:len(s0)-len(s)], ".")
-}
-
-func appendRepeatByte(b []byte, c byte, n int) []byte {
-	for i := 0; i < n; i++ {
-		b = append(b, c)
-	}
-	return b
-}
-
-func formatSI(n float64) string {
-	switch n := math.Abs(n); {
-	case n < 1e3:
-		return fmt.Sprintf("%0.2f ", n/(1e0))
-	case n < 1e6:
-		return fmt.Sprintf("%0.2fk", n/(1e3))
-	case n < 1e9:
-		return fmt.Sprintf("%0.2fM", n/(1e6))
-	default:
-		return fmt.Sprintf("%0.2fG", n/(1e9))
-	}
-}
-
-func formatIEC(n float64) string {
-	switch n := math.Abs(n); {
-	case n < 1<<10:
-		return fmt.Sprintf("%0.2f  ", n/(1<<0))
-	case n < 1<<20:
-		return fmt.Sprintf("%0.2fKi", n/(1<<10))
-	case n < 1<<30:
-		return fmt.Sprintf("%0.2fMi", n/(1<<20))
-	default:
-		return fmt.Sprintf("%0.2fGi", n/(1<<30))
-	}
-}
--- a/cmd/nginx-auth/README.md
+++ b/cmd/nginx-auth/README.md
@@ -1,7 +1,5 @@
 # nginx-auth

-[![status: experimental](https://img.shields.io/badge/status-experimental-blue)](https://tailscale.com/kb/1167/release-stages/#experimental)
-
 This is a tool that allows users to use Tailscale Whois authentication with
 NGINX as a reverse proxy. This allows users that already have a bunch of
 services hosted on an internal NGINX server to point those domains to the
--- a/cmd/nginx-auth/mkdeb.sh
+++ b/cmd/nginx-auth/mkdeb.sh
@@ -4,7 +4,7 @@ set -e

 CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .

-VERSION=0.1.2
+VERSION=0.1.1

 mkpkg \
    --out=tailscale-nginx-auth-${VERSION}-amd64.deb \
--- a/cmd/pgproxy/README.md
+++ b/cmd/pgproxy/README.md
@@ -1,42 +0,0 @@
-# pgproxy
-
-The pgproxy server is a proxy for the Postgres wire protocol. [Read
-more in our blog
-post](https://tailscale.com/blog/introducing-pgproxy/) about it!
-
-The proxy runs an in-process Tailscale instance, accepts postgres
-client connections over Tailscale only, and proxies them to the
-configured upstream postgres server.
-
-This proxy exists because postgres clients default to very insecure
-connection settings: either they "prefer" but do not require TLS; or
-they set sslmode=require, which merely requires that a TLS handshake
-took place, but don't verify the server's TLS certificate or the
-presented TLS hostname.  In other words, sslmode=require enforces that
-a TLS session is created, but that session can trivially be
-machine-in-the-middled to steal credentials, data, inject malicious
-queries, and so forth.
-
-Because this flaw is in the client's validation of the TLS session,
-you have no way of reliably detecting the misconfiguration
-server-side. You could fix the configuration of all the clients you
-know of, but the default makes it very easy to accidentally regress.
-
-Instead of trying to verify client configuration over time, this proxy
-removes the need for postgres clients to be configured correctly: the
-upstream database is configured to only accept connections from the
-proxy, and the proxy is only available to clients over Tailscale.
-
-Therefore, clients must use the proxy to connect to the database. The
-client<>proxy connection is secured end-to-end by Tailscale, which the
-proxy enforces by verifying that the connecting client is a known
-current Tailscale peer. The proxy<>server connection is established by
-the proxy itself, using strict TLS verification settings, and the
-client is only allowed to communicate with the server once we've
-established that the upstream connection is safe to use.
-
-A couple side benefits: because clients can only connect via
-Tailscale, you can use Tailscale ACLs as an extra layer of defense on
-top of the postgres user/password authentication. And, the proxy can
-maintain an audit log of who connected to the database, complete with
-the strongly authenticated Tailscale identity of the client.
--- a/cmd/pgproxy/pgproxy.go
+++ b/cmd/pgproxy/pgproxy.go
@@ -1,366 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The pgproxy server is a proxy for the Postgres wire protocol.
-package main
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	crand "crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"expvar"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"math/big"
-	"net"
-	"net/http"
-	"os"
-	"strings"
-	"time"
-
-	"tailscale.com/client/tailscale"
-	"tailscale.com/metrics"
-	"tailscale.com/tsnet"
-	"tailscale.com/tsweb"
-	"tailscale.com/types/logger"
-)
-
-var (
-	hostname     = flag.String("hostname", "", "Tailscale hostname to serve on")
-	port         = flag.Int("port", 5432, "Listening port for client connections")
-	debugPort    = flag.Int("debug-port", 80, "Listening port for debug/metrics endpoint")
-	upstreamAddr = flag.String("upstream-addr", "", "Address of the upstream Postgres server, in host:port format")
-	upstreamCA   = flag.String("upstream-ca-file", "", "File containing the PEM-encoded CA certificate for the upstream server")
-	tailscaleDir = flag.String("state-dir", "", "Directory in which to store the Tailscale auth state")
-)
-
-func main() {
-	flag.Parse()
-	if *hostname == "" {
-		log.Fatal("missing --hostname")
-	}
-	if *upstreamAddr == "" {
-		log.Fatal("missing --upstream-addr")
-	}
-	if *upstreamCA == "" {
-		log.Fatal("missing --upstream-ca-file")
-	}
-	if *tailscaleDir == "" {
-		log.Fatal("missing --state-dir")
-	}
-
-	ts := &tsnet.Server{
-		Dir:      *tailscaleDir,
-		Hostname: *hostname,
-		// Make the stdout logs a clean audit log of connections.
-		Logf: logger.Discard,
-	}
-
-	if os.Getenv("TS_AUTHKEY") == "" {
-		log.Print("Note: you need to run this with TS_AUTHKEY=... the first time, to join your tailnet of choice.")
-	}
-
-	tsclient, err := ts.LocalClient()
-	if err != nil {
-		log.Fatalf("getting tsnet API client: %v", err)
-	}
-
-	p, err := newProxy(*upstreamAddr, *upstreamCA, tsclient)
-	if err != nil {
-		log.Fatal(err)
-	}
-	expvar.Publish("pgproxy", p.Expvar())
-
-	if *debugPort != 0 {
-		mux := http.NewServeMux()
-		tsweb.Debugger(mux)
-		srv := &http.Server{
-			Handler: mux,
-		}
-		dln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *debugPort))
-		if err != nil {
-			log.Fatal(err)
-		}
-		go func() {
-			log.Fatal(srv.Serve(dln))
-		}()
-	}
-
-	ln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *port))
-	if err != nil {
-		log.Fatal(err)
-	}
-	log.Printf("serving access to %s on port %d", *upstreamAddr, *port)
-	log.Fatal(p.Serve(ln))
-}
-
-// proxy is a postgres wire protocol proxy, which strictly enforces
-// the security of the TLS connection to its upstream regardless of
-// what the client's TLS configuration is.
-type proxy struct {
-	upstreamAddr     string // "my.database.com:5432"
-	upstreamHost     string // "my.database.com"
-	upstreamCertPool *x509.CertPool
-	downstreamCert   []tls.Certificate
-	client           *tailscale.LocalClient
-
-	activeSessions  expvar.Int
-	startedSessions expvar.Int
-	errors          metrics.LabelMap
-}
-
-// newProxy returns a proxy that forwards connections to
-// upstreamAddr. The upstream's TLS session is verified using the CA
-// cert(s) in upstreamCAPath.
-func newProxy(upstreamAddr, upstreamCAPath string, client *tailscale.LocalClient) (*proxy, error) {
-	bs, err := os.ReadFile(upstreamCAPath)
-	if err != nil {
-		return nil, err
-	}
-	upstreamCertPool := x509.NewCertPool()
-	if !upstreamCertPool.AppendCertsFromPEM(bs) {
-		return nil, fmt.Errorf("invalid CA cert in %q", upstreamCAPath)
-	}
-
-	h, _, err := net.SplitHostPort(upstreamAddr)
-	if err != nil {
-		return nil, err
-	}
-	downstreamCert, err := mkSelfSigned(h)
-	if err != nil {
-		return nil, err
-	}
-
-	return &proxy{
-		upstreamAddr:     upstreamAddr,
-		upstreamHost:     h,
-		upstreamCertPool: upstreamCertPool,
-		downstreamCert:   []tls.Certificate{downstreamCert},
-		client:           client,
-		errors:           metrics.LabelMap{Label: "kind"},
-	}, nil
-}
-
-// Expvar returns p's monitoring metrics.
-func (p *proxy) Expvar() expvar.Var {
-	ret := &metrics.Set{}
-	ret.Set("sessions_active", &p.activeSessions)
-	ret.Set("sessions_started", &p.startedSessions)
-	ret.Set("session_errors", &p.errors)
-	return ret
-}
-
-// Serve accepts postgres client connections on ln and proxies them to
-// the configured upstream. ln can be any net.Listener, but all client
-// connections must originate from tailscale IPs that can be verified
-// with WhoIs.
-func (p *proxy) Serve(ln net.Listener) error {
-	var lastSessionID int64
-	for {
-		c, err := ln.Accept()
-		if err != nil {
-			return err
-		}
-		id := time.Now().UnixNano()
-		if id == lastSessionID {
-			// Bluntly enforce SID uniqueness, even if collisions are
-			// fantastically unlikely (but OSes vary in how much timer
-			// precision they expose to the OS, so id might be rounded
-			// e.g. to the same millisecond)
-			id++
-		}
-		lastSessionID = id
-		go func(sessionID int64) {
-			if err := p.serve(sessionID, c); err != nil {
-				log.Printf("%d: session ended with error: %v", sessionID, err)
-			}
-		}(id)
-	}
-}
-
-var (
-	// sslStart is the magic bytes that postgres clients use to indicate
-	// that they want to do a TLS handshake. Servers should respond with
-	// the single byte "S" before starting a normal TLS handshake.
-	sslStart = [8]byte{0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f}
-	// plaintextStart is the magic bytes that postgres clients use to
-	// indicate that they're starting a plaintext authentication
-	// handshake.
-	plaintextStart = [8]byte{0, 0, 0, 86, 0, 3, 0, 0}
-)
-
-// serve proxies the postgres client on c to the proxy's upstream,
-// enforcing strict TLS to the upstream.
-func (p *proxy) serve(sessionID int64, c net.Conn) error {
-	defer c.Close()
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	whois, err := p.client.WhoIs(ctx, c.RemoteAddr().String())
-	if err != nil {
-		p.errors.Add("whois-failed", 1)
-		return fmt.Errorf("getting client identity: %v", err)
-	}
-
-	// Before anything else, log the connection attempt.
-	user, machine := "", ""
-	if whois.Node != nil {
-		if whois.Node.Hostinfo.ShareeNode() {
-			machine = "external-device"
-		} else {
-			machine = strings.TrimSuffix(whois.Node.Name, ".")
-		}
-	}
-	if whois.UserProfile != nil {
-		user = whois.UserProfile.LoginName
-		if user == "tagged-devices" && whois.Node != nil {
-			user = strings.Join(whois.Node.Tags, ",")
-		}
-	}
-	if user == "" || machine == "" {
-		p.errors.Add("no-ts-identity", 1)
-		return fmt.Errorf("couldn't identify source user and machine (user %q, machine %q)", user, machine)
-	}
-	log.Printf("%d: session start, from %s (machine %s, user %s)", sessionID, c.RemoteAddr(), machine, user)
-	start := time.Now()
-	defer func() {
-		elapsed := time.Since(start)
-		log.Printf("%d: session end, from %s (machine %s, user %s), lasted %s", sessionID, c.RemoteAddr(), machine, user, elapsed.Round(time.Millisecond))
-	}()
-
-	// Read the client's opening message, to figure out if it's trying
-	// to TLS or not.
-	var buf [8]byte
-	if _, err := io.ReadFull(c, buf[:len(sslStart)]); err != nil {
-		p.errors.Add("network-error", 1)
-		return fmt.Errorf("initial magic read: %v", err)
-	}
-	var clientIsTLS bool
-	switch {
-	case buf == sslStart:
-		clientIsTLS = true
-	case buf == plaintextStart:
-		clientIsTLS = false
-	default:
-		p.errors.Add("client-bad-protocol", 1)
-		return fmt.Errorf("unrecognized initial packet = % 02x", buf)
-	}
-
-	// Dial & verify upstream connection.
-	var d net.Dialer
-	d.Timeout = 10 * time.Second
-	upc, err := d.Dial("tcp", p.upstreamAddr)
-	if err != nil {
-		p.errors.Add("network-error", 1)
-		return fmt.Errorf("upstream dial: %v", err)
-	}
-	defer upc.Close()
-	if _, err := upc.Write(sslStart[:]); err != nil {
-		p.errors.Add("network-error", 1)
-		return fmt.Errorf("upstream write of start-ssl magic: %v", err)
-	}
-	if _, err := io.ReadFull(upc, buf[:1]); err != nil {
-		p.errors.Add("network-error", 1)
-		return fmt.Errorf("reading upstream start-ssl response: %v", err)
-	}
-	if buf[0] != 'S' {
-		p.errors.Add("upstream-bad-protocol", 1)
-		return fmt.Errorf("upstream didn't acknowldge start-ssl, said %q", buf[0])
-	}
-	tlsConf := &tls.Config{
-		ServerName: p.upstreamHost,
-		RootCAs:    p.upstreamCertPool,
-		MinVersion: tls.VersionTLS12,
-	}
-	uptc := tls.Client(upc, tlsConf)
-	if err = uptc.HandshakeContext(ctx); err != nil {
-		p.errors.Add("upstream-tls", 1)
-		return fmt.Errorf("upstream TLS handshake: %v", err)
-	}
-
-	// Accept the client conn and set it up the way the client wants.
-	var clientConn net.Conn
-	if clientIsTLS {
-		io.WriteString(c, "S") // yeah, we're good to speak TLS
-		s := tls.Server(c, &tls.Config{
-			ServerName:   p.upstreamHost,
-			Certificates: p.downstreamCert,
-			MinVersion:   tls.VersionTLS12,
-		})
-		if err = uptc.HandshakeContext(ctx); err != nil {
-			p.errors.Add("client-tls", 1)
-			return fmt.Errorf("client TLS handshake: %v", err)
-		}
-		clientConn = s
-	} else {
-		// Repeat the header we read earlier up to the server.
-		if _, err := uptc.Write(plaintextStart[:]); err != nil {
-			p.errors.Add("network-error", 1)
-			return fmt.Errorf("sending initial client bytes to upstream: %v", err)
-		}
-		clientConn = c
-	}
-
-	// Finally, proxy the client to the upstream.
-	errc := make(chan error, 1)
-	go func() {
-		_, err := io.Copy(uptc, clientConn)
-		errc <- err
-	}()
-	go func() {
-		_, err := io.Copy(clientConn, uptc)
-		errc <- err
-	}()
-	if err := <-errc; err != nil {
-		// Don't increment error counts here, because the most common
-		// cause of termination is client or server closing the
-		// connection normally, and it'll obscure "interesting"
-		// handshake errors.
-		return fmt.Errorf("session terminated with error: %v", err)
-	}
-	return nil
-}
-
-// mkSelfSigned creates and returns a self-signed TLS certificate for
-// hostname.
-func mkSelfSigned(hostname string) (tls.Certificate, error) {
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), crand.Reader)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	pub := priv.Public()
-	template := x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject: pkix.Name{
-			Organization: []string{"pgproxy"},
-		},
-		DNSNames:              []string{hostname},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
-		KeyUsage:              x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-	derBytes, err := x509.CreateCertificate(crand.Reader, &template, &template, pub, priv)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	cert, err := x509.ParseCertificate(derBytes)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-
-	return tls.Certificate{
-		Certificate: [][]byte{derBytes},
-		PrivateKey:  priv,
-		Leaf:        cert,
-	}, nil
-}
--- a/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
+++ b/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
@@ -1,189 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// ssh-auth-none-demo is a demo SSH server that's meant to run on the
-// public internet (at 188.166.70.128 port 2222) and
-// highlight the unique parts of the Tailscale SSH server so SSH
-// client authors can hit it easily and fix their SSH clients without
-// needing to set up Tailscale and Tailscale SSH.
-package main
-
-import (
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"flag"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"log"
-	"os"
-	"path/filepath"
-	"time"
-
-	gossh "github.com/tailscale/golang-x-crypto/ssh"
-	"tailscale.com/tempfork/gliderlabs/ssh"
-)
-
-// keyTypes are the SSH key types that we either try to read from the
-// system's OpenSSH keys.
-var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
-
-var (
-	addr = flag.String("addr", ":2222", "address to listen on")
-)
-
-func main() {
-	flag.Parse()
-
-	cacheDir, err := os.UserCacheDir()
-	if err != nil {
-		log.Fatal(err)
-	}
-	dir := filepath.Join(cacheDir, "ssh-auth-none-demo")
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		log.Fatal(err)
-	}
-
-	keys, err := getHostKeys(dir)
-	if err != nil {
-		log.Fatal(err)
-	}
-	if len(keys) == 0 {
-		log.Fatal("no host keys")
-	}
-
-	srv := &ssh.Server{
-		Addr:    *addr,
-		Version: "Tailscale",
-		Handler: handleSessionPostSSHAuth,
-		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
-			start := time.Now()
-			return &gossh.ServerConfig{
-				NextAuthMethodCallback: func(conn gossh.ConnMetadata, prevErrors []error) []string {
-					return []string{"tailscale"}
-				},
-				NoClientAuth: true, // required for the NoClientAuthCallback to run
-				NoClientAuthCallback: func(cm gossh.ConnMetadata) (*gossh.Permissions, error) {
-					cm.SendAuthBanner(fmt.Sprintf("# Banner: doing none auth at %v\r\n", time.Since(start)))
-
-					totalBanners := 2
-					if cm.User() == "banners" {
-						totalBanners = 5
-					}
-					for banner := 2; banner <= totalBanners; banner++ {
-						time.Sleep(time.Second)
-						if banner == totalBanners {
-							cm.SendAuthBanner(fmt.Sprintf("# Banner%d: access granted at %v\r\n", banner, time.Since(start)))
-						} else {
-							cm.SendAuthBanner(fmt.Sprintf("# Banner%d at %v\r\n", banner, time.Since(start)))
-						}
-					}
-					return nil, nil
-				},
-				BannerCallback: func(cm gossh.ConnMetadata) string {
-					log.Printf("Got connection from user %q, %q from %v", cm.User(), cm.ClientVersion(), cm.RemoteAddr())
-					return fmt.Sprintf("# Banner for user %q, %q\n", cm.User(), cm.ClientVersion())
-				},
-			}
-		},
-	}
-
-	for _, signer := range keys {
-		srv.AddHostKey(signer)
-	}
-
-	log.Printf("Running on %s ...", srv.Addr)
-	if err := srv.ListenAndServe(); err != nil {
-		log.Fatal(err)
-	}
-	log.Printf("done")
-}
-
-func handleSessionPostSSHAuth(s ssh.Session) {
-	log.Printf("Started session from user %q", s.User())
-	fmt.Fprintf(s, "Hello user %q, it worked.\n", s.User())
-
-	// Abort the session on Control-C or Control-D.
-	go func() {
-		buf := make([]byte, 1024)
-		for {
-			n, err := s.Read(buf)
-			for _, b := range buf[:n] {
-				if b <= 4 { // abort on Control-C (3) or Control-D (4)
-					io.WriteString(s, "bye\n")
-					s.Exit(1)
-				}
-			}
-			if err != nil {
-				return
-			}
-		}
-	}()
-
-	for i := 10; i > 0; i-- {
-		fmt.Fprintf(s, "%v ...\n", i)
-		time.Sleep(time.Second)
-	}
-	s.Exit(0)
-}
-
-func getHostKeys(dir string) (ret []ssh.Signer, err error) {
-	for _, typ := range keyTypes {
-		hostKey, err := hostKeyFileOrCreate(dir, typ)
-		if err != nil {
-			return nil, err
-		}
-		signer, err := gossh.ParsePrivateKey(hostKey)
-		if err != nil {
-			return nil, err
-		}
-		ret = append(ret, signer)
-	}
-	return ret, nil
-}
-
-func hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
-	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
-	v, err := ioutil.ReadFile(path)
-	if err == nil {
-		return v, nil
-	}
-	if !os.IsNotExist(err) {
-		return nil, err
-	}
-	var priv any
-	switch typ {
-	default:
-		return nil, fmt.Errorf("unsupported key type %q", typ)
-	case "ed25519":
-		_, priv, err = ed25519.GenerateKey(rand.Reader)
-	case "ecdsa":
-		// curve is arbitrary. We pick whatever will at
-		// least pacify clients as the actual encryption
-		// doesn't matter: it's all over WireGuard anyway.
-		curve := elliptic.P256()
-		priv, err = ecdsa.GenerateKey(curve, rand.Reader)
-	case "rsa":
-		// keySize is arbitrary. We pick whatever will at
-		// least pacify clients as the actual encryption
-		// doesn't matter: it's all over WireGuard anyway.
-		const keySize = 2048
-		priv, err = rsa.GenerateKey(rand.Reader, keySize)
-	}
-	if err != nil {
-		return nil, err
-	}
-	mk, err := x509.MarshalPKCS8PrivateKey(priv)
-	if err != nil {
-		return nil, err
-	}
-	pemGen := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: mk})
-	err = os.WriteFile(path, pemGen, 0700)
-	return pemGen, err
-}
--- a/cmd/stunc/stunc.go
+++ b/cmd/stunc/stunc.go
@@ -1,58 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Command stunc makes a STUN request to a STUN server and prints the result.
-package main
-
-import (
-	"log"
-	"net"
-	"os"
-
-	"tailscale.com/net/stun"
-)
-
-func main() {
-	log.SetFlags(0)
-
-	if len(os.Args) != 2 {
-		log.Fatalf("usage: %s <hostname>", os.Args[0])
-	}
-	host := os.Args[1]
-
-	uaddr, err := net.ResolveUDPAddr("udp", host+":3478")
-	if err != nil {
-		log.Fatal(err)
-	}
-	c, err := net.ListenUDP("udp", nil)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	txID := stun.NewTxID()
-	req := stun.Request(txID)
-
-	_, err = c.WriteToUDP(req, uaddr)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	var buf [1024]byte
-	n, raddr, err := c.ReadFromUDPAddrPort(buf[:])
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	tid, saddr, err := stun.ParseResponse(buf[:n])
-	if err != nil {
-		log.Fatal(err)
-	}
-	if tid != txID {
-		log.Fatalf("txid mismatch: got %v, want %v", tid, txID)
-	}
-
-	log.Printf("sent addr: %v", uaddr)
-	log.Printf("from addr: %v", raddr)
-	log.Printf("stun addr: %v", saddr)
-}
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -8,7 +8,6 @@ import (
 	"context"
 	"errors"
 	"flag"
-	"fmt"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/client/tailscale"
@@ -22,14 +21,12 @@ var bugReportCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("bugreport")
 		fs.BoolVar(&bugReportArgs.diagnose, "diagnose", false, "run additional in-depth checks")
-		fs.BoolVar(&bugReportArgs.record, "record", false, "if true, pause and then write another bugreport")
 		return fs
 	})(),
 }

 var bugReportArgs struct {
 	diagnose bool
-	record   bool
 }

 func runBugReport(ctx context.Context, args []string) error {
@@ -39,46 +36,15 @@ func runBugReport(ctx context.Context, args []string) error {
 	case 1:
 		note = args[0]
 	default:
-		return errors.New("unknown arguments")
+		return errors.New("unknown argumets")
 	}
-	opts := tailscale.BugReportOpts{
+	logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{
 		Note:     note,
 		Diagnose: bugReportArgs.diagnose,
+	})
+	if err != nil {
+		return err
 	}
-	if !bugReportArgs.record {
-		// Simple, non-record case
-		logMarker, err := localClient.BugReportWithOpts(ctx, opts)
-		if err != nil {
-			return err
-		}
-		outln(logMarker)
-		return nil
-	}
-
-	// Recording; run the request in the background
-	done := make(chan struct{})
-	opts.Record = done
-
-	type bugReportResp struct {
-		marker string
-		err    error
-	}
-	resCh := make(chan bugReportResp, 1)
-	go func() {
-		m, err := localClient.BugReportWithOpts(ctx, opts)
-		resCh <- bugReportResp{m, err}
-	}()
-
-	outln("Recording started; please reproduce your issue and then press Enter...")
-	fmt.Scanln()
-	close(done)
-	res := <-resCh
-
-	if res.err != nil {
-		return res.err
-	}
-
-	outln(res.marker)
-	outln("Please provide both bugreport markers above to the support team or GitHub issue.")
+	outln(logMarker)
 	return nil
 }
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -7,10 +7,7 @@ package cli
 import (
 	"bytes"
 	"context"
-	"crypto/rand"
 	"crypto/tls"
-	"crypto/x509"
-	"errors"
 	"flag"
 	"fmt"
 	"log"
@@ -19,7 +16,6 @@ import (
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"software.sslmate.com/src/go-pkcs12"
 	"tailscale.com/atomicfile"
 	"tailscale.com/ipn"
 	"tailscale.com/version"
@@ -28,7 +24,7 @@ import (
 var certCmd = &ffcli.Command{
 	Name:       "cert",
 	Exec:       runCert,
-	ShortHelp:  "Get TLS certs",
+	ShortHelp:  "get TLS certs",
 	ShortUsage: "cert [flags] <domain>",
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
@@ -48,7 +44,6 @@ var certArgs struct {
 func runCert(ctx context.Context, args []string) error {
 	if certArgs.serve {
 		s := &http.Server{
-			Addr: ":443",
 			TLSConfig: &tls.Config{
 				GetCertificate: localClient.GetCertificate,
 			},
@@ -62,16 +57,7 @@ func runCert(ctx context.Context, args []string) error {
 				fmt.Fprintf(w, "<h1>Hello from Tailscale</h1>It works.")
 			}),
 		}
-		switch len(args) {
-		case 0:
-			// Nothing.
-		case 1:
-			s.Addr = args[0]
-		default:
-			return errors.New("too many arguments; max 1 allowed with --serve-demo (the listen address)")
-		}
-
-		log.Printf("running TLS server on %s ...", s.Addr)
+		log.Printf("running TLS server on :443 ...")
 		return s.ListenAndServeTLS("", "")
 	}

