cmd/gitops-pusher: things i forgot to push last PR

Signed-off-by: Xe <xe@tailscale.com>
cmd/gitops-pusher: add etag cache file for the three version problem
2022-07-22 15:14:39 -04:00 · 2022-07-22 13:53:20 -04:00
475 changed files with 7073 additions and 18885 deletions
--- a/.github/licenses.tmpl
+++ b/.github/licenses.tmpl
@@ -1,17 +0,0 @@
-# Tailscale CLI and daemon dependencies
-
-The following open source dependencies are used to build the [tailscale][] and
-[tailscaled][] commands. These are primarily used on Linux and BSD variants as
-well as an [option for macOS][].
-
-[tailscale]: https://pkg.go.dev/tailscale.com/cmd/tailscale
-[tailscaled]: https://pkg.go.dev/tailscale.com/cmd/tailscaled
-[option for macOS]: https://tailscale.com/kb/1065/macos-variants/
-
-## Go Packages
-
-Some packages may only be included on certain architectures or operating systems.
-
-{{ range . }}
- - [{{.Name}}](https://pkg.go.dev/{{.Name}}) ([{{.LicenseName}}]({{.LicenseURL}}))
-{{- end }}
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,10 +1,5 @@
 name: CIFuzz
 on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,10 +20,6 @@ on:
  schedule:
    - cron: '31 14 * * 5'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -19,15 +15,16 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: macOS build cmd
      env:
        GOOS: darwin
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -19,15 +15,16 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: FreeBSD build cmd
      env:
        GOOS: freebsd
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -19,15 +15,16 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: OpenBSD build cmd
      env:
        GOOS: openbsd
--- a/.github/workflows/cross-wasm.yml
+++ b/.github/workflows/cross-wasm.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -19,27 +15,21 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Wasm client build
      env:
        GOOS: js
        GOARCH: wasm
-      run: go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-
-    - name: tsconnect static build
-      # Use our custom Go toolchain, we set build tags (to control binary size)
-      # that depend on it.
-      run: |
-        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect build-pkg
+      run: go build ./cmd/tsconnect/wasm

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -19,15 +15,16 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Windows build cmd
      env:
        GOOS: windows
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -8,25 +8,21 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18

-    - name: depaware
-      run: go run github.com/tailscale/depaware --check
-        tailscale.com/cmd/tailscaled
-        tailscale.com/cmd/tailscale
-        tailscale.com/cmd/derper
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: depaware tailscaled
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+
+    - name: depaware tailscale
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -1,64 +0,0 @@
-name: go-licenses
-
-on:
-  # run action when a change lands in the main branch which updates go.mod or
-  # our license template file. Also allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/licenses.tmpl
-      - .github/workflows/go-licenses.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  tailscale:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: Install go-licenses
-        run: |
-          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
-
-      - name: Run go-licenses
-        env:
-          # include all build tags to include platform-specific dependencies
-          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
-        run: |
-          [ -d licenses ] || mkdir licenses
-          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
-
-      - name: Get access token
-        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@18f90432bedd2afd6a825469ffd38aa24712a91d #v4.1.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: License Updater <noreply@tailscale.com>
-          committer: License Updater <noreply@tailscale.com>
-          branch: licenses/cli
-          commit-message: "licenses: update tailscale{,d} licenses"
-          title: "licenses: update tailscale{,d} licenses"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          team-reviewers: opensource-license-reviewers
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -9,25 +9,21 @@ on:
    branches:
      - "*"

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  check:
    runs-on: ubuntu-latest

    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18
+
      - name: Check out code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
      - name: check 'go generate' is clean
        run: |
          if [[ "${{github.ref}}" == release-branch/* ]]
--- a/.github/workflows/go_mod_tidy.yml
+++ b/.github/workflows/go_mod_tidy.yml
@@ -1,35 +0,0 @@
-name: go mod tidy
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - "*"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: check 'go mod tidy' is clean
-        run: |
-          go mod tidy
-          echo
-          echo
-          git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -8,22 +8,18 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
+
+    - name: Check out code
+      uses: actions/checkout@v3

    - name: Run license checker
      run: ./scripts/check_license_headers.sh .
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -19,15 +15,16 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Basic build
      run: go build ./cmd/...

--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -19,23 +15,19 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Basic build
      run: go build ./cmd/...

-    - name: Build variants
-      run: |
-        go install --tags=ts_include_cli ./cmd/tailscaled
-        go install --tags=ts_omit_aws ./cmd/tailscaled
-
    - name: Get QEMU
      run: |
        # The qemu in Ubuntu 20.04 (Focal) is too old; we need 5.x something
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -19,15 +15,16 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18
      id: go

+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
    - name: Basic build
      run: GOARCH=386 go build ./cmd/...

