WIP

Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id806c5c62b5097d9a5a7600324349ce7692d4d55
words: beaver, the cutest of them all (#6001 )
2022-10-21 11:08:39 -04:00 · 2022-10-20 12:18:15 -07:00 · 2022-10-20 14:34:49 -04:00 · 2022-10-20 08:45:42 -07:00 · 2022-10-20 13:54:34 +01:00 · 2022-10-19 21:14:55 -07:00
203 changed files with 7621 additions and 1611 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,12 +1,12 @@
 name: Bug report
-description: File a bug report
+description: File a bug report. If you need help, contact support instead
 labels: [needs-triage, bug]
 body:
  - type: markdown
    attributes:
      value: |
-        Please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues).
-        Have an urgent issue? Let us know by emailing us at <support@tailscale.com>.
+        Need help with your tailnet? [Contact support](https://tailscale.com/contact/support) instead.
+        Otherwise, please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues) before filing a new one.
  - type: textarea
    id: what-happened
    attributes:
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -5,4 +5,4 @@ contact_links:
    about: Contact us for support
  - name: Troubleshooting
    url: https://tailscale.com/kb/1023/troubleshooting
-    about: Troubleshoot common issues
+    about: See the troubleshooting guide for help addressing common issues
--- a/.github/workflows/cross-wasm.yml
+++ b/.github/workflows/cross-wasm.yml
@@ -39,7 +39,7 @@ jobs:
      # that depend on it.
      run: |
        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect build-pkg
+        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -50,7 +50,7 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@18f90432bedd2afd6a825469ffd38aa24712a91d #v4.1.1
+        uses: peter-evans/create-pull-request@ad43dccb4d726ca8514126628bec209b8354b6dd #v4.1.4
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: License Updater <noreply@tailscale.com>
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.31.0
+1.33.0
--- a/api.md
+++ b/api.md
@@ -355,6 +355,13 @@ GET /api/v2/tailnet/alice@gmail.com/...
 curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
 ```

+Alternatively, you can specify the value "-" to refer to the default tailnet of
+the authenticated user making the API call.  For example:
+```
+GET /api/v2/tailnet/-/...
+curl https://api.tailscale.com/api/v2/tailnet/-/...
+```
+
 Tailnets are a top-level resource. ACL is an example of a resource that is tied to a top-level tailnet.

 For more information on Tailscale networks/tailnets, click [here](https://tailscale.com/kb/1064/invite-team-members).
@@ -813,6 +820,10 @@ Supply the tailnet in the path.

 ###### POST Body
 `capabilities` - A mapping of resources to permissible actions.
+
+`expirySeconds` - (Optional) How long the key is valid for in seconds.
+                  Defaults to 90d.
+
 ```
 {
  "capabilities": {
@@ -826,7 +837,8 @@ Supply the tailnet in the path.
        ]
      }
    }
-  }
+  },
+  "expirySeconds": 1440
 }
 ```

--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -106,10 +106,10 @@ func TestChirp(t *testing.T) {
 		t.Fatal(err)
 	}
 	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeded", "rando")
+		t.Fatalf("enabling %q succeeded", "rando")
 	}
 	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeded", "rando")
+		t.Fatalf("disabling %q succeeded", "rando")
 	}
 }

--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -459,7 +459,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 	}

 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
+		return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
 	}

 	// The test ran without fail
--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -5,7 +5,11 @@
 // Package apitype contains types for the Tailscale local API and control plane API.
 package apitype

-import "tailscale.com/tailcfg"
+import (
+	"net/netip"
+
+	"tailscale.com/tailcfg"
+)

 // WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
 type WhoIsResponse struct {
@@ -30,3 +34,34 @@ type WaitingFile struct {
 	Name string
 	Size int64
 }
+
+// TODO: docs
+type SubnetRouteDebugResponse struct {
+	InputAddr string
+	Addresses []SubnetRouteDebugAddress
+	Nodes     []SubnetRouteDebugNode
+	Errors    []string `json:",omitempty"`
+}
+
+type SubnetRouteDebugAddress struct {
+	Addr   netip.Addr
+	Source string
+}
+
+type SubnetRouteDebugPingResponse struct {
+	IP             netip.Addr
+	Err            string  `json:",omitempty"`
+	LatencySeconds float64 `json:",omitempty"`
+}
+
+// TODO: docs
+type SubnetRouteDebugNode struct {
+	StableID   tailcfg.StableNodeID
+	Name       string
+	AllowedIPs []netip.Prefix
+	Primary    []netip.Prefix `json:",omitempty"`
+	Online     string
+	IsExitNode bool
+	DiscoPing  *SubnetRouteDebugPingResponse `json:",omitempty"`
+	ICMPPing   *SubnetRouteDebugPingResponse `json:",omitempty"`
+}
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -276,6 +276,12 @@ type BugReportOpts struct {
 	// Diagnose specifies whether to print additional diagnostic information to
 	// the logs when generating this bugreport.
 	Diagnose bool
+
+	// Record specifies, if non-nil, whether to perform a bugreport
+	// "recording"–generating an initial log marker, then waiting for
+	// this channel to be closed before finishing the request, which
+	// generates another log marker.
+	Record <-chan struct{}
 }

 // BugReportWithOpts logs and returns a log marker that can be shared by the
@@ -284,16 +290,40 @@ type BugReportOpts struct {
 // The opts type specifies options to pass to the Tailscale daemon when
 // generating this bug report.
 func (lc *LocalClient) BugReportWithOpts(ctx context.Context, opts BugReportOpts) (string, error) {
-	var qparams url.Values
+	qparams := make(url.Values)
 	if opts.Note != "" {
 		qparams.Set("note", opts.Note)
 	}
 	if opts.Diagnose {
 		qparams.Set("diagnose", "true")
 	}
+	if opts.Record != nil {
+		qparams.Set("record", "true")
+	}

+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	var requestBody io.Reader
+	if opts.Record != nil {
+		pr, pw := io.Pipe()
+		requestBody = pr
+
+		// This goroutine waits for the 'Record' channel to be closed,
+		// and then closes the write end of our pipe to unblock the
+		// reader.
+		go func() {
+			defer pw.Close()
+			select {
+			case <-opts.Record:
+			case <-ctx.Done():
+			}
+		}()
+	}
+
+	// lc.send might block if opts.Record != nil; see above.
 	uri := fmt.Sprintf("/localapi/v0/bugreport?%s", qparams.Encode())
-	body, err := lc.send(ctx, "POST", uri, 200, nil)
+	body, err := lc.send(ctx, "POST", uri, 200, requestBody)
 	if err != nil {
 		return "", err
 	}
@@ -318,6 +348,44 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }

+// TODO: docs
+func (lc *LocalClient) DebugSubnetRoute(ctx context.Context, addr string) (*apitype.SubnetRouteDebugResponse, error) {
+	urlvals := make(url.Values)
+	urlvals.Set("addr", addr)
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/debug-subnet-route?"+urlvals.Encode(), 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error %w: %s", err, body)
+	}
+	var res apitype.SubnetRouteDebugResponse
+	if err := json.Unmarshal(body, &res); err != nil {
+		return nil, err
+	}
+	return &res, nil
+}
+
+// SetComponentDebugLogging sets component's debug logging enabled for
+// the provided duration. If the duration is in the past, the debug logging
+// is disabled.
+func (lc *LocalClient) SetComponentDebugLogging(ctx context.Context, component string, d time.Duration) error {
+	body, err := lc.send(ctx, "POST",
+		fmt.Sprintf("/localapi/v0/component-debug-logging?component=%s&secs=%d",
+			url.QueryEscape(component), int64(d.Seconds())), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	var res struct {
+		Error string
+	}
+	if err := json.Unmarshal(body, &res); err != nil {
+		return err
+	}
+	if res.Error != "" {
+		return errors.New(res.Error)
+	}
+	return nil
+}
+
 // Status returns the Tailscale daemon's status.
 func Status(ctx context.Context) (*ipnstate.Status, error) {
 	return defaultLocalClient.Status(ctx)
@@ -674,14 +742,14 @@ func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate
 	return &cert, nil
 }

-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 //
 // Deprecated: use LocalClient.ExpandSNIName.
 func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	return defaultLocalClient.ExpandSNIName(ctx, name)
 }

-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	st, err := lc.StatusWithoutPeers(ctx)
 	if err != nil {
@@ -748,6 +816,30 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ip
 	return pr, nil
 }

+// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
+func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
+	var b bytes.Buffer
+	type modifyRequest struct {
+		AddKeys    []tka.Key
+		RemoveKeys []tka.Key
+	}
+
+	if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
+		return nil, err
+	}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
 // tailscaledConnectHint gives a little thing about why tailscaled (or
 // platform equivalent) is not answering localapi connections.
 //
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -18,6 +18,9 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
+
+	"tailscale.com/types/key"
 )

 // I_Acknowledge_This_API_Is_Unstable must be set true to use this package
@@ -90,6 +93,29 @@ func (c *Client) setAuth(r *http.Request) {
 	}
 }

+// nodeKeyAuth is an AuthMethod for NewClient that authenticates requests
+// using a node key over the Noise protocol.
+type nodeKeyAuth key.NodePublic
+
+func (k nodeKeyAuth) modifyRequest(req *http.Request) {
+	// QueryEscape the node key since it has a colon in it.
+	nk := url.QueryEscape(key.NodePublic(k).String())
+	req.SetBasicAuth(nk, "")
+}
+
+// NewNoiseClient is a convenience method for instantiating a new Client
+// that uses the Noise protocol for authentication.
+//
+// tailnet is the globally unique identifier for a Tailscale network, such
+// as "example.com" or "user@gmail.com".
+func NewNoiseClient(tailnet string, noiseRoundTripper http.RoundTripper, nk key.NodePublic) *Client {
+	return &Client{
+		tailnet:    tailnet,
+		auth:       nodeKeyAuth(nk),
+		HTTPClient: &http.Client{Transport: noiseRoundTripper},
+	}
+}
+
 // NewClient is a convenience method for instantiating a new Client.
 //
 // tailnet is the globally unique identifier for a Tailscale network, such
@@ -115,7 +141,7 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
 	return c.httpClient().Do(req)
 }

-// sendRequest add the authenication key to the request and sends it. It
+// sendRequest add the authentication key to the request and sends it. It
 // receives the response and reads up to 10MB of it.
 func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
 	if !I_Acknowledge_This_API_Is_Unstable {
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -47,6 +47,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
+        tailscale.com/net/wsconn                                     from tailscale.com/cmd/derper+
        tailscale.com/paths                                          from tailscale.com/client/tailscale
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale
        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
@@ -107,6 +108,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -325,11 +325,31 @@ func main() {
 	}
 }

+const (
+	noContentChallengeHeader = "X-Tailscale-Challenge"
+	noContentResponseHeader  = "X-Tailscale-Response"
+)
+
 // For captive portal detection
 func serveNoContent(w http.ResponseWriter, r *http.Request) {
+	if challenge := r.Header.Get(noContentChallengeHeader); challenge != "" {
+		badChar := strings.IndexFunc(challenge, func(r rune) bool {
+			return !isChallengeChar(r)
+		}) != -1
+		if len(challenge) <= 64 && !badChar {
+			w.Header().Set(noContentResponseHeader, "response "+challenge)
+		}
+	}
 	w.WriteHeader(http.StatusNoContent)
 }

+func isChallengeChar(c rune) bool {
+	// Semi-randomly chosen as a limited set of valid characters
+	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') ||
+		('0' <= c && c <= '9') ||
+		c == '.' || c == '-' || c == '_'
+}
+
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -7,6 +7,9 @@ package main
 import (
 	"context"
 	"net"
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"

 	"tailscale.com/net/stun"
@@ -67,3 +70,57 @@ func BenchmarkServerSTUN(b *testing.B) {
 	}

 }
+
+func TestNoContent(t *testing.T) {
+	testCases := []struct {
+		name  string
+		input string
+		want  string
+	}{
+		{
+			name: "no challenge",
+		},
+		{
+			name:  "valid challenge",
+			input: "input",
+			want:  "response input",
+		},
+		{
+			name:  "invalid challenge",
+			input: "foo\x00bar",
+			want:  "",
+		},
+		{
+			name:  "whitespace invalid challenge",
+			input: "foo bar",
+			want:  "",
+		},
+		{
+			name:  "long challenge",
+			input: strings.Repeat("x", 65),
+			want:  "",
+		},
+	}
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			req, _ := http.NewRequest("GET", "https://localhost/generate_204", nil)
+			if tt.input != "" {
+				req.Header.Set(noContentChallengeHeader, tt.input)
+			}
+			w := httptest.NewRecorder()
+			serveNoContent(w, req)
+			resp := w.Result()
+
+			if tt.want == "" {
+				if h, found := resp.Header[noContentResponseHeader]; found {
+					t.Errorf("got %+v; expected no response header", h)
+				}
+				return
+			}
+
+			if got := resp.Header.Get(noContentResponseHeader); got != tt.want {
+				t.Errorf("got %q; want %q", got, tt.want)
+			}
+		})
+	}
+}
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -13,6 +13,7 @@ import (

 	"nhooyr.io/websocket"
 	"tailscale.com/derp"
+	"tailscale.com/net/wsconn"
 )

 var counterWebSocketAccepts = expvar.NewInt("derp_websocket_accepts")
@@ -23,7 +24,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		up := strings.ToLower(r.Header.Get("Upgrade"))

 		// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
-		// speak WebSockets (they still assumed DERP's binary framining). So to distinguish
+		// speak WebSockets (they still assumed DERP's binary framing). So to distinguish
 		// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
 		if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
 			base.ServeHTTP(w, r)
@@ -50,7 +51,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 			return
 		}
 		counterWebSocketAccepts.Add(1)
-		wc := websocket.NetConn(r.Context(), c, websocket.MessageBinary)
+		wc := wsconn.NetConn(r.Context(), c, websocket.MessageBinary)
 		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
 		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
 	})
--- a/cmd/netlogfmt/main.go
+++ b/cmd/netlogfmt/main.go
@@ -0,0 +1,307 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// netlogfmt parses a stream of JSON log messages from stdin and
+// formats the network traffic logs produced by "tailscale.com/wgengine/netlog"
+// in a more humanly readable format.
+//
+// Example usage:
+//
+//	$ cat netlog.json | netlogfmt
+//	=========================================================================================
+//	Time: 2022-10-13T20:23:09.644Z (5s)
+//	---------------------------------------------------  Tx[P/s]  Tx[B/s]  Rx[P/s]    Rx[B/s]
+//	VirtualTraffic:                                       16.80    1.64Ki   11.20      1.03Ki
+//	    TCP:    100.109.51.95:22 -> 100.85.80.41:42912    16.00    1.59Ki   10.40   1008.84
+//	    TCP: 100.109.51.95:21291 -> 100.107.177.2:53133    0.40   27.60      0.40     24.20
+//	    TCP: 100.109.51.95:21291 -> 100.107.177.2:53134    0.40   23.40      0.40     24.20
+//	PhysicalTraffic:                                      16.80    2.32Ki   11.20      1.48Ki
+//	                100.85.80.41 -> 192.168.0.101:41641   16.00    2.23Ki   10.40      1.40Ki
+//	               100.107.177.2 -> 192.168.0.100:41641    0.80   83.20      0.80     83.20
+//	=========================================================================================
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"math"
+	"net/http"
+	"net/netip"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
+	"tailscale.com/net/flowtrack"
+	"tailscale.com/net/tunstats"
+	"tailscale.com/util/must"
+	"tailscale.com/wgengine/netlog"
+)
+
+var (
+	resolveNames = flag.Bool("resolve-names", false, "convert tailscale IP addresses to hostnames; must also specify --api-key and --tailnet-id")
+	apiKey       = flag.String("api-key", "", "API key to query the Tailscale API with; see https://login.tailscale.com/admin/settings/keys")
+	tailnetName  = flag.String("tailnet-name", "", "tailnet domain name to lookup devices in; see https://login.tailscale.com/admin/settings/general")
+)
+
+func main() {
+	flag.Parse()
+
+	namesByAddr := mustMakeNamesByAddr()
+	dec := json.NewDecoder(os.Stdin)
+	for {
+		// Unmarshal the log message containing network traffics.
+		var msg struct {
+			Logtail struct {
+				ID string `json:"id"`
+			} `json:"logtail"`
+			netlog.Message
+		}
+		if err := dec.Decode(&msg); err != nil {
+			if err == io.EOF {
+				break
+			}
+			log.Fatalf("UnmarshalNext: %v", err)
+		}
+		if len(msg.VirtualTraffic)+len(msg.SubnetTraffic)+len(msg.ExitTraffic)+len(msg.PhysicalTraffic) == 0 {
+			continue // nothing to print
+		}
+
+		// Construct a table of network traffic per connection.
+		rows := [][7]string{{3: "Tx[P/s]", 4: "Tx[B/s]", 5: "Rx[P/s]", 6: "Rx[B/s]"}}
+		duration := msg.End.Sub(msg.Start)
+		addRows := func(heading string, traffic []netlog.TupleCounts) {
+			if len(traffic) == 0 {
+				return
+			}
+			slices.SortFunc(traffic, func(x, y netlog.TupleCounts) bool {
+				nx := x.TxPackets + x.TxBytes + x.RxPackets + x.RxBytes
+				ny := y.TxPackets + y.TxBytes + y.RxPackets + y.RxBytes
+				return nx > ny
+			})
+			var sum tunstats.Counts
+			for _, cc := range traffic {
+				sum = sum.Add(cc.Counts)
+			}
+			rows = append(rows, [7]string{
+				0: heading + ":",
+				3: formatSI(float64(sum.TxPackets) / duration.Seconds()),
+				4: formatIEC(float64(sum.TxBytes) / duration.Seconds()),
+				5: formatSI(float64(sum.RxPackets) / duration.Seconds()),
+				6: formatIEC(float64(sum.RxBytes) / duration.Seconds()),
+			})
+			if len(traffic) == 1 && traffic[0].Tuple == (flowtrack.Tuple{}) {
+				return // this is already a summary counts
+			}
+			formatAddrPort := func(a netip.AddrPort) string {
+				if !a.IsValid() {
+					return ""
+				}
+				if name, ok := namesByAddr[a.Addr()]; ok {
+					if a.Port() == 0 {
+						return name
+					}
+					return name + ":" + strconv.Itoa(int(a.Port()))
+				}
+				if a.Port() == 0 {
+					return a.Addr().String()
+				}
+				return a.String()
+			}
+			for _, cc := range traffic {
+				row := [7]string{
+					0: "    ",
+					1: formatAddrPort(cc.Src),
+					2: formatAddrPort(cc.Dst),
+					3: formatSI(float64(cc.TxPackets) / duration.Seconds()),
+					4: formatIEC(float64(cc.TxBytes) / duration.Seconds()),
+					5: formatSI(float64(cc.RxPackets) / duration.Seconds()),
+					6: formatIEC(float64(cc.RxBytes) / duration.Seconds()),
+				}
+				if cc.Proto > 0 {
+					row[0] += cc.Proto.String() + ":"
+				}
+				rows = append(rows, row)
+			}
+		}
+		addRows("VirtualTraffic", msg.VirtualTraffic)
+		addRows("SubnetTraffic", msg.SubnetTraffic)
+		addRows("ExitTraffic", msg.ExitTraffic)
+		addRows("PhysicalTraffic", msg.PhysicalTraffic)
+
+		// Compute the maximum width of each field.
+		var maxWidths [7]int
+		for _, row := range rows {
+			for i, col := range row {
+				if maxWidths[i] < len(col) && !(i == 0 && !strings.HasPrefix(col, " ")) {
+					maxWidths[i] = len(col)
+				}
+			}
+		}
+		var maxSum int
+		for _, n := range maxWidths {
+			maxSum += n
+		}
+
+		// Output a table of network traffic per connection.
+		line := make([]byte, 0, maxSum+len(" ")+len(" -> ")+4*len("  "))
+		line = appendRepeatByte(line, '=', cap(line))
+		fmt.Println(string(line))
+		if msg.Logtail.ID != "" {
+			fmt.Printf("ID:   %s\n", msg.Logtail.ID)
+		}
+		fmt.Printf("Time: %s (%s)\n", msg.Start.Round(time.Millisecond).Format(time.RFC3339Nano), duration.Round(time.Millisecond))
+		for i, row := range rows {
+			line = line[:0]
+			isHeading := !strings.HasPrefix(row[0], " ")
+			for j, col := range row {
+				if isHeading && j == 0 {
+					col = "" // headings will be printed later
+				}
+				switch j {
+				case 0, 2: // left justified
+					line = append(line, col...)
+					line = appendRepeatByte(line, ' ', maxWidths[j]-len(col))
+				case 1, 3, 4, 5, 6: // right justified
+					line = appendRepeatByte(line, ' ', maxWidths[j]-len(col))
+					line = append(line, col...)
+				}
+				switch j {
+				case 0:
+					line = append(line, " "...)
+				case 1:
+					if row[1] == "" && row[2] == "" {
+						line = append(line, "    "...)
+					} else {
+						line = append(line, " -> "...)
+					}
+				case 2, 3, 4, 5:
+					line = append(line, "  "...)
+				}
+			}
+			switch {
+			case i == 0: // print dashed-line table heading
+				line = appendRepeatByte(line[:0], '-', maxWidths[0]+len(" ")+maxWidths[1]+len(" -> ")+maxWidths[2])[:cap(line)]
+			case isHeading:
+				copy(line[:], row[0])
+			}
+			fmt.Println(string(line))
+		}
+	}
+}
+
+func mustMakeNamesByAddr() map[netip.Addr]string {
+	switch {
+	case !*resolveNames:
+		return nil
+	case *apiKey == "":
+		log.Fatalf("--api-key must be specified with --resolve-names")
+	case *tailnetName == "":
+		log.Fatalf("--tailnet must be specified with --resolve-names")
+	}
+
+	// Query the Tailscale API for a list of devices in the tailnet.
+	const apiURL = "https://api.tailscale.com/api/v2"
+	req := must.Get(http.NewRequest("GET", apiURL+"/tailnet/"+*tailnetName+"/devices", nil))
+	req.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(*apiKey+":")))
+	resp := must.Get(http.DefaultClient.Do(req))
+	defer resp.Body.Close()
+	b := must.Get(io.ReadAll(resp.Body))
+	if resp.StatusCode != 200 {
+		log.Fatalf("http: %v: %s", http.StatusText(resp.StatusCode), b)
+	}
+
+	// Unmarshal the API response.
+	var m struct {
+		Devices []struct {
+			Name  string       `json:"name"`
+			Addrs []netip.Addr `json:"addresses"`
+		} `json:"devices"`
+	}
+	must.Do(json.Unmarshal(b, &m))
+
+	// Construct a unique mapping of Tailscale IP addresses to hostnames.
+	// For brevity, we start with the first segment of the name and
+	// use more segments until we find the shortest prefix that is unique
+	// for all names in the tailnet.
+	seen := make(map[string]bool)
+	namesByAddr := make(map[netip.Addr]string)
+retry:
+	for i := 0; i < 10; i++ {
+		maps.Clear(seen)
+		maps.Clear(namesByAddr)
+		for _, d := range m.Devices {
+			name := fieldPrefix(d.Name, i)
+			if seen[name] {
+				continue retry
+			}
+			seen[name] = true
+			for _, a := range d.Addrs {
+				namesByAddr[a] = name
+			}
+		}
+		return namesByAddr
+	}
+	panic("unable to produce unique mapping of address to names")
+}
+
+// fieldPrefix returns the first n number of dot-separated segments.
+//
+// Example:
+//
+//	fieldPrefix("foo.bar.baz", 0) returns ""
+//	fieldPrefix("foo.bar.baz", 1) returns "foo"
+//	fieldPrefix("foo.bar.baz", 2) returns "foo.bar"
+//	fieldPrefix("foo.bar.baz", 3) returns "foo.bar.baz"
+//	fieldPrefix("foo.bar.baz", 4) returns "foo.bar.baz"
+func fieldPrefix(s string, n int) string {
+	s0 := s
+	for i := 0; i < n && len(s) > 0; i++ {
+		if j := strings.IndexByte(s, '.'); j >= 0 {
+			s = s[j+1:]
+		} else {
+			s = ""
+		}
+	}
+	return strings.TrimSuffix(s0[:len(s0)-len(s)], ".")
+}
+
+func appendRepeatByte(b []byte, c byte, n int) []byte {
+	for i := 0; i < n; i++ {
+		b = append(b, c)
+	}
+	return b
+}
+
+func formatSI(n float64) string {
+	switch n := math.Abs(n); {
+	case n < 1e3:
+		return fmt.Sprintf("%0.2f ", n/(1e0))
+	case n < 1e6:
+		return fmt.Sprintf("%0.2fk", n/(1e3))
+	case n < 1e9:
+		return fmt.Sprintf("%0.2fM", n/(1e6))
+	default:
+		return fmt.Sprintf("%0.2fG", n/(1e9))
+	}
+}
+
+func formatIEC(n float64) string {
+	switch n := math.Abs(n); {
+	case n < 1<<10:
+		return fmt.Sprintf("%0.2f  ", n/(1<<0))
+	case n < 1<<20:
+		return fmt.Sprintf("%0.2fKi", n/(1<<10))
+	case n < 1<<30:
+		return fmt.Sprintf("%0.2fMi", n/(1<<20))
+	default:
+		return fmt.Sprintf("%0.2fGi", n/(1<<30))
+	}
+}
--- a/cmd/pgproxy/README.md
+++ b/cmd/pgproxy/README.md
@@ -0,0 +1,42 @@
+# pgproxy
+
+The pgproxy server is a proxy for the Postgres wire protocol. [Read
+more in our blog
+post](https://tailscale.com/blog/introducing-pgproxy/) about it!
+
+The proxy runs an in-process Tailscale instance, accepts postgres
+client connections over Tailscale only, and proxies them to the
+configured upstream postgres server.
+
+This proxy exists because postgres clients default to very insecure
+connection settings: either they "prefer" but do not require TLS; or
+they set sslmode=require, which merely requires that a TLS handshake
+took place, but don't verify the server's TLS certificate or the
+presented TLS hostname.  In other words, sslmode=require enforces that
+a TLS session is created, but that session can trivially be
+machine-in-the-middled to steal credentials, data, inject malicious
+queries, and so forth.
+
+Because this flaw is in the client's validation of the TLS session,
+you have no way of reliably detecting the misconfiguration
+server-side. You could fix the configuration of all the clients you
+know of, but the default makes it very easy to accidentally regress.
+
+Instead of trying to verify client configuration over time, this proxy
+removes the need for postgres clients to be configured correctly: the
+upstream database is configured to only accept connections from the
+proxy, and the proxy is only available to clients over Tailscale.
+
+Therefore, clients must use the proxy to connect to the database. The
+client<>proxy connection is secured end-to-end by Tailscale, which the
+proxy enforces by verifying that the connecting client is a known
+current Tailscale peer. The proxy<>server connection is established by
+the proxy itself, using strict TLS verification settings, and the
+client is only allowed to communicate with the server once we've
+established that the upstream connection is safe to use.
+
+A couple side benefits: because clients can only connect via
+Tailscale, you can use Tailscale ACLs as an extra layer of defense on
+top of the postgres user/password authentication. And, the proxy can
+maintain an audit log of who connected to the database, complete with
+the strongly authenticated Tailscale identity of the client.
--- a/cmd/pgproxy/pgproxy.go
+++ b/cmd/pgproxy/pgproxy.go
@@ -0,0 +1,366 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The pgproxy server is a proxy for the Postgres wire protocol.
