api.md: add TOC

2021-01-19 12:34:22 -08:00
50 changed files with 555 additions and 1739 deletions
--- a/3
+++ b/3
@@ -48,9 +48,6 @@ RUN go mod download

 COPY . .

-ARG goflags_arg # default intentionally unset
-ENV GOFLAGS=$goflags_arg
-
 RUN go install -v ./cmd/...

 FROM alpine:3.11
--- a/46
+++ b/46
@@ -1,29 +1,27 @@
-BSD 3-Clause License
-
-Copyright (c) 2020 Tailscale & AUTHORS.
-All rights reserved.
+Copyright (c) 2020 Tailscale & AUTHORS. All rights reserved.

 Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+modification, are permitted provided that the following conditions are
+met:

-1. Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer.
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Tailscale Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.

-2. Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its
-   contributors may be used to endorse or promote products derived from
-   this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.4.4
+1.3.0
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -1,31 +0,0 @@
-#!/usr/bin/env sh
-
-#
-# Runs `go build` with flags configured for docker distribution. All
-# it does differently from `go build` is burn git commit and version
-# information into the binaries inside docker, so that we can track down user
-# issues.
-#
-############################################################################
-#
-# WARNING: Tailscale is not yet officially supported in Docker,
-# Kubernetes, etc.
-#
-# It might work, but we don't regularly test it, and it's not as polished as
-# our currently supported platforms. This is provided for people who know
-# how Tailscale works and what they're doing.
-#
-# Our tracking bug for officially support container use cases is:
-#    https://github.com/tailscale/tailscale/issues/504
-#
-# Also, see the various bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
-#
-############################################################################
-
-set -eu
-
-eval $(./version/version.sh)
-
-GOFLAGS='-tags xversion -ldflags '"-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}"
-docker build --build-arg goflags_arg="'""${GOFLAGS}""'" -t tailscale:tailscale .
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -64,63 +64,34 @@ func runPing(ctx context.Context, args []string) error {
 	c, bc, ctx, cancel := connect(ctx)
 	defer cancel()

-	if len(args) != 1 || args[0] == "" {
+	if len(args) != 1 {
 		return errors.New("usage: ping <hostname-or-IP>")
 	}
+	hostOrIP := args[0]
 	var ip string
-	prc := make(chan *ipnstate.PingResult, 1)
-	stc := make(chan *ipnstate.Status, 1)
+	var res net.Resolver
+	if addrs, err := res.LookupHost(ctx, hostOrIP); err != nil {
+		return fmt.Errorf("error looking up IP of %q: %v", hostOrIP, err)
+	} else if len(addrs) == 0 {
+		return fmt.Errorf("no IPs found for %q", hostOrIP)
+	} else {
+		ip = addrs[0]
+	}
+	if pingArgs.verbose && ip != hostOrIP {
+		log.Printf("lookup %q => %q", hostOrIP, ip)
+	}
+
+	ch := make(chan *ipnstate.PingResult, 1)
 	bc.SetNotifyCallback(func(n ipn.Notify) {
 		if n.ErrMessage != nil {
 			log.Fatal(*n.ErrMessage)
 		}
 		if pr := n.PingResult; pr != nil && pr.IP == ip {
-			prc <- pr
-		}
-		if n.Status != nil {
-			stc <- n.Status
+			ch <- pr
 		}
 	})
 	go pump(ctx, bc, c)

-	hostOrIP := args[0]
-
-	// If the argument is an IP address, use it directly without any resolution.
-	if net.ParseIP(hostOrIP) != nil {
-		ip = hostOrIP
-	}
-
-	// Otherwise, try to resolve it first from the network peer list.
-	if ip == "" {
-		bc.RequestStatus()
-		select {
-		case st := <-stc:
-			for _, ps := range st.Peer {
-				if hostOrIP == dnsOrQuoteHostname(st, ps) || hostOrIP == ps.DNSName {
-					ip = ps.TailAddr
-					break
-				}
-			}
-		case <-ctx.Done():
-			return ctx.Err()
-		}
-	}
-
-	// Finally, use DNS.
-	if ip == "" {
-		var res net.Resolver
-		if addrs, err := res.LookupHost(ctx, hostOrIP); err != nil {
-			return fmt.Errorf("error looking up IP of %q: %v", hostOrIP, err)
-		} else if len(addrs) == 0 {
-			return fmt.Errorf("no IPs found for %q", hostOrIP)
-		} else {
-			ip = addrs[0]
-		}
-	}
-	if pingArgs.verbose && ip != hostOrIP {
-		log.Printf("lookup %q => %q", hostOrIP, ip)
-	}
-
 	n := 0
 	anyPong := false
 	for {
@@ -130,7 +101,7 @@ func runPing(ctx context.Context, args []string) error {
 		select {
 		case <-timer.C:
 			fmt.Printf("timeout waiting for ping reply\n")
-		case pr := <-prc:
+		case pr := <-ch:
 			timer.Stop()
 			if pr.Err != "" {
 				return errors.New(pr.Err)
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -14,6 +14,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"sort"
 	"strings"
 	"time"

@@ -65,17 +66,7 @@ func runStatus(ctx context.Context, args []string) error {
 			log.Fatal(*n.ErrMessage)
 		}
 		if n.Status != nil {
-			select {
-			case ch <- n.Status:
-			default:
-				// A status update from somebody else's request.
-				// Ignoring this matters mostly for "tailscale status -web"
-				// mode, otherwise the channel send would block forever
-				// and pump would stop reading from tailscaled, which
-				// previously caused tailscaled to block (while holding
-				// a mutex), backing up unrelated clients.
-				// See https://github.com/tailscale/tailscale/issues/1234
-			}
+			ch <- n.Status
 		}
 	})
 	go pump(ctx, bc, c)
@@ -190,7 +181,7 @@ func runStatus(ctx context.Context, args []string) error {
 			}
 			peers = append(peers, ps)
 		}
-		ipnstate.SortPeers(peers)
+		sort.Slice(peers, func(i, j int) bool { return sortKey(peers[i]) < sortKey(peers[j]) })
 		for _, ps := range peers {
 			active := peerActive(ps)
 			if statusArgs.active && !active {
@@ -220,6 +211,16 @@ func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	return fmt.Sprintf("(%q)", strings.ReplaceAll(ps.SimpleHostName(), " ", "_"))
 }

+func sortKey(ps *ipnstate.PeerStatus) string {
+	if ps.DNSName != "" {
+		return ps.DNSName
+	}
+	if ps.HostName != "" {
+		return ps.HostName
+	}
+	return ps.TailAddr
+}
+
 func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	if ps.UserID.IsZero() {
 		return "-"
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -120,11 +120,6 @@ func checkIPForwarding() {
 	}
 }

-var (
-	ipv4default = netaddr.MustParseIPPrefix("0.0.0.0/0")
-	ipv6default = netaddr.MustParseIPPrefix("::/0")
-)
-
 func runUp(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		log.Fatalf("too many non-flag arguments: %q", args)
@@ -144,7 +139,6 @@ func runUp(ctx context.Context, args []string) error {
 	}

 	var routes []netaddr.IPPrefix
-	var default4, default6 bool
 	if upArgs.advertiseRoutes != "" {
 		advroutes := strings.Split(upArgs.advertiseRoutes, ",")
 		for _, s := range advroutes {
@@ -155,18 +149,8 @@ func runUp(ctx context.Context, args []string) error {
 			if ipp != ipp.Masked() {
 				fatalf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
 			}
-			if ipp == ipv4default {
-				default4 = true
-			} else if ipp == ipv6default {
-				default6 = true
-			}
 			routes = append(routes, ipp)
 		}
-		if default4 && !default6 {
-			fatalf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
-		} else if default6 && !default4 {
-			fatalf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv6default, ipv4default)
-		}
 		checkIPForwarding()
 	}

@@ -228,16 +212,7 @@ func runUp(ctx context.Context, args []string) error {
 		AuthKey:  upArgs.authKey,
 		Notify: func(n ipn.Notify) {
 			if n.ErrMessage != nil {
-				msg := *n.ErrMessage
-				if msg == ipn.ErrMsgPermissionDenied {
-					switch runtime.GOOS {
-					case "windows":
-						msg += " (Tailscale service in use by other user?)"
-					default:
-						msg += " (try 'sudo tailscale up [...]')"
-					}
-				}
-				fatalf("backend error: %v\n", msg)
+				fatalf("backend error: %v\n", *n.ErrMessage)
 			}
 			if s := n.State; s != nil {
 				switch *s {
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -66,7 +66,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
        tailscale.com/types/key                                      from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
@@ -89,7 +88,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
-        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -103,7 +103,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
        tailscale.com/types/key                                      from tailscale.com/derp+
@@ -113,7 +112,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
-        tailscale.com/util/dnsname                                   from tailscale.com/wgengine/tsdns+
+        tailscale.com/util/dnsname                                   from tailscale.com/control/controlclient+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
@@ -130,7 +129,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine+
-        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -103,6 +103,10 @@ func main() {
 		os.Exit(0)
 	}

+	if args.statepath == "" {
+		log.Fatalf("--state is required")
+	}
+
 	if args.socketpath == "" && runtime.GOOS != "windows" {
 		log.Fatalf("--socket is required")
 	}
@@ -136,10 +140,6 @@ func run() error {
 		return nil
 	}

-	if args.statepath == "" {
-		log.Fatalf("--state is required")
-	}
-
 	var debugMux *http.ServeMux
 	if args.debug != "" {
 		debugMux = newDebugMux()
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -20,5 +20,22 @@ CacheDirectory=tailscale
 CacheDirectoryMode=0750
 Type=notify

+DeviceAllow=/dev/net/tun
+DeviceAllow=/dev/null
+DeviceAllow=/dev/random
+DeviceAllow=/dev/urandom
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/etc/
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+
 [Install]
 WantedBy=multi-user.target
--- a/cmd/tsshd/tsshd.go
+++ b/cmd/tsshd/tsshd.go
@@ -32,9 +32,7 @@ import (
 	"github.com/gliderlabs/ssh"
 	"github.com/kr/pty"
 	gossh "golang.org/x/crypto/ssh"
-	"inet.af/netaddr"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/net/tsaddr"
 )

 var (
@@ -98,13 +96,7 @@ func handleSSH(s ssh.Session) {
 		s.Exit(1)
 		return
 	}
-	tanetaddr, ok := netaddr.FromStdIP(ta.IP)
-	if !ok {
-		log.Printf("tsshd: rejecting unparseable addr %v", ta.IP)
-		s.Exit(1)
-		return
-	}
-	if !tsaddr.IsTailscaleIP(tanetaddr) {
+	if !interfaces.IsTailscaleIP(ta.IP) {
 		log.Printf("tsshd: rejecting non-Tailscale addr %v", ta.IP)
 		s.Exit(1)
 		return
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -213,7 +213,7 @@ func (c *Client) sendNewMapRequest() {
 	// If we're not already streaming a netmap, or if we're already stuck
 	// in a lite update, then tear down everything and start a new stream
 	// (which starts by sending a new map request)
-	if !c.inPollNetMap || c.inLiteMapUpdate || !c.loggedIn {
+	if !c.inPollNetMap || c.inLiteMapUpdate {
 		c.mu.Unlock()
 		c.cancelMapSafely()
 		return
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -550,9 +550,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 	everEndpoints := c.everEndpoints
 	c.mu.Unlock()

-	if persist.PrivateNodeKey.IsZero() {
-		return errors.New("privateNodeKey is zero")
-	}
 	if backendLogID == "" {
 		return errors.New("hostinfo: BackendLogID missing")
 	}
@@ -747,14 +744,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 			}
 			resp.Peers = filtered
 		}
-		if Debug.StripEndpoints {
-			for _, p := range resp.Peers {
-				// We need at least one endpoint here for now else
-				// other code doesn't even create the discoEndpoint.
-				// TODO(bradfitz): fix that and then just nil this out.
-				p.Endpoints = []string{"127.9.9.9:456"}
-			}
-		}

 		if pf := resp.PacketFilter; pf != nil {
 			lastParsedPacketFilter = c.parsePacketFilter(pf)
@@ -773,7 +762,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 		c.mu.Unlock()

 		nm := &NetworkMap{
-			SelfNode:        resp.Node,
 			NodeKey:         tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
 			PrivateKey:      persist.PrivateNodeKey,
 			MachineKey:      machinePubKey,
@@ -802,10 +790,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*Netw
 			}
 		}
 		addUserProfile(nm.User)
-		magicDNSSuffix := nm.MagicDNSSuffix()
-		nm.SelfNode.InitDisplayNames(magicDNSSuffix)
 		for _, peer := range resp.Peers {
-			peer.InitDisplayNames(magicDNSSuffix)
 			if !peer.Sharer.IsZero() {
 				if c.keepSharerAndUserSplit {
 					addUserProfile(peer.Sharer)
@@ -987,21 +972,19 @@ func loadServerKey(ctx context.Context, httpc *http.Client, serverURL string) (w
 var Debug = initDebug()

 type debug struct {
-	NetMap         bool
-	ProxyDNS       bool
-	OnlyDisco      bool
-	Disco          bool
-	StripEndpoints bool // strip endpoints from control (only use disco messages)
+	NetMap    bool
+	ProxyDNS  bool
+	OnlyDisco bool
+	Disco     bool
 }

 func initDebug() debug {
 	use := os.Getenv("TS_DEBUG_USE_DISCO")
 	return debug{
-		NetMap:         envBool("TS_DEBUG_NETMAP"),
-		ProxyDNS:       envBool("TS_DEBUG_PROXY_DNS"),
-		StripEndpoints: envBool("TS_DEBUG_STRIP_ENDPOINTS"),
-		OnlyDisco:      use == "only",
-		Disco:          use == "only" || use == "" || envBool("TS_DEBUG_USE_DISCO"),
+		NetMap:    envBool("TS_DEBUG_NETMAP"),
+		ProxyDNS:  envBool("TS_DEBUG_PROXY_DNS"),
+		OnlyDisco: use == "only",
+		Disco:     use == "only" || use == "" || envBool("TS_DEBUG_USE_DISCO"),
 	}
 }

@@ -1082,24 +1065,6 @@ func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
 		}
 	}
 	sortNodes(newFull)
-
-	if mapRes.PeerSeenChange != nil {
-		peerByID := make(map[tailcfg.NodeID]*tailcfg.Node, len(newFull))
-		for _, n := range newFull {
-			peerByID[n.ID] = n
-		}
-		now := time.Now()
-		for nodeID, seen := range mapRes.PeerSeenChange {
-			if n, ok := peerByID[nodeID]; ok {
-				if seen {
-					n.LastSeen = &now
-				} else {
-					n.LastSeen = nil
-				}
-			}
-		}
-	}
-
 	mapRes.Peers = newFull
 	mapRes.PeersChanged = nil
 	mapRes.PeersRemoved = nil
--- a/control/controlclient/netmap.go
+++ b/control/controlclient/netmap.go
@@ -18,13 +18,13 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/wgkey"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/filter"
 )

 type NetworkMap struct {
 	// Core networking

-	SelfNode   *tailcfg.Node
 	NodeKey    tailcfg.NodeKey
 	PrivateKey wgkey.Private
 	Expiry     time.Time
@@ -63,16 +63,27 @@ type NetworkMap struct {
 	// TODO(crawshaw): Capabilities []tailcfg.Capability
 }

-// MagicDNSSuffix returns the domain's MagicDNS suffix (even if
-// MagicDNS isn't necessarily in use).
-//
-// It will neither start nor end with a period.
+// MagicDNSSuffix returns the domain's MagicDNS suffix, or empty if none.
+// If non-empty, it will neither start nor end with a period.
 func (nm *NetworkMap) MagicDNSSuffix() string {
-	name := strings.Trim(nm.Name, ".")
-	if i := strings.Index(name, "."); i != -1 {
-		name = name[i+1:]
+	searchPathUsedAsDNSSuffix := func(suffix string) bool {
+		if dnsname.HasSuffix(nm.Name, suffix) {
+			return true
+		}
+		for _, p := range nm.Peers {
+			if dnsname.HasSuffix(p.Name, suffix) {
+				return true
+			}
+		}
+		return false
 	}
-	return name
+
+	for _, d := range nm.DNS.Domains {
+		if searchPathUsedAsDNSSuffix(d) {
+			return strings.Trim(d, ".")
+		}
+	}
+	return ""
 }

 func (nm *NetworkMap) String() string {
@@ -301,14 +312,12 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 		for _, allowedIP := range peer.AllowedIPs {
 			if allowedIP.Bits == 0 {
 				if (flags & AllowDefaultRoute) == 0 {
-					logf("[v1] wgcfg: not accepting default route from %q (%v)",
-						nodeDebugName(peer), peer.Key.ShortString())
+					logf("[v1] wgcfg: %v skipping default route", peer.Key.ShortString())
 					continue
 				}
 			} else if cidrIsSubnet(peer, allowedIP) {
 				if (flags & AllowSubnetRoutes) == 0 {
-					logf("[v1] wgcfg: not accepting subnet route %v from %q (%v)",
-						allowedIP, nodeDebugName(peer), peer.Key.ShortString())
+					logf("[v1] wgcfg: %v skipping subnet route", peer.Key.ShortString())
 					continue
 				}
 			}
@@ -319,20 +328,6 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 	return cfg, nil
 }