@@ -133,25 +119,17 @@ func runCert(ctx context.Context, args []string) error {
 			}
 		}
 	}
-	if dst := certArgs.keyFile; dst != "" {
-		contents := keyPEM
-		if isPKCS12(dst) {
-			var err error
-			contents, err = convertToPKCS12(certPEM, keyPEM)
-			if err != nil {
-				return err
-			}
-		}
-		keyChanged, err := writeIfChanged(dst, contents, 0600)
+	if certArgs.keyFile != "" {
+		keyChanged, err := writeIfChanged(certArgs.keyFile, keyPEM, 0600)
 		if err != nil {
 			return err
 		}
 		if certArgs.keyFile != "-" {
 			macWarn()
 			if keyChanged {
-				printf("Wrote private key to %v\n", dst)
+				printf("Wrote private key to %v\n", certArgs.keyFile)
 			} else {
-				printf("Private key unchanged at %v\n", dst)
+				printf("Private key unchanged at %v\n", certArgs.keyFile)
 			}
 		}
 	}
@@ -171,29 +149,3 @@ func writeIfChanged(filename string, contents []byte, mode os.FileMode) (changed
 	}
 	return true, nil
 }
-
-func isPKCS12(dst string) bool {
-	return strings.HasSuffix(dst, ".p12") || strings.HasSuffix(dst, ".pfx")
-}
-
-func convertToPKCS12(certPEM, keyPEM []byte) ([]byte, error) {
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-	var certs []*x509.Certificate
-	for _, c := range cert.Certificate {
-		cert, err := x509.ParseCertificate(c)
-		if err != nil {
-			return nil, err
-		}
-		certs = append(certs, cert)
-	}
-	if len(certs) == 0 {
-		return nil, errors.New("no certs")
-	}
-	// TODO(bradfitz): I'm not sure this is right yet. The goal was to make this
-	// work for https://github.com/tailscale/tailscale/issues/2928 but I'm still
-	// fighting Windows.
-	return pkcs12.Encode(rand.Reader, cert.PrivateKey, certs[0], certs[1:], "" /* no password */)
-}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -13,28 +13,28 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net"
 	"os"
+	"os/signal"
 	"runtime"
 	"strconv"
 	"strings"
 	"sync"
+	"syscall"
 	"text/tabwriter"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/exp/slices"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
+	"tailscale.com/ipn"
 	"tailscale.com/paths"
+	"tailscale.com/safesocket"
 	"tailscale.com/version/distro"
 )

 var Stderr io.Writer = os.Stderr
 var Stdout io.Writer = os.Stdout

-func errf(format string, a ...any) {
-	fmt.Fprintf(Stderr, format, a...)
-}
-
 func printf(format string, a ...any) {
 	fmt.Fprintf(Stdout, format, a...)
 }
@@ -157,10 +157,7 @@ change in the future.
 		Subcommands: []*ffcli.Command{
 			upCmd,
 			downCmd,
-			setCmd,
-			loginCmd,
 			logoutCmd,
-			switchCmd,
 			netcheckCmd,
 			ipCmd,
 			statusCmd,
@@ -180,22 +177,15 @@ change in the future.
 		UsageFunc: usageFunc,
 	}
 	for _, c := range rootCmd.Subcommands {
-		if c.UsageFunc == nil {
-			c.UsageFunc = usageFunc
-		}
+		c.UsageFunc = usageFunc
 	}
 	if envknob.UseWIPCode() {
-		rootCmd.Subcommands = append(rootCmd.Subcommands,
-			idTokenCmd,
-		)
+		rootCmd.Subcommands = append(rootCmd.Subcommands, idTokenCmd)
 	}

-	// Don't advertise these commands, but they're still explicitly available.
-	switch {
-	case slices.Contains(args, "debug"):
+	// Don't advertise the debug command, but it exists.
+	if strSliceContains(args, "debug") {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
-	case slices.Contains(args, "serve"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, serveCmd)
 	}
 	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
@@ -241,16 +231,68 @@ var rootArgs struct {
 	socket string
 }

-// usageFuncNoDefaultValues is like usageFunc but doesn't print default values.
-func usageFuncNoDefaultValues(c *ffcli.Command) string {
-	return usageFuncOpt(c, false)
+func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
+	s := safesocket.DefaultConnectionStrategy(rootArgs.socket)
+	c, err := safesocket.Connect(s)
+	if err != nil {
+		if runtime.GOOS != "windows" && rootArgs.socket == "" {
+			fatalf("--socket cannot be empty")
+		}
+		fatalf("Failed to connect to tailscaled. (safesocket.Connect: %v)\n", err)
+	}
+	clientToServer := func(b []byte) {
+		ipn.WriteMsg(c, b)
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+
+	go func() {
+		interrupt := make(chan os.Signal, 1)
+		signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
+		select {
+		case <-interrupt:
+		case <-ctx.Done():
+			// Context canceled elsewhere.
+			signal.Reset(syscall.SIGINT, syscall.SIGTERM)
+			return
+		}
+		c.Close()
+		cancel()
+	}()
+
+	bc := ipn.NewBackendClient(log.Printf, clientToServer)
+	return c, bc, ctx, cancel
+}
+
+// pump receives backend messages on conn and pushes them into bc.
+func pump(ctx context.Context, bc *ipn.BackendClient, conn net.Conn) error {
+	defer conn.Close()
+	for ctx.Err() == nil {
+		msg, err := ipn.ReadMsg(conn)
+		if err != nil {
+			if ctx.Err() != nil {
+				return ctx.Err()
+			}
+			if errors.Is(err, io.EOF) || errors.Is(err, net.ErrClosed) {
+				return fmt.Errorf("%w (tailscaled stopped running?)", err)
+			}
+			return err
+		}
+		bc.GotNotifyMsg(msg)
+	}
+	return ctx.Err()
+}
+
+func strSliceContains(ss []string, s string) bool {
+	for _, v := range ss {
+		if v == s {
+			return true
+		}
+	}
+	return false
 }

 func usageFunc(c *ffcli.Command) string {
-	return usageFuncOpt(c, true)
-}
-
-func usageFuncOpt(c *ffcli.Command, withDefaults bool) string {
 	var b strings.Builder

 	fmt.Fprintf(&b, "USAGE\n")
@@ -281,9 +323,6 @@ func usageFuncOpt(c *ffcli.Command, withDefaults bool) string {
 		c.FlagSet.VisitAll(func(f *flag.Flag) {
 			var s string
 			name, usage := flag.UnquoteUsage(f)
-			if strings.HasPrefix(usage, "HIDDEN: ") {
-				return
-			}
 			if isBoolFlag(f) {
 				s = fmt.Sprintf("  --%s, --%s=false", f.Name, f.Name)
 			} else {
@@ -297,7 +336,7 @@ func usageFuncOpt(c *ffcli.Command, withDefaults bool) string {
 			s += "\n    \t"
 			s += strings.ReplaceAll(usage, "\n", "\n    \t")

-			if f.DefValue != "" && withDefaults {
+			if f.DefValue != "" {
 				s += fmt.Sprintf(" (default %s)", f.DefValue)
 			}

--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -16,10 +16,8 @@ import (

 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
-	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tka"
 	"tailscale.com/tstest"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
@@ -38,10 +36,10 @@ var geese = []string{"linux", "darwin", "windows", "freebsd"}
 func TestUpdateMaskedPrefsFromUpFlag(t *testing.T) {
 	for _, goos := range geese {
 		var upArgs upArgsT
-		fs := newUpFlagSet(goos, &upArgs, "up")
+		fs := newUpFlagSet(goos, &upArgs)
 		fs.VisitAll(func(f *flag.Flag) {
 			mp := new(ipn.MaskedPrefs)
-			updateMaskedPrefsFromUpOrSetFlag(mp, f.Name)
+			updateMaskedPrefsFromUpFlag(mp, f.Name)
 			got := mp.Pretty()
 			wantEmpty := preflessFlag(f.Name)
 			isEmpty := got == "MaskedPrefs{}"
@@ -412,7 +410,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
 		},
 		{
-			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Issue 3480
+			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
 			flags:         []string{"--hostname=foo"},
 			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
@@ -450,7 +448,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		},
 		{
 			// Issue 3176: on Synology, don't require --accept-routes=false because user
-			// might've had an old install, and we don't support --accept-routes anyway.
+			// migth've had old an install, and we don't support --accept-routes anyway.
 			name:  "synology_permit_omit_accept_routes",
 			flags: []string{"--hostname=foo"},
 			curPrefs: &ipn.Prefs{
@@ -480,19 +478,6 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			distro: "", // not Synology
 			want:   accidentalUpPrefix + " --hostname=foo --accept-routes",
 		},
-		{
-			name:  "profile_name_ignored_in_up",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				CorpDNS:          true,
-				AllowSingleHosts: true,
-				NetfilterMode:    preftype.NetfilterOn,
-				ProfileName:      "foo",
-			},
-			goos: "linux",
-			want: "",
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -501,7 +486,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				goos = tt.goos
 			}
 			var upArgs upArgsT
-			flagSet := newUpFlagSet(goos, &upArgs, "up")
+			flagSet := newUpFlagSet(goos, &upArgs)
 			flags := CleanUpArgs(tt.flags)
 			flagSet.Parse(flags)
 			newPrefs, err := prefsFromUpArgs(upArgs, t.Logf, new(ipnstate.Status), goos)
@@ -528,7 +513,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 }

 func upArgsFromOSArgs(goos string, flagArgs ...string) (args upArgsT) {
-	fs := newUpFlagSet(goos, &args, "up")
+	fs := newUpFlagSet(goos, &args)
 	fs.Parse(flagArgs) // populates args
 	return
 }
@@ -788,7 +773,7 @@ func TestPrefFlagMapping(t *testing.T) {
 func TestFlagAppliesToOS(t *testing.T) {
 	for _, goos := range geese {
 		var upArgs upArgsT
-		fs := newUpFlagSet(goos, &upArgs, "up")
+		fs := newUpFlagSet(goos, &upArgs)
 		fs.VisitAll(func(f *flag.Flag) {
 			if !flagAppliesToOS(f.Name, goos) {
 				t.Errorf("flagAppliesToOS(%q, %q) = false but found in %s set", f.Name, goos, goos)
@@ -1083,7 +1068,7 @@ func TestUpdatePrefs(t *testing.T) {
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"
 			}
-			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs, "up")
+			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs)
 			flags := CleanUpArgs(tt.flags)
 			if err := tt.env.flagSet.Parse(flags); err != nil {
 				t.Fatal(err)
@@ -1158,81 +1143,3 @@ func TestCleanUpArgs(t *testing.T) {
 		c.Assert(got, qt.DeepEquals, tt.want)
 	}
 }
-
-func TestUpWorthWarning(t *testing.T) {
-	if !upWorthyWarning(healthmsg.WarnAcceptRoutesOff) {
-		t.Errorf("WarnAcceptRoutesOff of %q should be worth warning", healthmsg.WarnAcceptRoutesOff)
-	}
-	if !upWorthyWarning(healthmsg.TailscaleSSHOnBut + "some problem") {
-		t.Errorf("want true for SSH problems")
-	}
-	if upWorthyWarning("not in map poll") {
-		t.Errorf("want false for other misc errors")
-	}
-}
-
-func TestParseNLArgs(t *testing.T) {
-	tcs := []struct {
-		name              string
-		input             []string
-		parseKeys         bool
-		parseDisablements bool
-
-		wantErr          error
-		wantKeys         []tka.Key
-		wantDisablements [][]byte
-	}{
-		{
-			name:              "empty",
-			input:             nil,
-			parseKeys:         true,
-			parseDisablements: true,
-		},
-		{
-			name:      "key no votes",
-			input:     []string{"nlpub:" + strings.Repeat("00", 32)},
-			parseKeys: true,
-			wantKeys:  []tka.Key{{Kind: tka.Key25519, Votes: 1, Public: bytes.Repeat([]byte{0}, 32)}},
-		},
-		{
-			name:      "key with votes",
-			input:     []string{"nlpub:" + strings.Repeat("01", 32) + "?5"},
-			parseKeys: true,
-			wantKeys:  []tka.Key{{Kind: tka.Key25519, Votes: 5, Public: bytes.Repeat([]byte{1}, 32)}},
-		},
-		{
-			name:              "disablements",
-			input:             []string{"disablement:" + strings.Repeat("02", 32), "disablement-secret:" + strings.Repeat("03", 32)},
-			parseDisablements: true,
-			wantDisablements:  [][]byte{bytes.Repeat([]byte{2}, 32), bytes.Repeat([]byte{3}, 32)},
-		},
-		{
-			name:      "disablements not allowed",
-			input:     []string{"disablement:" + strings.Repeat("02", 32)},
-			parseKeys: true,
-			wantErr:   fmt.Errorf("parsing key 1: key hex string doesn't have expected type prefix nlpub:"),
-		},
-		{
-			name:              "keys not allowed",
-			input:             []string{"nlpub:" + strings.Repeat("02", 32)},
-			parseDisablements: true,
-			wantErr:           fmt.Errorf("parsing argument 1: expected value with \"disablement:\" or \"disablement-secret:\" prefix, got %q", "nlpub:0202020202020202020202020202020202020202020202020202020202020202"),
-		},
-	}
-
-	for _, tc := range tcs {
-		t.Run(tc.name, func(t *testing.T) {
-			keys, disablements, err := parseNLArgs(tc.input, tc.parseKeys, tc.parseDisablements)
-			if !reflect.DeepEqual(err, tc.wantErr) {
-				t.Fatalf("parseNLArgs(%v).err = %v, want %v", tc.input, err, tc.wantErr)
-			}
-
-			if !reflect.DeepEqual(keys, tc.wantKeys) {
-				t.Errorf("keys = %v, want %v", keys, tc.wantKeys)
-			}
-			if !reflect.DeepEqual(disablements, tc.wantDisablements) {
-				t.Errorf("disablements = %v, want %v", disablements, tc.wantDisablements)
-			}
-		})
-	}
-}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -17,9 +17,7 @@ import (
 	"log"
 	"net"
 	"net/http"
-	"net/http/httputil"
 	"net/netip"
-	"net/url"
 	"os"
 	"runtime"
 	"strconv"
@@ -27,20 +25,14 @@ import (
 	"time"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/net/http/httpproxy"
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/net/tsaddr"
-	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/must"
-	"tailscale.com/util/strs"
 )

 var debugCmd = &ffcli.Command{
@@ -50,7 +42,7 @@ var debugCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("debug")
 		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
-		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-seconds seconds and write it to this file; - for stdout")
+		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-sec seconds and write it to this file; - for stdout")
 		fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
 		fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
 		return fs
@@ -61,16 +53,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDERPMap,
 			ShortHelp: "print DERP map",
 		},
-		{
-			Name:      "component-logs",
-			Exec:      runDebugComponentLogs,
-			ShortHelp: "enable/disable debug logs for a component",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("component-logs")
-				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
-				return fs
-			})(),
-		},
 		{
 			Name:      "daemon-goroutines",
 			Exec:      runDaemonGoroutines,
@@ -104,7 +86,7 @@ var debugCmd = &ffcli.Command{
 		{
 			Name:      "local-creds",
 			Exec:      runLocalCreds,
-			ShortHelp: "print how to access Tailscale LocalAPI",
+			ShortHelp: "print how to access Tailscale local API",
 		},
 		{
 			Name:      "restun",
@@ -133,7 +115,6 @@ var debugCmd = &ffcli.Command{
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("watch-ipn")
 				fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
-				fs.BoolVar(&watchIPNArgs.initial, "initial", false, "include initial status")
 				return fs
 			})(),
 		},
@@ -150,25 +131,9 @@ var debugCmd = &ffcli.Command{
 				fs := newFlagSet("ts2021")
 				fs.StringVar(&ts2021Args.host, "host", "controlplane.tailscale.com", "hostname of control plane")
 				fs.IntVar(&ts2021Args.version, "version", int(tailcfg.CurrentCapabilityVersion), "protocol version")
-				fs.BoolVar(&ts2021Args.verbose, "verbose", false, "be extra verbose")
 				return fs
 			})(),
 		},
-		{
-			Name:      "dev-store-set",
-			Exec:      runDevStoreSet,
-			ShortHelp: "set a key/value pair during development",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("store-set")
-				fs.BoolVar(&devStoreSetArgs.danger, "danger", false, "accept danger")
-				return fs
-			})(),
-		},
-		{
-			Name:      "derp",
-			Exec:      runDebugDERP,
-			ShortHelp: "test a DERP configuration",
-		},
 	},
 }

@@ -203,9 +168,9 @@ func runDebug(ctx context.Context, args []string) error {
 	}
 	var usedFlag bool
 	if out := debugArgs.cpuFile; out != "" {
-		usedFlag = true // TODO(bradfitz): add "pprof" subcommand
+		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing CPU profile for %v seconds ...", debugArgs.cpuSec)
-		if v, err := localClient.Pprof(ctx, "profile", debugArgs.cpuSec); err != nil {
+		if v, err := localClient.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -215,9 +180,9 @@ func runDebug(ctx context.Context, args []string) error {
 		}
 	}
 	if out := debugArgs.memFile; out != "" {
-		usedFlag = true // TODO(bradfitz): add "pprof" subcommand
+		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing memory profile ...")
-		if v, err := localClient.Pprof(ctx, "heap", 0); err != nil {
+		if v, err := localClient.Profile(ctx, "heap", 0); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -238,8 +203,9 @@ func runDebug(ctx context.Context, args []string) error {
 			e.Encode(wfs)
 			return nil
 		}
-		if name, ok := strs.CutPrefix(debugArgs.file, "delete:"); ok {
-			return localClient.DeleteWaitingFile(ctx, name)
+		delete := strings.HasPrefix(debugArgs.file, "delete:")
+		if delete {
+			return localClient.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
 		}
 		rc, size, err := localClient.GetWaitingFile(ctx, debugArgs.file)
 		if err != nil {
@@ -264,42 +230,13 @@ func runLocalCreds(ctx context.Context, args []string) error {
 		return nil
 	}
 	if runtime.GOOS == "windows" {
-		runLocalAPIProxy()
+		printf("curl http://localhost:%v/localapi/v0/status\n", safesocket.WindowsLocalPort)
 		return nil
 	}
-	printf("curl --unix-socket %s http://local-tailscaled.sock/localapi/v0/status\n", paths.DefaultTailscaledSocket())
+	printf("curl --unix-socket %s http://foo/localapi/v0/status\n", paths.DefaultTailscaledSocket())
 	return nil
 }

-type localClientRoundTripper struct{}
-
-func (localClientRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	return localClient.DoLocalRequest(req)
-}
-
-func runLocalAPIProxy() {
-	rp := httputil.NewSingleHostReverseProxy(&url.URL{
-		Scheme: "http",
-		Host:   apitype.LocalAPIHost,
-		Path:   "/",
-	})
-	dir := rp.Director
-	rp.Director = func(req *http.Request) {
-		dir(req)
-		req.Host = ""
-		req.RequestURI = ""
-	}
-	rp.Transport = localClientRoundTripper{}
-	lc, err := net.Listen("tcp", "localhost:0")
-	if err != nil {
-		log.Fatal(err)
-	}
-	fmt.Printf("Serving LocalAPI proxy on http://%s\n", lc.Addr())
-	fmt.Printf("curl.exe http://%v/localapi/v0/status\n", lc.Addr())
-	fmt.Printf("Ctrl+C to stop")
-	http.Serve(lc, rp)
-}
-
 var prefsArgs struct {
 	pretty bool
 }
@@ -319,32 +256,23 @@ func runPrefs(ctx context.Context, args []string) error {
 }

 var watchIPNArgs struct {
-	netmap  bool
-	initial bool
+	netmap bool
 }

 func runWatchIPN(ctx context.Context, args []string) error {
-	var mask ipn.NotifyWatchOpt
-	if watchIPNArgs.initial {
-		mask = ipn.NotifyInitialState | ipn.NotifyInitialPrefs | ipn.NotifyInitialNetMap
-	}
-	watcher, err := localClient.WatchIPNBus(ctx, mask)
-	if err != nil {
-		return err
-	}
-	defer watcher.Close()
-	printf("Connected.\n")
-	for {
-		n, err := watcher.Next()
-		if err != nil {
-			return err
-		}
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	bc.SetNotifyCallback(func(n ipn.Notify) {
 		if !watchIPNArgs.netmap {
 			n.NetMap = nil
 		}
 		j, _ := json.MarshalIndent(n, "", "\t")
 		printf("%s\n", j)
-	}
+	})
+	bc.RequestEngineStatus()
+	pump(ctx, bc, c)
+	return errors.New("exit")
 }

 func runDERPMap(ctx context.Context, args []string) error {
@@ -517,35 +445,19 @@ func runVia(ctx context.Context, args []string) error {
 var ts2021Args struct {
 	host    string // "controlplane.tailscale.com"
 	version int    // 27 or whatever
-	verbose bool
 }

 func runTS2021(ctx context.Context, args []string) error {
 	log.SetOutput(os.Stdout)
 	log.SetFlags(log.Ltime | log.Lmicroseconds)