+package main
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	crand "crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"expvar"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"math/big"
+	"net"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"tailscale.com/client/tailscale"
+	"tailscale.com/metrics"
+	"tailscale.com/tsnet"
+	"tailscale.com/tsweb"
+	"tailscale.com/types/logger"
+)
+
+var (
+	hostname     = flag.String("hostname", "", "Tailscale hostname to serve on")
+	port         = flag.Int("port", 5432, "Listening port for client connections")
+	debugPort    = flag.Int("debug-port", 80, "Listening port for debug/metrics endpoint")
+	upstreamAddr = flag.String("upstream-addr", "", "Address of the upstream Postgres server, in host:port format")
+	upstreamCA   = flag.String("upstream-ca-file", "", "File containing the PEM-encoded CA certificate for the upstream server")
+	tailscaleDir = flag.String("state-dir", "", "Directory in which to store the Tailscale auth state")
+)
+
+func main() {
+	flag.Parse()
+	if *hostname == "" {
+		log.Fatal("missing --hostname")
+	}
+	if *upstreamAddr == "" {
+		log.Fatal("missing --upstream-addr")
+	}
+	if *upstreamCA == "" {
+		log.Fatal("missing --upstream-ca-file")
+	}
+	if *tailscaleDir == "" {
+		log.Fatal("missing --state-dir")
+	}
+
+	ts := &tsnet.Server{
+		Dir:      *tailscaleDir,
+		Hostname: *hostname,
+		// Make the stdout logs a clean audit log of connections.
+		Logf: logger.Discard,
+	}
+
+	if os.Getenv("TS_AUTHKEY") == "" {
+		log.Print("Note: you need to run this with TS_AUTHKEY=... the first time, to join your tailnet of choice.")
+	}
+
+	tsclient, err := ts.LocalClient()
+	if err != nil {
+		log.Fatalf("getting tsnet API client: %v", err)
+	}
+
+	p, err := newProxy(*upstreamAddr, *upstreamCA, tsclient)
+	if err != nil {
+		log.Fatal(err)
+	}
+	expvar.Publish("pgproxy", p.Expvar())
+
+	if *debugPort != 0 {
+		mux := http.NewServeMux()
+		tsweb.Debugger(mux)
+		srv := &http.Server{
+			Handler: mux,
+		}
+		dln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *debugPort))
+		if err != nil {
+			log.Fatal(err)
+		}
+		go func() {
+			log.Fatal(srv.Serve(dln))
+		}()
+	}
+
+	ln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *port))
+	if err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("serving access to %s on port %d", *upstreamAddr, *port)
+	log.Fatal(p.Serve(ln))
+}
+
+// proxy is a postgres wire protocol proxy, which strictly enforces
+// the security of the TLS connection to its upstream regardless of
+// what the client's TLS configuration is.
+type proxy struct {
+	upstreamAddr     string // "my.database.com:5432"
+	upstreamHost     string // "my.database.com"
+	upstreamCertPool *x509.CertPool
+	downstreamCert   []tls.Certificate
+	client           *tailscale.LocalClient
+
+	activeSessions  expvar.Int
+	startedSessions expvar.Int
+	errors          metrics.LabelMap
+}
+
+// newProxy returns a proxy that forwards connections to
+// upstreamAddr. The upstream's TLS session is verified using the CA
+// cert(s) in upstreamCAPath.
+func newProxy(upstreamAddr, upstreamCAPath string, client *tailscale.LocalClient) (*proxy, error) {
+	bs, err := os.ReadFile(upstreamCAPath)
+	if err != nil {
+		return nil, err
+	}
+	upstreamCertPool := x509.NewCertPool()
+	if !upstreamCertPool.AppendCertsFromPEM(bs) {
+		return nil, fmt.Errorf("invalid CA cert in %q", upstreamCAPath)
+	}
+
+	h, _, err := net.SplitHostPort(upstreamAddr)
+	if err != nil {
+		return nil, err
+	}
+	downstreamCert, err := mkSelfSigned(h)
+	if err != nil {
+		return nil, err
+	}
+
+	return &proxy{
+		upstreamAddr:     upstreamAddr,
+		upstreamHost:     h,
+		upstreamCertPool: upstreamCertPool,
+		downstreamCert:   []tls.Certificate{downstreamCert},
+		client:           client,
+		errors:           metrics.LabelMap{Label: "kind"},
+	}, nil
+}
+
+// Expvar returns p's monitoring metrics.
+func (p *proxy) Expvar() expvar.Var {
+	ret := &metrics.Set{}
+	ret.Set("sessions_active", &p.activeSessions)
+	ret.Set("sessions_started", &p.startedSessions)
+	ret.Set("session_errors", &p.errors)
+	return ret
+}
+
+// Serve accepts postgres client connections on ln and proxies them to
+// the configured upstream. ln can be any net.Listener, but all client
+// connections must originate from tailscale IPs that can be verified
+// with WhoIs.
+func (p *proxy) Serve(ln net.Listener) error {
+	var lastSessionID int64
+	for {
+		c, err := ln.Accept()
+		if err != nil {
+			return err
+		}
+		id := time.Now().UnixNano()
+		if id == lastSessionID {
+			// Bluntly enforce SID uniqueness, even if collisions are
+			// fantastically unlikely (but OSes vary in how much timer
+			// precision they expose to the OS, so id might be rounded
+			// e.g. to the same millisecond)
+			id++
+		}
+		lastSessionID = id
+		go func(sessionID int64) {
+			if err := p.serve(sessionID, c); err != nil {
+				log.Printf("%d: session ended with error: %v", sessionID, err)
+			}
+		}(id)
+	}
+}
+
+var (
+	// sslStart is the magic bytes that postgres clients use to indicate
+	// that they want to do a TLS handshake. Servers should respond with
+	// the single byte "S" before starting a normal TLS handshake.
+	sslStart = [8]byte{0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f}
+	// plaintextStart is the magic bytes that postgres clients use to
+	// indicate that they're starting a plaintext authentication
+	// handshake.
+	plaintextStart = [8]byte{0, 0, 0, 86, 0, 3, 0, 0}
+)
+
+// serve proxies the postgres client on c to the proxy's upstream,
+// enforcing strict TLS to the upstream.
+func (p *proxy) serve(sessionID int64, c net.Conn) error {
+	defer c.Close()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	whois, err := p.client.WhoIs(ctx, c.RemoteAddr().String())
+	if err != nil {
+		p.errors.Add("whois-failed", 1)
+		return fmt.Errorf("getting client identity: %v", err)
+	}
+
+	// Before anything else, log the connection attempt.
+	user, machine := "", ""
+	if whois.Node != nil {
+		if whois.Node.Hostinfo.ShareeNode() {
+			machine = "external-device"
+		} else {
+			machine = strings.TrimSuffix(whois.Node.Name, ".")
+		}
+	}
+	if whois.UserProfile != nil {
+		user = whois.UserProfile.LoginName
+		if user == "tagged-devices" && whois.Node != nil {
+			user = strings.Join(whois.Node.Tags, ",")
+		}
+	}
+	if user == "" || machine == "" {
+		p.errors.Add("no-ts-identity", 1)
+		return fmt.Errorf("couldn't identify source user and machine (user %q, machine %q)", user, machine)
+	}
+	log.Printf("%d: session start, from %s (machine %s, user %s)", sessionID, c.RemoteAddr(), machine, user)
+	start := time.Now()
+	defer func() {
+		elapsed := time.Since(start)
+		log.Printf("%d: session end, from %s (machine %s, user %s), lasted %s", sessionID, c.RemoteAddr(), machine, user, elapsed.Round(time.Millisecond))
+	}()
+
+	// Read the client's opening message, to figure out if it's trying
+	// to TLS or not.
+	var buf [8]byte
+	if _, err := io.ReadFull(c, buf[:len(sslStart)]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("initial magic read: %v", err)
+	}
+	var clientIsTLS bool
+	switch {
+	case buf == sslStart:
+		clientIsTLS = true
+	case buf == plaintextStart:
+		clientIsTLS = false
+	default:
+		p.errors.Add("client-bad-protocol", 1)
+		return fmt.Errorf("unrecognized initial packet = % 02x", buf)
+	}
+
+	// Dial & verify upstream connection.
+	var d net.Dialer
+	d.Timeout = 10 * time.Second
+	upc, err := d.Dial("tcp", p.upstreamAddr)
+	if err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("upstream dial: %v", err)
+	}
+	defer upc.Close()
+	if _, err := upc.Write(sslStart[:]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("upstream write of start-ssl magic: %v", err)
+	}
+	if _, err := io.ReadFull(upc, buf[:1]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("reading upstream start-ssl response: %v", err)
+	}
+	if buf[0] != 'S' {
+		p.errors.Add("upstream-bad-protocol", 1)
+		return fmt.Errorf("upstream didn't acknowldge start-ssl, said %q", buf[0])
+	}
+	tlsConf := &tls.Config{
+		ServerName: p.upstreamHost,
+		RootCAs:    p.upstreamCertPool,
+		MinVersion: tls.VersionTLS12,
+	}
+	uptc := tls.Client(upc, tlsConf)
+	if err = uptc.HandshakeContext(ctx); err != nil {
+		p.errors.Add("upstream-tls", 1)
+		return fmt.Errorf("upstream TLS handshake: %v", err)
+	}
+
+	// Accept the client conn and set it up the way the client wants.
+	var clientConn net.Conn
+	if clientIsTLS {
+		io.WriteString(c, "S") // yeah, we're good to speak TLS
+		s := tls.Server(c, &tls.Config{
+			ServerName:   p.upstreamHost,
+			Certificates: p.downstreamCert,
+			MinVersion:   tls.VersionTLS12,
+		})
+		if err = uptc.HandshakeContext(ctx); err != nil {
+			p.errors.Add("client-tls", 1)
+			return fmt.Errorf("client TLS handshake: %v", err)
+		}
+		clientConn = s
+	} else {
+		// Repeat the header we read earlier up to the server.
+		if _, err := uptc.Write(plaintextStart[:]); err != nil {
+			p.errors.Add("network-error", 1)
+			return fmt.Errorf("sending initial client bytes to upstream: %v", err)
+		}
+		clientConn = c
+	}
+
+	// Finally, proxy the client to the upstream.
+	errc := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(uptc, clientConn)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(clientConn, uptc)
+		errc <- err
+	}()
+	if err := <-errc; err != nil {
+		// Don't increment error counts here, because the most common
+		// cause of termination is client or server closing the
+		// connection normally, and it'll obscure "interesting"
+		// handshake errors.
+		return fmt.Errorf("session terminated with error: %v", err)
+	}
+	return nil
+}
+
+// mkSelfSigned creates and returns a self-signed TLS certificate for
+// hostname.
+func mkSelfSigned(hostname string) (tls.Certificate, error) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), crand.Reader)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	pub := priv.Public()
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"pgproxy"},
+		},
+		DNSNames:              []string{hostname},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	derBytes, err := x509.CreateCertificate(crand.Reader, &template, &template, pub, priv)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	cert, err := x509.ParseCertificate(derBytes)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	return tls.Certificate{
+		Certificate: [][]byte{derBytes},
+		PrivateKey:  priv,
+		Leaf:        cert,
+	}, nil
+}
--- a/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
+++ b/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
@@ -0,0 +1,189 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// ssh-auth-none-demo is a demo SSH server that's meant to run on the
+// public internet (at 188.166.70.128 port 2222) and
+// highlight the unique parts of the Tailscale SSH server so SSH
+// client authors can hit it easily and fix their SSH clients without
+// needing to set up Tailscale and Tailscale SSH.
+package main
+
+import (
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"time"
+
+	gossh "github.com/tailscale/golang-x-crypto/ssh"
+	"tailscale.com/tempfork/gliderlabs/ssh"
+)
+
+// keyTypes are the SSH key types that we either try to read from the
+// system's OpenSSH keys.
+var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
+
+var (
+	addr = flag.String("addr", ":2222", "address to listen on")
+)
+
+func main() {
+	flag.Parse()
+
+	cacheDir, err := os.UserCacheDir()
+	if err != nil {
+		log.Fatal(err)
+	}
+	dir := filepath.Join(cacheDir, "ssh-auth-none-demo")
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		log.Fatal(err)
+	}
+
+	keys, err := getHostKeys(dir)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if len(keys) == 0 {
+		log.Fatal("no host keys")
+	}
+
+	srv := &ssh.Server{
+		Addr:    *addr,
+		Version: "Tailscale",
+		Handler: handleSessionPostSSHAuth,
+		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
+			start := time.Now()
+			return &gossh.ServerConfig{
+				NextAuthMethodCallback: func(conn gossh.ConnMetadata, prevErrors []error) []string {
+					return []string{"tailscale"}
+				},
+				NoClientAuth: true, // required for the NoClientAuthCallback to run
+				NoClientAuthCallback: func(cm gossh.ConnMetadata) (*gossh.Permissions, error) {
+					cm.SendAuthBanner(fmt.Sprintf("# Banner: doing none auth at %v\r\n", time.Since(start)))
+
+					totalBanners := 2
+					if cm.User() == "banners" {
+						totalBanners = 5
+					}
+					for banner := 2; banner <= totalBanners; banner++ {
+						time.Sleep(time.Second)
+						if banner == totalBanners {
+							cm.SendAuthBanner(fmt.Sprintf("# Banner%d: access granted at %v\r\n", banner, time.Since(start)))
+						} else {
+							cm.SendAuthBanner(fmt.Sprintf("# Banner%d at %v\r\n", banner, time.Since(start)))
+						}
+					}
+					return nil, nil
+				},
+				BannerCallback: func(cm gossh.ConnMetadata) string {
+					log.Printf("Got connection from user %q, %q from %v", cm.User(), cm.ClientVersion(), cm.RemoteAddr())
+					return fmt.Sprintf("# Banner for user %q, %q\n", cm.User(), cm.ClientVersion())
+				},
+			}
+		},
+	}
+
+	for _, signer := range keys {
+		srv.AddHostKey(signer)
+	}
+
+	log.Printf("Running on %s ...", srv.Addr)
+	if err := srv.ListenAndServe(); err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("done")
+}
+
+func handleSessionPostSSHAuth(s ssh.Session) {
+	log.Printf("Started session from user %q", s.User())
+	fmt.Fprintf(s, "Hello user %q, it worked.\n", s.User())
+
+	// Abort the session on Control-C or Control-D.
+	go func() {
+		buf := make([]byte, 1024)
+		for {
+			n, err := s.Read(buf)
+			for _, b := range buf[:n] {
+				if b <= 4 { // abort on Control-C (3) or Control-D (4)
+					io.WriteString(s, "bye\n")
+					s.Exit(1)
+				}
+			}
+			if err != nil {
+				return
+			}
+		}
+	}()
+
+	for i := 10; i > 0; i-- {
+		fmt.Fprintf(s, "%v ...\n", i)
+		time.Sleep(time.Second)
+	}
+	s.Exit(0)
+}
+
+func getHostKeys(dir string) (ret []ssh.Signer, err error) {
+	for _, typ := range keyTypes {
+		hostKey, err := hostKeyFileOrCreate(dir, typ)
+		if err != nil {
+			return nil, err
+		}
+		signer, err := gossh.ParsePrivateKey(hostKey)
+		if err != nil {
+			return nil, err
+		}
+		ret = append(ret, signer)
+	}
+	return ret, nil
+}
+
+func hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
+	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
+	v, err := ioutil.ReadFile(path)
+	if err == nil {
+		return v, nil
+	}
+	if !os.IsNotExist(err) {
+		return nil, err
+	}
+	var priv any
+	switch typ {
+	default:
+		return nil, fmt.Errorf("unsupported key type %q", typ)
+	case "ed25519":
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
+	case "ecdsa":
+		// curve is arbitrary. We pick whatever will at
+		// least pacify clients as the actual encryption
+		// doesn't matter: it's all over WireGuard anyway.
+		curve := elliptic.P256()
+		priv, err = ecdsa.GenerateKey(curve, rand.Reader)
+	case "rsa":
+		// keySize is arbitrary. We pick whatever will at
+		// least pacify clients as the actual encryption
+		// doesn't matter: it's all over WireGuard anyway.
+		const keySize = 2048
+		priv, err = rsa.GenerateKey(rand.Reader, keySize)
+	}
+	if err != nil {
+		return nil, err
+	}
+	mk, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, err
+	}
+	pemGen := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: mk})
+	err = os.WriteFile(path, pemGen, 0700)
+	return pemGen, err
+}
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/client/tailscale"
@@ -21,12 +22,14 @@ var bugReportCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("bugreport")
 		fs.BoolVar(&bugReportArgs.diagnose, "diagnose", false, "run additional in-depth checks")
+		fs.BoolVar(&bugReportArgs.record, "record", false, "if true, pause and then write another bugreport")
 		return fs
 	})(),
 }

 var bugReportArgs struct {
 	diagnose bool
+	record   bool
 }

 func runBugReport(ctx context.Context, args []string) error {
@@ -36,15 +39,46 @@ func runBugReport(ctx context.Context, args []string) error {
 	case 1:
 		note = args[0]
 	default:
-		return errors.New("unknown argumets")
+		return errors.New("unknown arguments")
 	}
-	logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{
+	opts := tailscale.BugReportOpts{
 		Note:     note,
 		Diagnose: bugReportArgs.diagnose,
-	})
-	if err != nil {
-		return err
 	}
-	outln(logMarker)
+	if !bugReportArgs.record {
+		// Simple, non-record case
+		logMarker, err := localClient.BugReportWithOpts(ctx, opts)
+		if err != nil {
+			return err
+		}
+		outln(logMarker)
+		return nil
+	}
+
+	// Recording; run the request in the background
+	done := make(chan struct{})
+	opts.Record = done
+
+	type bugReportResp struct {
+		marker string
+		err    error
+	}
+	resCh := make(chan bugReportResp, 1)
+	go func() {
+		m, err := localClient.BugReportWithOpts(ctx, opts)
+		resCh <- bugReportResp{m, err}
+	}()
+
+	outln("Recording started; please reproduce your issue and then press Enter...")
+	fmt.Scanln()
+	close(done)
+	res := <-resCh
+
+	if res.err != nil {
+		return res.err
+	}
+
+	outln(res.marker)
+	outln("Please provide both bugreport markers above to the support team or GitHub issue.")
 	return nil
 }
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"errors"
 	"flag"
 	"fmt"
 	"log"
@@ -44,6 +45,7 @@ var certArgs struct {
 func runCert(ctx context.Context, args []string) error {
 	if certArgs.serve {
 		s := &http.Server{
+			Addr: ":443",
 			TLSConfig: &tls.Config{
 				GetCertificate: localClient.GetCertificate,
 			},
@@ -57,7 +59,16 @@ func runCert(ctx context.Context, args []string) error {
 				fmt.Fprintf(w, "<h1>Hello from Tailscale</h1>It works.")
 			}),
 		}
-		log.Printf("running TLS server on :443 ...")
+		switch len(args) {
+		case 0:
+			// Nothing.
+		case 1:
+			s.Addr = args[0]
+		default:
+			return errors.New("too many arguments; max 1 allowed with --serve-demo (the listen address)")
+		}
+
+		log.Printf("running TLS server on %s ...", s.Addr)
 		return s.ListenAndServeTLS("", "")
 	}

--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -410,7 +410,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
 		},
 		{
-			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
+			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Issue 3480
 			flags:         []string{"--hostname=foo"},
 			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
@@ -448,7 +448,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		},
 		{
 			// Issue 3176: on Synology, don't require --accept-routes=false because user
-			// migth've had old an install, and we don't support --accept-routes anyway.
+			// might've had an old install, and we don't support --accept-routes anyway.
 			name:  "synology_permit_omit_accept_routes",
 			flags: []string{"--hostname=foo"},
 			curPrefs: &ipn.Prefs{
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -42,7 +42,7 @@ var debugCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("debug")
 		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
-		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-sec seconds and write it to this file; - for stdout")
+		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-seconds seconds and write it to this file; - for stdout")
 		fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
 		fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
 		return fs
@@ -53,6 +53,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDERPMap,
 			ShortHelp: "print DERP map",
 		},
+		{
+			Name:      "component-logs",
+			Exec:      runDebugComponentLogs,
+			ShortHelp: "enable/disable debug logs for a component",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("component-logs")
+				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
+				return fs
+			})(),
+		},
 		{
 			Name:      "daemon-goroutines",
 			Exec:      runDaemonGoroutines,
@@ -98,6 +108,11 @@ var debugCmd = &ffcli.Command{
 			Exec:      localAPIAction("rebind"),
 			ShortHelp: "force a magicsock rebind",
 		},
+		{
+			Name:      "subnet-router",
+			Exec:      runDebugSubnetRouter,
+			ShortHelp: "debug connectivity to a host through a subnet router",
+		},
 		{
 			Name:      "prefs",
 			Exec:      runPrefs,
@@ -513,3 +528,40 @@ func runTS2021(ctx context.Context, args []string) error {
 	log.Printf("final underlying conn: %v / %v", conn.LocalAddr(), conn.RemoteAddr())
 	return nil
 }
+
+var debugComponentLogsArgs struct {
+	forDur time.Duration
+}
+
+func runDebugComponentLogs(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return errors.New("usage: debug component-logs <component>")
+	}
+	component := args[0]
+	dur := debugComponentLogsArgs.forDur
+
+	err := localClient.SetComponentDebugLogging(ctx, component, dur)
+	if err != nil {
+		return err
+	}
+	if debugComponentLogsArgs.forDur <= 0 {
+		fmt.Printf("Disabled debug logs for component %q\n", component)
+	} else {
+		fmt.Printf("Enabled debug logs for component %q for %v\n", component, dur)
+	}
+	return nil
+}
+
+func runDebugSubnetRouter(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return errors.New("usage: debug subnet-router <hostname-or-ipv6>")
+	}
+
+	s, err := localClient.DebugSubnetRoute(ctx, args[0])
+	if err != nil {
+		return err
+	}
+	j, _ := json.MarshalIndent(s, "", "\t")
+	outln(string(j))
+	return nil
+}
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -17,11 +17,16 @@ import (
 )

 var netlockCmd = &ffcli.Command{
-	Name:        "lock",
-	ShortUsage:  "lock <sub-command> <arguments>",
-	ShortHelp:   "Manipulate the tailnet key authority",
-	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
-	Exec:        runNetworkLockStatus,
+	Name:       "lock",
+	ShortUsage: "lock <sub-command> <arguments>",
+	ShortHelp:  "Manipulate the tailnet key authority",
+	Subcommands: []*ffcli.Command{
+		nlInitCmd,
+		nlStatusCmd,
+		nlAddCmd,
+		nlRemoveCmd,
+	},
+	Exec: runNetworkLockStatus,
 }

 var nlInitCmd = &ffcli.Command{
@@ -41,29 +46,9 @@ func runNetworkLockInit(ctx context.Context, args []string) error {
 	}

 	// Parse the set of initially-trusted keys.
-	// Keys are specified using their key.NLPublic.MarshalText representation,
-	// with an optional '?<votes>' suffix.
-	var keys []tka.Key
-	for i, a := range args {
-		var key key.NLPublic
-		spl := strings.SplitN(a, "?", 2)
-		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
-			return fmt.Errorf("parsing key %d: %v", i+1, err)
-		}
-
-		k := tka.Key{
-			Kind:   tka.Key25519,
-			Public: key.Verifier(),
-			Votes:  1,
-		}
-		if len(spl) > 1 {
-			votes, err := strconv.Atoi(spl[1])
-			if err != nil {
-				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
-			}
-			k.Votes = uint(votes)
-		}
-		keys = append(keys, k)
+	keys, err := parseNLKeyArgs(args)
+	if err != nil {
+		return err
 	}

 	status, err := localClient.NetworkLockInit(ctx, keys)
@@ -99,3 +84,78 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 	fmt.Printf("our public-key: %s\n", p)
 	return nil
 }
+
+var nlAddCmd = &ffcli.Command{
+	Name:       "add",
+	ShortUsage: "add <public-key>...",
+	ShortHelp:  "Adds one or more signing keys to the tailnet key authority",
+	Exec: func(ctx context.Context, args []string) error {
+		return runNetworkLockModify(ctx, args, nil)
+	},
+}
+
+var nlRemoveCmd = &ffcli.Command{
+	Name:       "remove",
+	ShortUsage: "remove <public-key>...",
+	ShortHelp:  "Removes one or more signing keys to the tailnet key authority",
+	Exec: func(ctx context.Context, args []string) error {
+		return runNetworkLockModify(ctx, nil, args)
+	},
+}
+
+// parseNLKeyArgs converts a slice of strings into a slice of tka.Key. The keys
+// should be specified using their key.NLPublic.MarshalText representation with
+// an optional '?<votes>' suffix. If any of the keys encounters an error, a nil
+// slice is returned along with an appropriate error.
+func parseNLKeyArgs(args []string) ([]tka.Key, error) {
+	var keys []tka.Key
+	for i, a := range args {
+		var nlpk key.NLPublic
+		spl := strings.SplitN(a, "?", 2)
+		if err := nlpk.UnmarshalText([]byte(spl[0])); err != nil {
+			return nil, fmt.Errorf("parsing key %d: %v", i+1, err)
+		}
+
+		k := tka.Key{
+			Kind:   tka.Key25519,
+			Public: nlpk.Verifier(),
+			Votes:  1,
+		}
+		if len(spl) > 1 {
+			votes, err := strconv.Atoi(spl[1])
+			if err != nil {
+				return nil, fmt.Errorf("parsing key %d votes: %v", i+1, err)
+			}
+			k.Votes = uint(votes)
+		}
+		keys = append(keys, k)
+	}
+	return keys, nil
+}
+
+func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) error {
+	st, err := localClient.NetworkLockStatus(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	if st.Enabled {
+		return errors.New("network-lock is already enabled")
+	}
+
+	addKeys, err := parseNLKeyArgs(addArgs)
+	if err != nil {
+		return err
+	}
+	removeKeys, err := parseNLKeyArgs(removeArgs)
+	if err != nil {
+		return err
+	}
+
+	status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Status: %+v\n\n", status)
+	return nil
+}
--- a/cmd/tailscale/cli/ssh_exec_windows.go
+++ b/cmd/tailscale/cli/ssh_exec_windows.go
@@ -13,7 +13,7 @@ import (

 func findSSH() (string, error) {
 	// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
-	// occured with ssh.exe provided by msys2/cygwin and other environments.
+	// occurred with ssh.exe provided by msys2/cygwin and other environments.
 	if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
 		exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
 		if st, err := os.Stat(exe); err == nil && !st.IsDir() {
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -501,7 +501,7 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		justEditMP.EggSet = true
+		justEditMP.EggSet = egg
 		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -70,6 +70,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
        tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
+        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
@@ -135,6 +136,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
  LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -88,6 +88,8 @@ func runMonitor(ctx context.Context, loop bool) error {
 	if err != nil {
 		return err
 	}
+	defer mon.Close()
+
 	mon.RegisterChangeCallback(func(changed bool, st *interfaces.State) {
 		if !changed {
 			log.Printf("Link monitor fired; no change")
@@ -162,7 +164,7 @@ func getURL(ctx context.Context, urlStr string) error {
 	return res.Write(os.Stdout)
 }

-func checkDerp(ctx context.Context, derpRegion string) error {
+func checkDerp(ctx context.Context, derpRegion string) (err error) {
 	req, err := http.NewRequestWithContext(ctx, "GET", ipn.DefaultControlURL+"/derpmap/default", nil)
 	if err != nil {
 		return fmt.Errorf("create derp map request: %w", err)
@@ -201,6 +203,12 @@ func checkDerp(ctx context.Context, derpRegion string) error {

 	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
 	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
+	defer func() {
+		if err != nil {
+			c1.Close()
+			c2.Close()
+		}
+	}()

 	c2.NotePreferred(true) // just to open it

--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -240,6 +240,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
        tailscale.com/net/tstun                                      from tailscale.com/net/dns+
+        tailscale.com/net/tunstats                                   from tailscale.com/net/tstun+
+        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
        tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
@@ -296,6 +298,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
@@ -321,6 +324,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/maps                                        from tailscale.com/wgengine
        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -342,7 +346,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W    golang.org/x/sys/windows/registry                            from golang.org/x/sys/windows/svc/eventlog+
   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
   W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled+
        golang.org/x/term                                            from tailscale.com/logpolicy
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
--- a/cmd/tailscaled/install_darwin.go
+++ b/cmd/tailscaled/install_darwin.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -83,6 +84,13 @@ func uninstallSystemDaemonDarwin(args []string) (ret error) {
 			ret = err
 		}
 	}
+
+	// Do not delete targetBin if it's a symlink, which happens if it was installed via
+	// Homebrew.