--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -1,112 +0,0 @@
-name: static-analysis
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  gofmt:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-    - name: Run gofmt (goimports)
-      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
-  vet:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-    - name: Check out code
-      uses: actions/checkout@v3
-    - name: Run go vet
-      run: go vet ./...
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
-  staticcheck:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        goos: [linux, windows, darwin]
-        goarch: [amd64]
-        include:
-          - goos: windows
-            goarch: 386
-
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Install staticcheck
-      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
-
-    - name: Print staticcheck version
-      run: "staticcheck -version"
-
-    - name: "Run staticcheck (${{ matrix.goos }}/${{ matrix.goarch }})"
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-android.yml
+++ b/.github/workflows/cross-android.yml
@@ -1,4 +1,4 @@
-name: Android-Cross
+name: staticcheck

 on:
  push:
@@ -8,35 +8,51 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest

-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
-      id: go
+        go-version: 1.18

-    - name: Android smoke build
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Run go vet
+      run: go vet ./...
+
+    - name: Install staticcheck
+      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
+
+    - name: Print staticcheck version
+      run: "staticcheck -version"
+
+    - name: Run staticcheck (linux/amd64)
      env:
-        GOOS: android
-        GOARCH: arm64
-      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
+        GOOS: linux
+        GOARCH: amd64
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - name: Run staticcheck (darwin/amd64)
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - name: Run staticcheck (windows/amd64)
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - name: Run staticcheck (windows/386)
+      env:
+        GOOS: windows
+        GOARCH: "386"
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/tsconnect-pkg-publish.yml
+++ b/.github/workflows/tsconnect-pkg-publish.yml
@@ -1,30 +0,0 @@
-name: "@tailscale/connect npm publish"
-
-on: workflow_dispatch
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up node
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
-
-      - name: Build package
-        # Build with build_dist.sh to ensure that version information is embedded.
-        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
-        # also picks up our custom Go toolchain.
-        run: |
-          ./build_dist.sh tailscale.com/cmd/tsconnect
-          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg
-
-      - name: Publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.TSCONNECT_NPM_PUBLISH_AUTH_TOKEN }}
-        run: ./tool/yarn --cwd ./cmd/tsconnect/pkg publish --access public
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -5,10 +5,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  ubuntu2004-LTS-cloud-base:
    runs-on: [ self-hosted, linux, vm ]
@@ -19,13 +15,13 @@ jobs:
      - name: Set GOPATH
        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV

-      - name: Checkout Code
-        uses: actions/checkout@v3
-
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version-file: go.mod
+          go-version: 1.18
+
+      - name: Checkout Code
+        uses: actions/checkout@v3

      - name: Run VM tests
        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -0,0 +1,77 @@
+name: Windows race
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    runs-on: windows-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Install Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18.x
+
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike some other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        # The -race- here ensures that non-race builds and race builds do not
+        # overwrite each others cache, as while they share some files, they
+        # differ in most by volume (build cache).
+        # TODO(raggi): add a go version here.
+        key: ${{ runner.os }}-go-2-race-${{ hashFiles('**/go.sum') }}
+
+    - name: Print toolchain details
+      run: gcc -v
+
+    # There is currently an issue in the race detector in Go on Windows when
+    # used with a newer version of GCC.
+    # See https://github.com/tailscale/tailscale/issues/4926.
+    - name: Downgrade MinGW
+      shell: bash
+      run: |
+        choco install mingw --version 10.2.0 --allow-downgrade
+
+    - name: Test with -race flag
+      # Don't use -bench=. -benchtime=1x.
+      # Somewhere in the layers (powershell?)
+      # the equals signs cause great confusion.
+      run: go test -race -bench . -benchtime 1x ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -8,10 +8,6 @@ on:
    branches:
      - '*'

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: windows-latest
@@ -19,13 +15,14 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3

    - name: Install Go
      uses: actions/setup-go@v3
      with:
-        go-version-file: go.mod
+        go-version: 1.18.x
+
+    - name: Checkout code
+      uses: actions/checkout@v3

    - name: Restore Cache
      uses: actions/cache@v3
--- a/2
+++ b/2
@@ -32,7 +32,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.19-alpine AS build-env
+FROM golang:1.18-alpine AS build-env

 WORKDIR /go/src/tailscale

--- a/19
+++ b/19
@@ -9,19 +9,15 @@ vet:
 	./tool/go vet ./...