-	keysURL := "https://" + ts2021Args.host + "/key?v=" + strconv.Itoa(ts2021Args.version)
-
-	if ts2021Args.verbose {
-		u, err := url.Parse(keysURL)
-		if err != nil {
-			return err
-		}
-		envConf := httpproxy.FromEnvironment()
-		if *envConf == (httpproxy.Config{}) {
-			log.Printf("HTTP proxy env: (none)")
-		} else {
-			log.Printf("HTTP proxy env: %+v", envConf)
-		}
-		proxy, err := tshttpproxy.ProxyFromEnvironment(&http.Request{URL: u})
-		log.Printf("tshttpproxy.ProxyFromEnvironment = (%v, %v)", proxy, err)
-	}
 	machinePrivate := key.NewMachine()
 	var dialer net.Dialer

 	var keys struct {
 		PublicKey key.MachinePublic
 	}
+	keysURL := "https://" + ts2021Args.host + "/key?v=" + strconv.Itoa(ts2021Args.version)
 	log.Printf("Fetching keys from %s ...", keysURL)
 	req, err := http.NewRequestWithContext(ctx, "GET", keysURL, nil)
 	if err != nil {
@@ -565,9 +477,6 @@ func runTS2021(ctx context.Context, args []string) error {
 		return fmt.Errorf("decoding /keys JSON: %w", err)
 	}
 	res.Body.Close()
-	if ts2021Args.verbose {
-		log.Printf("got public key: %v", keys.PublicKey)
-	}

 	dialFunc := func(ctx context.Context, network, address string) (net.Conn, error) {
 		log.Printf("Dial(%q, %q) ...", network, address)
@@ -579,10 +488,7 @@ func runTS2021(ctx context.Context, args []string) error {
 		}
 		return c, err
 	}
-	var logf logger.Logf
-	if ts2021Args.verbose {
-		logf = log.Printf
-	}
+
 	conn, err := (&controlhttp.Dialer{
 		Hostname:        ts2021Args.host,
 		HTTPPort:        "80",
@@ -591,7 +497,6 @@ func runTS2021(ctx context.Context, args []string) error {
 		ControlKey:      keys.PublicKey,
 		ProtocolVersion: uint16(ts2021Args.version),
 		Dialer:          dialFunc,
-		Logf:            logf,
 	}).Dial(ctx)
 	log.Printf("controlhttp.Dial = %p, %v", conn, err)
 	if err != nil {
@@ -608,60 +513,3 @@ func runTS2021(ctx context.Context, args []string) error {
 	log.Printf("final underlying conn: %v / %v", conn.LocalAddr(), conn.RemoteAddr())
 	return nil
 }
-
-var debugComponentLogsArgs struct {
-	forDur time.Duration
-}
-
-func runDebugComponentLogs(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("usage: debug component-logs <component>")
-	}
-	component := args[0]
-	dur := debugComponentLogsArgs.forDur
-
-	err := localClient.SetComponentDebugLogging(ctx, component, dur)
-	if err != nil {
-		return err
-	}
-	if debugComponentLogsArgs.forDur <= 0 {
-		fmt.Printf("Disabled debug logs for component %q\n", component)
-	} else {
-		fmt.Printf("Enabled debug logs for component %q for %v\n", component, dur)
-	}
-	return nil
-}
-
-var devStoreSetArgs struct {
-	danger bool
-}
-
-func runDevStoreSet(ctx context.Context, args []string) error {
-	if len(args) != 2 {
-		return errors.New("usage: dev-store-set --danger <key> <value>")
-	}
-	if !devStoreSetArgs.danger {
-		return errors.New("this command is dangerous; use --danger to proceed")
-	}
-	key, val := args[0], args[1]
-	if val == "-" {
-		valb, err := io.ReadAll(os.Stdin)
-		if err != nil {
-			return err
-		}
-		val = string(valb)
-	}
-	return localClient.SetDevStoreKeyValue(ctx, key, val)
-}
-
-func runDebugDERP(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("usage: debug derp <region>")
-	}
-	st, err := localClient.DebugDERPRegion(ctx, args[0])
-	if err != nil {
-		return err
-	}
-	fmt.Printf("%s\n", must.Get(json.MarshalIndent(st, "", " ")))
-	return nil
-}
--- a/cmd/tailscale/cli/diag.go
+++ b/cmd/tailscale/cli/diag.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build linux || windows || darwin
+// +build linux windows darwin

 package cli

--- a/cmd/tailscale/cli/diag_other.go
+++ b/cmd/tailscale/cli/diag_other.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build !linux && !windows && !darwin
+// +build !linux,!windows,!darwin

 package cli

--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -26,10 +26,9 @@ import (
 	"golang.org/x/time/rate"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
+	"tailscale.com/ipn"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/quarantine"
-	"tailscale.com/util/strs"
 	"tailscale.com/version"
 )

@@ -77,10 +76,10 @@ func runCp(ctx context.Context, args []string) error {
 		return errors.New("usage: tailscale file cp <files...> <target>:")
 	}
 	files, target := args[:len(args)-1], args[len(args)-1]
-	target, ok := strs.CutSuffix(target, ":")
-	if !ok {
+	if !strings.HasSuffix(target, ":") {
 		return fmt.Errorf("final argument to 'tailscale file cp' must end in colon")
 	}
+	target = strings.TrimSuffix(target, ":")
 	hadBrackets := false
 	if strings.HasPrefix(target, "[") && strings.HasSuffix(target, "]") {
 		hadBrackets = true
@@ -394,10 +393,6 @@ func receiveFile(ctx context.Context, wf apitype.WaitingFile, dir string) (targe
 	if err != nil {
 		return "", 0, err
 	}
-	// Apply quarantine attribute before copying
-	if err := quarantine.SetOnFile(f); err != nil {
-		return "", 0, fmt.Errorf("failed to apply quarantine attribute to file %v: %v", f.Name(), err)
-	}
 	_, err = io.Copy(f, rc)
 	if err != nil {
 		f.Close()
@@ -528,16 +523,30 @@ func wipeInbox(ctx context.Context) error {
 }

 func waitForFile(ctx context.Context) error {
-	for {
-		ff, err := localClient.AwaitWaitingFiles(ctx, time.Hour)
-		if len(ff) > 0 {
-			return nil
+	c, bc, pumpCtx, cancel := connect(ctx)
+	defer cancel()
+	fileWaiting := make(chan bool, 1)
+	notifyError := make(chan error, 1)
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			notifyError <- fmt.Errorf("Notify.ErrMessage: %v", *n.ErrMessage)
 		}
-		if err := ctx.Err(); err != nil {
-			return err
-		}
-		if err != nil && !errors.Is(err, context.DeadlineExceeded) && !errors.Is(err, context.Canceled) {
-			return err
+		if n.FilesWaiting != nil {
+			select {
+			case fileWaiting <- true:
+			default:
+			}
 		}
+	})
+	go pump(pumpCtx, bc, c)
+	select {
+	case <-fileWaiting:
+		return nil
+	case <-pumpCtx.Done():
+		return pumpCtx.Err()
+	case <-ctx.Done():
+		return ctx.Err()
+	case err := <-notifyError:
+		return err
 	}
 }
--- a/cmd/tailscale/cli/login.go
+++ b/cmd/tailscale/cli/login.go
@@ -1,32 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"flag"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-)
-
-var loginArgs upArgsT
-
-var loginCmd = &ffcli.Command{
-	Name:       "login",
-	ShortUsage: "[ALPHA] login [flags]",
-	ShortHelp:  "Log in to a Tailscale account",
-	LongHelp: `"tailscale login" logs this machine in to your Tailscale network.
-This command is currently in alpha and may change in the future.`,
-	UsageFunc: usageFunc,
-	FlagSet: func() *flag.FlagSet {
-		return newUpFlagSet(effectiveGOOS(), &loginArgs, "login")
-	}(),
-	Exec: func(ctx context.Context, args []string) error {
-		if err := localClient.SwitchToEmptyProfile(ctx); err != nil {
-			return err
-		}
-		return runUp(ctx, "login", args, loginArgs)
-	},
-}
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -6,82 +6,29 @@ package cli

 import (
 	"context"
-	"crypto/rand"
-	"encoding/hex"
-	"encoding/json"
 	"errors"
-	"flag"
 	"fmt"
-	"os"
 	"strconv"
 	"strings"

-	"github.com/mattn/go-colorable"
-	"github.com/mattn/go-isatty"
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
 )

 var netlockCmd = &ffcli.Command{
-	Name:       "lock",
-	ShortUsage: "lock <sub-command> <arguments>",
-	ShortHelp:  "Manage tailnet lock",
-	LongHelp:  "Manage tailnet lock",
-	Subcommands: []*ffcli.Command{
-		nlInitCmd,
-		nlStatusCmd,
-		nlAddCmd,
-		nlRemoveCmd,
-		nlSignCmd,
-		nlDisableCmd,
-		nlDisablementKDFCmd,
-		nlLogCmd,
-		nlLocalDisableCmd,
-	},
-	Exec: runNetworkLockStatus,
-}
-
-var nlInitArgs struct {
-	numDisablements       int
-	disablementForSupport bool
-	confirm               bool
+	Name:        "lock",
+	ShortUsage:  "lock <sub-command> <arguments>",
+	ShortHelp:   "Manipulate the tailnet key authority",
+	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
+	Exec:        runNetworkLockStatus,
 }

 var nlInitCmd = &ffcli.Command{
 	Name:       "init",
-	ShortUsage: "init [--gen-disablement-for-support] --gen-disablements N <trusted-key>...",
-	ShortHelp:  "Initialize tailnet lock",
-	LongHelp: strings.TrimSpace(`
-
-The 'tailscale lock init' command initializes tailnet lock for the
-entire tailnet. The tailnet lock keys specified are those initially
-trusted to sign nodes or to make further changes to tailnet lock.
-
-You can identify the tailnet lock key for a node you wish to trust by
-running 'tailscale lock' on that node, and copying the node's tailnet
-lock key.
-
-To disable tailnet lock, use the 'tailscale lock disable' command
-along with one of the disablement secrets.
-The number of disablement secrets to be generated is specified using the
--gen-disablements flag. Initializing tailnet lock requires at least
-one disablement.
-
-If --gen-disablement-for-support is specified, an additional disablement secret
-will be generated and transmitted to Tailscale, which support can use to disable
-tailnet lock. We recommend setting this flag.
-
-`),
-	Exec: runNetworkLockInit,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("lock init")
-		fs.IntVar(&nlInitArgs.numDisablements, "gen-disablements", 1, "number of disablement secrets to generate")
-		fs.BoolVar(&nlInitArgs.disablementForSupport, "gen-disablement-for-support", false, "generates and transmits a disablement secret for Tailscale support")
-		fs.BoolVar(&nlInitArgs.confirm, "confirm", false, "do not prompt for confirmation")
-		return fs
-	})(),
+	ShortUsage: "init <public-key>...",
+	ShortHelp:  "Initialize the tailnet key authority",
+	Exec:       runNetworkLockInit,
 }

 func runNetworkLockInit(ctx context.Context, args []string) error {
@@ -90,64 +37,41 @@ func runNetworkLockInit(ctx context.Context, args []string) error {
 		return fixTailscaledConnectError(err)
 	}
 	if st.Enabled {
-		return errors.New("tailnet lock is already enabled")
+		return errors.New("network-lock is already enabled")
 	}

-	// Parse initially-trusted keys & disablement values.
-	keys, disablementValues, err := parseNLArgs(args, true, true)
+	// Parse the set of initially-trusted keys.
+	// Keys are specified using their key.NLPublic.MarshalText representation,
+	// with an optional '?<votes>' suffix.
+	var keys []tka.Key
+	for i, a := range args {
+		var key key.NLPublic
+		spl := strings.SplitN(a, "?", 2)
+		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
+			return fmt.Errorf("parsing key %d: %v", i+1, err)
+		}
+
+		k := tka.Key{
+			Kind:   tka.Key25519,
+			Public: key.Verifier(),
+			Votes:  1,
+		}
+		if len(spl) > 1 {
+			votes, err := strconv.Atoi(spl[1])
+			if err != nil {
+				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
+			}
+			k.Votes = uint(votes)
+		}
+		keys = append(keys, k)
+	}
+
+	status, err := localClient.NetworkLockInit(ctx, keys)
 	if err != nil {
 		return err
 	}

-	fmt.Println("You are initializing tailnet lock with the following trusted signing keys:")
-	for _, k := range keys {
-		fmt.Printf(" - tlpub:%x (%s key)\n", k.Public, k.Kind.String())
-	}
-	fmt.Println()
-
-	if !nlInitArgs.confirm {
-		fmt.Printf("%d disablement secrets will be generated.\n", nlInitArgs.numDisablements)
-		if nlInitArgs.disablementForSupport {
-			fmt.Println("A disablement secret will be generated and transmitted to Tailscale support.")
-		}
-
-		genSupportFlag := ""
-		if nlInitArgs.disablementForSupport {
-			genSupportFlag = "--gen-disablement-for-support "
-		}
-		fmt.Println("\nIf this is correct, please re-run this command with the --confirm flag:")
-		fmt.Printf("\t%s lock init --confirm --gen-disablements %d %s%s", os.Args[0], nlInitArgs.numDisablements, genSupportFlag, strings.Join(args, " "))
-		fmt.Println()
-		return nil
-	}
-
-	fmt.Printf("%d disablement secrets have been generated and are printed below. Take note of them now, they WILL NOT be shown again.\n", nlInitArgs.numDisablements)
-	for i := 0; i < nlInitArgs.numDisablements; i++ {
-		var secret [32]byte
-		if _, err := rand.Read(secret[:]); err != nil {
-			return err
-		}
-		fmt.Printf("\tdisablement-secret:%X\n", secret[:])
-		disablementValues = append(disablementValues, tka.DisablementKDF(secret[:]))
-	}
-
-	var supportDisablement []byte
-	if nlInitArgs.disablementForSupport {
-		supportDisablement = make([]byte, 32)
-		if _, err := rand.Read(supportDisablement); err != nil {
-			return err
-		}
-		disablementValues = append(disablementValues, tka.DisablementKDF(supportDisablement))
-		fmt.Println("A disablement secret for Tailscale support has been generated and will be transmitted to Tailscale upon initialization.")
-	}
-
-	// The state returned by NetworkLockInit likely doesn't contain the initialized state,
-	// because that has to tick through from netmaps.
-	if _, err := localClient.NetworkLockInit(ctx, keys, disablementValues, supportDisablement); err != nil {
-		return err
-	}
-
-	fmt.Println("Initialization complete.")
+	fmt.Printf("Status: %+v\n\n", status)
 	return nil
 }

@@ -155,7 +79,6 @@ var nlStatusCmd = &ffcli.Command{
 	Name:       "status",
 	ShortUsage: "status",
 	ShortHelp:  "Outputs the state of network lock",
-	LongHelp:  "Outputs the state of network lock",
 	Exec:       runNetworkLockStatus,
 }

@@ -165,354 +88,14 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 		return fixTailscaledConnectError(err)
 	}
 	if st.Enabled {
-		fmt.Println("Tailnet lock is ENABLED.")
+		fmt.Println("Network-lock is ENABLED.")
 	} else {
-		fmt.Println("Tailnet lock is NOT enabled.")
+		fmt.Println("Network-lock is NOT enabled.")
 	}
-	fmt.Println()
-
-	if st.Enabled && st.NodeKey != nil && !st.PublicKey.IsZero() {
-		if st.NodeKeySigned {
-			fmt.Println("This node is accessible under tailnet lock.")
-		} else {
-			fmt.Println("This node is LOCKED OUT by tailnet-lock, and action is required to establish connectivity.")
-			fmt.Printf("Run the following command on a node with a trusted key:\n\ttailscale lock sign %v %s\n", st.NodeKey, st.PublicKey.CLIString())
-		}
-		fmt.Println()
-	}
-
-	if !st.PublicKey.IsZero() {
-		fmt.Printf("This node's tailnet-lock key: %s\n", st.PublicKey.CLIString())
-		fmt.Println()
-	}
-
-	if st.Enabled && len(st.TrustedKeys) > 0 {
-		fmt.Println("Trusted signing keys:")
-		for _, k := range st.TrustedKeys {
-			var line strings.Builder
-			line.WriteString("\t")
-			line.WriteString(k.Key.CLIString())
-			line.WriteString("\t")
-			line.WriteString(fmt.Sprint(k.Votes))
-			line.WriteString("\t")
-			if k.Key == st.PublicKey {
-				line.WriteString("(us)")
-			}
-			fmt.Println(line.String())
-		}
-	}
-
-	if st.Enabled && len(st.FilteredPeers) > 0 {
-		fmt.Println()
-		fmt.Println("The following nodes are locked out by tailnet lock and cannot connect to other nodes:")
-		for _, p := range st.FilteredPeers {
-			var line strings.Builder
-			line.WriteString("\t")
-			line.WriteString(p.Name)
-			line.WriteString("\t")
-			for i, addr := range p.TailscaleIPs {
-				line.WriteString(addr.String())
-				if i < len(p.TailscaleIPs)-1 {
-					line.WriteString(", ")
-				}
-			}
-			line.WriteString("\t")
-			line.WriteString(string(p.StableID))
-			fmt.Println(line.String())
-		}
-	}
-
-	return nil
-}
-
-var nlAddCmd = &ffcli.Command{
-	Name:       "add",
-	ShortUsage: "add <public-key>...",
-	ShortHelp:  "Adds one or more trusted signing keys to tailnet lock",
-	LongHelp:  "Adds one or more trusted signing keys to tailnet lock",
-	Exec: func(ctx context.Context, args []string) error {
-		return runNetworkLockModify(ctx, args, nil)
-	},
-}
-
-var nlRemoveCmd = &ffcli.Command{
-	Name:       "remove",
-	ShortUsage: "remove <public-key>...",
-	ShortHelp:  "Removes one or more trusted signing keys from tailnet lock",
-	LongHelp:  "Removes one or more trusted signing keys from tailnet lock",
-	Exec: func(ctx context.Context, args []string) error {
-		return runNetworkLockModify(ctx, nil, args)
-	},
-}
-
-// parseNLArgs parses a slice of strings into slices of tka.Key & disablement
-// values/secrets.
-// The keys encoded in args should be specified using their key.NLPublic.MarshalText
-// representation with an optional '?<votes>' suffix.
-// Disablement values or secrets must be encoded in hex with a prefix of 'disablement:' or
-// 'disablement-secret:'.
-//
-// If any element could not be parsed,
-// a nil slice is returned along with an appropriate error.
-func parseNLArgs(args []string, parseKeys, parseDisablements bool) (keys []tka.Key, disablements [][]byte, err error) {
-	for i, a := range args {
-		if parseDisablements && (strings.HasPrefix(a, "disablement:") || strings.HasPrefix(a, "disablement-secret:")) {
-			b, err := hex.DecodeString(a[strings.Index(a, ":")+1:])
-			if err != nil {
-				return nil, nil, fmt.Errorf("parsing disablement %d: %v", i+1, err)
-			}
-			disablements = append(disablements, b)
-			continue
-		}
-
-		if !parseKeys {
-			return nil, nil, fmt.Errorf("parsing argument %d: expected value with \"disablement:\" or \"disablement-secret:\" prefix, got %q", i+1, a)
-		}
-
-		var nlpk key.NLPublic
-		spl := strings.SplitN(a, "?", 2)
-		if err := nlpk.UnmarshalText([]byte(spl[0])); err != nil {
-			return nil, nil, fmt.Errorf("parsing key %d: %v", i+1, err)
-		}
-
-		k := tka.Key{
-			Kind:   tka.Key25519,
-			Public: nlpk.Verifier(),
-			Votes:  1,
-		}
-		if len(spl) > 1 {
-			votes, err := strconv.Atoi(spl[1])
-			if err != nil {
-				return nil, nil, fmt.Errorf("parsing key %d votes: %v", i+1, err)
-			}
-			k.Votes = uint(votes)
-		}
-		keys = append(keys, k)
-	}
-	return keys, disablements, nil
-}
-
-func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) error {
-	st, err := localClient.NetworkLockStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	if !st.Enabled {
-		return errors.New("tailnet lock is not enabled")
-	}
-
-	addKeys, _, err := parseNLArgs(addArgs, true, false)
-	if err != nil {
-		return err
-	}
-	removeKeys, _, err := parseNLArgs(removeArgs, true, false)
-	if err != nil {
-		return err
-	}
-
-	status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
-	if err != nil {
-		return err
-	}
-
-	fmt.Printf("Status: %+v\n\n", status)
-	return nil
-}
-
-var nlSignCmd = &ffcli.Command{
-	Name:       "sign",
-	ShortUsage: "sign <node-key> [<rotation-key>]",
-	ShortHelp:  "Signs a node key and transmits the signature to the coordination server",
-	LongHelp:  "Signs a node key and transmits the signature to the coordination server",
-	Exec:       runNetworkLockSign,
-}
-
-func runNetworkLockSign(ctx context.Context, args []string) error {
-	var (
-		nodeKey     key.NodePublic
-		rotationKey key.NLPublic
-	)
-
-	if len(args) == 0 || len(args) > 2 {
-		return errors.New("usage: lock sign <node-key> [<rotation-key>]")
-	}
-	if err := nodeKey.UnmarshalText([]byte(args[0])); err != nil {
-		return fmt.Errorf("decoding node-key: %w", err)
-	}
-	if len(args) > 1 {
-		if err := rotationKey.UnmarshalText([]byte(args[1])); err != nil {
-			return fmt.Errorf("decoding rotation-key: %w", err)
-		}
-	}
-
-	return localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
-}
-
-var nlDisableCmd = &ffcli.Command{
-	Name:       "disable",
-	ShortUsage: "disable <disablement-secret>",
-	ShortHelp:  "Consumes a disablement secret to shut down tailnet lock for the tailnet",
-	LongHelp: strings.TrimSpace(`
-
-The 'tailscale lock disable' command uses the specified disablement
-secret to disable tailnet lock.
-
-If tailnet lock is re-enabled, new disablement secrets can be generated.
-
-Once this secret is used, it has been distributed
-to all nodes in the tailnet and should be considered public.
-
-`),
-	Exec:       runNetworkLockDisable,
-}
-
-func runNetworkLockDisable(ctx context.Context, args []string) error {
-	_, secrets, err := parseNLArgs(args, false, true)
-	if err != nil {
-		return err
-	}
-	if len(secrets) != 1 {
-		return errors.New("usage: lock disable <disablement-secret>")
-	}
-	return localClient.NetworkLockDisable(ctx, secrets[0])
-}
-
-var nlLocalDisableCmd = &ffcli.Command{
-	Name:       "local-disable",
-	ShortUsage: "local-disable",
-	ShortHelp:  "Disables tailnet lock for this node only",
-	LongHelp: strings.TrimSpace(`
-
-The 'tailscale lock local-disable' command disables tailnet lock for only
-the current node.
-
-If the current node is locked out, this does not mean that it can initiate
-connections in a tailnet with tailnet lock enabled. Rather, this means
-that the current node will accept traffic from other nodes in the tailnet
-that are locked out.
-
-`),
-	Exec:       runNetworkLockLocalDisable,
-}
-
-func runNetworkLockLocalDisable(ctx context.Context, args []string) error {
-	return localClient.NetworkLockForceLocalDisable(ctx)
-}
-
-var nlDisablementKDFCmd = &ffcli.Command{
-	Name:       "disablement-kdf",
-	ShortUsage: "disablement-kdf <hex-encoded-disablement-secret>",
-	ShortHelp:  "Computes a disablement value from a disablement secret (advanced users only)",
-	LongHelp:  "Computes a disablement value from a disablement secret (advanced users only)",
-	Exec:       runNetworkLockDisablementKDF,
-}
-
-func runNetworkLockDisablementKDF(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("usage: lock disablement-kdf <hex-encoded-disablement-secret>")
-	}
-	secret, err := hex.DecodeString(args[0])
-	if err != nil {
-		return err
-	}
-	fmt.Printf("disablement:%x\n", tka.DisablementKDF(secret))
-	return nil
-}
-
-var nlLogArgs struct {
-	limit int
-}
-
-var nlLogCmd = &ffcli.Command{
-	Name:       "log",
-	ShortUsage: "log [--limit N]",
-	ShortHelp:  "List changes applied to tailnet lock",
-	LongHelp:  "List changes applied to tailnet lock",
-	Exec:       runNetworkLockLog,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("lock log")
-		fs.IntVar(&nlLogArgs.limit, "limit", 50, "max number of updates to list")
-		return fs
-	})(),
-}
-
-func nlDescribeUpdate(update ipnstate.NetworkLockUpdate, color bool) (string, error) {
-	terminalYellow := ""
-	terminalClear := ""
-	if color {
-		terminalYellow = "\x1b[33m"
-		terminalClear = "\x1b[0m"
-	}
-
-	var stanza strings.Builder
-	printKey := func(key *tka.Key, prefix string) {
-		fmt.Fprintf(&stanza, "%sType: %s\n", prefix, key.Kind.String())
-		fmt.Fprintf(&stanza, "%sKeyID: %x\n", prefix, key.ID())
-		fmt.Fprintf(&stanza, "%sVotes: %d\n", prefix, key.Votes)
-		if key.Meta != nil {
-			fmt.Fprintf(&stanza, "%sMetadata: %+v\n", prefix, key.Meta)
-		}
-	}
-
-	var aum tka.AUM
-	if err := aum.Unserialize(update.Raw); err != nil {
-		return "", fmt.Errorf("decoding: %w", err)
-	}
-
-	fmt.Fprintf(&stanza, "%supdate %x (%s)%s\n", terminalYellow, update.Hash, update.Change, terminalClear)
-
-	switch update.Change {
-	case tka.AUMAddKey.String():
-		printKey(aum.Key, "")
-	case tka.AUMRemoveKey.String():
-		fmt.Fprintf(&stanza, "KeyID: %x\n", aum.KeyID)
-
-	case tka.AUMUpdateKey.String():
-		fmt.Fprintf(&stanza, "KeyID: %x\n", aum.KeyID)
-		if aum.Votes != nil {
-			fmt.Fprintf(&stanza, "Votes: %d\n", aum.Votes)
-		}
-		if aum.Meta != nil {
-			fmt.Fprintf(&stanza, "Metadata: %+v\n", aum.Meta)
-		}
-
-	case tka.AUMCheckpoint.String():
-		fmt.Fprintln(&stanza, "Disablement values:")
-		for _, v := range aum.State.DisablementSecrets {
-			fmt.Fprintf(&stanza, " - %x\n", v)
-		}
-		fmt.Fprintln(&stanza, "Keys:")
-		for _, k := range aum.State.Keys {
-			printKey(&k, "  ")
-		}
-
-	default:
-		// Print a JSON encoding of the AUM as a fallback.
-		e := json.NewEncoder(&stanza)
-		e.SetIndent("", "\t")
-		if err := e.Encode(aum); err != nil {
-			return "", err
-		}
-		stanza.WriteRune('\n')
-	}
-
-	return stanza.String(), nil
-}
-
-func runNetworkLockLog(ctx context.Context, args []string) error {
-	updates, err := localClient.NetworkLockLog(ctx, nlLogArgs.limit)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	useColor := isatty.IsTerminal(os.Stdout.Fd())
-
-	stdOut := colorable.NewColorableStdout()
-	for _, update := range updates {
-		stanza, err := nlDescribeUpdate(update, useColor)
-		if err != nil {
-			return err
-		}
-		fmt.Fprintln(stdOut, stanza)
+	p, err := st.PublicKey.MarshalText()
+	if err != nil {
+		return err
 	}
+	fmt.Printf("our public-key: %s\n", p)
 	return nil
 }
--- a/cmd/tailscale/cli/risks.go
+++ b/cmd/tailscale/cli/risks.go
@@ -18,7 +18,6 @@ import (
 var (
 	riskTypes   []string
 	riskLoseSSH = registerRiskType("lose-ssh")
-	riskAll     = registerRiskType("all")
 )