+	if isSymlink(targetBin) {
+		return ret
+	}
+
 	if err := os.Remove(targetBin); err != nil {
 		if os.IsNotExist(err) {
 			err = nil
@@ -107,40 +115,24 @@ func installSystemDaemonDarwin(args []string) (err error) {
 	// Best effort:
 	uninstallSystemDaemonDarwin(nil)

-	// Copy ourselves to /usr/local/bin/tailscaled.
-	if err := os.MkdirAll(filepath.Dir(targetBin), 0755); err != nil {
-		return err
-	}
 	exe, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("failed to find our own executable path: %w", err)
 	}
-	tmpBin := targetBin + ".tmp"
-	f, err := os.Create(tmpBin)
+
+	same, err := sameFile(exe, targetBin)
 	if err != nil {
 		return err
 	}
-	self, err := os.Open(exe)
-	if err != nil {
-		f.Close()
-		return err
-	}
-	_, err = io.Copy(f, self)
-	self.Close()
-	if err != nil {
-		f.Close()
-		return err
-	}
-	if err := f.Close(); err != nil {
-		return err
-	}
-	if err := os.Chmod(tmpBin, 0755); err != nil {
-		return err
-	}
-	if err := os.Rename(tmpBin, targetBin); err != nil {
-		return err
-	}

+	// Do not overwrite targetBin with the binary file if it it's already
+	// pointing to it. This is primarily to handle Homebrew that writes
+	// /usr/local/bin/tailscaled is a symlink to the actual binary.
+	if !same {
+		if err := copyBinary(exe, targetBin); err != nil {
+			return err
+		}
+	}
 	if err := os.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}
@@ -155,3 +147,55 @@ func installSystemDaemonDarwin(args []string) (err error) {

 	return nil
 }
+
+// copyBinary copies binary file `src` into `dst`.
+func copyBinary(src, dst string) error {
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
+		return err
+	}
+	tmpBin := dst + ".tmp"
+	f, err := os.Create(tmpBin)
+	if err != nil {
+		return err
+	}
+	srcf, err := os.Open(src)
+	if err != nil {
+		f.Close()
+		return err
+	}
+	_, err = io.Copy(f, srcf)
+	srcf.Close()
+	if err != nil {
+		f.Close()
+		return err
+	}
+	if err := f.Close(); err != nil {
+		return err
+	}
+	if err := os.Chmod(tmpBin, 0755); err != nil {
+		return err
+	}
+	if err := os.Rename(tmpBin, dst); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func isSymlink(path string) bool {
+	fi, err := os.Lstat(path)
+	return err == nil && (fi.Mode()&os.ModeSymlink == os.ModeSymlink)
+}
+
+// sameFile returns true if both file paths exist and resolve to the same file.
+func sameFile(path1, path2 string) (bool, error) {
+	dst1, err := filepath.EvalSymlinks(path1)
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		return false, fmt.Errorf("EvalSymlinks(%s): %w", path1, err)
+	}
+	dst2, err := filepath.EvalSymlinks(path2)
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		return false, fmt.Errorf("EvalSymlinks(%s): %w", path2, err)
+	}
+	return dst1 == dst2, nil
+}
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -88,7 +88,7 @@ func defaultTunName() string {
 			// see https://github.com/tailscale/tailscale/issues/391
 			//
 			// But Gokrazy does have the tun module built-in, so users
-			// can stil run --tun=tailscale0 if they wish, if they
+			// can still run --tun=tailscale0 if they wish, if they
 			// arrange for iptables to be present or run in "tailscale
 			// up --netfilter-mode=off" mode, perhaps. Untested.
 			return "userspace-networking"
@@ -158,7 +158,7 @@ func main() {
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
+	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an ephemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
@@ -375,8 +375,7 @@ func run() error {

 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)

-	dialer := new(tsdial.Dialer) // mutated below (before used)
-	dialer.Logf = logf
+	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)
@@ -565,6 +564,8 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 		}
 		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
+			dev.Close()
+			r.Close()
 			return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 		}
 		conf.DNS = d
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -23,6 +23,7 @@ package main // import "tailscale.com/cmd/tailscaled"
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"net/netip"
@@ -192,7 +193,7 @@ func beWindowsSubprocess() bool {
 	}
 	logid := os.Args[2]

-	// Remove the date/time prefix; the logtail + file logggers add it.
+	// Remove the date/time prefix; the logtail + file loggers add it.
 	log.SetFlags(0)

 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
@@ -265,11 +266,17 @@ func startIPNServer(ctx context.Context, logid string) error {
 	if err != nil {
 		return fmt.Errorf("monitor: %w", err)
 	}
-	dialer := new(tsdial.Dialer)
+	dialer := &tsdial.Dialer{Logf: logf}

 	getEngineRaw := func() (wgengine.Engine, *netstack.Impl, error) {
 		dev, devName, err := tstun.New(logf, "Tailscale")
 		if err != nil {
+			if errors.Is(err, windows.ERROR_DEVICE_NOT_AVAILABLE) {
+				// Wintun is not installing correctly. Dump the state of NetSetupSvc
+				// (which is a user-mode service that must be active for network devices
+				// to install) and its dependencies to the log.
+				winutil.LogSvcState(logf, "NetSetupSvc")
+			}
 			return nil, nil, fmt.Errorf("TUN: %w", err)
 		}
 		r, err := router.New(logf, dev, nil)
--- a/cmd/tsconnect/build-pkg.go
+++ b/cmd/tsconnect/build-pkg.go
@@ -12,6 +12,7 @@ import (
 	"path"

 	"github.com/tailscale/hujson"
+	"tailscale.com/util/precompress"
 	"tailscale.com/version"
 )

@@ -37,6 +38,10 @@ func runBuildPkg() {

 	runEsbuild(*buildOptions)

+	if err := precompressWasm(); err != nil {
+		log.Fatalf("Could not pre-recompress wasm: %v", err)
+	}
+
 	log.Printf("Generating types...\n")
 	if err := runYarn("pkg-types"); err != nil {
 		log.Fatalf("Type generation failed: %v", err)
@@ -49,6 +54,13 @@ func runBuildPkg() {
 	log.Printf("Built package version %s", version.Long)
 }

+func precompressWasm() error {
+	log.Printf("Pre-compressing main.wasm...\n")
+	return precompress.Precompress(path.Join(*pkgDir, "main.wasm"), precompress.Options{
+		FastCompression: *fastCompression,
+	})
+}
+
 func updateVersion() error {
 	packageJSONBytes, err := os.ReadFile("package.json.tmpl")
 	if err != nil {
--- a/cmd/tsconnect/build.go
+++ b/cmd/tsconnect/build.go
@@ -57,7 +57,7 @@ func runBuild() {

 // fixEsbuildMetadataPaths re-keys the esbuild metadata file to use paths
 // relative to the dist directory (it normally uses paths relative to the cwd,
-// which are akward if we're running with a different cwd at serving time).
+// which are awkward if we're running with a different cwd at serving time).
 func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	var metadata EsbuildMetadata
 	if err := json.Unmarshal([]byte(metadataStr), &metadata); err != nil {
--- a/cmd/tsconnect/common.go
+++ b/cmd/tsconnect/common.go
@@ -187,7 +187,12 @@ func buildWasm(dev bool) ([]byte, error) {
 		return nil, fmt.Errorf("Cannot create main.wasm output file: %w", err)
 	}
 	outputPath := outputFile.Name()
+
 	defer os.Remove(outputPath)
+	// Running defer (*os.File).Close() in defer order before os.Remove
+	// because on some systems like Windows, it is possible for os.Remove
+	// to fail for unclosed files.
+	defer outputFile.Close()

 	args := []string{"build", "-tags", "tailscale_go,osusergo,netgo,nethttpomithttp2,omitidna,omitpemdecrypt"}
 	if !dev {
--- a/cmd/tsconnect/package.json
+++ b/cmd/tsconnect/package.json
@@ -10,9 +10,9 @@
    "qrcode": "^1.5.0",
    "tailwindcss": "^3.1.6",
    "typescript": "^4.7.4",
-    "xterm": "5.0.0-beta.58",
-    "xterm-addon-fit": "^0.5.0",
-    "xterm-addon-web-links": "0.7.0-beta.6"
+    "xterm": "^5.0.0",
+    "xterm-addon-fit": "^0.6.0",
+    "xterm-addon-web-links": "^0.7.0"
  },
  "scripts": {
    "lint": "tsc --noEmit",
--- a/cmd/tsconnect/package.json.tmpl
+++ b/cmd/tsconnect/package.json.tmpl
@@ -9,7 +9,7 @@
  "author": "Tailscale Inc.",
  "description": "Tailscale Connect SDK",
  "license": "BSD-3-Clause",
-  "name": "tailscale-connect",
+  "name": "@tailscale/connect",
  "type": "module",
  "main": "./pkg.js",
  "types": "./pkg.d.ts",
--- a/cmd/tsconnect/src/app/ssh.tsx
+++ b/cmd/tsconnect/src/app/ssh.tsx
@@ -46,7 +46,12 @@ function SSHSession({
  const ref = useRef<HTMLDivElement>(null)
  useEffect(() => {
    if (ref.current) {
-      runSSHSession(ref.current, def, ipn, onDone, (err) => console.error(err))
+      runSSHSession(ref.current, def, ipn, {
+        onConnectionProgress: (p) => console.log("Connection progress", p),
+        onConnected() {},
+        onError: (err) => console.error(err),
+        onDone,
+      })
    }
  }, [ref])

--- a/cmd/tsconnect/src/lib/ssh.ts
+++ b/cmd/tsconnect/src/lib/ssh.ts
@@ -9,12 +9,18 @@ export type SSHSessionDef = {
  timeoutSeconds?: number
 }

+export type SSHSessionCallbacks = {
+  onConnectionProgress: (messsage: string) => void
+  onConnected: () => void
+  onDone: () => void
+  onError?: (err: string) => void
+}
+
 export function runSSHSession(
  termContainerNode: HTMLDivElement,
  def: SSHSessionDef,
  ipn: IPN,
-  onDone: () => void,
-  onError?: (err: string) => void,
+  callbacks: SSHSessionCallbacks,
  terminalOptions?: ITerminalOptions
 ) {
  const parentWindow = termContainerNode.ownerDocument.defaultView ?? window
@@ -42,14 +48,14 @@ export function runSSHSession(
  term.focus()

  let resizeObserver: ResizeObserver | undefined
-  let handleBeforeUnload: ((e: BeforeUnloadEvent) => void) | undefined
+  let handleUnload: ((e: Event) => void) | undefined

  const sshSession = ipn.ssh(def.hostname, def.username, {
    writeFn(input) {
      term.write(input)
    },
    writeErrorFn(err) {
-      onError?.(err)
+      callbacks.onError?.(err)
      term.write(err)
    },
    setReadFn(hook) {
@@ -57,13 +63,15 @@ export function runSSHSession(
    },
    rows: term.rows,
    cols: term.cols,
+    onConnectionProgress: callbacks.onConnectionProgress,
+    onConnected: callbacks.onConnected,
    onDone() {
      resizeObserver?.disconnect()
      term.dispose()
-      if (handleBeforeUnload) {
-        parentWindow.removeEventListener("beforeunload", handleBeforeUnload)
+      if (handleUnload) {
+        parentWindow.removeEventListener("unload", handleUnload)
      }
-      onDone()
+      callbacks.onDone()
    },
    timeoutSeconds: def.timeoutSeconds,
  })
@@ -75,6 +83,6 @@ export function runSSHSession(

  // Close the session if the user closes the window without an explicit
  // exit.
-  handleBeforeUnload = () => sshSession.close()
-  parentWindow.addEventListener("beforeunload", handleBeforeUnload)
+  handleUnload = () => sshSession.close()
+  parentWindow.addEventListener("unload", handleUnload)
 }
--- a/cmd/tsconnect/src/pkg/pkg.ts
+++ b/cmd/tsconnect/src/pkg/pkg.ts
@@ -15,12 +15,12 @@ import wasmURL from "./main.wasm"
 * needed for the package to function.
 */
 type IPNPackageConfig = IPNConfig & {
-  // Auth key used to intitialize the Tailscale client (required)
+  // Auth key used to initialize the Tailscale client (required)
  authKey: string
  // URL of the main.wasm file that is included in the page, if it is not
  // accessible via a relative URL.
  wasmURL?: string
-  // Funtion invoked if the Go process panics or unexpectedly exits.
+  // Function invoked if the Go process panics or unexpectedly exits.
  panicHandler: (err: string) => void
 }

--- a/cmd/tsconnect/src/types/wasm_js.d.ts
+++ b/cmd/tsconnect/src/types/wasm_js.d.ts
@@ -25,6 +25,8 @@ declare global {
        cols: number
        /** Defaults to 5 seconds */
        timeoutSeconds?: number
+        onConnectionProgress: (message: string) => void
+        onConnected: () => void
        onDone: () => void
      }
    ): IPNSSHSession
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -96,7 +96,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 	logtail := logtail.NewLogger(c, log.Printf)
 	logf := logtail.Logf

-	dialer := new(tsdial.Dialer)
+	dialer := &tsdial.Dialer{Logf: logf}
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
 		Dialer: dialer,
 	})
@@ -364,15 +364,21 @@ func (s *jsSSHSession) Run() {
 	if jsTimeoutSeconds := s.termConfig.Get("timeoutSeconds"); jsTimeoutSeconds.Type() == js.TypeNumber {
 		timeoutSeconds = jsTimeoutSeconds.Float()
 	}
+	onConnectionProgress := s.termConfig.Get("onConnectionProgress")
+	onConnected := s.termConfig.Get("onConnected")
 	onDone := s.termConfig.Get("onDone")
 	defer onDone.Invoke()

 	writeError := func(label string, err error) {
 		writeErrorFn.Invoke(fmt.Sprintf("%s Error: %v\r\n", label, err))
 	}
+	reportProgress := func(message string) {
+		onConnectionProgress.Invoke(message)
+	}

 	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeoutSeconds*float64(time.Second)))
 	defer cancel()
+	reportProgress(fmt.Sprintf("Connecting to %s…", strings.Split(s.host, ".")[0]))
 	c, err := s.jsIPN.dialer.UserDial(ctx, "tcp", net.JoinHostPort(s.host, "22"))
 	if err != nil {
 		writeError("Dial", err)
@@ -381,10 +387,16 @@ func (s *jsSSHSession) Run() {
 	defer c.Close()

 	config := &ssh.ClientConfig{
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-		User:            s.username,
+		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+			// Host keys are not used with Tailscale SSH, but we can use this
+			// callback to know that the connection has been established.
+			reportProgress("SSH connection established…")
+			return nil
+		},
+		User: s.username,
 	}

+	reportProgress("Starting SSH client…")
 	sshConn, _, _, err := ssh.NewClientConn(c, s.host, config)
 	if err != nil {
 		writeError("SSH Connection", err)
@@ -442,6 +454,7 @@ func (s *jsSSHSession) Run() {
 		return
 	}

+	onConnected.Invoke()
 	err = session.Wait()
 	if err != nil {
 		writeError("Wait", err)
--- a/cmd/tsconnect/yarn.lock
+++ b/cmd/tsconnect/yarn.lock
@@ -639,20 +639,20 @@ xtend@^4.0.2:
  resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"
  integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==

-xterm-addon-fit@^0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.5.0.tgz#2d51b983b786a97dcd6cde805e700c7f913bc596"
-  integrity sha512-DsS9fqhXHacEmsPxBJZvfj2la30Iz9xk+UKjhQgnYNkrUIN5CYLbw7WEfz117c7+S86S/tpHPfvNxJsF5/G8wQ==
+xterm-addon-fit@^0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.6.0.tgz#142e1ce181da48763668332593fc440349c88c34"
+  integrity sha512-9/7A+1KEjkFam0yxTaHfuk9LEvvTSBi0PZmEkzJqgafXPEXL9pCMAVV7rB09sX6ATRDXAdBpQhZkhKj7CGvYeg==

-xterm@5.0.0-beta.58:
-  version "5.0.0-beta.58"
-  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0-beta.58.tgz#e3e96ab9fd24d006ec16cc9351a060cc79e67e80"
-  integrity sha512-gjg39oKdgUKful27+7I1hvSK51lu/LRhdimFhfZyMvdk0iATH0FAfzv1eAvBKWY2UBgYUfxhicTkanYioANdMw==
+xterm-addon-web-links@^0.7.0:
+  version "0.7.0"
+  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0.tgz#dceac36170605f9db10a01d716bd83ee38f65c17"
+  integrity sha512-6PqoqzzPwaeSq22skzbvyboDvSnYk5teUYEoKBwMYvhbkwOQkemZccjWHT5FnNA8o1aInTc4PRYAl4jjPucCKA==

-xterm-addon-web-links@0.7.0-beta.6:
-  version "0.7.0-beta.6"
-  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0-beta.6.tgz#ec63b681b4f0f0135fa039f53664f65fe9d9f43a"
-  integrity sha512-nD/r/GchGTN4c9gAIVLWVoxExTzAUV7E9xZnwsvhuwI4CEE6yqO15ns8g2hdcUrsPyCbNEw05mIrkF6W5Yj8qA==
+xterm@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0.tgz#0af50509b33d0dc62fde7a4ec17750b8e453cc5c"
+  integrity sha512-tmVsKzZovAYNDIaUinfz+VDclraQpPUnAME+JawosgWRMphInDded/PuY0xmU5dOhyeYZsI0nz5yd8dPYsdLTA==

 y18n@^4.0.0:
  version "4.0.3"
--- a/cmd/viewer/viewer.go
+++ b/cmd/viewer/viewer.go
@@ -388,7 +388,7 @@ func main() {
 		log.Fatal(err)
 	}
 	if runCloner {
-		// When a new pacakge is added or when existing generated files have
+		// When a new package is added or when existing generated files have
 		// been deleted, we might run into a case where tailscale.com/cmd/cloner
 		// has not run yet. We detect this by verifying that all the structs we
 		// interacted with have had Clone method already generated. If they
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -88,11 +88,17 @@ func New(opts Options) (*Auto, error) {
 }

 // NewNoStart creates a new Auto, but without calling Start on it.
-func NewNoStart(opts Options) (*Auto, error) {
+func NewNoStart(opts Options) (_ *Auto, err error) {
 	direct, err := NewDirect(opts)
 	if err != nil {
 		return nil, err
 	}
+	defer func() {
+		if err != nil {
+			direct.Close()
+		}
+	}()
+
 	if opts.Status == nil {
 		return nil, errors.New("missing required Options.Status")
 	}
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -43,11 +43,13 @@ import (
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tka"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
+	"tailscale.com/types/tkatype"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/multierr"
 	"tailscale.com/util/singleflight"
@@ -68,7 +70,7 @@ type Direct struct {
 	linkMon                *monitor.Mon // or nil
 	discoPubKey            key.DiscoPublic
 	getMachinePrivKey      func() (key.MachinePrivate, error)
-	getNLPublicKey         func() (key.NLPublic, error) // or nil
+	getNLPrivateKey        func() (key.NLPrivate, error) // or nil
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
@@ -115,9 +117,9 @@ type Options struct {
 	Dialer               *tsdial.Dialer   // non-nil
 	C2NHandler           http.Handler     // or nil

-	// GetNLPublicKey specifies an optional function to use
+	// GetNLPrivateKey specifies an optional function to use
 	// Network Lock. If nil, it's not used.
-	GetNLPublicKey func() (key.NLPublic, error)
+	GetNLPrivateKey func() (key.NLPrivate, error)

 	// Status is called when there's a change in status.
 	Status func(Status)
@@ -229,7 +231,7 @@ func NewDirect(opts Options) (*Direct, error) {
 	c := &Direct{
 		httpc:                  httpc,
 		getMachinePrivKey:      opts.GetMachinePrivateKey,
-		getNLPublicKey:         opts.GetNLPublicKey,
+		getNLPrivateKey:        opts.GetNLPrivateKey,
 		serverURL:              opts.ServerURL,
 		timeNow:                opts.TimeNow,
 		logf:                   opts.Logf,
@@ -324,7 +326,7 @@ func (c *Direct) GetPersist() persist.Persist {
 func (c *Direct) TryLogout(ctx context.Context) error {
 	c.logf("[v1] direct.TryLogout()")

-	mustRegen, newURL, err := c.doLogin(ctx, loginOpt{Logout: true})
+	mustRegen, newURL, _, err := c.doLogin(ctx, loginOpt{Logout: true})
 	c.logf("[v1] TryLogout control response: mustRegen=%v, newURL=%v, err=%v", mustRegen, newURL, err)

 	c.mu.Lock()
@@ -348,13 +350,14 @@ func (c *Direct) WaitLoginURL(ctx context.Context, url string) (newURL string, e
 }

 func (c *Direct) doLoginOrRegen(ctx context.Context, opt loginOpt) (newURL string, err error) {
-	mustRegen, url, err := c.doLogin(ctx, opt)
+	mustRegen, url, oldNodeKeySignature, err := c.doLogin(ctx, opt)
 	if err != nil {
 		return url, err
 	}
 	if mustRegen {
 		opt.Regen = true
-		_, url, err = c.doLogin(ctx, opt)
+		opt.OldNodeKeySignature = oldNodeKeySignature
+		_, url, _, err = c.doLogin(ctx, opt)
 	}
 	return url, err
 }
@@ -380,6 +383,10 @@ type loginOpt struct {
 	// It is ignored if Logout is set since Logout works by setting a
 	// expiry time in the far past.
 	Expiry *time.Time
+
+	// OldNodeKeySignature indicates the former NodeKeySignature
+	// that must be resigned for the new node-key.
+	OldNodeKeySignature tkatype.MarshaledSignature
 }

 // httpClient provides a common interface for the noiseClient and
@@ -396,7 +403,7 @@ func (c *Direct) hostInfoLocked() *tailcfg.Hostinfo {
 	return hi
 }

-func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
+func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, nks tkatype.MarshaledSignature, err error) {
 	c.mu.Lock()
 	persist := c.persist
 	tryingNewKey := c.tryingNewKey
@@ -410,10 +417,10 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new

 	machinePrivKey, err := c.getMachinePrivKey()
 	if err != nil {
-		return false, "", fmt.Errorf("getMachinePrivKey: %w", err)
+		return false, "", nil, fmt.Errorf("getMachinePrivKey: %w", err)
 	}
 	if machinePrivKey.IsZero() {
-		return false, "", errors.New("getMachinePrivKey returned zero key")
+		return false, "", nil, errors.New("getMachinePrivKey returned zero key")
 	}

 	regen := opt.Regen
@@ -435,7 +442,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	if serverKey.IsZero() {
 		keys, err := loadServerPubKeys(ctx, c.httpc, c.serverURL)
 		if err != nil {
-			return regen, opt.URL, err
+			return regen, opt.URL, nil, err
 		}
 		c.logf("control server key from %s: ts2021=%s, legacy=%v", c.serverURL, keys.PublicKey.ShortString(), keys.LegacyPublicKey.ShortString())

@@ -472,43 +479,53 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		oldNodeKey = persist.OldPrivateNodeKey.Public()
 	}

-	var nlPub key.NLPublic
-	if c.getNLPublicKey != nil {
-		nlPub, err = c.getNLPublicKey()
-		if err != nil {
-			return false, "", fmt.Errorf("get nl key: %v", err)
-		}
-	}
-
 	if tryingNewKey.IsZero() {
 		if opt.Logout {
-			return false, "", errors.New("no nodekey to log out")
+			return false, "", nil, errors.New("no nodekey to log out")
 		}
 		log.Fatalf("tryingNewKey is empty, give up")
 	}
+
+	var nlPub key.NLPublic
+	var nodeKeySignature tkatype.MarshaledSignature
+	if c.getNLPrivateKey != nil {
+		priv, err := c.getNLPrivateKey()
+		if err != nil {
+			return false, "", nil, fmt.Errorf("get nl key: %v", err)
+		}
+		nlPub = priv.Public()
+
+		if !oldNodeKey.IsZero() && opt.OldNodeKeySignature != nil {
+			if nodeKeySignature, err = resignNKS(priv, tryingNewKey.Public(), opt.OldNodeKeySignature); err != nil {
+				c.logf("Failed re-signing node-key signature: %v", err)
+			}
+		}
+	}
+
 	if backendLogID == "" {
 		err = errors.New("hostinfo: BackendLogID missing")
-		return regen, opt.URL, err
+		return regen, opt.URL, nil, err
 	}
 	now := time.Now().Round(time.Second)
 	request := tailcfg.RegisterRequest{
-		Version:    1,
-		OldNodeKey: oldNodeKey,
-		NodeKey:    tryingNewKey.Public(),
-		NLKey:      nlPub,
-		Hostinfo:   hi,
-		Followup:   opt.URL,
-		Timestamp:  &now,
-		Ephemeral:  (opt.Flags & LoginEphemeral) != 0,
+		Version:          1,
+		OldNodeKey:       oldNodeKey,
+		NodeKey:          tryingNewKey.Public(),
+		NLKey:            nlPub,
+		Hostinfo:         hi,
+		Followup:         opt.URL,
+		Timestamp:        &now,
+		Ephemeral:        (opt.Flags & LoginEphemeral) != 0,
+		NodeKeySignature: nodeKeySignature,
 	}
 	if opt.Logout {
 		request.Expiry = time.Unix(123, 0) // far in the past
 	} else if opt.Expiry != nil {
 		request.Expiry = *opt.Expiry
 	}
-	c.logf("RegisterReq: onode=%v node=%v fup=%v",
+	c.logf("RegisterReq: onode=%v node=%v fup=%v nks=%v",
 		request.OldNodeKey.ShortString(),
-		request.NodeKey.ShortString(), opt.URL != "")
+		request.NodeKey.ShortString(), opt.URL != "", len(nodeKeySignature) > 0)
 	request.Auth.Oauth2Token = opt.Token
 	request.Auth.Provider = persist.Provider
 	request.Auth.LoginName = persist.LoginName
@@ -542,33 +559,33 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		request.Version = tailcfg.CurrentCapabilityVersion
 		httpc, err = c.getNoiseClient()
 		if err != nil {
-			return regen, opt.URL, fmt.Errorf("getNoiseClient: %w", err)
+			return regen, opt.URL, nil, fmt.Errorf("getNoiseClient: %w", err)
 		}
 		url = fmt.Sprintf("%s/machine/register", c.serverURL)
 		url = strings.Replace(url, "http:", "https:", 1)
 	}
 	bodyData, err := encode(request, serverKey, serverNoiseKey, machinePrivKey)
 	if err != nil {
-		return regen, opt.URL, err
+		return regen, opt.URL, nil, err
 	}
 	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(bodyData))
 	if err != nil {
-		return regen, opt.URL, err
+		return regen, opt.URL, nil, err
 	}
 	res, err := httpc.Do(req)
 	if err != nil {
-		return regen, opt.URL, fmt.Errorf("register request: %w", err)
+		return regen, opt.URL, nil, fmt.Errorf("register request: %w", err)
 	}
 	if res.StatusCode != 200 {
 		msg, _ := io.ReadAll(res.Body)
 		res.Body.Close()
-		return regen, opt.URL, fmt.Errorf("register request: http %d: %.200s",
+		return regen, opt.URL, nil, fmt.Errorf("register request: http %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
 	}
 	resp := tailcfg.RegisterResponse{}
 	if err := decode(res, &resp, serverKey, serverNoiseKey, machinePrivKey); err != nil {
 		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
-		return regen, opt.URL, fmt.Errorf("register request: %v", err)
+		return regen, opt.URL, nil, fmt.Errorf("register request: %v", err)
 	}
 	if debugRegister() {
 		j, _ := json.MarshalIndent(resp, "", "\t")
@@ -580,15 +597,19 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		resp.NodeKeyExpired, resp.MachineAuthorized, resp.AuthURL != "")

 	if resp.Error != "" {
-		return false, "", UserVisibleError(resp.Error)
+		return false, "", nil, UserVisibleError(resp.Error)
 	}
+	if len(resp.NodeKeySignature) > 0 {
+		return true, "", resp.NodeKeySignature, nil
+	}
+
 	if resp.NodeKeyExpired {
 		if regen {
-			return true, "", fmt.Errorf("weird: regen=true but server says NodeKeyExpired: %v", request.NodeKey)
+			return true, "", nil, fmt.Errorf("weird: regen=true but server says NodeKeyExpired: %v", request.NodeKey)
 		}
 		c.logf("server reports new node key %v has expired",
 			request.NodeKey.ShortString())
-		return true, "", nil
+		return true, "", nil, nil
 	}
 	if resp.Login.Provider != "" {
 		persist.Provider = resp.Login.Provider
@@ -621,12 +642,51 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	c.mu.Unlock()

 	if err != nil {
-		return regen, "", err
+		return regen, "", nil, err
 	}
 	if ctx.Err() != nil {
-		return regen, "", ctx.Err()
+		return regen, "", nil, ctx.Err()
 	}
-	return false, resp.AuthURL, nil
+	return false, resp.AuthURL, nil, nil
+}
+
+// resignNKS re-signs a node-key signature for a new node-key.
