WIP tailpipe

Updates #nnn

Change-Id: I719479e4cd58c487b4d987ab563689caacce1549
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

.github/workflows/cifuzz.yml

@@ -2,7 +2,7 @@ name: CIFuzz
 on: [pull_request]
 
 concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:

chirp/chirp.go

@@ -24,11 +24,17 @@ func New(socket string) (*BIRDClient, error) {
 	return newWithTimeout(socket, responseTimeout)
 }
 
-func newWithTimeout(socket string, timeout time.Duration) (*BIRDClient, error) {
+func newWithTimeout(socket string, timeout time.Duration) (_ *BIRDClient, err error) {
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
+	defer func() {
+		if err != nil {
+			conn.Close()
+		}
+	}()
+
 	b := &BIRDClient{
 		socket:  socket,
 		conn:    conn,

chirp/chirp_test.go

@@ -106,10 +106,10 @@ func TestChirp(t *testing.T) {
 		t.Fatal(err)
 	}
 	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeded", "rando")
+		t.Fatalf("enabling %q succeeded", "rando")
 	}
 	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeded", "rando")
+		t.Fatalf("disabling %q succeeded", "rando")
 	}
 }
 

client/tailscale/acl.go

@@ -459,7 +459,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
+		return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
 	}
 
 	// The test ran without fail

client/tailscale/localclient.go

@@ -19,6 +19,7 @@ import (
 	"net/http"
 	"net/http/httptrace"
 	"net/netip"
+	"net/textproto"
 	"net/url"
 	"os/exec"
 	"runtime"
@@ -267,15 +268,47 @@ func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) (
 	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
 }
 
-// BugReport logs and returns a log marker that can be shared by the user with support.
-func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
+// BugReportOpts contains options to pass to the Tailscale daemon when
+// generating a bug report.
+type BugReportOpts struct {
+	// Note contains an optional user-provided note to add to the logs.
+	Note string
+
+	// Diagnose specifies whether to print additional diagnostic information to
+	// the logs when generating this bugreport.
+	Diagnose bool
+}
+
+// BugReportWithOpts logs and returns a log marker that can be shared by the
+// user with support.
+//
+// The opts type specifies options to pass to the Tailscale daemon when
+// generating this bug report.
+func (lc *LocalClient) BugReportWithOpts(ctx context.Context, opts BugReportOpts) (string, error) {
+	var qparams url.Values
+	if opts.Note != "" {
+		qparams.Set("note", opts.Note)
+	}
+	if opts.Diagnose {
+		qparams.Set("diagnose", "true")
+	}
+
+	uri := fmt.Sprintf("/localapi/v0/bugreport?%s", qparams.Encode())
+	body, err := lc.send(ctx, "POST", uri, 200, nil)
 	if err != nil {
 		return "", err
 	}
 	return strings.TrimSpace(string(body)), nil
 }
 
+// BugReport logs and returns a log marker that can be shared by the user with support.
+//
+// This is the same as calling BugReportWithOpts and only specifying the Note
+// field.
+func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
+	return lc.BugReportWithOpts(ctx, BugReportOpts{Note: note})
+}
+
 // DebugAction invokes a debug action, such as "rebind" or "restun".
 // These are development tools and subject to change or removal over time.
 func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
@@ -286,6 +319,28 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }
 
+// SetComponentDebugLogging sets component's debug logging enabled for
+// the provided duration. If the duration is in the past, the debug logging
+// is disabled.
+func (lc *LocalClient) SetComponentDebugLogging(ctx context.Context, component string, d time.Duration) error {
+	body, err := lc.send(ctx, "POST",
+		fmt.Sprintf("/localapi/v0/component-debug-logging?component=%s&secs=%d",
+			url.QueryEscape(component), int64(d.Seconds())), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	var res struct {
+		Error string
+	}
+	if err := json.Unmarshal(body, &res); err != nil {
+		return err
+	}
+	if res.Error != "" {
+		return errors.New(res.Error)
+	}
+	return nil
+}
+
 // Status returns the Tailscale daemon's status.
 func Status(ctx context.Context) (*ipnstate.Status, error) {
 	return defaultLocalClient.Status(ctx)
@@ -504,6 +559,15 @@ func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
 //
 // The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
 func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
+	return lc.dialViaLocalAPI(ctx, host, fmt.Sprint(port))
+}
+
+// DialTCPNamedPort is like DialTCP but takes a named port rather than an integer.
+func (lc *LocalClient) DialTCPNamedPort(ctx context.Context, host, portName string) (net.Conn, error) {
+	return lc.dialViaLocalAPI(ctx, host, portName)
+}
+
+func (lc *LocalClient) dialViaLocalAPI(ctx context.Context, host, port string) (net.Conn, error) {
 	connCh := make(chan net.Conn, 1)
 	trace := httptrace.ClientTrace{
 		GotConn: func(info httptrace.GotConnInfo) {
@@ -519,7 +583,7 @@ func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (n
 		"Upgrade":    []string{"ts-dial"},
 		"Connection": []string{"upgrade"},
 		"Dial-Host":  []string{host},
-		"Dial-Port":  []string{fmt.Sprint(port)},
+		"Dial-Port":  []string{port},
 	}
 	res, err := lc.DoLocalRequest(req)
 	if err != nil {
@@ -551,6 +615,59 @@ func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (n
 	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
 }
 
+// ListenNewRandomPortName...
+func (lc *LocalClient) ListenNewRandomPortName(ctx context.Context) (portName string, accept func(context.Context) (net.Conn, error), err error) {
+	connCh := make(chan net.Conn, 1)
+	portNameCh := make(chan string, 1)
+	trace := httptrace.ClientTrace{
+		GotConn: func(info httptrace.GotConnInfo) {
+			connCh <- info.Conn
+		},
+		Got1xxResponse: func(code int, header textproto.MIMEHeader) error {
+			portNameCh <- fmt.Sprintf("Got %v, %v", code, header)
+			return nil
+		},
+	}
+	ctx = httptrace.WithClientTrace(ctx, &trace)
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/open-bidi-pipe", nil)
+	if err != nil {
+		return "", nil, err
+	}
+	req.Header = http.Header{
+		"Upgrade":    []string{"ts-open-bidi-pipe"},
+		"Connection": []string{"upgrade"},
+	}
+
+	doErrc := make(chan error, 1)
+
+	go func() {
+		res, err := lc.DoLocalRequest(req)
+		if err != nil {
+			doErrc <- err
+			return
+		}
+		_ = res
+	}()
+
+	accept = func(ctx context.Context) (net.Conn, error) {
+		panic("TODO")
+	}
+
+	select {
+	case name := <-portNameCh:
+		return name, accept, nil
+	case err := <-doErrc:
+		return "", nil, err
+	}
+
+	// if res.StatusCode != http.StatusSwitchingProtocols {
+	// 	body, _ := io.ReadAll(res.Body)
+	// 	res.Body.Close()
+	// 	return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
+	// }
+	panic("TODO")
+}
+
 // CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
 // It is intended to be used with netcheck to see availability of DERPs.
 func (lc *LocalClient) CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
@@ -642,14 +759,14 @@ func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate
 	return &cert, nil
 }
 
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 //
 // Deprecated: use LocalClient.ExpandSNIName.
 func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	return defaultLocalClient.ExpandSNIName(ctx, name)
 }
 
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	st, err := lc.StatusWithoutPeers(ctx)
 	if err != nil {
@@ -716,6 +833,30 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ip
 	return pr, nil
 }
 
+// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
+func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
+	var b bytes.Buffer
+	type modifyRequest struct {
+		AddKeys    []tka.Key
+		RemoveKeys []tka.Key
+	}
+
+	if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
+		return nil, err
+	}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
 // tailscaledConnectHint gives a little thing about why tailscaled (or
 // platform equivalent) is not answering localapi connections.
 //

client/tailscale/tailscale.go

@@ -115,7 +115,7 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
 	return c.httpClient().Do(req)
 }
 
-// sendRequest add the authenication key to the request and sends it. It
+// sendRequest add the authentication key to the request and sends it. It
 // receives the response and reads up to 10MB of it.
 func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
 	if !I_Acknowledge_This_API_Is_Unstable {

cmd/derper/depaware.txt

@@ -51,7 +51,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale
         tailscale.com/syncs                                          from tailscale.com/cmd/derper+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
-        tailscale.com/tka                                            from tailscale.com/client/tailscale
+        tailscale.com/tka                                            from tailscale.com/client/tailscale+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
      💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
         tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
@@ -107,6 +107,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
    W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
    W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
         golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
         golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+

cmd/derper/websocket.go

@@ -23,7 +23,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		up := strings.ToLower(r.Header.Get("Upgrade"))
 
 		// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
-		// speak WebSockets (they still assumed DERP's binary framining). So to distinguish
+		// speak WebSockets (they still assumed DERP's binary framing). So to distinguish
 		// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
 		if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
 			base.ServeHTTP(w, r)

cmd/pgproxy/README.md

@@ -0,0 +1,42 @@
+# pgproxy
+
+The pgproxy server is a proxy for the Postgres wire protocol. [Read
+more in our blog
+post](https://tailscale.com/blog/introducing-pgproxy/) about it!
+
+The proxy runs an in-process Tailscale instance, accepts postgres
+client connections over Tailscale only, and proxies them to the
+configured upstream postgres server.
+
+This proxy exists because postgres clients default to very insecure
+connection settings: either they "prefer" but do not require TLS; or
+they set sslmode=require, which merely requires that a TLS handshake
+took place, but don't verify the server's TLS certificate or the
+presented TLS hostname.  In other words, sslmode=require enforces that
+a TLS session is created, but that session can trivially be
+machine-in-the-middled to steal credentials, data, inject malicious
+queries, and so forth.
+
+Because this flaw is in the client's validation of the TLS session,
+you have no way of reliably detecting the misconfiguration
+server-side. You could fix the configuration of all the clients you
+know of, but the default makes it very easy to accidentally regress.
+
+Instead of trying to verify client configuration over time, this proxy
+removes the need for postgres clients to be configured correctly: the
+upstream database is configured to only accept connections from the
+proxy, and the proxy is only available to clients over Tailscale.
+
+Therefore, clients must use the proxy to connect to the database. The
+client<>proxy connection is secured end-to-end by Tailscale, which the
+proxy enforces by verifying that the connecting client is a known
+current Tailscale peer. The proxy<>server connection is established by
+the proxy itself, using strict TLS verification settings, and the
+client is only allowed to communicate with the server once we've
+established that the upstream connection is safe to use.
+
+A couple side benefits: because clients can only connect via
+Tailscale, you can use Tailscale ACLs as an extra layer of defense on
+top of the postgres user/password authentication. And, the proxy can
+maintain an audit log of who connected to the database, complete with
+the strongly authenticated Tailscale identity of the client.

cmd/pgproxy/pgproxy.go

@@ -0,0 +1,366 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The pgproxy server is a proxy for the Postgres wire protocol.
+package main
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	crand "crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"expvar"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"math/big"
+	"net"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"tailscale.com/client/tailscale"
+	"tailscale.com/metrics"
+	"tailscale.com/tsnet"
+	"tailscale.com/tsweb"
+	"tailscale.com/types/logger"
+)
+
+var (
+	hostname     = flag.String("hostname", "", "Tailscale hostname to serve on")
+	port         = flag.Int("port", 5432, "Listening port for client connections")
+	debugPort    = flag.Int("debug-port", 80, "Listening port for debug/metrics endpoint")
+	upstreamAddr = flag.String("upstream-addr", "", "Address of the upstream Postgres server, in host:port format")
+	upstreamCA   = flag.String("upstream-ca-file", "", "File containing the PEM-encoded CA certificate for the upstream server")
+	tailscaleDir = flag.String("state-dir", "", "Directory in which to store the Tailscale auth state")
+)
+
+func main() {
+	flag.Parse()
+	if *hostname == "" {
+		log.Fatal("missing --hostname")
+	}
+	if *upstreamAddr == "" {
+		log.Fatal("missing --upstream-addr")
+	}
+	if *upstreamCA == "" {
+		log.Fatal("missing --upstream-ca-file")
+	}
+	if *tailscaleDir == "" {
+		log.Fatal("missing --state-dir")
+	}
+
+	ts := &tsnet.Server{
+		Dir:      *tailscaleDir,
+		Hostname: *hostname,
+		// Make the stdout logs a clean audit log of connections.
+		Logf: logger.Discard,
+	}
+
+	if os.Getenv("TS_AUTHKEY") == "" {
+		log.Print("Note: you need to run this with TS_AUTHKEY=... the first time, to join your tailnet of choice.")
+	}
+
+	tsclient, err := ts.LocalClient()
+	if err != nil {
+		log.Fatalf("getting tsnet API client: %v", err)
+	}
+
+	p, err := newProxy(*upstreamAddr, *upstreamCA, tsclient)
+	if err != nil {
+		log.Fatal(err)
+	}
+	expvar.Publish("pgproxy", p.Expvar())
+
+	if *debugPort != 0 {
+		mux := http.NewServeMux()
+		tsweb.Debugger(mux)
+		srv := &http.Server{
+			Handler: mux,
+		}
+		dln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *debugPort))
+		if err != nil {
+			log.Fatal(err)
+		}
+		go func() {
+			log.Fatal(srv.Serve(dln))
+		}()
+	}
+
+	ln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *port))
+	if err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("serving access to %s on port %d", *upstreamAddr, *port)
+	log.Fatal(p.Serve(ln))
+}
+
+// proxy is a postgres wire protocol proxy, which strictly enforces
+// the security of the TLS connection to its upstream regardless of
+// what the client's TLS configuration is.
+type proxy struct {
+	upstreamAddr     string // "my.database.com:5432"
+	upstreamHost     string // "my.database.com"
+	upstreamCertPool *x509.CertPool
+	downstreamCert   []tls.Certificate
+	client           *tailscale.LocalClient
+
+	activeSessions  expvar.Int
+	startedSessions expvar.Int
+	errors          metrics.LabelMap
+}
+
+// newProxy returns a proxy that forwards connections to
+// upstreamAddr. The upstream's TLS session is verified using the CA
+// cert(s) in upstreamCAPath.
+func newProxy(upstreamAddr, upstreamCAPath string, client *tailscale.LocalClient) (*proxy, error) {
+	bs, err := os.ReadFile(upstreamCAPath)
+	if err != nil {
+		return nil, err
+	}
+	upstreamCertPool := x509.NewCertPool()
+	if !upstreamCertPool.AppendCertsFromPEM(bs) {
+		return nil, fmt.Errorf("invalid CA cert in %q", upstreamCAPath)
+	}
+
+	h, _, err := net.SplitHostPort(upstreamAddr)
+	if err != nil {
+		return nil, err
+	}
+	downstreamCert, err := mkSelfSigned(h)
+	if err != nil {
+		return nil, err
+	}
+
+	return &proxy{
+		upstreamAddr:     upstreamAddr,
+		upstreamHost:     h,
+		upstreamCertPool: upstreamCertPool,
+		downstreamCert:   []tls.Certificate{downstreamCert},
+		client:           client,
+		errors:           metrics.LabelMap{Label: "kind"},
+	}, nil
+}
+
+// Expvar returns p's monitoring metrics.
+func (p *proxy) Expvar() expvar.Var {
+	ret := &metrics.Set{}
+	ret.Set("sessions_active", &p.activeSessions)
+	ret.Set("sessions_started", &p.startedSessions)
+	ret.Set("session_errors", &p.errors)
+	return ret
+}
+
+// Serve accepts postgres client connections on ln and proxies them to
+// the configured upstream. ln can be any net.Listener, but all client
+// connections must originate from tailscale IPs that can be verified
+// with WhoIs.
+func (p *proxy) Serve(ln net.Listener) error {
+	var lastSessionID int64
+	for {
+		c, err := ln.Accept()
+		if err != nil {
+			return err
+		}
+		id := time.Now().UnixNano()
+		if id == lastSessionID {
+			// Bluntly enforce SID uniqueness, even if collisions are
+			// fantastically unlikely (but OSes vary in how much timer
+			// precision they expose to the OS, so id might be rounded
+			// e.g. to the same millisecond)
+			id++
+		}
+		lastSessionID = id
+		go func(sessionID int64) {
+			if err := p.serve(sessionID, c); err != nil {
+				log.Printf("%d: session ended with error: %v", sessionID, err)
+			}
+		}(id)
+	}
+}
+
+var (
+	// sslStart is the magic bytes that postgres clients use to indicate
+	// that they want to do a TLS handshake. Servers should respond with
+	// the single byte "S" before starting a normal TLS handshake.
+	sslStart = [8]byte{0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f}
+	// plaintextStart is the magic bytes that postgres clients use to
+	// indicate that they're starting a plaintext authentication
+	// handshake.
+	plaintextStart = [8]byte{0, 0, 0, 86, 0, 3, 0, 0}
+)
+
+// serve proxies the postgres client on c to the proxy's upstream,
+// enforcing strict TLS to the upstream.
+func (p *proxy) serve(sessionID int64, c net.Conn) error {
+	defer c.Close()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	whois, err := p.client.WhoIs(ctx, c.RemoteAddr().String())
+	if err != nil {
+		p.errors.Add("whois-failed", 1)
+		return fmt.Errorf("getting client identity: %v", err)
+	}
+
+	// Before anything else, log the connection attempt.
+	user, machine := "", ""
+	if whois.Node != nil {
+		if whois.Node.Hostinfo.ShareeNode() {
+			machine = "external-device"
+		} else {
+			machine = strings.TrimSuffix(whois.Node.Name, ".")
+		}
+	}
+	if whois.UserProfile != nil {
+		user = whois.UserProfile.LoginName
+		if user == "tagged-devices" && whois.Node != nil {
+			user = strings.Join(whois.Node.Tags, ",")
+		}
+	}
+	if user == "" || machine == "" {
+		p.errors.Add("no-ts-identity", 1)
+		return fmt.Errorf("couldn't identify source user and machine (user %q, machine %q)", user, machine)
+	}
+	log.Printf("%d: session start, from %s (machine %s, user %s)", sessionID, c.RemoteAddr(), machine, user)
+	start := time.Now()
+	defer func() {
+		elapsed := time.Since(start)
+		log.Printf("%d: session end, from %s (machine %s, user %s), lasted %s", sessionID, c.RemoteAddr(), machine, user, elapsed.Round(time.Millisecond))
+	}()
+
+	// Read the client's opening message, to figure out if it's trying
+	// to TLS or not.
+	var buf [8]byte
+	if _, err := io.ReadFull(c, buf[:len(sslStart)]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("initial magic read: %v", err)
+	}
+	var clientIsTLS bool
+	switch {
+	case buf == sslStart:
+		clientIsTLS = true
+	case buf == plaintextStart:
+		clientIsTLS = false
+	default:
+		p.errors.Add("client-bad-protocol", 1)
+		return fmt.Errorf("unrecognized initial packet = % 02x", buf)
+	}
+
+	// Dial & verify upstream connection.
+	var d net.Dialer
+	d.Timeout = 10 * time.Second
+	upc, err := d.Dial("tcp", p.upstreamAddr)
+	if err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("upstream dial: %v", err)
+	}
+	defer upc.Close()
+	if _, err := upc.Write(sslStart[:]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("upstream write of start-ssl magic: %v", err)
+	}
+	if _, err := io.ReadFull(upc, buf[:1]); err != nil {
+		p.errors.Add("network-error", 1)
+		return fmt.Errorf("reading upstream start-ssl response: %v", err)
+	}
+	if buf[0] != 'S' {
+		p.errors.Add("upstream-bad-protocol", 1)
+		return fmt.Errorf("upstream didn't acknowldge start-ssl, said %q", buf[0])
+	}
+	tlsConf := &tls.Config{
+		ServerName: p.upstreamHost,
+		RootCAs:    p.upstreamCertPool,
+		MinVersion: tls.VersionTLS12,
+	}
+	uptc := tls.Client(upc, tlsConf)
+	if err = uptc.HandshakeContext(ctx); err != nil {
+		p.errors.Add("upstream-tls", 1)
+		return fmt.Errorf("upstream TLS handshake: %v", err)
+	}
+
+	// Accept the client conn and set it up the way the client wants.
+	var clientConn net.Conn
+	if clientIsTLS {
+		io.WriteString(c, "S") // yeah, we're good to speak TLS
+		s := tls.Server(c, &tls.Config{
+			ServerName:   p.upstreamHost,
+			Certificates: p.downstreamCert,
+			MinVersion:   tls.VersionTLS12,
+		})
+		if err = uptc.HandshakeContext(ctx); err != nil {
+			p.errors.Add("client-tls", 1)
+			return fmt.Errorf("client TLS handshake: %v", err)
+		}
+		clientConn = s
+	} else {
+		// Repeat the header we read earlier up to the server.
+		if _, err := uptc.Write(plaintextStart[:]); err != nil {
+			p.errors.Add("network-error", 1)
+			return fmt.Errorf("sending initial client bytes to upstream: %v", err)
+		}
+		clientConn = c
+	}
+
+	// Finally, proxy the client to the upstream.
+	errc := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(uptc, clientConn)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(clientConn, uptc)
+		errc <- err
+	}()
+	if err := <-errc; err != nil {
+		// Don't increment error counts here, because the most common
+		// cause of termination is client or server closing the
+		// connection normally, and it'll obscure "interesting"
+		// handshake errors.
+		return fmt.Errorf("session terminated with error: %v", err)
+	}
+	return nil
+}
+
+// mkSelfSigned creates and returns a self-signed TLS certificate for
+// hostname.
+func mkSelfSigned(hostname string) (tls.Certificate, error) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), crand.Reader)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	pub := priv.Public()
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"pgproxy"},
+		},
+		DNSNames:              []string{hostname},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	derBytes, err := x509.CreateCertificate(crand.Reader, &template, &template, pub, priv)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	cert, err := x509.ParseCertificate(derBytes)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	return tls.Certificate{
+		Certificate: [][]byte{derBytes},
+		PrivateKey:  priv,
+		Leaf:        cert,
+	}, nil
+}

cmd/speedtest/speedtest.go

@@ -110,11 +110,12 @@ func runSpeedtest(ctx context.Context, args []string) error {
 	w := tabwriter.NewWriter(os.Stdout, 12, 0, 0, ' ', tabwriter.TabIndent)
 	fmt.Println("Results:")
 	fmt.Fprintln(w, "Interval\t\tTransfer\t\tBandwidth\t\t")
+	startTime := results[0].IntervalStart
 	for _, r := range results {
 		if r.Total {
 			fmt.Fprintln(w, "-------------------------------------------------------------------------")
 		}
-		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Seconds(), r.IntervalEnd.Seconds(), r.MegaBits(), r.MBitsPerSecond())
+		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Sub(startTime).Seconds(), r.IntervalEnd.Sub(startTime).Seconds(), r.MegaBits(), r.MBitsPerSecond())
 	}
 	w.Flush()
 	return nil

cmd/ssh-auth-none-demo/ssh-auth-none-demo.go

@@ -0,0 +1,187 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// ssh-auth-none-demo is a demo SSH server that's meant to run on the
+// public internet (at 188.166.70.128 port 2222) and
+// highlight the unique parts of the Tailscale SSH server so SSH
+// client authors can hit it easily and fix their SSH clients without
+// needing to set up Tailscale and Tailscale SSH.
+package main
+
+import (
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"time"
+
+	gossh "github.com/tailscale/golang-x-crypto/ssh"
+	"tailscale.com/tempfork/gliderlabs/ssh"
+)
+
+// keyTypes are the SSH key types that we either try to read from the
+// system's OpenSSH keys.
+var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
+
+var (
+	addr = flag.String("addr", ":2222", "address to listen on")
+)
+
+func main() {
+	flag.Parse()
+
+	cacheDir, err := os.UserCacheDir()
+	if err != nil {
+		log.Fatal(err)
+	}
+	dir := filepath.Join(cacheDir, "ssh-auth-none-demo")
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		log.Fatal(err)
+	}
+
+	keys, err := getHostKeys(dir)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if len(keys) == 0 {
+		log.Fatal("no host keys")
+	}
+
+	srv := &ssh.Server{
+		Addr:    *addr,
+		Version: "Tailscale",
+		Handler: handleSessionPostSSHAuth,
+		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
+			start := time.Now()
+			return &gossh.ServerConfig{
+				ImplicitAuthMethod: "tailscale",
+				NoClientAuth:       true, // required for the NoClientAuthCallback to run
+				NoClientAuthCallback: func(cm gossh.ConnMetadata) (*gossh.Permissions, error) {
+					cm.SendAuthBanner(fmt.Sprintf("# Banner: doing none auth at %v\r\n", time.Since(start)))
+
+					totalBanners := 2
+					if cm.User() == "banners" {
+						totalBanners = 5
+					}
+					for banner := 2; banner <= totalBanners; banner++ {
+						time.Sleep(time.Second)
+						if banner == totalBanners {
+							cm.SendAuthBanner(fmt.Sprintf("# Banner%d: access granted at %v\r\n", banner, time.Since(start)))
+						} else {
+							cm.SendAuthBanner(fmt.Sprintf("# Banner%d at %v\r\n", banner, time.Since(start)))
+						}
+					}
+					return nil, nil
+				},
+				BannerCallback: func(cm gossh.ConnMetadata) string {
+					log.Printf("Got connection from user %q, %q from %v", cm.User(), cm.ClientVersion(), cm.RemoteAddr())
+					return fmt.Sprintf("# Banner for user %q, %q\n", cm.User(), cm.ClientVersion())
+				},
+			}
+		},
+	}
+
+	for _, signer := range keys {
+		srv.AddHostKey(signer)
+	}
+
+	log.Printf("Running on %s ...", srv.Addr)
+	if err := srv.ListenAndServe(); err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("done")
+}
+
+func handleSessionPostSSHAuth(s ssh.Session) {
+	log.Printf("Started session from user %q", s.User())
+	fmt.Fprintf(s, "Hello user %q, it worked.\n", s.User())
+
+	// Abort the session on Control-C or Control-D.
+	go func() {
+		buf := make([]byte, 1024)
+		for {
+			n, err := s.Read(buf)
+			for _, b := range buf[:n] {
+				if b <= 4 { // abort on Control-C (3) or Control-D (4)
+					io.WriteString(s, "bye\n")
+					s.Exit(1)
+				}
+			}
+			if err != nil {
+				return
+			}
+		}
+	}()
+
+	for i := 10; i > 0; i-- {
+		fmt.Fprintf(s, "%v ...\n", i)
+		time.Sleep(time.Second)
+	}
+	s.Exit(0)
+}
+
+func getHostKeys(dir string) (ret []ssh.Signer, err error) {
+	for _, typ := range keyTypes {
+		hostKey, err := hostKeyFileOrCreate(dir, typ)
+		if err != nil {
+			return nil, err
+		}
+		signer, err := gossh.ParsePrivateKey(hostKey)
+		if err != nil {
+			return nil, err
+		}
+		ret = append(ret, signer)
+	}
+	return ret, nil
+}
+
+func hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
+	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
+	v, err := ioutil.ReadFile(path)
+	if err == nil {
+		return v, nil
+	}
+	if !os.IsNotExist(err) {
+		return nil, err
+	}
+	var priv any
+	switch typ {
+	default:
+		return nil, fmt.Errorf("unsupported key type %q", typ)
+	case "ed25519":
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
+	case "ecdsa":
+		// curve is arbitrary. We pick whatever will at
+		// least pacify clients as the actual encryption
+		// doesn't matter: it's all over WireGuard anyway.
+		curve := elliptic.P256()
+		priv, err = ecdsa.GenerateKey(curve, rand.Reader)
+	case "rsa":
+		// keySize is arbitrary. We pick whatever will at
+		// least pacify clients as the actual encryption
+		// doesn't matter: it's all over WireGuard anyway.
+		const keySize = 2048
+		priv, err = rsa.GenerateKey(rand.Reader, keySize)
+	}
+	if err != nil {
+		return nil, err
+	}
+	mk, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, err
+	}
+	pemGen := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: mk})
+	err = os.WriteFile(path, pemGen, 0700)
+	return pemGen, err
+}

cmd/tailscale/cli/bugreport.go

@@ -7,8 +7,11 @@ package cli
 import (
 	"context"
 	"errors"
+	"flag"
+	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )
 
 var bugReportCmd = &ffcli.Command{
@@ -16,6 +19,17 @@ var bugReportCmd = &ffcli.Command{
 	Exec:       runBugReport,
 	ShortHelp:  "Print a shareable identifier to help diagnose issues",
 	ShortUsage: "bugreport [note]",
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("bugreport")
+		fs.BoolVar(&bugReportArgs.diagnose, "diagnose", false, "run additional in-depth checks")
+		fs.BoolVar(&bugReportArgs.record, "record", false, "if true, pause and then write another bugreport")
+		return fs
+	})(),
+}
+
+var bugReportArgs struct {
+	diagnose bool
+	record   bool
 }
 
 func runBugReport(ctx context.Context, args []string) error {
@@ -25,12 +39,31 @@ func runBugReport(ctx context.Context, args []string) error {
 	case 1:
 		note = args[0]
 	default:
-		return errors.New("unknown argumets")
+		return errors.New("unknown arguments")
 	}
-	logMarker, err := localClient.BugReport(ctx, note)
+	logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{
+		Note:     note,
+		Diagnose: bugReportArgs.diagnose,
+	})
 	if err != nil {
 		return err
 	}
+
+	if bugReportArgs.record {
+		outln("The initial bugreport is below; please reproduce your issue and then press Enter...")
+	}
+
 	outln(logMarker)
+
+	if bugReportArgs.record {
+		fmt.Scanln()
+
+		logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{})
+		if err != nil {
+			return err
+		}
+		outln(logMarker)
+		outln("Please provide both bugreport markers above to the support team or GitHub issue.")
+	}
 	return nil
 }

cmd/tailscale/cli/cli.go

@@ -34,6 +34,7 @@ import (
 
 var Stderr io.Writer = os.Stderr
 var Stdout io.Writer = os.Stdout
+var Stdin io.Reader = os.Stdin
 
 func printf(format string, a ...any) {
 	fmt.Fprintf(Stdout, format, a...)