 tidy:
-	./tool/go mod tidy
+	./tool/go mod tidy -compat=1.17

 updatedeps:
-	./tool/go run github.com/tailscale/depaware --update \
-		tailscale.com/cmd/tailscaled \
-		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
+	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
+	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale

 depaware:
-	./tool/go run github.com/tailscale/depaware --check \
-		tailscale.com/cmd/tailscaled \
-		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
+	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale

 buildwindows:
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
@@ -32,13 +28,10 @@ build386:
 buildlinuxarm:
 	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildwasm:
-	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-
 buildmultiarchimage:
 	./build_docker.sh

-check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm
+check: staticcheck vet depaware buildwindows build386 buildlinuxarm

 staticcheck:
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
--- a/README.md
+++ b/README.md
@@ -43,7 +43,10 @@ If your distro has conventions that preclude the use of
 `build_dist.sh`, please do the equivalent of what it does in your
 distro's way, so that bug reports contain useful version information.

-We require the latest Go release, currently Go 1.19.
+We only guarantee to support the latest Go release and any Go beta or
+release candidate builds (currently Go 1.18) in module mode. It might
+work in earlier Go versions or in GOPATH mode, but we're making no
+effort to keep those working.

 ## Bugs

--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.31.0
+1.29.0
--- a/api.md
+++ b/api.md
@@ -3,12 +3,11 @@
 The Tailscale API is a (mostly) RESTful API. Typically, POST bodies should be JSON encoded and responses will be JSON encoded.

 # Authentication
-
 Currently based on {some authentication method}. Visit the [admin panel](https://login.tailscale.com/admin) and navigate to the `Settings` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints (leave the password blank).

 # APIs

- **[Devices](#device)**
+* **[Devices](#device)**
  - [GET device](#device-get)
  - [DELETE device](#device-delete)
  - Routes
@@ -20,12 +19,12 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
    - [POST device tags](#device-tags-post)
  - Key
    - [POST device key](#device-key-post)
- **[Tailnets](#tailnet)**
+* **[Tailnets](#tailnet)**
  - ACLs
    - [GET tailnet ACL](#tailnet-acl-get)
    - [POST tailnet ACL](#tailnet-acl-post)
    - [POST tailnet ACL preview](#tailnet-acl-preview-post)
-    - [POST tailnet ACL validate](#tailnet-acl-validate-post)
+	- [POST tailnet ACL validate](#tailnet-acl-validate-post)
  - [Devices](#tailnet-devices)
    - [GET tailnet devices](#tailnet-devices-get)
  - [Keys](#tailnet-keys)
@@ -42,9 +41,7 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
    - [POST tailnet DNS searchpaths](#tailnet-dns-searchpaths-post)

 ## Device
-
 <!-- TODO: description about what devices are -->
-
 Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id".
 You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.

@@ -55,23 +52,20 @@ This is your deviceID.
 <a name=device-get></a>

 #### `GET /api/v2/device/:deviceid` - lists the details for a device
-
 Returns the details for the specified device.
 Supply the device of interest in the path using its ID.
 Use the `fields` query parameter to explicitly indicate which fields are returned.

+
 ##### Parameters
-
 ##### Query Parameters
-
 `fields` - Controls which fields will be included in the returned response.
 Currently, supported options are:
-
- `all`: returns all fields in the response.
- `default`: return all fields except:
-  - `enabledRoutes`
-  - `advertisedRoutes`
-  - `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+* `all`: returns all fields in the response.
+* `default`: return all fields except:
+  * `enabledRoutes`
+  * `advertisedRoutes`
+  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)

 Use commas to separate multiple options.
 If more than one option is indicated, then the union is used.
@@ -79,7 +73,6 @@ For example, for `fields=default,all`, all fields are returned.
 If the `fields` parameter is not provided, then the default option is used.

 ##### Example
-
 ```
 GET /api/v2/device/12345
 curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
@@ -87,7 +80,6 @@ curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
 ```

 Response
-
 ```
 {
  "addresses":[
@@ -149,18 +141,16 @@ Response
 <a name=device-delete></a>

 #### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
-
 Deletes the provided device from its tailnet.
 The device must belong to the user's tailnet.
 Deleting shared/external devices is not supported.
 Supply the device of interest in the path using its ID.

-##### Parameters

+##### Parameters
 No parameters.

 ##### Example
-
 ```
 DELETE /api/v2/device/12345
 curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
@@ -170,7 +160,6 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
 Response

 If successful, the response should be empty:
-
 ```
 < HTTP/1.1 200 OK
 ...
@@ -179,13 +168,13 @@ If successful, the response should be empty:
 ```

 If the device is not owned by your tailnet:
-
 ```
 < HTTP/1.1 501 Not Implemented
 ...
 {"message":"cannot delete devices outside of your tailnet"}
 ```