+//
+// This only matters on network-locked tailnets, because node-key signatures are
+// how other nodes know that a node-key is authentic. When the node-key is
+// rotated then the existing signature becomes invalid, so this function is
+// responsible for generating a new wrapping signature to certify the new node-key.
+//
+// The signature itself is a SigRotation signature, which embeds the old signature
+// and certifies the new node-key as a replacement for the old by signing the new
+// signature with RotationPubkey (which is the node's own network-lock key).
+func resignNKS(priv key.NLPrivate, nodeKey key.NodePublic, oldNKS tkatype.MarshaledSignature) (tkatype.MarshaledSignature, error) {
+	var oldSig tka.NodeKeySignature
+	if err := oldSig.Unserialize(oldNKS); err != nil {
+		return nil, fmt.Errorf("decoding NKS: %w", err)
+	}
+
+	nk, err := nodeKey.MarshalBinary()
+	if err != nil {
+		return nil, fmt.Errorf("marshalling node-key: %w", err)
+	}
+
+	if bytes.Equal(nk, oldSig.Pubkey) {
+		// The old signature is valid for the node-key we are using, so just
+		// use it verbatim.
+		return oldNKS, nil
+	}
+
+	newSig := tka.NodeKeySignature{
+		SigKind: tka.SigRotation,
+		Pubkey:  nk,
+		Nested:  &oldSig,
+	}
+	if newSig.Signature, err = priv.SignNKS(newSig.SigHash()); err != nil {
+		return nil, fmt.Errorf("signing NKS: %w", err)
+	}
+
+	return newSig.Serialize(), nil
 }

 func sameEndpoints(a, b []tailcfg.Endpoint) bool {
@@ -776,7 +836,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		// with useful results. The first POST just gets us the DERP map which we
 		// need to do the STUN queries to discover our endpoints.
 		// TODO(bradfitz): we skip this optimization in tests, though,
-		// because the e2e tests are currently hyperspecific about the
+		// because the e2e tests are currently hyper-specific about the
 		// ordering of things. The e2e tests need love.
 		ReadOnly: readOnly || (len(epStrs) == 0 && !everEndpoints && !inTest()),
 	}
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -35,7 +35,7 @@ type mapSession struct {
 	machinePubKey          key.MachinePublic
 	keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit

-	// Fields storing state over the the coards of multiple MapResponses.
+	// Fields storing state over the course of multiple MapResponses.
 	lastNode               *tailcfg.Node
 	lastDNSConfig          *tailcfg.DNSConfig
 	lastDERPMap            *tailcfg.DERPMap
@@ -45,6 +45,7 @@ type mapSession struct {
 	collectServices        bool
 	previousPeers          []*tailcfg.Node // for delta-purposes
 	lastDomain             string
+	lastDomainAuditLogID   string
 	lastHealth             []string
 	lastPopBrowserURL      string
 	stickyDebug            tailcfg.Debug // accumulated opt.Bool values
@@ -113,6 +114,9 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	if resp.Domain != "" {
 		ms.lastDomain = resp.Domain
 	}
+	if resp.DomainDataPlaneAuditLogID != "" {
+		ms.lastDomainAuditLogID = resp.DomainDataPlaneAuditLogID
+	}
 	if resp.Health != nil {
 		ms.lastHealth = resp.Health
 	}
@@ -143,20 +147,21 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	}

 	nm := &netmap.NetworkMap{
-		NodeKey:         ms.privateNodeKey.Public(),
-		PrivateKey:      ms.privateNodeKey,
-		MachineKey:      ms.machinePubKey,
-		Peers:           resp.Peers,
-		UserProfiles:    make(map[tailcfg.UserID]tailcfg.UserProfile),
-		Domain:          ms.lastDomain,
-		DNS:             *ms.lastDNSConfig,
-		PacketFilter:    ms.lastParsedPacketFilter,
-		SSHPolicy:       ms.lastSSHPolicy,
-		CollectServices: ms.collectServices,
-		DERPMap:         ms.lastDERPMap,
-		Debug:           debug,
-		ControlHealth:   ms.lastHealth,
-		TKAEnabled:      ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
+		NodeKey:          ms.privateNodeKey.Public(),
+		PrivateKey:       ms.privateNodeKey,
+		MachineKey:       ms.machinePubKey,
+		Peers:            resp.Peers,
+		UserProfiles:     make(map[tailcfg.UserID]tailcfg.UserProfile),
+		Domain:           ms.lastDomain,
+		DomainAuditLogID: ms.lastDomainAuditLogID,
+		DNS:              *ms.lastDNSConfig,
+		PacketFilter:     ms.lastParsedPacketFilter,
+		SSHPolicy:        ms.lastSSHPolicy,
+		CollectServices:  ms.collectServices,
+		DERPMap:          ms.lastDERPMap,
+		Debug:            debug,
+		ControlHealth:    ms.lastHealth,
+		TKAEnabled:       ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
 	}
 	ms.netMapBuilding = nm

--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -466,7 +466,7 @@ func TestNetmapForResponse(t *testing.T) {
 	})
 }

-// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResposnes
+// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResponses
 // entirely or have their opt.Bool values unspecified between MapResponses in a
 // session and that should mean no change. (as of capver 37). But two Debug
 // fields existed prior to capver 37 that weren't opt.Bool; we test that we both
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -210,7 +210,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()

-	conn, err := (&controlhttp.Dialer{
+	clientConn, err := (&controlhttp.Dialer{
 		Hostname:        nc.host,
 		HTTPPort:        nc.httpPort,
 		HTTPSPort:       nc.httpsPort,
@@ -226,7 +226,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {

 	nc.mu.Lock()
 	defer nc.mu.Unlock()
-	ncc := &noiseConn{Conn: conn, id: connID, pool: nc}
+	ncc := &noiseConn{Conn: clientConn.Conn, id: connID, pool: nc}
 	mak.Set(&nc.connPool, ncc.id, ncc)
 	return ncc, nil
 }
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -60,7 +60,7 @@ var stdDialer net.Dialer
 //
 // The provided ctx is only used for the initial connection, until
 // Dial returns. It does not affect the connection once established.
-func (a *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
+func (a *Dialer) Dial(ctx context.Context) (*ClientConn, error) {
 	if a.Hostname == "" {
 		return nil, errors.New("required Dialer.Hostname empty")
 	}
@@ -91,7 +91,7 @@ func (a *Dialer) httpsFallbackDelay() time.Duration {

 var _ = envknob.RegisterBool("TS_USE_CONTROL_DIAL_PLAN") // to record at init time whether it's in use

-func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
+func (a *Dialer) dial(ctx context.Context) (*ClientConn, error) {
 	// If we don't have a dial plan, just fall back to dialing the single
 	// host we know about.
 	useDialPlan := envknob.BoolDefaultTrue("TS_USE_CONTROL_DIAL_PLAN")
@@ -117,7 +117,7 @@ func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {

 	// Now, for each candidate, kick off a dial in parallel.
 	type dialResult struct {
-		conn     *controlbase.Conn
+		conn     *ClientConn
 		err      error
 		addr     netip.Addr
 		priority int
@@ -129,7 +129,7 @@ func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
 	for _, c := range candidates {
 		go func(ctx context.Context, c tailcfg.ControlIPCandidate) {
 			var (
-				conn *controlbase.Conn
+				conn *ClientConn
 				err  error
 			)

@@ -228,7 +228,7 @@ func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
 	})

 	var (
-		conn *controlbase.Conn
+		conn *ClientConn
 		errs []error
 	)
 	for i, result := range results {
@@ -252,7 +252,7 @@ func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
 // dialHost connects to the configured Dialer.Hostname and upgrades the
 // connection into a controlbase.Conn. If addr is valid, then no DNS is used
 // and the connection will be made to the provided address.
-func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Conn, error) {
+func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*ClientConn, error) {
 	// Create one shared context used by both port 80 and port 443 dials.
 	// If port 80 is still in flight when 443 returns, this deferred cancel
 	// will stop the port 80 dial.
@@ -274,8 +274,8 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Co
 	}

 	type tryURLRes struct {
-		u    *url.URL          // input (the URL conn+err are for/from)
-		conn *controlbase.Conn // result (mutually exclusive with err)
+		u    *url.URL    // input (the URL conn+err are for/from)
+		conn *ClientConn // result (mutually exclusive with err)
 		err  error
 	}
 	ch := make(chan tryURLRes) // must be unbuffered
@@ -331,12 +331,12 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Co
 }

 // dialURL attempts to connect to the given URL.
-func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*controlbase.Conn, error) {
+func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*ClientConn, error) {
 	init, cont, err := controlbase.ClientDeferred(a.MachineKey, a.ControlKey, a.ProtocolVersion)
 	if err != nil {
 		return nil, err
 	}
-	netConn, err := a.tryURLUpgrade(ctx, u, addr, init)
+	netConn, untrustedUpgradeHeaders, err := a.tryURLUpgrade(ctx, u, addr, init)
 	if err != nil {
 		return nil, err
 	}
@@ -345,7 +345,10 @@ func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*con
 		netConn.Close()
 		return nil, err
 	}
-	return cbConn, nil
+	return &ClientConn{
+		Conn:                    cbConn,
+		UntrustedUpgradeHeaders: untrustedUpgradeHeaders,
+	}, nil
 }

 // tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn. If addr
@@ -353,7 +356,7 @@ func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*con
 // provided address.
 //
 // Only the provided ctx is used, not a.ctx.
-func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr, init []byte) (net.Conn, error) {
+func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr, init []byte) (_ net.Conn, untrustedUpgradeHeaders http.Header, _ error) {
 	var dns *dnscache.Resolver

 	// If we were provided an address to dial, then create a resolver that just
@@ -435,11 +438,11 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr,

 	resp, err := tr.RoundTrip(req)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	if resp.StatusCode != http.StatusSwitchingProtocols {
-		return nil, fmt.Errorf("unexpected HTTP response: %s", resp.Status)
+		return nil, nil, fmt.Errorf("unexpected HTTP response: %s", resp.Status)
 	}

 	// From here on, the underlying net.Conn is ours to use, but there
@@ -453,19 +456,19 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr,
 	}
 	if switchedConn == nil {
 		resp.Body.Close()
-		return nil, fmt.Errorf("httptrace didn't provide a connection")
+		return nil, nil, fmt.Errorf("httptrace didn't provide a connection")
 	}

 	if next := resp.Header.Get("Upgrade"); next != upgradeHeaderValue {
 		resp.Body.Close()
-		return nil, fmt.Errorf("server switched to unexpected protocol %q", next)
+		return nil, nil, fmt.Errorf("server switched to unexpected protocol %q", next)
 	}

 	rwc, ok := resp.Body.(io.ReadWriteCloser)
 	if !ok {
 		resp.Body.Close()
-		return nil, errors.New("http Transport did not provide a writable body")
+		return nil, nil, errors.New("http Transport did not provide a writable body")
 	}

-	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
+	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), resp.Header, nil
 }
--- a/control/controlhttp/client_common.go
+++ b/control/controlhttp/client_common.go
@@ -0,0 +1,26 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlhttp
+
+import (
+	"net/http"
+
+	"tailscale.com/control/controlbase"
+)
+
+// ClientConn is a Tailscale control client as returned by the Dialer.
+//
+// It's effectively just a *controlbase.Conn (which it embeds) with
+// optional metadata.
+type ClientConn struct {
+	// Conn is the noise connection.
+	*controlbase.Conn
+
+	// UntrustedUpgradeHeaders are the HTTP headers seen in the
+	// 101 Switching Protocols upgrade response. They may be nil
+	// or even might've been tampered with by a middlebox.
+	// They should not be trusted.
+	UntrustedUpgradeHeaders http.Header
+}
--- a/control/controlhttp/client_js.go
+++ b/control/controlhttp/client_js.go
@@ -13,11 +13,12 @@ import (

 	"nhooyr.io/websocket"
 	"tailscale.com/control/controlbase"
+	"tailscale.com/net/wsconn"
 )

 // Variant of Dial that tunnels the request over WebSockets, since we cannot do
 // bi-directional communication over an HTTP connection when in JS.
-func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
+func (d *Dialer) Dial(ctx context.Context) (*ClientConn, error) {
 	if d.Hostname == "" {
 		return nil, errors.New("required Dialer.Hostname empty")
 	}
@@ -45,17 +46,20 @@ func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
 			handshakeHeaderName: []string{base64.StdEncoding.EncodeToString(init)},
 		}.Encode(),
 	}
-	wsConn, _, err := websocket.Dial(ctx, wsURL.String(), &websocket.DialOptions{
+	wsConn, httpRes, err := websocket.Dial(ctx, wsURL.String(), &websocket.DialOptions{
 		Subprotocols: []string{upgradeHeaderValue},
 	})
 	if err != nil {
 		return nil, err
 	}
-	netConn := websocket.NetConn(context.Background(), wsConn, websocket.MessageBinary)
+	netConn := wsconn.NetConn(context.Background(), wsConn, websocket.MessageBinary)
 	cbConn, err := cont(ctx, netConn)
 	if err != nil {
 		netConn.Close()
 		return nil, err
 	}
-	return cbConn, nil
+	return &ClientConn{
+		Conn:                    cbConn,
+		UntrustedUpgradeHeaders: httpRes.Header,
+	}, nil
 }
--- a/control/controlhttp/http_test.go
+++ b/control/controlhttp/http_test.go
@@ -127,7 +127,7 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 	const testProtocolVersion = 1
 	sch := make(chan serverResult, 1)
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		conn, err := AcceptHTTP(context.Background(), w, r, server)
+		conn, err := AcceptHTTP(context.Background(), w, r, server, nil)
 		if err != nil {
 			log.Print(err)
 		}
@@ -459,20 +459,33 @@ func TestDialPlan(t *testing.T) {

 	const (
 		testProtocolVersion = 1
-
-		// We need consistent ports for each address; these are chosen
-		// randomly and we hope that they won't conflict during this test.
-		httpPort  = "40080"
-		httpsPort = "40443"
 	)

+	getRandomPort := func() string {
+		ln, err := net.Listen("tcp", ":0")
+		if err != nil {
+			t.Fatalf("net.Listen: %v", err)
+		}
+		defer ln.Close()
+		_, port, err := net.SplitHostPort(ln.Addr().String())
+		if err != nil {
+			t.Fatal(err)
+		}
+		return port
+	}
+
+	// We need consistent ports for each address; these are chosen
+	// randomly and we hope that they won't conflict during this test.
+	httpPort := getRandomPort()
+	httpsPort := getRandomPort()
+
 	makeHandler := func(t *testing.T, name string, host netip.Addr, wrap func(http.Handler) http.Handler) {
 		done := make(chan struct{})
 		t.Cleanup(func() {
 			close(done)
 		})
 		var handler http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			conn, err := AcceptHTTP(context.Background(), w, r, server)
+			conn, err := AcceptHTTP(context.Background(), w, r, server, nil)
 			if err != nil {
 				log.Print(err)
 			} else {
--- a/control/controlhttp/server.go
+++ b/control/controlhttp/server.go
@@ -14,6 +14,7 @@ import (
 	"nhooyr.io/websocket"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/netutil"
+	"tailscale.com/net/wsconn"
 	"tailscale.com/types/key"
 )

@@ -22,7 +23,11 @@ import (
 //
 // AcceptHTTP always writes an HTTP response to w. The caller must not
 // attempt their own response after calling AcceptHTTP.
-func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate) (*controlbase.Conn, error) {
+//
+// extraHeader optionally specifies extra header(s) to send in the
+// 101 Switching Protocols Upgrade response. It must not include the "Upgrade"
+// or "Connection" headers; they will be replaced.
+func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate, extraHeader http.Header) (*controlbase.Conn, error) {
 	next := r.Header.Get("Upgrade")
 	if next == "" {
 		http.Error(w, "missing next protocol", http.StatusBadRequest)
@@ -53,6 +58,9 @@ func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, pri
 		return nil, errors.New("can't hijack client connection")
 	}

+	for k, vv := range extraHeader {
+		w.Header()[k] = vv
+	}
 	w.Header().Set("Upgrade", upgradeHeaderValue)
 	w.Header().Set("Connection", "upgrade")
 	w.WriteHeader(http.StatusSwitchingProtocols)
@@ -111,7 +119,7 @@ func acceptWebsocket(ctx context.Context, w http.ResponseWriter, r *http.Request
 		return nil, fmt.Errorf("decoding base64 handshake parameter: %v", err)
 	}

-	conn := websocket.NetConn(ctx, c, websocket.MessageBinary)
+	conn := wsconn.NetConn(ctx, c, websocket.MessageBinary)
 	nc, err := controlbase.Server(ctx, conn, private, init)
 	if err != nil {
 		conn.Close()
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -136,7 +136,8 @@ type Server struct {
 	multiForwarderCreated        expvar.Int
 	multiForwarderDeleted        expvar.Int
 	removePktForwardOther        expvar.Int
-	avgQueueDuration             *uint64 // In milliseconds; accessed atomically
+	avgQueueDuration             *uint64          // In milliseconds; accessed atomically
+	tcpRtt                       metrics.LabelMap // histogram

 	// verifyClients only accepts client connections to the DERP server if the clientKey is a
 	// known peer in the network, as specified by a running tailscaled's client's local api.
@@ -312,6 +313,7 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.NodePublic]map[key.NodePublic]int64{},
 		avgQueueDuration:     new(uint64),
+		tcpRtt:               metrics.LabelMap{Label: "le"},
 		keyOfAddr:            map[netip.AddrPort]key.NodePublic{},
 	}
 	s.initMetacert()
@@ -713,6 +715,7 @@ func (c *sclient) run(ctx context.Context) error {
 	var grp errgroup.Group
 	sendCtx, cancelSender := context.WithCancel(ctx)
 	grp.Go(func() error { return c.sendLoop(sendCtx) })
+	grp.Go(func() error { return c.statsLoop(sendCtx) })
 	defer func() {
 		cancelSender()
 		if err := grp.Wait(); err != nil && !c.s.isClosed() {
@@ -1699,6 +1702,7 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("average_queue_duration_ms", expvar.Func(func() any {
 		return math.Float64frombits(atomic.LoadUint64(s.avgQueueDuration))
 	}))
+	m.Set("counter_tcp_rtt", &s.tcpRtt)
 	var expvarVersion expvar.String
 	expvarVersion.Set(version.Long)
 	m.Set("version", &expvarVersion)
--- a/derp/derp_server_default.go
+++ b/derp/derp_server_default.go
@@ -0,0 +1,14 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !linux
+// +build !linux
+
+package derp
+
+import "context"
+
+func (c *sclient) statsLoop(ctx context.Context) error {
+	return nil
+}
--- a/derp/derp_server_linux.go
+++ b/derp/derp_server_linux.go
@@ -0,0 +1,95 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package derp
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+func (c *sclient) statsLoop(ctx context.Context) error {
+	// If we can't get a TCP socket, then we can't send stats.
+	tcpConn := c.tcpConn()
+	if tcpConn == nil {
+		c.s.tcpRtt.Add("non-tcp", 1)
+		return nil
+	}
+	rawConn, err := tcpConn.SyscallConn()
+	if err != nil {
+		c.logf("error getting SyscallConn: %v", err)
+		c.s.tcpRtt.Add("error", 1)
+		return nil
+	}
+
+	const statsInterval = 10 * time.Second
+
+	ticker := time.NewTicker(statsInterval)
+	defer ticker.Stop()
+
+	var (
+		tcpInfo *unix.TCPInfo
+		sysErr  error
+	)
+statsLoop:
+	for {
+		select {
+		case <-ticker.C:
+			err = rawConn.Control(func(fd uintptr) {
+				tcpInfo, sysErr = unix.GetsockoptTCPInfo(int(fd), unix.IPPROTO_TCP, unix.TCP_INFO)
+			})
+			if err != nil || sysErr != nil {
+				continue statsLoop
+			}
+
+			// TODO(andrew): more metrics?
+			rtt := time.Duration(tcpInfo.Rtt) * time.Microsecond
+			c.s.tcpRtt.Add(durationToLabel(rtt), 1)
+
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+}
+
+// tcpConn attempts to get the underlying *net.TCPConn from this client's
+// Conn; if it cannot, then it will return nil.
+func (c *sclient) tcpConn() *net.TCPConn {
+	nc := c.nc
+	for {
+		switch v := nc.(type) {
+		case *net.TCPConn:
+			return v
+		case *tls.Conn:
+			nc = v.NetConn()
+		default:
+			return nil
+		}
+	}
+}
+
+func durationToLabel(dur time.Duration) string {
+	switch {
+	case dur <= 10*time.Millisecond:
+		return "10ms"
+	case dur <= 20*time.Millisecond:
+		return "20ms"
+	case dur <= 50*time.Millisecond:
+		return "50ms"
+	case dur <= 100*time.Millisecond:
+		return "100ms"
+	case dur <= 150*time.Millisecond:
+		return "150ms"
+	case dur <= 250*time.Millisecond:
+		return "250ms"
+	case dur <= 500*time.Millisecond:
+		return "500ms"
+	default:
+		return "inf"
+	}
+}
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -232,7 +232,7 @@ func TestSendFreeze(t *testing.T) {
 	//	alice --> bob
 	//	alice --> cathy
 	//
-	// Then cathy stops processing messsages.
+	// Then cathy stops processing messages.
 	// That should not interfere with alice talking to bob.

 	newClient := func(ctx context.Context, name string, k key.NodePrivate) (c *Client, clientConn nettest.Conn) {
@@ -772,7 +772,7 @@ func TestForwarderRegistration(t *testing.T) {
 	})

 	// Now pretend u1 was already connected locally (so clientsMesh[u1] is nil), and then we heard
-	// that they're also connected to a peer of ours. That sholdn't transition the forwarder
+	// that they're also connected to a peer of ours. That shouldn't transition the forwarder
 	// from nil to the new one, not a multiForwarder.
 	s.clients[u1] = singleClient{u1c}
 	s.clientsMesh[u1] = nil
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -96,7 +96,7 @@ func NewRegionClient(privateKey key.NodePrivate, logf logger.Logf, getRegion fun
 	return c
 }

-// NewNetcheckClient returns a Client that's only able to have its DialRegion method called.
+// NewNetcheckClient returns a Client that's only able to have its DialRegionTLS method called.
 // It's used by the netcheck package.
 func NewNetcheckClient(logf logger.Logf) *Client {
 	return &Client{logf: logf}
@@ -199,7 +199,7 @@ func (c *Client) urlString(node *tailcfg.DERPNode) string {
 	return fmt.Sprintf("https://%s/derp", node.HostName)
 }

-// AddressFamilySelector decides whethers IPv6 is preferred for
+// AddressFamilySelector decides whether IPv6 is preferred for
 // outbound dials.
 type AddressFamilySelector interface {
 	// PreferIPv6 reports whether IPv4 dials should be slightly
@@ -985,7 +985,9 @@ func (c *Client) isClosed() bool {
 // Close closes the client. It will not automatically reconnect after
 // being closed.
 func (c *Client) Close() error {
-	c.cancelCtx() // not in lock, so it can cancel Connect, which holds mu
+	if c.cancelCtx != nil {
+		c.cancelCtx() // not in lock, so it can cancel Connect, which holds mu
+	}

 	c.mu.Lock()
 	defer c.mu.Unlock()
--- a/derp/derphttp/websocket.go
+++ b/derp/derphttp/websocket.go
@@ -13,6 +13,7 @@ import (
 	"net"

 	"nhooyr.io/websocket"
+	"tailscale.com/net/wsconn"
 )

 func init() {
@@ -28,6 +29,6 @@ func dialWebsocket(ctx context.Context, urlStr string) (net.Conn, error) {
 		return nil, err
 	}
 	log.Printf("websocket: connected to %v", urlStr)
-	netConn := websocket.NetConn(context.Background(), c, websocket.MessageBinary)
+	netConn := wsconn.NetConn(context.Background(), c, websocket.MessageBinary)
 	return netConn, nil
 }
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -15,9 +15,9 @@
 // The recipient then decrypts the bytes following (the nacl secretbox)
 // and then the inner payload structure is:
 //
-//	messageType    byte  (the MessageType constants below)
-//	messageVersion byte  (0 for now; but always ignore bytes at the end)
-//	message-paylod [...]byte
+//	messageType     byte  (the MessageType constants below)
+//	messageVersion  byte  (0 for now; but always ignore bytes at the end)
+//	message-payload [...]byte
 package disco

 import (
--- a/docs/k8s/proxy.yaml
+++ b/docs/k8s/proxy.yaml
@@ -9,7 +9,7 @@ spec:
  serviceAccountName: "{{SA_NAME}}"
  initContainers:
    # In order to run as a proxy we need to enable IP Forwarding inside
-    # the container. The `net.ipv4.ip_forward` sysctl is not whitelisted
+    # the container. The `net.ipv4.ip_forward` sysctl is not allowlisted
    # in Kubelet by default.
  - name: sysctler
    image: busybox
@@ -18,7 +18,7 @@ spec:
    command: ["/bin/sh"]
    args:
      - -c
-      - sysctl -w net.ipv4.ip_forward=1 -w net.ipv6.conf.all.forwarding=1
+      - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
    resources:
      requests:
        cpu: 1m
--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -277,6 +277,11 @@ func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
 // SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
 func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }

+
+// TKASkipSignatureCheck is whether to skip node-key signature checking for development.