 func registerRiskType(riskType string) string {
@@ -36,7 +35,7 @@ func registerAcceptRiskFlag(f *flag.FlagSet, acceptedRisks *string) {
 // risks in acceptedRisks.
 func isRiskAccepted(riskType, acceptedRisks string) bool {
 	for _, r := range strings.Split(acceptedRisks, ",") {
-		if r == riskType || r == riskAll {
+		if r == riskType {
 			return true
 		}
 	}
--- a/cmd/tailscale/cli/serve.go
+++ b/cmd/tailscale/cli/serve.go
@@ -1,730 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"flag"
-	"fmt"
-	"io"
-	"net"
-	"net/url"
-	"os"
-	"path"
-	"path/filepath"
-	"reflect"
-	"sort"
-	"strconv"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/exp/slices"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/mak"
-	"tailscale.com/version"
-)
-
-var serveCmd = newServeCommand(&serveEnv{})
-
-// newServeCommand returns a new "serve" subcommand using e as its environmment.
-func newServeCommand(e *serveEnv) *ffcli.Command {
-	return &ffcli.Command{
-		Name:      "serve",
-		ShortHelp: "[ALPHA] Serve from your Tailscale node",
-		ShortUsage: strings.TrimSpace(`
-  serve [flags] <mount-point> {proxy|path|text} <arg>
-  serve [flags] <sub-command> [sub-flags] <args>`),
-		LongHelp: strings.TrimSpace(`
-*** ALPHA; all of this is subject to change ***
-
-The 'tailscale serve' set of commands allows you to serve
-content and local servers from your Tailscale node to
-your tailnet. 
-
-You can also choose to enable the Tailscale Funnel with:
-'tailscale serve funnel on'. Funnel allows you to publish
-a 'tailscale serve' server publicly, open to the entire
-internet. See https://tailscale.com/funnel.
-
-EXAMPLES
-  - To proxy requests to a web server at 127.0.0.1:3000:
-    $ tailscale serve / proxy 3000
-
-  - To serve a single file or a directory of files:
-    $ tailscale serve / path /home/alice/blog/index.html
-    $ tailscale serve /images/ path /home/alice/blog/images
-
-  - To serve simple static text:
-    $ tailscale serve / text "Hello, world!"
-`),
-		Exec: e.runServe,
-		FlagSet: e.newFlags("serve", func(fs *flag.FlagSet) {
-			fs.BoolVar(&e.remove, "remove", false, "remove an existing serve config")
-			fs.UintVar(&e.servePort, "serve-port", 443, "port to serve on (443, 8443 or 10000)")
-		}),
-		UsageFunc: usageFunc,
-		Subcommands: []*ffcli.Command{
-			{
-				Name:      "status",
-				Exec:      e.runServeStatus,
-				ShortHelp: "show current serve status",
-				FlagSet: e.newFlags("serve-status", func(fs *flag.FlagSet) {
-					fs.BoolVar(&e.json, "json", false, "output JSON")
-				}),
-				UsageFunc: usageFunc,
-			},
-			{
-				Name:      "tcp",
-				Exec:      e.runServeTCP,
-				ShortHelp: "add or remove a TCP port forward",
-				LongHelp: strings.Join([]string{
-					"EXAMPLES",
-					"  - Forward TLS over TCP to a local TCP server on port 5432:",
-					"    $ tailscale serve tcp 5432",
-					"",
-					"  - Forward raw, TLS-terminated TCP packets to a local TCP server on port 5432:",
-					"    $ tailscale serve --terminate-tls tcp 5432",
-				}, "\n"),
-				FlagSet: e.newFlags("serve-tcp", func(fs *flag.FlagSet) {
-					fs.BoolVar(&e.terminateTLS, "terminate-tls", false, "terminate TLS before forwarding TCP connection")
-				}),
-				UsageFunc: usageFunc,
-			},
-			{
-				Name:       "funnel",
-				Exec:       e.runServeFunnel,
-				ShortUsage: "funnel [flags] {on|off}",
-				ShortHelp:  "turn Tailscale Funnel on or off",
-				LongHelp: strings.Join([]string{
-					"Funnel allows you to publish a 'tailscale serve'",
-					"server publicly, open to the entire internet.",
-					"",
-					"Turning off Funnel only turns off serving to the internet.",
-					"It does not affect serving to your tailnet.",
-				}, "\n"),
-				UsageFunc: usageFunc,
-			},
-		},
-	}
-}
-
-func (e *serveEnv) newFlags(name string, setup func(fs *flag.FlagSet)) *flag.FlagSet {
-	onError, out := flag.ExitOnError, Stderr
-	if e.testFlagOut != nil {
-		onError, out = flag.ContinueOnError, e.testFlagOut
-	}
-	fs := flag.NewFlagSet(name, onError)
-	fs.SetOutput(out)
-	if setup != nil {
-		setup(fs)
-	}
-	return fs
-}
-
-// serveEnv is the environment the serve command runs within. All I/O should be
-// done via serveEnv methods so that it can be faked out for tests.
-//
-// It also contains the flags, as registered with newServeCommand.
-type serveEnv struct {
-	// flags
-	servePort    uint // Port to serve on. Defaults to 443.
-	terminateTLS bool
-	remove       bool // remove a serve config
-	json         bool // output JSON (status only for now)
-
-	// optional stuff for tests:
-	testFlagOut              io.Writer
-	testGetServeConfig       func(context.Context) (*ipn.ServeConfig, error)
-	testSetServeConfig       func(context.Context, *ipn.ServeConfig) error
-	testGetLocalClientStatus func(context.Context) (*ipnstate.Status, error)
-	testStdout               io.Writer
-}
-
-// getSelfDNSName returns the DNS name of the current node.
-// The trailing dot is removed.
-// Returns an error if local client status fails.
-func (e *serveEnv) getSelfDNSName(ctx context.Context) (string, error) {
-	st, err := e.getLocalClientStatus(ctx)
-	if err != nil {
-		return "", fmt.Errorf("getting client status: %w", err)
-	}
-	return strings.TrimSuffix(st.Self.DNSName, "."), nil
-}
-
-// getLocalClientStatus calls LocalClient.Status, checks if
-// Status is ready.
-// Returns error if unable to reach tailscaled or if self node is nil.
-// Exits if status is not running or starting.
-func (e *serveEnv) getLocalClientStatus(ctx context.Context) (*ipnstate.Status, error) {
-	if e.testGetLocalClientStatus != nil {
-		return e.testGetLocalClientStatus(ctx)
-	}
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return nil, fixTailscaledConnectError(err)
-	}
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		fmt.Fprintf(os.Stderr, "%s\n", description)
-		os.Exit(1)
-	}
-	if st.Self == nil {
-		return nil, errors.New("no self node")
-	}
-	return st, nil
-}
-
-func (e *serveEnv) getServeConfig(ctx context.Context) (*ipn.ServeConfig, error) {
-	if e.testGetServeConfig != nil {
-		return e.testGetServeConfig(ctx)
-	}
-	return localClient.GetServeConfig(ctx)
-}
-
-func (e *serveEnv) setServeConfig(ctx context.Context, c *ipn.ServeConfig) error {
-	if e.testSetServeConfig != nil {
-		return e.testSetServeConfig(ctx, c)
-	}
-	return localClient.SetServeConfig(ctx, c)
-}
-
-// validateServePort returns --serve-port flag value,
-// or an error if the port is not a valid port to serve on.
-func (e *serveEnv) validateServePort() (port uint16, err error) {
-	// make sure e.servePort is uint16
-	port = uint16(e.servePort)
-	if uint(port) != e.servePort {
-		return 0, fmt.Errorf("serve-port %d is out of range", e.servePort)
-	}
-	// make sure e.servePort is 443, 8443 or 10000
-	if port != 443 && port != 8443 && port != 10000 {
-		return 0, fmt.Errorf("serve-port %d is invalid; must be 443, 8443 or 10000", e.servePort)
-	}
-	return port, nil
-}
-
-// runServe is the entry point for the "serve" subcommand, managing Web
-// serve config types like proxy, path, and text.
-//
-// Examples:
-// - tailscale serve / proxy 3000
-// - tailscale serve /images/ path /var/www/images/
-// - tailscale --serve-port=10000 serve /motd.txt text "Hello, world!"
-func (e *serveEnv) runServe(ctx context.Context, args []string) error {
-	if len(args) == 0 {
-		return flag.ErrHelp
-	}
-
-	// Undocumented debug command (not using ffcli subcommands) to set raw
-	// configs from stdin for now (2022-11-13).
-	if len(args) == 1 && args[0] == "set-raw" {
-		valb, err := io.ReadAll(os.Stdin)
-		if err != nil {
-			return err
-		}
-		sc := new(ipn.ServeConfig)
-		if err := json.Unmarshal(valb, sc); err != nil {
-			return fmt.Errorf("invalid JSON: %w", err)
-		}
-		return localClient.SetServeConfig(ctx, sc)
-	}
-
-	if !(len(args) == 3 || (e.remove && len(args) >= 1)) {
-		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
-		return flag.ErrHelp
-	}
-
-	srvPort, err := e.validateServePort()
-	if err != nil {
-		return err
-	}
-	srvPortStr := strconv.Itoa(int(srvPort))
-
-	mount, err := cleanMountPoint(args[0])
-	if err != nil {
-		return err
-	}
-
-	if e.remove {
-		return e.handleWebServeRemove(ctx, mount)
-	}
-
-	h := new(ipn.HTTPHandler)
-
-	switch args[1] {
-	case "path":
-		if version.IsSandboxedMacOS() {
-			// don't allow path serving for now on macOS (2022-11-15)
-			return fmt.Errorf("path serving is not supported if sandboxed on macOS")
-		}
-		if !filepath.IsAbs(args[2]) {
-			fmt.Fprintf(os.Stderr, "error: path must be absolute\n\n")
-			return flag.ErrHelp
-		}
-		fi, err := os.Stat(args[2])
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: invalid path: %v\n\n", err)
-			return flag.ErrHelp
-		}
-		if fi.IsDir() && !strings.HasSuffix(mount, "/") {
-			// dir mount points must end in /
-			// for relative file links to work
-			mount += "/"
-		}
-		h.Path = args[2]
-	case "proxy":
-		t, err := expandProxyTarget(args[2])
-		if err != nil {
-			return err
-		}
-		h.Proxy = t
-	case "text":
-		if args[2] == "" {
-			return errors.New("unable to serve; text cannot be an empty string")
-		}
-		h.Text = args[2]
-	default:
-		fmt.Fprintf(os.Stderr, "error: unknown serve type %q\n\n", args[1])
-		return flag.ErrHelp
-	}
-
-	cursc, err := e.getServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	sc := cursc.Clone() // nil if no config
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-	dnsName, err := e.getSelfDNSName(ctx)
-	if err != nil {
-		return err
-	}
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, srvPortStr))
-
-	if sc.IsTCPForwardingOnPort(srvPort) {
-		fmt.Fprintf(os.Stderr, "error: cannot serve web; already serving TCP\n")
-		return flag.ErrHelp
-	}
-
-	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: true})
-
-	if _, ok := sc.Web[hp]; !ok {
-		mak.Set(&sc.Web, hp, new(ipn.WebServerConfig))
-	}
-	mak.Set(&sc.Web[hp].Handlers, mount, h)
-
-	for k, v := range sc.Web[hp].Handlers {
-		if v == h {
-			continue
-		}
-		// If the new mount point ends in / and another mount point
-		// shares the same prefix, remove the other handler.
-		// (e.g. /foo/ overwrites /foo)
-		// The opposite example is also handled.
-		m1 := strings.TrimSuffix(mount, "/")
-		m2 := strings.TrimSuffix(k, "/")
-		if m1 == m2 {
-			delete(sc.Web[hp].Handlers, k)
-			continue
-		}
-	}
-
-	if !reflect.DeepEqual(cursc, sc) {
-		if err := e.setServeConfig(ctx, sc); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (e *serveEnv) handleWebServeRemove(ctx context.Context, mount string) error {
-	srvPort, err := e.validateServePort()
-	if err != nil {
-		return err
-	}
-	srvPortStr := strconv.Itoa(int(srvPort))
-	sc, err := e.getServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	if sc == nil {
-		return errors.New("error: serve config does not exist")
-	}
-	dnsName, err := e.getSelfDNSName(ctx)
-	if err != nil {
-		return err
-	}
-	if sc.IsTCPForwardingOnPort(srvPort) {
-		return errors.New("cannot remove web handler; currently serving TCP")
-	}
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, srvPortStr))
-	if !sc.WebHandlerExists(hp, mount) {
-		return errors.New("error: serve config does not exist")
-	}
-	// delete existing handler, then cascade delete if empty
-	delete(sc.Web[hp].Handlers, mount)
-	if len(sc.Web[hp].Handlers) == 0 {
-		delete(sc.Web, hp)
-		delete(sc.TCP, srvPort)
-	}
-	// clear empty maps mostly for testing
-	if len(sc.Web) == 0 {
-		sc.Web = nil
-	}
-	if len(sc.TCP) == 0 {
-		sc.TCP = nil
-	}
-	if err := e.setServeConfig(ctx, sc); err != nil {
-		return err
-	}
-	return nil
-}
-
-func cleanMountPoint(mount string) (string, error) {
-	if mount == "" {
-		return "", errors.New("mount point cannot be empty")
-	}
-	if !strings.HasPrefix(mount, "/") {
-		mount = "/" + mount
-	}
-	c := path.Clean(mount)
-	if mount == c || mount == c+"/" {
-		return mount, nil
-	}
-	return "", fmt.Errorf("invalid mount point %q", mount)
-}
-
-func expandProxyTarget(target string) (string, error) {
-	if allNumeric(target) {
-		p, err := strconv.ParseUint(target, 10, 16)
-		if p == 0 || err != nil {
-			return "", fmt.Errorf("invalid port %q", target)
-		}
-		return "http://127.0.0.1:" + target, nil
-	}
-	if !strings.Contains(target, "://") {
-		target = "http://" + target
-	}
-	u, err := url.ParseRequestURI(target)
-	if err != nil {
-		return "", fmt.Errorf("parsing url: %w", err)
-	}
-	switch u.Scheme {
-	case "http", "https", "https+insecure":
-		// ok
-	default:
-		return "", fmt.Errorf("must be a URL starting with http://, https://, or https+insecure://")
-	}
-	host := u.Hostname()
-	switch host {
-	// TODO(shayne,bradfitz): do we want to do this?
-	case "localhost", "127.0.0.1":
-		host = "127.0.0.1"
-	default:
-		return "", fmt.Errorf("only localhost or 127.0.0.1 proxies are currently supported")
-	}
-	url := u.Scheme + "://" + host
-	if u.Port() != "" {
-		url += ":" + u.Port()
-	}
-	return url, nil
-}
-
-func allNumeric(s string) bool {
-	for i := 0; i < len(s); i++ {
-		if s[i] < '0' || s[i] > '9' {
-			return false
-		}
-	}
-	return s != ""
-}
-
-// runServeStatus prints the current serve config.
-//
-// Examples:
-//   - tailscale status
-//   - tailscale status --json
-func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
-	sc, err := e.getServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	if e.json {
-		j, err := json.MarshalIndent(sc, "", "  ")
-		if err != nil {
-			return err
-		}
-		j = append(j, '\n')
-		e.stdout().Write(j)
-		return nil
-	}
-	if sc == nil || (len(sc.TCP) == 0 && len(sc.Web) == 0 && len(sc.AllowFunnel) == 0) {
-		printf("No serve config\n")
-		return nil
-	}
-	st, err := e.getLocalClientStatus(ctx)
-	if err != nil {
-		return err
-	}
-	if sc.IsTCPForwardingAny() {
-		if err := printTCPStatusTree(ctx, sc, st); err != nil {
-			return err
-		}
-		printf("\n")
-	}
-	for hp := range sc.Web {
-		printWebStatusTree(sc, hp)
-		printf("\n")
-	}
-	// warn when funnel on without handlers
-	for hp, a := range sc.AllowFunnel {
-		if !a {
-			continue
-		}
-		_, portStr, _ := net.SplitHostPort(string(hp))
-		p, _ := strconv.ParseUint(portStr, 10, 16)
-		if _, ok := sc.TCP[uint16(p)]; !ok {
-			printf("WARNING: funnel=on for %s, but no serve config\n", hp)
-		}
-	}
-	return nil
-}
-
-func (e *serveEnv) stdout() io.Writer {
-	if e.testStdout != nil {
-		return e.testStdout
-	}
-	return os.Stdout
-}
-
-func printTCPStatusTree(ctx context.Context, sc *ipn.ServeConfig, st *ipnstate.Status) error {
-	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
-	for p, h := range sc.TCP {
-		if h.TCPForward == "" {
-			continue
-		}
-		hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(p))))
-		tlsStatus := "TLS over TCP"
-		if h.TerminateTLS != "" {
-			tlsStatus = "TLS terminated"
-		}
-		fStatus := "tailnet only"
-		if sc.IsFunnelOn(hp) {
-			fStatus = "Funnel on"
-		}
-		printf("|-- tcp://%s (%s, %s)\n", hp, tlsStatus, fStatus)
-		for _, a := range st.TailscaleIPs {
-			ipp := net.JoinHostPort(a.String(), strconv.Itoa(int(p)))
-			printf("|-- tcp://%s\n", ipp)
-		}
-		printf("|--> tcp://%s\n", h.TCPForward)
-	}
-	return nil
-}
-
-func printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) {
-	if sc == nil {
-		return
-	}
-	fStatus := "tailnet only"
-	if sc.IsFunnelOn(hp) {
-		fStatus = "Funnel on"
-	}
-	host, portStr, _ := net.SplitHostPort(string(hp))
-	if portStr == "443" {
-		printf("https://%s (%s)\n", host, fStatus)
-	} else {
-		printf("https://%s:%s (%s)\n", host, portStr, fStatus)
-	}
-	srvTypeAndDesc := func(h *ipn.HTTPHandler) (string, string) {
-		switch {
-		case h.Path != "":
-			return "path", h.Path
-		case h.Proxy != "":
-			return "proxy", h.Proxy
-		case h.Text != "":
-			return "text", "\"" + elipticallyTruncate(h.Text, 20) + "\""
-		}
-		return "", ""
-	}
-
-	var mounts []string
-	for k := range sc.Web[hp].Handlers {
-		mounts = append(mounts, k)
-	}
-	sort.Slice(mounts, func(i, j int) bool {
-		return len(mounts[i]) < len(mounts[j])
-	})
-	maxLen := len(mounts[len(mounts)-1])
-
-	for _, m := range mounts {
-		h := sc.Web[hp].Handlers[m]
-		t, d := srvTypeAndDesc(h)
-		printf("%s %s%s %-5s %s\n", "|--", m, strings.Repeat(" ", maxLen-len(m)), t, d)
-	}
-}
-
-func elipticallyTruncate(s string, max int) string {
-	if len(s) <= max {
-		return s
-	}
-	return s[:max-3] + "..."
-}
-
-// runServeTCP is the entry point for the "serve tcp" subcommand and
-// manages the serve config for TCP forwarding.
-//
-// Examples:
-//   - tailscale serve tcp 5432
-//   - tailscale --serve-port=8443 tcp 4430
-//   - tailscale --serve-port=10000 --terminate-tls tcp 8080
-func (e *serveEnv) runServeTCP(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
-		return flag.ErrHelp
-	}
-
-	srvPort, err := e.validateServePort()
-	if err != nil {
-		return err
-	}
-
-	portStr := args[0]
-	p, err := strconv.ParseUint(portStr, 10, 16)
-	if p == 0 || err != nil {
-		fmt.Fprintf(os.Stderr, "error: invalid port %q\n\n", portStr)
-	}
-
-	cursc, err := e.getServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	sc := cursc.Clone() // nil if no config
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-
-	fwdAddr := "127.0.0.1:" + portStr
-
-	if sc.IsServingWeb(srvPort) {
-		if e.remove {
-			return fmt.Errorf("unable to remove; serving web, not TCP forwarding on serve port %d", srvPort)
-		}
-		return fmt.Errorf("cannot serve TCP; already serving web on %d", srvPort)
-	}
-
-	if e.remove {
-		if ph := sc.GetTCPPortHandler(srvPort); ph != nil && ph.TCPForward == fwdAddr {
-			delete(sc.TCP, srvPort)
-			// clear map mostly for testing
-			if len(sc.TCP) == 0 {
-				sc.TCP = nil
-			}
-			return e.setServeConfig(ctx, sc)
-		}
-		return errors.New("error: serve config does not exist")
-	}
-
-	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{TCPForward: fwdAddr})
-
-	dnsName, err := e.getSelfDNSName(ctx)
-	if err != nil {
-		return err
-	}
-	if e.terminateTLS {
-		sc.TCP[srvPort].TerminateTLS = dnsName
-	}
-
-	if !reflect.DeepEqual(cursc, sc) {
-		if err := e.setServeConfig(ctx, sc); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// runServeFunnel is the entry point for the "serve funnel" subcommand and
-// manages turning on/off funnel. Funnel is off by default.
-//
-// Note: funnel is only supported on single DNS name for now. (2022-11-15)
-func (e *serveEnv) runServeFunnel(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return flag.ErrHelp
-	}
-
-	srvPort, err := e.validateServePort()
-	if err != nil {
-		return err
-	}
-	srvPortStr := strconv.Itoa(int(srvPort))
-
-	var on bool
-	switch args[0] {
-	case "on", "off":
-		on = args[0] == "on"
-	default:
-		return flag.ErrHelp
-	}
-	sc, err := e.getServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-	st, err := e.getLocalClientStatus(ctx)
-	if err != nil {
-		return fmt.Errorf("getting client status: %w", err)
-	}
-	if err := checkHasAccess(st.Self.Capabilities); err != nil {
-		return err
-	}
-	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
-	hp := ipn.HostPort(dnsName + ":" + srvPortStr)
-	isFun := sc.IsFunnelOn(hp)
-	if on && isFun || !on && !isFun {
-		// Nothing to do.
-		return nil
-	}
-	if on {
-		mak.Set(&sc.AllowFunnel, hp, true)
-	} else {
-		delete(sc.AllowFunnel, hp)
-		// clear map mostly for testing
-		if len(sc.AllowFunnel) == 0 {
-			sc.AllowFunnel = nil
-		}
-	}
-	if err := e.setServeConfig(ctx, sc); err != nil {
-		return err
-	}
-	return nil
-}
-
-// checkHasAccess checks three things: 1) an invite was used to join the
-// Funnel alpha; 2) HTTPS is enabled; 3) the node has the "funnel" attribute.
-// If any of these are false, an error is returned describing the problem.
-//
-// The nodeAttrs arg should be the node's Self.Capabilities which should contain
-// the attribute we're checking for and possibly warning-capabilities for Funnel.
-func checkHasAccess(nodeAttrs []string) error {
-	if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoInvite) {
-		return errors.New("Funnel not available; an invite is required to join the alpha. See https://tailscale.com/kb/1223/tailscale-funnel/.")
-	}
-	if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoHTTPS) {
-		return errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/kb/1153/enabling-https/.")
-	}
-	if !slices.Contains(nodeAttrs, tailcfg.NodeAttrFunnel) {
-		return errors.New("Funnel not available; \"funnel\" node attribute not set. See https://tailscale.com/kb/1223/tailscale-funnel/.")
-	}
-	return nil
-}
--- a/cmd/tailscale/cli/serve_test.go
+++ b/cmd/tailscale/cli/serve_test.go
@@ -1,700 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bytes"
-	"context"
-	"flag"
-	"fmt"
-	"os"
-	"path/filepath"
-	"reflect"
-	"runtime"
-	"strings"
-	"testing"
-
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-)
-
-func TestCleanMountPoint(t *testing.T) {
-	tests := []struct {
-		mount   string
-		want    string
-		wantErr bool
-	}{
-		{"foo", "/foo", false},              // missing prefix
-		{"/foo/", "/foo/", false},           // keep trailing slash
-		{"////foo", "", true},               // too many slashes
-		{"/foo//", "", true},                // too many slashes
-		{"", "", true},                      // empty
-		{"https://tailscale.com", "", true}, // not a path
-	}
-	for _, tt := range tests {
-		mp, err := cleanMountPoint(tt.mount)
-		if err != nil && tt.wantErr {
-			continue
-		}
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if mp != tt.want {
-			t.Fatalf("got %q, want %q", mp, tt.want)
-		}
-	}
-}
-
-func TestCheckHasAccess(t *testing.T) {
-	tests := []struct {
-		caps    []string
-		wantErr bool
-	}{
-		{[]string{}, true}, // No "funnel" attribute
-		{[]string{tailcfg.CapabilityWarnFunnelNoInvite}, true},
-		{[]string{tailcfg.CapabilityWarnFunnelNoHTTPS}, true},
-		{[]string{tailcfg.NodeAttrFunnel}, false},
-	}
-	for _, tt := range tests {
-		err := checkHasAccess(tt.caps)
-		switch {
-		case err != nil && tt.wantErr,
-			err == nil && !tt.wantErr:
-			continue
-		case tt.wantErr:
-			t.Fatalf("got no error, want error")
-		case !tt.wantErr:
-			t.Fatalf("got error %v, want no error", err)
-		}
-	}
-}
-
-func TestServeConfigMutations(t *testing.T) {
-	// Stateful mutations, starting from an empty config.
-	type step struct {
-		command []string                       // serve args; nil means no command to run (only reset)