cmd/tailscale/cli/cli_test.go

@@ -410,7 +410,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
 		},
 		{
-			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
+			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Issue 3480
 			flags:         []string{"--hostname=foo"},
 			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
@@ -448,7 +448,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		},
 		{
 			// Issue 3176: on Synology, don't require --accept-routes=false because user
-			// migth've had old an install, and we don't support --accept-routes anyway.
+			// might've had an old install, and we don't support --accept-routes anyway.
 			name:  "synology_permit_omit_accept_routes",
 			flags: []string{"--hostname=foo"},
 			curPrefs: &ipn.Prefs{

cmd/tailscale/cli/configure-host.go

@@ -48,11 +48,11 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if uid := os.Getuid(); uid != 0 {
 		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
 	}
-	osVer := hostinfo.GetOSVersion()
-	isDSM6 := strings.HasPrefix(osVer, "Synology 6")
-	isDSM7 := strings.HasPrefix(osVer, "Synology 7")
+	hi := hostinfo.New()
+	isDSM6 := strings.HasPrefix(hi.DistroVersion, "6.")
+	isDSM7 := strings.HasPrefix(hi.DistroVersion, "7.")
 	if !isDSM6 && !isDSM7 {
-		return fmt.Errorf("unsupported DSM version %q", osVer)
+		return fmt.Errorf("unsupported DSM version %q", hi.DistroVersion)
 	}
 	if _, err := os.Stat("/dev/net/tun"); os.IsNotExist(err) {
 		if err := os.MkdirAll("/dev/net", 0755); err != nil {

cmd/tailscale/cli/debug.go

@@ -53,6 +53,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDERPMap,
 			ShortHelp: "print DERP map",
 		},
+		{
+			Name:      "component-logs",
+			Exec:      runDebugComponentLogs,
+			ShortHelp: "enable/disable debug logs for a component",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("component-logs")
+				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
+				return fs
+			})(),
+		},
 		{
 			Name:      "daemon-goroutines",
 			Exec:      runDaemonGoroutines,
@@ -513,3 +523,26 @@ func runTS2021(ctx context.Context, args []string) error {
 	log.Printf("final underlying conn: %v / %v", conn.LocalAddr(), conn.RemoteAddr())
 	return nil
 }
+
+var debugComponentLogsArgs struct {
+	forDur time.Duration
+}
+
+func runDebugComponentLogs(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return errors.New("usage: debug component-logs <component>")
+	}
+	component := args[0]
+	dur := debugComponentLogsArgs.forDur
+
+	err := localClient.SetComponentDebugLogging(ctx, component, dur)
+	if err != nil {
+		return err
+	}
+	if debugComponentLogsArgs.forDur <= 0 {
+		fmt.Printf("Disabled debug logs for component %q\n", component)
+	} else {
+		fmt.Printf("Enabled debug logs for component %q for %v\n", component, dur)
+	}
+	return nil
+}

cmd/tailscale/cli/nc.go

@@ -7,46 +7,65 @@ package cli
 import (
 	"context"
 	"errors"
+	"flag"
 	"fmt"
 	"io"
+	"net"
 	"os"
 	"strconv"
+	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/ipn/ipnstate"
 )
 
 var ncCmd = &ffcli.Command{
 	Name:       "nc",
-	ShortUsage: "nc <hostname-or-IP> <port>",
+	ShortUsage: "nc <hostname-or-IP> <port>\n  nc -l",
 	ShortHelp:  "Connect to a port on a host, connected to stdin/stdout",
 	Exec:       runNC,
+	FlagSet: func() *flag.FlagSet {
+		fs := flag.NewFlagSet("nc", flag.ExitOnError)
+		fs.BoolVar(&ncArgs.listen, "l", false, "whether to listen for incoming connections (\"Tailpipe\")")
+		return fs
+	}(),
+}
+
+var ncArgs struct {
+	listen bool
 }
 
 func runNC(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		printf("%s\n", description)
-		os.Exit(1)
+	if ncArgs.listen {
+		if len(args) != 0 {
+			return errors.New("no arguments supported with -l")
+		}
+		return runNCListen(ctx)
 	}
 
 	if len(args) != 2 {
 		return errors.New("usage: nc <hostname-or-IP> <port>")
 	}
 
-	hostOrIP, portStr := args[0], args[1]
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		return fmt.Errorf("invalid port number %q", portStr)
+	if _, err := checkRunning(ctx); err != nil {
+		return err
 	}
+	hostOrIP, portStr := args[0], args[1]
 
-	// TODO(bradfitz): also add UDP too, via flag?
-	c, err := localClient.DialTCP(ctx, hostOrIP, uint16(port))
+	var c net.Conn
+	var err error
+	if strings.HasPrefix(portStr, "tailpipe-") {
+		c, err = localClient.DialTCPNamedPort(ctx, hostOrIP, portStr)
+	} else {
+		port, err := strconv.ParseUint(portStr, 10, 16)
+		if err != nil {
+			return fmt.Errorf("invalid port number %q", portStr)
+		}
+		// TODO(bradfitz): also add UDP too, via flag?
+		c, err = localClient.DialTCP(ctx, hostOrIP, uint16(port))
+	}
 	if err != nil {
-		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, port, err)
+		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, portStr, err)
 	}
 	defer c.Close()
 	errc := make(chan error, 1)
@@ -60,3 +79,43 @@ func runNC(ctx context.Context, args []string) error {
 	}()
 	return <-errc
 }
+
+func checkRunning(ctx context.Context) (*ipnstate.Status, error) {
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return nil, fixTailscaledConnectError(err)
+	}
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		printf("%s\n", description)
+		os.Exit(1)
+	}
+	return st, err
+}
+
+// runNCLIsten opens a tailpipe.
+func runNCListen(ctx context.Context) error {
+	st, err := checkRunning(ctx)
+	if err != nil {
+		return err
+	}
+	portName, accept, err := localClient.ListenNewRandomPortName(ctx)
+	if err != nil {
+		return err
+	}
+	fmt.Fprintf(Stderr, "Port opened. Connect with: nc %v %v\n", st.Self.Addrs[0], portName)
+	c, err := accept(ctx)
+	if err != nil {
+		return err
+	}
+	errc := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(Stdout, c)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(c, Stdin)
+		errc <- err
+	}()
+	return <-errc
+}

cmd/tailscale/cli/netcheck.go

@@ -133,6 +133,9 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
 	printf("\t* HairPinning: %v\n", report.HairPinning)
 	printf("\t* PortMapping: %v\n", portMapping(report))
+	if report.CaptivePortal != "" {
+		printf("\t* CaptivePortal: %v\n", report.CaptivePortal)
+	}
 
 	// When DERP latency checking failed,
 	// magicsock will try to pick the DERP server that

cmd/tailscale/cli/network-lock.go

@@ -17,11 +17,16 @@ import (
 )
 
 var netlockCmd = &ffcli.Command{
-	Name:        "lock",
-	ShortUsage:  "lock <sub-command> <arguments>",
-	ShortHelp:   "Manipulate the tailnet key authority",
-	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
-	Exec:        runNetworkLockStatus,
+	Name:       "lock",
+	ShortUsage: "lock <sub-command> <arguments>",
+	ShortHelp:  "Manipulate the tailnet key authority",
+	Subcommands: []*ffcli.Command{
+		nlInitCmd,
+		nlStatusCmd,
+		nlAddCmd,
+		nlRemoveCmd,
+	},
+	Exec: runNetworkLockStatus,
 }
 
 var nlInitCmd = &ffcli.Command{
@@ -41,29 +46,9 @@ func runNetworkLockInit(ctx context.Context, args []string) error {
 	}
 
 	// Parse the set of initially-trusted keys.
-	// Keys are specified using their key.NLPublic.MarshalText representation,
-	// with an optional '?<votes>' suffix.
-	var keys []tka.Key
-	for i, a := range args {
-		var key key.NLPublic
-		spl := strings.SplitN(a, "?", 2)
-		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
-			return fmt.Errorf("parsing key %d: %v", i+1, err)
-		}
-
-		k := tka.Key{
-			Kind:   tka.Key25519,
-			Public: key.Verifier(),
-			Votes:  1,
-		}
-		if len(spl) > 1 {
-			votes, err := strconv.Atoi(spl[1])
-			if err != nil {
-				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
-			}
-			k.Votes = uint(votes)
-		}
-		keys = append(keys, k)
+	keys, err := parseNLKeyArgs(args)
+	if err != nil {
+		return err
 	}
 
 	status, err := localClient.NetworkLockInit(ctx, keys)
@@ -99,3 +84,78 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 	fmt.Printf("our public-key: %s\n", p)
 	return nil
 }
+
+var nlAddCmd = &ffcli.Command{
+	Name:       "add",
+	ShortUsage: "add <public-key>...",
+	ShortHelp:  "Adds one or more signing keys to the tailnet key authority",
+	Exec: func(ctx context.Context, args []string) error {
+		return runNetworkLockModify(ctx, args, nil)
+	},
+}
+
+var nlRemoveCmd = &ffcli.Command{
+	Name:       "remove",
+	ShortUsage: "remove <public-key>...",
+	ShortHelp:  "Removes one or more signing keys to the tailnet key authority",
+	Exec: func(ctx context.Context, args []string) error {
+		return runNetworkLockModify(ctx, nil, args)
+	},
+}
+
+// parseNLKeyArgs converts a slice of strings into a slice of tka.Key. The keys
+// should be specified using their key.NLPublic.MarshalText representation with
+// an optional '?<votes>' suffix. If any of the keys encounters an error, a nil
+// slice is returned along with an appropriate error.
+func parseNLKeyArgs(args []string) ([]tka.Key, error) {
+	var keys []tka.Key
+	for i, a := range args {
+		var nlpk key.NLPublic
+		spl := strings.SplitN(a, "?", 2)
+		if err := nlpk.UnmarshalText([]byte(spl[0])); err != nil {
+			return nil, fmt.Errorf("parsing key %d: %v", i+1, err)
+		}
+
+		k := tka.Key{
+			Kind:   tka.Key25519,
+			Public: nlpk.Verifier(),
+			Votes:  1,
+		}
+		if len(spl) > 1 {
+			votes, err := strconv.Atoi(spl[1])
+			if err != nil {
+				return nil, fmt.Errorf("parsing key %d votes: %v", i+1, err)
+			}
+			k.Votes = uint(votes)
+		}
+		keys = append(keys, k)
+	}
+	return keys, nil
+}
+
+func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) error {
+	st, err := localClient.NetworkLockStatus(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	if st.Enabled {
+		return errors.New("network-lock is already enabled")
+	}
+
+	addKeys, err := parseNLKeyArgs(addArgs)
+	if err != nil {
+		return err
+	}
+	removeKeys, err := parseNLKeyArgs(removeArgs)
+	if err != nil {
+		return err
+	}
+
+	status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Status: %+v\n\n", status)
+	return nil
+}

cmd/tailscale/cli/ssh_exec_windows.go

@@ -13,7 +13,7 @@ import (
 
 func findSSH() (string, error) {
 	// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
-	// occured with ssh.exe provided by msys2/cygwin and other environments.
+	// occurred with ssh.exe provided by msys2/cygwin and other environments.
 	if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
 		exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
 		if st, err := os.Stat(exe); err == nil && !st.IsDir() {

cmd/tailscale/cli/up.go

@@ -380,7 +380,6 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 	// Do this after validations to avoid the 5s delay if we're going to error
 	// out anyway.
 	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
-	fmt.Println("wantSSH", wantSSH, "haveSSH", haveSSH)
 	if wantSSH != haveSSH && isSSHOverTailscale() {
 		if wantSSH {
 			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)

cmd/tailscale/depaware.txt

@@ -100,6 +100,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
         tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
         tailscale.com/util/mak                                       from tailscale.com/net/netcheck
+        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
    L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
    W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
@@ -134,6 +135,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
    W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
    W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
         golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
         golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+

cmd/tailscaled/depaware.txt

@@ -109,7 +109,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
         github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
         github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router
+   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router+
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
   LD    github.com/u-root/u-root/pkg/termios                         from tailscale.com/ssh/tailssh
    L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
@@ -190,6 +190,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/derp                                           from tailscale.com/derp/derphttp+
         tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
         tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
+        tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
         tailscale.com/envknob                                        from tailscale.com/control/controlclient+
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
@@ -230,6 +232,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
+        tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
         tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
         tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
@@ -237,6 +240,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
         tailscale.com/net/tstun                                      from tailscale.com/net/dns+
+        tailscale.com/net/tunstats                                   from tailscale.com/net/tstun
         tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
         tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
@@ -272,6 +276,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
   LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
+        tailscale.com/util/goroutines                                from tailscale.com/control/controlclient+
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
@@ -317,6 +322,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
         golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/maps                                        from tailscale.com/wgengine
         golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
@@ -338,7 +344,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W    golang.org/x/sys/windows/registry                            from golang.org/x/sys/windows/svc/eventlog+
    W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
    W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled+
         golang.org/x/term                                            from tailscale.com/logpolicy
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
         golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+

cmd/tailscaled/tailscaled.go

@@ -88,7 +88,7 @@ func defaultTunName() string {
 			// see https://github.com/tailscale/tailscale/issues/391
 			//
 			// But Gokrazy does have the tun module built-in, so users
-			// can stil run --tun=tailscale0 if they wish, if they
+			// can still run --tun=tailscale0 if they wish, if they
 			// arrange for iptables to be present or run in "tailscale
 			// up --netfilter-mode=off" mode, perhaps. Untested.
 			return "userspace-networking"
@@ -158,7 +158,7 @@ func main() {
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
+	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an ephemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
@@ -375,8 +375,7 @@ func run() error {
 
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)
 
-	dialer := new(tsdial.Dialer) // mutated below (before used)
-	dialer.Logf = logf
+	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)

cmd/tailscaled/tailscaled.service

@@ -7,7 +7,7 @@ After=network-pre.target NetworkManager.service systemd-resolved.service
 [Service]
 EnvironmentFile=/etc/default/tailscaled
 ExecStartPre=/usr/sbin/tailscaled --cleanup
-ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
 ExecStopPost=/usr/sbin/tailscaled --cleanup
 
 Restart=on-failure

cmd/tailscaled/tailscaled_windows.go

@@ -23,6 +23,7 @@ package main // import "tailscale.com/cmd/tailscaled"
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"net/netip"
@@ -192,7 +193,7 @@ func beWindowsSubprocess() bool {
 	}
 	logid := os.Args[2]
 
-	// Remove the date/time prefix; the logtail + file logggers add it.
+	// Remove the date/time prefix; the logtail + file loggers add it.
 	log.SetFlags(0)
 
 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
@@ -265,11 +266,17 @@ func startIPNServer(ctx context.Context, logid string) error {
 	if err != nil {
 		return fmt.Errorf("monitor: %w", err)
 	}
-	dialer := new(tsdial.Dialer)
+	dialer := &tsdial.Dialer{Logf: logf}
 
 	getEngineRaw := func() (wgengine.Engine, *netstack.Impl, error) {
 		dev, devName, err := tstun.New(logf, "Tailscale")
 		if err != nil {
+			if errors.Is(err, windows.ERROR_DEVICE_NOT_AVAILABLE) {
+				// Wintun is not installing correctly. Dump the state of NetSetupSvc
+				// (which is a user-mode service that must be active for network devices
+				// to install) and its dependencies to the log.
+				winutil.LogSvcState(logf, "NetSetupSvc")
+			}
 			return nil, nil, fmt.Errorf("TUN: %w", err)
 		}
 		r, err := router.New(logf, dev, nil)

cmd/tsconnect/build.go

@@ -57,7 +57,7 @@ func runBuild() {
 
 // fixEsbuildMetadataPaths re-keys the esbuild metadata file to use paths
 // relative to the dist directory (it normally uses paths relative to the cwd,
-// which are akward if we're running with a different cwd at serving time).
+// which are awkward if we're running with a different cwd at serving time).
 func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	var metadata EsbuildMetadata
 	if err := json.Unmarshal([]byte(metadataStr), &metadata); err != nil {

cmd/tsconnect/package.json

@@ -10,9 +10,9 @@
     "qrcode": "^1.5.0",
     "tailwindcss": "^3.1.6",
     "typescript": "^4.7.4",
-    "xterm": "5.0.0-beta.58",
-    "xterm-addon-fit": "^0.5.0",
-    "xterm-addon-web-links": "0.7.0-beta.6"
+    "xterm": "^5.0.0",
+    "xterm-addon-fit": "^0.6.0",
+    "xterm-addon-web-links": "^0.7.0"
   },
   "scripts": {
     "lint": "tsc --noEmit",

cmd/tsconnect/src/app/ssh.tsx

@@ -46,7 +46,7 @@ function SSHSession({
   const ref = useRef<HTMLDivElement>(null)
   useEffect(() => {
     if (ref.current) {
-      runSSHSession(ref.current, def, ipn, onDone)
+      runSSHSession(ref.current, def, ipn, onDone, (err) => console.error(err))
     }
   }, [ref])
 

cmd/tsconnect/src/lib/ssh.ts

@@ -5,6 +5,8 @@ import { WebLinksAddon } from "xterm-addon-web-links"
 export type SSHSessionDef = {
   username: string
   hostname: string
+  /** Defaults to 5 seconds */
+  timeoutSeconds?: number
 }
 
 export function runSSHSession(
@@ -12,6 +14,7 @@ export function runSSHSession(
   def: SSHSessionDef,
   ipn: IPN,
   onDone: () => void,
+  onError?: (err: string) => void,
   terminalOptions?: ITerminalOptions
 ) {
   const parentWindow = termContainerNode.ownerDocument.defaultView ?? window
@@ -39,14 +42,14 @@ export function runSSHSession(
   term.focus()
 
   let resizeObserver: ResizeObserver | undefined
-  let handleBeforeUnload: ((e: BeforeUnloadEvent) => void) | undefined
+  let handleUnload: ((e: Event) => void) | undefined
 
   const sshSession = ipn.ssh(def.hostname, def.username, {
     writeFn(input) {
       term.write(input)
     },
     writeErrorFn(err) {
-      console.error(err)
+      onError?.(err)
       term.write(err)
     },
     setReadFn(hook) {
@@ -57,11 +60,12 @@ export function runSSHSession(
     onDone() {
       resizeObserver?.disconnect()
       term.dispose()
-      if (handleBeforeUnload) {
-        parentWindow.removeEventListener("beforeunload", handleBeforeUnload)
+      if (handleUnload) {
+        parentWindow.removeEventListener("unload", handleUnload)
       }
       onDone()
     },
+    timeoutSeconds: def.timeoutSeconds,
   })
 
   // Make terminal and SSH session track the size of the containing DOM node.
@@ -71,6 +75,6 @@ export function runSSHSession(
 
   // Close the session if the user closes the window without an explicit
   // exit.
-  handleBeforeUnload = () => sshSession.close()
-  parentWindow.addEventListener("beforeunload", handleBeforeUnload)
+  handleUnload = () => sshSession.close()
+  parentWindow.addEventListener("unload", handleUnload)
 }

cmd/tsconnect/src/pkg/pkg.ts

@@ -15,12 +15,12 @@ import wasmURL from "./main.wasm"
  * needed for the package to function.
  */
 type IPNPackageConfig = IPNConfig & {
-  // Auth key used to intitialize the Tailscale client (required)
+  // Auth key used to initialize the Tailscale client (required)
   authKey: string
   // URL of the main.wasm file that is included in the page, if it is not
   // accessible via a relative URL.
   wasmURL?: string
-  // Funtion invoked if the Go process panics or unexpectedly exits.
+  // Function invoked if the Go process panics or unexpectedly exits.
   panicHandler: (err: string) => void
 }
 

cmd/tsconnect/src/types/wasm_js.d.ts

@@ -23,6 +23,8 @@ declare global {
         setReadFn: (readFn: (data: string) => void) => void
         rows: number
         cols: number
+        /** Defaults to 5 seconds */
+        timeoutSeconds?: number
         onDone: () => void
       }
     ): IPNSSHSession

cmd/tsconnect/wasm/wasm_js.go

@@ -96,7 +96,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 	logtail := logtail.NewLogger(c, log.Printf)
 	logf := logtail.Logf
 
-	dialer := new(tsdial.Dialer)
+	dialer := &tsdial.Dialer{Logf: logf}
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
 		Dialer: dialer,
 	})
@@ -360,6 +360,10 @@ func (s *jsSSHSession) Run() {
 	setReadFn := s.termConfig.Get("setReadFn")
 	rows := s.termConfig.Get("rows").Int()
 	cols := s.termConfig.Get("cols").Int()
+	timeoutSeconds := 5.0
+	if jsTimeoutSeconds := s.termConfig.Get("timeoutSeconds"); jsTimeoutSeconds.Type() == js.TypeNumber {
+		timeoutSeconds = jsTimeoutSeconds.Float()
+	}
 	onDone := s.termConfig.Get("onDone")
 	defer onDone.Invoke()
 
@@ -367,7 +371,7 @@ func (s *jsSSHSession) Run() {
 		writeErrorFn.Invoke(fmt.Sprintf("%s Error: %v\r\n", label, err))
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeoutSeconds*float64(time.Second)))
 	defer cancel()
 	c, err := s.jsIPN.dialer.UserDial(ctx, "tcp", net.JoinHostPort(s.host, "22"))
 	if err != nil {

cmd/tsconnect/yarn.lock

@@ -639,20 +639,20 @@ xtend@^4.0.2:
   resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"
   integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==
 
-xterm-addon-fit@^0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.5.0.tgz#2d51b983b786a97dcd6cde805e700c7f913bc596"
-  integrity sha512-DsS9fqhXHacEmsPxBJZvfj2la30Iz9xk+UKjhQgnYNkrUIN5CYLbw7WEfz117c7+S86S/tpHPfvNxJsF5/G8wQ==
+xterm-addon-fit@^0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.6.0.tgz#142e1ce181da48763668332593fc440349c88c34"
+  integrity sha512-9/7A+1KEjkFam0yxTaHfuk9LEvvTSBi0PZmEkzJqgafXPEXL9pCMAVV7rB09sX6ATRDXAdBpQhZkhKj7CGvYeg==
 