+func TKASkipSignatureCheck() bool { return Bool("TS_UNSAFE_SKIP_NKS_VERIFICATION") }
+
+
 // NoLogsNoSupport reports whether the client's opted out of log uploads and
 // technical support.
 func NoLogsNoSupport() bool {
--- a/go.mod
+++ b/go.mod
@@ -39,12 +39,13 @@ require (
 	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/peterbourgon/ff/v3 v3.1.2
+	github.com/pkg/errors v0.9.1
 	github.com/pkg/sftp v1.13.4
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1
+	github.com/tailscale/golang-x-crypto v0.0.0-20221011214003-2ffa11beee90
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
 	github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89
@@ -57,9 +58,9 @@ require (
 	go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf
 	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
-	golang.org/x/net v0.0.0-20220607020251-c690dde0001d
+	golang.org/x/net v0.0.0-20221002022538-bcab6841153b
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
+	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11
@@ -210,13 +211,11 @@ require (
 	github.com/nishanths/exhaustive v0.7.11 // indirect
 	github.com/nishanths/predeclared v0.2.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
 	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d // indirect
 	github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/polyfloyd/go-errorlint v0.0.0-20211125173453-6d6d39c5bb8b // indirect
 	github.com/prometheus/client_golang v1.11.0 // indirect
@@ -230,7 +229,7 @@ require (
 	github.com/ryancurrah/gomodguard v1.2.3 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.3.0 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
-	github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b // indirect
+	github.com/sassoftware/go-rpmutils v0.1.0 // indirect
 	github.com/securego/gosec/v2 v2.9.3 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
--- a/go.sum
+++ b/go.sum
@@ -876,7 +876,6 @@ github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -990,8 +989,9 @@ github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYI
 github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
 github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc=
 github.com/sanposhiho/wastedassign/v2 v2.0.7/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
-github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
+github.com/sassoftware/go-rpmutils v0.1.0 h1:VLrna+tV+77Tclr956QkY/pTyyKomQlq2Xw6PuE8tsc=
+github.com/sassoftware/go-rpmutils v0.1.0/go.mod h1:euhXULoBpvAxqrBHEyJS4Tsu3hHxUmQWNymxoJbzgUY=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/securego/gosec/v2 v2.5.0/go.mod h1:L/CDXVntIff5ypVHIkqPXbtRpJiNCh6c6Amn68jXDjo=
 github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc=
@@ -1082,8 +1082,8 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1 h1:vsFV6BKSIgjRd8m8UfrGW4r+cc28fRF71K6IRo46rKs=
-github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
+github.com/tailscale/golang-x-crypto v0.0.0-20221011214003-2ffa11beee90 h1:Vw3TVi00T2/J3yU22807VB0K0Fo8lNMUBEo2gL0L1bM=
+github.com/tailscale/golang-x-crypto v0.0.0-20221011214003-2ffa11beee90/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f h1:n4r/sJ92cBSBHK8n9lR1XLFr0OiTVeGfN5TR+9LaN7E=
@@ -1235,6 +1235,7 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
@@ -1354,8 +1355,8 @@ golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d h1:4SFsTMi4UahlKoloni7L4eYzhFRifURQLw+yv0QDCx8=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20221002022538-bcab6841153b h1:6e93nYa3hNqAvLr0pD4PN1fFS+gKzp2zAXqrnTCstqU=
+golang.org/x/net v0.0.0-20221002022538-bcab6841153b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1490,8 +1491,9 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-b13188dd36c1ad2509796ce10b6a1231b200c36a
+3fd24dee31726924c1b61c8037a889b30b8aa0f6
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -69,7 +69,7 @@ type Notify struct {
 	State         *State             // if non-nil, the new or current IPN state
 	Prefs         *Prefs             // if non-nil, the new or current preferences
 	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
-	Engine        *EngineStatus      // if non-nil, the new or urrent wireguard stats
+	Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
 	BrowseToURL   *string            // if non-nil, UI should open a browser right now
 	BackendLogID  *string            // if non-nil, the public logtail ID used by backend

@@ -168,6 +168,11 @@ type PartialFile struct {
 //     LocalBackend.userID, a string like "user-$USER_ID" (used in
 //     server mode).
 //   - on Linux/etc, it's always "_daemon" (ipn.GlobalDaemonStateKey)
+//
+// Additionally, the StateKey can be debug setting name:
+//
+//   - "_debug_magicsock_until" with value being a unix timestamp stringified
+//   - "_debug_<component>_until" with value being a unix timestamp stringified
 type StateKey string

 type Options struct {
--- a/ipn/handle.go
+++ b/ipn/handle.go
@@ -1,176 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ipn
-
-import (
-	"net/netip"
-	"sync"
-	"time"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
-	"tailscale.com/types/netmap"
-)
-
-type Handle struct {
-	b    Backend
-	logf logger.Logf
-
-	// Mutex protects everything below
-	mu                sync.Mutex
-	xnotify           func(Notify)
-	frontendLogID     string
-	netmapCache       *netmap.NetworkMap
-	engineStatusCache EngineStatus
-	stateCache        State
-	prefsCache        *Prefs
-}
-
-func NewHandle(b Backend, logf logger.Logf, notify func(Notify), opts Options) (*Handle, error) {
-	h := &Handle{
-		b:    b,
-		logf: logf,
-	}
-
-	h.SetNotifyCallback(notify)
-	err := h.Start(opts)
-	if err != nil {
-		return nil, err
-	}
-
-	return h, nil
-}
-
-func (h *Handle) SetNotifyCallback(notify func(Notify)) {
-	h.mu.Lock()
-	h.xnotify = notify
-	h.mu.Unlock()
-
-	h.b.SetNotifyCallback(h.notify)
-}
-
-func (h *Handle) Start(opts Options) error {
-	h.mu.Lock()
-	h.frontendLogID = opts.FrontendLogID
-	h.netmapCache = nil
-	h.engineStatusCache = EngineStatus{}
-	h.stateCache = NoState
-	if opts.Prefs != nil {
-		h.prefsCache = opts.Prefs.Clone()
-	}
-	h.mu.Unlock()
-	return h.b.Start(opts)
-}
-
-func (h *Handle) Reset() {
-	st := NoState
-	h.notify(Notify{State: &st})
-}
-
-func (h *Handle) notify(n Notify) {
-	h.mu.Lock()
-	if n.BackendLogID != nil {
-		h.logf("Handle: logs: be:%v fe:%v",
-			*n.BackendLogID, h.frontendLogID)
-	}
-	if n.State != nil {
-		h.stateCache = *n.State
-	}
-	if n.Prefs != nil {
-		h.prefsCache = n.Prefs.Clone()
-	}
-	if n.NetMap != nil {
-		h.netmapCache = n.NetMap
-	}
-	if n.Engine != nil {
-		h.engineStatusCache = *n.Engine
-	}
-	h.mu.Unlock()
-
-	if h.xnotify != nil {
-		// Forward onward to our parent's notifier
-		h.xnotify(n)
-	}
-}
-
-func (h *Handle) Prefs() *Prefs {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	return h.prefsCache.Clone()
-}
-
-func (h *Handle) UpdatePrefs(updateFn func(p *Prefs)) {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	new := h.prefsCache.Clone()
-	updateFn(new)
-	h.prefsCache = new
-	h.b.SetPrefs(new)
-}
-
-func (h *Handle) State() State {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	return h.stateCache
-}
-
-func (h *Handle) EngineStatus() EngineStatus {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	return h.engineStatusCache
-}
-
-func (h *Handle) LocalAddrs() []netip.Prefix {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	nm := h.netmapCache
-	if nm != nil {
-		return nm.Addresses
-	}
-	return []netip.Prefix{}
-}
-
-func (h *Handle) NetMap() *netmap.NetworkMap {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	return h.netmapCache
-}
-
-func (h *Handle) Expiry() time.Time {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	nm := h.netmapCache
-	if nm != nil {
-		return nm.Expiry
-	}
-	return time.Time{}
-}
-
-func (h *Handle) AdminPageURL() string {
-	return h.prefsCache.AdminPageURL()
-}
-
-func (h *Handle) StartLoginInteractive() {
-	h.b.StartLoginInteractive()
-}
-
-func (h *Handle) Login(token *tailcfg.Oauth2Token) {
-	h.b.Login(token)
-}
-
-func (h *Handle) Logout() {
-	h.b.Logout()
-}
-
-func (h *Handle) RequestEngineStatus() {
-	h.b.RequestEngineStatus()
-}
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -8,6 +8,8 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"strconv"
+	"time"

 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
@@ -32,6 +34,21 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 	case "/debug/metrics":
 		w.Header().Set("Content-Type", "text/plain")
 		clientmetric.WritePrometheusExpositionFormat(w)
+	case "/debug/component-logging":
+		component := r.FormValue("component")
+		secs, _ := strconv.Atoi(r.FormValue("secs"))
+		if secs == 0 {
+			secs -= 1
+		}
+		until := time.Now().Add(time.Duration(secs) * time.Second)
+		err := b.SetComponentDebugLogging(component, until)
+		var res struct {
+			Error string `json:",omitempty"`
+		}
+		if err != nil {
+			res.Error = err.Error()
+		}
+		writeJSON(res)
 	case "/ssh/usernames":
 		var req tailcfg.C2NSSHUsernamesRequest
 		if r.Method == "POST" {
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -24,6 +24,8 @@ import (
 	"time"

 	"go4.org/netipx"
+	"golang.org/x/exp/slices"
+	"golang.org/x/sync/errgroup"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/doctor"
@@ -55,6 +57,7 @@ import (
 	"tailscale.com/types/views"
 	"tailscale.com/util/deephash"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
@@ -186,6 +189,7 @@ type LocalBackend struct {
 	// *.partial file to its final name on completion.
 	directFileRoot          string
 	directFileDoFinalRename bool // false on macOS, true on several NAS platforms
+	componentLogUntil       map[string]componentLogState

 	// statusLock must be held before calling statusChanged.Wait() or
 	// statusChanged.Broadcast().
@@ -195,6 +199,14 @@ type LocalBackend struct {
 	// dialPlan is any dial plan that we've received from the control
 	// server during a previous connection; it is cleared on logout.
 	dialPlan atomic.Pointer[tailcfg.ControlDialPlan]
+
+	// tkaSyncLock is used to make tkaSyncIfNeeded an exclusive
+	// section. This is needed to stop two map-responses in quick succession
+	// from racing each other through TKA sync logic / RPCs.
+	//
+	// tkaSyncLock MUST be taken before mu (or inversely, mu must not be held
+	// at the moment that tkaSyncLock is taken).
+	tkaSyncLock sync.Mutex
 }

 // clientGen is a func that creates a control plane client.
@@ -214,7 +226,7 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 	logf.JSON(1, "Hostinfo", hi)
 	envknob.LogCurrent(logf)
 	if dialer == nil {
-		dialer = new(tsdial.Dialer)
+		dialer = &tsdial.Dialer{Logf: logf}
 	}

 	osshare.SetFileSharingEnabled(false, logf)
@@ -267,9 +279,106 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 		b.logf("[unexpected] failed to wire up peer API port for engine %T", e)
 	}

+	for _, component := range debuggableComponents {
+		key := componentStateKey(component)
+		if ut, err := ipn.ReadStoreInt(store, key); err == nil {
+			if until := time.Unix(ut, 0); until.After(time.Now()) {
+				// conditional to avoid log spam at start when off
+				b.SetComponentDebugLogging(component, until)
+			}
+		}
+	}
+
 	return b, nil
 }

+type componentLogState struct {
+	until time.Time
+	timer *time.Timer // if non-nil, the AfterFunc to disable it
+}
+
+var debuggableComponents = []string{
+	"magicsock",
+}
+
+func componentStateKey(component string) ipn.StateKey {
+	return ipn.StateKey("_debug_" + component + "_until")
+}
+
+// SetComponentDebugLogging sets component's debug logging enabled until the until time.
+// If until is in the past, the component's debug logging is disabled.
+//
+// The following components are recognized:
+//
+//   - magicsock
+func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Time) error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	var setEnabled func(bool)
+	switch component {
+	case "magicsock":
+		mc, err := b.magicConn()
+		if err != nil {
+			return err
+		}
+		setEnabled = mc.SetDebugLoggingEnabled
+	}
+	if setEnabled == nil || !slices.Contains(debuggableComponents, component) {
+		return fmt.Errorf("unknown component %q", component)
+	}
+	timeUnixOrZero := func(t time.Time) int64 {
+		if t.IsZero() {
+			return 0
+		}
+		return t.Unix()
+	}
+	ipn.PutStoreInt(b.store, componentStateKey(component), timeUnixOrZero(until))
+	now := time.Now()
+	on := now.Before(until)
+	setEnabled(on)
+	var onFor time.Duration
+	if on {
+		onFor = until.Sub(now)
+		b.logf("debugging logging for component %q enabled for %v (until %v)", component, onFor.Round(time.Second), until.UTC().Format(time.RFC3339))
+	} else {
+		b.logf("debugging logging for component %q disabled", component)
+	}
+	if oldSt, ok := b.componentLogUntil[component]; ok && oldSt.timer != nil {
+		oldSt.timer.Stop()
+	}
+	newSt := componentLogState{until: until}
+	if on {
+		newSt.timer = time.AfterFunc(onFor, func() {
+			// Turn off logging after the timer fires, as long as the state is
+			// unchanged when the timer actually fires.
+			b.mu.Lock()
+			defer b.mu.Unlock()
+			if ls := b.componentLogUntil[component]; ls.until == until {
+				setEnabled(false)
+				b.logf("debugging logging for component %q disabled (by timer)", component)
+			}
+		})
+	}
+	mak.Set(&b.componentLogUntil, component, newSt)
+	return nil
+}
+
+// GetComponentDebugLogging gets the time that component's debug logging is
+// enabled until, or the zero time if component's time is not currently
+// enabled.
+func (b *LocalBackend) GetComponentDebugLogging(component string) time.Time {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	now := time.Now()
+	ls := b.componentLogUntil[component]
+	if ls.until.IsZero() || ls.until.Before(now) {
+		return time.Time{}
+	}
+	return ls.until
+}
+
 // Dialer returns the backend's dialer.
 func (b *LocalBackend) Dialer() *tsdial.Dialer {
 	return b.dialer
@@ -690,9 +799,15 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		}
 	}
 	if st.NetMap != nil {
-		if err := b.tkaSyncIfNeededLocked(st.NetMap); err != nil {
+		b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded
+		if err := b.tkaSyncIfNeeded(st.NetMap); err != nil {
 			b.logf("[v1] TKA sync error: %v", err)
 		}
+		b.mu.Lock()
+
+		if !envknob.TKASkipSignatureCheck() {
+			b.tkaFilterNetmapLocked(st.NetMap)
+		}
 		if b.findExitNodeIDLocked(st.NetMap) {
 			prefsChanged = true
 		}
@@ -1076,7 +1191,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	// but it won't take effect until the next Start().
 	cc, err := b.getNewControlClientFunc()(controlclient.Options{
 		GetMachinePrivateKey: b.createGetMachinePrivateKeyFunc(),
-		GetNLPublicKey:       b.createGetNLPublicKeyFunc(),
+		GetNLPrivateKey:      b.createGetNLPrivateKeyFunc(),
 		Logf:                 logger.WithPrefix(b.logf, "control: "),
 		Persist:              *persistv,
 		ServerURL:            b.serverURL,
@@ -1546,18 +1661,18 @@ func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (key.MachinePriva
 	}
 }

-func (b *LocalBackend) createGetNLPublicKeyFunc() func() (key.NLPublic, error) {
-	var cache syncs.AtomicValue[key.NLPublic]
-	return func() (key.NLPublic, error) {
+func (b *LocalBackend) createGetNLPrivateKeyFunc() func() (key.NLPrivate, error) {
+	var cache syncs.AtomicValue[key.NLPrivate]
+	return func() (key.NLPrivate, error) {
 		b.mu.Lock()
 		defer b.mu.Unlock()
 		if v, ok := cache.LoadOk(); ok {
 			return v, nil
 		}

-		pub := b.nlPrivKey.Public()
-		cache.Store(pub)
-		return pub, nil
+		priv := b.nlPrivKey
+		cache.Store(priv)
+		return priv, nil
 	}
 }

@@ -2173,7 +2288,7 @@ func (b *LocalBackend) GetPeerAPIPort(ip netip.Addr) (port uint16, ok bool) {
 // ServePeerAPIConnection serves an already-accepted connection c.
 //
 // The remote parameter is the remote address.
-// The local paramater is the local address (either a Tailscale IPv4
+// The local parameter is the local address (either a Tailscale IPv4
 // or IPv6 IP and the peerapi port for that address).
 //
 // The connection will be closed by ServePeerAPIConnection.
@@ -2233,7 +2348,7 @@ func (b *LocalBackend) doSetHostinfoFilterServices(hi *tailcfg.Hostinfo) {
 	}
 	peerAPIServices := b.peerAPIServicesLocked()
 	if b.egg {
-		peerAPIServices = append(peerAPIServices, tailcfg.Service{Proto: "egg"})
+		peerAPIServices = append(peerAPIServices, tailcfg.Service{Proto: "egg", Port: 1})
 	}
 	b.mu.Unlock()

@@ -3027,7 +3142,7 @@ func (b *LocalBackend) RequestEngineStatus() {
 // that have happened. It is invoked from the various callbacks that
 // feed events into LocalBackend.
 //
-// TODO(apenwarr): use a channel or something to prevent re-entrancy?
+// TODO(apenwarr): use a channel or something to prevent reentrancy?
 // Or maybe just call the state machine from fewer places.
 func (b *LocalBackend) stateMachine() {
 	b.enterState(b.nextState())
@@ -3087,7 +3202,7 @@ func (b *LocalBackend) ResetForClientDisconnect() {

 func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }

-// ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
+// ShouldHandleViaIP reports whether ip is an IPv6 address in the
 // Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
 // by Tailscale.
 func (b *LocalBackend) ShouldHandleViaIP(ip netip.Addr) bool {
@@ -3331,10 +3446,7 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 		return nil, errors.New("file sharing not enabled by Tailscale admin")
 	}
 	for _, p := range nm.Peers {
-		if len(p.Addresses) == 0 {
-			continue
-		}
-		if p.User != nm.User && b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharing) {
+		if !b.peerIsTaildropTargetLocked(p) {
 			continue
 		}
 		peerAPI := peerAPIBase(b.netMap, p)
@@ -3350,6 +3462,26 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }

+// peerIsTaildropTargetLocked reports whether p is a valid Taildrop file
+// recipient from this node according to its ownership and the capabilities in
+// the netmap.
+//
+// b.mu must be locked.
+func (b *LocalBackend) peerIsTaildropTargetLocked(p *tailcfg.Node) bool {
+	if b.netMap == nil || p == nil {
+		return false
+	}
+	if b.netMap.User == p.User {
+		return true
+	}
+	if len(p.Addresses) > 0 &&
+		b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharingTarget) {
+		// Explicitly noted in the netmap ACL caps as a target.
+		return true
+	}
+	return false
+}
+
 func (b *LocalBackend) peerHasCapLocked(addr netip.Addr, wantCap string) bool {
 	for _, hasCap := range b.peerCapsLocked(addr) {
 		if hasCap == wantCap {
@@ -3593,6 +3725,193 @@ func (b *LocalBackend) DebugReSTUN() error {
 	return nil
 }

+func (b *LocalBackend) DebugSubnetRoute(ctx context.Context, addr string) (*apitype.SubnetRouteDebugResponse, error) {
+	b.mu.Lock()
+	nm := b.netMap
+	b.mu.Unlock()
+
+	if nm == nil {
+		return nil, errors.New("no netmap")
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+
+	out := &apitype.SubnetRouteDebugResponse{
+		InputAddr: addr,
+	}
+
+	returnWithError := func(format string, args ...any) (*apitype.SubnetRouteDebugResponse, error) {
+		if len(format) > 0 && format[len(format)-1] != '\n' {
+			format += "\n"
+		}
+		out.Errors = append(out.Errors, fmt.Sprintf(format, args...))
+		return out, nil
+	}
+
+	ip, err := netip.ParseAddr(addr)
+	if err != nil {
+		// Try resolving the address using both the Go and platform-specific resolver
+		var addrs []apitype.SubnetRouteDebugAddress
+		for _, preferGo := range []bool{true, false} {
+			resolver := net.Resolver{PreferGo: preferGo}
+			ips, err := resolver.LookupNetIP(ctx, "ip", addr)
+			if err != nil {
+				return returnWithError("error resolving address %q: %v", addr, err)
+			}
+			for _, ip := range ips {
+				addrs = append(addrs, apitype.SubnetRouteDebugAddress{
+					Addr:   ip.Unmap(),
+					Source: fmt.Sprintf("net.Resolver{PreferGo: %v}", preferGo),
+				})
+			}
+		}
+
+		// Pick the first IP, since we always expect it.
+		// TODO: try all IPs?
+		out.Addresses = addrs
+		ip = addrs[0].Addr
+	} else {
+		out.Addresses = []apitype.SubnetRouteDebugAddress{{
+			Addr:   ip,
+			Source: "user",
+		}}
+	}
+	ip = ip.Unmap()
+
+	// Try to determine which subnet router is routing this address.
+	type nodeWithMatching struct {
+		*tailcfg.Node
+		MatchingAllowedIPs []netip.Prefix
+	}
+	var ns []nodeWithMatching
+	for _, peer := range nm.Peers {
+		curr := nodeWithMatching{Node: peer}
+		for _, allowedip := range peer.AllowedIPs {
+			if !allowedip.Contains(ip) {
+				continue
+			}
+			curr.MatchingAllowedIPs = append(curr.MatchingAllowedIPs, allowedip)
+		}
+
+		if len(curr.MatchingAllowedIPs) > 0 {
+			ns = append(ns, curr)
+		}
+	}
+	if len(ns) == 0 {
+		return returnWithError("this node has no peers advertising a route for %s", ip)
+	}
+
+	// For each possible subnet router, check the status.
+	type nodeRes struct {
+		dn  apitype.SubnetRouteDebugNode
+		err error
+	}
+	nodeResults := make(chan nodeRes, len(ns))
+	grp, grpCtx := errgroup.WithContext(ctx)
+	grp.SetLimit(5)
+	for _, node := range ns {
+		node := node // capture loop variable
+		grp.Go(func() error {
+			var retErr error
+			dn := apitype.SubnetRouteDebugNode{
+				StableID:   node.StableID,
+				Name:       node.Name,
+				AllowedIPs: node.MatchingAllowedIPs,
+			}
+			defer func() {
+				nodeResults <- nodeRes{dn, retErr}
+			}()
+
+			// Check PrimaryRoutes
+			for _, pref := range node.PrimaryRoutes {
+				if pref.Contains(ip) {
+					dn.Primary = append(dn.Primary, pref)
+				}
+			}
+
+			// Check for exit node
+			if tsaddr.ContainsExitRoutes(node.AllowedIPs) {
+				dn.IsExitNode = true
+			}
+
+			// Do online checks after gathering all data that doesn't
+			// require an interaction, so we can 'continue' if the node
+			// isn't online.
+			if node.Online == nil {
+				dn.Online = "unknown"
+				return nil
+			} else if !*node.Online {
+				dn.Online = "false"
+				return nil
+			} else {
+				dn.Online = "true"
+			}
+
+			// Try pinging the node itself
+			// TODO: try all IPs?
+			// TODO: check if we have the right v4/v6 address support
+			candidates := []struct {
+				ty  tailcfg.PingType
+				res **apitype.SubnetRouteDebugPingResponse
+			}{
+				{tailcfg.PingDisco, &dn.DiscoPing},
+				{tailcfg.PingICMP, &dn.ICMPPing},
+			}
+			for _, cand := range candidates {
+				ip := node.Addresses[0].Addr()
+
+				res := &apitype.SubnetRouteDebugPingResponse{
+					IP: ip,
+				}
+				*cand.res = res
+
+				pingRes := make(chan *ipnstate.PingResult, 1)
+				b.e.Ping(ip, cand.ty, func(pr *ipnstate.PingResult) {
+					select {
+					case pingRes <- pr:
+					default:
+					}
+				})
+				select {
+				case pr := <-pingRes:
+					if pr.Err != "" {
+						res.Err = pr.Err
+					} else {
+						res.LatencySeconds = pr.LatencySeconds
+					}
+
+				case <-grpCtx.Done():
+					res.Err = grpCtx.Err().Error()
+					retErr = fmt.Errorf("context canceled while waiting for %s response from %v: %v", cand.ty, ip, grpCtx.Err())
+					return nil
+				}
+			}
+			return nil
+		})
+	}
+	grp.Wait()
+
+resultsLoop:
+	for i := 0; i < len(ns); i++ {
+		select {
+		case res := <-nodeResults:
+			if res.err != nil {
+				out.Errors = append(out.Errors, res.err.Error())
+			}
+			out.Nodes = append(out.Nodes, res.dn)
+
+		// We could have finished before starting all goroutines, so we
+		// need to handle the case where our channel doesn't have all
+		// the responses.
+		default:
+			break resultsLoop
+		}
+	}
+
+	return out, nil
+}
+
 func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
 	ig, ok := b.e.(wgengine.InternalsGetter)
 	if !ok {
@@ -3605,7 +3924,21 @@ func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
 	return mc, nil
 }

-// DoNoiseRequest sends a request to URL over the the control plane
+type noiseRoundTripper struct {
+	*LocalBackend
+}
+
+func (n noiseRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return n.LocalBackend.DoNoiseRequest(req)
+}
+
+// NoiseRoundTripper returns an http.RoundTripper that uses the LocalBackend's
+// DoNoiseRequest method.
+func (b *LocalBackend) NoiseRoundTripper() http.RoundTripper {
+	return noiseRoundTripper{b}
+}
+
+// DoNoiseRequest sends a request to URL over the control plane
 // Noise connection.
 func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	b.mu.Lock()
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -18,7 +18,6 @@ import (

 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
@@ -26,36 +25,83 @@ import (
 	"tailscale.com/types/tkatype"
 )

-var networkLockAvailable = envknob.RegisterBool("TS_EXPERIMENTAL_NETWORK_LOCK")
+// TODO(tom): RPC retry/backoff was broken and has been removed. Fix?
+
+var (
+	errMissingNetmap        = errors.New("missing netmap: verify that you are logged in")
+	errNetworkLockNotActive = errors.New("network-lock is not active")
+)

 type tkaState struct {
 	authority *tka.Authority
 	storage   *tka.FS
 }

-// tkaSyncIfNeededLocked examines TKA info reported from the control plane,
+// tkaFilterNetmapLocked checks the signatures on each node key, dropping
+// nodes from the netmap who's signature does not verify.
+//
+// b.mu must be held.
+func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
+	if !envknob.UseWIPCode() {
+		return // Feature-flag till network-lock is in Alpha.
+	}
+	if b.tka == nil {
+		return // TKA not enabled.