-		reset   bool                           // if true, reset all ServeConfig state
-		want    *ipn.ServeConfig               // non-nil means we want a save of this value
-		wantErr func(error) (badErrMsg string) // nil means no error is wanted
-		line    int                            // line number of addStep call, for error messages
-	}
-	var steps []step
-	add := func(s step) {
-		_, _, s.line, _ = runtime.Caller(1)
-		steps = append(steps, s)
-	}
-
-	// funnel
-	add(step{reset: true})
-	add(step{
-		command: cmd("funnel on"),
-		want:    &ipn.ServeConfig{AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true}},
-	})
-	add(step{
-		command: cmd("funnel on"),
-		want:    nil, // nothing to save
-	})
-	add(step{
-		command: cmd("funnel off"),
-		want:    &ipn.ServeConfig{},
-	})
-	add(step{
-		command: cmd("funnel off"),
-		want:    nil, // nothing to save
-	})
-	add(step{
-		command: cmd("funnel"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-
-	// https
-	add(step{reset: true})
-	add(step{
-		command: cmd("/ proxy 0"), // invalid port, too low
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("/ proxy 65536"), // invalid port, too high
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("/ proxy somehost"), // invalid host
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("/ proxy http://otherhost"), // invalid host
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("/ proxy httpz://127.0.0.1"), // invalid scheme
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("/ proxy 3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("--serve-port=9999 /abc proxy 3001"),
-		wantErr: anyErr(),
-	}) // invalid port
-	add(step{
-		command: cmd("--serve-port=8443 /abc proxy 3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("--serve-port=10000 / text hi"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {HTTPS: true}, 8443: {HTTPS: true}, 10000: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-				"foo.test.ts.net:10000": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Text: "hi"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("--remove /foo"),
-		want:    nil, // nothing to save
-		wantErr: anyErr(),
-	}) // handler doesn't exist, so we get an error
-	add(step{
-		command: cmd("--remove --serve-port=10000 /"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("--remove /"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("--remove --serve-port=8443 /abc"),
-		want:    &ipn.ServeConfig{},
-	})
-	add(step{
-		command: cmd("bar proxy https://127.0.0.1:8443"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/bar": {Proxy: "https://127.0.0.1:8443"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("bar proxy https://127.0.0.1:8443"),
-		want:    nil, // nothing to save
-	})
-	add(step{reset: true})
-	add(step{
-		command: cmd("/ proxy https+insecure://127.0.0.1:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "https+insecure://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{reset: true})
-	add(step{
-		command: cmd("/foo proxy localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/foo": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // test a second handler on the same port
-		command: cmd("--serve-port=8443 /foo proxy localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/foo": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/foo": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-
-	// tcp
-	add(step{reset: true})
-	add(step{
-		command: cmd("tcp 5432"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {TCPForward: "127.0.0.1:5432"},
-			},
-		},
-	})
-	add(step{
-		command: cmd("tcp -terminate-tls 8443"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:8443",
-					TerminateTLS: "foo.test.ts.net",
-				},
-			},
-		},
-	})
-	add(step{
-		command: cmd("tcp -terminate-tls 8443"),
-		want:    nil, // nothing to save
-	})
-	add(step{
-		command: cmd("tcp --terminate-tls 8444"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:8444",
-					TerminateTLS: "foo.test.ts.net",
-				},
-			},
-		},
-	})
-	add(step{
-		command: cmd("tcp -terminate-tls=false 8445"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {TCPForward: "127.0.0.1:8445"},
-			},
-		},
-	})
-	add(step{reset: true})
-	add(step{
-		command: cmd("tcp 123"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {TCPForward: "127.0.0.1:123"},
-			},
-		},
-	})
-	add(step{
-		command: cmd("--remove tcp 321"),
-		wantErr: anyErr(),
-	}) // handler doesn't exist, so we get an error
-	add(step{
-		command: cmd("--remove tcp 123"),
-		want:    &ipn.ServeConfig{},
-	})
-
-	// text
-	add(step{reset: true})
-	add(step{
-		command: cmd("/ text hello"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Text: "hello"},
-				}},
-			},
-		},
-	})
-
-	// path
-	td := t.TempDir()
-	writeFile := func(suffix, contents string) {
-		if err := os.WriteFile(filepath.Join(td, suffix), []byte(contents), 0600); err != nil {
-			t.Fatal(err)
-		}
-	}
-	add(step{reset: true})
-	writeFile("foo", "this is foo")
-	add(step{
-		command: cmd("/ path " + filepath.Join(td, "foo")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Path: filepath.Join(td, "foo")},
-				}},
-			},
-		},
-	})
-	os.MkdirAll(filepath.Join(td, "subdir"), 0700)
-	writeFile("subdir/file-a", "this is A")
-	add(step{
-		command: cmd("/some/where path " + filepath.Join(td, "subdir/file-a")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/":           {Path: filepath.Join(td, "foo")},
-					"/some/where": {Path: filepath.Join(td, "subdir/file-a")},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("/ path missing"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{reset: true})
-	add(step{
-		command: cmd("/ path " + filepath.Join(td, "subdir")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Path: filepath.Join(td, "subdir/")},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("--remove /"),
-		want:    &ipn.ServeConfig{},
-	})
-
-	// combos
-	add(step{reset: true})
-	add(step{
-		command: cmd("/ proxy 3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("funnel on"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // serving on secondary port doesn't change funnel
-		command: cmd("--serve-port=8443 /bar proxy 3001"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/bar": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{ // turn funnel on for secondary port
-		command: cmd("--serve-port=8443 funnel on"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true, "foo.test.ts.net:8443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/bar": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{ // turn funnel off for primary port 443
-		command: cmd("funnel off"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/bar": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{ // remove secondary port
-		command: cmd("--serve-port=8443 --remove /bar"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // start a tcp forwarder on 8443
-		command: cmd("--serve-port=8443 tcp 5432"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {TCPForward: "127.0.0.1:5432"}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // remove primary port http handler
-		command: cmd("--remove /"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{8443: {TCPForward: "127.0.0.1:5432"}},
-		},
-	})
-	add(step{ // remove tcp forwarder
-		command: cmd("--serve-port=8443 --remove tcp 5432"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-		},
-	})
-	add(step{ // turn off funnel
-		command: cmd("--serve-port=8443 funnel off"),
-		want:    &ipn.ServeConfig{},
-	})
-
-	// tricky steps
-	add(step{reset: true})
-	add(step{ // a directory with a trailing slash mount point
-		command: cmd("/dir path " + filepath.Join(td, "subdir")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/dir/": {Path: filepath.Join(td, "subdir/")},
-				}},
-			},
-		},
-	})
-	add(step{ // this should overwrite the previous one
-		command: cmd("/dir path " + filepath.Join(td, "foo")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/dir": {Path: filepath.Join(td, "foo")},
-				}},
-			},
-		},
-	})
-	add(step{reset: true}) // reset and do the opposite
-	add(step{              // a file without a trailing slash mount point
-		command: cmd("/dir path " + filepath.Join(td, "foo")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/dir": {Path: filepath.Join(td, "foo")},
-				}},
-			},
-		},
-	})
-	add(step{ // this should overwrite the previous one
-		command: cmd("/dir path " + filepath.Join(td, "subdir")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/dir/": {Path: filepath.Join(td, "subdir/")},
-				}},
-			},
-		},
-	})
-
-	// error states
-	add(step{reset: true})
-	add(step{ // make sure we can't add "tcp" as if it was a mount
-		command: cmd("tcp text foo"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{ // "/tcp" is fine though as a mount
-		command: cmd("/tcp text foo"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/tcp": {Text: "foo"},
-				}},
-			},
-		},
-	})
-	add(step{reset: true})
-	add(step{ // tcp forward 5432 on serve port 443
-		command: cmd("tcp 5432"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {TCPForward: "127.0.0.1:5432"},
-			},
-		},
-	})
-	add(step{ // try to start a web handler on the same port
-		command: cmd("/ proxy 3000"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{reset: true})
-	add(step{ // start a web handler on port 443
-		command: cmd("/ proxy 3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // try to start a tcp forwarder on the same serve port (443 default)
-		command: cmd("tcp 5432"),
-		wantErr: anyErr(),
-	})
-
-	// And now run the steps above.
-	var current *ipn.ServeConfig
-	for i, st := range steps {
-		if st.reset {
-			t.Logf("Executing step #%d, line %v: [reset]", i, st.line)
-			current = nil
-		}
-		if st.command == nil {
-			continue
-		}
-		t.Logf("Executing step #%d, line %v: %q ... ", i, st.line, st.command)
-
-		var stdout bytes.Buffer
-		var flagOut bytes.Buffer
-		var newState *ipn.ServeConfig
-		e := &serveEnv{
-			testFlagOut: &flagOut,
-			testStdout:  &stdout,
-			testGetLocalClientStatus: func(context.Context) (*ipnstate.Status, error) {
-				return &ipnstate.Status{
-					Self: &ipnstate.PeerStatus{
-						DNSName:      "foo.test.ts.net",
-						Capabilities: []string{tailcfg.NodeAttrFunnel},
-					},
-				}, nil
-			},
-			testGetServeConfig: func(context.Context) (*ipn.ServeConfig, error) {
-				return current, nil
-			},
-			testSetServeConfig: func(_ context.Context, c *ipn.ServeConfig) error {
-				newState = c
-				return nil
-			},
-		}
-		cmd := newServeCommand(e)
-		err := cmd.ParseAndRun(context.Background(), st.command)
-		if flagOut.Len() > 0 {
-			t.Logf("flag package output: %q", flagOut.Bytes())
-		}
-		if err != nil {
-			if st.wantErr == nil {
-				t.Fatalf("step #%d, line %v: unexpected error: %v", i, st.line, err)
-			}
-			if bad := st.wantErr(err); bad != "" {
-				t.Fatalf("step #%d, line %v: unexpected error: %v", i, st.line, bad)
-			}
-			continue
-		}
-		if st.wantErr != nil {
-			t.Fatalf("step #%d, line %v: got success (saved=%v), but wanted an error", i, st.line, newState != nil)
-		}
-		if !reflect.DeepEqual(newState, st.want) {
-			t.Fatalf("[%d] %v: bad state. got:\n%s\n\nwant:\n%s\n",
-				i, st.command, asJSON(newState), asJSON(st.want))
-			// NOTE: asJSON will omit empty fields, which might make
-			// result in bad state got/want diffs being the same, even
-			// though the actual state is different. Use below to debug:
-			// t.Fatalf("[%d] %v: bad state. got:\n%+v\n\nwant:\n%+v\n",
-			// i, st.command, newState, st.want)
-		}
-		if newState != nil {
-			current = newState
-		}
-	}
-}
-
-// exactError returns an error checker that wants exactly the provided want error.
-// If optName is non-empty, it's used in the error message.
-func exactErr(want error, optName ...string) func(error) string {
-	return func(got error) string {
-		if got == want {
-			return ""
-		}
-		if len(optName) > 0 {
-			return fmt.Sprintf("got error %v, want %v", got, optName[0])
-		}
-		return fmt.Sprintf("got error %v, want %v", got, want)
-	}
-}
-
-// anyErr returns an error checker that wants any error.
-func anyErr() func(error) string {
-	return func(got error) string {
-		return ""
-	}
-}
-
-func cmd(s string) []string {
-	cmds := strings.Fields(s)
-	fmt.Printf("cmd: %v", cmds)
-	return cmds
-}
--- a/cmd/tailscale/cli/set.go
+++ b/cmd/tailscale/cli/set.go
@@ -1,183 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"net/netip"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn"
-	"tailscale.com/net/tsaddr"
-	"tailscale.com/safesocket"
-)
-
-var setCmd = &ffcli.Command{
-	Name:       "set",
-	ShortUsage: "set [flags]",
-	ShortHelp:  "Change specified preferences",
-	LongHelp: `"tailscale set" allows changing specific preferences.
-
-Unlike "tailscale up", this command does not require the complete set of desired settings.
-
-Only settings explicitly mentioned will be set. There are no default values.`,
-	FlagSet:   setFlagSet,
-	Exec:      runSet,
-	UsageFunc: usageFuncNoDefaultValues,
-}
-
-type setArgsT struct {
-	acceptRoutes           bool
-	acceptDNS              bool
-	exitNodeIP             string
-	exitNodeAllowLANAccess bool
-	shieldsUp              bool
-	runSSH                 bool
-	hostname               string
-	advertiseRoutes        string
-	advertiseDefaultRoute  bool
-	opUser                 string
-	acceptedRisks          string
-	profileName            string
-	forceDaemon            bool
-}
-
-func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
-	setf := newFlagSet("set")
-
-	setf.StringVar(&setArgs.profileName, "nickname", "", "nickname for the current account")
-	setf.BoolVar(&setArgs.acceptRoutes, "accept-routes", false, "accept routes advertised by other Tailscale nodes")
-	setf.BoolVar(&setArgs.acceptDNS, "accept-dns", false, "accept DNS configuration from the admin panel")
-	setf.StringVar(&setArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
-	setf.BoolVar(&setArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
-	setf.BoolVar(&setArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
-	setf.BoolVar(&setArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
-	setf.StringVar(&setArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
-	setf.StringVar(&setArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\") or empty string to not advertise routes")
-	setf.BoolVar(&setArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
-	if safesocket.GOOSUsesPeerCreds(goos) {
-		setf.StringVar(&setArgs.opUser, "operator", "", "Unix username to allow to operate on tailscaled without sudo")
-	}
-	switch goos {
-	case "windows":
-		setf.BoolVar(&setArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
-	}
-
-	registerAcceptRiskFlag(setf, &setArgs.acceptedRisks)
-	return setf
-}
-
-var (
-	setArgs    setArgsT
-	setFlagSet = newSetFlagSet(effectiveGOOS(), &setArgs)
-)
-
-func runSet(ctx context.Context, args []string) (retErr error) {
-	if len(args) > 0 {
-		fatalf("too many non-flag arguments: %q", args)
-	}
-
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return err
-	}
-
-	maskedPrefs := &ipn.MaskedPrefs{
-		Prefs: ipn.Prefs{
-			ProfileName:            setArgs.profileName,
-			RouteAll:               setArgs.acceptRoutes,
-			CorpDNS:                setArgs.acceptDNS,
-			ExitNodeAllowLANAccess: setArgs.exitNodeAllowLANAccess,
-			ShieldsUp:              setArgs.shieldsUp,
-			RunSSH:                 setArgs.runSSH,
-			Hostname:               setArgs.hostname,
-			OperatorUser:           setArgs.opUser,
-			ForceDaemon:            setArgs.forceDaemon,
-		},
-	}
-
-	if setArgs.exitNodeIP != "" {
-		if err := maskedPrefs.Prefs.SetExitNodeIP(setArgs.exitNodeIP, st); err != nil {
-			var e ipn.ExitNodeLocalIPError
-			if errors.As(err, &e) {
-				return fmt.Errorf("%w; did you mean --advertise-exit-node?", err)
-			}
-			return err
-		}
-	}
-
-	var advertiseExitNodeSet, advertiseRoutesSet bool
-	setFlagSet.Visit(func(f *flag.Flag) {
-		updateMaskedPrefsFromUpOrSetFlag(maskedPrefs, f.Name)
-		switch f.Name {
-		case "advertise-exit-node":
-			advertiseExitNodeSet = true
-		case "advertise-routes":
-			advertiseRoutesSet = true
-		}
-	})
-	if maskedPrefs.IsEmpty() {
-		return flag.ErrHelp
-	}
-
-	curPrefs, err := localClient.GetPrefs(ctx)
-	if err != nil {
-		return err
-	}
-	if maskedPrefs.AdvertiseRoutesSet {
-		maskedPrefs.AdvertiseRoutes, err = calcAdvertiseRoutesForSet(advertiseExitNodeSet, advertiseRoutesSet, curPrefs, setArgs)
-		if err != nil {
-			return err
-		}
-	}
-
-	if maskedPrefs.RunSSHSet {
-		wantSSH, haveSSH := maskedPrefs.RunSSH, curPrefs.RunSSH
-		if err := presentSSHToggleRisk(wantSSH, haveSSH, setArgs.acceptedRisks); err != nil {
-			return err
-		}
-	}
-	checkPrefs := curPrefs.Clone()
-	checkPrefs.ApplyEdits(maskedPrefs)
-	if err := localClient.CheckPrefs(ctx, checkPrefs); err != nil {
-		return err
-	}
-
-	_, err = localClient.EditPrefs(ctx, maskedPrefs)
-	return err
-}
-
-// calcAdvertiseRoutesForSet returns the new value for Prefs.AdvertiseRoutes based on the
-// current value, the flags passed to "tailscale set".
-// advertiseExitNodeSet is whether the --advertise-exit-node flag was set.
-// advertiseRoutesSet is whether the --advertise-routes flag was set.
-// curPrefs is the current Prefs.
-// setArgs is the parsed command-line arguments.
-func calcAdvertiseRoutesForSet(advertiseExitNodeSet, advertiseRoutesSet bool, curPrefs *ipn.Prefs, setArgs setArgsT) (routes []netip.Prefix, err error) {
-	if advertiseExitNodeSet && advertiseRoutesSet {
-		return calcAdvertiseRoutes(setArgs.advertiseRoutes, setArgs.advertiseDefaultRoute)
-
-	}
-	if advertiseRoutesSet {
-		return calcAdvertiseRoutes(setArgs.advertiseRoutes, curPrefs.AdvertisesExitNode())
-	}
-	if advertiseExitNodeSet {
-		alreadyAdvertisesExitNode := curPrefs.AdvertisesExitNode()
-		if alreadyAdvertisesExitNode == setArgs.advertiseDefaultRoute {
-			return curPrefs.AdvertiseRoutes, nil
-		}
-		routes = tsaddr.FilterPrefixesCopy(curPrefs.AdvertiseRoutes, func(p netip.Prefix) bool {
-			return p.Bits() != 0
-		})
-		if setArgs.advertiseDefaultRoute {
-			routes = append(routes, tsaddr.AllIPv4(), tsaddr.AllIPv6())
-		}
-		return routes, nil
-	}
-	return nil, nil
-}
--- a/cmd/tailscale/cli/set_test.go
+++ b/cmd/tailscale/cli/set_test.go
@@ -1,132 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"net/netip"
-	"reflect"
-	"testing"
-
-	"tailscale.com/ipn"
-	"tailscale.com/net/tsaddr"
-	"tailscale.com/types/ptr"
-)
-
-func TestCalcAdvertiseRoutesForSet(t *testing.T) {
-	pfx := netip.MustParsePrefix
-	tests := []struct {
-		name      string
-		setExit   *bool
-		setRoutes *string
-		was       []netip.Prefix
-		want      []netip.Prefix
-	}{
-		{
-			name: "empty",
-		},
-		{
-			name:    "advertise-exit",
-			setExit: ptr.To(true),
-			want:    tsaddr.ExitRoutes(),
-		},
-		{
-			name:    "advertise-exit/already-routes",
-			was:     []netip.Prefix{pfx("34.0.0.0/16")},
-			setExit: ptr.To(true),
-			want:    []netip.Prefix{pfx("34.0.0.0/16"), tsaddr.AllIPv4(), tsaddr.AllIPv6()},
-		},
-		{
-			name:    "advertise-exit/already-exit",
-			was:     tsaddr.ExitRoutes(),
-			setExit: ptr.To(true),
-			want:    tsaddr.ExitRoutes(),
-		},
-		{
-			name:    "stop-advertise-exit",
-			was:     tsaddr.ExitRoutes(),
-			setExit: ptr.To(false),
-			want:    nil,
-		},
-		{
-			name:    "stop-advertise-exit/with-routes",
-			was:     []netip.Prefix{pfx("34.0.0.0/16"), tsaddr.AllIPv4(), tsaddr.AllIPv6()},
-			setExit: ptr.To(false),
-			want:    []netip.Prefix{pfx("34.0.0.0/16")},
-		},
-		{
-			name:      "advertise-routes",
-			setRoutes: ptr.To("10.0.0.0/24,192.168.0.0/16"),
-			want:      []netip.Prefix{pfx("10.0.0.0/24"), pfx("192.168.0.0/16")},
-		},
-		{
-			name:      "advertise-routes/already-exit",
-			was:       tsaddr.ExitRoutes(),
-			setRoutes: ptr.To("10.0.0.0/24,192.168.0.0/16"),
-			want:      []netip.Prefix{pfx("10.0.0.0/24"), pfx("192.168.0.0/16"), tsaddr.AllIPv4(), tsaddr.AllIPv6()},
-		},
-		{
-			name:      "advertise-routes/already-diff-routes",
-			was:       []netip.Prefix{pfx("34.0.0.0/16")},
-			setRoutes: ptr.To("10.0.0.0/24,192.168.0.0/16"),
-			want:      []netip.Prefix{pfx("10.0.0.0/24"), pfx("192.168.0.0/16")},
-		},
-		{
-			name:      "stop-advertise-routes",
-			was:       []netip.Prefix{pfx("34.0.0.0/16")},
-			setRoutes: ptr.To(""),
-			want:      nil,
-		},
-		{
-			name:      "stop-advertise-routes/already-exit",
-			was:       []netip.Prefix{pfx("34.0.0.0/16"), tsaddr.AllIPv4(), tsaddr.AllIPv6()},
-			setRoutes: ptr.To(""),
-			want:      tsaddr.ExitRoutes(),
-		},
-		{
-			name:      "advertise-routes-and-exit",
-			setExit:   ptr.To(true),
-			setRoutes: ptr.To("10.0.0.0/24,192.168.0.0/16"),
-			want:      []netip.Prefix{pfx("10.0.0.0/24"), pfx("192.168.0.0/16"), tsaddr.AllIPv4(), tsaddr.AllIPv6()},
-		},
-		{
-			name:      "advertise-routes-and-exit/already-exit",
-			was:       tsaddr.ExitRoutes(),
-			setExit:   ptr.To(true),
-			setRoutes: ptr.To("10.0.0.0/24,192.168.0.0/16"),
-			want:      []netip.Prefix{pfx("10.0.0.0/24"), pfx("192.168.0.0/16"), tsaddr.AllIPv4(), tsaddr.AllIPv6()},
-		},
-		{
-			name:      "advertise-routes-and-exit/already-routes",
-			was:       []netip.Prefix{pfx("10.0.0.0/24"), pfx("192.168.0.0/16")},
-			setExit:   ptr.To(true),
-			setRoutes: ptr.To("10.0.0.0/24,192.168.0.0/16"),
-			want:      []netip.Prefix{pfx("10.0.0.0/24"), pfx("192.168.0.0/16"), tsaddr.AllIPv4(), tsaddr.AllIPv6()},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			curPrefs := &ipn.Prefs{
-				AdvertiseRoutes: tc.was,
-			}
-			sa := setArgsT{}
-			if tc.setExit != nil {
-				sa.advertiseDefaultRoute = *tc.setExit
-			}
-			if tc.setRoutes != nil {
-				sa.advertiseRoutes = *tc.setRoutes
-			}
-			got, err := calcAdvertiseRoutesForSet(tc.setExit != nil, tc.setRoutes != nil, curPrefs, sa)
-			if err != nil {
-				t.Fatal(err)
-			}
-			tsaddr.SortPrefixes(got)
-			tsaddr.SortPrefixes(tc.want)
-			if !reflect.DeepEqual(got, tc.want) {
-				t.Errorf("got %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
--- a/cmd/tailscale/cli/ssh.go
+++ b/cmd/tailscale/cli/ssh.go
@@ -21,7 +21,6 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
-	"tailscale.com/paths"
 	"tailscale.com/version"
 )