-func nodeDebugName(n *tailcfg.Node) string {
-	name := n.Name
-	if name == "" {
-		name = n.Hostinfo.Hostname
-	}
-	if i := strings.Index(name, "."); i != -1 {
-		name = name[:i]
-	}
-	if name == "" && len(n.Addresses) != 0 {
-		return n.Addresses[0].String()
-	}
-	return name
-}
-
 // cidrIsSubnet reports whether cidr is a non-default-route subnet
 // exported by node that is not one of its own self addresses.
 func cidrIsSubnet(node *tailcfg.Node, cidr netaddr.IPPrefix) bool {
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -70,7 +70,7 @@ func Parse(p []byte) (Message, error) {
 	case TypePong:
 		return parsePong(ver, p)
 	case TypeCallMeMaybe:
-		return parseCallMeMaybe(ver, p)
+		return CallMeMaybe{}, nil
 	default:
 		return nil, fmt.Errorf("unknown message type 0x%02x", byte(t))
 	}
@@ -122,57 +122,13 @@ func parsePing(ver uint8, p []byte) (m *Ping, err error) {
 //
 // The recipient may choose to not open a path back, if it's already
 // happy with its path. But usually it will.
-type CallMeMaybe struct {
-	// MyNumber is what the peer believes its endpoints are.
-	//
-	// Prior to Tailscale 1.4, the endpoints were exchanged purely
-	// between nodes and the control server.
-	//
-	// Starting with Tailscale 1.4, clients advertise their endpoints.
-	// Older clients won't use this, but newer clients should
-	// use any endpoints in here that aren't included from control.
-	//
-	// Control might have sent stale endpoints if the client was idle
-	// before contacting us. In that case, the client likely did a STUN
-	// request immediately before sending the CallMeMaybe to recreate
-	// their NAT port mapping, and that new good endpoint is included
-	// in this field, but might not yet be in control's endpoints.
-	// (And in the future, control will stop distributing endpoints
-	// when clients are suitably new.)
-	MyNumber []netaddr.IPPort
-}
+type CallMeMaybe struct{}

-const epLength = 16 + 2 // 16 byte IP address + 2 byte port
-
-func (m *CallMeMaybe) AppendMarshal(b []byte) []byte {
-	ret, p := appendMsgHeader(b, TypeCallMeMaybe, v0, epLength*len(m.MyNumber))
-	for _, ipp := range m.MyNumber {
-		a := ipp.IP.As16()
-		copy(p[:], a[:])
-		binary.BigEndian.PutUint16(p[16:], ipp.Port)
-		p = p[epLength:]
-	}
+func (CallMeMaybe) AppendMarshal(b []byte) []byte {
+	ret, _ := appendMsgHeader(b, TypeCallMeMaybe, v0, 0)
 	return ret
 }

-func parseCallMeMaybe(ver uint8, p []byte) (m *CallMeMaybe, err error) {
-	m = new(CallMeMaybe)
-	if len(p)%epLength != 0 || ver != 0 || len(p) == 0 {
-		return m, nil
-	}
-	m.MyNumber = make([]netaddr.IPPort, 0, len(p)/epLength)
-	for len(p) > 0 {
-		var a [16]byte
-		copy(a[:], p)
-		m.MyNumber = append(m.MyNumber, netaddr.IPPort{
-			IP:   netaddr.IPFrom16(a),
-			Port: binary.BigEndian.Uint16(p[16:18]),
-		})
-		p = p[epLength:]
-	}
-	return m, nil
-}
-
 // Pong is a response a Ping.
 //
 // It includes the sender's source IP + port, so it's effectively a
@@ -215,7 +171,7 @@ func MessageSummary(m Message) string {
 		return fmt.Sprintf("ping tx=%x", m.TxID[:6])
 	case *Pong:
 		return fmt.Sprintf("pong tx=%x", m.TxID[:6])
-	case *CallMeMaybe:
+	case CallMeMaybe:
 		return "call-me-maybe"
 	default:
 		return fmt.Sprintf("%#v", m)
--- a/disco/disco_test.go
+++ b/disco/disco_test.go
@@ -44,19 +44,9 @@ func TestMarshalAndParse(t *testing.T) {
 		},
 		{
 			name: "call_me_maybe",
-			m:    &CallMeMaybe{},
+			m:    CallMeMaybe{},
 			want: "03 00",
 		},
-		{
-			name: "call_me_maybe_endpoints",
-			m: &CallMeMaybe{
-				MyNumber: []netaddr.IPPort{
-					netaddr.MustParseIPPort("1.2.3.4:567"),
-					netaddr.MustParseIPPort("[2001::3456]:789"),
-				},
-			},
-			want: "03 00 00 00 00 00 00 00 00 00 00 00 ff ff 01 02 03 04 02 37 20 01 00 00 00 00 00 00 00 00 00 00 00 00 34 56 03 15",
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
-	github.com/tailscale/wireguard-go v0.0.0-20210120212909-7ad8a0443bd3
+	github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
--- a/go.sum
+++ b/go.sum
@@ -294,8 +294,6 @@ github.com/tailscale/wireguard-go v0.0.0-20210114205708-a1377e83f551 h1:hjBVxvVa
 github.com/tailscale/wireguard-go v0.0.0-20210114205708-a1377e83f551/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
 github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d h1:8GcGtZ4Ui+lzHm6gOq7s2Oe4ksxkbUYtS/JuoJ2Nce8=
 github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
-github.com/tailscale/wireguard-go v0.0.0-20210120212909-7ad8a0443bd3 h1:wpgSErXul2ysBGZVVM0fKISMgZ9BZRXuOYAyn8MxAbY=
-github.com/tailscale/wireguard-go v0.0.0-20210120212909-7ad8a0443bd3/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -503,6 +503,41 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	}()
 	logf("Listening on %v", listen.Addr())

+	bo := backoff.NewBackoff("ipnserver", logf, 30*time.Second)
+	var unservedConn net.Conn // if non-nil, accepted, but hasn't served yet
+
+	eng, err := getEngine()
+	if err != nil {
+		logf("ipnserver: initial getEngine call: %v", err)
+		for i := 1; ctx.Err() == nil; i++ {
+			c, err := listen.Accept()
+			if err != nil {
+				logf("%d: Accept: %v", i, err)
+				bo.BackOff(ctx, err)
+				continue
+			}
+			logf("ipnserver: try%d: trying getEngine again...", i)
+			eng, err = getEngine()
+			if err == nil {
+				logf("%d: GetEngine worked; exiting failure loop", i)
+				unservedConn = c
+				break
+			}
+			logf("ipnserver%d: getEngine failed again: %v", i, err)
+			errMsg := err.Error()
+			go func() {
+				defer c.Close()
+				serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+				bs := ipn.NewBackendServer(logf, nil, serverToClient)
+				bs.SendErrorMessage(errMsg)
+				time.Sleep(time.Second)
+			}()
+		}
+		if err := ctx.Err(); err != nil {
+			return err
+		}
+	}
+
 	var store ipn.StateStore
 	if opts.StatePath != "" {
 		store, err = ipn.NewFileStore(opts.StatePath)
@@ -531,82 +566,6 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 		store = &ipn.MemoryStore{}
 	}

-	bo := backoff.NewBackoff("ipnserver", logf, 30*time.Second)
-	var unservedConn net.Conn // if non-nil, accepted, but hasn't served yet
-
-	eng, err := getEngine()
-	if err != nil {
-		logf("ipnserver: initial getEngine call: %v", err)
-
-		// Issue 1187: on Windows, in unattended mode,
-		// sometimes we try 5 times and fail to create the
-		// engine before the system's ready. Hack until the
-		// bug if fixed properly: if we're running in
-		// unattended mode on Windows, keep trying forever,
-		// waiting for the machine to be ready (networking to
-		// come up?) and then dial our own safesocket TCP
-		// listener to wake up the usual mechanism that lets
-		// us surface getEngine errors to UI clients. (We
-		// don't want to just call getEngine in a loop without
-		// the listener.Accept, as we do want to handle client
-		// connections so we can tell them about errors)
-
-		bootRaceWaitForEngine, bootRaceWaitForEngineCancel := context.WithTimeout(context.Background(), time.Minute)
-		if runtime.GOOS == "windows" && opts.AutostartStateKey != "" {
-			logf("ipnserver: in unattended mode, waiting for engine availability")
-			getEngine = getEngineUntilItWorksWrapper(getEngine)
-			// Wait for it to be ready.
-			go func() {
-				defer bootRaceWaitForEngineCancel()
-				t0 := time.Now()
-				for {
-					time.Sleep(10 * time.Second)
-					if _, err := getEngine(); err != nil {
-						logf("ipnserver: unattended mode engine load: %v", err)
-						continue
-					}
-					c, err := net.Dial("tcp", listen.Addr().String())
-					logf("ipnserver: engine created after %v; waking up Accept: Dial error: %v", time.Since(t0).Round(time.Second), err)
-					if err == nil {
-						c.Close()
-					}
-					break
-				}
-			}()
-		} else {
-			bootRaceWaitForEngineCancel()
-		}
-
-		for i := 1; ctx.Err() == nil; i++ {
-			c, err := listen.Accept()
-			if err != nil {
-				logf("%d: Accept: %v", i, err)
-				bo.BackOff(ctx, err)
-				continue
-			}
-			<-bootRaceWaitForEngine.Done()
-			logf("ipnserver: try%d: trying getEngine again...", i)
-			eng, err = getEngine()
-			if err == nil {
-				logf("%d: GetEngine worked; exiting failure loop", i)
-				unservedConn = c
-				break
-			}
-			logf("ipnserver%d: getEngine failed again: %v", i, err)
-			errMsg := err.Error()
-			go func() {
-				defer c.Close()
-				serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
-				bs := ipn.NewBackendServer(logf, nil, serverToClient)
-				bs.SendErrorMessage(errMsg)
-				time.Sleep(time.Second)
-			}()
-		}
-		if err := ctx.Err(); err != nil {
-			return err
-		}
-	}
-
 	b, err := ipn.NewLocalBackend(logf, logid, store, eng)
 	if err != nil {
 		return fmt.Errorf("NewLocalBackend: %v", err)
@@ -797,27 +756,6 @@ func FixedEngine(eng wgengine.Engine) func() (wgengine.Engine, error) {
 	return func() (wgengine.Engine, error) { return eng, nil }
 }

-// getEngineUntilItWorksWrapper returns a getEngine wrapper that does
-// not call getEngine concurrently and stops calling getEngine once
-// it's returned a working engine.
-func getEngineUntilItWorksWrapper(getEngine func() (wgengine.Engine, error)) func() (wgengine.Engine, error) {
-	var mu sync.Mutex
-	var engGood wgengine.Engine
-	return func() (wgengine.Engine, error) {
-		mu.Lock()
-		defer mu.Unlock()
-		if engGood != nil {
-			return engGood, nil
-		}
-		e, err := getEngine()
-		if err != nil {
-			return nil, err
-		}
-		engGood = e
-		return e, nil
-	}
-}
-
 type dummyAddr string
 type oneConnListener struct {
 	conn net.Conn
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -21,21 +21,14 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/util/dnsname"
 )

 // Status represents the entire state of the IPN network.
 type Status struct {
-	BackendState string
-	TailscaleIPs []netaddr.IP // Tailscale IP(s) assigned to this node
-	Self         *PeerStatus
-
-	// MagicDNSSuffix is the network's MagicDNS suffix for nodes
-	// in the network such as "userfoo.tailscale.net".
-	// There are no surrounding dots.
-	// MagicDNSSuffix should be populated regardless of whether a domain
-	// has MagicDNS enabled.
-	MagicDNSSuffix string
+	BackendState   string
+	TailscaleIPs   []netaddr.IP // Tailscale IP(s) assigned to this node
+	Self           *PeerStatus
+	MagicDNSSuffix string // e.g. "userfoo.tailscale.net" (no surrounding dots)

 	Peer map[key.Public]*PeerStatus
 	User map[tailcfg.UserID]tailcfg.UserProfile
@@ -281,22 +274,13 @@ table tbody tr:nth-child(even) td { background-color: #f5f5f5; }
 	f("<p>Tailscale IP: %s", strings.Join(ips, ", "))

 	f("<table>\n<thead>\n")
-	f("<tr><th>Peer</th><th>OS</th><th>Node</th><th>Owner</th><th>Rx</th><th>Tx</th><th>Activity</th><th>Connection</th></tr>\n")
+	f("<tr><th>Peer</th><th>Node</th><th>Owner</th><th>Rx</th><th>Tx</th><th>Activity</th><th>Endpoints</th></tr>\n")
 	f("</thead>\n<tbody>\n")

 	now := time.Now()

-	var peers []*PeerStatus
 	for _, peer := range st.Peers() {
 		ps := st.Peer[peer]
-		if ps.ShareeNode {
-			continue
-		}
-		peers = append(peers, ps)
-	}
-	SortPeers(peers)
-
-	for _, ps := range peers {
 		var actAgo string
 		if !ps.LastWrite.IsZero() {
 			ago := now.Sub(ps.LastWrite)
@@ -312,44 +296,40 @@ table tbody tr:nth-child(even) td { background-color: #f5f5f5; }
 				owner = owner[:i]
 			}
 		}
-
-		hostName := ps.SimpleHostName()
-		dnsName := strings.TrimRight(ps.DNSName, ".")
-		if i := strings.Index(dnsName, "."); i != -1 && dnsname.HasSuffix(dnsName, st.MagicDNSSuffix) {
-			dnsName = dnsName[:i]
-		}
-		if strings.EqualFold(dnsName, hostName) || ps.UserID != st.Self.UserID {
-			hostName = ""
-		}
-		var hostNameHTML string
-		if hostName != "" {
-			hostNameHTML = "<br>" + html.EscapeString(hostName)
-		}
-
-		f("<tr><td>%s</td><td class=acenter>%s</td>"+
-			"<td><b>%s</b>%s<div class=\"tailaddr\">%s</div></td><td class=\"acenter owner\">%s</td><td class=\"aright\">%v</td><td class=\"aright\">%v</td><td class=\"aright\">%v</td>",
-			ps.PublicKey.ShortString(),
+		f("<tr><td>%s</td><td>%s %s<br><span class=\"tailaddr\">%s</span></td><td class=\"acenter owner\">%s</td><td class=\"aright\">%v</td><td class=\"aright\">%v</td><td class=\"aright\">%v</td>",
+			peer.ShortString(),
+			html.EscapeString(ps.SimpleHostName()),
 			osEmoji(ps.OS),
-			html.EscapeString(dnsName),
-			hostNameHTML,
 			ps.TailAddr,
 			html.EscapeString(owner),
 			ps.RxBytes,
 			ps.TxBytes,
 			actAgo,
 		)
-		f("<td>")
-
+		f("<td class=\"aright\">")
 		// TODO: let server report this active bool instead
 		active := !ps.LastWrite.IsZero() && time.Since(ps.LastWrite) < 2*time.Minute
-		if active {
-			if ps.Relay != "" && ps.CurAddr == "" {
-				f("relay <b>%s</b>", html.EscapeString(ps.Relay))
-			} else if ps.CurAddr != "" {
-				f("direct <b>%s</b>", html.EscapeString(ps.CurAddr))
+		relay := ps.Relay
+		if relay != "" {
+			if active && ps.CurAddr == "" {
+				f("🔗 <b>derp-%v</b><br>", html.EscapeString(relay))
+			} else {
+				f("derp-%v<br>", html.EscapeString(relay))
 			}
 		}

+		match := false
+		for _, addr := range ps.Addrs {
+			if addr == ps.CurAddr {
+				match = true
+				f("🔗 <b>%s</b><br>", addr)
+			} else {
+				f("%s<br>", addr)
+			}
+		}
+		if ps.CurAddr != "" && !match {
+			f("<b>%s</b> \xf0\x9f\xa7\xb3<br>", ps.CurAddr)
+		}
 		f("</td>") // end Addrs

 		f("</tr>\n")
@@ -395,17 +375,3 @@ type PingResult struct {

 	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
 }
-
-func SortPeers(peers []*PeerStatus) {
-	sort.Slice(peers, func(i, j int) bool { return sortKey(peers[i]) < sortKey(peers[j]) })
-}
-
-func sortKey(ps *PeerStatus) string {
-	if ps.DNSName != "" {
-		return ps.DNSName
-	}
-	if ps.HostName != "" {
-		return ps.HostName
-	}
-	return ps.TailAddr
-}
--- a/ipn/local.go
+++ b/ipn/local.go
@@ -562,13 +562,12 @@ func (b *LocalBackend) updateFilter(netMap *controlclient.NetworkMap, prefs *Pre

 	localNets := unmapIPPrefixes(netMap.Addresses, advRoutes)

-	oldFilter := b.e.GetFilter()
 	if shieldsUp {
 		b.logf("netmap packet filter: (shields up)")
-		b.e.SetFilter(filter.NewShieldsUpFilter(localNets, oldFilter, b.logf))
+		b.e.SetFilter(filter.NewShieldsUpFilter(b.logf))
 	} else {
 		b.logf("netmap packet filter: %v", packetFilter)
-		b.e.SetFilter(filter.New(packetFilter, localNets, oldFilter, b.logf))
+		b.e.SetFilter(filter.New(packetFilter, localNets, b.e.GetFilter(), b.logf))
 	}
 }

--- a/ipn/message.go
+++ b/ipn/message.go
@@ -146,10 +146,6 @@ func (bs *BackendServer) GotFakeCommand(ctx context.Context, cmd *Command) error
 	return bs.GotCommand(ctx, cmd)
 }

-// ErrMsgPermissionDenied is the Notify.ErrMessage value used an
-// operation was done from a user/context that didn't have permission.
-const ErrMsgPermissionDenied = "permission denied"
-
 func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	if cmd.Version != version.Long && !cmd.AllowVersionSkew {
 		vs := fmt.Sprintf("GotCommand: Version mismatch! frontend=%#v backend=%#v",
@@ -182,7 +178,7 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	}

 	if IsReadonlyContext(ctx) {
-		msg := ErrMsgPermissionDenied
+		msg := "permission denied"
 		bs.send(Notify{ErrMessage: &msg})
 		return nil
 	}
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -10,7 +10,6 @@ import (
 	"net"
 	"net/http"
 	"reflect"
-	"runtime"
 	"sort"
 	"strings"