-xterm@5.0.0-beta.58:
-  version "5.0.0-beta.58"
-  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0-beta.58.tgz#e3e96ab9fd24d006ec16cc9351a060cc79e67e80"
-  integrity sha512-gjg39oKdgUKful27+7I1hvSK51lu/LRhdimFhfZyMvdk0iATH0FAfzv1eAvBKWY2UBgYUfxhicTkanYioANdMw==
+xterm-addon-web-links@^0.7.0:
+  version "0.7.0"
+  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0.tgz#dceac36170605f9db10a01d716bd83ee38f65c17"
+  integrity sha512-6PqoqzzPwaeSq22skzbvyboDvSnYk5teUYEoKBwMYvhbkwOQkemZccjWHT5FnNA8o1aInTc4PRYAl4jjPucCKA==
 
-xterm-addon-web-links@0.7.0-beta.6:
-  version "0.7.0-beta.6"
-  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0-beta.6.tgz#ec63b681b4f0f0135fa039f53664f65fe9d9f43a"
-  integrity sha512-nD/r/GchGTN4c9gAIVLWVoxExTzAUV7E9xZnwsvhuwI4CEE6yqO15ns8g2hdcUrsPyCbNEw05mIrkF6W5Yj8qA==
+xterm@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0.tgz#0af50509b33d0dc62fde7a4ec17750b8e453cc5c"
+  integrity sha512-tmVsKzZovAYNDIaUinfz+VDclraQpPUnAME+JawosgWRMphInDded/PuY0xmU5dOhyeYZsI0nz5yd8dPYsdLTA==
 
 y18n@^4.0.0:
   version "4.0.3"

cmd/viewer/viewer.go

@@ -388,7 +388,7 @@ func main() {
 		log.Fatal(err)
 	}
 	if runCloner {
-		// When a new pacakge is added or when existing generated files have
+		// When a new package is added or when existing generated files have
 		// been deleted, we might run into a case where tailscale.com/cmd/cloner
 		// has not run yet. We detect this by verifying that all the structs we
 		// interacted with have had Clone method already generated. If they

control/controlclient/auto.go

@@ -114,19 +114,11 @@ func NewNoStart(opts Options) (*Auto, error) {
 	}
 	c.authCtx, c.authCancel = context.WithCancel(context.Background())
 	c.mapCtx, c.mapCancel = context.WithCancel(context.Background())
-	c.unregisterHealthWatch = health.RegisterWatcher(c.onHealthChange)
+	c.unregisterHealthWatch = health.RegisterWatcher(direct.ReportHealthChange)
 	return c, nil
 
 }
 
-func (c *Auto) onHealthChange(sys health.Subsystem, err error) {
-	if sys == health.SysOverall {
-		return
-	}
-	c.logf("controlclient: restarting map request for %q health change to new state: %v", sys, err)
-	c.cancelMapSafely()
-}
-
 // SetPaused controls whether HTTP activity should be paused.
 //
 // The client can be paused and unpaused repeatedly, unlike Start and Shutdown, which can only be used once.

control/controlclient/debug.go

@@ -8,12 +8,11 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
-	"fmt"
 	"log"
 	"net/http"
-	"runtime"
-	"strconv"
 	"time"
+
+	"tailscale.com/util/goroutines"
 )
 
 func dumpGoroutinesToURL(c *http.Client, targetURL string) {
@@ -22,7 +21,7 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {
 
 	zbuf := new(bytes.Buffer)
 	zw := gzip.NewWriter(zbuf)
-	zw.Write(scrubbedGoroutineDump())
+	zw.Write(goroutines.ScrubbedGoroutineDump())
 	zw.Close()
 
 	req, err := http.NewRequestWithContext(ctx, "PUT", targetURL, zbuf)
@@ -40,83 +39,3 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {
 		log.Printf("dumpGoroutinesToURL complete to %v (after %v)", targetURL, d)
 	}
 }
-
-// scrubbedGoroutineDump returns the list of all current goroutines, but with the actual
-// values of arguments scrubbed out, lest it contain some private key material.
-func scrubbedGoroutineDump() []byte {
-	var buf []byte
-	// Grab stacks multiple times into increasingly larger buffer sizes
-	// to minimize the risk that we blow past our iOS memory limit.
-	for size := 1 << 10; size <= 1<<20; size += 1 << 10 {
-		buf = make([]byte, size)
-		buf = buf[:runtime.Stack(buf, true)]
-		if len(buf) < size {
-			// It fit.
-			break
-		}
-	}
-	return scrubHex(buf)
-}
-
-func scrubHex(buf []byte) []byte {
-	saw := map[string][]byte{} // "0x123" => "v1%3" (unique value 1 and its value mod 8)
-
-	foreachHexAddress(buf, func(in []byte) {
-		if string(in) == "0x0" {
-			return
-		}
-		if v, ok := saw[string(in)]; ok {
-			for i := range in {
-				in[i] = '_'
-			}
-			copy(in, v)
-			return
-		}
-		inStr := string(in)
-		u64, err := strconv.ParseUint(string(in[2:]), 16, 64)
-		for i := range in {
-			in[i] = '_'
-		}
-		if err != nil {
-			in[0] = '?'
-			return
-		}
-		v := []byte(fmt.Sprintf("v%d%%%d", len(saw)+1, u64%8))
-		saw[inStr] = v
-		copy(in, v)
-	})
-	return buf
-}
-
-var ohx = []byte("0x")
-
-// foreachHexAddress calls f with each subslice of b that matches
-// regexp `0x[0-9a-f]*`.
-func foreachHexAddress(b []byte, f func([]byte)) {
-	for len(b) > 0 {
-		i := bytes.Index(b, ohx)
-		if i == -1 {
-			return
-		}
-		b = b[i:]
-		hx := hexPrefix(b)
-		f(hx)
-		b = b[len(hx):]
-	}
-}
-
-func hexPrefix(b []byte) []byte {
-	for i, c := range b {
-		if i < 2 {
-			continue
-		}
-		if !isHexByte(c) {
-			return b[:i]
-		}
-	}
-	return b
-}
-
-func isHexByte(b byte) bool {
-	return '0' <= b && b <= '9' || 'a' <= b && b <= 'f' || 'A' <= b && b <= 'F'
-}

control/controlclient/direct.go

@@ -76,6 +76,8 @@ type Direct struct {
 	popBrowser             func(url string) // or nil
 	c2nHandler             http.Handler     // or nil
 
+	dialPlan ControlDialPlanner // can be nil
+
 	mu             sync.Mutex        // mutex guards the following fields
 	serverKey      key.MachinePublic // original ("legacy") nacl crypto_box-based public key
 	serverNoiseKey key.MachinePublic
@@ -106,6 +108,7 @@ type Options struct {
 	KeepAlive            bool
 	Logf                 logger.Logf
 	HTTPTestClient       *http.Client     // optional HTTP client to use (for tests only)
+	NoiseTestClient      *http.Client     // optional HTTP client to use for noise RPCs (tests only)
 	DebugFlags           []string         // debug settings to send to control
 	LinkMonitor          *monitor.Mon     // optional link monitor
 	PopBrowserURL        func(url string) // optional func to open browser
@@ -132,6 +135,34 @@ type Options struct {
 	// MapResponse.PingRequest queries from the control plane.
 	// If nil, PingRequest queries are not answered.
 	Pinger Pinger
+
+	// DialPlan contains and stores a previous dial plan that we received
+	// from the control server; if nil, we fall back to using DNS.
+	//
+	// If we receive a new DialPlan from the server, this value will be
+	// updated.
+	DialPlan ControlDialPlanner
+}
+
+// ControlDialPlanner is the interface optionally supplied when creating a
+// control client to control exactly how TCP connections to the control plane
+// are dialed.
+//
+// It is usually implemented by an atomic.Pointer.
+type ControlDialPlanner interface {
+	// Load returns the current plan for how to connect to control.
+	//
+	// The returned plan can be nil. If so, connections should be made by
+	// resolving the control URL using DNS.
+	Load() *tailcfg.ControlDialPlan
+
+	// Store updates the dial plan with new directions from the control
+	// server.
+	//
+	// The dial plan can span multiple connections to the control server.
+	// That is, a dial plan received when connected over Wi-Fi is still
+	// valid for a subsequent connection over LTE after a network switch.
+	Store(*tailcfg.ControlDialPlan)
 }
 
 // Pinger is the LocalBackend.Ping method.
@@ -215,6 +246,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		popBrowser:             opts.PopBrowserURL,
 		c2nHandler:             opts.C2NHandler,
 		dialer:                 opts.Dialer,
+		dialPlan:               opts.DialPlan,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
@@ -226,6 +258,12 @@ func NewDirect(opts Options) (*Direct, error) {
 			c.SetNetInfo(ni)
 		}
 	}
+	if opts.NoiseTestClient != nil {
+		c.noiseClient = &noiseClient{
+			Client: opts.NoiseTestClient,
+		}
+		c.serverNoiseKey = key.NewMachine().Public() // prevent early error before hitting test client
+	}
 	return c, nil
 }
 
@@ -738,7 +776,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		// with useful results. The first POST just gets us the DERP map which we
 		// need to do the STUN queries to discover our endpoints.
 		// TODO(bradfitz): we skip this optimization in tests, though,
-		// because the e2e tests are currently hyperspecific about the
+		// because the e2e tests are currently hyper-specific about the
 		// ordering of things. The e2e tests need love.
 		ReadOnly: readOnly || (len(epStrs) == 0 && !everEndpoints && !inTest()),
 	}
@@ -908,6 +946,14 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		} else {
 			vlogf("netmap: got new map")
 		}
+		if resp.ControlDialPlan != nil {
+			if c.dialPlan != nil {
+				c.logf("netmap: got new dial plan from control")
+				c.dialPlan.Store(resp.ControlDialPlan)
+			} else {
+				c.logf("netmap: [unexpected] new dial plan; nowhere to store it")
+			}
+		}
 
 		select {
 		case timeoutReset <- struct{}{}:
@@ -1358,12 +1404,17 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 	if nc != nil {
 		return nc, nil
 	}
+	var dp func() *tailcfg.ControlDialPlan
+	if c.dialPlan != nil {
+		dp = c.dialPlan.Load
+	}
 	nc, err, _ := c.sfGroup.Do(struct{}{}, func() (*noiseClient, error) {
 		k, err := c.getMachinePrivKey()
 		if err != nil {
 			return nil, err
 		}
-		nc, err := newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer)
+		c.logf("creating new noise client")
+		nc, err := newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer, dp)
 		if err != nil {
 			return nil, err
 		}
@@ -1383,15 +1434,11 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 func (c *Direct) setDNSNoise(ctx context.Context, req *tailcfg.SetDNSRequest) error {
 	newReq := *req
 	newReq.Version = tailcfg.CurrentCapabilityVersion
-	np, err := c.getNoiseClient()
+	nc, err := c.getNoiseClient()
 	if err != nil {
 		return err
 	}
-	bodyData, err := json.Marshal(newReq)
-	if err != nil {
-		return err
-	}
-	res, err := np.Post(fmt.Sprintf("https://%v/%v", np.host, "machine/set-dns"), "application/json", bytes.NewReader(bodyData))
+	res, err := nc.post(ctx, "/machine/set-dns", &newReq)
 	if err != nil {
 		return err
 	}
@@ -1539,6 +1586,38 @@ func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailc
 	return nil
 }
 
+// ReportHealthChange reports to the control plane a change to this node's
+// health.
+func (c *Direct) ReportHealthChange(sys health.Subsystem, sysErr error) {
+	if sys == health.SysOverall {
+		// We don't report these. These include things like the network is down
+		// (in which case we can't report anyway) or the user wanted things
+		// stopped, as opposed to the more unexpected failure types in the other
+		// subsystems.
+		return
+	}
+	np, err := c.getNoiseClient()
+	if err != nil {
+		// Don't report errors to control if the server doesn't support noise.
+		return
+	}
+	req := &tailcfg.HealthChangeRequest{
+		Subsys: string(sys),
+	}
+	if sysErr != nil {
+		req.Error = sysErr.Error()
+	}
+
+	// Best effort, no logging:
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	res, err := np.post(ctx, "/machine/update-health", req)
+	if err != nil {
+		return
+	}
+	res.Body.Close()
+}
+
 var (
 	metricMapRequestsActive = clientmetric.NewGauge("controlclient_map_requests_active")
 

control/controlclient/map.go

@@ -35,7 +35,7 @@ type mapSession struct {
 	machinePubKey          key.MachinePublic
 	keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit
 
-	// Fields storing state over the the coards of multiple MapResponses.
+	// Fields storing state over the course of multiple MapResponses.
 	lastNode               *tailcfg.Node
 	lastDNSConfig          *tailcfg.DNSConfig
 	lastDERPMap            *tailcfg.DERPMap
@@ -45,9 +45,11 @@ type mapSession struct {
 	collectServices        bool
 	previousPeers          []*tailcfg.Node // for delta-purposes
 	lastDomain             string
+	lastDomainAuditLogID   string
 	lastHealth             []string
 	lastPopBrowserURL      string
 	stickyDebug            tailcfg.Debug // accumulated opt.Bool values
+	lastTKAInfo            *tailcfg.TKAInfo
 
 	// netMapBuilding is non-nil during a netmapForResponse call,
 	// containing the value to be returned, once fully populated.
@@ -112,9 +114,15 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	if resp.Domain != "" {
 		ms.lastDomain = resp.Domain
 	}
+	if resp.DomainDataPlaneAuditLogID != "" {
+		ms.lastDomainAuditLogID = resp.DomainDataPlaneAuditLogID
+	}
 	if resp.Health != nil {
 		ms.lastHealth = resp.Health
 	}
+	if resp.TKAInfo != nil {
+		ms.lastTKAInfo = resp.TKAInfo
+	}
 
 	debug := resp.Debug
 	if debug != nil {
@@ -139,22 +147,31 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	}
 
 	nm := &netmap.NetworkMap{
-		NodeKey:         ms.privateNodeKey.Public(),
-		PrivateKey:      ms.privateNodeKey,
-		MachineKey:      ms.machinePubKey,
-		Peers:           resp.Peers,
-		UserProfiles:    make(map[tailcfg.UserID]tailcfg.UserProfile),
-		Domain:          ms.lastDomain,
-		DNS:             *ms.lastDNSConfig,
-		PacketFilter:    ms.lastParsedPacketFilter,
-		SSHPolicy:       ms.lastSSHPolicy,
-		CollectServices: ms.collectServices,
-		DERPMap:         ms.lastDERPMap,
-		Debug:           debug,
-		ControlHealth:   ms.lastHealth,
+		NodeKey:          ms.privateNodeKey.Public(),
+		PrivateKey:       ms.privateNodeKey,
+		MachineKey:       ms.machinePubKey,
+		Peers:            resp.Peers,
+		UserProfiles:     make(map[tailcfg.UserID]tailcfg.UserProfile),
+		Domain:           ms.lastDomain,
+		DomainAuditLogID: ms.lastDomainAuditLogID,
+		DNS:              *ms.lastDNSConfig,
+		PacketFilter:     ms.lastParsedPacketFilter,
+		SSHPolicy:        ms.lastSSHPolicy,
+		CollectServices:  ms.collectServices,
+		DERPMap:          ms.lastDERPMap,
+		Debug:            debug,
+		ControlHealth:    ms.lastHealth,
+		TKAEnabled:       ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
 	}
 	ms.netMapBuilding = nm
 
+	if ms.lastTKAInfo != nil && ms.lastTKAInfo.Head != "" {
+		if err := nm.TKAHead.UnmarshalText([]byte(ms.lastTKAInfo.Head)); err != nil {
+			ms.logf("error unmarshalling TKAHead: %v", err)
+			nm.TKAEnabled = false
+		}
+	}
+
 	if resp.Node != nil {
 		ms.lastNode = resp.Node
 	}

control/controlclient/map_test.go

@@ -466,7 +466,7 @@ func TestNetmapForResponse(t *testing.T) {
 	})
 }
 
-// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResposnes
+// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResponses
 // entirely or have their opt.Bool values unspecified between MapResponses in a
 // session and that should mean no change. (as of capver 37). But two Debug
 // fields existed prior to capver 37 that weren't opt.Bool; we test that we both

control/controlclient/noise.go

@@ -5,8 +5,10 @@
 package controlclient
 
 import (
+	"bytes"
 	"context"
 	"crypto/tls"
+	"encoding/json"
 	"math"
 	"net"
 	"net/http"
@@ -53,6 +55,11 @@ type noiseClient struct {
 	httpPort     string // the default port to call
 	httpsPort    string // the fallback Noise-over-https port
 
+	// dialPlan optionally returns a ControlDialPlan previously received
+	// from the control server; either the function or the return value can
+	// be nil.
+	dialPlan func() *tailcfg.ControlDialPlan
+
 	// mu only protects the following variables.
 	mu       sync.Mutex
 	nextID   int
@@ -61,7 +68,9 @@ type noiseClient struct {
 
 // newNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
-func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer) (*noiseClient, error) {
+//
+// dialPlan may be nil
+func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer, dialPlan func() *tailcfg.ControlDialPlan) (*noiseClient, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, err
@@ -89,6 +98,7 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 		httpPort:     httpPort,
 		httpsPort:    httpsPort,
 		dialer:       dialer,
+		dialPlan:     dialPlan,
 	}
 
 	// Create the HTTP/2 Transport using a net/http.Transport
@@ -155,16 +165,51 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.nextID++
 	nc.mu.Unlock()
 
-	// Timeout is a little arbitrary, but plenty long enough for even the
-	// highest latency links.
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-
 	if tailcfg.CurrentCapabilityVersion > math.MaxUint16 {
 		// Panic, because a test should have started failing several
 		// thousand version numbers before getting to this point.
 		panic("capability version is too high to fit in the wire protocol")
 	}
+
+	var dialPlan *tailcfg.ControlDialPlan
+	if nc.dialPlan != nil {
+		dialPlan = nc.dialPlan()
+	}
+
+	// If we have a dial plan, then set our timeout as slightly longer than
+	// the maximum amount of time contained therein; we assume that
+	// explicit instructions on timeouts are more useful than a single
+	// hard-coded timeout.
+	//
+	// The default value of 5 is chosen so that, when there's no dial plan,
+	// we retain the previous behaviour of 10 seconds end-to-end timeout.
+	timeoutSec := 5.0
+	if dialPlan != nil {
+		for _, c := range dialPlan.Candidates {
+			if v := c.DialStartDelaySec + c.DialTimeoutSec; v > timeoutSec {
+				timeoutSec = v
+			}
+		}
+	}
+
+	// After we establish a connection, we need some time to actually
+	// upgrade it into a Noise connection. With a ballpark worst-case RTT
+	// of 1000ms, give ourselves an extra 5 seconds to complete the
+	// handshake.
+	timeoutSec += 5
+
+	// Be extremely defensive and ensure that the timeout is in the range
+	// [5, 60] seconds (e.g. if we accidentally get a negative number).
+	if timeoutSec > 60 {
+		timeoutSec = 60
+	} else if timeoutSec < 5 {
+		timeoutSec = 5
+	}
+
+	timeout := time.Duration(timeoutSec * float64(time.Second))
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
 	conn, err := (&controlhttp.Dialer{
 		Hostname:        nc.host,
 		HTTPPort:        nc.httpPort,
@@ -173,6 +218,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 		ControlKey:      nc.serverPubKey,
 		ProtocolVersion: uint16(tailcfg.CurrentCapabilityVersion),
 		Dialer:          nc.dialer.SystemDial,
+		DialPlan:        dialPlan,
 	}).Dial(ctx)
 	if err != nil {
 		return nil, err
@@ -184,3 +230,16 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	mak.Set(&nc.connPool, ncc.id, ncc)
 	return ncc, nil
 }
+
+func (nc *noiseClient) post(ctx context.Context, path string, body any) (*http.Response, error) {
+	jbody, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+	req, err := http.NewRequestWithContext(ctx, "POST", "https://"+nc.host+path, bytes.NewReader(jbody))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	return nc.Do(req)
+}

control/controlhttp/client.go

@@ -28,18 +28,25 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"net"
 	"net/http"
 	"net/http/httptrace"
+	"net/netip"
 	"net/url"
+	"sort"
+	"sync/atomic"
 	"time"
 
 	"tailscale.com/control/controlbase"
+	"tailscale.com/envknob"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/multierr"
 )
 
 var stdDialer net.Dialer
@@ -82,7 +89,170 @@ func (a *Dialer) httpsFallbackDelay() time.Duration {
 	return 500 * time.Millisecond
 }
 
+var _ = envknob.RegisterBool("TS_USE_CONTROL_DIAL_PLAN") // to record at init time whether it's in use
+
 func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
+	// If we don't have a dial plan, just fall back to dialing the single
+	// host we know about.
+	useDialPlan := envknob.BoolDefaultTrue("TS_USE_CONTROL_DIAL_PLAN")
+	if !useDialPlan || a.DialPlan == nil || len(a.DialPlan.Candidates) == 0 {
+		return a.dialHost(ctx, netip.Addr{})
+	}
+	candidates := a.DialPlan.Candidates
+
+	// Otherwise, we try dialing per the plan. Store the highest priority
+	// in the list, so that if we get a connection to one of those
+	// candidates we can return quickly.
+	var highestPriority int = math.MinInt
+	for _, c := range candidates {
+		if c.Priority > highestPriority {
+			highestPriority = c.Priority
+		}
+	}
+
+	// This context allows us to cancel in-flight connections if we get a
+	// highest-priority connection before we're all done.
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// Now, for each candidate, kick off a dial in parallel.
+	type dialResult struct {
+		conn     *controlbase.Conn
+		err      error
+		addr     netip.Addr
+		priority int
+	}
+	resultsCh := make(chan dialResult, len(candidates))
+
+	var pending atomic.Int32
+	pending.Store(int32(len(candidates)))
+	for _, c := range candidates {
+		go func(ctx context.Context, c tailcfg.ControlIPCandidate) {
+			var (
+				conn *controlbase.Conn
+				err  error
+			)
+
+			// Always send results back to our channel.
+			defer func() {
+				resultsCh <- dialResult{conn, err, c.IP, c.Priority}
+				if pending.Add(-1) == 0 {
+					close(resultsCh)
+				}
+			}()
+
+			// If non-zero, wait the configured start timeout
+			// before we do anything.
+			if c.DialStartDelaySec > 0 {
+				a.logf("[v2] controlhttp: waiting %.2f seconds before dialing %q @ %v", c.DialStartDelaySec, a.Hostname, c.IP)
+				tmr := time.NewTimer(time.Duration(c.DialStartDelaySec * float64(time.Second)))
+				defer tmr.Stop()
+				select {
+				case <-ctx.Done():
+					err = ctx.Err()
+					return
+				case <-tmr.C:
+				}
+			}
+
+			// Now, create a sub-context with the given timeout and
+			// try dialing the provided host.
+			ctx, cancel := context.WithTimeout(ctx, time.Duration(c.DialTimeoutSec*float64(time.Second)))
+			defer cancel()
+
+			// This will dial, and the defer above sends it back to our parent.
+			a.logf("[v2] controlhttp: trying to dial %q @ %v", a.Hostname, c.IP)
+			conn, err = a.dialHost(ctx, c.IP)
+		}(ctx, c)
+	}
+
+	var results []dialResult
+	for res := range resultsCh {
+		// If we get a response that has the highest priority, we don't
+		// need to wait for any of the other connections to finish; we
+		// can just return this connection.
+		//
+		// TODO(andrew): we could make this better by keeping track of
+		// the highest remaining priority dynamically, instead of just
+		// checking for the highest total
+		if res.priority == highestPriority && res.conn != nil {
+			a.logf("[v1] controlhttp: high-priority success dialing %q @ %v from dial plan", a.Hostname, res.addr)
+
+			// Drain the channel and any existing connections in
+			// the background.
+			go func() {
+				for _, res := range results {
+					if res.conn != nil {
+						res.conn.Close()
+					}
+				}
+				for res := range resultsCh {
+					if res.conn != nil {
+						res.conn.Close()
+					}
+				}
+				if a.drainFinished != nil {
+					close(a.drainFinished)
+				}
+			}()
+			return res.conn, nil
+		}
+
+		// This isn't a highest-priority result, so just store it until
+		// we're done.
+		results = append(results, res)
+	}
+
+	// After we finish this function, close any remaining open connections.
+	defer func() {
+		for _, result := range results {
+			// Note: below, we nil out the returned connection (if
+			// any) in the slice so we don't close it.
+			if result.conn != nil {
+				result.conn.Close()
+			}
+		}
+
+		// We don't drain asynchronously after this point, so notify our
+		// channel when we return.
+		if a.drainFinished != nil {
+			close(a.drainFinished)
+		}
+	}()
+
+	// Sort by priority, then take the first non-error response.
+	sort.Slice(results, func(i, j int) bool {
+		// NOTE: intentionally inverted so that the highest priority
+		// item comes first
+		return results[i].priority > results[j].priority
+	})
+
+	var (
+		conn *controlbase.Conn
+		errs []error
+	)
+	for i, result := range results {
+		if result.err != nil {
+			errs = append(errs, result.err)
+			continue
+		}
+
+		a.logf("[v1] controlhttp: succeeded dialing %q @ %v from dial plan", a.Hostname, result.addr)
+		conn = result.conn
+		results[i].conn = nil // so we don't close it in the defer
+		return conn, nil
+	}
+	merr := multierr.New(errs...)
+
+	// If we get here, then we didn't get anywhere with our dial plan; fall back to just using DNS.
+	a.logf("controlhttp: failed dialing using DialPlan, falling back to DNS; errs=%s", merr.Error())
+	return a.dialHost(ctx, netip.Addr{})
+}
+
+// dialHost connects to the configured Dialer.Hostname and upgrades the
+// connection into a controlbase.Conn. If addr is valid, then no DNS is used
+// and the connection will be made to the provided address.
+func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Conn, error) {
 	// Create one shared context used by both port 80 and port 443 dials.
 	// If port 80 is still in flight when 443 returns, this deferred cancel
 	// will stop the port 80 dial.
@@ -110,7 +280,7 @@ func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
 	}
 	ch := make(chan tryURLRes) // must be unbuffered
 	try := func(u *url.URL) {
-		cbConn, err := a.dialURL(ctx, u)
+		cbConn, err := a.dialURL(ctx, u, addr)
 		select {
 		case ch <- tryURLRes{u, cbConn, err}:
 		case <-ctx.Done():
@@ -161,12 +331,12 @@ func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
 }
 