@@ -29,23 +28,7 @@ var sshCmd = &ffcli.Command{
 	Name:       "ssh",
 	ShortUsage: "ssh [user@]<host> [args...]",
 	ShortHelp:  "SSH to a Tailscale machine",
-	LongHelp: strings.TrimSpace(`
-
-The 'tailscale ssh' command is an optional wrapper around the system 'ssh'
-command that's useful in some cases. Tailscale SSH does not require its use;
-most users running the Tailscale SSH server will prefer to just use the normal
-'ssh' command or their normal SSH client.
-
-The 'tailscale ssh' wrapper adds a few things:
-
-* It resolves the destination server name in its arguments using MagicDNS,
-  even if --accept-dns=false.
-* It works in userspace-networking mode, by supplying a ProxyCommand to the
-  system 'ssh' command that connects via a pipe through tailscaled.
-* It automatically checks the destination server's SSH host key against the
-  node's SSH host key as advertised via the Tailscale coordination server.
-`),
-	Exec: runSSH,
+	Exec:       runSSH,
 }

 func runSSH(ctx context.Context, args []string) error {
@@ -111,15 +94,10 @@ func runSSH(ctx context.Context, args []string) error {
 	// So don't use it for now. MagicDNS is usually working on macOS anyway
 	// and they're not in userspace mode, so 'nc' isn't very useful.
 	if runtime.GOOS != "darwin" {
-		socketArg := ""
-		if rootArgs.socket != "" && rootArgs.socket != paths.DefaultTailscaledSocket() {
-			socketArg = fmt.Sprintf("--socket=%q", rootArgs.socket)
-		}
-
 		argv = append(argv,
-			"-o", fmt.Sprintf("ProxyCommand %q %s nc %%h %%p",
+			"-o", fmt.Sprintf("ProxyCommand %q --socket=%q nc %%h %%p",
 				tailscaleBin,
-				socketArg,
+				rootArgs.socket,
 			))
 	}

--- a/cmd/tailscale/cli/ssh_exec.go
+++ b/cmd/tailscale/cli/ssh_exec.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build !js && !windows
+// +build !js,!windows

 package cli

--- a/cmd/tailscale/cli/ssh_exec_windows.go
+++ b/cmd/tailscale/cli/ssh_exec_windows.go
@@ -13,7 +13,7 @@ import (

 func findSSH() (string, error) {
 	// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
-	// occurred with ssh.exe provided by msys2/cygwin and other environments.
+	// occured with ssh.exe provided by msys2/cygwin and other environments.
 	if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
 		exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
 		if st, err := os.Stat(exe); err == nil && !st.IsDir() {
--- a/cmd/tailscale/cli/ssh_unix.go
+++ b/cmd/tailscale/cli/ssh_unix.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build !js && !windows
+// +build !js,!windows

 package cli

--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -19,7 +19,6 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/toqueteos/webbrowser"
-	"golang.org/x/net/idna"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
@@ -129,21 +128,18 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}

-	printHealth := func() {
+	// print health check information prior to checking LocalBackend state as
+	// it may provide an explanation to the user if we choose to exit early
+	if len(st.Health) > 0 {
 		printf("# Health check:\n")
 		for _, m := range st.Health {
 			printf("#     - %s\n", m)
 		}
+		outln()
 	}

 	description, ok := isRunningOrStarting(st)
 	if !ok {
-		// print health check information if we're in a weird state, as it might
-		// provide context about why we're in that weird state.
-		if len(st.Health) > 0 && (st.BackendState == ipn.Starting.String() || st.BackendState == ipn.NoState.String()) {
-			printHealth()
-			outln()
-		}
 		outln(description)
 		os.Exit(1)
 	}
@@ -218,10 +214,6 @@ func runStatus(ctx context.Context, args []string) error {
 		}
 	}
 	Stdout.Write(buf.Bytes())
-	if len(st.Health) > 0 {
-		outln()
-		printHealth()
-	}
 	return nil
 }

@@ -249,11 +241,6 @@ func isRunningOrStarting(st *ipnstate.Status) (description string, ok bool) {
 func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	baseName := dnsname.TrimSuffix(ps.DNSName, st.MagicDNSSuffix)
 	if baseName != "" {
-		if strings.HasPrefix(baseName, "xn-") {
-			if u, err := idna.ToUnicode(baseName); err == nil {
-				return fmt.Sprintf("%s (%s)", baseName, u)
-			}
-		}
 		return baseName
 	}
 	return fmt.Sprintf("(%q)", dnsname.SanitizeHostname(ps.HostName))
--- a/cmd/tailscale/cli/switch.go
+++ b/cmd/tailscale/cli/switch.go
@@ -1,122 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn"
-)
-
-var switchCmd = &ffcli.Command{
-	Name:      "switch",
-	ShortHelp: "Switches to a different Tailscale account",
-	FlagSet: func() *flag.FlagSet {
-		fs := flag.NewFlagSet("switch", flag.ExitOnError)
-		fs.BoolVar(&switchArgs.list, "list", false, "list available accounts")
-		return fs
-	}(),
-	Exec: switchProfile,
-	UsageFunc: func(*ffcli.Command) string {
-		return `USAGE
-  [ALPHA] switch <name>
-  [ALPHA] switch --list
-
-"tailscale switch" switches between logged in accounts.
-This command is currently in alpha and may change in the future.`
-	},
-}
-
-var switchArgs struct {
-	list bool
-}
-
-func listProfiles(ctx context.Context) error {
-	curP, all, err := localClient.ProfileStatus(ctx)
-	if err != nil {
-		return err
-	}
-	for _, prof := range all {
-		if prof.ID == curP.ID {
-			fmt.Printf("%s *\n", prof.Name)
-		} else {
-			fmt.Println(prof.Name)
-		}
-	}
-	return nil
-}
-
-func switchProfile(ctx context.Context, args []string) error {
-	if switchArgs.list {
-		return listProfiles(ctx)
-	}
-	if len(args) != 1 {
-		outln("usage: tailscale switch NAME")
-		os.Exit(1)
-	}
-	cp, all, err := localClient.ProfileStatus(ctx)
-	if err != nil {
-		errf("Failed to switch to account: %v\n", err)
-		os.Exit(1)
-	}
-	var profID ipn.ProfileID
-	for _, p := range all {
-		if p.Name == args[0] {
-			profID = p.ID
-			break
-		}
-	}
-	if profID == "" {
-		errf("No profile named %q\n", args[0])
-		os.Exit(1)
-	}
-	if profID == cp.ID {
-		printf("Already on account %q\n", args[0])
-		os.Exit(0)
-	}
-	if err := localClient.SwitchProfile(ctx, profID); err != nil {
-		errf("Failed to switch to account: %v\n", err)
-		os.Exit(1)
-	}
-	printf("Switching to account %q\n", args[0])
-	for {
-		select {
-		case <-ctx.Done():
-			errf("Timed out waiting for switch to complete.")
-			os.Exit(1)
-		default:
-		}
-		st, err := localClient.StatusWithoutPeers(ctx)
-		if err != nil {
-			errf("Error getting status: %v", err)
-			os.Exit(1)
-		}
-		switch st.BackendState {
-		case "NoState", "Starting":
-			// TODO(maisem): maybe add a way to subscribe to state changes to
-			// LocalClient.
-			time.Sleep(100 * time.Millisecond)
-			continue
-		case "NeedsLogin":
-			outln("Logged out.")
-			outln("To log in, run:")
-			outln("  tailscale up")
-			return nil
-		case "Running":
-			outln("Success.")
-			return nil
-		}
-		// For all other states, use the default error message.
-		if msg, ok := isRunningOrStarting(st); !ok {
-			outln(msg)
-			os.Exit(1)
-		}
-	}
-}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -15,19 +15,16 @@ import (
 	"log"
 	"net/netip"
 	"os"
-	"os/signal"
 	"reflect"
 	"runtime"
 	"sort"
 	"strings"
 	"sync"
-	"syscall"
 	"time"

 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
-	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -35,7 +32,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/strs"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -61,9 +57,7 @@ considered settings that need to be re-specified when modifying
 settings.)
 `),
 	FlagSet: upFlagSet,
-	Exec: func(ctx context.Context, args []string) error {
-		return runUp(ctx, "up", args, upArgsGlobal)
-	},
+	Exec:    runUp,
 }

 func effectiveGOOS() string {
@@ -86,29 +80,28 @@ func acceptRouteDefault(goos string) bool {
 	}
 }

-var upFlagSet = newUpFlagSet(effectiveGOOS(), &upArgsGlobal, "up")
+var upFlagSet = newUpFlagSet(effectiveGOOS(), &upArgs)

 func inTest() bool { return flag.Lookup("test.v") != nil }

-// newUpFlagSet returns a new flag set for the "up" and "login" commands.
-func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
-	if cmd != "up" && cmd != "login" {
-		panic("cmd must be up or login")
-	}
-	upf := newFlagSet(cmd)
+func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
+	upf := newFlagSet("up")

 	upf.BoolVar(&upArgs.qr, "qr", false, "show QR code for login URLs")
-	upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
+	upf.BoolVar(&upArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
+	upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
+	upf.BoolVar(&upArgs.reset, "reset", false, "reset unspecified settings to their default values")

 	upf.StringVar(&upArgs.server, "login-server", ipn.DefaultControlURL, "base URL of control server")
 	upf.BoolVar(&upArgs.acceptRoutes, "accept-routes", acceptRouteDefault(goos), "accept routes advertised by other Tailscale nodes")
 	upf.BoolVar(&upArgs.acceptDNS, "accept-dns", true, "accept DNS configuration from the admin panel")
-	upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "HIDDEN: install host routes to other Tailscale nodes")
+	upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "install host routes to other Tailscale nodes")
 	upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
 	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
 	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
 	upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
 	upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "comma-separated ACL tags to request; each must start with \"tag:\" (e.g. \"tag:eng,tag:montreal,tag:ssh\")")
+	upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
 	upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
 	upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\") or empty string to not advertise routes")
 	upf.BoolVar(&upArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
@@ -123,19 +116,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 		upf.BoolVar(&upArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
 	}
 	upf.DurationVar(&upArgs.timeout, "timeout", 0, "maximum amount of time to wait for tailscaled to enter a Running state; default (0s) blocks forever")
-
-	if cmd == "login" {
-		upf.StringVar(&upArgs.profileName, "nickname", "", "short name for the account")
-	}
-
-	if cmd == "up" {
-		// Some flags are only for "up", not "login".
-		upf.BoolVar(&upArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
-		upf.BoolVar(&upArgs.reset, "reset", false, "reset unspecified settings to their default values")
-		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
-		registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
-	}
-
+	registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
 	return upf
 }

@@ -170,12 +151,12 @@ type upArgsT struct {
 	json                   bool
 	timeout                time.Duration
 	acceptedRisks          string
-	profileName            string
 }

 func (a upArgsT) getAuthKey() (string, error) {
 	v := a.authKeyOrFile
-	if file, ok := strs.CutPrefix(v, "file:"); ok {
+	if strings.HasPrefix(v, "file:") {
+		file := strings.TrimPrefix(v, "file:")
 		b, err := os.ReadFile(file)
 		if err != nil {
 			return "", err
@@ -185,7 +166,7 @@ func (a upArgsT) getAuthKey() (string, error) {
 	return v, nil
 }

-var upArgsGlobal upArgsT
+var upArgs upArgsT

 // Fields output when `tailscale up --json` is used. Two JSON blocks will be output.
 //
@@ -279,9 +260,6 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		routeMap[netip.MustParsePrefix("0.0.0.0/0")] = true
 		routeMap[netip.MustParsePrefix("::/0")] = true
 	}
-	if len(routeMap) == 0 {
-		return nil, nil
-	}
 	routes := make([]netip.Prefix, 0, len(routeMap))
 	for r := range routeMap {
 		routes = append(routes, r)
@@ -300,7 +278,7 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 // Note that the parameters upArgs and warnf are named intentionally
 // to shadow the globals to prevent accidental misuse of them. This
 // function exists for testing and should have no side effects or
-// outside interactions (e.g. no making Tailscale LocalAPI calls).
+// outside interactions (e.g. no making Tailscale local API calls).
 func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goos string) (*ipn.Prefs, error) {
 	routes, err := calcAdvertiseRoutes(upArgs.advertiseRoutes, upArgs.advertiseDefaultRoute)
 	if err != nil {
@@ -351,7 +329,6 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	prefs.Hostname = upArgs.hostname
 	prefs.ForceDaemon = upArgs.forceDaemon
 	prefs.OperatorUser = upArgs.opUser
-	prefs.ProfileName = upArgs.profileName

 	if goos == "linux" {
 		prefs.NoSNAT = !upArgs.snat
@@ -403,8 +380,15 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 	// Do this after validations to avoid the 5s delay if we're going to error
 	// out anyway.
 	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
-	if err := presentSSHToggleRisk(wantSSH, haveSSH, env.upArgs.acceptedRisks); err != nil {
-		return false, nil, err
+	if wantSSH != haveSSH && isSSHOverTailscale() {
+		if wantSSH {
+			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)
+		} else {
+			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, env.upArgs.acceptedRisks)
+		}
+		if err != nil {
+			return false, nil, err
+		}
 	}

 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)
@@ -429,24 +413,14 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 			visitFlags = env.flagSet.VisitAll
 		}
 		visitFlags(func(f *flag.Flag) {
-			updateMaskedPrefsFromUpOrSetFlag(justEditMP, f.Name)
+			updateMaskedPrefsFromUpFlag(justEditMP, f.Name)
 		})
 	}

 	return simpleUp, justEditMP, nil
 }

-func presentSSHToggleRisk(wantSSH, haveSSH bool, acceptedRisks string) error {
-	if !isSSHOverTailscale() || wantSSH == haveSSH {
-		return nil
-	}
-	if wantSSH {
-		return presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, acceptedRisks)
-	}
-	return presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, acceptedRisks)
-}
-
-func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retErr error) {
+func runUp(ctx context.Context, args []string) (retErr error) {
 	var egg bool
 	if len(args) > 0 {
 		egg = fmt.Sprint(args) == "[up down down left right left right b a]"
@@ -505,11 +479,6 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 	if err != nil {
 		return err
 	}
-	if cmd == "up" {
-		// "tailscale up" should not be able to change the
-		// profile name.
-		prefs.ProfileName = curPrefs.ProfileName
-	}

 	env := upCheckEnv{
 		goos:          effectiveGOOS(),
@@ -523,7 +492,7 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE

 	defer func() {
 		if retErr == nil {
-			checkUpWarnings(ctx)
+			checkSSHUpWarnings(ctx)
 		}
 	}()

@@ -532,106 +501,114 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		justEditMP.EggSet = egg
+		justEditMP.EggSet = true
 		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}

-	watchCtx, cancelWatch := context.WithCancel(ctx)
-	defer cancelWatch()
-	watcher, err := localClient.WatchIPNBus(watchCtx, 0)
-	if err != nil {
-		return err
-	}
-	defer watcher.Close()
+	// At this point we need to subscribe to the IPN bus to watch
+	// for state transitions and possible need to authenticate.
+	c, bc, pumpCtx, cancel := connect(ctx)
+	defer cancel()

-	go func() {
-		interrupt := make(chan os.Signal, 1)
-		signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
-		select {
-		case <-interrupt:
-			cancelWatch()
-		case <-watchCtx.Done():
-		}
-	}()
-
-	running := make(chan bool, 1) // gets value once in state ipn.Running
+	running := make(chan bool, 1)         // gets value once in state ipn.Running
+	gotEngineUpdate := make(chan bool, 1) // gets value upon an engine update
 	pumpErr := make(chan error, 1)
+	go func() { pumpErr <- pump(pumpCtx, bc, c) }()

 	var printed bool // whether we've yet printed anything to stdout or stderr
 	var loginOnce sync.Once
-	startLoginInteractive := func() { loginOnce.Do(func() { localClient.StartLoginInteractive(ctx) }) }
+	startLoginInteractive := func() { loginOnce.Do(func() { bc.StartLoginInteractive() }) }