@@ -40,11 +39,8 @@ func Tailscale() (net.IP, *net.Interface, error) {
 			continue
 		}
 		for _, a := range addrs {
-			if ipnet, ok := a.(*net.IPNet); ok {
-				nip, ok := netaddr.FromStdIP(ipnet.IP)
-				if ok && tsaddr.IsTailscaleIP(nip) {
-					return ipnet.IP, &iface, nil
-				}
+			if ipnet, ok := a.(*net.IPNet); ok && IsTailscaleIP(ipnet.IP) {
+				return ipnet.IP, &iface, nil
 			}
 		}
 	}
@@ -61,21 +57,16 @@ func maybeTailscaleInterfaceName(s string) bool {
 		strings.HasPrefix(s, "utun")
 }

+// IsTailscaleIP reports whether ip is an IP in a range used by
+// Tailscale virtual network interfaces.
+func IsTailscaleIP(ip net.IP) bool {
+	nip, _ := netaddr.FromStdIP(ip) // TODO: push this up to caller, change func signature
+	return tsaddr.IsTailscaleIP(nip)
+}
+
 func isUp(nif *net.Interface) bool       { return nif.Flags&net.FlagUp != 0 }
 func isLoopback(nif *net.Interface) bool { return nif.Flags&net.FlagLoopback != 0 }

-func isProblematicInterface(nif *net.Interface) bool {
-	name := nif.Name
-	// Don't try to send disco/etc packets over zerotier; they effectively
-	// DoS each other by doing traffic amplification, both of them
-	// preferring/trying to use each other for transport. See:
-	// https://github.com/tailscale/tailscale/issues/1208
-	if strings.HasPrefix(name, "zt") || (runtime.GOOS == "windows" && strings.Contains(name, "ZeroTier")) {
-		return true
-	}
-	return false
-}
-
 // LocalAddresses returns the machine's IP addresses, separated by
 // whether they're loopback addresses.
 func LocalAddresses() (regular, loopback []string, err error) {
@@ -86,10 +77,8 @@ func LocalAddresses() (regular, loopback []string, err error) {
 	}
 	for i := range ifaces {
 		iface := &ifaces[i]
-		if !isUp(iface) || isProblematicInterface(iface) {
-			// Skip down interfaces and ones that are
-			// problematic that we don't want to try to
-			// send Tailscale traffic over.
+		if !isUp(iface) {
+			// Down interfaces don't count
 			continue
 		}
 		ifcIsLoopback := isLoopback(iface)
--- a/net/interfaces/interfaces_darwin_cgo.go
+++ b/net/interfaces/interfaces_darwin_cgo.go
@@ -15,7 +15,7 @@ package interfaces

 // privateGatewayIPFromRoute returns the private gateway ip address from rtm, if it exists.
 // Otherwise, it returns 0.
-uint32_t privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
+int privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
 {
    // sockaddrs are after the message header
    struct sockaddr* dst_sa = (struct sockaddr *)(rtm + 1);
@@ -38,7 +38,7 @@ uint32_t privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
        return 0; // gateway not IPv4

    struct sockaddr_in* gateway_si= (struct sockaddr_in *)gateway_sa;
-    uint32_t ip;
+    int ip;
    ip = gateway_si->sin_addr.s_addr;

    unsigned char a, b;
@@ -62,7 +62,7 @@ uint32_t privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
 // If no private gateway IP address was found, it returns 0.
 // On an error, it returns an error code in (0, 255].
 // Any private gateway IP address is > 255.
-uint32_t privateGatewayIP()
+int privateGatewayIP()
 {
    size_t needed;
    int mib[6];
@@ -90,7 +90,7 @@ uint32_t privateGatewayIP()
 	struct rt_msghdr2 *rtm;
    for (next = buf; next < lim; next += rtm->rtm_msglen) {
        rtm = (struct rt_msghdr2 *)next;
-        uint32_t ip;
+		int ip;
        ip = privateGatewayIPFromRoute(rtm);
        if (ip) {
            free(buf);
--- a/net/interfaces/interfaces_test.go
+++ b/net/interfaces/interfaces_test.go
@@ -5,9 +5,30 @@
 package interfaces

 import (
+	"net"
 	"testing"
 )

+func TestIsTailscaleIP(t *testing.T) {
+	tests := []struct {
+		ip   string
+		want bool
+	}{
+		{"100.81.251.94", true},
+		{"8.8.8.8", false},
+	}
+	for _, tt := range tests {
+		ip := net.ParseIP(tt.ip)
+		if ip == nil {
+			t.Fatalf("failed to parse IP %q", tt.ip)
+		}
+		got := IsTailscaleIP(ip)
+		if got != tt.want {
+			t.Errorf("F(%q) = %v; want %v", tt.ip, got, tt.want)
+		}
+	}
+}
+
 func TestGetState(t *testing.T) {
 	st, err := GetState()
 	if err != nil {
--- a/net/packet/tsmp.go
+++ b/net/packet/tsmp.go
@@ -23,14 +23,12 @@ import (
 // Tailscale node has rejected the connection from another. Unlike a
 // TCP RST, this includes a reason.
 //
-// On the wire, after the IP header, it's currently 7 or 8 bytes:
+// On the wire, after the IP header, it's currently 7 bytes:
 //     * '!'
 //     * IPProto byte (IANA protocol number: TCP or UDP)
 //     * 'A' or 'S' (RejectedDueToACLs, RejectedDueToShieldsUp)
 //     * srcPort big endian uint16
 //     * dstPort big endian uint16
-//     * [optional] byte of flag bits:
-//          lowest bit (0x1): MaybeBroken
 //
 // In the future it might also accept 16 byte IP flow src/dst IPs
 // after the header, if they're different than the IP-level ones.
@@ -41,21 +39,8 @@ type TailscaleRejectedHeader struct {
 	Dst    netaddr.IPPort        // rejected flow's dst
 	Proto  IPProto               // proto that was rejected (TCP or UDP)
 	Reason TailscaleRejectReason // why the connection was rejected
-
-	// MaybeBroken is whether the rejection is non-terminal (the
-	// client should not fail immediately). This is sent by a
-	// target when it's not sure whether it's totally broken, but
-	// it might be. For example, the target tailscaled might think
-	// its host firewall or IP forwarding aren't configured
-	// properly, but tailscaled might be wrong (not having enough
-	// visibility into what the OS is doing). When true, the
-	// message is simply an FYI as a potential reason to use for
-	// later when the pendopen connection tracking timer expires.
-	MaybeBroken bool
 }

-const rejectFlagBitMaybeBroken = 0x1
-
 func (rh TailscaleRejectedHeader) Flow() flowtrack.Tuple {
 	return flowtrack.Tuple{Src: rh.Src, Dst: rh.Dst}
 }
@@ -67,32 +52,14 @@ func (rh TailscaleRejectedHeader) String() string {
 type TSMPType uint8

 const (
-	// TSMPTypeRejectedConn is the type byte for a TailscaleRejectedHeader.
 	TSMPTypeRejectedConn TSMPType = '!'
 )

 type TailscaleRejectReason byte

-// IsZero reports whether r is the zero value, representing no rejection.
-func (r TailscaleRejectReason) IsZero() bool { return r == TailscaleRejectReasonNone }
-
 const (
-	// TailscaleRejectReasonNone is the TailscaleRejectReason zero value.
-	TailscaleRejectReasonNone TailscaleRejectReason = 0
-
-	// RejectedDueToACLs means that the host rejected the connection due to ACLs.
-	RejectedDueToACLs TailscaleRejectReason = 'A'
-
-	// RejectedDueToShieldsUp means that the host rejected the connection due to shields being up.
+	RejectedDueToACLs      TailscaleRejectReason = 'A'
 	RejectedDueToShieldsUp TailscaleRejectReason = 'S'
-
-	// RejectedDueToIPForwarding means that the relay node's IP
-	// forwarding is disabled.
-	RejectedDueToIPForwarding TailscaleRejectReason = 'F'
-
-	// RejectedDueToHostFirewall means that the target host's
-	// firewall is blocking the traffic.
-	RejectedDueToHostFirewall TailscaleRejectReason = 'W'
 )

 func (r TailscaleRejectReason) String() string {
@@ -101,32 +68,22 @@ func (r TailscaleRejectReason) String() string {
 		return "acl"
 	case RejectedDueToShieldsUp:
 		return "shields"
-	case RejectedDueToIPForwarding:
-		return "host-ip-forwarding-unavailable"
-	case RejectedDueToHostFirewall:
-		return "host-firewall"
 	}
 	return fmt.Sprintf("0x%02x", byte(r))
 }

-func (h TailscaleRejectedHeader) hasFlags() bool {
-	return h.MaybeBroken // the only one currently
-}
-
 func (h TailscaleRejectedHeader) Len() int {
-	v := 1 + // TSMPType byte
+	var ipHeaderLen int
+	if h.IPSrc.Is4() {
+		ipHeaderLen = ip4HeaderLength
+	} else if h.IPSrc.Is6() {
+		ipHeaderLen = ip6HeaderLength
+	}
+	return ipHeaderLen +
+		1 + // TSMPType byte
 		1 + // IPProto byte
 		1 + // TailscaleRejectReason byte
 		2*2 // 2 uint16 ports
-	if h.IPSrc.Is4() {
-		v += ip4HeaderLength
-	} else if h.IPSrc.Is6() {
-		v += ip6HeaderLength
-	}
-	if h.hasFlags() {
-		v++
-	}
-	return v
 }

 func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
@@ -160,14 +117,6 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
 	buf[2] = byte(h.Reason)
 	binary.BigEndian.PutUint16(buf[3:5], h.Src.Port)
 	binary.BigEndian.PutUint16(buf[5:7], h.Dst.Port)
-
-	if h.hasFlags() {
-		var flags byte
-		if h.MaybeBroken {
-			flags |= rejectFlagBitMaybeBroken
-		}
-		buf[7] = flags
-	}
 	return nil
 }

@@ -180,17 +129,12 @@ func (pp *Parsed) AsTailscaleRejectedHeader() (h TailscaleRejectedHeader, ok boo
 	if len(p) < 7 || p[0] != byte(TSMPTypeRejectedConn) {
 		return
 	}
-	h = TailscaleRejectedHeader{
+	return TailscaleRejectedHeader{
 		Proto:  IPProto(p[1]),
 		Reason: TailscaleRejectReason(p[2]),
 		IPSrc:  pp.Src.IP,
 		IPDst:  pp.Dst.IP,
 		Src:    netaddr.IPPort{IP: pp.Dst.IP, Port: binary.BigEndian.Uint16(p[3:5])},
 		Dst:    netaddr.IPPort{IP: pp.Src.IP, Port: binary.BigEndian.Uint16(p[5:7])},
-	}
-	if len(p) > 7 {
-		flags := p[7]
-		h.MaybeBroken = (flags & rejectFlagBitMaybeBroken) != 0
-	}
-	return h, true
+	}, true
 }
--- a/net/packet/tsmp_test.go
+++ b/net/packet/tsmp_test.go
@@ -37,18 +37,6 @@ func TestTailscaleRejectedHeader(t *testing.T) {
 			},
 			wantStr: "TSMP-reject-flow{UDP [1::1]:567 > [2::2]:443}: shields",
 		},
-		{
-			h: TailscaleRejectedHeader{
-				IPSrc:       netaddr.MustParseIP("2::2"),
-				IPDst:       netaddr.MustParseIP("1::1"),
-				Src:         netaddr.MustParseIPPort("[1::1]:567"),
-				Dst:         netaddr.MustParseIPPort("[2::2]:443"),
-				Proto:       UDP,
-				Reason:      RejectedDueToIPForwarding,
-				MaybeBroken: true,
-			},
-			wantStr: "TSMP-reject-flow{UDP [1::1]:567 > [2::2]:443}: host-ip-forwarding-unavailable",
-		},
 	}
 	for i, tt := range tests {
 		gotStr := tt.h.String()
--- a/safesocket/unixsocket.go
+++ b/safesocket/unixsocket.go
@@ -59,32 +59,12 @@ func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
 		return nil, 0, fmt.Errorf("%v: address already in use", path)
 	}
 	_ = os.Remove(path)
-
-	perm := socketPermissionsForOS()
-
-	sockDir := filepath.Dir(path)
-	if _, err := os.Stat(sockDir); os.IsNotExist(err) {
-		os.MkdirAll(sockDir, 0755) // best effort
-
-		// If we're on a platform where we want the socket
-		// world-readable, open up the permissions on the
-		// just-created directory too, in case a umask ate
-		// it. This primarily affects running tailscaled by
-		// hand as root in a shell, as there is no umask when
-		// running under systemd.
-		if perm == 0666 {
-			if fi, err := os.Stat(sockDir); err == nil && fi.Mode()&0077 == 0 {
-				if err := os.Chmod(sockDir, 0755); err != nil {
-					log.Print(err)
-				}
-			}
-		}
-	}
+	os.MkdirAll(filepath.Dir(path), 0755) // best effort
 	pipe, err := net.Listen("unix", path)
 	if err != nil {
 		return nil, 0, err
 	}
-	os.Chmod(path, perm)
+	os.Chmod(path, socketPermissionsForOS())
 	return pipe, 0, err
 }

--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -20,7 +20,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
-	"tailscale.com/util/dnsname"
 )

 // CurrentMapRequestVersion is the current MapRequest.Version value.
@@ -33,10 +32,7 @@ import (
 //     7: 2020-12-15: FilterRule.SrcIPs accepts CIDRs+ranges, doesn't warn about 0.0.0.0/::
 //     8: 2020-12-19: client can receive IPv6 addresses and routes if beta enabled server-side
 //     9: 2020-12-30: client doesn't auto-add implicit search domains from peers; only DNSConfig.Domains
-//    10: 2021-01-17: client understands MapResponse.PeerSeenChange
-const CurrentMapRequestVersion = 10
-
-type StableID string
+const CurrentMapRequestVersion = 9

 type ID int64

@@ -58,12 +54,6 @@ func (u NodeID) IsZero() bool {
 	return u == 0
 }

-type StableNodeID StableID
-
-func (u StableNodeID) IsZero() bool {
-	return u == ""
-}
-
 type GroupID ID

 func (u GroupID) IsZero() bool {
@@ -157,9 +147,8 @@ type UserProfile struct {
 }

 type Node struct {
-	ID       NodeID
-	StableID StableNodeID
-	Name     string // DNS
+	ID   NodeID
+	Name string // DNS

 	// User is the user who created the node. If ACL tags are in
 	// use for the node then it doesn't reflect the ACL identity
@@ -184,98 +173,6 @@ type Node struct {
 	KeepAlive bool `json:",omitempty"` // open and keep open a connection to this peer

 	MachineAuthorized bool `json:",omitempty"` // TODO(crawshaw): replace with MachineStatus
-
-	// The following three computed fields hold the various names that can
-	// be used for this node in UIs. They are populated from controlclient
-	// (not from control) by calling node.InitDisplayNames. These can be
-	// used directly or accessed via node.DisplayName or node.DisplayNames.
-
-	ComputedName            string `json:",omitempty"` // MagicDNS base name (for normal non-shared-in nodes), FQDN (without trailing dot, for shared-in nodes), or Hostname (if no MagicDNS)
-	computedHostIfDifferent string // hostname, if different than ComputedName, otherwise empty
-	ComputedNameWithHost    string `json:",omitempty"` // either "ComputedName" or "ComputedName (computedHostIfDifferent)", if computedHostIfDifferent is set
-}
-
-// DisplayName returns the user-facing name for a node which should
-// be shown in client UIs.
-//
-// Parameter forOwner specifies whether the name is requested by
-// the owner of the node. When forOwner is false, the hostname is
-// never included in the return value.
-//
-// Return value is either either "Name" or "Name (Hostname)", where
-// Name is the node's MagicDNS base name (for normal non-shared-in
-// nodes), FQDN (without trailing dot, for shared-in nodes), or
-// Hostname (if no MagicDNS). Hostname is only included in the
-// return value if it varies from Name and forOwner is provided true.
-//
-// DisplayName is only valid if InitDisplayNames has been called.
-func (n *Node) DisplayName(forOwner bool) string {
-	if forOwner {
-		return n.ComputedNameWithHost
-	}
-	return n.ComputedName
-}
-
-// DisplayName returns the decomposed user-facing name for a node.
-//
-// Parameter forOwner specifies whether the name is requested by
-// the owner of the node. When forOwner is false, hostIfDifferent
-// is always returned empty.
-//
-// Return value name is the node's primary name, populated with the
-// node's MagicDNS base name (for normal non-shared-in nodes), FQDN
-// (without trailing dot, for shared-in nodes), or Hostname (if no
-// MagicDNS).
-//
-// Return value hostIfDifferent, when non-empty, is the node's
-// hostname. hostIfDifferent is only populated when the hostname
-// varies from name and forOwner is provided as true.
-//
-// DisplayNames is only valid if InitDisplayNames has been called.
-func (n *Node) DisplayNames(forOwner bool) (name, hostIfDifferent string) {
-	if forOwner {
-		return n.ComputedName, n.computedHostIfDifferent
-	}
-	return n.ComputedName, ""
-}
-
-// InitDisplayNames computes and populates n's display name
-// fields: n.ComputedName, n.computedHostIfDifferent, and
-// n.ComputedNameWithHost.
-func (n *Node) InitDisplayNames(networkMagicDNSSuffix string) {
-	dnsName := n.Name
-	if dnsName != "" {
-		dnsName = strings.TrimRight(dnsName, ".")
-		if i := strings.Index(dnsName, "."); i != -1 && dnsname.HasSuffix(dnsName, networkMagicDNSSuffix) {
-			dnsName = dnsName[:i]
-		}
-	}
-
-	name := dnsName
-	hostIfDifferent := n.Hostinfo.Hostname
-
-	if strings.EqualFold(name, hostIfDifferent) {
-		hostIfDifferent = ""
-	}
-	if name == "" {
-		if hostIfDifferent != "" {
-			name = hostIfDifferent
-			hostIfDifferent = ""
-		} else {
-			name = n.Key.String()
-		}
-	}
-
-	var nameWithHost string
-	if hostIfDifferent != "" {
-		nameWithHost = fmt.Sprintf("%s (%s)", name, hostIfDifferent)
-	} else {
-		nameWithHost = name
-	}
-
-	n.ComputedName = name
-	n.computedHostIfDifferent = hostIfDifferent
-	n.ComputedNameWithHost = nameWithHost
 }

 type MachineStatus int
@@ -739,11 +636,6 @@ type MapResponse struct {
 	// PeersRemoved are the NodeIDs that are no longer in the peer list.
 	PeersRemoved []NodeID `json:",omitempty"`