 // dialURL attempts to connect to the given URL.
-func (a *Dialer) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
+func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*controlbase.Conn, error) {
 	init, cont, err := controlbase.ClientDeferred(a.MachineKey, a.ControlKey, a.ProtocolVersion)
 	if err != nil {
 		return nil, err
 	}
-	netConn, err := a.tryURLUpgrade(ctx, u, init)
+	netConn, err := a.tryURLUpgrade(ctx, u, addr, init)
 	if err != nil {
 		return nil, err
 	}
@@ -178,14 +348,27 @@ func (a *Dialer) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, er
 	return cbConn, nil
 }
 
-// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn.
+// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn. If addr
+// is valid, then no DNS is used and the connection will be made to the
+// provided address.
 //
 // Only the provided ctx is used, not a.ctx.
-func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
-	dns := &dnscache.Resolver{
-		Forward:          dnscache.Get().Forward,
-		LookupIPFallback: dnsfallback.Lookup,
-		UseLastGood:      true,
+func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr, init []byte) (net.Conn, error) {
+	var dns *dnscache.Resolver
+
+	// If we were provided an address to dial, then create a resolver that just
+	// returns that value; otherwise, fall back to DNS.
+	if addr.IsValid() {
+		dns = &dnscache.Resolver{
+			SingleHostStaticResult: []netip.Addr{addr},
+			SingleHost:             u.Hostname(),
+		}
+	} else {
+		dns = &dnscache.Resolver{
+			Forward:          dnscache.Get().Forward,
+			LookupIPFallback: dnsfallback.Lookup,
+			UseLastGood:      true,
+		}
 	}
 
 	var dialer dnscache.DialContextFunc

control/controlhttp/client_js.go

@@ -29,9 +29,11 @@ func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
 
 	wsScheme := "wss"
 	host := d.Hostname
-	if host == "localhost" {
+	// If using a custom control server (on a non-standard port), prefer that.
+	// This mirrors the port selection in newNoiseClient from noise.go.
+	if d.HTTPPort != "" && d.HTTPPort != "80" && d.HTTPSPort == "443" {
 		wsScheme = "ws"
-		host = net.JoinHostPort(host, strDef(d.HTTPPort, "80"))
+		host = net.JoinHostPort(host, d.HTTPPort)
 	}
 	wsURL := &url.URL{
 		Scheme: wsScheme,

control/controlhttp/constants.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"tailscale.com/net/dnscache"
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -70,9 +71,15 @@ type Dialer struct {
 	// dropped.
 	Logf logger.Logf
 
+	// DialPlan, if set, contains instructions from the control server on
+	// how to connect to it. If present, we will try the methods in this
+	// plan before falling back to DNS.
+	DialPlan *tailcfg.ControlDialPlan
+
 	proxyFunc func(*http.Request) (*url.URL, error) // or nil
 
 	// For tests only
+	drainFinished     chan struct{}
 	insecureTLS       bool
 	testFallbackDelay time.Duration
 }

control/controlhttp/http_test.go

@@ -13,16 +13,21 @@ import (
 	"net"
 	"net/http"
 	"net/http/httputil"
+	"net/netip"
 	"net/url"
+	"runtime"
 	"strconv"
 	"sync"
 	"testing"
 	"time"
 
 	"tailscale.com/control/controlbase"
+	"tailscale.com/net/dnscache"
 	"tailscale.com/net/socks5"
 	"tailscale.com/net/tsdial"
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
 )
 
 type httpTestParam struct {
@@ -444,3 +449,263 @@ func brokenMITMHandler(w http.ResponseWriter, r *http.Request) {
 	w.(http.Flusher).Flush()
 	<-r.Context().Done()
 }
+
+func TestDialPlan(t *testing.T) {
+	if runtime.GOOS != "linux" {
+		t.Skip("only works on Linux due to multiple localhost addresses")
+	}
+
+	client, server := key.NewMachine(), key.NewMachine()
+
+	const (
+		testProtocolVersion = 1
+
+		// We need consistent ports for each address; these are chosen
+		// randomly and we hope that they won't conflict during this test.
+		httpPort  = "40080"
+		httpsPort = "40443"
+	)
+
+	makeHandler := func(t *testing.T, name string, host netip.Addr, wrap func(http.Handler) http.Handler) {
+		done := make(chan struct{})
+		t.Cleanup(func() {
+			close(done)
+		})
+		var handler http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			conn, err := AcceptHTTP(context.Background(), w, r, server)
+			if err != nil {
+				log.Print(err)
+			} else {
+				defer conn.Close()
+			}
+			w.Header().Set("X-Handler-Name", name)
+			<-done
+		})
+		if wrap != nil {
+			handler = wrap(handler)
+		}
+
+		httpLn, err := net.Listen("tcp", host.String()+":"+httpPort)
+		if err != nil {
+			t.Fatalf("HTTP listen: %v", err)
+		}
+		httpsLn, err := net.Listen("tcp", host.String()+":"+httpsPort)
+		if err != nil {
+			t.Fatalf("HTTPS listen: %v", err)
+		}
+
+		httpServer := &http.Server{Handler: handler}
+		go httpServer.Serve(httpLn)
+		t.Cleanup(func() {
+			httpServer.Close()
+		})
+
+		httpsServer := &http.Server{
+			Handler:   handler,
+			TLSConfig: tlsConfig(t),
+			ErrorLog:  logger.StdLogger(logger.WithPrefix(t.Logf, "http.Server.ErrorLog: ")),
+		}
+		go httpsServer.ServeTLS(httpsLn, "", "")
+		t.Cleanup(func() {
+			httpsServer.Close()
+		})
+		return
+	}
+
+	fallbackAddr := netip.MustParseAddr("127.0.0.1")
+	goodAddr := netip.MustParseAddr("127.0.0.2")
+	otherAddr := netip.MustParseAddr("127.0.0.3")
+	other2Addr := netip.MustParseAddr("127.0.0.4")
+	brokenAddr := netip.MustParseAddr("127.0.0.10")
+
+	testCases := []struct {
+		name string
+		plan *tailcfg.ControlDialPlan
+		wrap func(http.Handler) http.Handler
+		want netip.Addr
+
+		allowFallback bool
+	}{
+		{
+			name: "single",
+			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
+				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
+			}},
+			want: goodAddr,
+		},
+		{
+			name: "broken-then-good",
+			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
+				// Dials the broken one, which fails, and then
+				// eventually dials the good one and succeeds
+				{IP: brokenAddr, Priority: 2, DialTimeoutSec: 10},
+				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10, DialStartDelaySec: 1},
+			}},
+			want: goodAddr,
+		},
+		{
+			name: "multiple-priority-fast-path",
+			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
+				// Dials some good IPs and our bad one (which
+				// hangs forever), which then hits the fast
+				// path where we bail without waiting.
+				{IP: brokenAddr, Priority: 1, DialTimeoutSec: 10},
+				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
+				{IP: other2Addr, Priority: 1, DialTimeoutSec: 10},
+				{IP: otherAddr, Priority: 2, DialTimeoutSec: 10},
+			}},
+			want: otherAddr,
+		},
+		{
+			name: "multiple-priority-slow-path",
+			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
+				// Our broken address is the highest priority,
+				// so we don't hit our fast path.
+				{IP: brokenAddr, Priority: 10, DialTimeoutSec: 10},
+				{IP: otherAddr, Priority: 2, DialTimeoutSec: 10},
+				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
+			}},
+			want: otherAddr,
+		},
+		{
+			name: "fallback",
+			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
+				{IP: brokenAddr, Priority: 1, DialTimeoutSec: 1},
+			}},
+			want:          fallbackAddr,
+			allowFallback: true,
+		},
+	}
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			makeHandler(t, "fallback", fallbackAddr, nil)
+			makeHandler(t, "good", goodAddr, nil)
+			makeHandler(t, "other", otherAddr, nil)
+			makeHandler(t, "other2", other2Addr, nil)
+			makeHandler(t, "broken", brokenAddr, func(h http.Handler) http.Handler {
+				return http.HandlerFunc(brokenMITMHandler)
+			})
+
+			dialer := closeTrackDialer{
+				t:     t,
+				inner: new(tsdial.Dialer).SystemDial,
+				conns: make(map[*closeTrackConn]bool),
+			}
+			defer dialer.Done()
+
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+
+			// By default, we intentionally point to something that
+			// we know won't connect, since we want a fallback to
+			// DNS to be an error.
+			host := "example.com"
+			if tt.allowFallback {
+				host = "localhost"
+			}
+
+			drained := make(chan struct{})
+			a := &Dialer{
+				Hostname:          host,
+				HTTPPort:          httpPort,
+				HTTPSPort:         httpsPort,
+				MachineKey:        client,
+				ControlKey:        server.Public(),
+				ProtocolVersion:   testProtocolVersion,
+				Dialer:            dialer.Dial,
+				Logf:              t.Logf,
+				DialPlan:          tt.plan,
+				proxyFunc:         func(*http.Request) (*url.URL, error) { return nil, nil },
+				drainFinished:     drained,
+				insecureTLS:       true,
+				testFallbackDelay: 50 * time.Millisecond,
+			}
+
+			conn, err := a.dial(ctx)
+			if err != nil {
+				t.Fatalf("dialing controlhttp: %v", err)
+			}
+			defer conn.Close()
+
+			raddr := conn.RemoteAddr().(*net.TCPAddr)
+
+			got, ok := netip.AddrFromSlice(raddr.IP)
+			if !ok {
+				t.Errorf("invalid remote IP: %v", raddr.IP)
+			} else if got != tt.want {
+				t.Errorf("got connection from %q; want %q", got, tt.want)
+			} else {
+				t.Logf("successfully connected to %q", raddr.String())
+			}
+
+			// Wait until our dialer drains so we can verify that
+			// all connections are closed.
+			<-drained
+		})
+	}
+}
+
+type closeTrackDialer struct {
+	t     testing.TB
+	inner dnscache.DialContextFunc
+	mu    sync.Mutex
+	conns map[*closeTrackConn]bool
+}
+
+func (d *closeTrackDialer) Dial(ctx context.Context, network, addr string) (net.Conn, error) {
+	c, err := d.inner(ctx, network, addr)
+	if err != nil {
+		return nil, err
+	}
+	ct := &closeTrackConn{Conn: c, d: d}
+
+	d.mu.Lock()
+	d.conns[ct] = true
+	d.mu.Unlock()
+	return ct, nil
+}
+
+func (d *closeTrackDialer) Done() {
+	// Unfortunately, tsdial.Dialer.SystemDial closes connections
+	// asynchronously in a goroutine, so we can't assume that everything is
+	// closed by the time we get here.
+	//
+	// Sleep/wait a few times on the assumption that things will close
+	// "eventually".
+	const iters = 100
+	for i := 0; i < iters; i++ {
+		d.mu.Lock()
+		if len(d.conns) == 0 {
+			d.mu.Unlock()
+			return
+		}
+
+		// Only error on last iteration
+		if i != iters-1 {
+			d.mu.Unlock()
+			time.Sleep(100 * time.Millisecond)
+			continue
+		}
+
+		for conn := range d.conns {
+			d.t.Errorf("expected close of conn %p; RemoteAddr=%q", conn, conn.RemoteAddr().String())
+		}
+		d.mu.Unlock()
+	}
+}
+
+func (d *closeTrackDialer) noteClose(c *closeTrackConn) {
+	d.mu.Lock()
+	delete(d.conns, c) // safe if already deleted
+	d.mu.Unlock()
+}
+
+type closeTrackConn struct {
+	net.Conn
+	d *closeTrackDialer
+}
+
+func (c *closeTrackConn) Close() error {
+	c.d.noteClose(c)
+	return c.Conn.Close()
+}

derp/derp_test.go

@@ -232,7 +232,7 @@ func TestSendFreeze(t *testing.T) {
 	//	alice --> bob
 	//	alice --> cathy
 	//
-	// Then cathy stops processing messsages.
+	// Then cathy stops processing messages.
 	// That should not interfere with alice talking to bob.
 
 	newClient := func(ctx context.Context, name string, k key.NodePrivate) (c *Client, clientConn nettest.Conn) {
@@ -772,7 +772,7 @@ func TestForwarderRegistration(t *testing.T) {
 	})
 
 	// Now pretend u1 was already connected locally (so clientsMesh[u1] is nil), and then we heard
-	// that they're also connected to a peer of ours. That sholdn't transition the forwarder
+	// that they're also connected to a peer of ours. That shouldn't transition the forwarder
 	// from nil to the new one, not a multiForwarder.
 	s.clients[u1] = singleClient{u1c}
 	s.clientsMesh[u1] = nil

derp/derphttp/derphttp_client.go

@@ -199,7 +199,7 @@ func (c *Client) urlString(node *tailcfg.DERPNode) string {
 	return fmt.Sprintf("https://%s/derp", node.HostName)
 }
 
-// AddressFamilySelector decides whethers IPv6 is preferred for
+// AddressFamilySelector decides whether IPv6 is preferred for
 // outbound dials.
 type AddressFamilySelector interface {
 	// PreferIPv6 reports whether IPv4 dials should be slightly

disco/disco.go

@@ -15,9 +15,9 @@
 // The recipient then decrypts the bytes following (the nacl secretbox)
 // and then the inner payload structure is:
 //
-//	messageType    byte  (the MessageType constants below)
-//	messageVersion byte  (0 for now; but always ignore bytes at the end)
-//	message-paylod [...]byte
+//	messageType     byte  (the MessageType constants below)
+//	messageVersion  byte  (0 for now; but always ignore bytes at the end)
+//	message-payload [...]byte
 package disco
 
 import (

docs/k8s/proxy.yaml

@@ -9,7 +9,7 @@ spec:
   serviceAccountName: "{{SA_NAME}}"
   initContainers:
     # In order to run as a proxy we need to enable IP Forwarding inside
-    # the container. The `net.ipv4.ip_forward` sysctl is not whitelisted
+    # the container. The `net.ipv4.ip_forward` sysctl is not allowlisted
     # in Kubelet by default.
   - name: sysctler
     image: busybox
@@ -18,7 +18,7 @@ spec:
     command: ["/bin/sh"]
     args:
       - -c
-      - sysctl -w net.ipv4.ip_forward=1 -w net.ipv6.conf.all.forwarding=1
+      - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
     resources:
       requests:
         cpu: 1m
@@ -37,7 +37,7 @@ spec:
       valueFrom:
         secretKeyRef:
           name: tailscale-auth
-          key: AUTH_KEY
+          key: TS_AUTH_KEY
           optional: true
     - name: TS_DEST_IP
       value: "{{TS_DEST_IP}}"

docs/k8s/run.sh

@@ -17,10 +17,11 @@ TS_KUBE_SECRET="${TS_KUBE_SECRET:-tailscale}"
 TS_SOCKS5_SERVER="${TS_SOCKS5_SERVER:-}"
 TS_OUTBOUND_HTTP_PROXY_LISTEN="${TS_OUTBOUND_HTTP_PROXY_LISTEN:-}"
 TS_TAILSCALED_EXTRA_ARGS="${TS_TAILSCALED_EXTRA_ARGS:-}"
+TS_SOCKET="${TS_SOCKET:-/tmp/tailscaled.sock}"
 
 set -e
 
-TAILSCALED_ARGS="--socket=/tmp/tailscaled.sock"
+TAILSCALED_ARGS="--socket=${TS_SOCKET}"
 
 if [[ ! -z "${KUBERNETES_SERVICE_HOST}" ]]; then
   TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=kube:${TS_KUBE_SECRET} --statedir=${TS_STATE_DIR:-/tmp}"
@@ -81,11 +82,11 @@ if [[ ! -z "${TS_EXTRA_ARGS}" ]]; then
 fi
 
 echo "Running tailscale up"
-tailscale --socket=/tmp/tailscaled.sock up ${UP_ARGS}
+tailscale --socket="${TS_SOCKET}" up ${UP_ARGS}
 
 if [[ ! -z "${TS_DEST_IP}" ]]; then
   echo "Adding iptables rule for DNAT"
-  iptables -t nat -I PREROUTING -d "$(tailscale --socket=/tmp/tailscaled.sock ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
+  iptables -t nat -I PREROUTING -d "$(tailscale --socket=${TS_SOCKET} ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
 fi
 
 echo "Waiting for tailscaled to exit"

docs/k8s/subnet.yaml

@@ -23,7 +23,7 @@ spec:
       valueFrom:
         secretKeyRef:
           name: tailscale-auth
-          key: AUTH_KEY
+          key: TS_AUTH_KEY
           optional: true
     - name: TS_ROUTES
       value: "{{TS_ROUTES}}"

docs/k8s/userspace-sidecar.yaml

@@ -26,5 +26,5 @@ spec:
       valueFrom:
         secretKeyRef:
           name: tailscale-auth
-          key: AUTH_KEY
+          key: TS_AUTH_KEY
           optional: true

doctor/doctor.go

@@ -0,0 +1,80 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package doctor contains more in-depth healthchecks that can be run to aid in
+// diagnosing Tailscale issues.
+package doctor
+
+import (
+	"context"
+	"sync"
+
+	"tailscale.com/types/logger"
+)
+
+// Check is the interface defining a singular check.
+//
+// A check should log information that it gathers using the provided log
+// function, and should attempt to make as much progress as possible in error
+// conditions.
+type Check interface {
+	// Name should return a name describing this check, in lower-kebab-case
+	// (i.e. "my-check", not "MyCheck" or "my_check").
+	Name() string
+	// Run executes the check, logging diagnostic information to the
+	// provided logger function.
+	Run(context.Context, logger.Logf) error
+}
+
+// RunChecks runs a list of checks in parallel, and logs any returned errors
+// after all checks have returned.
+func RunChecks(ctx context.Context, log logger.Logf, checks ...Check) {
+	if len(checks) == 0 {
+		return
+	}
+
+	type namedErr struct {
+		name string
+		err  error
+	}
+	errs := make(chan namedErr, len(checks))
+
+	var wg sync.WaitGroup
+	wg.Add(len(checks))
+	for _, check := range checks {
+		go func(c Check) {
+			defer wg.Done()
+
+			plog := logger.WithPrefix(log, c.Name()+": ")
+			errs <- namedErr{
+				name: c.Name(),
+				err:  c.Run(ctx, plog),
+			}
+		}(check)
+	}
+
+	wg.Wait()
+	close(errs)
+
+	for n := range errs {
+		if n.err == nil {
+			continue
+		}
+
+		log("check %s: %v", n.name, n.err)
+	}
+}
+
+// CheckFunc creates a Check from a name and a function.
+func CheckFunc(name string, run func(context.Context, logger.Logf) error) Check {
+	return checkFunc{name, run}
+}
+
+type checkFunc struct {
+	name string
+	run  func(context.Context, logger.Logf) error
+}
+
+func (c checkFunc) Name() string                                   { return c.name }
+func (c checkFunc) Run(ctx context.Context, log logger.Logf) error { return c.run(ctx, log) }

doctor/doctor_test.go

@@ -0,0 +1,50 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package doctor
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"testing"
+
+	qt "github.com/frankban/quicktest"
+	"tailscale.com/types/logger"
+)
+
+func TestRunChecks(t *testing.T) {
+	c := qt.New(t)
+	var (
+		mu    sync.Mutex
+		lines []string
+	)
+	logf := func(format string, args ...any) {
+		mu.Lock()
+		defer mu.Unlock()
+		lines = append(lines, fmt.Sprintf(format, args...))
+	}
+
+	ctx := context.Background()
+	RunChecks(ctx, logf,
+		testCheck1{},
+		CheckFunc("testcheck2", func(_ context.Context, log logger.Logf) error {
+			log("check 2")
+			return nil
+		}),
+	)
+
+	mu.Lock()
+	defer mu.Unlock()
+	c.Assert(lines, qt.Contains, "testcheck1: check 1")
+	c.Assert(lines, qt.Contains, "testcheck2: check 2")
+}
+
+type testCheck1 struct{}
+
+func (t testCheck1) Name() string { return "testcheck1" }
+func (t testCheck1) Run(_ context.Context, log logger.Logf) error {
+	log("check 1")
+	return nil
+}

doctor/routetable/routetable.go

@@ -0,0 +1,35 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package routetable provides a doctor.Check that dumps the current system's
+// route table to the log.
+package routetable
+
+import (
+	"context"
+
+	"tailscale.com/net/routetable"
+	"tailscale.com/types/logger"
+)
+
+// MaxRoutes is the maximum number of routes that will be displayed.
+const MaxRoutes = 1000
+
+// Check implements the doctor.Check interface.
+type Check struct{}
+
+func (Check) Name() string {
+	return "routetable"
+}
+
+func (Check) Run(_ context.Context, logf logger.Logf) error {
+	rs, err := routetable.Get(MaxRoutes)
+	if err != nil {
+		return err
+	}
+	for _, r := range rs {
+		logf("%s", r)
+	}
+	return nil
+}

envknob/envknob.go

@@ -277,6 +277,11 @@ func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
 // SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
 func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }
 
+
+// TKASkipSignatureCheck is whether to skip node-key signature checking for development.
+func TKASkipSignatureCheck() bool { return Bool("TS_UNSAFE_SKIP_NKS_VERIFICATION") }
+
+
 // NoLogsNoSupport reports whether the client's opted out of log uploads and
 // technical support.
 func NoLogsNoSupport() bool {

go.mod

@@ -44,7 +44,7 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1
+	github.com/tailscale/golang-x-crypto v0.0.0-20221009170451-62f465106986
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
 	github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89
@@ -57,9 +57,9 @@ require (
 	go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf
 	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
-	golang.org/x/net v0.0.0-20220607020251-c690dde0001d
+	golang.org/x/net v0.0.0-20221002022538-bcab6841153b
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
+	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11
@@ -210,7 +210,6 @@ require (
 	github.com/nishanths/exhaustive v0.7.11 // indirect
 	github.com/nishanths/predeclared v0.2.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
 	github.com/pelletier/go-toml v1.9.4 // indirect
@@ -230,7 +229,7 @@ require (
 	github.com/ryancurrah/gomodguard v1.2.3 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.3.0 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
-	github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b // indirect
+	github.com/sassoftware/go-rpmutils v0.1.0 // indirect
 	github.com/securego/gosec/v2 v2.9.3 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect

go.sum

@@ -876,7 +876,6 @@ github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -990,8 +989,9 @@ github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYI
 github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
 github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc=
 github.com/sanposhiho/wastedassign/v2 v2.0.7/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
-github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
+github.com/sassoftware/go-rpmutils v0.1.0 h1:VLrna+tV+77Tclr956QkY/pTyyKomQlq2Xw6PuE8tsc=
+github.com/sassoftware/go-rpmutils v0.1.0/go.mod h1:euhXULoBpvAxqrBHEyJS4Tsu3hHxUmQWNymxoJbzgUY=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/securego/gosec/v2 v2.5.0/go.mod h1:L/CDXVntIff5ypVHIkqPXbtRpJiNCh6c6Amn68jXDjo=
 github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc=
@@ -1082,8 +1082,8 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1 h1:vsFV6BKSIgjRd8m8UfrGW4r+cc28fRF71K6IRo46rKs=
-github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
+github.com/tailscale/golang-x-crypto v0.0.0-20221009170451-62f465106986 h1:jWSwTR9CY13oa2oxhR3FInk1ybqC1NbF9cFeoWrrx+E=
+github.com/tailscale/golang-x-crypto v0.0.0-20221009170451-62f465106986/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f h1:n4r/sJ92cBSBHK8n9lR1XLFr0OiTVeGfN5TR+9LaN7E=
@@ -1235,6 +1235,7 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
@@ -1354,8 +1355,8 @@ golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d h1:4SFsTMi4UahlKoloni7L4eYzhFRifURQLw+yv0QDCx8=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20221002022538-bcab6841153b h1:6e93nYa3hNqAvLr0pD4PN1fFS+gKzp2zAXqrnTCstqU=
+golang.org/x/net v0.0.0-20221002022538-bcab6841153b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1490,8 +1491,9 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=

go.toolchain.rev

@@ -1 +1 @@
-b13188dd36c1ad2509796ce10b6a1231b200c36a
+3fd24dee31726924c1b61c8037a889b30b8aa0f6

ipn/backend.go

@@ -69,7 +69,7 @@ type Notify struct {
 	State         *State             // if non-nil, the new or current IPN state
 	Prefs         *Prefs             // if non-nil, the new or current preferences
 	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
-	Engine        *EngineStatus      // if non-nil, the new or urrent wireguard stats
+	Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
 	BrowseToURL   *string            // if non-nil, UI should open a browser right now
 	BackendLogID  *string            // if non-nil, the public logtail ID used by backend
 
@@ -168,6 +168,11 @@ type PartialFile struct {
 //     LocalBackend.userID, a string like "user-$USER_ID" (used in
 //     server mode).
 //   - on Linux/etc, it's always "_daemon" (ipn.GlobalDaemonStateKey)
+//
+// Additionally, the StateKey can be debug setting name:
+//
+//   - "_debug_magicsock_until" with value being a unix timestamp stringified
+//   - "_debug_<component>_until" with value being a unix timestamp stringified
 type StateKey string
 
 type Options struct {

ipn/ipnlocal/c2n.go

@@ -8,16 +8,47 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"strconv"
+	"time"
 
 	"tailscale.com/tailcfg"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/goroutines"
 )
 
 func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
+	writeJSON := func(v any) {
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(v)
+	}
 	switch r.URL.Path {
 	case "/echo":
 		// Test handler.
 		body, _ := io.ReadAll(r.Body)
 		w.Write(body)
+	case "/debug/goroutines":
+		w.Header().Set("Content-Type", "text/plain")
+		w.Write(goroutines.ScrubbedGoroutineDump())
+	case "/debug/prefs":
+		writeJSON(b.Prefs())
+	case "/debug/metrics":
+		w.Header().Set("Content-Type", "text/plain")
+		clientmetric.WritePrometheusExpositionFormat(w)
+	case "/debug/component-logging":
+		component := r.FormValue("component")
+		secs, _ := strconv.Atoi(r.FormValue("secs"))
+		if secs == 0 {
+			secs -= 1
+		}
+		until := time.Now().Add(time.Duration(secs) * time.Second)
+		err := b.SetComponentDebugLogging(component, until)
+		var res struct {
+			Error string `json:",omitempty"`
+		}
+		if err != nil {
+			res.Error = err.Error()
+		}
+		writeJSON(res)
 	case "/ssh/usernames":
 		var req tailcfg.C2NSSHUsernamesRequest
 		if r.Method == "POST" {
@@ -31,8 +62,7 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, err.Error(), 500)
 			return
 		}
-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(res)
+		writeJSON(res)
 	default:
 		http.Error(w, "unknown c2n path", http.StatusBadRequest)
 	}

ipn/ipnlocal/local.go

@@ -24,8 +24,11 @@ import (
 	"time"
 