-	go func() {
-		for {
-			n, err := watcher.Next()
-			if err != nil {
-				pumpErr <- err
-				return
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.Engine != nil {
+			select {
+			case gotEngineUpdate <- true:
+			default:
 			}
-			if n.ErrMessage != nil {
-				msg := *n.ErrMessage
-				fatalf("backend error: %v\n", msg)
-			}
-			if s := n.State; s != nil {
-				switch *s {
-				case ipn.NeedsLogin:
-					startLoginInteractive()
-				case ipn.NeedsMachineAuth:
-					printed = true
-					if env.upArgs.json {
-						printUpDoneJSON(ipn.NeedsMachineAuth, "")
-					} else {
-						fmt.Fprintf(Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s\n\n", prefs.AdminPageURL())
-					}
-				case ipn.Running:
-					// Done full authentication process
-					if env.upArgs.json {
-						printUpDoneJSON(ipn.Running, "")
-					} else if printed {
-						// Only need to print an update if we printed the "please click" message earlier.
-						fmt.Fprintf(Stderr, "Success.\n")
-					}
-					select {
-					case running <- true:
-					default:
-					}
-					cancelWatch()
+		}
+		if n.ErrMessage != nil {
+			msg := *n.ErrMessage
+			if msg == ipn.ErrMsgPermissionDenied {
+				switch effectiveGOOS() {
+				case "windows":
+					msg += " (Tailscale service in use by other user?)"
+				default:
+					msg += " (try 'sudo tailscale up [...]')"
 				}
 			}
-			if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
+			fatalf("backend error: %v\n", msg)
+		}
+		if s := n.State; s != nil {
+			switch *s {
+			case ipn.NeedsLogin:
+				startLoginInteractive()
+			case ipn.NeedsMachineAuth:
 				printed = true
-				if upArgs.json {
-					js := &upOutputJSON{AuthURL: *url, BackendState: st.BackendState}
-
-					q, err := qrcode.New(*url, qrcode.Medium)
-					if err == nil {
-						png, err := q.PNG(128)
-						if err == nil {
-							js.QR = "data:image/png;base64," + base64.StdEncoding.EncodeToString(png)
-						}
-					}
-
-					data, err := json.MarshalIndent(js, "", "\t")
-					if err != nil {
-						printf("upOutputJSON marshalling error: %v", err)
-					} else {
-						outln(string(data))
-					}
+				if env.upArgs.json {
+					printUpDoneJSON(ipn.NeedsMachineAuth, "")
 				} else {
-					fmt.Fprintf(Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
-					if upArgs.qr {
-						q, err := qrcode.New(*url, qrcode.Medium)
-						if err != nil {
-							log.Printf("QR code error: %v", err)
-						} else {
-							fmt.Fprintf(Stderr, "%s\n", q.ToString(false))
-						}
+					fmt.Fprintf(Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s\n\n", prefs.AdminPageURL())
+				}
+			case ipn.Running:
+				// Done full authentication process
+				if env.upArgs.json {
+					printUpDoneJSON(ipn.Running, "")
+				} else if printed {
+					// Only need to print an update if we printed the "please click" message earlier.
+					fmt.Fprintf(Stderr, "Success.\n")
+				}
+				select {
+				case running <- true:
+				default:
+				}
+				cancel()
+			}
+		}
+		if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
+			printed = true
+			if upArgs.json {
+				js := &upOutputJSON{AuthURL: *url, BackendState: st.BackendState}
+
+				q, err := qrcode.New(*url, qrcode.Medium)
+				if err == nil {
+					png, err := q.PNG(128)
+					if err == nil {
+						js.QR = "data:image/png;base64," + base64.StdEncoding.EncodeToString(png)
+					}
+				}
+
+				data, err := json.MarshalIndent(js, "", "\t")
+				if err != nil {
+					printf("upOutputJSON marshalling error: %v", err)
+				} else {
+					outln(string(data))
+				}
+			} else {
+				fmt.Fprintf(Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
+				if upArgs.qr {
+					q, err := qrcode.New(*url, qrcode.Medium)
+					if err != nil {
+						log.Printf("QR code error: %v", err)
+					} else {
+						fmt.Fprintf(Stderr, "%s\n", q.ToString(false))
 					}
 				}
 			}
 		}
-	}()
+	})
+	// Wait for backend client to be connected so we know
+	// we're subscribed to updates. Otherwise we can miss
+	// an update upon its transition to running. Do so by causing some traffic
+	// back to the bus that we then wait on.
+	bc.RequestEngineStatus()
+	select {
+	case <-gotEngineUpdate:
+	case <-pumpCtx.Done():
+		return pumpCtx.Err()
+	case err := <-pumpErr:
+		return err
+	}

 	// Special case: bare "tailscale up" means to just start
 	// running, if there's ever been a login.
@@ -654,12 +631,27 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 		if err != nil {
 			return err
 		}
-		if err := localClient.Start(ctx, ipn.Options{
+		opts := ipn.Options{
+			StateKey:    ipn.GlobalDaemonStateKey,
 			AuthKey:     authKey,
 			UpdatePrefs: prefs,
-		}); err != nil {
-			return err
 		}
+		// On Windows, we still run in mostly the "legacy" way that
+		// predated the server's StateStore. That is, we send an empty
+		// StateKey and send the prefs directly. Although the Windows
+		// supports server mode, though, the transition to StateStore
+		// is only half complete. Only server mode uses it, and the
+		// Windows service (~tailscaled) is the one that computes the
+		// StateKey based on the connection identity. So for now, just
+		// do as the Windows GUI's always done:
+		if effectiveGOOS() == "windows" {
+			// The Windows service will set this as needed based
+			// on our connection's identity.
+			opts.StateKey = ""
+			opts.Prefs = prefs
+		}
+
+		bc.Start(opts)
 		if upArgs.forceReauth {
 			startLoginInteractive()
 		}
@@ -681,13 +673,13 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 	select {
 	case <-running:
 		return nil
-	case <-watchCtx.Done():
+	case <-pumpCtx.Done():
 		select {
 		case <-running:
 			return nil
 		default:
 		}
-		return watchCtx.Err()
+		return pumpCtx.Err()
 	case err := <-pumpErr:
 		select {
 		case <-running:
@@ -700,39 +692,25 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 	}
 }

-// upWorthWarning reports whether the health check message s is worth warning
-// about during "tailscale up". Many of the health checks are noisy or confusing
-// or very ephemeral and happen especially briefly at startup.
-//
-// TODO(bradfitz): change the server to send typed warnings with metadata about
-// the health check, rather than just a string.
-func upWorthyWarning(s string) bool {
-	return strings.Contains(s, healthmsg.TailscaleSSHOnBut) ||
-		strings.Contains(s, healthmsg.WarnAcceptRoutesOff)
-}
-
-func checkUpWarnings(ctx context.Context) {
-	st, err := localClient.StatusWithoutPeers(ctx)
+func checkSSHUpWarnings(ctx context.Context) {
+	if !upArgs.runSSH {
+		return
+	}
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		// Ignore. Don't spam more.
 		return
 	}
-	var warn []string
-	for _, w := range st.Health {
-		if upWorthyWarning(w) {
-			warn = append(warn, w)
-		}
-	}
-	if len(warn) == 0 {
+	if len(st.Health) == 0 {
 		return
 	}
-	if len(warn) == 1 {
-		printf("%s\n", warn[0])
+	if len(st.Health) == 1 && strings.Contains(st.Health[0], "SSH") {
+		printf("%s\n", st.Health[0])
 		return
 	}
-	printf("# Health check warnings:\n")
-	for _, m := range warn {
-		printf("#     - %s\n", m)
+	printf("# Health check:\n")
+	for _, m := range st.Health {
+		printf("    - %s\n", m)
 	}
 }

@@ -772,7 +750,6 @@ func init() {
 	addPrefFlagMapping("unattended", "ForceDaemon")
 	addPrefFlagMapping("operator", "OperatorUser")
 	addPrefFlagMapping("ssh", "RunSSH")
-	addPrefFlagMapping("nickname", "ProfileName")
 }

 func addPrefFlagMapping(flagName string, prefNames ...string) {
@@ -796,7 +773,7 @@ func preflessFlag(flagName string) bool {
 	return false
 }

-func updateMaskedPrefsFromUpOrSetFlag(mp *ipn.MaskedPrefs, flagName string) {
+func updateMaskedPrefsFromUpFlag(mp *ipn.MaskedPrefs, flagName string) {
 	if preflessFlag(flagName) {
 		return
 	}
@@ -955,7 +932,7 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]any) {
 		return env.curExitNodeIP.String()
 	}

-	fs := newUpFlagSet(env.goos, new(upArgsT) /* dummy */, "up")
+	fs := newUpFlagSet(env.goos, new(upArgsT) /* dummy */)
 	fs.VisitAll(func(f *flag.Flag) {
 		if preflessFlag(f.Name) {
 			return
@@ -1077,15 +1054,3 @@ func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netip.Addr) {
 	}
 	return
 }
-
-func anyPeerAdvertisingRoutes(st *ipnstate.Status) bool {
-	for _, ps := range st.Peer {
-		if ps.PrimaryRoutes == nil {
-			continue
-		}
-		if ps.PrimaryRoutes.Len() > 0 {
-			return true
-		}
-	}
-	return false
-}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -23,12 +23,13 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"runtime"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/preftype"
 	"tailscale.com/util/groupmember"
 	"tailscale.com/version/distro"
 )
@@ -223,8 +224,8 @@ func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResp
 		"user":   []string{user},
 	}
 	u := url.URL{
-		Scheme:   "http",
-		Host:     "127.0.0.1:8080",
+		Scheme:   r.URL.Scheme,
+		Host:     r.URL.Host,
 		Path:     "/cgi-bin/authLogin.cgi",
 		RawQuery: query.Encode(),
 	}
@@ -237,8 +238,8 @@ func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse,
 		"sid": []string{sid},
 	}
 	u := url.URL{
-		Scheme:   "http",
-		Host:     "127.0.0.1:8080",
+		Scheme:   r.URL.Scheme,
+		Host:     r.URL.Host,
 		Path:     "/cgi-bin/authLogin.cgi",
 		RawQuery: query.Encode(),
 	}
@@ -316,7 +317,6 @@ req.send(null);
 `

 func webHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
 	if authRedirect(w, r) {
 		return
 	}
@@ -327,18 +327,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	if r.URL.Path == "/redirect" || r.URL.Path == "/redirect/" {
-		io.WriteString(w, authenticationRedirectHTML)
-		return
-	}
-
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	prefs, err := localClient.GetPrefs(ctx)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		w.Write([]byte(authenticationRedirectHTML))
 		return
 	}

@@ -355,31 +344,23 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
-
-		routes, err := calcAdvertiseRoutes(postData.AdvertiseRoutes, postData.AdvertiseExitNode)
-		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
-			return
-		}
-		mp := &ipn.MaskedPrefs{
-			AdvertiseRoutesSet: true,
-			WantRunningSet:     true,
-		}
-		mp.Prefs.WantRunning = true
-		mp.Prefs.AdvertiseRoutes = routes
-		log.Printf("Doing edit: %v", mp.Pretty())
-
-		if _, err := localClient.EditPrefs(ctx, mp); err != nil {
+		prefs, err := localClient.GetPrefs(r.Context())
+		if err != nil && !postData.Reauthenticate {
 			w.WriteHeader(http.StatusInternalServerError)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
+		} else {
+			routes, err := calcAdvertiseRoutes(postData.AdvertiseRoutes, postData.AdvertiseExitNode)
+			if err != nil {
+				w.WriteHeader(http.StatusInternalServerError)
+				json.NewEncoder(w).Encode(mi{"error": err.Error()})
+				return
+			}
+			prefs.AdvertiseRoutes = routes
 		}

 		w.Header().Set("Content-Type", "application/json")
-		log.Printf("tailscaleUp(reauth=%v) ...", postData.Reauthenticate)
-		url, err := tailscaleUp(r.Context(), st, postData.Reauthenticate)
-		log.Printf("tailscaleUp = (URL %v, %v)", url != "", err)
+		url, err := tailscaleUp(r.Context(), prefs, postData.Reauthenticate)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
@@ -393,6 +374,17 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	st, err := localClient.Status(r.Context())
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	prefs, err := localClient.GetPrefs(r.Context())
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
 	profile := st.User[st.Self.UserID]
 	deviceName := strings.Split(st.Self.DNSName, ".")[0]
 	data := tmplData{
@@ -426,53 +418,100 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 	w.Write(buf.Bytes())
 }

-func tailscaleUp(ctx context.Context, st *ipnstate.Status, forceReauth bool) (authURL string, retErr error) {
-	origAuthURL := st.AuthURL
-	isRunning := st.BackendState == ipn.Running.String()
-
-	if !forceReauth {
-		if origAuthURL != "" {
-			return origAuthURL, nil
-		}
-		if isRunning {
-			return "", nil
-		}
+// TODO(crawshaw): some of this is very similar to the code in 'tailscale up', can we share anything?
+func tailscaleUp(ctx context.Context, prefs *ipn.Prefs, forceReauth bool) (authURL string, retErr error) {
+	if prefs == nil {
+		prefs = ipn.NewPrefs()
+		prefs.ControlURL = ipn.DefaultControlURL
+		prefs.WantRunning = true
+		prefs.CorpDNS = true
+		prefs.AllowSingleHosts = true
+		prefs.ForceDaemon = (runtime.GOOS == "windows")
 	}

+	if distro.Get() == distro.Synology {
+		prefs.NetfilterMode = preftype.NetfilterOff
+	}
+
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return "", fmt.Errorf("can't fetch status: %v", err)
+	}
+	origAuthURL := st.AuthURL
+
 	// printAuthURL reports whether we should print out the
 	// provided auth URL from an IPN notify.
 	printAuthURL := func(url string) bool {
 		return url != origAuthURL
 	}

-	watchCtx, cancelWatch := context.WithCancel(ctx)
-	defer cancelWatch()
-	watcher, err := localClient.WatchIPNBus(watchCtx, 0)
-	if err != nil {
-		return "", err
-	}
-	defer watcher.Close()
+	c, bc, pumpCtx, cancel := connect(ctx)
+	defer cancel()

-	go func() {
-		if !isRunning {
-			localClient.Start(ctx, ipn.Options{})
-		}
-		if forceReauth {
-			localClient.StartLoginInteractive(ctx)
-		}
-	}()
+	gotEngineUpdate := make(chan bool, 1) // gets value upon an engine update
+	go pump(pumpCtx, bc, c)

-	for {
-		n, err := watcher.Next()
-		if err != nil {
-			return "", err
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.Engine != nil {
+			select {
+			case gotEngineUpdate <- true:
+			default:
+			}
 		}
 		if n.ErrMessage != nil {
 			msg := *n.ErrMessage
-			return "", fmt.Errorf("backend error: %v", msg)
+			if msg == ipn.ErrMsgPermissionDenied {
+				switch runtime.GOOS {
+				case "windows":
+					msg += " (Tailscale service in use by other user?)"
+				default:
+					msg += " (try 'sudo tailscale up [...]')"
+				}
+			}
+			retErr = fmt.Errorf("backend error: %v", msg)
+			cancel()
+		} else if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
+			authURL = *url
+			cancel()
 		}
-		if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
-			return *url, nil
+		if !forceReauth && n.Prefs != nil {
+			p1, p2 := *n.Prefs, *prefs
+			p1.Persist = nil
+			p2.Persist = nil
+			if p1.Equals(&p2) {
+				cancel()
+			}
 		}
+	})
+	// Wait for backend client to be connected so we know
+	// we're subscribed to updates. Otherwise we can miss
+	// an update upon its transition to running. Do so by causing some traffic
+	// back to the bus that we then wait on.
+	bc.RequestEngineStatus()
+	select {
+	case <-gotEngineUpdate:
+	case <-pumpCtx.Done():
+		return authURL, pumpCtx.Err()
 	}
+
+	bc.SetPrefs(prefs)
+
+	bc.Start(ipn.Options{
+		StateKey: ipn.GlobalDaemonStateKey,
+	})
+	if forceReauth {
+		bc.StartLoginInteractive()
+	}
+
+	<-pumpCtx.Done() // wait for authURL or complete failure
+	if authURL == "" && retErr == nil {
+		if !forceReauth {
+			return "", nil // no auth URL is fine
+		}
+		retErr = pumpCtx.Err()
+	}
+	if authURL == "" && retErr == nil {
+		return "", fmt.Errorf("login failed with no backend error message")
+	}
+	return authURL, retErr
 }
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -2,23 +2,17 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep

        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
        filippo.io/edwards25519/field                                from filippo.io/edwards25519
-   W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
-   W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
-   W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-   D    github.com/google/uuid                                       from tailscale.com/util/quarantine
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
-     💣 github.com/mattn/go-colorable                                from tailscale.com/cmd/tailscale/cli
-     💣 github.com/mattn/go-isatty                                   from github.com/mattn/go-colorable+
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
@@ -43,8 +37,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
-        software.sslmate.com/src/go-pkcs12                           from tailscale.com/cmd/tailscale/cli
-        software.sslmate.com/src/go-pkcs12/internal/rc2              from software.sslmate.com/src/go-pkcs12
        tailscale.com                                                from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
@@ -57,11 +49,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
        tailscale.com/disco                                          from tailscale.com/derp
        tailscale.com/envknob                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/health/healthmsg                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/metrics                                        from tailscale.com/derp
+     💣 tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
@@ -79,7 +70,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
        tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
@@ -96,26 +86,23 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/netmap                                   from tailscale.com/ipn
        tailscale.com/types/nettype                                  from tailscale.com/net/netcheck+
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
+        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/types/ptr                                      from tailscale.com/hostinfo
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
        tailscale.com/types/views                                    from tailscale.com/tailcfg+
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
-        tailscale.com/util/mak                                       from tailscale.com/net/netcheck+
+        tailscale.com/util/mak                                       from tailscale.com/net/netcheck
        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp
-        tailscale.com/util/must                                      from tailscale.com/cmd/tailscale/cli
-        tailscale.com/util/quarantine                                from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
@@ -131,14 +118,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/hkdf                                     from crypto/tls+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http+
-        golang.org/x/net/http/httpproxy                              from net/http+
+        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
@@ -151,8 +135,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
  LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
@@ -185,7 +167,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
-   D    database/sql/driver                                          from github.com/google/uuid
        embed                                                        from tailscale.com/cmd/tailscale/cli+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -224,8 +205,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        net/http                                                     from expvar+
        net/http/cgi                                                 from tailscale.com/cmd/tailscale/cli
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
-        net/http/httputil                                            from tailscale.com/cmd/tailscale/cli
-        net/http/internal                                            from net/http+
+        net/http/internal                                            from net/http
        net/netip                                                    from net+
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
--- a/cmd/tailscale/generate.go
+++ b/cmd/tailscale/generate.go
@@ -1,10 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-//go:generate go run tailscale.com/cmd/mkmanifest amd64 windows-manifest.xml manifest_windows_amd64.syso
-//go:generate go run tailscale.com/cmd/mkmanifest 386 windows-manifest.xml manifest_windows_386.syso
-//go:generate go run tailscale.com/cmd/mkmanifest arm64 windows-manifest.xml manifest_windows_arm64.syso
-//go:generate go run tailscale.com/cmd/mkmanifest arm windows-manifest.xml manifest_windows_arm.syso
--- a/cmd/tailscale/manifest_windows_386.syso
+++ b/cmd/tailscale/manifest_windows_386.syso
--- a/cmd/tailscale/manifest_windows_amd64.syso
+++ b/cmd/tailscale/manifest_windows_amd64.syso
--- a/cmd/tailscale/manifest_windows_arm.syso
+++ b/cmd/tailscale/manifest_windows_arm.syso
--- a/cmd/tailscale/manifest_windows_arm64.syso
+++ b/cmd/tailscale/manifest_windows_arm64.syso
--- a/cmd/tailscale/windows-manifest.xml
+++ b/cmd/tailscale/windows-manifest.xml
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
-
-  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
-      <application>
-          <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 7 -->
-          <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8 -->
-          <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 8.1 -->
-          <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> <!-- Windows 10 -->
-      </application>
-  </compatibility>
-
-</assembly>
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package main

@@ -87,8 +88,6 @@ func runMonitor(ctx context.Context, loop bool) error {
 	if err != nil {
 		return err
 	}
-	defer mon.Close()
-
 	mon.RegisterChangeCallback(func(changed bool, st *interfaces.State) {
 		if !changed {
 			log.Printf("Link monitor fired; no change")
@@ -163,7 +162,7 @@ func getURL(ctx context.Context, urlStr string) error {
 	return res.Write(os.Stdout)
 }

-func checkDerp(ctx context.Context, derpRegion string) (err error) {
+func checkDerp(ctx context.Context, derpRegion string) error {
 	req, err := http.NewRequestWithContext(ctx, "GET", ipn.DefaultControlURL+"/derpmap/default", nil)
 	if err != nil {
 		return fmt.Errorf("create derp map request: %w", err)
@@ -202,12 +201,6 @@ func checkDerp(ctx context.Context, derpRegion string) (err error) {

 	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
 	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
-	defer func() {
-		if err != nil {
-			c1.Close()
-			c2.Close()
-		}
-	}()

 	c2.NotePreferred(true) // just to open it

--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -2,9 +2,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de

        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
        filippo.io/edwards25519/field                                from filippo.io/edwards25519
-   W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
-   W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
-   W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
@@ -67,8 +64,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
  LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
-   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com
-   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
@@ -76,7 +71,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
@@ -178,7 +172,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from tailscale.com/net/tstun+
        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
-        inet.af/peercred                                             from tailscale.com/ipn/ipnauth
+        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
   W 💣 inet.af/wf                                                   from tailscale.com/wf
        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
@@ -200,10 +194,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
        tailscale.com/envknob                                        from tailscale.com/control/controlclient+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
-        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
        tailscale.com/ipn                                            from tailscale.com/ipn/ipnlocal+
-     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ssh/tailssh+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
        tailscale.com/ipn/ipnstate                                   from tailscale.com/control/controlclient+
@@ -220,8 +212,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/logtail                                        from tailscale.com/control/controlclient+
        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
-        tailscale.com/metrics                                        from tailscale.com/derp+
-        tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
+     💣 tailscale.com/metrics                                        from tailscale.com/derp+
        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
        tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
@@ -235,7 +226,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns+
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
-     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnauth+
+     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
        tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/packet                                     from tailscale.com/net/tstun+
        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
@@ -249,11 +240,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
        tailscale.com/net/tstun                                      from tailscale.com/net/dns+
-        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
        tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
-     💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
+        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
-        tailscale.com/smallzstd                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
@@ -270,14 +260,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/control/controlbase+
        tailscale.com/types/logger                                   from tailscale.com/control/controlclient+
-        tailscale.com/types/logid                                    from tailscale.com/logtail+
-        tailscale.com/types/netlogtype                               from tailscale.com/net/connstats+
        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock+
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
+        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
-        tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
        tailscale.com/types/tkatype                                  from tailscale.com/tka+
        tailscale.com/types/views                                    from tailscale.com/ipn/ipnlocal+
@@ -285,23 +273,21 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
  LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
-   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
        tailscale.com/util/goroutines                                from tailscale.com/control/controlclient+
-        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnauth
+        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
-   W    tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnauth
+        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
-        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
-        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
+        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
     💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/version                                        from tailscale.com/derp+
        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
@@ -310,15 +296,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
-        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
+        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
     💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
-        golang.org/x/crypto/acme                                     from tailscale.com/ipn/ipnlocal
+        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
        golang.org/x/crypto/argon2                                   from tailscale.com/tka
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
@@ -336,7 +321,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/maps                                        from tailscale.com/wgengine
        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -358,7 +342,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W    golang.org/x/sys/windows/registry                            from golang.org/x/sys/windows/svc/eventlog+
   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
   W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
        golang.org/x/term                                            from tailscale.com/logpolicy
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
@@ -435,7 +419,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
        os/exec                                                      from github.com/coreos/go-iptables/iptables+
-        os/signal                                                    from tailscale.com/cmd/tailscaled
+        os/signal                                                    from tailscale.com/cmd/tailscaled+
        os/user                                                      from github.com/godbus/dbus/v5+
        path                                                         from github.com/godbus/dbus/v5+
        path/filepath                                                from crypto/x509+
--- a/cmd/tailscaled/generate.go
+++ b/cmd/tailscaled/generate.go
@@ -1,10 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-//go:generate go run tailscale.com/cmd/mkmanifest amd64 windows-manifest.xml manifest_windows_amd64.syso
-//go:generate go run tailscale.com/cmd/mkmanifest 386 windows-manifest.xml manifest_windows_386.syso
-//go:generate go run tailscale.com/cmd/mkmanifest arm64 windows-manifest.xml manifest_windows_arm64.syso
-//go:generate go run tailscale.com/cmd/mkmanifest arm windows-manifest.xml manifest_windows_arm.syso
--- a/cmd/tailscaled/install_darwin.go
+++ b/cmd/tailscaled/install_darwin.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package main