+
 <a name=device-routes-get></a>

 #### `GET /api/v2/device/:deviceID/routes` - fetch subnet routes that are advertised and enabled for a device
@@ -204,7 +193,6 @@ curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
 ```

 Response
-
 ```
 {
   "advertisedRoutes" : [
@@ -225,9 +213,7 @@ Sets which subnet routes are enabled to be routed by a device by replacing the e
 ##### Parameters

 ###### POST Body
-
 `routes` - The new list of enabled subnet routes in JSON.
-
 ```
 {
  "routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]
@@ -268,9 +254,7 @@ Marks a device as authorized, for Tailnets where device authorization is require
 ##### Parameters

 ###### POST Body
-
 `authorized` - whether the device is authorized; only `true` is currently supported.
-
 ```
 {
  "authorized": true
@@ -351,9 +335,9 @@ The response is 2xx on success. The response body is currently an empty JSON
 object.

 ## Tailnet
-
 A tailnet is the name of your Tailscale network.
-You can find it in the [Settings](https://login.tailscale.com/admin/settings/) page of the admin console.
+You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
+

 `alice@example.com` belongs to the `example.com` tailnet and would use the following format for API calls:

@@ -362,10 +346,10 @@ GET /api/v2/tailnet/example.com/...
 curl https://api.tailscale.com/api/v2/tailnet/example.com/...
 ```

+
 For solo plans, the tailnet is the email you signed up with.
 So `alice@gmail.com` has the tailnet `alice@gmail.com` since `@gmail.com` is a shared email host.
 Her API calls would have the following format:
-
 ```
 GET /api/v2/tailnet/alice@gmail.com/...
 curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
@@ -386,19 +370,15 @@ Retrieves the ACL that is currently set for the given tailnet. Supply the tailne
 ##### Parameters

 ###### Headers
-
 `Accept` - Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.

 ##### Returns
-
 Returns the ACL HuJSON by default. Returns a parsed JSON of the ACL (sans comments) if the `Accept` type is explicitly set to `application/json`. An `ETag` header is also sent in the response, which can be optionally used in POST requests to avoid missed updates.
-
 <!-- TODO (chungdaniel): define error types and a set of docs for them -->

 ##### Example

 ###### Requesting a HuJSON response:
-
 ```
 GET /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -408,7 +388,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response
-
 ```
 ...
 Content-Type: application/hujson
@@ -447,7 +426,6 @@ Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
 ```

 ###### Requesting a JSON response:
-
 ```
 GET /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -457,7 +435,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response
-
 ```
 ...
 Content-Type: application/json
@@ -500,7 +477,6 @@ Returns the updated ACL in JSON or HuJSON according to the `Accept` header on su
 ##### Parameters

 ###### Headers
-
 `If-Match` - A request header. Set this value to the ETag header provided in an `ACL GET` request to avoid missed updates.

 `Accept` - Sets the return type of the updated ACL. Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
@@ -510,16 +486,15 @@ Returns the updated ACL in JSON or HuJSON according to the `Accept` header on su
 The POST body should be a JSON or [HuJSON](https://github.com/tailscale/hujson#hujson---human-json) formatted JSON object.
 An ACL policy may contain the following top-level properties:

- `Groups` - Static groups of users which can be used for ACL rules.
- `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
- `ACLs` - Access control lists.
- `TagOwners` - Defines who is allowed to use which tags.
- `Tests` - Run on ACL updates to check correct functionality of defined ACLs.
+* `Groups` - Static groups of users which can be used for ACL rules.
+* `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
+* `ACLs` - Access control lists.
+* `TagOwners` - Defines who is allowed to use which tags.
+* `Tests` - Run on ACL updates to check correct functionality of defined ACLs.

 See https://tailscale.com/kb/1018/acls for more information on those properties.

 ##### Example
-
 ```
 POST /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -549,7 +524,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response:
-
 ```
 // Example/default ACLs for unrestricted connections.
 {
@@ -575,7 +549,6 @@ Response:
 ```

 Failed test error response:
-
 ```
 {
    "message": "test(s) failed",
@@ -599,17 +572,14 @@ Determines what rules match for a user on an ACL without saving the ACL to the s
 ##### Parameters

 ###### Query Parameters
-
 `type` - can be 'user' or 'ipport'
 `previewFor` - if type=user, a user's email. If type=ipport, a IP address + port like "10.0.0.1:80".
 The provided ACL is queried with this parameter to determine which rules match.

 ###### POST Body
-
 ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)

 ##### Example
-
 ```
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFor=user1@example.com&type=user' \
  -u "tskey-yourapikey123:" \
@@ -637,7 +607,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFo
 ```

 Response:
-
 ```
 {"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
 ```
@@ -662,7 +631,6 @@ The POST body should be a JSON formatted array of ACL Tests.
 See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.

 ##### Example with tests
-
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -674,7 +642,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
 ```

 ##### Example with an ACL body
-
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -717,23 +684,21 @@ An empty body or a JSON object with no `message` is returned on success.
 <a name=tailnet-devices-get></a>

 #### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
-
 Lists the devices in a tailnet.
 Supply the tailnet of interest in the path.
 Use the `fields` query parameter to explicitly indicate which fields are returned.