 	"go4.org/netipx"
+	"golang.org/x/exp/slices"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
+	"tailscale.com/doctor"
+	"tailscale.com/doctor/routetable"
 	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
@@ -53,6 +56,7 @@ import (
 	"tailscale.com/types/views"
 	"tailscale.com/util/deephash"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
@@ -184,11 +188,16 @@ type LocalBackend struct {
 	// *.partial file to its final name on completion.
 	directFileRoot          string
 	directFileDoFinalRename bool // false on macOS, true on several NAS platforms
+	componentLogUntil       map[string]componentLogState
 
 	// statusLock must be held before calling statusChanged.Wait() or
 	// statusChanged.Broadcast().
 	statusLock    sync.Mutex
 	statusChanged *sync.Cond
+
+	// dialPlan is any dial plan that we've received from the control
+	// server during a previous connection; it is cleared on logout.
+	dialPlan atomic.Pointer[tailcfg.ControlDialPlan]
 }
 
 // clientGen is a func that creates a control plane client.
@@ -208,7 +217,7 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 	logf.JSON(1, "Hostinfo", hi)
 	envknob.LogCurrent(logf)
 	if dialer == nil {
-		dialer = new(tsdial.Dialer)
+		dialer = &tsdial.Dialer{Logf: logf}
 	}
 
 	osshare.SetFileSharingEnabled(false, logf)
@@ -261,9 +270,91 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 		b.logf("[unexpected] failed to wire up peer API port for engine %T", e)
 	}
 
+	for _, component := range debuggableComponents {
+		key := componentStateKey(component)
+		if ut, err := ipn.ReadStoreInt(store, key); err == nil {
+			if until := time.Unix(ut, 0); until.After(time.Now()) {
+				// conditional to avoid log spam at start when off
+				b.SetComponentDebugLogging(component, until)
+			}
+		}
+	}
+
 	return b, nil
 }
 
+type componentLogState struct {
+	until time.Time
+	timer *time.Timer // if non-nil, the AfterFunc to disable it
+}
+
+var debuggableComponents = []string{
+	"magicsock",
+}
+
+func componentStateKey(component string) ipn.StateKey {
+	return ipn.StateKey("_debug_" + component + "_until")
+}
+
+// SetComponentDebugLogging sets component's debug logging enabled until the until time.
+// If until is in the past, the component's debug logging is disabled.
+//
+// The following components are recognized:
+//
+//   - magicsock
+func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Time) error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	var setEnabled func(bool)
+	switch component {
+	case "magicsock":
+		mc, err := b.magicConn()
+		if err != nil {
+			return err
+		}
+		setEnabled = mc.SetDebugLoggingEnabled
+	}
+	if setEnabled == nil || !slices.Contains(debuggableComponents, component) {
+		return fmt.Errorf("unknown component %q", component)
+	}
+	timeUnixOrZero := func(t time.Time) int64 {
+		if t.IsZero() {
+			return 0
+		}
+		return t.Unix()
+	}
+	ipn.PutStoreInt(b.store, componentStateKey(component), timeUnixOrZero(until))
+	now := time.Now()
+	on := now.Before(until)
+	setEnabled(on)
+	var onFor time.Duration
+	if on {
+		onFor = until.Sub(now)
+		b.logf("debugging logging for component %q enabled for %v (until %v)", component, onFor.Round(time.Second), until.UTC().Format(time.RFC3339))
+	} else {
+		b.logf("debugging logging for component %q disabled", component)
+	}
+	if oldSt, ok := b.componentLogUntil[component]; ok && oldSt.timer != nil {
+		oldSt.timer.Stop()
+	}
+	newSt := componentLogState{until: until}
+	if on {
+		newSt.timer = time.AfterFunc(onFor, func() {
+			// Turn off logging after the timer fires, as long as the state is
+			// unchanged when the timer actually fires.
+			b.mu.Lock()
+			defer b.mu.Unlock()
+			if ls := b.componentLogUntil[component]; ls.until == until {
+				setEnabled(false)
+				b.logf("debugging logging for component %q disabled (by timer)", component)
+			}
+		})
+	}
+	mak.Set(&b.componentLogUntil, component, newSt)
+	return nil
+}
+
 // Dialer returns the backend's dialer.
 func (b *LocalBackend) Dialer() *tsdial.Dialer {
 	return b.dialer
@@ -684,6 +775,12 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		}
 	}
 	if st.NetMap != nil {
+		if err := b.tkaSyncIfNeededLocked(st.NetMap); err != nil {
+			b.logf("[v1] TKA sync error: %v", err)
+		}
+		if !envknob.TKASkipSignatureCheck() {
+			b.tkaFilterNetmapLocked(st.NetMap)
+		}
 		if b.findExitNodeIDLocked(st.NetMap) {
 			prefsChanged = true
 		}
@@ -1084,6 +1181,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		Dialer:               b.Dialer(),
 		Status:               b.setClientStatus,
 		C2NHandler:           http.HandlerFunc(b.handleC2N),
+		DialPlan:             &b.dialPlan, // pointer because it can't be copied
 
 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -2163,7 +2261,7 @@ func (b *LocalBackend) GetPeerAPIPort(ip netip.Addr) (port uint16, ok bool) {
 // ServePeerAPIConnection serves an already-accepted connection c.
 //
 // The remote parameter is the remote address.
-// The local paramater is the local address (either a Tailscale IPv4
+// The local parameter is the local address (either a Tailscale IPv4
 // or IPv6 IP and the peerapi port for that address).
 //
 // The connection will be closed by ServePeerAPIConnection.
@@ -3017,7 +3115,7 @@ func (b *LocalBackend) RequestEngineStatus() {
 // that have happened. It is invoked from the various callbacks that
 // feed events into LocalBackend.
 //
-// TODO(apenwarr): use a channel or something to prevent re-entrancy?
+// TODO(apenwarr): use a channel or something to prevent reentrancy?
 // Or maybe just call the state machine from fewer places.
 func (b *LocalBackend) stateMachine() {
 	b.enterState(b.nextState())
@@ -3077,7 +3175,7 @@ func (b *LocalBackend) ResetForClientDisconnect() {
 
 func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }
 
-// ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
+// ShouldHandleViaIP reports whether ip is an IPv6 address in the
 // Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
 // by Tailscale.
 func (b *LocalBackend) ShouldHandleViaIP(ip netip.Addr) bool {
@@ -3109,6 +3207,9 @@ func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 		Prefs:          ipn.Prefs{WantRunning: false, LoggedOut: true},
 	})
 
+	// Clear any previous dial plan(s), if set.
+	b.dialPlan.Store(nil)
+
 	if cc == nil {
 		// Double Logout can happen via repeated IPN
 		// connections to ipnserver making it repeatedly
@@ -3225,6 +3326,17 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	}
 }
 
+// operatorUserName returns the current pref's OperatorUser's name, or the
+// empty string if none.
+func (b *LocalBackend) operatorUserName() string {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.prefs == nil {
+		return ""
+	}
+	return b.prefs.OperatorUser
+}
+
 // OperatorUserID returns the current pref's OperatorUser's ID (in
 // os/user.User.Uid string form), or the empty string if none.
 func (b *LocalBackend) OperatorUserID() string {
@@ -3307,10 +3419,7 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 		return nil, errors.New("file sharing not enabled by Tailscale admin")
 	}
 	for _, p := range nm.Peers {
-		if len(p.Addresses) == 0 {
-			continue
-		}
-		if p.User != nm.User && b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharing) {
+		if !b.peerIsTaildropTargetLocked(p) {
 			continue
 		}
 		peerAPI := peerAPIBase(b.netMap, p)
@@ -3326,6 +3435,26 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }
 
+// peerIsTaildropTargetLocked reports whether p is a valid Taildrop file
+// recipient from this node according to its ownership and the capabilities in
+// the netmap.
+//
+// b.mu must be locked.
+func (b *LocalBackend) peerIsTaildropTargetLocked(p *tailcfg.Node) bool {
+	if b.netMap == nil || p == nil {
+		return false
+	}
+	if b.netMap.User == p.User {
+		return true
+	}
+	if len(p.Addresses) > 0 &&
+		b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharingTarget) {
+		// Explicitly noted in the netmap ACL caps as a target.
+		return true
+	}
+	return false
+}
+
 func (b *LocalBackend) peerHasCapLocked(addr netip.Addr, wantCap string) bool {
 	for _, hasCap := range b.peerCapsLocked(addr) {
 		if hasCap == wantCap {
@@ -3581,7 +3710,7 @@ func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
 	return mc, nil
 }
 
-// DoNoiseRequest sends a request to URL over the the control plane
+// DoNoiseRequest sends a request to URL over the control plane
 // Noise connection.
 func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	b.mu.Lock()
@@ -3593,6 +3722,17 @@ func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error)
 	return cc.DoNoiseRequest(req)
 }
 
+// tailscaleSSHEnabled reports whether Tailscale SSH is currently enabled based
+// on prefs. It returns false if there are no prefs set.
+func (b *LocalBackend) tailscaleSSHEnabled() bool {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.prefs == nil {
+		return false
+	}
+	return b.prefs.RunSSH
+}
+
 func (b *LocalBackend) sshServerOrInit() (_ SSHServer, err error) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -3651,3 +3791,19 @@ func (b *LocalBackend) handleQuad100Port80Conn(w http.ResponseWriter, r *http.Re
 	}
 	io.WriteString(w, "</ul>\n")
 }
+
+func (b *LocalBackend) Doctor(ctx context.Context, logf logger.Logf) {
+	var checks []doctor.Check
+
+	checks = append(checks, routetable.Check{})
+
+	// TODO(andrew): more
+
+	numChecks := len(checks)
+	checks = append(checks, doctor.CheckFunc("numchecks", func(_ context.Context, log logger.Logf) error {
+		log("%d checks", numChecks)
+		return nil
+	}))
+
+	doctor.RunChecks(ctx, logf, checks...)
+}

ipn/ipnlocal/network-lock.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
@@ -12,11 +12,12 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"os"
+	"path/filepath"
 	"time"
 
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
@@ -24,33 +25,278 @@ import (
 	"tailscale.com/types/tkatype"
 )
 
-var networkLockAvailable = envknob.RegisterBool("TS_EXPERIMENTAL_NETWORK_LOCK")
+// TODO(tom): RPC retry/backoff was broken and has been removed. Fix?
+
+var (
+	errMissingNetmap        = errors.New("missing netmap: verify that you are logged in")
+	errNetworkLockNotActive = errors.New("network-lock is not active")
+)
 
 type tkaState struct {
 	authority *tka.Authority
 	storage   *tka.FS
 }
 
-// CanSupportNetworkLock returns true if tailscaled is able to operate
-// a local tailnet key authority (and hence enforce network lock).
-func (b *LocalBackend) CanSupportNetworkLock() bool {
-	if b.tka != nil {
-		// The TKA is being used, so yeah its supported.
-		return true
+// tkaFilterNetmapLocked checks the signatures on each node key, dropping
+// nodes from the netmap who's signature does not verify.
+func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
+	if !envknob.UseWIPCode() {
+		return // Feature-flag till network-lock is in Alpha.
+	}
+	if b.tka == nil {
+		return // TKA not enabled.
 	}
 
-	if b.TailscaleVarRoot() != "" {
-		// Theres a var root (aka --statedir), so if network lock gets
-		// initialized we have somewhere to store our AUMs. Thats all
-		// we need.
-		return true
+	toDelete := make(map[int]struct{}, len(nm.Peers))
+	for i, p := range nm.Peers {
+		if len(p.KeySignature) == 0 {
+			b.logf("Network lock is dropping peer %v(%v) due to missing signature", p.ID, p.StableID)
+			toDelete[i] = struct{}{}
+		} else {
+			if err := b.tka.authority.NodeKeyAuthorized(p.Key, p.KeySignature); err != nil {
+				b.logf("Network lock is dropping peer %v(%v) due to failed signature check: %v", p.ID, p.StableID, err)
+				toDelete[i] = struct{}{}
+			}
+		}
 	}
-	return false
+
+	// nm.Peers is ordered, so deletion must be order-preserving.
+	peers := make([]*tailcfg.Node, 0, len(nm.Peers))
+	for i, p := range nm.Peers {
+		if _, delete := toDelete[i]; !delete {
+			peers = append(peers, p)
+		}
+	}
+	nm.Peers = peers
+}
+
+// tkaSyncIfNeededLocked examines TKA info reported from the control plane,
+// performing the steps necessary to synchronize local tka state.
+//
+// There are 4 scenarios handled here:
+//   - Enablement: nm.TKAEnabled but b.tka == nil
+//     ∴ reach out to /machine/tka/bootstrap to get the genesis AUM, then
+//     initialize TKA.
+//   - Disablement: !nm.TKAEnabled but b.tka != nil
+//     ∴ reach out to /machine/tka/bootstrap to read the disablement secret,
+//     then verify and clear tka local state.
+//   - Sync needed: b.tka.Head != nm.TKAHead
+//     ∴ complete multi-step synchronization flow.
+//   - Everything up to date: All other cases.
+//     ∴ no action necessary.
+//
+// b.mu must be held. b.mu will be stepped out of (and back in) during network
+// RPCs.
+func (b *LocalBackend) tkaSyncIfNeededLocked(nm *netmap.NetworkMap) error {
+	if !envknob.UseWIPCode() {
+		// If the feature flag is not enabled, pretend we don't exist.
+		return nil
+	}
+	ourNodeKey := b.prefs.Persist.PrivateNodeKey.Public()
+
+	isEnabled := b.tka != nil
+	wantEnabled := nm.TKAEnabled
+	if isEnabled != wantEnabled {
+		var ourHead tka.AUMHash
+		if b.tka != nil {
+			ourHead = b.tka.authority.Head()
+		}
+
+		// Regardless of whether we are moving to disabled or enabled, we
+		// need information from the tka bootstrap endpoint.
+		b.mu.Unlock()
+		bs, err := b.tkaFetchBootstrap(ourNodeKey, ourHead)
+		b.mu.Lock()
+		if err != nil {
+			return fmt.Errorf("fetching bootstrap: %w", err)
+		}
+
+		if wantEnabled && !isEnabled {
+			if err := b.tkaBootstrapFromGenesisLocked(bs.GenesisAUM); err != nil {
+				return fmt.Errorf("bootstrap: %w", err)
+			}
+			isEnabled = true
+		} else if !wantEnabled && isEnabled {
+			if b.tka.authority.ValidDisablement(bs.DisablementSecret) {
+				b.tka = nil
+				isEnabled = false
+
+				if err := os.RemoveAll(b.chonkPath()); err != nil {
+					return fmt.Errorf("os.RemoveAll: %v", err)
+				}
+			} else {
+				b.logf("Disablement secret did not verify, leaving TKA enabled.")
+			}
+		} else {
+			return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")
+		}
+	}
+
+	if isEnabled && b.tka.authority.Head() != nm.TKAHead {
+		if err := b.tkaSyncLocked(ourNodeKey); err != nil {
+			return fmt.Errorf("tka sync: %w", err)
+		}
+	}
+
+	return nil
+}
+
+func toSyncOffer(head string, ancestors []string) (tka.SyncOffer, error) {
+	var out tka.SyncOffer
+	if err := out.Head.UnmarshalText([]byte(head)); err != nil {
+		return tka.SyncOffer{}, fmt.Errorf("head.UnmarshalText: %v", err)
+	}
+	out.Ancestors = make([]tka.AUMHash, len(ancestors))
+	for i, a := range ancestors {
+		if err := out.Ancestors[i].UnmarshalText([]byte(a)); err != nil {
+			return tka.SyncOffer{}, fmt.Errorf("ancestor[%d].UnmarshalText: %v", i, err)
+		}
+	}
+	return out, nil
+}
+
+// tkaSyncLocked synchronizes TKA state with control. b.mu must be held
+// and tka must be initialized. b.mu will be stepped out of (and back into)
+// during network RPCs.
+func (b *LocalBackend) tkaSyncLocked(ourNodeKey key.NodePublic) error {
+	offer, err := b.tka.authority.SyncOffer(b.tka.storage)
+	if err != nil {
+		return fmt.Errorf("offer: %w", err)
+	}
+
+	b.mu.Unlock()
+	offerResp, err := b.tkaDoSyncOffer(ourNodeKey, offer)
+	b.mu.Lock()
+	if err != nil {
+		return fmt.Errorf("offer RPC: %w", err)
+	}
+	controlOffer, err := toSyncOffer(offerResp.Head, offerResp.Ancestors)
+	if err != nil {
+		return fmt.Errorf("control offer: %v", err)
+	}
+
+	if controlOffer.Head == offer.Head {
+		// We are up to date.
+		return nil
+	}
+
+	// Compute missing AUMs before we apply any AUMs from the control-plane,
+	// so we still submit AUMs to control even if they are not part of the
+	// active chain.
+	toSendAUMs, err := b.tka.authority.MissingAUMs(b.tka.storage, controlOffer)
+	if err != nil {
+		return fmt.Errorf("computing missing AUMs: %w", err)
+	}
+
+	// If we got this far, then we are not up to date. Either the control-plane
+	// has updates for us, or we have updates for the control plane.
+	//
+	// TODO(tom): Do we want to keep processing even if the Inform fails? Need
+	// to think through if theres holdback concerns here or not.
+	if len(offerResp.MissingAUMs) > 0 {
+		aums := make([]tka.AUM, len(offerResp.MissingAUMs))
+		for i, a := range offerResp.MissingAUMs {
+			if err := aums[i].Unserialize(a); err != nil {
+				return fmt.Errorf("MissingAUMs[%d]: %v", i, err)
+			}
+		}
+
+		if err := b.tka.authority.Inform(b.tka.storage, aums); err != nil {
+			return fmt.Errorf("inform failed: %v", err)
+		}
+	}
+
+	// NOTE(tom): We could short-circuit here if our HEAD equals the
+	// control-plane's head, but we don't just so control always has a
+	// copy of all forks that clients had.
+
+	b.mu.Unlock()
+	sendResp, err := b.tkaDoSyncSend(ourNodeKey, toSendAUMs, false)
+	b.mu.Lock()
+	if err != nil {
+		return fmt.Errorf("send RPC: %v", err)
+	}
+
+	var remoteHead tka.AUMHash
+	if err := remoteHead.UnmarshalText([]byte(sendResp.Head)); err != nil {
+		return fmt.Errorf("head unmarshal: %v", err)
+	}
+	if remoteHead != b.tka.authority.Head() {
+		b.logf("TKA desync: expected consensus after sync but our head is %v and the control plane's is %v", b.tka.authority.Head(), remoteHead)
+	}
+
+	return nil
+}
+
+// chonkPath returns the absolute path to the directory in which TKA
+// state (the 'tailchonk') is stored.
+func (b *LocalBackend) chonkPath() string {
+	return filepath.Join(b.TailscaleVarRoot(), "tka")
+}
+
+// tkaBootstrapFromGenesisLocked initializes the local (on-disk) state of the
+// tailnet key authority, based on the given genesis AUM.
+//
+// b.mu must be held.
+func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM) error {
+	if err := b.CanSupportNetworkLock(); err != nil {
+		return err
+	}
+
+	var genesis tka.AUM
+	if err := genesis.Unserialize(g); err != nil {
+		return fmt.Errorf("reading genesis: %v", err)
+	}
+
+	chonkDir := b.chonkPath()
+	if err := os.Mkdir(chonkDir, 0755); err != nil && !os.IsExist(err) {
+		return fmt.Errorf("mkdir: %v", err)
+	}
+
+	chonk, err := tka.ChonkDir(chonkDir)
+	if err != nil {
+		return fmt.Errorf("chonk: %v", err)
+	}
+	authority, err := tka.Bootstrap(chonk, genesis)
+	if err != nil {
+		return fmt.Errorf("tka bootstrap: %v", err)
+	}
+
+	b.tka = &tkaState{
+		authority: authority,
+		storage:   chonk,
+	}
+	return nil
+}
+
+// CanSupportNetworkLock returns nil if tailscaled is able to operate
+// a local tailnet key authority (and hence enforce network lock).
+func (b *LocalBackend) CanSupportNetworkLock() error {
+	if !envknob.UseWIPCode() {
+		return errors.New("this feature is not yet complete, a later release may support this functionality")
+	}
+
+	if b.tka != nil {
+		// If the TKA is being used, it is supported.
+		return nil
+	}
+
+	if b.TailscaleVarRoot() == "" {
+		return errors.New("network-lock is not supported in this configuration, try setting --statedir")
+	}
+
+	// There's a var root (aka --statedir), so if network lock gets
+	// initialized we have somewhere to store our AUMs. That's all
+	// we need.
+	return nil
 }
 
 // NetworkLockStatus returns a structure describing the state of the
 // tailnet key authority, if any.
 func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
 	if b.tka == nil {
 		return &ipnstate.NetworkLockStatus{
 			Enabled:   false,
@@ -79,18 +325,18 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 // The Finish RPC submits signatures for all these nodes, at which point
 // Control has everything it needs to atomically enable network lock.
 func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
-	if b.tka != nil {
-		return errors.New("network-lock is already initialized")
+	if err := b.CanSupportNetworkLock(); err != nil {
+		return err
 	}
-	if !networkLockAvailable() {
-		return errors.New("this is an experimental feature in your version of tailscale - Please upgrade to the latest to use this.")
+
+	var ourNodeKey key.NodePublic
+	b.mu.Lock()
+	if b.prefs != nil {
+		ourNodeKey = b.prefs.Persist.PrivateNodeKey.Public()
 	}
-	if !b.CanSupportNetworkLock() {
-		return errors.New("network-lock is not supported in this configuration. Did you supply a --statedir?")
-	}
-	nm := b.NetMap()
-	if nm == nil {
-		return errors.New("no netmap: are you logged into tailscale?")
+	b.mu.Unlock()
+	if ourNodeKey.IsZero() {
+		return errors.New("no node-key: is tailscale logged in?")
 	}
 
 	// Generates a genesis AUM representing trust in the provided keys.
@@ -112,7 +358,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	}
 
 	// Phase 1/2 of initialization: Transmit the genesis AUM to Control.
-	initResp, err := b.tkaInitBegin(nm, genesisAUM)
+	initResp, err := b.tkaInitBegin(ourNodeKey, genesisAUM)
 	if err != nil {
 		return fmt.Errorf("tka init-begin RPC: %w", err)
 	}
@@ -133,10 +379,91 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	}
 
 	// Finalize enablement by transmitting signature for all nodes to Control.
-	_, err = b.tkaInitFinish(nm, sigs)
+	_, err = b.tkaInitFinish(ourNodeKey, sigs)
 	return err
 }
 
+// Only use is in tests.
+func (b *LocalBackend) NetworkLockVerifySignatureForTest(nks tkatype.MarshaledSignature, nodeKey key.NodePublic) error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.tka == nil {
+		return errNetworkLockNotActive
+	}
+	return b.tka.authority.NodeKeyAuthorized(nodeKey, nks)
+}
+
+// Only use is in tests.
+func (b *LocalBackend) NetworkLockKeyTrustedForTest(keyID tkatype.KeyID) bool {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.tka == nil {
+		panic("network lock not initialized")
+	}
+	return b.tka.authority.KeyTrusted(keyID)
+}
+
+// NetworkLockModify adds and/or removes keys in the tailnet's key authority.
+func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("modify network-lock keys: %w", err)
+		}
+	}()
+
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if err := b.CanSupportNetworkLock(); err != nil {
+		return err
+	}
+	if b.tka == nil {
+		return errNetworkLockNotActive
+	}
+
+	updater := b.tka.authority.NewUpdater(b.nlPrivKey)
+
+	for _, addKey := range addKeys {
+		if err := updater.AddKey(addKey); err != nil {
+			return err
+		}
+	}
+	for _, removeKey := range removeKeys {
+		if err := updater.RemoveKey(removeKey.ID()); err != nil {
+			return err
+		}
+	}
+
+	aums, err := updater.Finalize(b.tka.storage)
+	if err != nil {
+		return err
+	}
+
+	if len(aums) == 0 {
+		return nil
+	}
+
+	ourNodeKey := b.prefs.Persist.PrivateNodeKey.Public()
+	b.mu.Unlock()
+	resp, err := b.tkaDoSyncSend(ourNodeKey, aums, true)
+	b.mu.Lock()
+	if err != nil {
+		return err
+	}
+
+	var controlHead tka.AUMHash
+	if err := controlHead.UnmarshalText([]byte(resp.Head)); err != nil {
+		return err
+	}
+
+	lastHead := aums[len(aums)-1].Hash()
+	if controlHead != lastHead {
+		return errors.New("central tka head differs from submitted AUM, try again")
+	}
+
+	return nil
+}
+
 func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeKeySignature, error) {
 	p, err := nodeInfo.NodePublic.MarshalBinary()
 	if err != nil {
@@ -156,10 +483,11 @@ func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeK
 	return &sig, nil
 }
 