@@ -10,7 +11,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/fs"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -83,13 +83,6 @@ func uninstallSystemDaemonDarwin(args []string) (ret error) {
 			ret = err
 		}
 	}
-
-	// Do not delete targetBin if it's a symlink, which happens if it was installed via
-	// Homebrew.
-	if isSymlink(targetBin) {
-		return ret
-	}
-
 	if err := os.Remove(targetBin); err != nil {
 		if os.IsNotExist(err) {
 			err = nil
@@ -114,24 +107,40 @@ func installSystemDaemonDarwin(args []string) (err error) {
 	// Best effort:
 	uninstallSystemDaemonDarwin(nil)

+	// Copy ourselves to /usr/local/bin/tailscaled.
+	if err := os.MkdirAll(filepath.Dir(targetBin), 0755); err != nil {
+		return err
+	}
 	exe, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("failed to find our own executable path: %w", err)
 	}
-
-	same, err := sameFile(exe, targetBin)
+	tmpBin := targetBin + ".tmp"
+	f, err := os.Create(tmpBin)
 	if err != nil {
 		return err
 	}
-
-	// Do not overwrite targetBin with the binary file if it it's already
-	// pointing to it. This is primarily to handle Homebrew that writes
-	// /usr/local/bin/tailscaled is a symlink to the actual binary.
-	if !same {
-		if err := copyBinary(exe, targetBin); err != nil {
-			return err
-		}
+	self, err := os.Open(exe)
+	if err != nil {
+		f.Close()
+		return err
 	}
+	_, err = io.Copy(f, self)
+	self.Close()
+	if err != nil {
+		f.Close()
+		return err
+	}
+	if err := f.Close(); err != nil {
+		return err
+	}
+	if err := os.Chmod(tmpBin, 0755); err != nil {
+		return err
+	}
+	if err := os.Rename(tmpBin, targetBin); err != nil {
+		return err
+	}
+
 	if err := os.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}
@@ -146,55 +155,3 @@ func installSystemDaemonDarwin(args []string) (err error) {

 	return nil
 }
-
-// copyBinary copies binary file `src` into `dst`.
-func copyBinary(src, dst string) error {
-	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
-		return err
-	}
-	tmpBin := dst + ".tmp"
-	f, err := os.Create(tmpBin)
-	if err != nil {
-		return err
-	}
-	srcf, err := os.Open(src)
-	if err != nil {
-		f.Close()
-		return err
-	}
-	_, err = io.Copy(f, srcf)
-	srcf.Close()
-	if err != nil {
-		f.Close()
-		return err
-	}
-	if err := f.Close(); err != nil {
-		return err
-	}
-	if err := os.Chmod(tmpBin, 0755); err != nil {
-		return err
-	}
-	if err := os.Rename(tmpBin, dst); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func isSymlink(path string) bool {
-	fi, err := os.Lstat(path)
-	return err == nil && (fi.Mode()&os.ModeSymlink == os.ModeSymlink)
-}
-
-// sameFile returns true if both file paths exist and resolve to the same file.
-func sameFile(path1, path2 string) (bool, error) {
-	dst1, err := filepath.EvalSymlinks(path1)
-	if err != nil && !errors.Is(err, fs.ErrNotExist) {
-		return false, fmt.Errorf("EvalSymlinks(%s): %w", path1, err)
-	}
-	dst2, err := filepath.EvalSymlinks(path2)
-	if err != nil && !errors.Is(err, fs.ErrNotExist) {
-		return false, fmt.Errorf("EvalSymlinks(%s): %w", path2, err)
-	}
-	return dst1 == dst2, nil
-}
--- a/cmd/tailscaled/install_windows.go
+++ b/cmd/tailscaled/install_windows.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 package main

--- a/cmd/tailscaled/manifest_windows_386.syso
+++ b/cmd/tailscaled/manifest_windows_386.syso
--- a/cmd/tailscaled/manifest_windows_amd64.syso
+++ b/cmd/tailscaled/manifest_windows_amd64.syso
--- a/cmd/tailscaled/manifest_windows_arm.syso
+++ b/cmd/tailscaled/manifest_windows_arm.syso
--- a/cmd/tailscaled/manifest_windows_arm64.syso
+++ b/cmd/tailscaled/manifest_windows_arm64.syso
--- a/cmd/tailscaled/proxy.go
+++ b/cmd/tailscaled/proxy.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 // HTTP proxy code

--- a/cmd/tailscaled/required_version.go
+++ b/cmd/tailscaled/required_version.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build !go1.19
+// +build !go1.19

 package main

--- a/cmd/tailscaled/ssh.go
+++ b/cmd/tailscaled/ssh.go
@@ -2,7 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || darwin || freebsd
+//go:build linux || darwin
+// +build linux darwin

 package main

--- a/cmd/tailscaled/taildrop.go
+++ b/cmd/tailscaled/taildrop.go
@@ -1,106 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-
-package main
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"tailscale.com/ipn/ipnlocal"
-	"tailscale.com/types/logger"
-	"tailscale.com/version/distro"
-)
-
-func configureTaildrop(logf logger.Logf, lb *ipnlocal.LocalBackend) {
-	dg := distro.Get()
-	switch dg {
-	case distro.Synology, distro.TrueNAS, distro.QNAP:
-		// See if they have a "Taildrop" share.
-		// See https://github.com/tailscale/tailscale/issues/2179#issuecomment-982821319
-		path, err := findTaildropDir(dg)
-		if err != nil {
-			logf("%s Taildrop support: %v", dg, err)
-		} else {
-			logf("%s Taildrop: using %v", dg, path)
-			lb.SetDirectFileRoot(path)
-			lb.SetDirectFileDoFinalRename(true)
-		}
-	}
-
-}
-
-func findTaildropDir(dg distro.Distro) (string, error) {
-	const name = "Taildrop"
-	switch dg {
-	case distro.Synology:
-		return findSynologyTaildropDir(name)
-	case distro.TrueNAS:
-		return findTrueNASTaildropDir(name)
-	case distro.QNAP:
-		return findQnapTaildropDir(name)
-	}
-	return "", fmt.Errorf("%s is an unsupported distro for Taildrop dir", dg)
-}
-
-// findSynologyTaildropDir looks for the first volume containing a
-// "Taildrop" directory.  We'd run "synoshare --get Taildrop" command
-// but on DSM7 at least, we lack permissions to run that.
-func findSynologyTaildropDir(name string) (dir string, err error) {
-	for i := 1; i <= 16; i++ {
-		dir = fmt.Sprintf("/volume%v/%s", i, name)
-		if fi, err := os.Stat(dir); err == nil && fi.IsDir() {
-			return dir, nil
-		}
-	}
-	return "", fmt.Errorf("shared folder %q not found", name)
-}
-
-// findTrueNASTaildropDir returns the first matching directory of
-// /mnt/{name} or /mnt/*/{name}
-func findTrueNASTaildropDir(name string) (dir string, err error) {
-	// If we're running in a jail, a mount point could just be added at /mnt/Taildrop
-	dir = fmt.Sprintf("/mnt/%s", name)
-	if fi, err := os.Stat(dir); err == nil && fi.IsDir() {
-		return dir, nil
-	}
-
-	// but if running on the host, it may be something like /mnt/Primary/Taildrop
-	fis, err := os.ReadDir("/mnt")
-	if err != nil {
-		return "", fmt.Errorf("error reading /mnt: %w", err)
-	}
-	for _, fi := range fis {
-		dir = fmt.Sprintf("/mnt/%s/%s", fi.Name(), name)
-		if fi, err := os.Stat(dir); err == nil && fi.IsDir() {
-			return dir, nil
-		}
-	}
-	return "", fmt.Errorf("shared folder %q not found", name)
-}
-
-// findQnapTaildropDir checks if a Shared Folder named "Taildrop" exists.
-func findQnapTaildropDir(name string) (string, error) {
-	dir := fmt.Sprintf("/share/%s", name)
-	fi, err := os.Stat(dir)
-	if err != nil {
-		return "", fmt.Errorf("shared folder %q not found", name)
-	}
-	if fi.IsDir() {
-		return dir, nil
-	}
-
-	// share/Taildrop is usually a symlink to CACHEDEV1_DATA/Taildrop/ or some such.
-	fullpath, err := filepath.EvalSymlinks(dir)
-	if err != nil {
-		return "", fmt.Errorf("symlink to shared folder %q not found", name)
-	}
-	if fi, err = os.Stat(fullpath); err == nil && fi.IsDir() {
-		return dir, nil // return the symlink, how QNAP set it up
-	}
-	return "", fmt.Errorf("shared folder %q not found", name)
-}
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.

 //go:build go1.19
+// +build go1.19

 // The tailscaled program is the Tailscale client daemon. It's configured
 // and controlled via the tailscale CLI program.
@@ -33,13 +34,12 @@ import (
 	"tailscale.com/cmd/tailscaled/childproc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
-	"tailscale.com/ipn/ipnlocal"
+	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/ipn/store"
 	"tailscale.com/logpolicy"
 	"tailscale.com/logtail"
 	"tailscale.com/net/dns"
-	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/proxymux"
 	"tailscale.com/net/socks5"
@@ -47,8 +47,6 @@ import (
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
-	"tailscale.com/smallzstd"
-	"tailscale.com/syncs"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
@@ -90,7 +88,7 @@ func defaultTunName() string {
 			// see https://github.com/tailscale/tailscale/issues/391
 			//
 			// But Gokrazy does have the tun module built-in, so users
-			// can still run --tun=tailscale0 if they wish, if they
+			// can stil run --tun=tailscale0 if they wish, if they
 			// arrange for iptables to be present or run in "tailscale
 			// up --netfilter-mode=off" mode, perhaps. Untested.
 			return "userspace-networking"
@@ -111,9 +109,6 @@ func defaultPort() uint16 {
 			return uint16(p)
 		}
 	}
-	if envknob.GOOS() == "windows" {
-		return 41641
-	}
 	return 0
 }

@@ -163,7 +158,7 @@ func main() {
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an ephemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
+	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
@@ -280,22 +275,13 @@ func statePathOrDefault() string {
 	return ""
 }

-// serverOptions is the configuration of the Tailscale node agent.
-type serverOptions struct {
-	// VarRoot is the Tailscale daemon's private writable
-	// directory (usually "/var/lib/tailscale" on Linux) that
-	// contains the "tailscaled.state" file, the "certs" directory
-	// for TLS certs, and the "files" directory for incoming
-	// Taildrop files before they're moved to a user directory.
-	// If empty, Taildrop and TLS certs don't function.
-	VarRoot string
-
-	// LoginFlags specifies the LoginFlags to pass to the client.
-	LoginFlags controlclient.LoginFlags
-}
-
-func ipnServerOpts() (o serverOptions) {
-	goos := envknob.GOOS()
+func ipnServerOpts() (o ipnserver.Options) {
+	// Allow changing the OS-specific IPN behavior for tests
+	// so we can e.g. test Windows-specific behaviors on Linux.
+	goos := envknob.String("TS_DEBUG_TAILSCALED_IPN_GOOS")
+	if goos == "" {
+		goos = runtime.GOOS
+	}

 	o.VarRoot = args.statedir

@@ -318,19 +304,21 @@ func ipnServerOpts() (o serverOptions) {
 		// TODO(bradfitz): if we start using browser LocalStorage
 		// or something, then rethink this.
 		o.LoginFlags = controlclient.LoginEphemeral
+		fallthrough
+	default:
+		o.SurviveDisconnects = true
+		o.AutostartStateKey = ipn.GlobalDaemonStateKey
 	case "windows":
 		// Not those.
 	}
 	return o
 }

-var logPol *logpolicy.Policy
-var debugMux *http.ServeMux
-
 func run() error {
+	var err error
+
 	pol := logpolicy.New(logtail.CollectionNode)
 	pol.SetVerbosityLevel(args.verbose)
-	logPol = pol
 	defer func() {
 		// Finish uploading logs after closing everything else.
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
@@ -374,97 +362,24 @@ func run() error {
 		log.Printf("error in synology migration: %v", err)
 	}

+	var debugMux *http.ServeMux
 	if args.debug != "" {
 		debugMux = newDebugMux()
 	}

-	logid := pol.PublicID.String()
-	return startIPNServer(context.Background(), logf, logid)
-}
-
-func startIPNServer(ctx context.Context, logf logger.Logf, logid string) error {
-	ln, _, err := safesocket.Listen(args.socketpath, safesocket.WindowsLocalPort)
-	if err != nil {
-		return fmt.Errorf("safesocket.Listen: %v", err)
-	}
-
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-	// Exit gracefully by cancelling the ipnserver context in most common cases:
-	// interrupted from the TTY or killed by a service manager.
-	interrupt := make(chan os.Signal, 1)
-	signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
-	// SIGPIPE sometimes gets generated when CLIs disconnect from
-	// tailscaled. The default action is to terminate the process, we
-	// want to keep running.
-	signal.Ignore(syscall.SIGPIPE)
-	go func() {
-		select {
-		case s := <-interrupt:
-			logf("tailscaled got signal %v; shutting down", s)
-			cancel()
-		case <-ctx.Done():
-			// continue
-		}
-	}()
-
-	srv := ipnserver.New(logf, logid)
-	if debugMux != nil {
-		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
-	}
-	var lbErr syncs.AtomicValue[error]
-
-	go func() {
-		t0 := time.Now()
-		if s, ok := envknob.LookupInt("TS_DEBUG_BACKEND_DELAY_SEC"); ok {
-			d := time.Duration(s) * time.Second
-			logf("sleeping %v before starting backend...", d)
-			select {
-			case <-time.After(d):
-				logf("slept %v; starting backend...", d)
-			case <-ctx.Done():
-				return
-			}
-		}
-		lb, err := getLocalBackend(ctx, logf, logid)
-		if err == nil {
-			logf("got LocalBackend in %v", time.Since(t0).Round(time.Millisecond))
-			srv.SetLocalBackend(lb)
-			return
-		}
-		lbErr.Store(err) // before the following cancel
-		cancel()         // make srv.Run below complete
-	}()
-
-	err = srv.Run(ctx, ln)
-
-	if err != nil && lbErr.Load() != nil {
-		return fmt.Errorf("getLocalBackend error: %v", lbErr.Load())
-	}
-
-	// Cancelation is not an error: it is the only way to stop ipnserver.
-	if err != nil && !errors.Is(err, context.Canceled) {
-		return fmt.Errorf("ipnserver.Run: %w", err)
-	}
-
-	return nil
-}
-
-func getLocalBackend(ctx context.Context, logf logger.Logf, logid string) (_ *ipnlocal.LocalBackend, retErr error) {
 	linkMon, err := monitor.New(logf)
 	if err != nil {
-		return nil, fmt.Errorf("monitor.New: %w", err)
-	}
-	if logPol != nil {
-		logPol.Logtail.SetLinkMonitor(linkMon)
+		return fmt.Errorf("monitor.New: %w", err)
 	}
+	pol.Logtail.SetLinkMonitor(linkMon)

 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)

-	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
-	e, onlyNetstack, err := createEngine(logf, linkMon, dialer)
+	dialer := new(tsdial.Dialer) // mutated below (before used)
+	dialer.Logf = logf
+	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
-		return nil, fmt.Errorf("createEngine: %w", err)
+		return fmt.Errorf("createEngine: %w", err)
 	}
 	if _, ok := e.(wgengine.ResolvingEngine).GetResolver(); !ok {
 		panic("internal error: exit node resolver not wired up")
@@ -480,12 +395,12 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logid string) (_ *ip

 	ns, err := newNetstack(logf, dialer, e)
 	if err != nil {
-		return nil, fmt.Errorf("newNetstack: %w", err)
+		return fmt.Errorf("newNetstack: %w", err)
 	}
-	ns.ProcessLocalIPs = onlyNetstack
-	ns.ProcessSubnets = onlyNetstack || handleSubnetsInNetstack()
+	ns.ProcessLocalIPs = useNetstack
+	ns.ProcessSubnets = useNetstack || shouldWrapNetstack()

-	if onlyNetstack {
+	if useNetstack {
 		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
@@ -514,47 +429,69 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logid string) (_ *ip

 	e = wgengine.NewWatchdog(e)

+	ctx, cancel := context.WithCancel(context.Background())
+	// Exit gracefully by cancelling the ipnserver context in most common cases:
+	// interrupted from the TTY or killed by a service manager.
+	interrupt := make(chan os.Signal, 1)
+	signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
+	// SIGPIPE sometimes gets generated when CLIs disconnect from
+	// tailscaled. The default action is to terminate the process, we
+	// want to keep running.
+	signal.Ignore(syscall.SIGPIPE)
+	go func() {
+		select {
+		case s := <-interrupt:
+			logf("tailscaled got signal %v; shutting down", s)
+			cancel()
+		case <-ctx.Done():
+			// continue
+		}
+	}()
+
 	opts := ipnServerOpts()

 	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
-		return nil, fmt.Errorf("store.New: %w", err)
+		return fmt.Errorf("store.New: %w", err)
 	}
-
-	lb, err := ipnlocal.NewLocalBackend(logf, logid, store, "", dialer, e, opts.LoginFlags)
+	srv, err := ipnserver.New(logf, pol.PublicID.String(), store, e, dialer, nil, opts)
 	if err != nil {
-		return nil, fmt.Errorf("ipnlocal.NewLocalBackend: %w", err)
+		return fmt.Errorf("ipnserver.New: %w", err)
 	}
-	lb.SetVarRoot(opts.VarRoot)
-	if root := lb.TailscaleVarRoot(); root != "" {
-		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"))
-	}
-	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
-		return smallzstd.NewDecoder(nil)
-	})
-	configureTaildrop(logf, lb)
-	ns.SetLocalBackend(lb)
+	ns.SetLocalBackend(srv.LocalBackend())
 	if err := ns.Start(); err != nil {
 		log.Fatalf("failed to start netstack: %v", err)
 	}
-	return lb, nil
+
+	if debugMux != nil {
+		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
+	}
+
+	ln, _, err := safesocket.Listen(args.socketpath, safesocket.WindowsLocalPort)
+	if err != nil {
+		return fmt.Errorf("safesocket.Listen: %v", err)
+	}
+	defer dialer.Close()
+
+	err = srv.Run(ctx, ln)
+	// Cancelation is not an error: it is the only way to stop ipnserver.
+	if err != nil && err != context.Canceled {
+		return fmt.Errorf("ipnserver.Run: %w", err)
+	}
+
+	return nil
 }

-// createEngine tries to the wgengine.Engine based on the order of tunnels
-// specified in the command line flags.
-//
-// onlyNetstack is true if the user has explicitly requested that we use netstack
-// for all networking.
-func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer) (e wgengine.Engine, onlyNetstack bool, err error) {
+func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer) (e wgengine.Engine, useNetstack bool, err error) {
 	if args.tunname == "" {
 		return nil, false, errors.New("no --tun value specified")
 	}
 	var errs []error
 	for _, name := range strings.Split(args.tunname, ",") {
 		logf("wgengine.NewUserspaceEngine(tun %q) ...", name)
-		e, onlyNetstack, err = tryEngine(logf, linkMon, dialer, name)
+		e, useNetstack, err = tryEngine(logf, linkMon, dialer, name)
 		if err == nil {
-			return e, onlyNetstack, nil
+			return e, useNetstack, nil
 		}
 		logf("wgengine.NewUserspaceEngine(tun %q) error: %v", name, err)
 		errs = append(errs, err)
@@ -562,12 +499,8 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer)
 	return nil, false, multierr.New(errs...)
 }

-// handleSubnetsInNetstack reports whether netstack should handle subnet routers
-// as opposed to the OS. We do this if the OS doesn't support subnet routers
-// (e.g. Windows) or if the user has explicitly requested it (e.g.
-// --tun=userspace-networking).
-func handleSubnetsInNetstack() bool {
-	if v, ok := envknob.LookupBool("TS_DEBUG_NETSTACK_SUBNETS"); ok {
+func shouldWrapNetstack() bool {
+	if v, ok := envknob.LookupBool("TS_DEBUG_WRAP_NETSTACK"); ok {
 		return v
 	}
 	if distro.Get() == distro.Synology {
@@ -582,17 +515,15 @@ func handleSubnetsInNetstack() bool {
 	return false
 }

-var tstunNew = tstun.New
-
-func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, name string) (e wgengine.Engine, onlyNetsack bool, err error) {
+func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, name string) (e wgengine.Engine, useNetstack bool, err error) {
 	conf := wgengine.Config{
 		ListenPort:  args.port,
 		LinkMonitor: linkMon,
 		Dialer:      dialer,
 	}

-	onlyNetsack = name == "userspace-networking"
-	netns.SetEnabled(!onlyNetsack)
+	useNetstack = name == "userspace-networking"
+	netns.SetEnabled(!useNetstack)

 	if args.birdSocketPath != "" && createBIRDClient != nil {
 		log.Printf("Connecting to BIRD at %s ...", args.birdSocketPath)
@@ -601,7 +532,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 			return nil, false, fmt.Errorf("createBIRDClient: %w", err)
 		}
 	}
-	if onlyNetsack {
+	if useNetstack {
 		if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 			// On Synology in netstack mode, still init a DNS
 			// manager (directManager) to avoid the health check
@@ -615,7 +546,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 			}
 		}
 	} else {
-		dev, devName, err := tstunNew(logf, name)
+		dev, devName, err := tstun.New(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name, err)
 			return nil, false, fmt.Errorf("tstun.New(%q): %w", name, err)
@@ -634,21 +565,19 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 		}
 		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
-			dev.Close()
-			r.Close()
 			return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 		}
 		conf.DNS = d
 		conf.Router = r
-		if handleSubnetsInNetstack() {
+		if shouldWrapNetstack() {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
 		}
 	}
 	e, err = wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
-		return nil, onlyNetsack, err
+		return nil, useNetstack, err
 	}
-	return e, onlyNetsack, nil
+	return e, useNetstack, nil
 }

 func newDebugMux() *http.ServeMux {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .34.2
 .31.0