-	// PeerSeenChange contains information on how to update peers' LastSeen
-	// times. If the value is false, the peer is gone. If the value is true,
-	// the LastSeen time is now. Absent means unchanged.
-	PeerSeenChange map[NodeID]bool `json:",omitempty"`
-
 	// DNS is the same as DNSConfig.Nameservers.
 	//
 	// TODO(dmytro): should be sent in DNSConfig.Nameservers once clients have updated.
@@ -887,7 +779,6 @@ func (n *Node) Equal(n2 *Node) bool {
 	}
 	return n != nil && n2 != nil &&
 		n.ID == n2.ID &&
-		n.StableID == n2.StableID &&
 		n.Name == n2.Name &&
 		n.User == n2.User &&
 		n.Sharer == n2.Sharer &&
@@ -902,10 +793,7 @@ func (n *Node) Equal(n2 *Node) bool {
 		n.Hostinfo.Equal(&n2.Hostinfo) &&
 		n.Created.Equal(n2.Created) &&
 		eqTimePtr(n.LastSeen, n2.LastSeen) &&
-		n.MachineAuthorized == n2.MachineAuthorized &&
-		n.ComputedName == n2.ComputedName &&
-		n.computedHostIfDifferent == n2.computedHostIfDifferent &&
-		n.ComputedNameWithHost == n2.ComputedNameWithHost
+		n.MachineAuthorized == n2.MachineAuthorized
 }

 func eqStrings(a, b []string) bool {
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@@ -61,27 +61,23 @@ func (src *Node) Clone() *Node {
 // A compilation failure here means this code must be regenerated, with command:
 //   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig,RegisterResponse
 var _NodeNeedsRegeneration = Node(struct {
-	ID                      NodeID
-	StableID                StableNodeID
-	Name                    string
-	User                    UserID
-	Sharer                  UserID
-	Key                     NodeKey
-	KeyExpiry               time.Time
-	Machine                 MachineKey
-	DiscoKey                DiscoKey
-	Addresses               []netaddr.IPPrefix
-	AllowedIPs              []netaddr.IPPrefix
-	Endpoints               []string
-	DERP                    string
-	Hostinfo                Hostinfo
-	Created                 time.Time
-	LastSeen                *time.Time
-	KeepAlive               bool
-	MachineAuthorized       bool
-	ComputedName            string
-	computedHostIfDifferent string
-	ComputedNameWithHost    string
+	ID                NodeID
+	Name              string
+	User              UserID
+	Sharer            UserID
+	Key               NodeKey
+	KeyExpiry         time.Time
+	Machine           MachineKey
+	DiscoKey          DiscoKey
+	Addresses         []netaddr.IPPrefix
+	AllowedIPs        []netaddr.IPPrefix
+	Endpoints         []string
+	DERP              string
+	Hostinfo          Hostinfo
+	Created           time.Time
+	LastSeen          *time.Time
+	KeepAlive         bool
+	MachineAuthorized bool
 }{})

 // Clone makes a deep copy of Hostinfo.
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -189,11 +189,10 @@ func TestHostinfoEqual(t *testing.T) {

 func TestNodeEqual(t *testing.T) {
 	nodeHandles := []string{
-		"ID", "StableID", "Name", "User", "Sharer",
+		"ID", "Name", "User", "Sharer",
 		"Key", "KeyExpiry", "Machine", "DiscoKey",
 		"Addresses", "AllowedIPs", "Endpoints", "DERP", "Hostinfo",
 		"Created", "LastSeen", "KeepAlive", "MachineAuthorized",
-		"ComputedName", "computedHostIfDifferent", "ComputedNameWithHost",
 	}
 	if have := fieldsOf(reflect.TypeOf(Node{})); !reflect.DeepEqual(have, nodeHandles) {
 		t.Errorf("Node.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
@@ -230,31 +229,6 @@ func TestNodeEqual(t *testing.T) {
 			&Node{},
 			true,
 		},
-		{
-			&Node{},
-			&Node{},
-			true,
-		},
-		{
-			&Node{ID: 1},
-			&Node{},
-			false,
-		},
-		{
-			&Node{ID: 1},
-			&Node{ID: 1},
-			true,
-		},
-		{
-			&Node{StableID: "node-abcd"},
-			&Node{},
-			false,
-		},
-		{
-			&Node{StableID: "node-abcd"},
-			&Node{StableID: "node-abcd"},
-			true,
-		},
 		{
 			&Node{User: 0},
 			&Node{User: 1},
--- a/tstime/jitter.go
+++ b/tstime/jitter.go
@@ -1,44 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tstime
-
-import (
-	crand "crypto/rand"
-	"encoding/binary"
-	"math/rand"
-	"sync"
-	"time"
-)
-
-// crandSource is a rand.Source64 that gets its numbers from
-// crypto/rand.Reader.
-type crandSource struct{ sync.Mutex }
-
-var _ rand.Source64 = (*crandSource)(nil)
-
-func (s *crandSource) Int63() int64 { return int64(s.Uint64() >> 1) }
-
-func (s *crandSource) Uint64() uint64 {
-	s.Lock()
-	defer s.Unlock()
-	var buf [8]byte
-	crand.Read(buf[:])
-	return binary.BigEndian.Uint64(buf[:])
-}
-
-func (*crandSource) Seed(seed int64) {} // nope
-
-var durRand = rand.New(new(crandSource))
-
-// RandomDurationBetween returns a random duration in range [min,max).
-// If panics if max < min.
-func RandomDurationBetween(min, max time.Duration) time.Duration {
-	diff := max - min
-	if diff == 0 {
-		return min
-	}
-	ns := durRand.Int63n(int64(diff))
-	return min + time.Duration(ns)
-}
--- a/tstime/jitter_test.go
+++ b/tstime/jitter_test.go
@@ -1,23 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tstime
-
-import (
-	"testing"
-	"time"
-)
-
-func TestRandomDurationBetween(t *testing.T) {
-	if got := RandomDurationBetween(1, 1); got != 1 {
-		t.Errorf("between 1 and 1 = %v; want 1", int64(got))
-	}
-	const min = 1 * time.Second
-	const max = 10 * time.Second
-	for i := 0; i < 500; i++ {
-		if got := RandomDurationBetween(min, max); got < min || got >= max {
-			t.Fatalf("%v (%d) out of range", got, got)
-		}
-	}
-}
--- a/tsweb/tsweb.go
+++ b/tsweb/tsweb.go
@@ -23,9 +23,8 @@ import (
 	"strings"
 	"time"

-	"inet.af/netaddr"
 	"tailscale.com/metrics"
-	"tailscale.com/net/tsaddr"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/types/logger"
 )

@@ -82,11 +81,8 @@ func AllowDebugAccess(r *http.Request) bool {
 	if err != nil {
 		return false
 	}
-	ip, err := netaddr.ParseIP(ipStr)
-	if err != nil {
-		return false
-	}
-	if tsaddr.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == os.Getenv("TS_ALLOW_DEBUG_IP") {
+	ip := net.ParseIP(ipStr)
+	if interfaces.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == os.Getenv("TS_ALLOW_DEBUG_IP") {
 		return true
 	}
 	if r.Method == "GET" {
--- a/types/logger/logger.go
+++ b/types/logger/logger.go
@@ -64,9 +64,9 @@ type limitData struct {

 var disableRateLimit = os.Getenv("TS_DEBUG_LOG_RATE") == "all"

-// rateFree are format string substrings that are exempt from rate limiting.
+// rateFreePrefix are format string prefixes that are exempt from rate limiting.
 // Things should not be added to this unless they're already limited otherwise.
-var rateFree = []string{
+var rateFreePrefix = []string{
 	"magicsock: disco: ",
 	"magicsock: CreateEndpoint:",
 }
@@ -93,8 +93,8 @@ func RateLimitedFn(logf Logf, f time.Duration, burst int, maxCache int) Logf {
 	)

 	judge := func(format string) verdict {
-		for _, sub := range rateFree {
-			if strings.Contains(format, sub) {
+		for _, pfx := range rateFreePrefix {
+			if strings.HasPrefix(format, pfx) {
 				return allow
 			}
 		}
@@ -132,7 +132,7 @@ func RateLimitedFn(logf Logf, f time.Duration, burst int, maxCache int) Logf {
 			logf(format, args...)
 		case warn:
 			// For the warning, log the specific format string
-			logf("[RATE LIMITED] format string \"%s\" (example: \"%s\")", format, strings.TrimSpace(fmt.Sprintf(format, args...)))
+			logf("[RATE LIMITED] format string \"%s\" (example: \"%s\")", format, fmt.Sprintf(format, args...))
 		}
 	}
 }
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -132,16 +132,8 @@ func NewAllowNone(logf logger.Logf) *Filter {
 	return New(nil, nil, nil, logf)
 }

-// NewShieldsUpFilter returns a packet filter that rejects incoming connections.
-//
-// If shareStateWith is non-nil, the returned filter shares state with the previous one,
-// as long as the previous one was also a shields up filter.
-func NewShieldsUpFilter(localNets []netaddr.IPPrefix, shareStateWith *Filter, logf logger.Logf) *Filter {
-	// Don't permit sharing state with a prior filter that wasn't a shields-up filter.
-	if shareStateWith != nil && !shareStateWith.shieldsUp {
-		shareStateWith = nil
-	}
-	f := New(nil, localNets, shareStateWith, logf)
+func NewShieldsUpFilter(logf logger.Logf) *Filter {
+	f := New(nil, nil, nil, logf)
 	f.shieldsUp = true
 	return f
 }
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -12,8 +12,6 @@ import (
 	"tailscale.com/net/packet"
 )

-//go:generate go run tailscale.com/cmd/cloner --type=Match --output=match_clone.go
-
 // PortRange is a range of TCP and UDP ports.
 type PortRange struct {
 	First, Last uint16 // inclusive
--- a/wgengine/filter/match_clone.go
+++ b/wgengine/filter/match_clone.go
@@ -1,31 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Code generated by tailscale.com/cmd/cloner -type Match; DO NOT EDIT.
-
-package filter
-
-import (
-	"inet.af/netaddr"
-)
-
-// Clone makes a deep copy of Match.
-// The result aliases no memory with the original.
-func (src *Match) Clone() *Match {
-	if src == nil {
-		return nil
-	}
-	dst := new(Match)
-	*dst = *src
-	dst.Dsts = append(src.Dsts[:0:0], src.Dsts...)
-	dst.Srcs = append(src.Srcs[:0:0], src.Srcs...)
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type Match
-var _MatchNeedsRegeneration = Match(struct {
-	Dsts []NetPortRange
-	Srcs []netaddr.IPPrefix
-}{})
--- a/wgengine/magicsock/legacy.go
+++ b/wgengine/magicsock/legacy.go
@@ -438,7 +438,8 @@ func (a *addrSet) DstToBytes() []byte {
 	return packIPPort(a.dst())
 }
 func (a *addrSet) DstToString() string {
-	return a.Addrs()
+	dst := a.dst()
+	return dst.String()
 }
 func (a *addrSet) DstIP() net.IP {
 	return a.dst().IP.IPAddr().IP // TODO: add netaddr accessor to cut an alloc here?
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -12,7 +12,6 @@ import (
 	crand "crypto/rand"
 	"encoding/binary"
 	"errors"
-	"expvar"
 	"fmt"
 	"hash/fnv"
 	"math"
@@ -46,10 +45,10 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/nettype"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/version"
 )
@@ -154,15 +153,13 @@ type Conn struct {
 	// derpRecvCh is used by ReceiveIPv4 to read DERP messages.
 	derpRecvCh chan derpReadResult

-	// derpRecvCountAtomic is how many derpRecvCh sends are pending.
-	// It's incremented by runDerpReader whenever a DERP message
-	// arrives and decremented when they're read.
+	// derpRecvCountAtomic is atomically incremented by runDerpReader whenever
+	// a DERP message arrives. It's incremented before runDerpReader is interrupted.
 	derpRecvCountAtomic int64
-
-	// ippEndpoint4 and ippEndpoint6 are owned by ReceiveIPv4 and
-	// ReceiveIPv6, respectively, to cache an IPPort->endpoint for
-	// hot flows.
-	ippEndpoint4, ippEndpoint6 ippEndpointCache
+	// derpRecvCountLast is used by ReceiveIPv4 to compare against
+	// its last read value of derpRecvCountAtomic to determine
+	// whether a DERP channel read should be done.
+	derpRecvCountLast int64 // owned by ReceiveIPv4

 	// ============================================================
 	mu     sync.Mutex // guards all following fields; see userspaceEngine lock ordering rules
@@ -171,19 +168,6 @@ type Conn struct {
 	started bool // Start was called
 	closed  bool // Close was called

-	// derpCleanupTimer is the timer that fires to occasionally clean
-	// up idle DERP connections. It's only used when there is a non-home
-	// DERP connection in use.
-	derpCleanupTimer *time.Timer
-
-	// derpCleanupTimerArmed is whether derpCleanupTimer is
-	// scheduled to fire within derpCleanStaleInterval.
-	derpCleanupTimerArmed bool
-
-	// periodicReSTUNTimer, when non-nil, is an AfterFunc timer
-	// that will call Conn.doPeriodicSTUN.
-	periodicReSTUNTimer *time.Timer
-
 	// endpointsUpdateActive indicates that updateEndpoints is
 	// currently running. It's used to deduplicate concurrent endpoint
 	// update requests.
@@ -198,14 +182,6 @@ type Conn struct {
 	// change notifications.
 	lastEndpoints []string

-	// lastEndpointsTime is the last time the endpoints were updated,
-	// even if there was no change.
-	lastEndpointsTime time.Time
-
-	// onEndpointRefreshed are funcs to run (in their own goroutines)
-	// when endpoints are refreshed.
-	onEndpointRefreshed map[*discoEndpoint]func()
-
 	// peerSet is the set of peers that are currently configured in
 	// WireGuard. These are not used to filter inbound or outbound
 	// traffic at all, but only to track what state can be cleaned up
@@ -302,9 +278,6 @@ type Conn struct {
 	// with IPv4 or IPv6). It's used to suppress log spam and prevent
 	// new connection that'll fail.
 	networkUp syncs.AtomicBool
-
-	// havePrivateKey is whether privateKey is non-zero.
-	havePrivateKey syncs.AtomicBool
 }

 // derpRoute is a route entry for a public key, saying that a certain
@@ -504,6 +477,13 @@ func (c *Conn) Start() {
 	c.mu.Unlock()

 	c.ReSTUN("initial")
+
+	// We assume that LinkChange notifications are plumbed through well
+	// on our mobile clients, so don't do the timer thing to save radio/battery/CPU/etc.
+	if !version.IsMobile() {
+		go c.periodicReSTUN()
+	}
+	go c.periodicDerpCleanup()
 }

 // ignoreSTUNPackets sets a STUN packet processing func that does nothing.
@@ -511,17 +491,6 @@ func (c *Conn) ignoreSTUNPackets() {
 	c.stunReceiveFunc.Store(func([]byte, netaddr.IPPort) {})
 }

-// doPeriodicSTUN is called (in a new goroutine) by
-// periodicReSTUNTimer when periodic STUNs are active.
-func (c *Conn) doPeriodicSTUN() { c.ReSTUN("periodic") }
-
-func (c *Conn) stopPeriodicReSTUNTimerLocked() {
-	if t := c.periodicReSTUNTimer; t != nil {
-		t.Stop()
-		c.periodicReSTUNTimer = nil
-	}
-}
-
 // c.mu must NOT be held.
 func (c *Conn) updateEndpoints(why string) {
 	defer func() {
@@ -529,37 +498,13 @@ func (c *Conn) updateEndpoints(why string) {
 		defer c.mu.Unlock()
 		why := c.wantEndpointsUpdate
 		c.wantEndpointsUpdate = ""
-		if !c.closed {
-			if why != "" {
-				go c.updateEndpoints(why)
-				return
-			}
-			if c.shouldDoPeriodicReSTUNLocked() {
-				// Pick a random duration between 20
-				// and 26 seconds (just under 30s, a
-				// common UDP NAT timeout on Linux,
-				// etc)
-				d := tstime.RandomDurationBetween(20*time.Second, 26*time.Second)
-				if t := c.periodicReSTUNTimer; t != nil {
-					if debugReSTUNStopOnIdle {
-						c.logf("resetting existing periodicSTUN to run in %v", d)
-					}
-					t.Reset(d)
-				} else {
-					if debugReSTUNStopOnIdle {
-						c.logf("scheduling periodicSTUN to run in %v", d)
-					}
-					c.periodicReSTUNTimer = time.AfterFunc(d, c.doPeriodicSTUN)
-				}
-			} else {
-				if debugReSTUNStopOnIdle {
-					c.logf("periodic STUN idle")
-				}
-				c.stopPeriodicReSTUNTimerLocked()
-			}
+		if why != "" && !c.closed {
+			go c.updateEndpoints(why)
+		} else {
+			c.endpointsUpdateActive = false
+			c.muCond.Broadcast()
 		}
-		c.endpointsUpdateActive = false
-		c.muCond.Broadcast()
+
 	}()
 	c.logf("[v1] magicsock: starting endpoint update (%s)", why)

@@ -604,12 +549,6 @@ func (c *Conn) setEndpoints(endpoints []string, reasons map[string]string) (chan
 		return false
 	}