+
 ##### Parameters

 ###### Query Parameters
-
 `fields` - Controls which fields will be included in the returned response.
 Currently, supported options are:
-
- `all`: Returns all fields in the response.
- `default`: return all fields except:
-  - `enabledRoutes`
-  - `advertisedRoutes`
-  - `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+* `all`: Returns all fields in the response.
+* `default`: return all fields except:
+  * `enabledRoutes`
+  * `advertisedRoutes`
+  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)

 Use commas to separate multiple options.
 If more than one option is indicated, then the union is used.
@@ -749,7 +714,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
 ```

 Response
-
 ```
 {
  "devices":[
@@ -812,7 +776,6 @@ for the user who owns the API key used to perform this query.
 Supply the tailnet of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Returns
@@ -829,7 +792,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys' \
 ```

 Response:
-
 ```
 {"keys": [
 	{"id": "kYKVU14CNTRL"},
@@ -850,9 +812,7 @@ Supply the tailnet in the path.
 ##### Parameters

 ###### POST Body
-
 `capabilities` - A mapping of resources to permissible actions.
-
 ```
 {
  "capabilities": {
@@ -899,7 +859,6 @@ echo '{
 ```

 Response:
-
 ```
 {
 	"id":           "k123456CNTRL",
@@ -918,7 +877,6 @@ Returns a JSON object with information about specific key.
 Supply the tailnet and key ID of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Returns
@@ -935,7 +893,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
 ```

 Response:
-
 ```
 {
  "id": "k123456CNTRL",
@@ -965,11 +922,9 @@ Deletes a specific key.
 Supply the tailnet and key ID of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Returns
-
 This reports status 200 upon success.

 ##### Example
@@ -986,12 +941,10 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k12345
 <a name=tailnet-dns-nameservers-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
-
 Lists the DNS nameservers for a tailnet.
 Supply the tailnet of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Example
@@ -1003,7 +956,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
 ```

 Response
-
 ```
 {
  "dns": ["8.8.8.8"],
@@ -1013,17 +965,13 @@ Response
 <a name=tailnet-dns-nameservers-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
-
 Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user.
 Supply the tailnet of interest in the path.
 Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).

 ##### Parameters
-
 ###### POST Body
-
 `dns` - The new list of DNS nameservers in JSON.
-
 ```
 {
  "dns":["8.8.8.8"]
@@ -1031,15 +979,12 @@ Note that changing the list of DNS nameservers may also affect the status of Mag
 ```

 ##### Returns
-
 Returns the new list of nameservers and the status of MagicDNS.

 If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).

 ##### Example
-
 ###### Adding DNS nameservers with the MagicDNS on:
-
 ```
 POST /api/v2/tailnet/example.com/dns/nameservers
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
@@ -1048,7 +993,6 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameserve
 ```

 Response:
-
 ```
 {
  "dns":["8.8.8.8"],
@@ -1057,7 +1001,6 @@ Response:
 ```

 ###### Removing all DNS nameservers with the MagicDNS on:
-
 ```
 POST /api/v2/tailnet/example.com/dns/nameservers
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
@@ -1066,7 +1009,6 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameserve
 ```

 Response:
-
 ```
 {
  "dns":[],
@@ -1077,16 +1019,13 @@ Response:
 <a name=tailnet-dns-preferences-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/preferences` - retrieves the DNS preferences for a tailnet
-
 Retrieves the DNS preferences that are currently set for the given tailnet.
 Supply the tailnet of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Example
-
 ```
 GET /api/v2/tailnet/example.com/dns/preferences
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
@@ -1094,7 +1033,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
 ```