+	}
+
+	toDelete := make(map[int]struct{}, len(nm.Peers))
+	for i, p := range nm.Peers {
+		if len(p.KeySignature) == 0 {
+			b.logf("Network lock is dropping peer %v(%v) due to missing signature", p.ID, p.StableID)
+			toDelete[i] = struct{}{}
+		} else {
+			if err := b.tka.authority.NodeKeyAuthorized(p.Key, p.KeySignature); err != nil {
+				b.logf("Network lock is dropping peer %v(%v) due to failed signature check: %v", p.ID, p.StableID, err)
+				toDelete[i] = struct{}{}
+			}
+		}
+	}
+
+	// nm.Peers is ordered, so deletion must be order-preserving.
+	peers := make([]*tailcfg.Node, 0, len(nm.Peers))
+	for i, p := range nm.Peers {
+		if _, delete := toDelete[i]; !delete {
+			peers = append(peers, p)
+		}
+	}
+	nm.Peers = peers
+}
+
+// tkaSyncIfNeeded examines TKA info reported from the control plane,
 // performing the steps necessary to synchronize local tka state.
 //
 // There are 4 scenarios handled here:
 //   - Enablement: nm.TKAEnabled but b.tka == nil
-//     ∴ reach out to /machine/tka/boostrap to get the genesis AUM, then
+//     ∴ reach out to /machine/tka/bootstrap to get the genesis AUM, then
 //     initialize TKA.
 //   - Disablement: !nm.TKAEnabled but b.tka != nil
-//     ∴ reach out to /machine/tka/boostrap to read the disablement secret,
+//     ∴ reach out to /machine/tka/bootstrap to read the disablement secret,
 //     then verify and clear tka local state.
 //   - Sync needed: b.tka.Head != nm.TKAHead
 //     ∴ complete multi-step synchronization flow.
 //   - Everything up to date: All other cases.
 //     ∴ no action necessary.
 //
-// b.mu must be held. b.mu will be stepped out of (and back in) during network
-// RPCs.
-func (b *LocalBackend) tkaSyncIfNeededLocked(nm *netmap.NetworkMap) error {
-	if !networkLockAvailable() {
+// tkaSyncIfNeeded immediately takes b.takeSyncLock which is held throughout,
+// and may take b.mu as required.
+func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap) error {
+	if !envknob.UseWIPCode() {
 		// If the feature flag is not enabled, pretend we don't exist.
 		return nil
 	}

+	b.tkaSyncLock.Lock() // take tkaSyncLock to make this function an exclusive section.
+	defer b.tkaSyncLock.Unlock()
+	b.mu.Lock() // take mu to protect access to synchronized fields.
+	defer b.mu.Unlock()
+
+	ourNodeKey := b.prefs.Persist.PrivateNodeKey.Public()
+
 	isEnabled := b.tka != nil
 	wantEnabled := nm.TKAEnabled
 	if isEnabled != wantEnabled {
@@ -66,17 +112,16 @@ func (b *LocalBackend) tkaSyncIfNeededLocked(nm *netmap.NetworkMap) error {

 		// Regardless of whether we are moving to disabled or enabled, we
 		// need information from the tka bootstrap endpoint.
-		ourNodeKey := b.prefs.Persist.PrivateNodeKey.Public()
 		b.mu.Unlock()
 		bs, err := b.tkaFetchBootstrap(ourNodeKey, ourHead)
 		b.mu.Lock()
 		if err != nil {
-			return fmt.Errorf("fetching bootstrap: %v", err)
+			return fmt.Errorf("fetching bootstrap: %w", err)
 		}

 		if wantEnabled && !isEnabled {
 			if err := b.tkaBootstrapFromGenesisLocked(bs.GenesisAUM); err != nil {
-				return fmt.Errorf("bootstrap: %v", err)
+				return fmt.Errorf("bootstrap: %w", err)
 			}
 			isEnabled = true
 		} else if !wantEnabled && isEnabled {
@@ -96,7 +141,98 @@ func (b *LocalBackend) tkaSyncIfNeededLocked(nm *netmap.NetworkMap) error {
 	}

 	if isEnabled && b.tka.authority.Head() != nm.TKAHead {
-		// TODO(tom): Implement sync
+		if err := b.tkaSyncLocked(ourNodeKey); err != nil {
+			return fmt.Errorf("tka sync: %w", err)
+		}
+	}
+
+	return nil
+}
+
+func toSyncOffer(head string, ancestors []string) (tka.SyncOffer, error) {
+	var out tka.SyncOffer
+	if err := out.Head.UnmarshalText([]byte(head)); err != nil {
+		return tka.SyncOffer{}, fmt.Errorf("head.UnmarshalText: %v", err)
+	}
+	out.Ancestors = make([]tka.AUMHash, len(ancestors))
+	for i, a := range ancestors {
+		if err := out.Ancestors[i].UnmarshalText([]byte(a)); err != nil {
+			return tka.SyncOffer{}, fmt.Errorf("ancestor[%d].UnmarshalText: %v", i, err)
+		}
+	}
+	return out, nil
+}
+
+// tkaSyncLocked synchronizes TKA state with control. b.mu must be held
+// and tka must be initialized. b.mu will be stepped out of (and back into)
+// during network RPCs.
+//
+// b.mu must be held.
+func (b *LocalBackend) tkaSyncLocked(ourNodeKey key.NodePublic) error {
+	offer, err := b.tka.authority.SyncOffer(b.tka.storage)
+	if err != nil {
+		return fmt.Errorf("offer: %w", err)
+	}
+
+	b.mu.Unlock()
+	offerResp, err := b.tkaDoSyncOffer(ourNodeKey, offer)
+	b.mu.Lock()
+	if err != nil {
+		return fmt.Errorf("offer RPC: %w", err)
+	}
+	controlOffer, err := toSyncOffer(offerResp.Head, offerResp.Ancestors)
+	if err != nil {
+		return fmt.Errorf("control offer: %v", err)
+	}
+
+	if controlOffer.Head == offer.Head {
+		// We are up to date.
+		return nil
+	}
+
+	// Compute missing AUMs before we apply any AUMs from the control-plane,
+	// so we still submit AUMs to control even if they are not part of the
+	// active chain.
+	toSendAUMs, err := b.tka.authority.MissingAUMs(b.tka.storage, controlOffer)
+	if err != nil {
+		return fmt.Errorf("computing missing AUMs: %w", err)
+	}
+
+	// If we got this far, then we are not up to date. Either the control-plane
+	// has updates for us, or we have updates for the control plane.
+	//
+	// TODO(tom): Do we want to keep processing even if the Inform fails? Need
+	// to think through if theres holdback concerns here or not.
+	if len(offerResp.MissingAUMs) > 0 {
+		aums := make([]tka.AUM, len(offerResp.MissingAUMs))
+		for i, a := range offerResp.MissingAUMs {
+			if err := aums[i].Unserialize(a); err != nil {
+				return fmt.Errorf("MissingAUMs[%d]: %v", i, err)
+			}
+		}
+
+		if err := b.tka.authority.Inform(b.tka.storage, aums); err != nil {
+			return fmt.Errorf("inform failed: %v", err)
+		}
+	}
+
+	// NOTE(tom): We could short-circuit here if our HEAD equals the
+	// control-plane's head, but we don't just so control always has a
+	// copy of all forks that clients had.
+
+	b.mu.Unlock()
+	sendResp, err := b.tkaDoSyncSend(ourNodeKey, toSendAUMs, false)
+	b.mu.Lock()
+	if err != nil {
+		return fmt.Errorf("send RPC: %v", err)
+	}
+
+	var remoteHead tka.AUMHash
+	if err := remoteHead.UnmarshalText([]byte(sendResp.Head)); err != nil {
+		return fmt.Errorf("head unmarshal: %v", err)
+	}
+	if remoteHead != b.tka.authority.Head() {
+		b.logf("TKA desync: expected consensus after sync but our head is %v and the control plane's is %v", b.tka.authority.Head(), remoteHead)
 	}

 	return nil
@@ -113,8 +249,8 @@ func (b *LocalBackend) chonkPath() string {
 //
 // b.mu must be held.
 func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM) error {
-	if !b.CanSupportNetworkLock() {
-		return errors.New("network lock not supported in this configuration")
+	if err := b.CanSupportNetworkLock(); err != nil {
+		return err
 	}

 	var genesis tka.AUM
@@ -143,26 +279,34 @@ func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM) err
 	return nil
 }

-// CanSupportNetworkLock returns true if tailscaled is able to operate
+// CanSupportNetworkLock returns nil if tailscaled is able to operate
 // a local tailnet key authority (and hence enforce network lock).
-func (b *LocalBackend) CanSupportNetworkLock() bool {
-	if b.tka != nil {
-		// The TKA is being used, so yeah its supported.
-		return true
+func (b *LocalBackend) CanSupportNetworkLock() error {
+	if !envknob.UseWIPCode() {
+		return errors.New("this feature is not yet complete, a later release may support this functionality")
 	}

-	if b.TailscaleVarRoot() != "" {
-		// Theres a var root (aka --statedir), so if network lock gets
-		// initialized we have somewhere to store our AUMs. Thats all
-		// we need.
-		return true
+	if b.tka != nil {
+		// If the TKA is being used, it is supported.
+		return nil
 	}
-	return false
+
+	if b.TailscaleVarRoot() == "" {
+		return errors.New("network-lock is not supported in this configuration, try setting --statedir")
+	}
+
+	// There's a var root (aka --statedir), so if network lock gets
+	// initialized we have somewhere to store our AUMs. That's all
+	// we need.
+	return nil
 }

 // NetworkLockStatus returns a structure describing the state of the
 // tailnet key authority, if any.
 func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
 	if b.tka == nil {
 		return &ipnstate.NetworkLockStatus{
 			Enabled:   false,
@@ -191,14 +335,8 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 // The Finish RPC submits signatures for all these nodes, at which point
 // Control has everything it needs to atomically enable network lock.
 func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
-	if b.tka != nil {
-		return errors.New("network-lock is already initialized")
-	}
-	if !networkLockAvailable() {
-		return errors.New("this is an experimental feature in your version of tailscale - Please upgrade to the latest to use this.")
-	}
-	if !b.CanSupportNetworkLock() {
-		return errors.New("network-lock is not supported in this configuration. Did you supply a --statedir?")
+	if err := b.CanSupportNetworkLock(); err != nil {
+		return err
 	}

 	var ourNodeKey key.NodePublic
@@ -255,6 +393,87 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	return err
 }

+// Only use is in tests.
+func (b *LocalBackend) NetworkLockVerifySignatureForTest(nks tkatype.MarshaledSignature, nodeKey key.NodePublic) error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.tka == nil {
+		return errNetworkLockNotActive
+	}
+	return b.tka.authority.NodeKeyAuthorized(nodeKey, nks)
+}
+
+// Only use is in tests.
+func (b *LocalBackend) NetworkLockKeyTrustedForTest(keyID tkatype.KeyID) bool {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.tka == nil {
+		panic("network lock not initialized")
+	}
+	return b.tka.authority.KeyTrusted(keyID)
+}
+
+// NetworkLockModify adds and/or removes keys in the tailnet's key authority.
+func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("modify network-lock keys: %w", err)
+		}
+	}()
+
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if err := b.CanSupportNetworkLock(); err != nil {
+		return err
+	}
+	if b.tka == nil {
+		return errNetworkLockNotActive
+	}
+
+	updater := b.tka.authority.NewUpdater(b.nlPrivKey)
+
+	for _, addKey := range addKeys {
+		if err := updater.AddKey(addKey); err != nil {
+			return err
+		}
+	}
+	for _, removeKey := range removeKeys {
+		if err := updater.RemoveKey(removeKey.ID()); err != nil {
+			return err
+		}
+	}
+
+	aums, err := updater.Finalize(b.tka.storage)
+	if err != nil {
+		return err
+	}
+
+	if len(aums) == 0 {
+		return nil
+	}
+
+	ourNodeKey := b.prefs.Persist.PrivateNodeKey.Public()
+	b.mu.Unlock()
+	resp, err := b.tkaDoSyncSend(ourNodeKey, aums, true)
+	b.mu.Lock()
+	if err != nil {
+		return err
+	}
+
+	var controlHead tka.AUMHash
+	if err := controlHead.UnmarshalText([]byte(resp.Head)); err != nil {
+		return err
+	}
+
+	lastHead := aums[len(aums)-1].Hash()
+	if controlHead != lastHead {
+		return errors.New("central tka head differs from submitted AUM, try again")
+	}
+
+	return nil
+}
+
 func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeKeySignature, error) {
 	p, err := nodeInfo.NodePublic.MarshalBinary()
 	if err != nil {
@@ -286,34 +505,27 @@ func (b *LocalBackend) tkaInitBegin(ourNodeKey key.NodePublic, aum tka.AUM) (*ta

 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	bo := backoff.NewBackoff("tka-init-begin", b.logf, 5*time.Second)
-	for {
-		if err := ctx.Err(); err != nil {
-			return nil, fmt.Errorf("ctx: %w", err)
-		}
-		req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/begin", &req)
-		if err != nil {
-			return nil, fmt.Errorf("req: %w", err)
-		}
-		res, err := b.DoNoiseRequest(req)
-		if err != nil {
-			bo.BackOff(ctx, err)
-			continue
-		}
-		if res.StatusCode != 200 {
-			body, _ := io.ReadAll(res.Body)
-			res.Body.Close()
-			return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-		}
-		a := new(tailcfg.TKAInitBeginResponse)
-		err = json.NewDecoder(res.Body).Decode(a)
-		res.Body.Close()
-		if err != nil {
-			return nil, fmt.Errorf("decoding JSON: %w", err)
-		}
-
-		return a, nil
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/begin", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
 	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKAInitBeginResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
 }

 func (b *LocalBackend) tkaInitFinish(ourNodeKey key.NodePublic, nks map[tailcfg.NodeID]tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
@@ -328,34 +540,28 @@ func (b *LocalBackend) tkaInitFinish(ourNodeKey key.NodePublic, nks map[tailcfg.

 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	bo := backoff.NewBackoff("tka-init-finish", b.logf, 5*time.Second)
-	for {
-		if err := ctx.Err(); err != nil {
-			return nil, fmt.Errorf("ctx: %w", err)
-		}
-		req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/finish", &req)
-		if err != nil {
-			return nil, fmt.Errorf("req: %w", err)
-		}
-		res, err := b.DoNoiseRequest(req)
-		if err != nil {
-			bo.BackOff(ctx, err)
-			continue
-		}
-		if res.StatusCode != 200 {
-			body, _ := io.ReadAll(res.Body)
-			res.Body.Close()
-			return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-		}
-		a := new(tailcfg.TKAInitFinishResponse)
-		err = json.NewDecoder(res.Body).Decode(a)
-		res.Body.Close()
-		if err != nil {
-			return nil, fmt.Errorf("decoding JSON: %w", err)
-		}

-		return a, nil
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/finish", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
 	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKAInitFinishResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
 }

 // tkaFetchBootstrap sends a /machine/tka/bootstrap RPC to the control plane
@@ -405,3 +611,107 @@ func (b *LocalBackend) tkaFetchBootstrap(ourNodeKey key.NodePublic, head tka.AUM

 	return a, nil
 }
+
+func fromSyncOffer(offer tka.SyncOffer) (head string, ancestors []string, err error) {
+	headBytes, err := offer.Head.MarshalText()
+	if err != nil {
+		return "", nil, fmt.Errorf("head.MarshalText: %v", err)
+	}
+
+	ancestors = make([]string, len(offer.Ancestors))
+	for i, ancestor := range offer.Ancestors {
+		hash, err := ancestor.MarshalText()
+		if err != nil {
+			return "", nil, fmt.Errorf("ancestor[%d].MarshalText: %v", i, err)
+		}
+		ancestors[i] = string(hash)
+	}
+	return string(headBytes), ancestors, nil
+}
+
+// tkaDoSyncOffer sends a /machine/tka/sync/offer RPC to the control plane
+// over noise. This is the first of two RPCs implementing tka synchronization.
+func (b *LocalBackend) tkaDoSyncOffer(ourNodeKey key.NodePublic, offer tka.SyncOffer) (*tailcfg.TKASyncOfferResponse, error) {
+	head, ancestors, err := fromSyncOffer(offer)
+	if err != nil {
+		return nil, fmt.Errorf("encoding offer: %v", err)
+	}
+	syncReq := tailcfg.TKASyncOfferRequest{
+		Version:   tailcfg.CurrentCapabilityVersion,
+		NodeKey:   ourNodeKey,
+		Head:      head,
+		Ancestors: ancestors,
+	}
+
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(syncReq); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/sync/offer", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
+	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKASyncOfferResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
+}
+
+// tkaDoSyncSend sends a /machine/tka/sync/send RPC to the control plane
+// over noise. This is the second of two RPCs implementing tka synchronization.
+func (b *LocalBackend) tkaDoSyncSend(ourNodeKey key.NodePublic, aums []tka.AUM, interactive bool) (*tailcfg.TKASyncSendResponse, error) {
+	sendReq := tailcfg.TKASyncSendRequest{
+		Version:     tailcfg.CurrentCapabilityVersion,
+		NodeKey:     ourNodeKey,
+		MissingAUMs: make([]tkatype.MarshaledAUM, len(aums)),
+		Interactive: interactive,
+	}
+	for i, a := range aums {
+		sendReq.MissingAUMs[i] = a.Serialize()
+	}
+
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(sendReq); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/sync/send", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
+	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKASyncSendResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
+}
--- a/ipn/ipnlocal/network-lock_test.go
+++ b/ipn/ipnlocal/network-lock_test.go
@@ -15,7 +15,9 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/google/go-cmp/cmp"
 	"tailscale.com/control/controlclient"
+	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
@@ -23,6 +25,7 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
+	"tailscale.com/types/tkatype"
 )

 func fakeControlClient(t *testing.T, c *http.Client) *controlclient.Auto {
@@ -49,8 +52,6 @@ func fakeControlClient(t *testing.T, c *http.Client) *controlclient.Auto {
 	return cc
 }

-// NOTE: URLs must have a https scheme and example.com domain to work with the underlying
-// httptest plumbing, despite the domain being unused in the actual noise request transport.
 func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server, *http.Client) {
 	ts := httptest.NewUnstartedServer(handler)
 	ts.StartTLS()
@@ -63,7 +64,7 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server,
 }

 func TestTKAEnablementFlow(t *testing.T) {
-	networkLockAvailable = func() bool { return true } // Enable the feature flag
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
 	nodePriv := key.NewNode()

 	// Make a fake TKA authority, getting a usable genesis AUM which
@@ -104,6 +105,9 @@ func TestTKAEnablementFlow(t *testing.T) {
 				t.Fatal(err)
 			}

+		case "/machine/tka/sync/offer", "/machine/tka/sync/send":
+			t.Error("node attempted to sync, but should have been up to date")
+
 		default:
 			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
 			w.WriteHeader(404)
@@ -123,12 +127,10 @@ func TestTKAEnablementFlow(t *testing.T) {
 		},
 	}

-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+	err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
 		TKAEnabled: true,
-		TKAHead:    tka.AUMHash{},
+		TKAHead:    a1.Head(),
 	})
-	b.mu.Unlock()
 	if err != nil {
 		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
 	}
@@ -141,7 +143,7 @@ func TestTKAEnablementFlow(t *testing.T) {
 }

 func TestTKADisablementFlow(t *testing.T) {
-	networkLockAvailable = func() bool { return true } // Enable the feature flag
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
 	temp := t.TempDir()
 	os.Mkdir(filepath.Join(temp, "tka"), 0755)
 	nodePriv := key.NewNode()
@@ -224,12 +226,10 @@ func TestTKADisablementFlow(t *testing.T) {

 	// Test that the wrong disablement secret does not shut down the authority.
 	returnWrongSecret = true
-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+	err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
 		TKAEnabled: false,
 		TKAHead:    authority.Head(),
 	})
-	b.mu.Unlock()
 	if err != nil {
 		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
 	}
@@ -239,12 +239,10 @@ func TestTKADisablementFlow(t *testing.T) {

 	// Test the correct disablement secret shuts down the authority.
 	returnWrongSecret = false
-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+	err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
 		TKAEnabled: false,
 		TKAHead:    authority.Head(),
 	})
-	b.mu.Unlock()
 	if err != nil {
 		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
 	}
@@ -256,3 +254,285 @@ func TestTKADisablementFlow(t *testing.T) {
 		t.Errorf("os.Stat(chonkDir) = %v, want ErrNotExist", err)
 	}
 }
+
+func TestTKASync(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+
+	someKeyPriv := key.NewNLPrivate()
+	someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}
+
+	type tkaSyncScenario struct {
+		name string
+		// controlAUMs is called (if non-nil) to get any AUMs which the tka state
+		// on control should be seeded with.
+		controlAUMs func(*testing.T, *tka.Authority, tka.Chonk, tka.Signer) []tka.AUM
+		// controlAUMs is called (if non-nil) to get any AUMs which the tka state
+		// on the node should be seeded with.
+		nodeAUMs func(*testing.T, *tka.Authority, tka.Chonk, tka.Signer) []tka.AUM
+	}
+
+	tcs := []tkaSyncScenario{
+		{name: "up to date"},
+		{
+			name: "control has an update",
+			controlAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
+				b := a.NewUpdater(signer)
+				if err := b.RemoveKey(someKey.ID()); err != nil {
+					t.Fatal(err)
+				}
+				aums, err := b.Finalize(storage)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return aums
+			},
+		},
+		{
+			// AKA 'control data loss' scenario
+			name: "node has an update",
+			nodeAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
+				b := a.NewUpdater(signer)
+				if err := b.RemoveKey(someKey.ID()); err != nil {
+					t.Fatal(err)
+				}
+				aums, err := b.Finalize(storage)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return aums
+			},
+		},
+		{
+			// AKA 'control data loss + update in the meantime' scenario
+			name: "node and control diverge",
+			controlAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
+				b := a.NewUpdater(signer)
+				if err := b.SetKeyMeta(someKey.ID(), map[string]string{"ye": "swiggity"}); err != nil {
+					t.Fatal(err)
+				}
+				aums, err := b.Finalize(storage)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return aums
+			},
+			nodeAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
+				b := a.NewUpdater(signer)
+				if err := b.SetKeyMeta(someKey.ID(), map[string]string{"ye": "swooty"}); err != nil {
+					t.Fatal(err)
+				}
+				aums, err := b.Finalize(storage)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return aums
+			},
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			temp := t.TempDir()
+			os.Mkdir(filepath.Join(temp, "tka"), 0755)
+			nodePriv := key.NewNode()
+			nlPriv := key.NewNLPrivate()
+
+			// Setup the tka authority on the control plane.
+			key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
+			controlStorage := &tka.Mem{}
+			controlAuthority, bootstrap, err := tka.Create(controlStorage, tka.State{
+				Keys:               []tka.Key{key, someKey},
+				DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
+			}, nlPriv)
+			if err != nil {
+				t.Fatalf("tka.Create() failed: %v", err)
+			}
+			if tc.controlAUMs != nil {
+				if err := controlAuthority.Inform(controlStorage, tc.controlAUMs(t, controlAuthority, controlStorage, nlPriv)); err != nil {
+					t.Fatalf("controlAuthority.Inform() failed: %v", err)
+				}
+			}
+
+			// Setup the TKA authority on the node.
+			nodeStorage, err := tka.ChonkDir(filepath.Join(temp, "tka"))
+			if err != nil {
+				t.Fatal(err)
+			}
+			nodeAuthority, err := tka.Bootstrap(nodeStorage, bootstrap)
+			if err != nil {
+				t.Fatalf("tka.Bootstrap() failed: %v", err)
+			}
+			if tc.nodeAUMs != nil {
+				if err := nodeAuthority.Inform(nodeStorage, tc.nodeAUMs(t, nodeAuthority, nodeStorage, nlPriv)); err != nil {
+					t.Fatalf("nodeAuthority.Inform() failed: %v", err)
+				}
+			}
+
+			// Make a mock control server.
+			ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				defer r.Body.Close()
+				switch r.URL.Path {
+				case "/machine/tka/sync/offer":
+					body := new(tailcfg.TKASyncOfferRequest)
+					if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+						t.Fatal(err)
+					}
+					t.Logf("got sync offer:\n%+v", body)
+					nodeOffer, err := toSyncOffer(body.Head, body.Ancestors)
+					if err != nil {
+						t.Fatal(err)
+					}
+					controlOffer, err := controlAuthority.SyncOffer(controlStorage)
+					if err != nil {
+						t.Fatal(err)
+					}
+					sendAUMs, err := controlAuthority.MissingAUMs(controlStorage, nodeOffer)
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					head, ancestors, err := fromSyncOffer(controlOffer)
+					if err != nil {
+						t.Fatal(err)
+					}
+					resp := tailcfg.TKASyncOfferResponse{
+						Head:        head,
+						Ancestors:   ancestors,
+						MissingAUMs: make([]tkatype.MarshaledAUM, len(sendAUMs)),
+					}
+					for i, a := range sendAUMs {
+						resp.MissingAUMs[i] = a.Serialize()
+					}
+
+					t.Logf("responding to sync offer with:\n%+v", resp)
+					w.WriteHeader(200)
+					if err := json.NewEncoder(w).Encode(resp); err != nil {
+						t.Fatal(err)
+					}
+
+				case "/machine/tka/sync/send":
+					body := new(tailcfg.TKASyncSendRequest)
+					if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+						t.Fatal(err)
+					}
+					t.Logf("got sync send:\n%+v", body)
+					toApply := make([]tka.AUM, len(body.MissingAUMs))
+					for i, a := range body.MissingAUMs {
+						if err := toApply[i].Unserialize(a); err != nil {
+							t.Fatalf("decoding missingAUM[%d]: %v", i, err)
+						}
+					}
+
+					if len(toApply) > 0 {
+						if err := controlAuthority.Inform(controlStorage, toApply); err != nil {
+							t.Fatalf("control.Inform(%+v) failed: %v", toApply, err)
+						}
+					}
+					head, err := controlAuthority.Head().MarshalText()
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					w.WriteHeader(200)
+					if err := json.NewEncoder(w).Encode(tailcfg.TKASyncSendResponse{Head: string(head)}); err != nil {
+						t.Fatal(err)
+					}
+
+				default:
+					t.Errorf("unhandled endpoint path: %v", r.URL.Path)
+					w.WriteHeader(404)
+				}
+			}))
+			defer ts.Close()
+
+			// Setup the client.
+			cc := fakeControlClient(t, client)
+			b := LocalBackend{
+				varRoot: temp,
+				cc:      cc,
+				ccAuto:  cc,
+				logf:    t.Logf,
+				tka: &tkaState{
+					authority: nodeAuthority,
+					storage:   nodeStorage,
+				},
+				prefs: &ipn.Prefs{
+					Persist: &persist.Persist{PrivateNodeKey: nodePriv},
+				},
+			}
+
+			// Finally, lets trigger a sync.
+			err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
+				TKAEnabled: true,
+				TKAHead:    controlAuthority.Head(),
+			})
+			if err != nil {
+				t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
+			}
+
+			// Check that at the end of this ordeal, the node and the control
+			// plane are in sync.