-	c.lastEndpointsTime = time.Now()
-	for de, fn := range c.onEndpointRefreshed {
-		go fn()
-		delete(c.onEndpointRefreshed, de)
-	}
-
 	if stringsEqual(endpoints, c.lastEndpoints) {
 		return false
 	}
@@ -961,13 +900,6 @@ func (c *Conn) setNearestDERP(derpNum int) (wantDERP bool) {
 	return true
 }

-// startDerpHomeConnectLocked starts connecting to our DERP home, if any.
-//
-// c.mu must be held.
-func (c *Conn) startDerpHomeConnectLocked() {
-	c.goDerpConnect(c.myDerp)
-}
-
 // goDerpConnect starts a goroutine to start connecting to the given
 // DERP node.
 //
@@ -1282,7 +1214,6 @@ func (c *Conn) derpWriteChanOfAddr(addr netaddr.IPPort, peer key.Public) chan<-
 	c.activeDerp[regionID] = ad
 	c.logActiveDerpLocked()
 	c.setPeerLastDerpLocked(peer, regionID, regionID)
-	c.scheduleCleanStaleDerpLocked()

 	// Build a startGate for the derp reader+writer
 	// goroutines, so they don't start running until any
@@ -1361,8 +1292,6 @@ type derpReadResult struct {
 	// copyBuf is called to copy the data to dst.  It returns how
 	// much data was copied, which will be n if dst is large
 	// enough. copyBuf can only be called once.
-	// If copyBuf is nil, that's a signal from the sender to ignore
-	// this message.
 	copyBuf func(dst []byte) int
 }

@@ -1450,62 +1379,28 @@ func (c *Conn) runDerpReader(ctx context.Context, derpFakeAddr netaddr.IPPort, d
 			continue

 		}
+		// Before we wake up ReceiveIPv4 with SetReadDeadline,
+		// note that a DERP packet has arrived.  ReceiveIPv4
+		// will read this field to note that its UDP read
+		// error is due to us.
+		atomic.AddInt64(&c.derpRecvCountAtomic, 1)
+		// Cancel the pconn read goroutine.
+		c.pconn4.SetReadDeadline(aLongTimeAgo)

-		if !c.sendDerpReadResult(ctx, res) {
-			return
-		}
 		select {
 		case <-ctx.Done():
 			return
-		case <-didCopy:
-			continue
+		case c.derpRecvCh <- res:
+			select {
+			case <-ctx.Done():
+				return
+			case <-didCopy:
+				continue
+			}
 		}
 	}
 }

-var (
-	testCounterZeroDerpReadResultSend expvar.Int
-	testCounterZeroDerpReadResultRecv expvar.Int
-)
-
-// sendDerpReadResult sends res to c.derpRecvCh and reports whether it
-// was sent. (It reports false if ctx was done first.)
-//
-// This includes doing the whole wake-up dance to interrupt
-// ReceiveIPv4's blocking UDP read.
-func (c *Conn) sendDerpReadResult(ctx context.Context, res derpReadResult) (sent bool) {
-	// Before we wake up ReceiveIPv4 with SetReadDeadline,
-	// note that a DERP packet has arrived. ReceiveIPv4
-	// will read this field to note that its UDP read
-	// error is due to us.
-	atomic.AddInt64(&c.derpRecvCountAtomic, 1)
-	// Cancel the pconn read goroutine.
-	c.pconn4.SetReadDeadline(aLongTimeAgo)
-	select {
-	case <-ctx.Done():
-		select {
-		case <-c.donec:
-			// The whole Conn shut down. The reader of
-			// c.derpRecvCh also selects on c.donec, so it's
-			// safe to abort now.
-		case c.derpRecvCh <- (derpReadResult{}):
-			// Just this DERP reader is closing (perhaps
-			// the user is logging out, or the DERP
-			// connection is too idle for sends). Since we
-			// already incremented c.derpRecvCountAtomic,
-			// we need to send on the channel (unless the
-			// conn is going down).
-			// The receiver treats a derpReadResult zero value
-			// message as a skip.
-			testCounterZeroDerpReadResultSend.Add(1)
-
-		}
-		return false
-	case c.derpRecvCh <- res:
-		return true
-	}
-}
-
 type derpWriteRequest struct {
 	addr   netaddr.IPPort
 	pubKey key.Public
@@ -1588,27 +1483,27 @@ func (c *Conn) ReceiveIPv6(b []byte) (int, conn.Endpoint, error) {
 		if err != nil {
 			return 0, nil, err
 		}
-		if ep, ok := c.receiveIP(b[:n], pAddr.(*net.UDPAddr), &c.ippEndpoint6); ok {
+		if ep, ok := c.receiveIP(b[:n], pAddr.(*net.UDPAddr)); ok {
 			return n, ep, nil
 		}
 	}
 }

 func (c *Conn) derpPacketArrived() bool {
-	return atomic.LoadInt64(&c.derpRecvCountAtomic) > 0
+	rc := atomic.LoadInt64(&c.derpRecvCountAtomic)
+	if rc != c.derpRecvCountLast {
+		c.derpRecvCountLast = rc
+		return true
+	}
+	return false
 }

 // ReceiveIPv4 is called by wireguard-go to receive an IPv4 packet.
 // In Tailscale's case, that packet might also arrive via DERP. A DERP packet arrival
 // aborts the pconn4 read deadline to make it fail.
 func (c *Conn) ReceiveIPv4(b []byte) (n int, ep conn.Endpoint, err error) {
-	var pAddr net.Addr
 	for {
-		// Drain DERP queues before reading new UDP packets.
-		if c.derpPacketArrived() {
-			goto ReadDERP
-		}
-		n, pAddr, err = c.pconn4.ReadFrom(b)
+		n, pAddr, err := c.pconn4.ReadFrom(b)
 		if err != nil {
 			// If the pconn4 read failed, the likely reason is a DERP reader received
 			// a packet and interrupted us.
@@ -1616,59 +1511,37 @@ func (c *Conn) ReceiveIPv4(b []byte) (n int, ep conn.Endpoint, err error) {
 			// and for there to have also had a DERP packet arrive, but that's fine:
 			// we'll get the same error from ReadFrom later.
 			if c.derpPacketArrived() {
-				goto ReadDERP
+				c.pconn4.SetReadDeadline(time.Time{}) // restore
+				n, ep, err = c.receiveIPv4DERP(b)
+				if err == errLoopAgain {
+					continue
+				}
+				return n, ep, err
 			}
 			return 0, nil, err
 		}
-		if ep, ok := c.receiveIP(b[:n], pAddr.(*net.UDPAddr), &c.ippEndpoint4); ok {
+		if ep, ok := c.receiveIP(b[:n], pAddr.(*net.UDPAddr)); ok {
 			return n, ep, nil
-		} else {
-			continue
 		}
-	ReadDERP:
-		n, ep, err = c.receiveIPv4DERP(b)
-		if err == errLoopAgain {
-			continue
-		}
-		return n, ep, err
 	}
 }

 // receiveIP is the shared bits of ReceiveIPv4 and ReceiveIPv6.
-//
-// ok is whether this read should be reported up to wireguard-go (our
-// caller).
-func (c *Conn) receiveIP(b []byte, ua *net.UDPAddr, cache *ippEndpointCache) (ep conn.Endpoint, ok bool) {
+func (c *Conn) receiveIP(b []byte, ua *net.UDPAddr) (ep conn.Endpoint, ok bool) {
 	ipp, ok := netaddr.FromStdAddr(ua.IP, ua.Port, ua.Zone)
 	if !ok {
-		return nil, false
+		return
 	}
 	if stun.Is(b) {
 		c.stunReceiveFunc.Load().(func([]byte, netaddr.IPPort))(b, ipp)
-		return nil, false
+		return
 	}
 	if c.handleDiscoMessage(b, ipp) {
-		return nil, false
+		return
 	}
-	if !c.havePrivateKey.Get() {
-		// If we have no private key, we're logged out or
-		// stopped.  Don't try to pass these wireguard packets
-		// up to wireguard-go; it'll just complain (Issue
-		// 1167).
-		return nil, false
-	}
-	if cache.ipp == ipp && cache.de != nil && cache.gen == cache.de.numStopAndReset() {
-		ep = cache.de
-	} else {
-		ep = c.findEndpoint(ipp, ua, b)
-		if ep == nil {
-			return nil, false
-		}
-		if de, ok := ep.(*discoEndpoint); ok {
-			cache.ipp = ipp
-			cache.de = de
-			cache.gen = de.numStopAndReset()
-		}
+	ep = c.findEndpoint(ipp, ua, b)
+	if ep == nil {
+		return
 	}
 	c.noteRecvActivityFromEndpoint(ep)
 	return ep, true
@@ -1698,13 +1571,6 @@ func (c *Conn) receiveIPv4DERP(b []byte) (n int, ep conn.Endpoint, err error) {
 	case dm = <-c.derpRecvCh:
 		// Below.
 	}
-	if atomic.AddInt64(&c.derpRecvCountAtomic, -1) == 0 {
-		c.pconn4.SetReadDeadline(time.Time{})
-	}
-	if dm.copyBuf == nil {
-		testCounterZeroDerpReadResultRecv.Add(1)
-		return 0, nil, errLoopAgain
-	}

 	var regionID int
 	n, regionID = dm.n, dm.regionID
@@ -1742,7 +1608,7 @@ func (c *Conn) receiveIPv4DERP(b []byte) (n int, ep conn.Endpoint, err error) {
 			c.mu.Lock()

 			discoEp = c.endpointOfDisco[dk]
-			c.logf("magicsock: DERP packet received from idle peer %v; created=%v", dm.src.ShortString(), discoEp != nil)
+			c.logf("magicsock: DERP packet received from idle peer %v; created=%v", dm.src.ShortString(), ep != nil)
 		}
 	}
 	if !c.disableLegacy {
@@ -1814,8 +1680,8 @@ func (c *Conn) sendDiscoMessage(dst netaddr.IPPort, dstKey tailcfg.NodeKey, dstD
 	return sent, err
 }

-// handleDiscoMessage handles a discovery message and reports whether
-// msg was a Tailscale inter-node discovery message.
+// handleDiscoMessage reports whether msg was a Tailscale inter-node discovery message
+// that was handled.
 //
 // A discovery message has the form:
 //
@@ -1826,18 +1692,11 @@ func (c *Conn) sendDiscoMessage(dst netaddr.IPPort, dstKey tailcfg.NodeKey, dstD
 //
 // For messages received over DERP, the addr will be derpMagicIP (with
 // port being the region)
-func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bool) {
+func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) bool {
 	const headerLen = len(disco.Magic) + len(tailcfg.DiscoKey{}) + disco.NonceLen
 	if len(msg) < headerLen || string(msg[:len(disco.Magic)]) != disco.Magic {
 		return false
 	}
-
-	// If the first four parts are the prefix of disco.Magic
-	// (0x5453f09f) then it's definitely not a valid Wireguard
-	// packet (which starts with little-endian uint32 1, 2, 3, 4).
-	// Use naked returns for all following paths.
-	isDiscoMsg = true
-
 	var sender tailcfg.DiscoKey
 	copy(sender[:], msg[len(disco.Magic):])

@@ -1845,21 +1704,20 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 	defer c.mu.Unlock()

 	if c.closed {
-		return
+		return true
 	}
 	if debugDisco {
 		c.logf("magicsock: disco: got disco-looking frame from %v", sender.ShortString())
 	}
 	if c.privateKey.IsZero() {
 		// Ignore disco messages when we're stopped.
-		// Still return true, to not pass it down to wireguard.
-		return
+		return false
 	}
 	if c.discoPrivate.IsZero() {
 		if debugDisco {
 			c.logf("magicsock: disco: ignoring disco-looking frame, no local key")
 		}
-		return
+		return false
 	}

 	peerNode, ok := c.nodeOfDisco[sender]
@@ -1867,7 +1725,9 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 		if debugDisco {
 			c.logf("magicsock: disco: ignoring disco-looking frame, don't know node for %v", sender.ShortString())
 		}
-		return
+		// Returning false keeps passing it down, to WireGuard.
+		// WireGuard will almost surely reject it, but give it a chance.
+		return false
 	}

 	needsRecvActivityCall := false
@@ -1880,7 +1740,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 		c.logf("magicsock: got disco message from idle peer, starting lazy conf for %v, %v", peerNode.Key.ShortString(), sender.ShortString())
 		if c.noteRecvActivity == nil {
 			c.logf("magicsock: [unexpected] have node without endpoint, without c.noteRecvActivity hook")
-			return
+			return false
 		}
 		needsRecvActivityCall = true
 	} else {
@@ -1899,7 +1759,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 		// Now, recheck invariants that might've changed while we'd
 		// released the lock, which isn't much:
 		if c.closed || c.privateKey.IsZero() {
-			return
+			return true
 		}
 		de, ok = c.endpointOfDisco[sender]
 		if !ok {
@@ -1908,7 +1768,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 				return false
 			}
 			c.logf("magicsock: [unexpected] lazy endpoint not created for %v, %v", peerNode.Key.ShortString(), sender.ShortString())
-			return
+			return false
 		}
 		if !endpointFound0 {
 			c.logf("magicsock: lazy endpoint created via disco message for %v, %v", peerNode.Key.ShortString(), sender.ShortString())
@@ -1935,7 +1795,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 			c.logf("magicsock: disco: failed to open naclbox from %v (wrong rcpt?)", sender)
 		}
 		// TODO(bradfitz): add some counter for this that logs rarely
-		return
+		return false
 	}

 	dm, err := disco.Parse(payload)
@@ -1949,7 +1809,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 		// understand. Not even worth logging about, lest it
 		// be too spammy for old clients.
 		// TODO(bradfitz): add some counter for this that logs rarely
-		return
+		return true
 	}

 	switch dm := dm.(type) {
@@ -1957,24 +1817,22 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) (isDiscoMsg bo
 		c.handlePingLocked(dm, de, src, sender, peerNode)
 	case *disco.Pong:
 		if de == nil {
-			return
+			return true
 		}
 		de.handlePongConnLocked(dm, src)
-	case *disco.CallMeMaybe:
+	case disco.CallMeMaybe:
 		if src.IP != derpMagicIPAddr {
 			// CallMeMaybe messages should only come via DERP.
 			c.logf("[unexpected] CallMeMaybe packets should only come via DERP")
-			return
+			return true
 		}
 		if de != nil {
-			c.logf("magicsock: disco: %v<-%v (%v, %v)  got call-me-maybe, %d endpoints",
-				c.discoShort, de.discoShort,
-				de.publicKey.ShortString(), derpStr(src.String()),
-				len(dm.MyNumber))
-			go de.handleCallMeMaybe(dm)
+			c.logf("magicsock: disco: %v<-%v (%v, %v)  got call-me-maybe", c.discoShort, de.discoShort, de.publicKey.ShortString(), derpStr(src.String()))
+			go de.handleCallMeMaybe()
 		}
 	}
-	return
+
+	return true
 }

 func (c *Conn) handlePingLocked(dm *disco.Ping, de *discoEndpoint, src netaddr.IPPort, sender tailcfg.DiscoKey, peerNode *tailcfg.Node) {
@@ -2001,47 +1859,6 @@ func (c *Conn) handlePingLocked(dm *disco.Ping, de *discoEndpoint, src netaddr.I
 	}, discoVerboseLog)
 }

-// enqueueCallMeMaybe schedules a send of disco.CallMeMaybe to de via derpAddr
-// once we know that our STUN endpoint is fresh.
-//
-// derpAddr is de.derpAddr at the time of send. It's assumed the peer won't be
-// flipping primary DERPs in the 0-30ms it takes to confirm our STUN endpoint.
-// If they do, traffic will just go over DERP for a bit longer until the next
-// discovery round.
-func (c *Conn) enqueueCallMeMaybe(derpAddr netaddr.IPPort, de *discoEndpoint) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	if !c.lastEndpointsTime.After(time.Now().Add(-endpointsFreshEnoughDuration)) {
-		c.logf("magicsock: want call-me-maybe but endpoints stale; restunning")
-		if c.onEndpointRefreshed == nil {
-			c.onEndpointRefreshed = map[*discoEndpoint]func(){}
-		}
-		c.onEndpointRefreshed[de] = func() {
-			c.logf("magicsock: STUN done; sending call-me-maybe to %v %v", de.discoShort, de.publicKey.ShortString())
-			c.enqueueCallMeMaybe(derpAddr, de)
-		}
-		// TODO(bradfitz): make a new 'reSTUNQuickly' method
-		// that passes down a do-a-lite-netcheck flag down to
-		// netcheck that does 1 (or 2 max) STUN queries
-		// (UDP-only, not HTTPs) to find our port mapping to
-		// our home DERP and maybe one other. For now we do a
-		// "full" ReSTUN which may or may not be a full one
-		// (depending on age) and may do HTTPS timing queries
-		// (if UDP is blocked). Good enough for now.
-		go c.ReSTUN("refresh-for-peering")
-		return
-	}
-
-	eps := make([]netaddr.IPPort, 0, len(c.lastEndpoints))
-	for _, ep := range c.lastEndpoints {
-		if ipp, err := netaddr.ParseIPPort(ep); err == nil {
-			eps = append(eps, ipp)
-		}
-	}
-	go de.sendDiscoMessage(derpAddr, &disco.CallMeMaybe{MyNumber: eps}, discoLog)
-}
-
 // setAddrToDiscoLocked records that newk is at src.
 //
 // c.mu must be held.
@@ -2130,9 +1947,7 @@ func (c *Conn) SetNetworkUp(up bool) {
 	c.logf("magicsock: SetNetworkUp(%v)", up)
 	c.networkUp.Set(up)