 Response:
-
 ```
 {
  "magicDNS":false,
@@ -1104,7 +1042,6 @@ Response:
 <a name=tailnet-dns-preferences-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet
-
 Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
 Note that MagicDNS is dependent on DNS servers.

@@ -1114,12 +1051,9 @@ Note that removing all nameservers will turn off MagicDNS.
 To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.

 ##### Parameters
-
 ###### POST Body
-
 The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
-`magicDNS` - Automatically registers DNS names for devices in your tailnet.
-
+`magicDNS` -  Automatically registers DNS names for devices in your tailnet.
 ```
 {
  "magicDNS": true
@@ -1127,7 +1061,6 @@ The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
 ```

 ##### Example
-
 ```
 POST /api/v2/tailnet/example.com/dns/preferences
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
@@ -1135,10 +1068,10 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferenc
  --data-binary '{"magicDNS": true}'
 ```

+
 Response:

 If there are no DNS servers, it returns an error message:
-
 ```
 {
  "message":"need at least one nameserver to enable MagicDNS"
@@ -1146,7 +1079,6 @@ If there are no DNS servers, it returns an error message:
 ```

 If there are DNS servers:
-
 ```
 {
  "magicDNS":true,
@@ -1156,16 +1088,14 @@ If there are DNS servers:
 <a name=tailnet-dns-searchpaths-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet
-
 Retrieves the list of search paths that is currently set for the given tailnet.
 Supply the tailnet of interest in the path.

-##### Parameters

+##### Parameters
 No parameters.

 ##### Example
-
 ```
 GET /api/v2/tailnet/example.com/dns/searchpaths
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
@@ -1173,7 +1103,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
 ```

 Response:
-
 ```
 {
  "searchPaths": ["user1.example.com"],
@@ -1183,15 +1112,12 @@ Response:
 <a name=tailnet-dns-searchpaths-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet
-
 Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.

 ##### Parameters

 ###### POST Body
-
 `searchPaths` - A list of searchpaths in JSON.
-
 ```
 {
  "searchPaths": ["user1.example.com", "user2.example.com"]
@@ -1199,7 +1125,6 @@ Replaces the list of searchpaths with the list supplied by the user and returns
 ```

 ##### Example
-
 ```
 POST /api/v2/tailnet/example.com/dns/searchpaths
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
@@ -1208,7 +1133,6 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpat
 ```

 Response:
-
 ```
 {
  "searchPaths": ["user1.example.com", "user2.example.com"],
--- a/atomicfile/atomicfile.go
+++ b/atomicfile/atomicfile.go
@@ -9,15 +9,16 @@
 package atomicfile // import "tailscale.com/atomicfile"

 import (
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
 )

 // WriteFile writes data to filename+some suffix, then renames it
-// into filename. The perm argument is ignored on Windows.
+// into filename.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
 	}
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -45,25 +45,4 @@ EOF
 	exit 0
 fi

-tags=""
-ldflags="-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}"
-
-# build_dist.sh arguments must precede go build arguments.
-while [ "$#" -gt 1 ]; do
-	case "$1" in
-	--extra-small)
-		shift
-		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws"
-		;;
-	--box)
-		shift
-		tags="${tags:+$tags,}ts_include_cli"
-		;;
-	*)
-		break
-		;;
-	esac
-done
-
-exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec ./tool/go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -11,31 +11,15 @@ import (
 	"fmt"
 	"net"
 	"strings"
-	"time"
-)
-
-const (
-	// Maximum amount of time we should wait when reading a response from BIRD.
-	responseTimeout = 10 * time.Second
 )

 // New creates a BIRDClient.
 func New(socket string) (*BIRDClient, error) {
-	return newWithTimeout(socket, responseTimeout)
-}
-
-func newWithTimeout(socket string, timeout time.Duration) (*BIRDClient, error) {
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
-	b := &BIRDClient{
-		socket:  socket,
-		conn:    conn,
-		scanner: bufio.NewScanner(conn),
-		timeNow: time.Now,
-		timeout: timeout,
-	}
+	b := &BIRDClient{socket: socket, conn: conn, scanner: bufio.NewScanner(conn)}
 	// Read and discard the first line as that is the welcome message.
 	if _, err := b.readResponse(); err != nil {
 		return nil, err
@@ -48,8 +32,6 @@ type BIRDClient struct {
 	socket  string
 	conn    net.Conn
 	scanner *bufio.Scanner
-	timeNow func() time.Time
-	timeout time.Duration
 }

 // Close closes the underlying connection to BIRD.
@@ -99,15 +81,10 @@ func (b *BIRDClient) EnableProtocol(protocol string) error {
 // 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.

 func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
-	if err := b.conn.SetWriteDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
 	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
 		return "", err
 	}
-	if _, err := fmt.Fprintln(b.conn); err != nil {
-		return "", err
-	}
+	fmt.Fprintln(b.conn)
 	return b.readResponse()
 }