-func (b *LocalBackend) tkaInitBegin(nm *netmap.NetworkMap, aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
+func (b *LocalBackend) tkaInitBegin(ourNodeKey key.NodePublic, aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
 	var req bytes.Buffer
 	if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitBeginRequest{
-		NodeID:     nm.SelfNode.ID,
+		Version:    tailcfg.CurrentCapabilityVersion,
+		NodeKey:    ourNodeKey,
 		GenesisAUM: aum.Serialize(),
 	}); err != nil {
 		return nil, fmt.Errorf("encoding request: %v", err)
@@ -167,40 +495,34 @@ func (b *LocalBackend) tkaInitBegin(nm *netmap.NetworkMap, aum tka.AUM) (*tailcf
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	bo := backoff.NewBackoff("tka-init-begin", b.logf, 5*time.Second)
-	for {
-		if err := ctx.Err(); err != nil {
-			return nil, fmt.Errorf("ctx: %w", err)
-		}
-		req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/begin", &req)
-		if err != nil {
-			return nil, fmt.Errorf("req: %w", err)
-		}
-		res, err := b.DoNoiseRequest(req)
-		if err != nil {
-			bo.BackOff(ctx, err)
-			continue
-		}
-		if res.StatusCode != 200 {
-			body, _ := io.ReadAll(res.Body)
-			res.Body.Close()
-			return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-		}
-		a := new(tailcfg.TKAInitBeginResponse)
-		err = json.NewDecoder(res.Body).Decode(a)
-		res.Body.Close()
-		if err != nil {
-			return nil, fmt.Errorf("decoding JSON: %w", err)
-		}
-
-		return a, nil
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/begin", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
 	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKAInitBeginResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
 }
 
-func (b *LocalBackend) tkaInitFinish(nm *netmap.NetworkMap, nks map[tailcfg.NodeID]tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
+func (b *LocalBackend) tkaInitFinish(ourNodeKey key.NodePublic, nks map[tailcfg.NodeID]tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
 	var req bytes.Buffer
 	if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitFinishRequest{
-		NodeID:     nm.SelfNode.ID,
+		Version:    tailcfg.CurrentCapabilityVersion,
+		NodeKey:    ourNodeKey,
 		Signatures: nks,
 	}); err != nil {
 		return nil, fmt.Errorf("encoding request: %v", err)
@@ -208,32 +530,178 @@ func (b *LocalBackend) tkaInitFinish(nm *netmap.NetworkMap, nks map[tailcfg.Node
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	bo := backoff.NewBackoff("tka-init-finish", b.logf, 5*time.Second)
-	for {
-		if err := ctx.Err(); err != nil {
-			return nil, fmt.Errorf("ctx: %w", err)
-		}
-		req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/finish", &req)
-		if err != nil {
-			return nil, fmt.Errorf("req: %w", err)
-		}
-		res, err := b.DoNoiseRequest(req)
-		if err != nil {
-			bo.BackOff(ctx, err)
-			continue
-		}
-		if res.StatusCode != 200 {
-			body, _ := io.ReadAll(res.Body)
-			res.Body.Close()
-			return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-		}
-		a := new(tailcfg.TKAInitFinishResponse)
-		err = json.NewDecoder(res.Body).Decode(a)
-		res.Body.Close()
-		if err != nil {
-			return nil, fmt.Errorf("decoding JSON: %w", err)
-		}
 
-		return a, nil
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/finish", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
 	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKAInitFinishResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
+}
+
+// tkaFetchBootstrap sends a /machine/tka/bootstrap RPC to the control plane
+// over noise. This is used to get values necessary to enable or disable TKA.
+func (b *LocalBackend) tkaFetchBootstrap(ourNodeKey key.NodePublic, head tka.AUMHash) (*tailcfg.TKABootstrapResponse, error) {
+	bootstrapReq := tailcfg.TKABootstrapRequest{
+		Version: tailcfg.CurrentCapabilityVersion,
+		NodeKey: ourNodeKey,
+	}
+	if !head.IsZero() {
+		head, err := head.MarshalText()
+		if err != nil {
+			return nil, fmt.Errorf("head.MarshalText failed: %v", err)
+		}
+		bootstrapReq.Head = string(head)
+	}
+
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(bootstrapReq); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+	if err := ctx.Err(); err != nil {
+		return nil, fmt.Errorf("ctx: %w", err)
+	}
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/bootstrap", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
+	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKABootstrapResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
+}
+
+func fromSyncOffer(offer tka.SyncOffer) (head string, ancestors []string, err error) {
+	headBytes, err := offer.Head.MarshalText()
+	if err != nil {
+		return "", nil, fmt.Errorf("head.MarshalText: %v", err)
+	}
+
+	ancestors = make([]string, len(offer.Ancestors))
+	for i, ancestor := range offer.Ancestors {
+		hash, err := ancestor.MarshalText()
+		if err != nil {
+			return "", nil, fmt.Errorf("ancestor[%d].MarshalText: %v", i, err)
+		}
+		ancestors[i] = string(hash)
+	}
+	return string(headBytes), ancestors, nil
+}
+
+// tkaDoSyncOffer sends a /machine/tka/sync/offer RPC to the control plane
+// over noise. This is the first of two RPCs implementing tka synchronization.
+func (b *LocalBackend) tkaDoSyncOffer(ourNodeKey key.NodePublic, offer tka.SyncOffer) (*tailcfg.TKASyncOfferResponse, error) {
+	head, ancestors, err := fromSyncOffer(offer)
+	if err != nil {
+		return nil, fmt.Errorf("encoding offer: %v", err)
+	}
+	syncReq := tailcfg.TKASyncOfferRequest{
+		Version:   tailcfg.CurrentCapabilityVersion,
+		NodeKey:   ourNodeKey,
+		Head:      head,
+		Ancestors: ancestors,
+	}
+
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(syncReq); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/sync/offer", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
+	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKASyncOfferResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
+}
+
+// tkaDoSyncSend sends a /machine/tka/sync/send RPC to the control plane
+// over noise. This is the second of two RPCs implementing tka synchronization.
+func (b *LocalBackend) tkaDoSyncSend(ourNodeKey key.NodePublic, aums []tka.AUM, interactive bool) (*tailcfg.TKASyncSendResponse, error) {
+	sendReq := tailcfg.TKASyncSendRequest{
+		Version:     tailcfg.CurrentCapabilityVersion,
+		NodeKey:     ourNodeKey,
+		MissingAUMs: make([]tkatype.MarshaledAUM, len(aums)),
+		Interactive: interactive,
+	}
+	for i, a := range aums {
+		sendReq.MissingAUMs[i] = a.Serialize()
+	}
+
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(sendReq); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/sync/send", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
+	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKASyncSendResponse)
+	err = json.NewDecoder(res.Body).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
 }

ipn/ipnlocal/network-lock_test.go

@@ -0,0 +1,546 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipnlocal
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"tailscale.com/control/controlclient"
+	"tailscale.com/envknob"
+	"tailscale.com/hostinfo"
+	"tailscale.com/ipn"
+	"tailscale.com/tailcfg"
+	"tailscale.com/tka"
+	"tailscale.com/types/key"
+	"tailscale.com/types/netmap"
+	"tailscale.com/types/persist"
+	"tailscale.com/types/tkatype"
+)
+
+func fakeControlClient(t *testing.T, c *http.Client) *controlclient.Auto {
+	hi := hostinfo.New()
+	ni := tailcfg.NetInfo{LinkType: "wired"}
+	hi.NetInfo = &ni
+
+	k := key.NewMachine()
+	opts := controlclient.Options{
+		ServerURL: "https://example.com",
+		Hostinfo:  hi,
+		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
+			return k, nil
+		},
+		HTTPTestClient:  c,
+		NoiseTestClient: c,
+		Status:          func(controlclient.Status) {},
+	}
+
+	cc, err := controlclient.NewNoStart(opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return cc
+}
+
+func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server, *http.Client) {
+	ts := httptest.NewUnstartedServer(handler)
+	ts.StartTLS()
+	client := ts.Client()
+	client.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify = true
+	client.Transport.(*http.Transport).DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+		return (&net.Dialer{}).DialContext(ctx, network, ts.Listener.Addr().String())
+	}
+	return ts, client
+}
+
+func TestTKAEnablementFlow(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	nodePriv := key.NewNode()
+
+	// Make a fake TKA authority, getting a usable genesis AUM which
+	// our mock server can communicate.
+	nlPriv := key.NewNLPrivate()
+	key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
+	a1, genesisAUM, err := tka.Create(&tka.Mem{}, tka.State{
+		Keys:               []tka.Key{key},
+		DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
+	}, nlPriv)
+	if err != nil {
+		t.Fatalf("tka.Create() failed: %v", err)
+	}
+
+	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		switch r.URL.Path {
+		case "/machine/tka/bootstrap":
+			body := new(tailcfg.TKABootstrapRequest)
+			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+				t.Fatal(err)
+			}
+			if body.Version != tailcfg.CurrentCapabilityVersion {
+				t.Errorf("bootstrap CapVer = %v, want %v", body.Version, tailcfg.CurrentCapabilityVersion)
+			}
+			if body.NodeKey != nodePriv.Public() {
+				t.Errorf("bootstrap nodeKey=%v, want %v", body.NodeKey, nodePriv.Public())
+			}
+			if body.Head != "" {
+				t.Errorf("bootstrap head=%s, want empty hash", body.Head)
+			}
+
+			w.WriteHeader(200)
+			out := tailcfg.TKABootstrapResponse{
+				GenesisAUM: genesisAUM.Serialize(),
+			}
+			if err := json.NewEncoder(w).Encode(out); err != nil {
+				t.Fatal(err)
+			}
+
+		case "/machine/tka/sync/offer", "/machine/tka/sync/send":
+			t.Error("node attempted to sync, but should have been up to date")
+
+		default:
+			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
+			w.WriteHeader(404)
+		}
+	}))
+	defer ts.Close()
+	temp := t.TempDir()
+
+	cc := fakeControlClient(t, client)
+	b := LocalBackend{
+		varRoot: temp,
+		cc:      cc,
+		ccAuto:  cc,
+		logf:    t.Logf,
+		prefs: &ipn.Prefs{
+			Persist: &persist.Persist{PrivateNodeKey: nodePriv},
+		},
+	}
+
+	b.mu.Lock()
+	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+		TKAEnabled: true,
+		TKAHead:    a1.Head(),
+	})
+	b.mu.Unlock()
+	if err != nil {
+		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
+	}
+	if b.tka == nil {
+		t.Fatal("tka was not initialized")
+	}
+	if b.tka.authority.Head() != a1.Head() {
+		t.Errorf("authority.Head() = %x, want %x", b.tka.authority.Head(), a1.Head())
+	}
+}
+
+func TestTKADisablementFlow(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	temp := t.TempDir()
+	os.Mkdir(filepath.Join(temp, "tka"), 0755)
+	nodePriv := key.NewNode()
+
+	// Make a fake TKA authority, to seed local state.
+	disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
+	nlPriv := key.NewNLPrivate()
+	key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
+	chonk, err := tka.ChonkDir(filepath.Join(temp, "tka"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	authority, _, err := tka.Create(chonk, tka.State{
+		Keys:               []tka.Key{key},
+		DisablementSecrets: [][]byte{tka.DisablementKDF(disablementSecret)},
+	}, nlPriv)
+	if err != nil {
+		t.Fatalf("tka.Create() failed: %v", err)
+	}
+
+	returnWrongSecret := false
+	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		switch r.URL.Path {
+		case "/machine/tka/bootstrap":
+			body := new(tailcfg.TKABootstrapRequest)
+			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+				t.Fatal(err)
+			}
+			if body.Version != tailcfg.CurrentCapabilityVersion {
+				t.Errorf("bootstrap CapVer = %v, want %v", body.Version, tailcfg.CurrentCapabilityVersion)
+			}
+			if body.NodeKey != nodePriv.Public() {
+				t.Errorf("nodeKey=%v, want %v", body.NodeKey, nodePriv.Public())
+			}
+			var head tka.AUMHash
+			if err := head.UnmarshalText([]byte(body.Head)); err != nil {
+				t.Fatalf("failed unmarshal of body.Head: %v", err)
+			}
+			if head != authority.Head() {
+				t.Errorf("reported head = %x, want %x", head, authority.Head())
+			}
+
+			var disablement []byte
+			if returnWrongSecret {
+				disablement = bytes.Repeat([]byte{0x42}, 32) // wrong secret
+			} else {
+				disablement = disablementSecret
+			}
+
+			w.WriteHeader(200)
+			out := tailcfg.TKABootstrapResponse{
+				DisablementSecret: disablement,
+			}
+			if err := json.NewEncoder(w).Encode(out); err != nil {
+				t.Fatal(err)
+			}
+
+		default:
+			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
+			w.WriteHeader(404)
+		}
+	}))
+	defer ts.Close()
+
+	cc := fakeControlClient(t, client)
+	b := LocalBackend{
+		varRoot: temp,
+		cc:      cc,
+		ccAuto:  cc,
+		logf:    t.Logf,
+		tka: &tkaState{
+			authority: authority,
+			storage:   chonk,
+		},
+		prefs: &ipn.Prefs{
+			Persist: &persist.Persist{PrivateNodeKey: nodePriv},
+		},
+	}
+
+	// Test that the wrong disablement secret does not shut down the authority.
+	returnWrongSecret = true
+	b.mu.Lock()
+	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+		TKAEnabled: false,
+		TKAHead:    authority.Head(),
+	})
+	b.mu.Unlock()
+	if err != nil {
+		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
+	}
+	if b.tka == nil {
+		t.Error("TKA was disabled despite incorrect disablement secret")
+	}
+
+	// Test the correct disablement secret shuts down the authority.
+	returnWrongSecret = false
+	b.mu.Lock()
+	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+		TKAEnabled: false,
+		TKAHead:    authority.Head(),
+	})
+	b.mu.Unlock()
+	if err != nil {
+		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
+	}
+
+	if b.tka != nil {
+		t.Fatal("tka was not shut down")
+	}
+	if _, err := os.Stat(b.chonkPath()); err == nil || !os.IsNotExist(err) {
+		t.Errorf("os.Stat(chonkDir) = %v, want ErrNotExist", err)
+	}
+}
+
+func TestTKASync(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+
+	someKeyPriv := key.NewNLPrivate()
+	someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}
+
+	type tkaSyncScenario struct {
+		name string
+		// controlAUMs is called (if non-nil) to get any AUMs which the tka state
+		// on control should be seeded with.
+		controlAUMs func(*testing.T, *tka.Authority, tka.Chonk, tka.Signer) []tka.AUM
+		// controlAUMs is called (if non-nil) to get any AUMs which the tka state
+		// on the node should be seeded with.
+		nodeAUMs func(*testing.T, *tka.Authority, tka.Chonk, tka.Signer) []tka.AUM
+	}
+
+	tcs := []tkaSyncScenario{
+		{name: "up to date"},
+		{
+			name: "control has an update",
+			controlAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
+				b := a.NewUpdater(signer)
+				if err := b.RemoveKey(someKey.ID()); err != nil {
+					t.Fatal(err)
+				}
+				aums, err := b.Finalize(storage)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return aums
+			},
+		},
+		{
+			// AKA 'control data loss' scenario
+			name: "node has an update",
+			nodeAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
+				b := a.NewUpdater(signer)
+				if err := b.RemoveKey(someKey.ID()); err != nil {
+					t.Fatal(err)
+				}
+				aums, err := b.Finalize(storage)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return aums
+			},
+		},
+		{
+			// AKA 'control data loss + update in the meantime' scenario
+			name: "node and control diverge",
+			controlAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
+				b := a.NewUpdater(signer)
+				if err := b.SetKeyMeta(someKey.ID(), map[string]string{"ye": "swiggity"}); err != nil {
+					t.Fatal(err)
+				}
+				aums, err := b.Finalize(storage)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return aums
+			},
+			nodeAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
+				b := a.NewUpdater(signer)
+				if err := b.SetKeyMeta(someKey.ID(), map[string]string{"ye": "swooty"}); err != nil {
+					t.Fatal(err)
+				}
+				aums, err := b.Finalize(storage)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return aums
+			},
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			temp := t.TempDir()
+			os.Mkdir(filepath.Join(temp, "tka"), 0755)
+			nodePriv := key.NewNode()
+			nlPriv := key.NewNLPrivate()
+
+			// Setup the tka authority on the control plane.
+			key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
+			controlStorage := &tka.Mem{}
+			controlAuthority, bootstrap, err := tka.Create(controlStorage, tka.State{
+				Keys:               []tka.Key{key, someKey},
+				DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
+			}, nlPriv)
+			if err != nil {
+				t.Fatalf("tka.Create() failed: %v", err)
+			}
+			if tc.controlAUMs != nil {
+				if err := controlAuthority.Inform(controlStorage, tc.controlAUMs(t, controlAuthority, controlStorage, nlPriv)); err != nil {
+					t.Fatalf("controlAuthority.Inform() failed: %v", err)
+				}
+			}
+
+			// Setup the TKA authority on the node.
+			nodeStorage, err := tka.ChonkDir(filepath.Join(temp, "tka"))
+			if err != nil {
+				t.Fatal(err)
+			}
+			nodeAuthority, err := tka.Bootstrap(nodeStorage, bootstrap)
+			if err != nil {
+				t.Fatalf("tka.Bootstrap() failed: %v", err)
+			}
+			if tc.nodeAUMs != nil {
+				if err := nodeAuthority.Inform(nodeStorage, tc.nodeAUMs(t, nodeAuthority, nodeStorage, nlPriv)); err != nil {
+					t.Fatalf("nodeAuthority.Inform() failed: %v", err)
+				}
+			}
+
+			// Make a mock control server.
+			ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				defer r.Body.Close()
+				switch r.URL.Path {
+				case "/machine/tka/sync/offer":
+					body := new(tailcfg.TKASyncOfferRequest)
+					if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+						t.Fatal(err)
+					}
+					t.Logf("got sync offer:\n%+v", body)
+					nodeOffer, err := toSyncOffer(body.Head, body.Ancestors)
+					if err != nil {
+						t.Fatal(err)
+					}
+					controlOffer, err := controlAuthority.SyncOffer(controlStorage)
+					if err != nil {
+						t.Fatal(err)
+					}
+					sendAUMs, err := controlAuthority.MissingAUMs(controlStorage, nodeOffer)
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					head, ancestors, err := fromSyncOffer(controlOffer)
+					if err != nil {
+						t.Fatal(err)
+					}
+					resp := tailcfg.TKASyncOfferResponse{
+						Head:        head,
+						Ancestors:   ancestors,
+						MissingAUMs: make([]tkatype.MarshaledAUM, len(sendAUMs)),
+					}
+					for i, a := range sendAUMs {
+						resp.MissingAUMs[i] = a.Serialize()
+					}
+
+					t.Logf("responding to sync offer with:\n%+v", resp)
+					w.WriteHeader(200)
+					if err := json.NewEncoder(w).Encode(resp); err != nil {
+						t.Fatal(err)
+					}
+
+				case "/machine/tka/sync/send":
+					body := new(tailcfg.TKASyncSendRequest)
+					if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+						t.Fatal(err)
+					}
+					t.Logf("got sync send:\n%+v", body)
+					toApply := make([]tka.AUM, len(body.MissingAUMs))
+					for i, a := range body.MissingAUMs {
+						if err := toApply[i].Unserialize(a); err != nil {
+							t.Fatalf("decoding missingAUM[%d]: %v", i, err)
+						}
+					}
+
+					if len(toApply) > 0 {
+						if err := controlAuthority.Inform(controlStorage, toApply); err != nil {
+							t.Fatalf("control.Inform(%+v) failed: %v", toApply, err)
+						}
+					}
+					head, err := controlAuthority.Head().MarshalText()
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					w.WriteHeader(200)
+					if err := json.NewEncoder(w).Encode(tailcfg.TKASyncSendResponse{Head: string(head)}); err != nil {
+						t.Fatal(err)
+					}
+
+				default:
+					t.Errorf("unhandled endpoint path: %v", r.URL.Path)
+					w.WriteHeader(404)
+				}
+			}))
+			defer ts.Close()
+
+			// Setup the client.
+			cc := fakeControlClient(t, client)
+			b := LocalBackend{
+				varRoot: temp,
+				cc:      cc,
+				ccAuto:  cc,
+				logf:    t.Logf,
+				tka: &tkaState{
+					authority: nodeAuthority,
+					storage:   nodeStorage,
+				},
+				prefs: &ipn.Prefs{
+					Persist: &persist.Persist{PrivateNodeKey: nodePriv},
+				},
+			}
+
+			// Finally, lets trigger a sync.
+			b.mu.Lock()
+			err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+				TKAEnabled: true,
+				TKAHead:    controlAuthority.Head(),
+			})
+			b.mu.Unlock()
+			if err != nil {
+				t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
+			}
+
+			// Check that at the end of this ordeal, the node and the control
+			// plane are in sync.
+			if nodeHead, controlHead := b.tka.authority.Head(), controlAuthority.Head(); nodeHead != controlHead {
+				t.Errorf("node head = %v, want %v", nodeHead, controlHead)
+			}
+		})
+	}
+}
+
+func TestTKAFilterNetmap(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+
+	nlPriv := key.NewNLPrivate()
+	nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
+	storage := &tka.Mem{}
+	authority, _, err := tka.Create(storage, tka.State{
+		Keys:               []tka.Key{nlKey},
+		DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
+	}, nlPriv)
+	if err != nil {
+		t.Fatalf("tka.Create() failed: %v", err)
+	}
+
+	n1, n2, n3, n4, n5 := key.NewNode(), key.NewNode(), key.NewNode(), key.NewNode(), key.NewNode()
+	n1GoodSig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n1.Public()}, nlPriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	n4Sig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n4.Public()}, nlPriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	n4Sig.Signature[3] = 42 // mess up the signature
+	n4Sig.Signature[4] = 42 // mess up the signature
+	n5GoodSig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n5.Public()}, nlPriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	nm := netmap.NetworkMap{
+		Peers: []*tailcfg.Node{
+			{ID: 1, Key: n1.Public(), KeySignature: n1GoodSig.Serialize()},
+			{ID: 2, Key: n2.Public(), KeySignature: nil},                   // missing sig
+			{ID: 3, Key: n3.Public(), KeySignature: n1GoodSig.Serialize()}, // someone elses sig
+			{ID: 4, Key: n4.Public(), KeySignature: n4Sig.Serialize()},     // messed-up signature
+			{ID: 5, Key: n5.Public(), KeySignature: n5GoodSig.Serialize()},
+		},
+	}
+
+	b := &LocalBackend{
+		logf: t.Logf,
+		tka:  &tkaState{authority: authority},
+	}
+	b.tkaFilterNetmapLocked(&nm)
+
+	want := []*tailcfg.Node{
+		{ID: 1, Key: n1.Public(), KeySignature: n1GoodSig.Serialize()},
+		{ID: 5, Key: n5.Public(), KeySignature: n5GoodSig.Serialize()},
+	}
+	nodePubComparer := cmp.Comparer(func(x, y key.NodePublic) bool {
+		return x.Raw32() == y.Raw32()
+	})
+	if diff := cmp.Diff(nm.Peers, want, nodePubComparer); diff != "" {
+		t.Errorf("filtered netmap differs (-want, +got):\n%s", diff)
+	}
+}

ipn/ipnlocal/peerapi.go

@@ -79,7 +79,7 @@ type peerAPIServer struct {
 }
 
 const (
-	// partialSuffix is the suffix appened to files while they're
+	// partialSuffix is the suffix appended to files while they're
 	// still in the process of being transferred.
 	partialSuffix = ".partial"
 
@@ -1184,7 +1184,7 @@ func newFakePeerAPIListener(ip netip.Addr) net.Listener {
 // even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
 // or we lack permission to listen on a port. It's okay to not actually listen via
 // the kernel because on almost all platforms (except iOS as of 2022-04-20) we
-// also intercept netstack TCP requests in to our peerapi port and hand it over
+// also intercept incoming netstack TCP requests to our peerapi port and hand them over
 // directly to peerapi, without involving the kernel. So this doesn't need to be
 // real. But the port number we return (1, in this case) is the port number we advertise
 // to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's

ipn/ipnlocal/peerapi_test.go

@@ -109,7 +109,7 @@ func TestHandlePeerAPI(t *testing.T) {
 	tests := []struct {
 		name       string
 		isSelf     bool // the peer sending the request is owned by us
-		capSharing bool // self node has file sharing capabilty
+		capSharing bool // self node has file sharing capability
 		omitRoot   bool // don't configure
 		req        *http.Request
 		checks     []check

ipn/ipnlocal/ssh.go

@@ -38,15 +38,16 @@ import (
 // running as root.
 var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
 
+// getSSHUsernames discovers and returns the list of usernames that are
+// potential Tailscale SSH user targets.
+//
+// Invariant: must not be called with b.mu held.
 func (b *LocalBackend) getSSHUsernames(req *tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
 	res := new(tailcfg.C2NSSHUsernamesResponse)
-
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if b.sshServer == nil {
+	if !b.tailscaleSSHEnabled() {
 		return res, nil
 	}
+
 	max := 10
 	if req != nil && req.Max != 0 {
 		max = req.Max
@@ -70,8 +71,8 @@ func (b *LocalBackend) getSSHUsernames(req *tailcfg.C2NSSHUsernamesRequest) (*ta
 		res.Usernames = append(res.Usernames, u)
 	}
 
-	if b.prefs != nil && b.prefs.OperatorUser != "" {
-		add(b.prefs.OperatorUser)
+	if opUser := b.operatorUserName(); opUser != "" {
+		add(opUser)
 	}
 
 	// Check popular usernames and see if they exist with a real shell.