-	if up {
-		c.startDerpHomeConnectLocked()
-	} else {
+	if !up {
 		c.closeAllDerpLocked("network-down")
 	}
 }
@@ -2153,7 +1968,6 @@ func (c *Conn) SetPrivateKey(privateKey wgkey.Private) error {
 		return nil
 	}
 	c.privateKey = newKey
-	c.havePrivateKey.Set(!newKey.IsZero())

 	if oldKey.IsZero() {
 		c.everHadKey = true
@@ -2164,8 +1978,6 @@ func (c *Conn) SetPrivateKey(privateKey wgkey.Private) error {
 	} else if newKey.IsZero() {
 		c.logf("magicsock: SetPrivateKey called (zeroed)")
 		c.closeAllDerpLocked("zero-private-key")
-		c.stopPeriodicReSTUNTimerLocked()
-		c.onEndpointRefreshed = nil
 	} else {
 		c.logf("magicsock: SetPrivateKey called (changed)")
 		c.closeAllDerpLocked("new-private-key")
@@ -2174,7 +1986,7 @@ func (c *Conn) SetPrivateKey(privateKey wgkey.Private) error {
 	// Key changed. Close existing DERP connections and reconnect to home.
 	if c.myDerp != 0 && !newKey.IsZero() {
 		c.logf("magicsock: private key changed, reconnecting to home derp-%d", c.myDerp)
-		c.startDerpHomeConnectLocked()
+		c.goDerpConnect(c.myDerp)
 	}

 	if newKey.IsZero() {
@@ -2373,14 +2185,9 @@ func (c *Conn) foreachActiveDerpSortedLocked(fn func(regionID int, ad activeDerp
 func (c *Conn) cleanStaleDerp() {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	if c.closed {
-		return
-	}
-	c.derpCleanupTimerArmed = false
-
-	tooOld := time.Now().Add(-derpInactiveCleanupTime)
+	const inactivityTime = 60 * time.Second
+	tooOld := time.Now().Add(-inactivityTime)
 	dirty := false
-	someNonHomeOpen := false
 	for i, ad := range c.activeDerp {
 		if i == c.myDerp {
 			continue
@@ -2388,31 +2195,11 @@ func (c *Conn) cleanStaleDerp() {
 		if ad.lastWrite.Before(tooOld) {
 			c.closeDerpLocked(i, "idle")
 			dirty = true
-		} else {
-			someNonHomeOpen = true
 		}
 	}
 	if dirty {
 		c.logActiveDerpLocked()
 	}
-	if someNonHomeOpen {
-		c.scheduleCleanStaleDerpLocked()
-	}
-}
-
-func (c *Conn) scheduleCleanStaleDerpLocked() {
-	if c.derpCleanupTimerArmed {
-		// Already going to fire soon. Let the existing one
-		// fire lest it get infinitely delayed by repeated
-		// calls to scheduleCleanStaleDerpLocked.
-		return
-	}
-	c.derpCleanupTimerArmed = true
-	if c.derpCleanupTimer != nil {
-		c.derpCleanupTimer.Reset(derpCleanStaleInterval)
-	} else {
-		c.derpCleanupTimer = time.AfterFunc(derpCleanStaleInterval, c.cleanStaleDerp)
-	}
 }

 // DERPs reports the number of active DERP connections.
@@ -2435,10 +2222,6 @@ func (c *Conn) Close() error {
 	if c.closed {
 		return nil
 	}
-	if c.derpCleanupTimerArmed {
-		c.derpCleanupTimer.Stop()
-	}
-	c.stopPeriodicReSTUNTimerLocked()

 	for _, ep := range c.endpointOfDisco {
 		ep.stopAndReset()
@@ -2462,6 +2245,13 @@ func (c *Conn) Close() error {
 	return err
 }

+// isClosed reports whether c is closed.
+func (c *Conn) isClosed() bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.closed
+}
+
 func (c *Conn) goroutinesRunningLocked() bool {
 	if c.endpointsUpdateActive {
 		return true
@@ -2487,36 +2277,86 @@ func (c *Conn) goroutinesRunningLocked() bool {

 func maxIdleBeforeSTUNShutdown() time.Duration {
 	if debugReSTUNStopOnIdle {
-		return 45 * time.Second
+		return time.Minute
 	}
-	return sessionActiveTimeout
+	return 5 * time.Minute
 }

-func (c *Conn) shouldDoPeriodicReSTUNLocked() bool {
+func (c *Conn) shouldDoPeriodicReSTUN() bool {
 	if c.networkDown() {
 		return false
 	}
-	if len(c.peerSet) == 0 || c.privateKey.IsZero() {
-		// If no peers, not worth doing.
-		// Also don't if there's no key (not running).
+
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if len(c.peerSet) == 0 {
+		// No peers, so not worth doing.
 		return false
 	}
+	// If it turns out this optimization was a mistake, we can
+	// override it from the control server without waiting for a
+	// new software rollout:
+	if c.netMap != nil && c.netMap.Debug != nil && c.netMap.Debug.ForceBackgroundSTUN && !debugReSTUNStopOnIdle {
+		return true
+	}
 	if f := c.idleFunc; f != nil {
 		idleFor := f()
 		if debugReSTUNStopOnIdle {
 			c.logf("magicsock: periodicReSTUN: idle for %v", idleFor.Round(time.Second))
 		}
 		if idleFor > maxIdleBeforeSTUNShutdown() {
-			if c.netMap != nil && c.netMap.Debug != nil && c.netMap.Debug.ForceBackgroundSTUN {
-				// Overridden by control.
-				return true
+			if debugReSTUNStopOnIdle || version.IsMobile() { // TODO: make this unconditional later
+				return false
 			}
-			return false
 		}
 	}
 	return true
 }

+func (c *Conn) periodicReSTUN() {
+	prand := rand.New(rand.NewSource(time.Now().UnixNano()))
+	dur := func() time.Duration {
+		// Just under 30s, a common UDP NAT timeout (Linux at least)
+		return time.Duration(20+prand.Intn(7)) * time.Second
+	}
+	timer := time.NewTimer(dur())
+	defer timer.Stop()
+	var lastIdleState opt.Bool
+	for {
+		select {
+		case <-c.donec:
+			return
+		case <-timer.C:
+			doReSTUN := c.shouldDoPeriodicReSTUN()
+			if !lastIdleState.EqualBool(doReSTUN) {
+				if doReSTUN {
+					c.logf("[v1] magicsock: periodicReSTUN enabled")
+				} else {
+					c.logf("[v1] magicsock: periodicReSTUN disabled due to inactivity")
+				}
+				lastIdleState.Set(doReSTUN)
+			}
+			if doReSTUN {
+				c.ReSTUN("periodic")
+			}
+			timer.Reset(dur())
+		}
+	}
+}
+
+func (c *Conn) periodicDerpCleanup() {
+	ticker := time.NewTicker(15 * time.Second) // arbitrary
+	defer ticker.Stop()
+	for {
+		select {
+		case <-c.donec:
+			return
+		case <-ticker.C:
+			c.cleanStaleDerp()
+		}
+	}
+}
+
 // ReSTUN triggers an address discovery.
 // The provided why string is for debug logging only.
 func (c *Conn) ReSTUN(why string) {
@@ -2637,11 +2477,12 @@ func (c *Conn) Rebind() {

 	c.mu.Lock()
 	c.closeAllDerpLocked("rebind")
-	if !c.privateKey.IsZero() {
-		c.startDerpHomeConnectLocked()
-	}
+	haveKey := !c.privateKey.IsZero()
 	c.mu.Unlock()

+	if haveKey {
+		c.goDerpConnect(c.myDerp)
+	}
 	c.resetEndpointStates()
 }

@@ -2940,8 +2781,7 @@ func udpAddrDebugString(ua net.UDPAddr) string {
 // advertise a DiscoKey and participate in active discovery.
 type discoEndpoint struct {
 	// atomically accessed; declared first for alignment reasons
-	lastRecvUnixAtomic    int64
-	numStopAndResetAtomic int64
+	lastRecvUnixAtomic int64

 	// These fields are initialized once and never modified.
 	c                  *Conn
@@ -2969,7 +2809,6 @@ type discoEndpoint struct {
 	trustBestAddrUntil time.Time // time when bestAddr expires
 	sentPing           map[stun.TxID]sentPing
 	endpointState      map[netaddr.IPPort]*endpointState
-	isCallMeMaybeEP    map[netaddr.IPPort]bool

 	pendingCLIPings []pendingCLIPing // any outstanding "tailscale ping" commands running
 }
@@ -2982,8 +2821,6 @@ type pendingCLIPing struct {
 const (
 	// sessionActiveTimeout is how long since the last activity we
 	// try to keep an established discoEndpoint peering alive.
-	// It's also the idle time at which we stop doing STUN queries to
-	// keep NAT mappings alive.
 	sessionActiveTimeout = 2 * time.Minute

 	// upgradeInterval is how often we try to upgrade to a better path
@@ -3011,19 +2848,6 @@ const (
 	// goodEnoughLatency is the latency at or under which we don't
 	// try to upgrade to a better path.
 	goodEnoughLatency = 5 * time.Millisecond
-
-	// derpInactiveCleanupTime is how long a non-home DERP connection
-	// needs to be idle (last written to) before we close it.
-	derpInactiveCleanupTime = 60 * time.Second
-
-	// derpCleanStaleInterval is how often cleanStaleDerp runs when there
-	// are potentially-stale DERP connections to close.
-	derpCleanStaleInterval = 15 * time.Second
-
-	// endpointsFreshEnoughDuration is how long we consider a
-	// STUN-derived endpoint valid for. UDP NAT mappings typically
-	// expire at 30 seconds, so this is a few seconds shy of that.
-	endpointsFreshEnoughDuration = 27 * time.Second
 )

 // endpointState is some state and history for a specific endpoint of
@@ -3041,10 +2865,6 @@ type endpointState struct {
 	// updated and use it to discard old candidates.
 	lastGotPing time.Time

-	// callMeMaybeTime, if non-zero, is the time this endpoint
-	// was advertised last via a call-me-maybe disco message.
-	callMeMaybeTime time.Time
-
 	recentPongs []pongReply // ring buffer up to pongHistoryCount entries
 	recentPong  uint16      // index into recentPongs of most recent; older before, wrapped

@@ -3058,13 +2878,11 @@ const indexSentinelDeleted = -1
 // shouldDeleteLocked reports whether we should delete this endpoint.
 func (st *endpointState) shouldDeleteLocked() bool {
 	switch {
-	case !st.callMeMaybeTime.IsZero():
-		return false
 	case st.lastGotPing.IsZero():
 		// This was an endpoint from the network map. Is it still in the network map?
 		return st.index == indexSentinelDeleted
 	default:
-		// This was an endpoint discovered at runtime.
+		// Thiw was an endpoint discovered at runtime.
 		return time.Since(st.lastGotPing) > sessionActiveTimeout
 	}
 }
@@ -3164,6 +2982,10 @@ func (de *discoEndpoint) heartbeat() {

 	de.heartBeatTimer = nil

+	if de.c.isClosed() {
+		return
+	}
+
 	if de.lastSend.IsZero() {
 		// Shouldn't happen.
 		return
@@ -3378,12 +3200,13 @@ func (de *discoEndpoint) sendPingsLocked(now time.Time, sendCallMeMaybe bool) {
 	}
 	derpAddr := de.derpAddr
 	if sentAny && sendCallMeMaybe && !derpAddr.IsZero() {
-		// Have our magicsock.Conn figure out its STUN endpoint (if
-		// it doesn't know already) and then send a CallMeMaybe
-		// message to our peer via DERP informing them that we've
-		// sent so our firewall ports are probably open and now
-		// would be a good time for them to connect.
-		go de.c.enqueueCallMeMaybe(derpAddr, de)
+		// In just a bit of a time (for goroutines above to schedule and run),
+		// send a message to peer via DERP informing them that we've sent
+		// so our firewall ports are probably open and now would be a good time
+		// for them to connect.
+		time.AfterFunc(5*time.Millisecond, func() {
+			de.sendDiscoMessage(derpAddr, disco.CallMeMaybe{}, discoLog)
+		})
 	}
 }

@@ -3565,55 +3388,10 @@ func (st *endpointState) addPongReplyLocked(r pongReply) {
 // DERP. The contract for use of this message is that the peer has
 // already sent to us via UDP, so their stateful firewall should be
 // open. Now we can Ping back and make it through.
-func (de *discoEndpoint) handleCallMeMaybe(m *disco.CallMeMaybe) {
+func (de *discoEndpoint) handleCallMeMaybe() {
 	de.mu.Lock()
 	defer de.mu.Unlock()

-	now := time.Now()
-	for ep := range de.isCallMeMaybeEP {
-		de.isCallMeMaybeEP[ep] = false // mark for deletion
-	}
-	if de.isCallMeMaybeEP == nil {
-		de.isCallMeMaybeEP = map[netaddr.IPPort]bool{}
-	}
-	var newEPs []netaddr.IPPort
-	for _, ep := range m.MyNumber {
-		if ep.IP.Is6() && ep.IP.IsLinkLocalUnicast() {
-			// We send these out, but ignore them for now.
-			// TODO: teach the ping code to ping on all interfaces
-			// for these.
-			continue
-		}
-		de.isCallMeMaybeEP[ep] = true
-		if es, ok := de.endpointState[ep]; ok {
-			es.callMeMaybeTime = now
-		} else {
-			de.endpointState[ep] = &endpointState{callMeMaybeTime: now}
-			newEPs = append(newEPs, ep)
-		}
-	}
-	if len(newEPs) > 0 {
-		de.c.logf("magicsock: disco: call-me-maybe from %v %v added new endpoints: %v",
-			de.publicKey.ShortString(), de.discoShort,
-			logger.ArgWriter(func(w *bufio.Writer) {
-				for i, ep := range newEPs {
-					if i > 0 {
-						w.WriteString(", ")
-					}
-					w.WriteString(ep.String())
-				}
-			}))
-	}
-
-	// Delete any prior CalllMeMaybe endpoints that weren't included
-	// in this message.
-	for ep, want := range de.isCallMeMaybeEP {
-		if !want {
-			delete(de.isCallMeMaybeEP, ep)
-			de.deleteEndpointLocked(ep)
-		}
-	}
-
 	// Zero out all the lastPing times to force sendPingsLocked to send new ones,
 	// even if it's been less than 5 seconds ago.
 	for _, st := range de.endpointState {
@@ -3642,7 +3420,6 @@ func (de *discoEndpoint) populatePeerStatus(ps *ipnstate.PeerStatus) {
 // It's called when a discovery endpoint is no longer present in the NetworkMap,
 // or when magicsock is transition from running to stopped state (via SetPrivateKey(zero))
 func (de *discoEndpoint) stopAndReset() {
-	atomic.AddInt64(&de.numStopAndResetAtomic, 1)
 	de.mu.Lock()
 	defer de.mu.Unlock()

@@ -3670,10 +3447,6 @@ func (de *discoEndpoint) stopAndReset() {
 	de.pendingCLIPings = nil
 }

-func (de *discoEndpoint) numStopAndReset() int64 {
-	return atomic.LoadInt64(&de.numStopAndResetAtomic)
-}
-
 // derpStr replaces DERP IPs in s with "derp-".
 func derpStr(s string) string { return strings.ReplaceAll(s, "127.3.3.40:", "derp-") }

@@ -3695,11 +3468,3 @@ func (c *Conn) WhoIs(ip netaddr.IP) (n *tailcfg.Node, u tailcfg.UserProfile, ok
 	}
 	return nil, u, false
 }
-
-// ippEndpointCache is a mutex-free single-element cache, mapping from
-// a single netaddr.IPPort to a single endpoint.
-type ippEndpointCache struct {
-	ipp netaddr.IPPort
-	gen int64
-	de  *discoEndpoint
-}
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@@ -17,7 +17,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
-	"runtime"
 	"strconv"
 	"strings"
 	"sync"
@@ -47,7 +46,6 @@ import (
 	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/tstun"
-	"tailscale.com/wgengine/wglog"
 )

 func init() {
@@ -129,7 +127,6 @@ type magicStack struct {
 	tun        *tuntest.ChannelTUN // TUN device to send/receive packets
 	tsTun      *tstun.TUN          // wrapped tun that implements filtering and wgengine hooks
 	dev        *device.Device      // the wireguard-go Device that connects the previous things
-	wgLogger   *wglog.Logger       // wireguard-go log wrapper
 }

 // newMagicStack builds and initializes an idle magicsock and
@@ -166,9 +163,8 @@ func newMagicStack(t testing.TB, logf logger.Logf, l nettype.PacketListener, der
 	tsTun := tstun.WrapTUN(logf, tun.TUN())
 	tsTun.SetFilter(filter.NewAllowAllForTest(logf))

-	wgLogger := wglog.NewLogger(logf)
 	dev := device.NewDevice(tsTun, &device.DeviceOptions{
-		Logger:         wgLogger.DeviceLogger,
+		Logger:         wireguardGoLogger(logf),
 		CreateEndpoint: conn.CreateEndpoint,
 		CreateBind:     conn.CreateBind,
 		SkipBindUpdate: true,
@@ -191,15 +187,9 @@ func newMagicStack(t testing.TB, logf logger.Logf, l nettype.PacketListener, der
 		tun:        tun,
 		tsTun:      tsTun,
 		dev:        dev,
-		wgLogger:   wgLogger,
 	}
 }

-func (s *magicStack) Reconfig(cfg *wgcfg.Config) error {
-	s.wgLogger.SetPeers(cfg.Peers)
-	return s.dev.Reconfig(cfg)
-}
-
 func (s *magicStack) String() string {
 	pub := s.Public()
 	return pub.ShortString()
@@ -300,7 +290,7 @@ func meshStacks(logf logger.Logf, ms []*magicStack) (cleanup func()) {
 				// blow up. Shouldn't happen anyway.
 				panic(fmt.Sprintf("failed to construct wgcfg from netmap: %v", err))
 			}
-			if err := m.Reconfig(wg); err != nil {
+			if err := m.dev.Reconfig(wg); err != nil {
 				panic(fmt.Sprintf("device reconfig failed: %v", err))
 			}
 		}
@@ -536,7 +526,7 @@ func TestDeviceStartStop(t *testing.T) {

 	tun := tuntest.NewChannelTUN()
 	dev := device.NewDevice(tun.TUN(), &device.DeviceOptions{
-		Logger:         wglog.NewLogger(t.Logf).DeviceLogger,
+		Logger:         wireguardGoLogger(t.Logf),
 		CreateEndpoint: conn.CreateEndpoint,
 		CreateBind:     conn.CreateBind,
 		SkipBindUpdate: true,
@@ -906,10 +896,7 @@ func testTwoDevicePing(t *testing.T, d *devices) {