@@ -128,20 +105,14 @@ func hasResponseCode(s []byte) bool {
 }

 func (b *BIRDClient) readResponse() (string, error) {
-	// Set the read timeout before we start reading anything.
-	if err := b.conn.SetReadDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
-
 	var resp strings.Builder
 	var done bool
 	for !done {
 		if !b.scanner.Scan() {
-			if err := b.scanner.Err(); err != nil {
-				return "", err
-			}
-
-			return "", fmt.Errorf("reading response from bird failed (EOF): %q", resp.String())
+			return "", fmt.Errorf("reading response from bird failed: %q", resp.String())
+		}
+		if err := b.scanner.Err(); err != nil {
+			return "", err
 		}
 		out := b.scanner.Bytes()
 		if _, err := resp.Write(out); err != nil {
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -8,12 +8,9 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"os"
 	"path/filepath"
 	"strings"
-	"sync"
 	"testing"
-	"time"
 )

 type fakeBIRD struct {
@@ -112,82 +109,3 @@ func TestChirp(t *testing.T) {
 		t.Fatalf("disabling %q succeded", "rando")
 	}
 }
-
-type hangingListener struct {
-	net.Listener
-	t    *testing.T
-	done chan struct{}
-	wg   sync.WaitGroup
-	sock string
-}
-
-func newHangingListener(t *testing.T) *hangingListener {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return &hangingListener{
-		Listener: l,
-		t:        t,
-		done:     make(chan struct{}),
-		sock:     sock,
-	}
-}
-
-func (hl *hangingListener) Stop() {
-	hl.Close()
-	close(hl.done)
-	hl.wg.Wait()
-}
-
-func (hl *hangingListener) listen() error {
-	for {
-		c, err := hl.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		hl.wg.Add(1)
-		go hl.handle(c)
-	}
-}
-
-func (hl *hangingListener) handle(c net.Conn) {
-	defer hl.wg.Done()
-
-	// Write our fake first line of response so that we get into the read loop
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-
-	ticker := time.NewTicker(2 * time.Second)
-	defer ticker.Stop()
-	for {
-		select {
-		case <-ticker.C:
-			hl.t.Logf("connection still hanging")
-		case <-hl.done:
-			return
-		}
-	}
-}
-
-func TestChirpTimeout(t *testing.T) {
-	fb := newHangingListener(t)
-	defer fb.Stop()
-	go fb.listen()
-
-	c, err := newWithTimeout(fb.sock, 500*time.Millisecond)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = c.EnableProtocol("tailscale")
-	if err == nil {
-		t.Fatal("got err=nil, want timeout")
-	}
-	if !os.IsTimeout(err) {
-		t.Fatalf("got err=%v, want os.IsTimeout(err)=true", err)
-	}
-}
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package tailscale

@@ -13,7 +13,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"net/netip"
+
+	"inet.af/netaddr"
 )

 // ACLRow defines a rule that grants access by a set of users or groups to a set
@@ -353,7 +354,7 @@ func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (r
 // Returns ACLPreview on success with matches in a slice. If there are no matches,
 // the call is still successful but Matches will be an empty slice.
 // Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.AddrPort) (res *ACLPreview, err error) {
+func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netaddr.IPPort) (res *ACLPreview, err error) {
 	// Format return errors to be descriptive.
 	defer func() {
 		if err != nil {
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package tailscale

--- a/client/tailscale/dns.go
+++ b/client/tailscale/dns.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package tailscale

--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package tailscale

@@ -15,10 +15,10 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/httptrace"
-	"net/netip"
 	"net/url"
 	"os/exec"
 	"runtime"
@@ -28,6 +28,7 @@ import (
 	"time"

 	"go4.org/mem"
+	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -35,7 +36,6 @@ import (
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tka"
 )

 // defaultLocalClient is the default LocalClient when using the legacy
@@ -136,7 +136,7 @@ func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Respons
 			onVersionMismatch(ipn.IPCVersion(), server)
 		}
 		if res.StatusCode == 403 {
-			all, _ := io.ReadAll(res.Body)
+			all, _ := ioutil.ReadAll(res.Body)
 			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
 		}
 		return res, nil
@@ -206,7 +206,7 @@ func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus
 		return nil, err
 	}
 	defer res.Body.Close()
-	slurp, err := io.ReadAll(res.Body)
+	slurp, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -364,7 +364,7 @@ func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc
 		return nil, 0, fmt.Errorf("unexpected chunking")
 	}
 	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
+		body, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
 		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
 	}
@@ -665,7 +665,7 @@ func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn str

 // Ping sends a ping of the provided type to the provided IP and waits
 // for its response.
-func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
+func (lc *LocalClient) Ping(ctx context.Context, ip netaddr.IP, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
 	v := url.Values{}
 	v.Set("ip", ip.String())
 	v.Set("type", string(pingtype))
@@ -680,42 +680,6 @@ func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg
 	return pr, nil
 }