ipn/ipnlocal/tailpipe.go

@@ -0,0 +1,104 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipnlocal
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httptrace"
+	"net/netip"
+
+	"golang.org/x/exp/slices"
+	"tailscale.com/ipn"
+	"tailscale.com/net/netutil"
+	"tailscale.com/net/tsaddr"
+	"tailscale.com/tailcfg"
+)
+
+// PipeDialPeerAPIURL ....
+func (b *LocalBackend) PipeDialPeerAPIURL(ip netip.Addr) (peerAPIURL string, err error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	nm := b.netMap
+	if b.state != ipn.Running || nm == nil {
+		return "", errors.New("not connected to the tailnet")
+	}
+	ipa := netip.PrefixFrom(ip, ip.BitLen())
+	for _, p := range nm.Peers {
+		if slices.Contains(p.Addresses, ipa) {
+			if p.User == nm.User ||
+				len(p.Addresses) > 0 && b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityTailpipeTarget) {
+				peerAPI := peerAPIBase(b.netMap, p)
+				if peerAPI == "" {
+					continue
+				}
+			}
+			return "", errors.New("invalid target")
+		}
+	}
+	return "", errors.New("target not found")
+}
+
+func (b *LocalBackend) DialTailpipe(ctx context.Context, tailscaleIPStr, portName string) (net.Conn, error) {
+	ip, err := netip.ParseAddr(tailscaleIPStr)
+	if err != nil || !tsaddr.IsTailscaleIP(ip) {
+		return nil, fmt.Errorf("host must be a Tailscale IP for now, not %q", tailscaleIPStr)
+	}
+
+	hc := b.dialer.PeerAPIHTTPClient()
+
+	peerAPIBase, err := b.PipeDialPeerAPIURL(ip)
+	if err != nil {
+		return nil, err
+	}
+	connCh := make(chan net.Conn, 1)
+	trace := httptrace.ClientTrace{
+		GotConn: func(info httptrace.GotConnInfo) {
+			connCh <- info.Conn
+		},
+	}
+	ctx = httptrace.WithClientTrace(ctx, &trace)
+	req, err := http.NewRequestWithContext(ctx, "POST", peerAPIBase+"/localapi/v0/connect-to-open-tailpipe", nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header = http.Header{
+		"Upgrade":    []string{"tailpipe"},
+		"Connection": []string{"upgrade"},
+		"Port-Name":  []string{portName},
+	}
+	res, err := hc.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != http.StatusSwitchingProtocols {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
+	}
+	// From here on, the underlying net.Conn is ours to use, but there
+	// is still a read buffer attached to it within resp.Body. So, we
+	// must direct I/O through resp.Body, but we can still use the
+	// underlying net.Conn for stuff like deadlines.
+	var switchedConn net.Conn
+	select {
+	case switchedConn = <-connCh:
+	default:
+	}
+	if switchedConn == nil {
+		res.Body.Close()
+		return nil, fmt.Errorf("httptrace didn't provide a connection")
+	}
+	rwc, ok := res.Body.(io.ReadWriteCloser)
+	if !ok {
+		res.Body.Close()
+		return nil, errors.New("http Transport did not provide a writable body")
+	}
+	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
+}

ipn/ipnserver/server.go

@@ -57,7 +57,7 @@ import (
 
 // Options is the configuration of the Tailscale node agent.
 type Options struct {
-	// VarRoot is the the Tailscale daemon's private writable
+	// VarRoot is the Tailscale daemon's private writable
 	// directory (usually "/var/lib/tailscale" on Linux) that
 	// contains the "tailscaled.state" file, the "certs" directory
 	// for TLS certs, and the "files" directory for incoming
@@ -772,7 +772,7 @@ func New(logf logger.Logf, logid string, store ipn.StateStore, eng wgengine.Engi
 	})
 
 	if root := b.TailscaleVarRoot(); root != "" {
-		chonkDir := filepath.Join(root, "chonk")
+		chonkDir := filepath.Join(root, "tka")
 		if _, err := os.Stat(chonkDir); err == nil {
 			// The directory exists, which means network-lock has been initialized.
 			storage, err := tka.ChonkDir(chonkDir)

ipn/localapi/localapi.go

@@ -26,6 +26,8 @@ import (
 
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
+	"tailscale.com/health"
+	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnstate"
@@ -35,9 +37,50 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/mak"
+	"tailscale.com/util/strs"
 	"tailscale.com/version"
 )
 
+type localAPIHandler func(*Handler, http.ResponseWriter, *http.Request)
+
+// handler is the set of LocalAPI handlers, keyed by the part of the
+// Request.URL.Path after "/localapi/v0/". If the key ends with a trailing slash
+// then it's a prefix match.
+var handler = map[string]localAPIHandler{
+	// The prefix match handlers end with a slash:
+	"cert/":     (*Handler).serveCert,
+	"file-put/": (*Handler).serveFilePut,
+	"files/":    (*Handler).serveFiles,
+
+	// The other /localapi/v0/NAME handlers are exact matches and contain only NAME
+	// without a trailing slash:
+	"bugreport":               (*Handler).serveBugReport,
+	"check-ip-forwarding":     (*Handler).serveCheckIPForwarding,
+	"check-prefs":             (*Handler).serveCheckPrefs,
+	"component-debug-logging": (*Handler).serveComponentDebugLogging,
+	"debug":                   (*Handler).serveDebug,
+	"derpmap":                 (*Handler).serveDERPMap,
+	"dial":                    (*Handler).serveDial,
+	"file-targets":            (*Handler).serveFileTargets,
+	"goroutines":              (*Handler).serveGoroutines,
+	"id-token":                (*Handler).serveIDToken,
+	"login-interactive":       (*Handler).serveLoginInteractive,
+	"logout":                  (*Handler).serveLogout,
+	"metrics":                 (*Handler).serveMetrics,
+	"open-bidi-pipe":          (*Handler).serveOpenBidiPipe,
+	"ping":                    (*Handler).servePing,
+	"prefs":                   (*Handler).servePrefs,
+	"profile":                 (*Handler).serveProfile,
+	"set-dns":                 (*Handler).serveSetDNS,
+	"set-expiry-sooner":       (*Handler).serveSetExpirySooner,
+	"status":                  (*Handler).serveStatus,
+	"tka/init":                (*Handler).serveTKAInit,
+	"tka/modify":              (*Handler).serveTKAModify,
+	"tka/status":              (*Handler).serveTKAStatus,
+	"upload-client-metrics":   (*Handler).serveUploadClientMetrics,
+	"whois":                   (*Handler).serveWhoIs,
+}
+
 func randHex(n int) string {
 	b := make([]byte, n)
 	rand.Read(b)
@@ -99,68 +142,45 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/files/") {
-		h.serveFiles(w, r)
-		return
+	if fn, ok := handlerForPath(r.URL.Path); ok {
+		fn(h, w, r)
+	} else {
+		http.NotFound(w, r)
 	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/file-put/") {
-		h.serveFilePut(w, r)
-		return
+}
+
+// handlerForPath returns the LocalAPI handler for the provided Request.URI.Path.
+// (the path doesn't include any query parameters)
+func handlerForPath(urlPath string) (h localAPIHandler, ok bool) {
+	if urlPath == "/" {
+		return (*Handler).serveLocalAPIRoot, true
 	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/cert/") {
-		h.serveCert(w, r)
-		return
+	suff, ok := strs.CutPrefix(urlPath, "/localapi/v0/")
+	if !ok {
+		// Currently all LocalAPI methods start with "/localapi/v0/" to signal
+		// to people that they're not necessarily stable APIs. In practice we'll
+		// probably need to keep them pretty stable anyway, but for now treat
+		// them as an internal implementation detail.
+		return nil, false
 	}
-	switch r.URL.Path {
-	case "/localapi/v0/whois":
-		h.serveWhoIs(w, r)
-	case "/localapi/v0/goroutines":
-		h.serveGoroutines(w, r)
-	case "/localapi/v0/profile":
-		h.serveProfile(w, r)
-	case "/localapi/v0/status":
-		h.serveStatus(w, r)
-	case "/localapi/v0/logout":
-		h.serveLogout(w, r)
-	case "/localapi/v0/login-interactive":
-		h.serveLoginInteractive(w, r)
-	case "/localapi/v0/prefs":
-		h.servePrefs(w, r)
-	case "/localapi/v0/ping":
-		h.servePing(w, r)
-	case "/localapi/v0/check-prefs":
-		h.serveCheckPrefs(w, r)
-	case "/localapi/v0/check-ip-forwarding":
-		h.serveCheckIPForwarding(w, r)
-	case "/localapi/v0/bugreport":
-		h.serveBugReport(w, r)
-	case "/localapi/v0/file-targets":
-		h.serveFileTargets(w, r)
-	case "/localapi/v0/set-dns":
-		h.serveSetDNS(w, r)
-	case "/localapi/v0/derpmap":
-		h.serveDERPMap(w, r)
-	case "/localapi/v0/metrics":
-		h.serveMetrics(w, r)
-	case "/localapi/v0/debug":
-		h.serveDebug(w, r)
-	case "/localapi/v0/set-expiry-sooner":
-		h.serveSetExpirySooner(w, r)
-	case "/localapi/v0/dial":
-		h.serveDial(w, r)
-	case "/localapi/v0/id-token":
-		h.serveIDToken(w, r)
-	case "/localapi/v0/upload-client-metrics":
-		h.serveUploadClientMetrics(w, r)
-	case "/localapi/v0/tka/status":
-		h.serveTkaStatus(w, r)
-	case "/localapi/v0/tka/init":
-		h.serveTkaInit(w, r)
-	case "/":
-		io.WriteString(w, "tailscaled\n")
-	default:
-		http.Error(w, "404 not found", 404)
+	if fn, ok := handler[suff]; ok {
+		// Here we match exact handler suffixes like "status" or ones with a
+		// slash already in their name, like "tka/status".
+		return fn, true
 	}
+	// Otherwise, it might be a prefix match like "files/*" which we look up
+	// by the prefix including first trailing slash.
+	if i := strings.IndexByte(suff, '/'); i != -1 {
+		suff = suff[:i+1]
+		if fn, ok := handler[suff]; ok {
+			return fn, true
+		}
+	}
+	return nil, false
+}
+
+func (*Handler) serveLocalAPIRoot(w http.ResponseWriter, r *http.Request) {
+	io.WriteString(w, "tailscaled\n")
 }
 
 // serveIDToken handles requests to get an OIDC ID token.
@@ -221,6 +241,16 @@ func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
 	if note := r.FormValue("note"); len(note) > 0 {
 		h.logf("user bugreport note: %s", note)
 	}
+	hi, _ := json.Marshal(hostinfo.New())
+	h.logf("user bugreport hostinfo: %s", hi)
+	if err := health.OverallError(); err != nil {
+		h.logf("user bugreport health: %s", err.Error())
+	} else {
+		h.logf("user bugreport health: ok")
+	}
+	if defBool(r.FormValue("diagnose"), false) {
+		h.b.Doctor(r.Context(), logger.WithPrefix(h.logf, "diag: "))
+	}
 	w.Header().Set("Content-Type", "text/plain")
 	fmt.Fprintln(w, logMarker)
 }
@@ -315,6 +345,24 @@ func (h *Handler) serveDebug(w http.ResponseWriter, r *http.Request) {
 	io.WriteString(w, "done\n")
 }
 
+func (h *Handler) serveComponentDebugLogging(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug access denied", http.StatusForbidden)
+		return
+	}
+	component := r.FormValue("component")
+	secs, _ := strconv.Atoi(r.FormValue("secs"))
+	err := h.b.SetComponentDebugLogging(component, time.Now().Add(time.Duration(secs)*time.Second))
+	var res struct {
+		Error string
+	}
+	if err != nil {
+		res.Error = err.Error()
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(res)
+}
+
 // serveProfileFunc is the implementation of Handler.serveProfile, after auth,
 // for platforms where we want to link it in.
 var serveProfileFunc func(http.ResponseWriter, *http.Request)
@@ -717,8 +765,16 @@ func (h *Handler) serveDial(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	addr := net.JoinHostPort(hostStr, portStr)
-	outConn, err := h.b.Dialer().UserDial(r.Context(), "tcp", addr)
+	dial := func() (net.Conn, error) {
+		if strings.HasPrefix(portStr, "tailpipe-") {
+			// hostStr is expected to be a Tailscale IP at this point.
+			return h.b.DialTailpipe(r.Context(), hostStr, portStr)
+		}
+		addr := net.JoinHostPort(hostStr, portStr)
+		return h.b.Dialer().UserDial(r.Context(), "tcp", addr)
+	}
+
+	outConn, err := dial()
 	if err != nil {
 		http.Error(w, "dial failure: "+err.Error(), http.StatusBadGateway)
 		return
@@ -800,13 +856,13 @@ func (h *Handler) serveUploadClientMetrics(w http.ResponseWriter, r *http.Reques
 	json.NewEncoder(w).Encode(struct{}{})
 }
 
-func (h *Handler) serveTkaStatus(w http.ResponseWriter, r *http.Request) {
+func (h *Handler) serveTKAStatus(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "lock status access denied", http.StatusForbidden)
 		return
 	}
 	if r.Method != http.MethodGet {
-		http.Error(w, "use Get", http.StatusMethodNotAllowed)
+		http.Error(w, "use GET", http.StatusMethodNotAllowed)
 		return
 	}
 
@@ -819,7 +875,7 @@ func (h *Handler) serveTkaStatus(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }
 
-func (h *Handler) serveTkaInit(w http.ResponseWriter, r *http.Request) {
+func (h *Handler) serveTKAInit(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "lock init access denied", http.StatusForbidden)
 		return
@@ -852,6 +908,63 @@ func (h *Handler) serveTkaInit(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }
 
+func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != http.MethodPost {
+		http.Error(w, "use POST", http.StatusMethodNotAllowed)
+		return
+	}
+
+	type modifyRequest struct {
+		AddKeys    []tka.Key
+		RemoveKeys []tka.Key
+	}
+	var req modifyRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "invalid JSON body", 400)
+		return
+	}
+
+	if err := h.b.NetworkLockModify(req.AddKeys, req.RemoveKeys); err != nil {
+		http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	j, err := json.MarshalIndent(h.b.NetworkLockStatus(), "", "\t")
+	if err != nil {
+		http.Error(w, "JSON encoding error", 500)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.Write(j)
+}
+
+func (h *Handler) serveOpenBidiPipe(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "use POST", http.StatusMethodNotAllowed)
+		return
+	}
+	name := r.FormValue("name")
+	if name != "" && !h.PermitWrite {
+		http.Error(w, "naming a bidi pipe requires write access", http.StatusForbidden)
+		return
+	}
+
+	w.Header().Set("Foo", "bar")
+	w.WriteHeader(http.StatusProcessing) // informational code 102
+
+	time.Sleep(time.Second)
+
+	w.Header().Set("Foo", "baz")
+	w.WriteHeader(http.StatusProcessing) // informational code 102
+
+	w.Header()["Foo"] = nil
+	io.WriteString(w, "the body")
+}
+
 func defBool(a string, def bool) bool {
 	if a == "" {
 		return def

ipn/prefs_test.go

@@ -470,7 +470,7 @@ func TestLoadPrefsNotExist(t *testing.T) {
 	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
 }
 
-// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs hanldes corrupted input files.
+// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs handles corrupted input files.
 // See issue #954 for details.
 func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
 	f, err := os.CreateTemp("", "TestLoadPrefsFileWithZeroInIt")

ipn/store.go

@@ -6,6 +6,8 @@ package ipn
 
 import (
 	"errors"
+	"fmt"
+	"strconv"
 )
 
 // ErrStateNotExist is returned by StateStore.ReadState when the
@@ -35,7 +37,7 @@ const (
 	// StateKey "user-1234".
 	ServerModeStartKey = StateKey("server-mode-start-key")
 
-	// NLKeyStateKey is the key under which we store the nodes'
+	// NLKeyStateKey is the key under which we store the node's
 	// network-lock node key, in its key.NLPrivate.MarshalText representation.
 	NLKeyStateKey = StateKey("_nl-node-key")
 )
@@ -48,3 +50,17 @@ type StateStore interface {
 	// WriteState saves bs as the state associated with ID.
 	WriteState(id StateKey, bs []byte) error
 }
+
+// ReadStoreInt reads an integer from a StateStore.
+func ReadStoreInt(store StateStore, id StateKey) (int64, error) {
+	v, err := store.ReadState(id)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.ParseInt(string(v), 10, 64)
+}
+
+// PutStoreInt puts an integer into a StateStore.
+func PutStoreInt(store StateStore, id StateKey, val int64) error {
+	return store.WriteState(id, fmt.Appendf(nil, "%d", val))
+}

licenses/android.md

@@ -38,7 +38,7 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
  - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/777337dba4cf/LICENSE))
  - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
  - [github.com/tailscale/tailscale-android](https://pkg.go.dev/github.com/tailscale/tailscale-android) ([BSD-3-Clause](https://github.com/tailscale/tailscale-android/blob/HEAD/LICENSE))
@@ -55,9 +55,9 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
  - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/807a2327:shiny/LICENSE))
  - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/a66eb644:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
  - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))

licenses/apple.md

@@ -27,7 +27,7 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/mdlayher/sdnotify](https://pkg.go.dev/github.com/mdlayher/sdnotify) ([MIT](https://github.com/mdlayher/sdnotify/blob/v1.0.0/LICENSE.md))
  - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
  - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/62f465106986/LICENSE))
  - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
  - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
@@ -39,9 +39,9 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
  - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
  - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=b51010ba13f0))

licenses/tailscale.md

@@ -58,7 +58,7 @@ Some packages may only be included on certain architectures or operating systems
  - [github.com/pkg/sftp](https://pkg.go.dev/github.com/pkg/sftp) ([BSD-2-Clause](https://github.com/pkg/sftp/blob/v1.13.4/LICENSE))
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
  - [github.com/tailscale/certstore](https://pkg.go.dev/github.com/tailscale/certstore) ([MIT](https://github.com/tailscale/certstore/blob/78d6e1c49d8d/LICENSE.md))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/62f465106986/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
  - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
  - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
@@ -71,9 +71,9 @@ Some packages may only be included on certain architectures or operating systems
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
  - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/eb4f295c:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
  - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))

licenses/win.md

@@ -1,47 +0,0 @@
-# Tailscale for Windows dependencies
-
-The following open source dependencies are used to build the [Tailscale client
-for windows][].  See also the dependencies in the [Tailscale CLI][].
-
-[Tailscale client for windows]: https://tailscale.com/kb/1022/install-windows/
-[Tailscale CLI]: ./tailscale.md
-
-## Go Packages
-
-
- - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0-rc.1/LICENSE))
- - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/909beea2cc74/LICENSE))
- - [github.com/apenwarr/fixconsole](https://pkg.go.dev/github.com/apenwarr/fixconsole) ([Apache-2.0](https://github.com/apenwarr/fixconsole/blob/5a9f6489cc29/LICENSE))
- - [github.com/apenwarr/w32](https://pkg.go.dev/github.com/apenwarr/w32) ([BSD-3-Clause](https://github.com/apenwarr/w32/blob/aa00fece76ab/LICENSE))
- - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
- - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
- - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
- - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/v1.0.0/license))
- - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.5/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.5/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.15.5/zstd/internal/xxhash/LICENSE.txt))
- - [github.com/lxn/walk](https://pkg.go.dev/github.com/lxn/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/ed127cfb919a/LICENSE))
- - [github.com/lxn/win](https://pkg.go.dev/github.com/lxn/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/c3f813abca9f/LICENSE))
- - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.6.0/LICENSE.md))
- - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
- - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
- - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
- - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
- - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
- - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.4.10))
- - [gopkg.in/Knetic/govaluate.v3](https://pkg.go.dev/gopkg.in/Knetic/govaluate.v3) ([MIT](https://github.com/Knetic/govaluate/blob/v3.0.0/LICENSE))
- - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/f81723ceac3f/LICENSE))
-
-## Additional Dependencies
-
- - [Nullsoft Scriptable Install System](https://nsis.sourceforge.io/) ([zlib/libpng](https://nsis.sourceforge.io/License))
- - [Wintun](https://www.wintun.net/) ([Prebuilt Binaries License](https://git.zx2c4.com/wintun/tree/prebuilt-binaries-license.txt))
- - [wireguard-windows](https://git.zx2c4.com/wireguard-windows/) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING))

licenses/windows.md

@@ -31,9 +31,9 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
  - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
  - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
  - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
  - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))

logpolicy/logpolicy.go

@@ -70,11 +70,24 @@ func getLogTarget() string {
 	return getLogTargetOnce.v
 }
 
+// LogURL is the base URL for the configured logtail server, or the default.
+// It is guaranteed to not terminate with any forward slashes.
+func LogURL() string {
+	if v := getLogTarget(); v != "" {
+		return strings.TrimRight(v, "/")
+	}
+	return "https://" + logtail.DefaultHost
+}
+
 // LogHost returns the hostname only (without port) of the configured
 // logtail server, or the default.
+//
+// Deprecated: Use LogURL instead.
 func LogHost() string {
 	if v := getLogTarget(); v != "" {
-		return v
+		if u, err := url.Parse(v); err == nil {
+			return u.Hostname()
+		}
 	}
 	return logtail.DefaultHost
 }
@@ -596,7 +609,7 @@ func NewWithConfigPath(collection, dir, cmdName string) *Policy {
 		}
 	}
 
-	log.SetFlags(0) // other logflags are set on console, not here
+	log.SetFlags(0) // other log flags are set on console, not here
 	log.SetOutput(logOutput)
 
 	log.Printf("Program starting: v%v, Go %v: %#v",

logpolicy/logpolicy_test.go

@@ -0,0 +1,37 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package logpolicy
+
+import (
+	"os"
+	"reflect"
+	"testing"
+)
+
+func TestLogHost(t *testing.T) {
+	v := reflect.ValueOf(&getLogTargetOnce).Elem()
+	reset := func() {
+		v.Set(reflect.Zero(v.Type()))
+	}
+	defer reset()
+
+	tests := []struct {
+		env  string
+		want string
+	}{
+		{"", "log.tailscale.io"},
+		{"http://foo.com", "foo.com"},
+		{"https://foo.com", "foo.com"},
+		{"https://foo.com/", "foo.com"},
+		{"https://foo.com:123/", "foo.com"},
+	}
+	for _, tt := range tests {
+		reset()
+		os.Setenv("TS_LOG_TARGET", tt.env)
+		if got := LogHost(); got != tt.want {
+			t.Errorf("for env %q, got %q, want %q", tt.env, got, tt.want)
+		}
+	}
+}

logtail/id.go

@@ -34,7 +34,7 @@ func NewPrivateID() (id PrivateID, err error) {
 func (id PrivateID) MarshalText() ([]byte, error) {
 	b := make([]byte, hex.EncodedLen(len(id)))
 	if i := hex.Encode(b, id[:]); i != len(b) {
-		return nil, fmt.Errorf("logtail.PrivateID.MarhsalText: i=%d", i)
+		return nil, fmt.Errorf("logtail.PrivateID.MarshalText: i=%d", i)
 	}
 	return b, nil
 }
@@ -122,7 +122,7 @@ func MustParsePublicID(s string) PublicID {
 func (id PublicID) MarshalText() ([]byte, error) {
 	b := make([]byte, hex.EncodedLen(len(id)))
 	if i := hex.Encode(b, id[:]); i != len(b) {
-		return nil, fmt.Errorf("logtail.PublicID.MarhsalText: i=%d", i)
+		return nil, fmt.Errorf("logtail.PublicID.MarshalText: i=%d", i)
 	}
 	return b, nil
 }

logtail/logtail.go

@@ -44,12 +44,13 @@ type Encoder interface {
 
 type Config struct {
 	Collection     string           // collection name, a domain name
-	PrivateID      PrivateID        // machine-specific private identifier
+	PrivateID      PrivateID        // private ID for the primary log stream
+	CopyPrivateID  PrivateID        // private ID for a log stream that is a superset of this log stream
 	BaseURL        string           // if empty defaults to "https://log.tailscale.io"
 	HTTPC          *http.Client     // if empty defaults to http.DefaultClient
 	SkipClientTime bool             // if true, client_time is not written to logs
 	LowMemory      bool             // if true, logtail minimizes memory use
-	TimeNow        func() time.Time // if set, subsitutes uses of time.Now
+	TimeNow        func() time.Time // if set, substitutes uses of time.Now
 	Stderr         io.Writer        // if set, logs are sent here instead of os.Stderr
 	StderrLevel    int              // max verbosity level to write to stderr; 0 means the non-verbose messages only
 	Buffer         Buffer           // temp storage, if nil a MemoryBuffer
@@ -73,7 +74,7 @@ type Config struct {
 
 	// IncludeProcSequence, if true, results in an ephemeral sequence number
 	// being included in the logs. The sequence number is incremented for each
-	// log message sent, but is not peristed across process restarts.
+	// log message sent, but is not persisted across process restarts.
 	IncludeProcSequence bool
 }
 
@@ -112,12 +113,16 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	stdLogf := func(f string, a ...any) {
 		fmt.Fprintf(cfg.Stderr, strings.TrimSuffix(f, "\n")+"\n", a...)
 	}
+	var urlSuffix string
+	if !cfg.CopyPrivateID.IsZero() {
+		urlSuffix = "?copyId=" + cfg.CopyPrivateID.String()
+	}
 	l := &Logger{
 		privateID:      cfg.PrivateID,
 		stderr:         cfg.Stderr,
 		stderrLevel:    int64(cfg.StderrLevel),
 		httpc:          cfg.HTTPC,
-		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
+		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String() + urlSuffix,
 		lowMem:         cfg.LowMemory,
 		buffer:         cfg.Buffer,
 		skipClientTime: cfg.SkipClientTime,
@@ -519,7 +524,7 @@ func (l *Logger) encodeText(buf []byte, skipClientTime bool, procID uint32, proc
 		b = append(b, `"logtail": {`...)
 		if !skipClientTime {
 			b = append(b, `"client_time": "`...)
-			b = now.AppendFormat(b, time.RFC3339Nano)
+			b = now.UTC().AppendFormat(b, time.RFC3339Nano)
 			b = append(b, `",`...)
 		}
 		if procID != 0 {
@@ -612,7 +617,7 @@ func (l *Logger) encodeLocked(buf []byte, level int) []byte {
 	if !l.skipClientTime || l.procID != 0 || l.procSequence != 0 {
 		logtail := map[string]any{}
 		if !l.skipClientTime {
-			logtail["client_time"] = now.Format(time.RFC3339Nano)
+			logtail["client_time"] = now.UTC().Format(time.RFC3339Nano)
 		}
 		if l.procID != 0 {
 			logtail["proc_id"] = l.procID

net/dns/manager.go

@@ -381,7 +381,7 @@ func (m *Manager) NextPacket() ([]byte, error) {
 	return buf, nil
 }
 