 	// This gets reassigned inside every test, so that the connections
 	// all log using the "current" t.Logf function. Sigh.
-	nestedLogf, setT := makeNestable(t)
-
-	logf, closeLogf := logger.LogfCloser(nestedLogf)
-	defer closeLogf()
+	logf, setT := makeNestable(t)

 	derpMap, cleanup := runDERPAndStun(t, logf, d.stun, d.stunIP)
 	defer cleanup()
@@ -925,10 +912,10 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	}
 	cfgs := makeConfigs(t, addrs)

-	if err := m1.Reconfig(&cfgs[0]); err != nil {
+	if err := m1.dev.Reconfig(&cfgs[0]); err != nil {
 		t.Fatal(err)
 	}
-	if err := m2.Reconfig(&cfgs[1]); err != nil {
+	if err := m2.dev.Reconfig(&cfgs[1]); err != nil {
 		t.Fatal(err)
 	}

@@ -993,7 +980,7 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	t.Run("no-op dev1 reconfig", func(t *testing.T) {
 		setT(t)
 		defer setT(outerT)
-		if err := m1.Reconfig(&cfgs[0]); err != nil {
+		if err := m1.dev.Reconfig(&cfgs[0]); err != nil {
 			t.Fatal(err)
 		}
 		ping1(t)
@@ -1070,10 +1057,10 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	ep1 := cfgs[1].Peers[0].Endpoints
 	ep1 = derpEp + "," + ep1
 	cfgs[1].Peers[0].Endpoints = ep1
-	if err := m1.Reconfig(&cfgs[0]); err != nil {
+	if err := m1.dev.Reconfig(&cfgs[0]); err != nil {
 		t.Fatal(err)
 	}
-	if err := m2.Reconfig(&cfgs[1]); err != nil {
+	if err := m2.dev.Reconfig(&cfgs[1]); err != nil {
 		t.Fatal(err)
 	}

@@ -1086,10 +1073,10 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	// Disable real route.
 	cfgs[0].Peers[0].Endpoints = derpEp
 	cfgs[1].Peers[0].Endpoints = derpEp
-	if err := m1.Reconfig(&cfgs[0]); err != nil {
+	if err := m1.dev.Reconfig(&cfgs[0]); err != nil {
 		t.Fatal(err)
 	}
-	if err := m2.Reconfig(&cfgs[1]); err != nil {
+	if err := m2.dev.Reconfig(&cfgs[1]); err != nil {
 		t.Fatal(err)
 	}
 	time.Sleep(250 * time.Millisecond) // TODO remove
@@ -1115,10 +1102,10 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 	if ep2 := cfgs[1].Peers[0].Endpoints; len(ep2) != 1 {
 		t.Errorf("unexpected peer endpoints in dev2: %v", ep2)
 	}
-	if err := m2.Reconfig(&cfgs[1]); err != nil {
+	if err := m2.dev.Reconfig(&cfgs[1]); err != nil {
 		t.Fatal(err)
 	}
-	if err := m1.Reconfig(&cfgs[0]); err != nil {
+	if err := m1.dev.Reconfig(&cfgs[0]); err != nil {
 		t.Fatal(err)
 	}
 	// Dear future human debugging a test failure here: this test is
@@ -1411,136 +1398,19 @@ func Test32bitAlignment(t *testing.T) {
 	atomic.AddInt64(&c.derpRecvCountAtomic, 1)
 }

-// newNonLegacyTestConn returns a new Conn with DisableLegacyNetworking set true.
-func newNonLegacyTestConn(t testing.TB) *Conn {
-	t.Helper()
-	port := pickPort(t)
+func BenchmarkReceiveFrom(b *testing.B) {
+	port := pickPort(b)
 	conn, err := NewConn(Options{
-		Logf: t.Logf,
+		Logf: b.Logf,
 		Port: port,
 		EndpointsFunc: func(eps []string) {
-			t.Logf("endpoints: %q", eps)
+			b.Logf("endpoints: %q", eps)
 		},
 		DisableLegacyNetworking: true,
 	})
 	if err != nil {
-		t.Fatal(err)
+		b.Fatal(err)
 	}
-	return conn
-}
-
-// Tests concurrent DERP readers pushing DERP data into ReceiveIPv4
-// (which should blend all DERP reads into UDP reads).
-func TestDerpReceiveFromIPv4(t *testing.T) {
-	conn := newNonLegacyTestConn(t)
-	defer conn.Close()
-
-	sendConn, err := net.ListenPacket("udp4", "127.0.0.1:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer sendConn.Close()
-	nodeKey, _ := addTestEndpoint(conn, sendConn)
-
-	var sends int = 250e3 // takes about a second
-	if testing.Short() {
-		sends /= 10
-	}
-	senders := runtime.NumCPU()
-	sends -= (sends % senders)
-	var wg sync.WaitGroup
-	defer wg.Wait()
-	t.Logf("doing %v sends over %d senders", sends, senders)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer conn.Close()
-	defer cancel()
-
-	doneCtx, cancelDoneCtx := context.WithCancel(context.Background())
-	cancelDoneCtx()
-
-	for i := 0; i < senders; i++ {
-		wg.Add(1)
-		regionID := i + 1
-		go func() {
-			defer wg.Done()
-			for i := 0; i < sends/senders; i++ {
-				res := derpReadResult{
-					regionID: regionID,
-					n:        123,
-					src:      key.Public(nodeKey),
-					copyBuf:  func(dst []byte) int { return 123 },
-				}
-				// First send with the closed context. ~50% of
-				// these should end up going through the
-				// send-a-zero-derpReadResult path, returning
-				// true, in which case we don't want to send again.
-				// We test later that we hit the other path.
-				if conn.sendDerpReadResult(doneCtx, res) {
-					continue
-				}
-
-				if !conn.sendDerpReadResult(ctx, res) {
-					t.Error("unexpected false")
-					return
-				}
-			}
-		}()
-	}
-
-	zeroSendsStart := testCounterZeroDerpReadResultSend.Value()
-
-	buf := make([]byte, 1500)
-	for i := 0; i < sends; i++ {
-		n, ep, err := conn.ReceiveIPv4(buf)
-		if err != nil {
-			t.Fatal(err)
-		}
-		_ = n
-		_ = ep
-	}
-
-	t.Logf("did %d ReceiveIPv4 calls", sends)
-
-	zeroSends, zeroRecv := testCounterZeroDerpReadResultSend.Value(), testCounterZeroDerpReadResultRecv.Value()
-	if zeroSends != zeroRecv {
-		t.Errorf("did %d zero sends != %d corresponding receives", zeroSends, zeroRecv)
-	}
-	zeroSendDelta := zeroSends - zeroSendsStart
-	if zeroSendDelta == 0 {
-		t.Errorf("didn't see any sends of derpReadResult zero value")
-	}
-	if zeroSendDelta == int64(sends) {
-		t.Errorf("saw %v sends of the derpReadResult zero value which was unexpectedly high (100%% of our %v sends)", zeroSendDelta, sends)
-	}
-}
-
-// addTestEndpoint sets conn's network map to a single peer expected
-// to receive packets from sendConn (or DERP), and returns that peer's
-// nodekey and discokey.
-func addTestEndpoint(conn *Conn, sendConn net.PacketConn) (tailcfg.NodeKey, tailcfg.DiscoKey) {
-	// Give conn just enough state that it'll recognize sendConn as a
-	// valid peer and not fall through to the legacy magicsock
-	// codepath.
-	discoKey := tailcfg.DiscoKey{31: 1}
-	nodeKey := tailcfg.NodeKey{0: 'N', 1: 'K'}
-	conn.SetNetworkMap(&controlclient.NetworkMap{
-		Peers: []*tailcfg.Node{
-			{
-				Key:       nodeKey,
-				DiscoKey:  discoKey,
-				Endpoints: []string{sendConn.LocalAddr().String()},
-			},
-		},
-	})
-	conn.SetPrivateKey(wgkey.Private{0: 1})
-	conn.CreateEndpoint([32]byte(nodeKey), "0000000000000000000000000000000000000000000000000000000000000001.disco.tailscale:12345")
-	conn.addValidDiscoPathForTest(discoKey, netaddr.MustParseIPPort(sendConn.LocalAddr().String()))
-	return nodeKey, discoKey
-}
-
-func BenchmarkReceiveFrom(b *testing.B) {
-	conn := newNonLegacyTestConn(b)
 	defer conn.Close()

 	sendConn, err := net.ListenPacket("udp4", "127.0.0.1:0")
@@ -1549,7 +1419,20 @@ func BenchmarkReceiveFrom(b *testing.B) {
 	}
 	defer sendConn.Close()

-	addTestEndpoint(conn, sendConn)
+	// Give conn just enough state that it'll recognize sendConn as a
+	// valid peer and not fall through to the legacy magicsock
+	// codepath.
+	discoKey := tailcfg.DiscoKey{31: 1}
+	conn.SetNetworkMap(&controlclient.NetworkMap{
+		Peers: []*tailcfg.Node{
+			{
+				DiscoKey:  discoKey,
+				Endpoints: []string{sendConn.LocalAddr().String()},
+			},
+		},
+	})
+	conn.CreateEndpoint([32]byte{1: 1}, "0000000000000000000000000000000000000000000000000000000000000001.disco.tailscale:12345")
+	conn.addValidDiscoPathForTest(discoKey, netaddr.MustParseIPPort(sendConn.LocalAddr().String()))

 	var dstAddr net.Addr = conn.pconn4.LocalAddr()
 	sendBuf := make([]byte, 1<<10)
@@ -1601,3 +1484,19 @@ func BenchmarkReceiveFrom_Native(b *testing.B) {
 		}
 	}
 }
+
+func wireguardGoLogger(logf logger.Logf) *device.Logger {
+	// wireguard-go logs as it starts and stops routines.
+	// Silence those; there are a lot of them, and they're just noise.
+	allowLogf := func(s string) bool {
+		return !strings.Contains(s, "Routine:")
+	}
+	filtered := logger.Filtered(logf, allowLogf)
+	stdLogger := logger.StdLogger(filtered)
+
+	return &device.Logger{
+		Debug: stdLogger,
+		Info:  stdLogger,
+		Error: stdLogger,
+	}
+}
--- a/wgengine/pendopen.go
+++ b/wgengine/pendopen.go
@@ -30,12 +30,6 @@ func debugConnectFailures() bool {

 type pendingOpenFlow struct {
 	timer *time.Timer // until giving up on the flow
-
-	// guarded by userspaceEngine.mu:
-
-	// problem is non-zero if we got a MaybeBroken (non-terminal)
-	// TSMP "reject" header.
-	problem packet.TailscaleRejectReason
 }

 func (e *userspaceEngine) removeFlow(f flowtrack.Tuple) (removed bool) {
@@ -51,17 +45,6 @@ func (e *userspaceEngine) removeFlow(f flowtrack.Tuple) (removed bool) {
 	return true
 }

-func (e *userspaceEngine) noteFlowProblemFromPeer(f flowtrack.Tuple, problem packet.TailscaleRejectReason) {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-	of, ok := e.pendOpen[f]
-	if !ok {
-		// Not a tracked flow (likely already removed)
-		return
-	}
-	of.problem = problem
-}
-
 func (e *userspaceEngine) trackOpenPreFilterIn(pp *packet.Parsed, t *tstun.TUN) (res filter.Response) {
 	res = filter.Accept // always

@@ -71,9 +54,7 @@ func (e *userspaceEngine) trackOpenPreFilterIn(pp *packet.Parsed, t *tstun.TUN)
 		if !ok {
 			return
 		}
-		if rh.MaybeBroken {
-			e.noteFlowProblemFromPeer(rh.Flow(), rh.Reason)
-		} else if f := rh.Flow(); e.removeFlow(f) {
+		if f := rh.Flow(); e.removeFlow(f) {
 			e.logf("open-conn-track: flow %v %v > %v rejected due to %v", rh.Proto, rh.Src, rh.Dst, rh.Reason)
 		}
 		return
@@ -125,20 +106,14 @@ func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.TUN

 func (e *userspaceEngine) onOpenTimeout(flow flowtrack.Tuple) {
 	e.mu.Lock()
-	of, ok := e.pendOpen[flow]
-	if !ok {
+	if _, ok := e.pendOpen[flow]; !ok {
 		// Not a tracked flow, or already handled & deleted.
 		e.mu.Unlock()
 		return
 	}
 	delete(e.pendOpen, flow)
-	problem := of.problem
 	e.mu.Unlock()

-	if !problem.IsZero() {
-		e.logf("open-conn-track: timeout opening %v; peer reported problem: %v", flow, problem)
-	}
-
 	// Diagnose why it might've timed out.
 	n, ok := e.magicConn.PeerForIP(flow.Dst.IP)
 	if !ok {
--- a/wgengine/router/ifconfig_windows.go
+++ b/wgengine/router/ifconfig_windows.go
@@ -237,7 +237,7 @@ func interfaceFromLUID(luid winipcfg.LUID, flags winipcfg.GAAFlags) (*winipcfg.I
 	return nil, fmt.Errorf("interfaceFromLUID: interface with LUID %v not found", luid)
 }

-func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
+func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 	const mtu = 0
 	luid := winipcfg.LUID(tun.LUID())
 	iface, err := interfaceFromLUID(luid,
@@ -251,15 +251,6 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 		return err
 	}

-	// Send non-nil return errors to retErrc, to interupt our background
-	// setPrivateNetwork goroutine.
-	retErrc := make(chan error, 1)
-	defer func() {
-		if retErr != nil {
-			retErrc <- retErr
-		}
-	}()
-
 	go func() {
 		// It takes a weirdly long time for Windows to notice the
 		// new interface has come up. Poll periodically until it
@@ -271,18 +262,11 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 				log.Printf("setPrivateNetwork(try=%d): %v", i, err)
 			} else {
 				if found {
-					if i > 0 {
-						log.Printf("setPrivateNetwork(try=%d): success", i)
-					}
 					return
 				}
 				log.Printf("setPrivateNetwork(try=%d): not found", i)
 			}
-			select {
-			case <-time.After(time.Second):
-			case <-retErrc:
-				return
-			}
+			time.Sleep(1 * time.Second)
 		}
 		log.Printf("setPrivateNetwork: adapter LUID %v not found after %d tries, giving up", luid, tries)
 	}()
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -116,7 +116,7 @@ func newUserspaceRouter(logf logger.Logf, _ *device.Device, tunDev tun.Device) (

 	v6err := checkIPv6()
 	if v6err != nil {
-		logf("disabling tunneled IPv6 due to system IPv6 config: %v", v6err)
+		logf("disabling IPv6 due to system IPv6 config: %v", v6err)
 	}
 	supportsV6 := v6err == nil
 	supportsV6NAT := supportsV6 && supportsV6NAT()
@@ -366,9 +366,7 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 // address is already assigned to the interface, or if the addition
 // fails.
 func (r *linuxRouter) addAddress(addr netaddr.IPPrefix) error {
-	if !r.v6Available && addr.IP.Is6() {
-		return nil
-	}
+
 	if err := r.cmd.run("ip", "addr", "add", addr.String(), "dev", r.tunname); err != nil {
 		return fmt.Errorf("adding address %q to tunnel interface: %w", addr, err)
 	}
@@ -382,9 +380,6 @@ func (r *linuxRouter) addAddress(addr netaddr.IPPrefix) error {
 // the address is not assigned to the interface, or if the removal
 // fails.
 func (r *linuxRouter) delAddress(addr netaddr.IPPrefix) error {
-	if !r.v6Available && addr.IP.Is6() {
-		return nil
-	}
 	if err := r.delLoopbackRule(addr.IP); err != nil {
 		return err
 	}
@@ -442,9 +437,6 @@ func (r *linuxRouter) delLoopbackRule(addr netaddr.IP) error {
 // interface. Fails if the route already exists, or if adding the
 // route fails.
 func (r *linuxRouter) addRoute(cidr netaddr.IPPrefix) error {
-	if !r.v6Available && cidr.IP.Is6() {
-		return nil
-	}
 	args := []string{
 		"ip", "route", "add",
 		normalizeCIDR(cidr),
@@ -460,9 +452,6 @@ func (r *linuxRouter) addRoute(cidr netaddr.IPPrefix) error {
 // interface. Fails if the route doesn't exist, or if removing the
 // route fails.
 func (r *linuxRouter) delRoute(cidr netaddr.IPPrefix) error {
-	if !r.v6Available && cidr.IP.Is6() {
-		return nil
-	}
 	args := []string{
 		"ip", "route", "del",
 		normalizeCIDR(cidr),
@@ -1045,22 +1034,18 @@ func checkIPv6() error {
 		return errors.New("disable_ipv6 is set")
 	}

-	// Older kernels don't support IPv6 policy routing. Some kernels
-	// support policy routing but don't have this knob, so absence of
-	// the knob is not fatal.
+	// Older kernels don't support IPv6 policy routing.
 	bs, err = ioutil.ReadFile("/proc/sys/net/ipv6/conf/all/disable_policy")
-	if err == nil {
-		disabled, err = strconv.ParseBool(strings.TrimSpace(string(bs)))
-		if err != nil {
-			return errors.New("disable_policy has invalid bool")
-		}
-		if disabled {
-			return errors.New("disable_policy is set")
-		}
+	if err != nil {
+		// Absent knob means policy routing is unsupported.
+		return err
 	}
-
-	if err := checkIPRuleSupportsV6(); err != nil {
-		return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err)
+	disabled, err = strconv.ParseBool(strings.TrimSpace(string(bs)))
+	if err != nil {
+		return errors.New("disable_policy has invalid bool")
+	}
+	if disabled {
+		return errors.New("disable_policy is set")
 	}