+			if nodeHead, controlHead := b.tka.authority.Head(), controlAuthority.Head(); nodeHead != controlHead {
+				t.Errorf("node head = %v, want %v", nodeHead, controlHead)
+			}
+		})
+	}
+}
+
+func TestTKAFilterNetmap(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+
+	nlPriv := key.NewNLPrivate()
+	nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
+	storage := &tka.Mem{}
+	authority, _, err := tka.Create(storage, tka.State{
+		Keys:               []tka.Key{nlKey},
+		DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
+	}, nlPriv)
+	if err != nil {
+		t.Fatalf("tka.Create() failed: %v", err)
+	}
+
+	n1, n2, n3, n4, n5 := key.NewNode(), key.NewNode(), key.NewNode(), key.NewNode(), key.NewNode()
+	n1GoodSig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n1.Public()}, nlPriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	n4Sig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n4.Public()}, nlPriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	n4Sig.Signature[3] = 42 // mess up the signature
+	n4Sig.Signature[4] = 42 // mess up the signature
+	n5GoodSig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n5.Public()}, nlPriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	nm := netmap.NetworkMap{
+		Peers: []*tailcfg.Node{
+			{ID: 1, Key: n1.Public(), KeySignature: n1GoodSig.Serialize()},
+			{ID: 2, Key: n2.Public(), KeySignature: nil},                   // missing sig
+			{ID: 3, Key: n3.Public(), KeySignature: n1GoodSig.Serialize()}, // someone elses sig
+			{ID: 4, Key: n4.Public(), KeySignature: n4Sig.Serialize()},     // messed-up signature
+			{ID: 5, Key: n5.Public(), KeySignature: n5GoodSig.Serialize()},
+		},
+	}
+
+	b := &LocalBackend{
+		logf: t.Logf,
+		tka:  &tkaState{authority: authority},
+	}
+	b.tkaFilterNetmapLocked(&nm)
+
+	want := []*tailcfg.Node{
+		{ID: 1, Key: n1.Public(), KeySignature: n1GoodSig.Serialize()},
+		{ID: 5, Key: n5.Public(), KeySignature: n5GoodSig.Serialize()},
+	}
+	nodePubComparer := cmp.Comparer(func(x, y key.NodePublic) bool {
+		return x.Raw32() == y.Raw32()
+	})
+	if diff := cmp.Diff(nm.Peers, want, nodePubComparer); diff != "" {
+		t.Errorf("filtered netmap differs (-want, +got):\n%s", diff)
+	}
+}
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -79,7 +79,7 @@ type peerAPIServer struct {
 }

 const (
-	// partialSuffix is the suffix appened to files while they're
+	// partialSuffix is the suffix appended to files while they're
 	// still in the process of being transferred.
 	partialSuffix = ".partial"

@@ -1184,7 +1184,7 @@ func newFakePeerAPIListener(ip netip.Addr) net.Listener {
 // even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
 // or we lack permission to listen on a port. It's okay to not actually listen via
 // the kernel because on almost all platforms (except iOS as of 2022-04-20) we
-// also intercept netstack TCP requests in to our peerapi port and hand it over
+// also intercept incoming netstack TCP requests to our peerapi port and hand them over
 // directly to peerapi, without involving the kernel. So this doesn't need to be
 // real. But the port number we return (1, in this case) is the port number we advertise
 // to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's
--- a/ipn/ipnlocal/peerapi_test.go
+++ b/ipn/ipnlocal/peerapi_test.go
@@ -109,7 +109,7 @@ func TestHandlePeerAPI(t *testing.T) {
 	tests := []struct {
 		name       string
 		isSelf     bool // the peer sending the request is owned by us
-		capSharing bool // self node has file sharing capabilty
+		capSharing bool // self node has file sharing capability
 		omitRoot   bool // don't configure
 		req        *http.Request
 		checks     []check
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -57,7 +57,7 @@ import (

 // Options is the configuration of the Tailscale node agent.
 type Options struct {
-	// VarRoot is the the Tailscale daemon's private writable
+	// VarRoot is the Tailscale daemon's private writable
 	// directory (usually "/var/lib/tailscale" on Linux) that
 	// contains the "tailscaled.state" file, the "certs" directory
 	// for TLS certs, and the "files" directory for incoming
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -26,6 +26,8 @@ import (

 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
+	"tailscale.com/health"
+	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnstate"
@@ -35,9 +37,50 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/mak"
+	"tailscale.com/util/strs"
 	"tailscale.com/version"
 )

+type localAPIHandler func(*Handler, http.ResponseWriter, *http.Request)
+
+// handler is the set of LocalAPI handlers, keyed by the part of the
+// Request.URL.Path after "/localapi/v0/". If the key ends with a trailing slash
+// then it's a prefix match.
+var handler = map[string]localAPIHandler{
+	// The prefix match handlers end with a slash:
+	"cert/":     (*Handler).serveCert,
+	"file-put/": (*Handler).serveFilePut,
+	"files/":    (*Handler).serveFiles,
+
+	// The other /localapi/v0/NAME handlers are exact matches and contain only NAME
+	// without a trailing slash:
+	"bugreport":               (*Handler).serveBugReport,
+	"check-ip-forwarding":     (*Handler).serveCheckIPForwarding,
+	"check-prefs":             (*Handler).serveCheckPrefs,
+	"component-debug-logging": (*Handler).serveComponentDebugLogging,
+	"debug":                   (*Handler).serveDebug,
+	"debug-subnet-route":      (*Handler).serveDebugSubnetRoute,
+	"derpmap":                 (*Handler).serveDERPMap,
+	"dial":                    (*Handler).serveDial,
+	"file-targets":            (*Handler).serveFileTargets,
+	"goroutines":              (*Handler).serveGoroutines,
+	"id-token":                (*Handler).serveIDToken,
+	"login-interactive":       (*Handler).serveLoginInteractive,
+	"logout":                  (*Handler).serveLogout,
+	"metrics":                 (*Handler).serveMetrics,
+	"ping":                    (*Handler).servePing,
+	"prefs":                   (*Handler).servePrefs,
+	"profile":                 (*Handler).serveProfile,
+	"set-dns":                 (*Handler).serveSetDNS,
+	"set-expiry-sooner":       (*Handler).serveSetExpirySooner,
+	"status":                  (*Handler).serveStatus,
+	"tka/init":                (*Handler).serveTKAInit,
+	"tka/modify":              (*Handler).serveTKAModify,
+	"tka/status":              (*Handler).serveTKAStatus,
+	"upload-client-metrics":   (*Handler).serveUploadClientMetrics,
+	"whois":                   (*Handler).serveWhoIs,
+}
+
 func randHex(n int) string {
 	b := make([]byte, n)
 	rand.Read(b)
@@ -99,68 +142,45 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/files/") {
-		h.serveFiles(w, r)
-		return
+	if fn, ok := handlerForPath(r.URL.Path); ok {
+		fn(h, w, r)
+	} else {
+		http.NotFound(w, r)
 	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/file-put/") {
-		h.serveFilePut(w, r)
-		return
+}
+
+// handlerForPath returns the LocalAPI handler for the provided Request.URI.Path.
+// (the path doesn't include any query parameters)
+func handlerForPath(urlPath string) (h localAPIHandler, ok bool) {
+	if urlPath == "/" {
+		return (*Handler).serveLocalAPIRoot, true
 	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/cert/") {
-		h.serveCert(w, r)
-		return
+	suff, ok := strs.CutPrefix(urlPath, "/localapi/v0/")
+	if !ok {
+		// Currently all LocalAPI methods start with "/localapi/v0/" to signal
+		// to people that they're not necessarily stable APIs. In practice we'll
+		// probably need to keep them pretty stable anyway, but for now treat
+		// them as an internal implementation detail.
+		return nil, false
 	}
-	switch r.URL.Path {
-	case "/localapi/v0/whois":
-		h.serveWhoIs(w, r)
-	case "/localapi/v0/goroutines":
-		h.serveGoroutines(w, r)
-	case "/localapi/v0/profile":
-		h.serveProfile(w, r)
-	case "/localapi/v0/status":
-		h.serveStatus(w, r)
-	case "/localapi/v0/logout":
-		h.serveLogout(w, r)
-	case "/localapi/v0/login-interactive":
-		h.serveLoginInteractive(w, r)
-	case "/localapi/v0/prefs":
-		h.servePrefs(w, r)
-	case "/localapi/v0/ping":
-		h.servePing(w, r)
-	case "/localapi/v0/check-prefs":
-		h.serveCheckPrefs(w, r)
-	case "/localapi/v0/check-ip-forwarding":
-		h.serveCheckIPForwarding(w, r)
-	case "/localapi/v0/bugreport":
-		h.serveBugReport(w, r)
-	case "/localapi/v0/file-targets":
-		h.serveFileTargets(w, r)
-	case "/localapi/v0/set-dns":
-		h.serveSetDNS(w, r)
-	case "/localapi/v0/derpmap":
-		h.serveDERPMap(w, r)
-	case "/localapi/v0/metrics":
-		h.serveMetrics(w, r)
-	case "/localapi/v0/debug":
-		h.serveDebug(w, r)
-	case "/localapi/v0/set-expiry-sooner":
-		h.serveSetExpirySooner(w, r)
-	case "/localapi/v0/dial":
-		h.serveDial(w, r)
-	case "/localapi/v0/id-token":
-		h.serveIDToken(w, r)
-	case "/localapi/v0/upload-client-metrics":
-		h.serveUploadClientMetrics(w, r)
-	case "/localapi/v0/tka/status":
-		h.serveTkaStatus(w, r)
-	case "/localapi/v0/tka/init":
-		h.serveTkaInit(w, r)
-	case "/":
-		io.WriteString(w, "tailscaled\n")
-	default:
-		http.Error(w, "404 not found", 404)
+	if fn, ok := handler[suff]; ok {
+		// Here we match exact handler suffixes like "status" or ones with a
+		// slash already in their name, like "tka/status".
+		return fn, true
 	}
+	// Otherwise, it might be a prefix match like "files/*" which we look up
+	// by the prefix including first trailing slash.
+	if i := strings.IndexByte(suff, '/'); i != -1 {
+		suff = suff[:i+1]
+		if fn, ok := handler[suff]; ok {
+			return fn, true
+		}
+	}
+	return nil, false
+}
+
+func (*Handler) serveLocalAPIRoot(w http.ResponseWriter, r *http.Request) {
+	io.WriteString(w, "tailscaled\n")
 }

 // serveIDToken handles requests to get an OIDC ID token.
@@ -213,19 +233,81 @@ func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	logMarker := fmt.Sprintf("BUG-%v-%v-%v", h.backendLogID, time.Now().UTC().Format("20060102150405Z"), randHex(8))
-	if envknob.NoLogsNoSupport() {
-		logMarker = "BUG-NO-LOGS-NO-SUPPORT-this-node-has-had-its-logging-disabled"
+	logMarker := func() string {
+		return fmt.Sprintf("BUG-%v-%v-%v", h.backendLogID, time.Now().UTC().Format("20060102150405Z"), randHex(8))
 	}
-	h.logf("user bugreport: %s", logMarker)
-	if note := r.FormValue("note"); len(note) > 0 {
+	if envknob.NoLogsNoSupport() {
+		logMarker = func() string { return "BUG-NO-LOGS-NO-SUPPORT-this-node-has-had-its-logging-disabled" }
+	}
+
+	startMarker := logMarker()
+	h.logf("user bugreport: %s", startMarker)
+	if note := r.URL.Query().Get("note"); len(note) > 0 {
 		h.logf("user bugreport note: %s", note)
 	}
-	if defBool(r.FormValue("diagnose"), false) {
+	hi, _ := json.Marshal(hostinfo.New())
+	h.logf("user bugreport hostinfo: %s", hi)
+	if err := health.OverallError(); err != nil {
+		h.logf("user bugreport health: %s", err.Error())
+	} else {
+		h.logf("user bugreport health: ok")
+	}
+	if defBool(r.URL.Query().Get("diagnose"), false) {
 		h.b.Doctor(r.Context(), logger.WithPrefix(h.logf, "diag: "))
 	}
 	w.Header().Set("Content-Type", "text/plain")
-	fmt.Fprintln(w, logMarker)
+	fmt.Fprintln(w, startMarker)
+
+	// Nothing else to do if we're not in record mode; we wrote the marker
+	// above, so we can just finish our response now.
+	if !defBool(r.URL.Query().Get("record"), false) {
+		return
+	}
+
+	until := time.Now().Add(12 * time.Hour)
+
+	var changed map[string]bool
+	for _, component := range []string{"magicsock"} {
+		if h.b.GetComponentDebugLogging(component).IsZero() {
+			if err := h.b.SetComponentDebugLogging(component, until); err != nil {
+				h.logf("bugreport: error setting component %q logging: %v", component, err)
+				continue
+			}
+
+			mak.Set(&changed, component, true)
+		}
+	}
+	defer func() {
+		for component := range changed {
+			h.b.SetComponentDebugLogging(component, time.Time{})
+		}
+	}()
+
+	// NOTE(andrew): if we have anything else we want to do while recording
+	// a bugreport, we can add it here.
+
+	// Read from the client; this will also return when the client closes
+	// the connection.
+	var buf [1]byte
+	_, err := r.Body.Read(buf[:])
+
+	switch {
+	case err == nil:
+		// good
+	case errors.Is(err, io.EOF):
+		// good
+	case errors.Is(err, io.ErrUnexpectedEOF):
+		// this happens when Ctrl-C'ing the tailscale client; don't
+		// bother logging an error
+	default:
+		// Log but continue anyway.
+		h.logf("user bugreport: error reading body: %v", err)
+	}
+
+	// Generate another log marker and return it to the client.
+	endMarker := logMarker()
+	h.logf("user bugreport end: %s", endMarker)
+	fmt.Fprintln(w, endMarker)
 }

 func (h *Handler) serveWhoIs(w http.ResponseWriter, r *http.Request) {
@@ -318,6 +400,44 @@ func (h *Handler) serveDebug(w http.ResponseWriter, r *http.Request) {
 	io.WriteString(w, "done\n")
 }

+func (h *Handler) serveComponentDebugLogging(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug access denied", http.StatusForbidden)
+		return
+	}
+	component := r.FormValue("component")
+	secs, _ := strconv.Atoi(r.FormValue("secs"))
+	err := h.b.SetComponentDebugLogging(component, time.Now().Add(time.Duration(secs)*time.Second))
+	var res struct {
+		Error string
+	}
+	if err != nil {
+		res.Error = err.Error()
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(res)
+}
+
+func (h *Handler) serveDebugSubnetRoute(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug access denied", http.StatusForbidden)
+		return
+	}
+	addr := r.FormValue("addr")
+	res, err := h.b.DebugSubnetRoute(r.Context(), addr)
+	w.Header().Set("Content-Type", "application/json")
+	if err != nil {
+		json.NewEncoder(w).Encode(struct {
+			Errors []string
+		}{
+			Errors: []string{err.Error()},
+		})
+		return
+	}
+
+	json.NewEncoder(w).Encode(res)
+}
+
 // serveProfileFunc is the implementation of Handler.serveProfile, after auth,
 // for platforms where we want to link it in.
 var serveProfileFunc func(http.ResponseWriter, *http.Request)
@@ -803,13 +923,13 @@ func (h *Handler) serveUploadClientMetrics(w http.ResponseWriter, r *http.Reques
 	json.NewEncoder(w).Encode(struct{}{})
 }

-func (h *Handler) serveTkaStatus(w http.ResponseWriter, r *http.Request) {
+func (h *Handler) serveTKAStatus(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "lock status access denied", http.StatusForbidden)
 		return
 	}
 	if r.Method != http.MethodGet {
-		http.Error(w, "use Get", http.StatusMethodNotAllowed)
+		http.Error(w, "use GET", http.StatusMethodNotAllowed)
 		return
 	}

@@ -822,7 +942,7 @@ func (h *Handler) serveTkaStatus(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }

-func (h *Handler) serveTkaInit(w http.ResponseWriter, r *http.Request) {
+func (h *Handler) serveTKAInit(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "lock init access denied", http.StatusForbidden)
 		return
@@ -855,6 +975,40 @@ func (h *Handler) serveTkaInit(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }

+func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != http.MethodPost {
+		http.Error(w, "use POST", http.StatusMethodNotAllowed)
+		return
+	}
+
+	type modifyRequest struct {
+		AddKeys    []tka.Key
+		RemoveKeys []tka.Key
+	}
+	var req modifyRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "invalid JSON body", 400)
+		return
+	}
+
+	if err := h.b.NetworkLockModify(req.AddKeys, req.RemoveKeys); err != nil {
+		http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	j, err := json.MarshalIndent(h.b.NetworkLockStatus(), "", "\t")
+	if err != nil {
+		http.Error(w, "JSON encoding error", 500)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.Write(j)
+}
+
 func defBool(a string, def bool) bool {
 	if a == "" {
 		return def
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -6,12 +6,8 @@ package ipn

 import (
 	"bytes"
-	"context"
-	"encoding/json"
 	"testing"
-	"time"

-	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
 )

@@ -61,133 +57,6 @@ func TestReadWrite(t *testing.T) {
 	}
 }

-func TestClientServer(t *testing.T) {
-	tstest.PanicOnLog()
-	tstest.ResourceCheck(t)
-
-	b := &FakeBackend{}
-	var bs *BackendServer
-	var bc *BackendClient
-	serverToClientCh := make(chan []byte, 16)
-	defer close(serverToClientCh)
-	go func() {
-		for b := range serverToClientCh {
-			bc.GotNotifyMsg(b)
-		}
-	}()
-	serverToClient := func(n Notify) {
-		b, err := json.Marshal(n)
-		if err != nil {
-			panic(err.Error())
-		}
-		serverToClientCh <- append([]byte{}, b...)
-	}
-	clientToServer := func(b []byte) {
-		bs.GotCommandMsg(context.TODO(), b)
-	}
-	slogf := func(fmt string, args ...any) {
-		t.Logf("s: "+fmt, args...)
-	}
-	clogf := func(fmt string, args ...any) {
-		t.Logf("c: "+fmt, args...)
-	}
-	bs = NewBackendServer(slogf, b, serverToClient)
-	// Verify that this doesn't break bs's callback:
-	NewBackendServer(slogf, b, nil)
-	bc = NewBackendClient(clogf, clientToServer)
-
-	ch := make(chan Notify, 256)
-	notify := func(n Notify) { ch <- n }
-	h, err := NewHandle(bc, clogf, notify, Options{
-		Prefs: &Prefs{
-			ControlURL: "http://example.com/fake",
-		},
-	})
-	if err != nil {
-		t.Fatalf("NewHandle error: %v\n", err)
-	}
-
-	notes := Notify{}
-	nn := []Notify{}
-	processNote := func(n Notify) {
-		nn = append(nn, n)
-		if n.State != nil {
-			t.Logf("state change: %v", *n.State)
-			notes.State = n.State
-		}
-		if n.Prefs != nil {
-			notes.Prefs = n.Prefs
-		}
-		if n.NetMap != nil {
-			notes.NetMap = n.NetMap
-		}
-		if n.Engine != nil {
-			notes.Engine = n.Engine
-		}
-		if n.BrowseToURL != nil {
-			notes.BrowseToURL = n.BrowseToURL
-		}
-	}
-	notesState := func() State {
-		if notes.State != nil {
-			return *notes.State
-		}
-		return NoState
-	}
-
-	flushUntil := func(wantFlush State) {
-		t.Helper()
-		timer := time.NewTimer(1 * time.Second)
-	loop:
-		for {
-			select {
-			case n := <-ch:
-				processNote(n)
-				if notesState() == wantFlush {
-					break loop
-				}
-			case <-timer.C:
-				t.Fatalf("timeout waiting for state %v, got %v", wantFlush, notes.State)
-			}
-		}
-		timer.Stop()
-	loop2:
-		for {
-			select {
-			case n := <-ch:
-				processNote(n)
-			default:
-				break loop2
-			}
-		}
-		if got, want := h.State(), notesState(); got != want {
-			t.Errorf("h.State()=%v, notes.State=%v (on flush until %v)\n", got, want, wantFlush)
-		}
-	}
-
-	flushUntil(NeedsLogin)
-
-	h.StartLoginInteractive()
-	flushUntil(Running)
-	if notes.NetMap == nil && h.NetMap() != nil {
-		t.Errorf("notes.NetMap == nil while h.NetMap != nil\nnotes:\n%v", nn)
-	}
-
-	h.UpdatePrefs(func(p *Prefs) {
-		p.WantRunning = false
-	})
-	flushUntil(Stopped)
-
-	h.Logout()
-	flushUntil(NeedsLogin)
-
-	h.Login(&tailcfg.Oauth2Token{
-		AccessToken: "google_id_token",
-		TokenType:   GoogleIDTokenType,
-	})
-	flushUntil(Running)
-}
-
 func TestNilBackend(t *testing.T) {
 	var called *Notify
 	bs := NewBackendServer(t.Logf, nil, func(n Notify) {
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -470,7 +470,7 @@ func TestLoadPrefsNotExist(t *testing.T) {
 	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
 }

-// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs hanldes corrupted input files.
+// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs handles corrupted input files.
 // See issue #954 for details.
 func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
 	f, err := os.CreateTemp("", "TestLoadPrefsFileWithZeroInIt")
--- a/ipn/store.go
+++ b/ipn/store.go
@@ -6,6 +6,8 @@ package ipn

 import (
 	"errors"
+	"fmt"
+	"strconv"
 )

 // ErrStateNotExist is returned by StateStore.ReadState when the
@@ -35,7 +37,7 @@ const (
 	// StateKey "user-1234".
 	ServerModeStartKey = StateKey("server-mode-start-key")

-	// NLKeyStateKey is the key under which we store the nodes'
+	// NLKeyStateKey is the key under which we store the node's
 	// network-lock node key, in its key.NLPrivate.MarshalText representation.
 	NLKeyStateKey = StateKey("_nl-node-key")
 )
@@ -48,3 +50,17 @@ type StateStore interface {
 	// WriteState saves bs as the state associated with ID.
 	WriteState(id StateKey, bs []byte) error
 }
+
+// ReadStoreInt reads an integer from a StateStore.
+func ReadStoreInt(store StateStore, id StateKey) (int64, error) {
+	v, err := store.ReadState(id)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.ParseInt(string(v), 10, 64)
+}
+
+// PutStoreInt puts an integer into a StateStore.
+func PutStoreInt(store StateStore, id StateKey, val int64) error {
+	return store.WriteState(id, fmt.Appendf(nil, "%d", val))
+}
--- a/kube/client.go
+++ b/kube/client.go
@@ -100,7 +100,9 @@ func (c *Client) secretURL(name string) string {
 }

 func getError(resp *http.Response) error {
-	if resp.StatusCode == 200 {
+	if resp.StatusCode == 200 || resp.StatusCode == 201 {
+		// These are the only success codes returned by the Kubernetes API.
+		// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#http-status-codes
 		return nil
 	}
 	st := &Status{}
--- a/licenses/android.md
+++ b/licenses/android.md
@@ -38,7 +38,7 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/2ffa11beee90/LICENSE))
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tailscale/tailscale-android](https://pkg.go.dev/github.com/tailscale/tailscale-android) ([BSD-3-Clause](https://github.com/tailscale/tailscale-android/blob/HEAD/LICENSE))
@@ -55,9 +55,9 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
 - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/807a2327:shiny/LICENSE))
 - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/a66eb644:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -20,14 +20,16 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/1ca156eafb9f/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/v1.0.0/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
- - [github.com/klauspost/compress/flate](https://pkg.go.dev/github.com/klauspost/compress/flate) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.5/LICENSE))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.5/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.5/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.15.5/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
 - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.2.0/LICENSE.md))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.6.0/LICENSE.md))
 - [github.com/mdlayher/sdnotify](https://pkg.go.dev/github.com/mdlayher/sdnotify) ([MIT](https://github.com/mdlayher/sdnotify/blob/v1.0.0/LICENSE.md))
 - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/2ffa11beee90/LICENSE))
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
@@ -39,9 +41,10 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
 - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=b51010ba13f0))
@@ -54,3 +57,4 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [Inter Typeface](https://rsms.me/inter/) ([OFL-1.1](https://github.com/rsms/inter/blob/v3.19/LICENSE.txt))
 - [Sparkle](https://sparkle-project.org/) ([MIT](https://github.com/sparkle-project/Sparkle/blob/2.x/LICENSE))
 - [wireguard-apple](https://git.zx2c4.com/wireguard-apple) ([MIT](https://git.zx2c4.com/wireguard-apple/tree/COPYING))
+ - Code from [keybase/client](https://github.com/keybase/client) ([BSD-3-Clause](https://github.com/keybase/client/blob/master/LICENSE))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -58,7 +58,7 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/pkg/sftp](https://pkg.go.dev/github.com/pkg/sftp) ([BSD-2-Clause](https://github.com/pkg/sftp/blob/v1.13.4/LICENSE))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
 - [github.com/tailscale/certstore](https://pkg.go.dev/github.com/tailscale/certstore) ([MIT](https://github.com/tailscale/certstore/blob/78d6e1c49d8d/LICENSE.md))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/2ffa11beee90/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
 - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
@@ -71,9 +71,9 @@ Some packages may only be included on certain architectures or operating systems
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/eb4f295c:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -31,9 +31,9 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
 - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -70,11 +70,24 @@ func getLogTarget() string {
 	return getLogTargetOnce.v
 }

+// LogURL is the base URL for the configured logtail server, or the default.
+// It is guaranteed to not terminate with any forward slashes.
+func LogURL() string {
+	if v := getLogTarget(); v != "" {
+		return strings.TrimRight(v, "/")
+	}
+	return "https://" + logtail.DefaultHost
+}
+
 // LogHost returns the hostname only (without port) of the configured
 // logtail server, or the default.
+//
+// Deprecated: Use LogURL instead.
 func LogHost() string {
 	if v := getLogTarget(); v != "" {
-		return v
+		if u, err := url.Parse(v); err == nil {
+			return u.Hostname()
+		}
 	}
 	return logtail.DefaultHost
 }
@@ -596,7 +609,7 @@ func NewWithConfigPath(collection, dir, cmdName string) *Policy {
 		}
 	}

-	log.SetFlags(0) // other logflags are set on console, not here
+	log.SetFlags(0) // other log flags are set on console, not here
 	log.SetOutput(logOutput)

 	log.Printf("Program starting: v%v, Go %v: %#v",
--- a/logpolicy/logpolicy_test.go
+++ b/logpolicy/logpolicy_test.go
@@ -0,0 +1,37 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package logpolicy
+
+import (
+	"os"
+	"reflect"
+	"testing"
+)
+
+func TestLogHost(t *testing.T) {
+	v := reflect.ValueOf(&getLogTargetOnce).Elem()
+	reset := func() {
+		v.Set(reflect.Zero(v.Type()))
+	}
+	defer reset()
+
+	tests := []struct {
+		env  string
+		want string
+	}{
+		{"", "log.tailscale.io"},
+		{"http://foo.com", "foo.com"},
+		{"https://foo.com", "foo.com"},
+		{"https://foo.com/", "foo.com"},
+		{"https://foo.com:123/", "foo.com"},
+	}
+	for _, tt := range tests {
+		reset()
+		os.Setenv("TS_LOG_TARGET", tt.env)
+		if got := LogHost(); got != tt.want {
+			t.Errorf("for env %q, got %q, want %q", tt.env, got, tt.want)
+		}
+	}
+}
--- a/logtail/id.go
+++ b/logtail/id.go
@@ -34,7 +34,7 @@ func NewPrivateID() (id PrivateID, err error) {
 func (id PrivateID) MarshalText() ([]byte, error) {
 	b := make([]byte, hex.EncodedLen(len(id)))
 	if i := hex.Encode(b, id[:]); i != len(b) {
-		return nil, fmt.Errorf("logtail.PrivateID.MarhsalText: i=%d", i)
+		return nil, fmt.Errorf("logtail.PrivateID.MarshalText: i=%d", i)
 	}
 	return b, nil
 }
@@ -122,7 +122,7 @@ func MustParsePublicID(s string) PublicID {
 func (id PublicID) MarshalText() ([]byte, error) {
 	b := make([]byte, hex.EncodedLen(len(id)))
 	if i := hex.Encode(b, id[:]); i != len(b) {
-		return nil, fmt.Errorf("logtail.PublicID.MarhsalText: i=%d", i)
+		return nil, fmt.Errorf("logtail.PublicID.MarshalText: i=%d", i)
 	}
 	return b, nil
 }
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -13,6 +13,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"os"
 	"strconv"
@@ -21,6 +22,7 @@ import (
 	"sync/atomic"
 	"time"

+	"tailscale.com/envknob"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/interfaces"
 	tslogger "tailscale.com/types/logger"
@@ -31,6 +33,8 @@ import (
 // Config.BaseURL isn't provided.
 const DefaultHost = "log.tailscale.io"

+const defaultFlushDelay = 2 * time.Second
+
 const (
 	// CollectionNode is the name of a logtail Config.Collection
 	// for tailscaled (or equivalent: IPNExtension, Android app).