-// Query executes a DNS query recieved from the given address. The query is
+// Query executes a DNS query received from the given address. The query is
 // provided in bs as a wire-encoded DNS query without any transport header.
 // This method is called for requests arriving over UDP and TCP.
 func (m *Manager) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]byte, error) {
@@ -540,7 +540,7 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 		logf("creating dns cleanup: %v", err)
 		return
 	}
-	dns := NewManager(logf, oscfg, nil, new(tsdial.Dialer), nil)
+	dns := NewManager(logf, oscfg, nil, &tsdial.Dialer{Logf: logf}, nil)
 	if err := dns.Down(); err != nil {
 		logf("dns down: %v", err)
 	}

net/dns/manager_windows_test.go

@@ -274,7 +274,7 @@ func runTest(t *testing.T, isLocal bool) {
 	runCase := func(n int) {
 		t.Logf("Test case: %d domains\n", n)
 		if !isLocal {
-			// When !isLocal, we want to check that a GP notification occured for
+			// When !isLocal, we want to check that a GP notification occurred for
 			// every single test case.
 			trk, err = newGPNotificationTracker()
 			if err != nil {

net/dns/nm.go

@@ -302,7 +302,7 @@ func (m *nmManager) GetBaseConfig() (OSConfig, error) {
 	for _, cfg := range cfgs {
 		if name, ok := cfg["interface"]; ok {
 			if s, ok := name.Value().(string); ok && s == m.interfaceName {
-				// Config for the taislcale interface, skip.
+				// Config for the tailscale interface, skip.
 				continue
 			}
 		}

net/dns/nrpt_windows.go

@@ -58,7 +58,7 @@ var (
 
 const _RP_FORCE = 1 // Flag for RefreshPolicyEx
 
-// nrptRuleDatabase ensapsulates access to the Windows Name Resolution Policy
+// nrptRuleDatabase encapsulates access to the Windows Name Resolution Policy
 // Table (NRPT).
 type nrptRuleDatabase struct {
 	logf               logger.Logf

net/dns/osconfig.go

@@ -5,9 +5,12 @@
 package dns
 
 import (
+	"bufio"
 	"errors"
+	"fmt"
 	"net/netip"
 
+	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
 )
 
@@ -97,6 +100,44 @@ func (a OSConfig) Equal(b OSConfig) bool {
 	return true
 }
 
+// Format implements the fmt.Formatter interface to ensure that Hosts is
+// printed correctly (i.e. not as a bunch of pointers).
+//
+// Fixes https://github.com/tailscale/tailscale/issues/5669
+func (a OSConfig) Format(f fmt.State, verb rune) {
+	logger.ArgWriter(func(w *bufio.Writer) {
+		w.WriteString(`{Nameservers:[`)
+		for i, ns := range a.Nameservers {
+			if i != 0 {
+				w.WriteString(" ")
+			}
+			fmt.Fprintf(w, "%+v", ns)
+		}
+		w.WriteString(`] SearchDomains:[`)
+		for i, domain := range a.SearchDomains {
+			if i != 0 {
+				w.WriteString(" ")
+			}
+			fmt.Fprintf(w, "%+v", domain)
+		}
+		w.WriteString(`] MatchDomains:[`)
+		for i, domain := range a.MatchDomains {
+			if i != 0 {
+				w.WriteString(" ")
+			}
+			fmt.Fprintf(w, "%+v", domain)
+		}
+		w.WriteString(`] Hosts:[`)
+		for i, host := range a.Hosts {
+			if i != 0 {
+				w.WriteString(" ")
+			}
+			fmt.Fprintf(w, "%+v", host)
+		}
+		w.WriteString(`]}`)
+	}).Format(f, verb)
+}
+
 // ErrGetBaseConfigNotSupported is the error
 // OSConfigurator.GetBaseConfig returns when the OSConfigurator
 // doesn't support reading the underlying configuration out of the OS.

net/dns/osconfig_test.go

@@ -0,0 +1,44 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package dns
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+
+	"tailscale.com/util/dnsname"
+)
+
+func TestOSConfigPrintable(t *testing.T) {
+	ocfg := OSConfig{
+		Hosts: []*HostEntry{
+			{
+				Addr:  netip.AddrFrom4([4]byte{100, 1, 2, 3}),
+				Hosts: []string{"server", "client"},
+			},
+			{
+				Addr:  netip.AddrFrom4([4]byte{100, 1, 2, 4}),
+				Hosts: []string{"otherhost"},
+			},
+		},
+		Nameservers: []netip.Addr{
+			netip.AddrFrom4([4]byte{8, 8, 8, 8}),
+		},
+		SearchDomains: []dnsname.FQDN{
+			dnsname.FQDN("foo.beta.tailscale.net."),
+			dnsname.FQDN("bar.beta.tailscale.net."),
+		},
+		MatchDomains: []dnsname.FQDN{
+			dnsname.FQDN("ts.com."),
+		},
+	}
+	s := fmt.Sprintf("%+v", ocfg)
+
+	const expected = `{Nameservers:[8.8.8.8] SearchDomains:[foo.beta.tailscale.net. bar.beta.tailscale.net.] MatchDomains:[ts.com.] Hosts:[&{Addr:100.1.2.3 Hosts:[server client]} &{Addr:100.1.2.4 Hosts:[otherhost]}]}`
+	if s != expected {
+		t.Errorf("format mismatch:\n   got: %s\n  want: %s", s, expected)
+	}
+}

net/dns/publicdns/publicdns.go

@@ -37,15 +37,15 @@ func DoHEndpointFromIP(ip netip.Addr) (dohBase string, dohOnly bool, ok bool) {
 	}
 
 	// NextDNS DoH URLs are of the form "https://dns.nextdns.io/c3a884"
-	// where the path component is the lower 8 bytes of the IPv6 address
+	// where the path component is the lower 12 bytes of the IPv6 address
 	// in lowercase hex without any zero padding.
 	if nextDNSv6RangeA.Contains(ip) || nextDNSv6RangeB.Contains(ip) {
 		a := ip.As16()
 		var sb strings.Builder
 		const base = "https://dns.nextdns.io/"
-		sb.Grow(len(base) + 8)
+		sb.Grow(len(base) + 12)
 		sb.WriteString(base)
-		for _, b := range bytes.TrimLeft(a[8:], "\x00") {
+		for _, b := range bytes.TrimLeft(a[4:], "\x00") {
 			fmt.Fprintf(&sb, "%02x", b)
 		}
 		return sb.String(), true, true
@@ -100,7 +100,7 @@ func DoHIPsOfBase(dohBase string) []netip.Addr {
 		// conventional for them and not required (it'll already be in the DoH path).
 		// (Really we shouldn't use either IPv4 or IPv6 anycast for DoH once we
 		// resolve "dns.nextdns.io".)
-		if b, err := hex.DecodeString(hexStr); err == nil && len(b) <= 8 && len(b) > 0 {
+		if b, err := hex.DecodeString(hexStr); err == nil && len(b) <= 12 && len(b) > 0 {
 			return []netip.Addr{
 				nextDNSv4One,
 				nextDNSv4Two,
@@ -215,7 +215,7 @@ var (
 // nextDNSv6Gen generates a NextDNS IPv6 address from the upper 8 bytes in the
 // provided ip and using id as the lowest 0-8 bytes.
 func nextDNSv6Gen(ip netip.Addr, id []byte) netip.Addr {
-	if len(id) > 8 {
+	if len(id) > 12 {
 		return netip.Addr{}
 	}
 	a := ip.As16()

net/dns/publicdns/publicdns_test.go

@@ -86,6 +86,19 @@ func TestDoHIPsOfBase(t *testing.T) {
 				"2a07:a8c1::c3:a884",
 			),
 		},
+		{
+			base: "https://dns.nextdns.io/112233445566778899aabbcc",
+			want: ips(
+				"45.90.28.0",
+				"45.90.30.0",
+				"2a07:a8c0:1122:3344:5566:7788:99aa:bbcc",
+				"2a07:a8c1:1122:3344:5566:7788:99aa:bbcc",
+			),
+		},
+		{
+			base: "https://dns.nextdns.io/112233445566778899aabbccdd",
+			want: ips(), // nothing; profile length is over 12 bytes
+		},
 		{
 			base: "https://dns.nextdns.io/c3a884/with/more/stuff",
 			want: ips(

net/dns/resolver/forwarder.go

@@ -180,7 +180,7 @@ type resolverAndDelay struct {
 type forwarder struct {
 	logf    logger.Logf
 	linkMon *monitor.Mon
-	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absords it
+	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absorbs it
 	dialer  *tsdial.Dialer
 	dohSem  chan struct{}
 
@@ -502,7 +502,7 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		// Only known DoH providers are supported currently. Specifically, we
 		// only support DoH providers where we can TCP connect to them on port
 		// 443 at the same IP address they serve normal UDP DNS from (1.1.1.1,
-		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custon DoH providers
+		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custom DoH providers
 		// aren't currently supported. There's no backup DNS resolution path for
 		// them.
 		urlBase := rr.name.Addr

net/dns/resolver/tsdns.go

@@ -609,7 +609,7 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netip.Addr,
 		metricDNSResolveLocalOKAll.Add(1)
 		return addrs[0], dns.RCodeSuccess
 
-	// Leave some some record types explicitly unimplemented.
+	// Leave some record types explicitly unimplemented.
 	// These types relate to recursive resolution or special
 	// DNS semantics and might be implemented in the future.
 	case dns.TypeNS, dns.TypeSOA, dns.TypeAXFR, dns.TypeHINFO:

net/dnscache/messagecache.go

@@ -99,7 +99,7 @@ type msgResource struct {
 }
 
 // ErrCacheMiss is a sentinel error returned by MessageCache.ReplyFromCache
-// when the request can not be satisified from cache.
+// when the request can not be satisfied from cache.
 var ErrCacheMiss = errors.New("cache miss")
 
 var parserPool = &sync.Pool{
@@ -264,7 +264,7 @@ func asciiLowerName(n dnsmessage.Name) dnsmessage.Name {
 }
 
 // packDNSResponse builds a DNS response for the given question and
-// transaction ID. The response resource records will have have the
+// transaction ID. The response resource records will have the
 // same provided TTL.
 func packDNSResponse(q msgQ, txID uint16, ttl uint32, answers []msgResource) ([]byte, error) {
 	var baseMem []byte // TODO: guess a max size based on looping over answers?

net/flowtrack/flowtrack.go

@@ -20,9 +20,9 @@ import (
 
 // Tuple is a 5-tuple of proto, source and destination IP and port.
 type Tuple struct {
-	Proto ipproto.Proto
-	Src   netip.AddrPort
-	Dst   netip.AddrPort
+	Proto ipproto.Proto  `json:"proto"`
+	Src   netip.AddrPort `json:"src"`
+	Dst   netip.AddrPort `json:"dst"`
 }
 
 func (t Tuple) String() string {

net/interfaces/interfaces.go

@@ -441,13 +441,13 @@ func prefixesEqual(a, b []netip.Prefix) bool {
 
 // UseInterestingInterfaces is an InterfaceFilter that reports whether i is an interesting interface.
 // An interesting interface if it is (a) not owned by Tailscale and (b) routes interesting IP addresses.
-// See UseInterestingIPs for the defition of an interesting IP address.
+// See UseInterestingIPs for the definition of an interesting IP address.
 func UseInterestingInterfaces(i Interface, ips []netip.Prefix) bool {
 	return !isTailscaleInterface(i.Name, ips) && anyInterestingIP(ips)
 }
 
 // UseInterestingIPs is an IPFilter that reports whether ip is an interesting IP address.
-// An IP address is interesting if it is neither a lopback not a link local unicast IP address.
+// An IP address is interesting if it is neither a loopback nor a link local unicast IP address.
 func UseInterestingIPs(ip netip.Addr) bool {
 	return isInterestingIP(ip)
 }
@@ -455,7 +455,7 @@ func UseInterestingIPs(ip netip.Addr) bool {
 // UseAllInterfaces is an InterfaceFilter that includes all interfaces.
 func UseAllInterfaces(i Interface, ips []netip.Prefix) bool { return true }
 
-// UseAllIPs is an IPFilter that includes all all IPs.
+// UseAllIPs is an IPFilter that includes all IPs.
 func UseAllIPs(ips netip.Addr) bool { return true }
 
 func (s *State) HasPAC() bool { return s != nil && s.PAC != "" }

net/netcheck/netcheck.go

@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"math/rand"
 	"net"
 	"net/http"
 	"net/netip"
@@ -112,6 +113,10 @@ type Report struct {
 	GlobalV4 string // ip:port of global IPv4
 	GlobalV6 string // [ip]:port of global IPv6
 
+	// CaptivePortal is set when we think there's a captive portal that is
+	// intercepting HTTP traffic.
+	CaptivePortal opt.Bool
+
 	// TODO: update Clone when adding new fields
 }
 
@@ -156,7 +161,7 @@ type Client struct {
 
 	// GetSTUNConn4 optionally provides a func to return the
 	// connection to use for sending & receiving IPv4 packets. If
-	// nil, an emphemeral one is created as needed.
+	// nil, an ephemeral one is created as needed.
 	GetSTUNConn4 func() STUNConn
 
 	// GetSTUNConn6 is like GetSTUNConn4, but for IPv6.
@@ -175,6 +180,10 @@ type Client struct {
 	// If nil, portmap discovery is not done.
 	PortMapper *portmapper.Client // lazily initialized on first use
 
+	// For tests
+	testEnoughRegions      int
+	testCaptivePortalDelay time.Duration
+
 	mu       sync.Mutex            // guards following
 	nextFull bool                  // do a full region scan, even if last != nil
 	prev     map[time.Time]*Report // some previous reports
@@ -192,6 +201,9 @@ type STUNConn interface {
 }
 
 func (c *Client) enoughRegions() int {
+	if c.testEnoughRegions > 0 {
+		return c.testEnoughRegions
+	}
 	if c.Verbose {
 		// Abuse verbose a bit here so netcheck can show all region latencies
 		// in verbose mode.
@@ -200,6 +212,14 @@ func (c *Client) enoughRegions() int {
 	return 3
 }
 
+func (c *Client) captivePortalDelay() time.Duration {
+	if c.testCaptivePortalDelay > 0 {
+		return c.testCaptivePortalDelay
+	}
+	// Chosen semi-arbitrarily
+	return 200 * time.Millisecond
+}
+
 func (c *Client) logf(format string, a ...any) {
 	if c.Logf != nil {
 		c.Logf(format, a...)
@@ -783,13 +803,35 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 	}
 	c.curState = rs
 	last := c.last
+
+	// Even if we're doing a non-incremental update, we may want to try our
+	// preferred DERP region for captive portal detection. Save that, if we
+	// have it.
+	var preferredDERP int
+	if last != nil {
+		preferredDERP = last.PreferredDERP
+	}
+
 	now := c.timeNow()
+
+	doFull := false
 	if c.nextFull || now.Sub(c.lastFull) > 5*time.Minute {
+		doFull = true
+	}
+	// If the last report had a captive portal and reported no UDP access,
+	// it's possible that we didn't get a useful netcheck due to the
+	// captive portal blocking us. If so, make this report a full
+	// (non-incremental) one.
+	if !doFull && last != nil {
+		doFull = !last.UDP && last.CaptivePortal.EqualBool(true)
+	}
+	if doFull {
 		last = nil // causes makeProbePlan below to do a full (initial) plan
 		c.nextFull = false
 		c.lastFull = now
 		metricNumGetReportFull.Add(1)
 	}
+
 	rs.incremental = last != nil
 	c.mu.Unlock()
 
@@ -874,6 +916,48 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 
 	plan := makeProbePlan(dm, ifState, last)
 
+	// If we're doing a full probe, also check for a captive portal. We
+	// delay by a bit to wait for UDP STUN to finish, to avoid the probe if
+	// it's unnecessary.
+	captivePortalDone := syncs.ClosedChan()
+	captivePortalStop := func() {}
+	if !rs.incremental {
+		// NOTE(andrew): we can't simply add this goroutine to the
+		// `NewWaitGroupChan` below, since we don't wait for that
+		// waitgroup to finish when exiting this function and thus get
+		// a data race.
+		ch := make(chan struct{})
+		captivePortalDone = ch
+
+		tmr := time.AfterFunc(c.captivePortalDelay(), func() {
+			defer close(ch)
+			found, err := c.checkCaptivePortal(ctx, dm, preferredDERP)
+			if err != nil {
+				c.logf("[v1] checkCaptivePortal: %v", err)
+				return
+			}
+			rs.report.CaptivePortal.Set(found)
+		})
+
+		captivePortalStop = func() {
+			// Don't cancel our captive portal check if we're
+			// explicitly doing a verbose netcheck.
+			if c.Verbose {
+				return
+			}
+
+			if tmr.Stop() {
+				// Stopped successfully; need to close the
+				// signal channel ourselves.
+				close(ch)
+				return
+			}
+
+			// Did not stop; do nothing and it'll finish by itself
+			// and close the signal channel.
+		}
+	}
+
 	wg := syncs.NewWaitGroupChan()
 	wg.Add(len(plan))
 	for _, probeSet := range plan {
@@ -894,9 +978,17 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 	case <-stunTimer.C:
 	case <-ctx.Done():
 	case <-wg.DoneChan():
+		// All of our probes finished, so if we have >0 responses, we
+		// stop our captive portal check.
+		if rs.anyUDP() {
+			captivePortalStop()
+		}
 	case <-rs.stopProbeCh:
 		// Saw enough regions.
 		c.vlogf("saw enough regions; not waiting for rest")
+		// We can stop the captive portal check since we know that we
+		// got a bunch of STUN responses.
+		captivePortalStop()
 	}
 
 	rs.waitHairCheck(ctx)
@@ -965,6 +1057,9 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 		wg.Wait()
 	}
 
+	// Wait for captive portal check before finishing the report.
+	<-captivePortalDone
+
 	return c.finishAndStoreReport(rs, dm), nil
 }
 
@@ -979,6 +1074,54 @@ func (c *Client) finishAndStoreReport(rs *reportState, dm *tailcfg.DERPMap) *Rep
 	return report
 }
 
+var noRedirectClient = &http.Client{
+	// No redirects allowed
+	CheckRedirect: func(req *http.Request, via []*http.Request) error {
+		return http.ErrUseLastResponse
+	},
+
+	// Remaining fields are the same as the default client.
+	Transport: http.DefaultClient.Transport,
+	Jar:       http.DefaultClient.Jar,
+	Timeout:   http.DefaultClient.Timeout,
+}
+
+// checkCaptivePortal reports whether or not we think the system is behind a
+// captive portal, detected by making a request to a URL that we know should
+// return a "204 No Content" response and checking if that's what we get.
+//
+// The boolean return is whether we think we have a captive portal.
+func (c *Client) checkCaptivePortal(ctx context.Context, dm *tailcfg.DERPMap, preferredDERP int) (bool, error) {
+	defer noRedirectClient.CloseIdleConnections()
+
+	// If we have a preferred DERP region with more than one node, try
+	// that; otherwise, pick a random one not marked as "Avoid".
+	if preferredDERP == 0 || dm.Regions[preferredDERP] == nil ||
+		(preferredDERP != 0 && len(dm.Regions[preferredDERP].Nodes) == 0) {
+		rids := make([]int, 0, len(dm.Regions))
+		for id, reg := range dm.Regions {
+			if reg == nil || reg.Avoid || len(reg.Nodes) == 0 {
+				continue
+			}
+			rids = append(rids, id)
+		}
+		preferredDERP = rids[rand.Intn(len(rids))]
+	}
+
+	node := dm.Regions[preferredDERP].Nodes[0]
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+node.HostName+"/generate_204", nil)
+	if err != nil {
+		return false, err
+	}
+	r, err := noRedirectClient.Do(req)
+	if err != nil {
+		return false, err
+	}
+	c.logf("[v2] checkCaptivePortal url=%q status_code=%d", req.URL.String(), r.StatusCode)
+
+	return r.StatusCode != 204, nil
+}
+
 // runHTTPOnlyChecks is the netcheck done by environments that can
 // only do HTTP requests, such as ws/wasm.
 func (c *Client) runHTTPOnlyChecks(ctx context.Context, last *Report, rs *reportState, dm *tailcfg.DERPMap) error {
@@ -1045,6 +1188,8 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	var ip netip.Addr
 
 	dc := derphttp.NewNetcheckClient(c.logf)
+	defer dc.Close()
+
 	tlsConn, tcpConn, node, err := dc.DialRegionTLS(ctx, reg)
 	if err != nil {
 		return 0, ip, err
@@ -1200,6 +1345,9 @@ func (c *Client) logConciseReport(r *Report, dm *tailcfg.DERPMap) {
 		if r.GlobalV6 != "" {
 			fmt.Fprintf(w, " v6a=%v", r.GlobalV6)
 		}
+		if r.CaptivePortal != "" {
+			fmt.Fprintf(w, " captiveportal=%v", r.CaptivePortal)
+		}
 		fmt.Fprintf(w, " derp=%v", r.PreferredDERP)
 		if r.PreferredDERP != 0 {
 			fmt.Fprintf(w, " derpdist=")

net/netcheck/netcheck_test.go

@@ -9,11 +9,13 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/http"
 	"net/netip"
 	"reflect"
 	"sort"
 	"strconv"
 	"strings"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -115,6 +117,9 @@ func TestWorksWhenUDPBlocked(t *testing.T) {
 	// OS IPv6 test is irrelevant here, accept whatever the current
 	// machine has.
 	want.OSHasIPv6 = r.OSHasIPv6
+	// Captive portal test is irrelevant; accept what the current report
+	// has.
+	want.CaptivePortal = r.CaptivePortal
 
 	if !reflect.DeepEqual(r, want) {
 		t.Errorf("mismatch\n got: %+v\nwant: %+v\n", r, want)
@@ -661,3 +666,57 @@ func TestSortRegions(t *testing.T) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 }
+
+func TestNoCaptivePortalWhenUDP(t *testing.T) {
+	// Override noRedirectClient to handle the /generate_204 endpoint
+	var generate204Called atomic.Bool
+	tr := RoundTripFunc(func(req *http.Request) *http.Response {
+		if !strings.HasSuffix(req.URL.String(), "/generate_204") {
+			panic("bad URL: " + req.URL.String())
+		}
+		generate204Called.Store(true)
+		return &http.Response{
+			StatusCode: http.StatusNoContent,
+			Header:     make(http.Header),
+		}
+	})
+
+	oldTransport := noRedirectClient.Transport
+	t.Cleanup(func() { noRedirectClient.Transport = oldTransport })
+	noRedirectClient.Transport = tr
+
+	stunAddr, cleanup := stuntest.Serve(t)
+	defer cleanup()
+
+	c := &Client{
+		Logf:              t.Logf,
+		UDPBindAddr:       "127.0.0.1:0",
+		testEnoughRegions: 1,
+
+		// Set the delay long enough that we have time to cancel it
+		// when our STUN probe succeeds.
+		testCaptivePortalDelay: 10 * time.Second,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+	defer cancel()
+
+	r, err := c.GetReport(ctx, stuntest.DERPMapOf(stunAddr.String()))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Should not have called our captive portal function.
+	if generate204Called.Load() {
+		t.Errorf("captive portal check called; expected no call")
+	}
+	if r.CaptivePortal != "" {
+		t.Errorf("got CaptivePortal=%q, want empty", r.CaptivePortal)
+	}
+}
+
+type RoundTripFunc func(req *http.Request) *http.Response
+
+func (f RoundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return f(req), nil
+}

net/nettest/conn.go

@@ -6,6 +6,7 @@ package nettest
 
 import (
 	"net"
+	"net/netip"
 	"time"
 )
 
@@ -32,20 +33,38 @@ func NewConn(name string, maxBuf int) (Conn, Conn) {
 	return &connHalf{r: r, w: w}, &connHalf{r: w, w: r}
 }
 
+// NewTCPConn creates a pair of Conns that are wired together by pipes.
+func NewTCPConn(src, dst netip.AddrPort, maxBuf int) (local Conn, remote Conn) {
+	r := NewPipe(src.String(), maxBuf)
+	w := NewPipe(dst.String(), maxBuf)
+
+	lAddr := net.TCPAddrFromAddrPort(src)
+	rAddr := net.TCPAddrFromAddrPort(dst)
+
+	return &connHalf{r: r, w: w, remote: rAddr, local: lAddr}, &connHalf{r: w, w: r, remote: lAddr, local: rAddr}
+}
+
 type connAddr string
 
 func (a connAddr) Network() string { return "mem" }
 func (a connAddr) String() string  { return string(a) }
 
 type connHalf struct {
-	r, w *Pipe
+	local, remote net.Addr
+	r, w          *Pipe
 }
 
 func (c *connHalf) LocalAddr() net.Addr {
+	if c.local != nil {
+		return c.local
+	}
 	return connAddr(c.r.name)
 }
 
 func (c *connHalf) RemoteAddr() net.Addr {
+	if c.remote != nil {
+		return c.remote
+	}
 	return connAddr(c.w.name)
 }
 

net/nettest/listener.go

@@ -15,7 +15,7 @@ const (
 	bufferSize = 256 * 1024
 )
 
-// Listener is a net.Listener using using NewConn to create pairs of network
+// Listener is a net.Listener using NewConn to create pairs of network
 // connections connected in memory using a buffered pipe. It also provides a
 // Dial method to establish new connections.
 type Listener struct {
@@ -61,7 +61,7 @@ func (l *Listener) Accept() (net.Conn, error) {
 // The provided Context must be non-nil. If the context expires before the
 // connection is complete, an error is returned. Once successfully connected
 // any expiration of the context will not affect the connection.
-func (l *Listener) Dial(ctx context.Context, network, addr string) (net.Conn, error) {
+func (l *Listener) Dial(ctx context.Context, network, addr string) (_ net.Conn, err error) {
 	if !strings.HasSuffix(network, "tcp") {
 		return nil, net.UnknownNetworkError(network)
 	}
@@ -72,6 +72,13 @@ func (l *Listener) Dial(ctx context.Context, network, addr string) (net.Conn, er
 		}
 	}
 	c, s := NewConn(addr, bufferSize)
+	defer func() {
+		if err != nil {
+			c.Close()
+			s.Close()
+		}
+	}()
+
 	select {
 	case <-ctx.Done():
 		return nil, ctx.Err()

net/netutil/ip_forward.go

@@ -195,7 +195,7 @@ const (
 // given interface.
 // The iface param determines which interface to check against, "" means to check
 // global config.
-// It tries to lookup the value directly from `/proc/sys`, and fallsback to
+// It tries to lookup the value directly from `/proc/sys`, and falls back to
 // using `sysctl` on failure.
 func ipForwardingEnabledLinux(p protocol, iface string) (bool, error) {
 	k := ipForwardSysctlKey(slashFormat, p, iface)