 	// Some distros ship ip6tables separately from iptables.
@@ -1068,6 +1053,10 @@ func checkIPv6() error {
 		return err
 	}

+	if err := checkIPRuleSupportsV6(); err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -1088,17 +1077,13 @@ func supportsV6NAT() bool {
 }

 func checkIPRuleSupportsV6() error {
-	add := []string{"-6", "rule", "add", "pref", "1234", "fwmark", tailscaleBypassMark, "table", tailscaleRouteTable}
-	del := []string{"-6", "rule", "del", "pref", "1234", "fwmark", tailscaleBypassMark, "table", tailscaleRouteTable}
-
-	// First delete the rule unconditionally, and don't check for
-	// errors. This is just cleaning up anything that might be already
-	// there.
-	exec.Command("ip", del...).Run()
-
-	// Try adding the rule. This will fail on systems that support
-	// IPv6, but not IPv6 policy routing.
-	out, err := exec.Command("ip", add...).CombinedOutput()
+	// First add a rule for "ip rule del" to delete.
+	// We ignore the "add" operation's error because it can also
+	// fail if the rule already exists.
+	exec.Command("ip", "-6", "rule", "add",
+		"pref", "123", "fwmark", tailscaleBypassMark, "table", fmt.Sprint(tailscaleRouteTable)).Run()
+	out, err := exec.Command("ip", "-6", "rule", "del",
+		"pref", "123", "fwmark", tailscaleBypassMark, "table", fmt.Sprint(tailscaleRouteTable)).CombinedOutput()
 	if err != nil {
 		out = bytes.TrimSpace(out)
 		var detail interface{} = out
@@ -1107,8 +1092,5 @@ func checkIPRuleSupportsV6() error {
 		}
 		return fmt.Errorf("ip -6 rule failed: %s", detail)
 	}
-
-	// Delete again.
-	exec.Command("ip", del...).Run()
 	return nil
 }
--- a/wgengine/router/router_windows.go
+++ b/wgengine/router/router_windows.go
@@ -7,7 +7,6 @@ package router
 import (
 	"context"
 	"fmt"
-	"os"
 	"os/exec"
 	"sync"
 	"syscall"
@@ -122,12 +121,11 @@ func cleanup(logf logger.Logf, interfaceName string) {
 type firewallTweaker struct {
 	logf logger.Logf

-	mu          sync.Mutex
-	didProcRule bool
-	running     bool     // doAsyncSet goroutine is running
-	known       bool     // firewall is in known state (in lastVal)
-	want        []string // next value we want, or "" to delete the firewall rule
-	lastVal     []string // last set value, if known
+	mu      sync.Mutex
+	running bool     // doAsyncSet goroutine is running
+	known   bool     // firewall is in known state (in lastVal)
+	want    []string // next value we want, or "" to delete the firewall rule
+	lastVal []string // last set value, if known
 }

 func (ft *firewallTweaker) clear() { ft.set(nil) }
@@ -179,7 +177,6 @@ func (ft *firewallTweaker) doAsyncSet() {
 			return
 		}
 		needClear := !ft.known || len(ft.lastVal) > 0 || len(val) == 0
-		needProcRule := !ft.didProcRule
 		ft.mu.Unlock()

 		if needClear {
@@ -192,37 +189,6 @@ func (ft *firewallTweaker) doAsyncSet() {
 			d, _ := ft.runFirewall("delete", "rule", "name=Tailscale-In", "dir=in")
 			ft.logf("cleared Tailscale-In firewall rules in %v", d)
 		}
-		if needProcRule {
-			ft.logf("deleting any prior Tailscale-Process rule...")
-			d, err := ft.runFirewall("delete", "rule", "name=Tailscale-Process", "dir=in") // best effort
-			if err == nil {
-				ft.logf("removed old Tailscale-Process rule in %v", d)
-			}
-			var exe string
-			exe, err = os.Executable()
-			if err != nil {
-				ft.logf("failed to find Executable for Tailscale-Process rule: %v", err)
-			} else {
-				ft.logf("adding Tailscale-Process rule to allow UDP for %q ...", exe)
-				d, err = ft.runFirewall("add", "rule", "name=Tailscale-Process",
-					"dir=in",
-					"action=allow",
-					"edge=yes",
-					"program="+exe,
-					"protocol=udp",
-					"profile=any",
-					"enable=yes",
-				)
-				if err != nil {
-					ft.logf("error adding Tailscale-Process rule: %v", err)
-				} else {
-					ft.mu.Lock()
-					ft.didProcRule = true
-					ft.mu.Unlock()
-					ft.logf("added Tailscale-Process rule in %v", d)
-				}
-			}
-		}
 		var err error
 		for _, cidr := range val {
 			ft.logf("adding Tailscale-In rule to allow %v ...", cidr)
--- a/wgengine/tstun/tun.go
+++ b/wgengine/tstun/tun.go
@@ -346,8 +346,8 @@ func (t *TUN) filterIn(buf []byte) filter.Response {
 	}

 	if t.PostFilterIn != nil {
-		if res := t.PostFilterIn(p, t); res.IsDrop() {
-			return res
+		if t.PostFilterIn(p, t) == filter.Drop {
+			return filter.Drop
 		}
 	}

--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log"
 	"net"
 	"os"
 	"os/exec"
@@ -46,7 +47,6 @@ import (
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tsdns"
 	"tailscale.com/wgengine/tstun"
-	"tailscale.com/wgengine/wglog"
 )

 // minimalMTU is the MTU we set on tailscale's TUN
@@ -84,7 +84,6 @@ const (

 type userspaceEngine struct {
 	logf      logger.Logf
-	wgLogger  *wglog.Logger //a wireguard-go logging wrapper
 	reqCh     chan struct{}
 	waitCh    chan struct{} // chan is closed when first Close call completes; contrast with closing bool
 	timeNow   func() time.Time
@@ -111,7 +110,6 @@ type userspaceEngine struct {
 	trimmedDisco        map[tailcfg.DiscoKey]bool // set of disco keys of peers currently excluded from wireguard config
 	sentActivityAt      map[netaddr.IP]*int64     // value is atomic int64 of unixtime
 	destIPActivityFuncs map[netaddr.IP]func()
-	statusBufioReader   *bufio.Reader // reusable for UAPI

 	mu                  sync.Mutex // guards following; see lock order comment below
 	closing             bool       // Close was called (even if we're still closing)
@@ -194,7 +192,6 @@ func NewUserspaceEngine(logf logger.Logf, tunname string, listenPort uint16) (En

 	e, err := NewUserspaceEngineAdvanced(conf)
 	if err != nil {
-		tun.Close()
 		return nil, err
 	}
 	return e, err
@@ -282,9 +279,23 @@ func newUserspaceEngineAdvanced(conf EngineConfig) (_ Engine, reterr error) {
 		e.tundev.PostFilterOut = e.trackOpenPostFilterOut
 	}

-	e.wgLogger = wglog.NewLogger(logf)
+	// wireguard-go logs as it starts and stops routines.
+	// Silence those; there are a lot of them, and they're just noise.
+	allowLogf := func(s string) bool {
+		return !strings.Contains(s, "Routine:")
+	}
+	filtered := logger.Filtered(logf, allowLogf)
+	// flags==0 because logf is already nested in another logger.
+	// The outer one can display the preferred log prefixes, etc.
+	dlog := logger.StdLogger(filtered)
+	logger := device.Logger{
+		Debug: dlog,
+		Info:  dlog,
+		Error: dlog,
+	}
+
 	opts := &device.DeviceOptions{
-		Logger: e.wgLogger.DeviceLogger,
+		Logger: &logger,
 		HandshakeDone: func(peerKey device.NoisePublicKey, peer *device.Peer, deviceAllowedIPs *device.AllowedIPs) {
 			// Send an unsolicited status event every time a
 			// handshake completes. This makes sure our UI can
@@ -763,7 +774,6 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Publ
 	}

 	full := e.lastCfgFull
-	e.wgLogger.SetPeers(full.Peers)

 	// Compute a minimal config to pass to wireguard-go
 	// based on the full config. Prune off all the peers
@@ -1036,8 +1046,8 @@ func (e *userspaceEngine) getStatusCallback() StatusCallback {
 	return e.statusCallback
 }

-var singleNewline = []byte{'\n'}
-
+// TODO: this function returns an error but it's always nil, and when
+// there's actually a problem it just calls log.Fatal. Why?
 func (e *userspaceEngine) getStatus() (*Status, error) {
 	// Grab derpConns before acquiring wgLock to not violate lock ordering;
 	// the DERPs method acquires magicsock.Conn.mu.
@@ -1062,12 +1072,15 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 		return nil, nil
 	}

-	pr, pw := io.Pipe()
-	defer pr.Close() // to unblock writes on error path returns
+	// lineLen is the max UAPI line we expect. The longest I see is
+	// len("preshared_key=")+64 hex+"\n" == 79. Add some slop.
+	const lineLen = 100

+	pr, pw := io.Pipe()
 	errc := make(chan error, 1)
 	go func() {
 		defer pw.Close()
+		bw := bufio.NewWriterSize(pw, lineLen)
 		// TODO(apenwarr): get rid of silly uapi stuff for in-process comms
 		// FIXME: get notified of status changes instead of polling.
 		filter := device.IPCGetFilter{
@@ -1075,34 +1088,23 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 			// unused below; request that they not be sent instead.
 			FilterAllowedIPs: true,
 		}
-		err := e.wgdev.IpcGetOperationFiltered(pw, filter)
-		if err != nil {
-			err = fmt.Errorf("IpcGetOperation: %w", err)
+		if err := e.wgdev.IpcGetOperationFiltered(bw, filter); err != nil {
+			errc <- fmt.Errorf("IpcGetOperation: %w", err)
+			return
 		}
-		errc <- err
+		errc <- bw.Flush()
 	}()

 	pp := make(map[wgkey.Key]*PeerStatus)
 	p := &PeerStatus{}

 	var hst1, hst2, n int64
+	var err error

-	br := e.statusBufioReader
-	if br != nil {
-		br.Reset(pr)
-	} else {
-		br = bufio.NewReaderSize(pr, 1<<10)
-		e.statusBufioReader = br
-	}
-	for {
-		line, err := br.ReadSlice('\n')
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return nil, fmt.Errorf("reading from UAPI pipe: %w", err)
-		}
-		line = bytes.TrimSuffix(line, singleNewline)
+	bs := bufio.NewScanner(pr)
+	bs.Buffer(make([]byte, lineLen), lineLen)
+	for bs.Scan() {
+		line := bs.Bytes()
 		k := line
 		var v mem.RO
 		if i := bytes.IndexByte(line, '='); i != -1 {
@@ -1113,7 +1115,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 		case "public_key":
 			pk, err := key.NewPublicFromHexMem(v)
 			if err != nil {
-				return nil, fmt.Errorf("IpcGetOperation: invalid key in line %q", line)
+				log.Fatalf("IpcGetOperation: invalid key %#v", v)
 			}
 			p = &PeerStatus{}
 			pp[wgkey.Key(pk)] = p
@@ -1124,31 +1126,34 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 			n, err = mem.ParseInt(v, 10, 64)
 			p.RxBytes = ByteCount(n)
 			if err != nil {
-				return nil, fmt.Errorf("IpcGetOperation: rx_bytes invalid: %#v", line)
+				log.Fatalf("IpcGetOperation: rx_bytes invalid: %#v", line)
 			}
 		case "tx_bytes":
 			n, err = mem.ParseInt(v, 10, 64)
 			p.TxBytes = ByteCount(n)
 			if err != nil {
-				return nil, fmt.Errorf("IpcGetOperation: tx_bytes invalid: %#v", line)
+				log.Fatalf("IpcGetOperation: tx_bytes invalid: %#v", line)
 			}
 		case "last_handshake_time_sec":
 			hst1, err = mem.ParseInt(v, 10, 64)
 			if err != nil {
-				return nil, fmt.Errorf("IpcGetOperation: hst1 invalid: %#v", line)
+				log.Fatalf("IpcGetOperation: hst1 invalid: %#v", line)
 			}
 		case "last_handshake_time_nsec":
 			hst2, err = mem.ParseInt(v, 10, 64)
 			if err != nil {
-				return nil, fmt.Errorf("IpcGetOperation: hst2 invalid: %#v", line)
+				log.Fatalf("IpcGetOperation: hst2 invalid: %#v", line)
 			}
 			if hst1 != 0 || hst2 != 0 {
 				p.LastHandshake = time.Unix(hst1, hst2)
 			} // else leave at time.IsZero()
 		}
 	}
+	if err := bs.Err(); err != nil {
+		log.Fatalf("reading IpcGetOperation output: %v", err)
+	}
 	if err := <-errc; err != nil {
-		return nil, fmt.Errorf("IpcGetOperation: %v", err)
+		log.Fatalf("IpcGetOperation: %v", err)
 	}

 	e.mu.Lock()
--- a/wgengine/wglog/wglog.go
+++ b/wgengine/wglog/wglog.go
@@ -1,89 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package wglog contains logging helpers for wireguard-go.
-package wglog
-
-import (
-	"encoding/base64"
-	"fmt"
-	"strings"
-	"sync/atomic"
-
-	"github.com/tailscale/wireguard-go/device"
-	"github.com/tailscale/wireguard-go/wgcfg"
-	"tailscale.com/types/logger"
-)
-
-// A Logger is a wireguard-go log wrapper that cleans up and rewrites log lines.
-// It can be modified at run time to adjust to new wireguard-go configurations.
-type Logger struct {
-	DeviceLogger *device.Logger
-	replacer     atomic.Value // of *strings.Replacer
-}
-
-// NewLogger creates a new logger for use with wireguard-go.
-// This logger silences repetitive/unhelpful noisy log lines
-// and rewrites peer keys from wireguard-go into Tailscale format.
-func NewLogger(logf logger.Logf) *Logger {
-	ret := new(Logger)
-
-	wrapper := func(format string, args ...interface{}) {
-		msg := fmt.Sprintf(format, args...)
-		if strings.Contains(msg, "Routine:") {
-			// wireguard-go logs as it starts and stops routines.
-			// Drop those; there are a lot of them, and they're just noise.
-			return
-		}
-		r := ret.replacer.Load()
-		if r == nil {
-			// No replacements specified; log as originally planned.
-			logf(format, args...)
-			return
-		}
-		// Do the replacements.
-		new := r.(*strings.Replacer).Replace(msg)
-		if new == msg {
-			// No replacements. Log as originally planned.
-			logf(format, args...)
-			return
-		}
-		// We made some replacements. Log the new version.
-		// This changes the format string,
-		// which is somewhat unfortunate as it impacts rate limiting,
-		// but there's not much we can do about that.
-		logf("%s", new)
-	}
-	std := logger.StdLogger(wrapper)
-	ret.DeviceLogger = &device.Logger{
-		Debug: std,
-		Info:  std,
-		Error: std,
-	}
-	return ret
-}
-
-// SetPeers adjusts x to rewrite the peer public keys found in peers.
-// SetPeers is safe for concurrent use.
-func (x *Logger) SetPeers(peers []wgcfg.Peer) {
-	// Construct a new peer public key log rewriter.
-	var replace []string
-	for _, peer := range peers {
-		old := "peer(" + wireguardGoString(peer.PublicKey) + ")"
-		new := peer.PublicKey.ShortString()
-		replace = append(replace, old, new)
-	}
-	r := strings.NewReplacer(replace...)
-	x.replacer.Store(r)
-}
-
-// wireguardGoString prints p in the same format used by wireguard-go.
-func wireguardGoString(k wgcfg.Key) string {
-	base64Key := base64.StdEncoding.EncodeToString(k[:])
-	abbreviatedKey := "invalid"
-	if len(base64Key) == 44 {
-		abbreviatedKey = base64Key[0:4] + "…" + base64Key[39:43]
-	}
-	return abbreviatedKey
-}
--- a/wgengine/wglog/wglog_test.go
+++ b/wgengine/wglog/wglog_test.go
@@ -1,59 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package wglog_test
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/tailscale/wireguard-go/wgcfg"
-	"tailscale.com/wgengine/wglog"
-)
-
-func TestLogger(t *testing.T) {
-	tests := []struct {
-		in   string
-		want string
-		omit bool
-	}{
-		{"hi", "hi", false},
-		{"Routine: starting", "", true},
-		{"peer(IMTB…r7lM) says it misses you", "[IMTBr] says it misses you", false},
-	}
-
-	c := make(chan string, 1)
-	logf := func(format string, args ...interface{}) {
-		s := fmt.Sprintf(format, args...)
-		select {
-		case c <- s:
-		default:
-			t.Errorf("wrote %q, but shouldn't have", s)
-		}
-	}
-
-	x := wglog.NewLogger(logf)
-	key, err := wgcfg.ParseHexKey("20c4c1ae54e1fd37cab6e9a532ca20646aff496796cc41d4519560e5e82bee53")
-	if err != nil {
-		t.Fatal(err)
-	}
-	x.SetPeers([]wgcfg.Peer{{PublicKey: key}})
-
-	for _, tt := range tests {
-		if tt.omit {
-			// Write a message ourselves into the channel.
-			// Then if logf also attempts to write into the channel, it'll fail.
-			c <- ""
-		}
-		x.DeviceLogger.Info.Println(tt.in)
-		got := <-c
-		if tt.omit {
-			continue
-		}
-		tt.want += "\n"
-		if got != tt.want {
-			t.Errorf("Println(%q) = %q want %q", tt.in, got, tt.want)
-		}
-	}
-}
@@ -1 +1 @@
 .4.4
 .3.0