@@ -44,12 +48,13 @@ type Encoder interface {

 type Config struct {
 	Collection     string           // collection name, a domain name
-	PrivateID      PrivateID        // machine-specific private identifier
+	PrivateID      PrivateID        // private ID for the primary log stream
+	CopyPrivateID  PrivateID        // private ID for a log stream that is a superset of this log stream
 	BaseURL        string           // if empty defaults to "https://log.tailscale.io"
 	HTTPC          *http.Client     // if empty defaults to http.DefaultClient
 	SkipClientTime bool             // if true, client_time is not written to logs
 	LowMemory      bool             // if true, logtail minimizes memory use
-	TimeNow        func() time.Time // if set, subsitutes uses of time.Now
+	TimeNow        func() time.Time // if set, substitutes uses of time.Now
 	Stderr         io.Writer        // if set, logs are sent here instead of os.Stderr
 	StderrLevel    int              // max verbosity level to write to stderr; 0 means the non-verbose messages only
 	Buffer         Buffer           // temp storage, if nil a MemoryBuffer
@@ -61,9 +66,13 @@ type Config struct {
 	// that's safe to embed in a JSON string literal without further escaping.
 	MetricsDelta func() string

-	// DrainLogs, if non-nil, disables automatic uploading of new logs,
-	// so that logs are only uploaded when a token is sent to DrainLogs.
-	DrainLogs <-chan struct{}
+	// FlushDelay is how long to wait to accumulate logs before
+	// uploading them.
+	//
+	// If zero, a default value is used. (currently 2 seconds)
+	//
+	// Negative means to upload immediately.
+	FlushDelay time.Duration

 	// IncludeProcID, if true, results in an ephemeral process identifier being
 	// included in logs. The ID is random and not guaranteed to be globally
@@ -73,7 +82,7 @@ type Config struct {

 	// IncludeProcSequence, if true, results in an ephemeral sequence number
 	// being included in the logs. The sequence number is incremented for each
-	// log message sent, but is not peristed across process restarts.
+	// log message sent, but is not persisted across process restarts.
 	IncludeProcSequence bool
 }

@@ -108,22 +117,35 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 			procID = 7
 		}
 	}
+	if s := envknob.String("TS_DEBUG_LOGTAIL_FLUSHDELAY"); s != "" {
+		var err error
+		cfg.FlushDelay, err = time.ParseDuration(s)
+		if err != nil {
+			log.Fatalf("invalid TS_DEBUG_LOGTAIL_FLUSHDELAY: %v", err)
+		}
+	} else if cfg.FlushDelay == 0 && !envknob.Bool("IN_TS_TEST") {
+		cfg.FlushDelay = defaultFlushDelay
+	}

 	stdLogf := func(f string, a ...any) {
 		fmt.Fprintf(cfg.Stderr, strings.TrimSuffix(f, "\n")+"\n", a...)
 	}
+	var urlSuffix string
+	if !cfg.CopyPrivateID.IsZero() {
+		urlSuffix = "?copyId=" + cfg.CopyPrivateID.String()
+	}
 	l := &Logger{
 		privateID:      cfg.PrivateID,
 		stderr:         cfg.Stderr,
 		stderrLevel:    int64(cfg.StderrLevel),
 		httpc:          cfg.HTTPC,
-		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
+		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String() + urlSuffix,
 		lowMem:         cfg.LowMemory,
 		buffer:         cfg.Buffer,
 		skipClientTime: cfg.SkipClientTime,
-		sent:           make(chan struct{}, 1),
+		drainWake:      make(chan struct{}, 1),
 		sentinel:       make(chan int32, 16),
-		drainLogs:      cfg.DrainLogs,
+		flushDelay:     cfg.FlushDelay,
 		timeNow:        cfg.TimeNow,
 		bo:             backoff.NewBackoff("logtail", stdLogf, 30*time.Second),
 		metricsDelta:   cfg.MetricsDelta,
@@ -157,8 +179,9 @@ type Logger struct {
 	skipClientTime bool
 	linkMonitor    *monitor.Mon
 	buffer         Buffer
-	sent           chan struct{}   // signal to speed up drain
-	drainLogs      <-chan struct{} // if non-nil, external signal to attempt a drain
+	drainWake      chan struct{} // signal to speed up drain
+	flushDelay     time.Duration // negative or zero to upload agressively, or >0 to batch at this delay
+	flushPending   atomic.Bool
 	sentinel       chan int32
 	timeNow        func() time.Time
 	bo             *backoff.Backoff
@@ -167,12 +190,14 @@ type Logger struct {
 	explainedRaw   bool
 	metricsDelta   func() string // or nil
 	privateID      PrivateID
+	httpDoCalls    atomic.Int32

 	procID              uint32
 	includeProcSequence bool

-	writeLock    sync.Mutex // guards increments of procSequence
+	writeLock    sync.Mutex // guards procSequence, flushTimer, buffer.Write calls
 	procSequence uint64
+	flushTimer   *time.Timer // used when flushDelay is >0

 	shutdownStart chan struct{} // closed when shutdown begins
 	shutdownDone  chan struct{} // closed when shutdown complete
@@ -236,24 +261,16 @@ func (l *Logger) Close() {

 // drainBlock is called by drainPending when there are no logs to drain.
 //
-// In typical operation, every call to the Write method unblocks and triggers
-// a buffer.TryReadline, so logs are written with very low latency.
+// In typical operation, every call to the Write method unblocks and triggers a
+// buffer.TryReadline, so logs are written with very low latency.
 //
-// If the caller provides a DrainLogs channel, then unblock-drain-on-Write
-// is disabled, and it is up to the caller to trigger unblock the drain.
+// If the caller specified FlushInterface, drainWake is only sent to
+// periodically.
 func (l *Logger) drainBlock() (shuttingDown bool) {
-	if l.drainLogs == nil {
-		select {
-		case <-l.shutdownStart:
-			return true
-		case <-l.sent:
-		}
-	} else {
-		select {
-		case <-l.shutdownStart:
-			return true
-		case <-l.drainLogs:
-		}
+	select {
+	case <-l.shutdownStart:
+		return true
+	case <-l.drainWake:
 	}
 	return false
 }
@@ -421,6 +438,7 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded
 		compressedNote = "compressed"
 	}

+	l.httpDoCalls.Add(1)
 	resp, err := l.httpc.Do(req)
 	if err != nil {
 		return false, fmt.Errorf("log upload of %d bytes %s failed: %v", len(body), compressedNote, err)
@@ -458,16 +476,40 @@ func Disable() {
 	logtailDisabled.Store(true)
 }

+var debugWakesAndUploads = envknob.RegisterBool("TS_DEBUG_LOGTAIL_WAKES")
+
+// tryDrainWake tries to send to lg.drainWake, to cause an uploading wakeup.
+// It does not block.
+func (l *Logger) tryDrainWake() {
+	l.flushPending.Store(false)
+	if debugWakesAndUploads() {
+		// Using println instead of log.Printf here to avoid recursing back into
+		// ourselves.
+		println("logtail: try drain wake, numHTTP:", l.httpDoCalls.Load())
+	}
+	select {
+	case l.drainWake <- struct{}{}:
+	default:
+	}
+}
+
 func (l *Logger) sendLocked(jsonBlob []byte) (int, error) {
 	if logtailDisabled.Load() {
 		return len(jsonBlob), nil
 	}
+
 	n, err := l.buffer.Write(jsonBlob)
-	if l.drainLogs == nil {
-		select {
-		case l.sent <- struct{}{}:
-		default:
+
+	if l.flushDelay > 0 {
+		if l.flushPending.CompareAndSwap(false, true) {
+			if l.flushTimer == nil {
+				l.flushTimer = time.AfterFunc(l.flushDelay, l.tryDrainWake)
+			} else {
+				l.flushTimer.Reset(l.flushDelay)
+			}
 		}
+	} else {
+		l.tryDrainWake()
 	}
 	return n, err
 }
@@ -519,7 +561,7 @@ func (l *Logger) encodeText(buf []byte, skipClientTime bool, procID uint32, proc
 		b = append(b, `"logtail": {`...)
 		if !skipClientTime {
 			b = append(b, `"client_time": "`...)
-			b = now.AppendFormat(b, time.RFC3339Nano)
+			b = now.UTC().AppendFormat(b, time.RFC3339Nano)
 			b = append(b, `",`...)
 		}
 		if procID != 0 {
@@ -612,7 +654,7 @@ func (l *Logger) encodeLocked(buf []byte, level int) []byte {
 	if !l.skipClientTime || l.procID != 0 || l.procSequence != 0 {
 		logtail := map[string]any{}
 		if !l.skipClientTime {
-			logtail["client_time"] = now.Format(time.RFC3339Nano)
+			logtail["client_time"] = now.UTC().Format(time.RFC3339Nano)
 		}
 		if l.procID != 0 {
 			logtail["proc_id"] = l.procID
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -265,22 +265,40 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	rcfg.Routes = routes
 	ocfg.Nameservers = []netip.Addr{cfg.serviceIP()}

-	if m.os.SupportsSplitDNS() {
-		ocfg.MatchDomains = cfg.matchDomains()
-	} else {
+	var baseCfg *OSConfig // base config; non-nil if/when known
+
+	// Even though Apple devices can do split DNS, they don't provide a way to
+	// selectively answer ExtraRecords, and ignore other DNS traffic. As a
+	// workaround, we read the existing default resolver configuration and use
+	// that as the forwarder for all DNS traffic that quad-100 doesn't handle.
+	const isApple = runtime.GOOS == "darwin" || runtime.GOOS == "ios"
+
+	if isApple || !m.os.SupportsSplitDNS() {
 		// If the OS can't do native split-dns, read out the underlying
 		// resolver config and blend it into our config.
-		bcfg, err := m.os.GetBaseConfig()
-		if err != nil {
+		cfg, err := m.os.GetBaseConfig()
+		if err == nil {
+			baseCfg = &cfg
+		} else if isApple && err == ErrGetBaseConfigNotSupported {
+			// This is currently (2022-10-13) expected on certain iOS and macOS
+			// builds.
+		} else {
 			health.SetDNSOSHealth(err)
 			return resolver.Config{}, OSConfig{}, err
 		}
+	}
+
+	if baseCfg == nil || isApple && len(baseCfg.Nameservers) == 0 {
+		// If there was no base config, or if we're on Apple and the base
+		// config is empty, then we need to fallback to SplitDNS mode.
+		ocfg.MatchDomains = cfg.matchDomains()
+	} else {
 		var defaultRoutes []*dnstype.Resolver
-		for _, ip := range bcfg.Nameservers {
+		for _, ip := range baseCfg.Nameservers {
 			defaultRoutes = append(defaultRoutes, &dnstype.Resolver{Addr: ip.String()})
 		}
 		rcfg.Routes["."] = defaultRoutes
-		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
+		ocfg.SearchDomains = append(ocfg.SearchDomains, baseCfg.SearchDomains...)
 	}

 	return rcfg, ocfg, nil
@@ -381,7 +399,7 @@ func (m *Manager) NextPacket() ([]byte, error) {
 	return buf, nil
 }

-// Query executes a DNS query recieved from the given address. The query is
+// Query executes a DNS query received from the given address. The query is
 // provided in bs as a wire-encoded DNS query without any transport header.
 // This method is called for requests arriving over UDP and TCP.
 func (m *Manager) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]byte, error) {
@@ -540,7 +558,7 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 		logf("creating dns cleanup: %v", err)
 		return
 	}
-	dns := NewManager(logf, oscfg, nil, new(tsdial.Dialer), nil)
+	dns := NewManager(logf, oscfg, nil, &tsdial.Dialer{Logf: logf}, nil)
 	if err := dns.Down(); err != nil {
 		logf("dns down: %v", err)
 	}
--- a/net/dns/manager_linux.go
+++ b/net/dns/manager_linux.go
@@ -31,6 +31,7 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 	env := newOSConfigEnv{
 		fs:                directFS{},
 		dbusPing:          dbusPing,
+		dbusReadString:    dbusReadString,
 		nmIsUsingResolved: nmIsUsingResolved,
 		nmVersionBetween:  nmVersionBetween,
 		resolvconfStyle:   resolvconfStyle,
@@ -60,6 +61,7 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 type newOSConfigEnv struct {
 	fs                        wholeFileFS
 	dbusPing                  func(string, string) error
+	dbusReadString            func(string, string, string, string) (string, error)
 	nmIsUsingResolved         func() error
 	nmVersionBetween          func(v1, v2 string) (safe bool, err error)
 	resolvconfStyle           func() string
@@ -78,6 +80,25 @@ func dnsMode(logf logger.Logf, env newOSConfigEnv) (ret string, err error) {
 		logf("dns: %v", debug)
 	}()

+	// In all cases that we detect systemd-resolved, try asking it what it
+	// thinks the current resolv.conf mode is so we can add it to our logs.
+	defer func() {
+		if ret != "systemd-resolved" {
+			return
+		}
+
+		// Try to ask systemd-resolved what it thinks the current
+		// status of resolv.conf is. This is documented at:
+		//    https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html
+		mode, err := env.dbusReadString("org.freedesktop.resolve1", "/org/freedesktop/resolve1", "org.freedesktop.resolve1.Manager", "ResolvConfMode")
+		if err != nil {
+			logf("dns: ResolvConfMode error: %v", err)
+			dbg("resolv-conf-mode", "error")
+		} else {
+			dbg("resolv-conf-mode", mode)
+		}
+	}()
+
 	// Before we read /etc/resolv.conf (which might be in a broken
 	// or symlink-dangling state), try to ping the D-Bus service
 	// for systemd-resolved. If it's active on the machine, this
@@ -102,6 +123,7 @@ func dnsMode(logf logger.Logf, env newOSConfigEnv) (ret string, err error) {
 	switch resolvOwner(bs) {
 	case "systemd-resolved":
 		dbg("rc", "resolved")
+
 		// Some systems, for reasons known only to them, have a
 		// resolv.conf that has the word "systemd-resolved" in its
 		// header, but doesn't actually point to resolved. We mustn't
@@ -327,3 +349,29 @@ func dbusPing(name, objectPath string) error {
 	call := obj.CallWithContext(ctx, "org.freedesktop.DBus.Peer.Ping", 0)
 	return call.Err
 }
+
+// dbusReadString reads a string property from the provided name and object
+// path. property must be in "interface.member" notation.
+func dbusReadString(name, objectPath, iface, member string) (string, error) {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		// DBus probably not running.
+		return "", err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+
+	obj := conn.Object(name, dbus.ObjectPath(objectPath))
+
+	var result dbus.Variant
+	err = obj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, iface, member).Store(&result)
+	if err != nil {
+		return "", err
+	}
+
+	if s, ok := result.Value().(string); ok {
+		return s, nil
+	}
+	return result.String(), nil
+}
--- a/net/dns/manager_linux_test.go
+++ b/net/dns/manager_linux_test.go
@@ -71,7 +71,7 @@ func TestLinuxDNSMode(t *testing.T) {
 		{
 			name:    "resolved_alone_without_ping",
 			env:     env(resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53")),
-			wantLog: "dns: [rc=resolved nm=no ret=systemd-resolved]",
+			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=resolved nm=no resolv-conf-mode=error ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -79,7 +79,7 @@ func TestLinuxDNSMode(t *testing.T) {
 			env: env(
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -88,7 +88,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning(),
 				nmRunning("1.2.3", false)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -106,7 +106,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning(),
 				nmRunning("1.27.0", true)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=yes nm-safe=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -115,7 +115,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning(),
 				nmRunning("1.22.0", true)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=yes nm-safe=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		// Regression tests for extreme corner cases below.
@@ -141,7 +141,7 @@ func TestLinuxDNSMode(t *testing.T) {
 					"nameserver 127.0.0.53",
 					"nameserver 127.0.0.53"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -156,7 +156,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"# run \"systemd-resolve --status\" to see details about the actual nameservers.",
 				"nameserver 127.0.0.53"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -171,7 +171,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"# 127.0.0.53 is the systemd-resolved stub resolver.",
 				"# run \"systemd-resolve --status\" to see details about the actual nameservers.",
 				"nameserver 127.0.0.53")),
-			wantLog: "dns: [rc=resolved nm=no ret=systemd-resolved]",
+			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=resolved nm=no resolv-conf-mode=error ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -183,7 +183,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"options edns0 trust-ad"),
 				resolvedRunning(),
 				nmRunning("1.32.12", true)),
-			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm-safe=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -194,7 +194,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"nameserver 127.0.0.53",
 				"options edns0 trust-ad"),
 				nmRunning("1.32.12", true)),
-			wantLog: "dns: [rc=nm nm-resolved=yes nm-safe=no ret=systemd-resolved]",
+			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=nm nm-resolved=yes nm-safe=no resolv-conf-mode=error ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -217,7 +217,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"nameserver 127.0.0.53",
 				"options edns0 trust-ad"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -228,7 +228,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"search lan",
 				"nameserver 127.0.0.53"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -236,8 +236,9 @@ func TestLinuxDNSMode(t *testing.T) {
 			// before we read its file.
 			env: env(resolvedStartOnPingAndThen(
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
+				resolvedDbusProperty(),
 			)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 	}
@@ -306,9 +307,16 @@ type dbusService struct {
 	hook       func() // if non-nil, run on ping
 }

+type dbusProperty struct {
+	name, path    string
+	iface, member string
+	hook          func() (string, error) // what to return
+}
+
 type envBuilder struct {
 	fs              memFS
 	dbus            []dbusService
+	dbusProperties  []dbusProperty
 	nmUsingResolved bool
 	nmVersion       string
 	resolvconfStyle string
@@ -345,6 +353,14 @@ func env(opts ...envOption) newOSConfigEnv {
 			}
 			return errors.New("dbus service not found")
 		},
+		dbusReadString: func(name, path, iface, member string) (string, error) {
+			for _, svc := range b.dbusProperties {
+				if svc.name == name && svc.path == path && svc.iface == iface && svc.member == member {
+					return svc.hook()
+				}
+			}
+			return "", errors.New("dbus property not found")
+		},
 		nmIsUsingResolved: func() error {
 			if !b.nmUsingResolved {
 				return errors.New("networkmanager not using resolved")
@@ -365,9 +381,16 @@ func resolvDotConf(ss ...string) envOption {
 	})
 }

-// resolvedRunning returns an option that makes resolved reply to a dbusPing.
+// resolvedRunning returns an option that makes resolved reply to a dbusPing
+// and the ResolvConfMode property.
 func resolvedRunning() envOption {
-	return resolvedStartOnPingAndThen( /* nothing */ )
+	return resolvedStartOnPingAndThen(resolvedDbusProperty())
+}
+
+// resolvedDbusProperty returns an option that responds to the ResolvConfMode
+// property that resolved exposes.
+func resolvedDbusProperty() envOption {
+	return setDbusProperty("org.freedesktop.resolve1", "/org/freedesktop/resolve1", "org.freedesktop.resolve1.Manager", "ResolvConfMode", "fortests")
 }

 // resolvedStartOnPingAndThen returns an option that makes resolved be
@@ -400,3 +423,17 @@ func resolvconf(s string) envOption {
 		b.resolvconfStyle = s
 	})
 }
+
+func setDbusProperty(name, path, iface, member, value string) envOption {
+	return envOpt(func(b *envBuilder) {
+		b.dbusProperties = append(b.dbusProperties, dbusProperty{
+			name:   name,
+			path:   path,
+			iface:  iface,
+			member: member,
+			hook: func() (string, error) {
+				return value, nil
+			},
+		})
+	})
+}
--- a/net/dns/manager_windows_test.go
+++ b/net/dns/manager_windows_test.go
@@ -274,7 +274,7 @@ func runTest(t *testing.T, isLocal bool) {
 	runCase := func(n int) {
 		t.Logf("Test case: %d domains\n", n)
 		if !isLocal {
-			// When !isLocal, we want to check that a GP notification occured for
+			// When !isLocal, we want to check that a GP notification occurred for
 			// every single test case.
 			trk, err = newGPNotificationTracker()
 			if err != nil {
--- a/net/dns/nm.go
+++ b/net/dns/nm.go
@@ -302,7 +302,7 @@ func (m *nmManager) GetBaseConfig() (OSConfig, error) {
 	for _, cfg := range cfgs {
 		if name, ok := cfg["interface"]; ok {
 			if s, ok := name.Value().(string); ok && s == m.interfaceName {
-				// Config for the taislcale interface, skip.
+				// Config for the tailscale interface, skip.
 				continue
 			}
 		}
--- a/net/dns/nrpt_windows.go
+++ b/net/dns/nrpt_windows.go
@@ -58,7 +58,7 @@ var (

 const _RP_FORCE = 1 // Flag for RefreshPolicyEx

-// nrptRuleDatabase ensapsulates access to the Windows Name Resolution Policy
+// nrptRuleDatabase encapsulates access to the Windows Name Resolution Policy
 // Table (NRPT).
 type nrptRuleDatabase struct {
 	logf               logger.Logf
--- a/net/dns/publicdns/publicdns.go
+++ b/net/dns/publicdns/publicdns.go
@@ -37,15 +37,15 @@ func DoHEndpointFromIP(ip netip.Addr) (dohBase string, dohOnly bool, ok bool) {
 	}

 	// NextDNS DoH URLs are of the form "https://dns.nextdns.io/c3a884"
-	// where the path component is the lower 8 bytes of the IPv6 address
+	// where the path component is the lower 12 bytes of the IPv6 address
 	// in lowercase hex without any zero padding.
 	if nextDNSv6RangeA.Contains(ip) || nextDNSv6RangeB.Contains(ip) {
 		a := ip.As16()
 		var sb strings.Builder
 		const base = "https://dns.nextdns.io/"
-		sb.Grow(len(base) + 8)
+		sb.Grow(len(base) + 12)
 		sb.WriteString(base)
-		for _, b := range bytes.TrimLeft(a[8:], "\x00") {
+		for _, b := range bytes.TrimLeft(a[4:], "\x00") {
 			fmt.Fprintf(&sb, "%02x", b)
 		}
 		return sb.String(), true, true
@@ -100,7 +100,7 @@ func DoHIPsOfBase(dohBase string) []netip.Addr {
 		// conventional for them and not required (it'll already be in the DoH path).
 		// (Really we shouldn't use either IPv4 or IPv6 anycast for DoH once we
 		// resolve "dns.nextdns.io".)
-		if b, err := hex.DecodeString(hexStr); err == nil && len(b) <= 8 && len(b) > 0 {
+		if b, err := hex.DecodeString(hexStr); err == nil && len(b) <= 12 && len(b) > 0 {
 			return []netip.Addr{
 				nextDNSv4One,
 				nextDNSv4Two,
@@ -215,7 +215,7 @@ var (
 // nextDNSv6Gen generates a NextDNS IPv6 address from the upper 8 bytes in the
 // provided ip and using id as the lowest 0-8 bytes.
 func nextDNSv6Gen(ip netip.Addr, id []byte) netip.Addr {
-	if len(id) > 8 {
+	if len(id) > 12 {
 		return netip.Addr{}
 	}
 	a := ip.As16()
--- a/net/dns/publicdns/publicdns_test.go
+++ b/net/dns/publicdns/publicdns_test.go
@@ -86,6 +86,19 @@ func TestDoHIPsOfBase(t *testing.T) {
 				"2a07:a8c1::c3:a884",
 			),
 		},
+		{
+			base: "https://dns.nextdns.io/112233445566778899aabbcc",
+			want: ips(
+				"45.90.28.0",
+				"45.90.30.0",
+				"2a07:a8c0:1122:3344:5566:7788:99aa:bbcc",
+				"2a07:a8c1:1122:3344:5566:7788:99aa:bbcc",
+			),
+		},
+		{
+			base: "https://dns.nextdns.io/112233445566778899aabbccdd",
+			want: ips(), // nothing; profile length is over 12 bytes
+		},
 		{
 			base: "https://dns.nextdns.io/c3a884/with/more/stuff",
 			want: ips(
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -180,7 +180,7 @@ type resolverAndDelay struct {
 type forwarder struct {
 	logf    logger.Logf
 	linkMon *monitor.Mon
-	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absords it
+	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absorbs it
 	dialer  *tsdial.Dialer
 	dohSem  chan struct{}

@@ -502,7 +502,7 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		// Only known DoH providers are supported currently. Specifically, we
 		// only support DoH providers where we can TCP connect to them on port
 		// 443 at the same IP address they serve normal UDP DNS from (1.1.1.1,
-		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custon DoH providers
+		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custom DoH providers
 		// aren't currently supported. There's no backup DNS resolution path for
 		// them.
 		urlBase := rr.name.Addr
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -609,7 +609,7 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netip.Addr,
 		metricDNSResolveLocalOKAll.Add(1)
 		return addrs[0], dns.RCodeSuccess

-	// Leave some some record types explicitly unimplemented.
+	// Leave some record types explicitly unimplemented.
 	// These types relate to recursive resolution or special
 	// DNS semantics and might be implemented in the future.
 	case dns.TypeNS, dns.TypeSOA, dns.TypeAXFR, dns.TypeHINFO:
--- a/net/dnscache/messagecache.go
+++ b/net/dnscache/messagecache.go
@@ -99,7 +99,7 @@ type msgResource struct {
 }

 // ErrCacheMiss is a sentinel error returned by MessageCache.ReplyFromCache
-// when the request can not be satisified from cache.
+// when the request can not be satisfied from cache.
 var ErrCacheMiss = errors.New("cache miss")

 var parserPool = &sync.Pool{
@@ -264,7 +264,7 @@ func asciiLowerName(n dnsmessage.Name) dnsmessage.Name {
 }

 // packDNSResponse builds a DNS response for the given question and
-// transaction ID. The response resource records will have have the
+// transaction ID. The response resource records will have the
 // same provided TTL.
 func packDNSResponse(q msgQ, txID uint16, ttl uint32, answers []msgResource) ([]byte, error) {
 	var baseMem []byte // TODO: guess a max size based on looping over answers?
--- a/net/flowtrack/flowtrack.go
+++ b/net/flowtrack/flowtrack.go
@@ -20,9 +20,9 @@ import (

 // Tuple is a 5-tuple of proto, source and destination IP and port.
 type Tuple struct {
-	Proto ipproto.Proto
-	Src   netip.AddrPort
-	Dst   netip.AddrPort
+	Proto ipproto.Proto  `json:"proto"`
+	Src   netip.AddrPort `json:"src"`
+	Dst   netip.AddrPort `json:"dst"`
 }

 func (t Tuple) String() string {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .31.0
 .33.0