-// NetworkLockStatus fetches information about the tailnet key authority, if one is configured.
-func (lc *LocalClient) NetworkLockStatus(ctx context.Context) (*ipnstate.NetworkLockStatus, error) {
-	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/status", 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
-	}
-	pr := new(ipnstate.NetworkLockStatus)
-	if err := json.Unmarshal(body, pr); err != nil {
-		return nil, err
-	}
-	return pr, nil
-}
-
-// NetworkLockInit initializes the tailnet key authority.
-func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
-	var b bytes.Buffer
-	type initRequest struct {
-		Keys []tka.Key
-	}
-
-	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys}); err != nil {
-		return nil, err
-	}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/init", 200, &b)
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
-	}
-
-	pr := new(ipnstate.NetworkLockStatus)
-	if err := json.Unmarshal(body, pr); err != nil {
-		return nil, err
-	}
-	return pr, nil
-}
-
 // tailscaledConnectHint gives a little thing about why tailscaled (or
 // platform equivalent) is not answering localapi connections.
 //
--- a/client/tailscale/required_version.go
+++ b/client/tailscale/required_version.go
@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !go1.19
-// +build !go1.19
+//go:build !go1.18
+// +build !go1.18

 package tailscale

 func init() {
-	you_need_Go_1_19_to_compile_Tailscale()
+	you_need_Go_1_18_to_compile_Tailscale()
 }
--- a/client/tailscale/routes.go
+++ b/client/tailscale/routes.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package tailscale

@@ -13,14 +13,15 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"net/netip"
+
+	"inet.af/netaddr"
 )

 // Routes contains the lists of subnet routes that are currently advertised by a device,
 // as well as the subnets that are enabled to be routed by the device.
 type Routes struct {
-	AdvertisedRoutes []netip.Prefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netip.Prefix `json:"enabledRoutes"`
+	AdvertisedRoutes []netaddr.IPPrefix `json:"advertisedRoutes"`
+	EnabledRoutes    []netaddr.IPPrefix `json:"enabledRoutes"`
 }

 // Routes retrieves the list of subnet routes that have been enabled for a device.
@@ -55,14 +56,14 @@ func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, e
 }

 type postRoutesParams struct {
-	Routes []netip.Prefix `json:"routes"`
+	Routes []netaddr.IPPrefix `json:"routes"`
 }

 // SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by net/netip.ParsePrefix.
+// Subnets must be parsable by inet.af/netaddr.ParseIPPrefix.
 // Subnets do not have to be currently advertised by a device, they may be pre-enabled.
 // Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip.Prefix) (routes *Routes, err error) {
+func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netaddr.IPPrefix) (routes *Routes, err error) {
 	defer func() {
 		if err != nil {
 			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
--- a/client/tailscale/tailnet.go
+++ b/client/tailscale/tailnet.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package tailscale

--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 // Package tailscale contains Go clients for the Tailscale Local API and
 // Tailscale control plane API.
@@ -17,6 +17,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 )

@@ -130,7 +131,7 @@ func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error)

 	// Read response. Limit the response to 10MB.
 	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := io.ReadAll(body)
+	b, err := ioutil.ReadAll(body)
 	if len(b) > maxReadSize {
 		err = errors.New("API response too large")
 	}
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -153,25 +153,18 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 			}
 			writef("}")
 		case *types.Map:
-			elem := ft.Elem()
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
-			if sliceType, isSlice := elem.(*types.Slice); isSlice {
+			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(ft.Elem()))
+			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
 				n := it.QualifiedName(sliceType.Elem())
 				writef("\tfor k := range src.%s {", fname)
 				// use zero-length slice instead of nil to ensure
 				// the key is always copied.
 				writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
 				writef("\t}")
-			} else if codegen.ContainsPointers(elem) {
+			} else if codegen.ContainsPointers(ft.Elem()) {
 				writef("\tfor k, v := range src.%s {", fname)
-				switch elem.(type) {
-				case *types.Pointer:
-					writef("\t\tdst.%s[k] = v.Clone()", fname)
-				default:
-					writef("\t\tv2 := v.Clone()")
-					writef("\t\tdst.%s[k] = *v2", fname)
-				}
+				writef("\t\tdst.%s[k] = v.Clone()", fname)
 				writef("\t}")
 			} else {
 				writef("\tfor k, v := range src.%s {", fname)
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -12,36 +12,20 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"sync/atomic"
 	"time"
-
-	"tailscale.com/syncs"
 )

-const refreshTimeout = time.Minute
+var dnsCache atomic.Value // of []byte

-type dnsEntryMap map[string][]net.IP
-
-var (
-	dnsCache            syncs.AtomicValue[dnsEntryMap]
-	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
-	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
-)
-
-var (
-	bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
-	publishedDNSHits     = expvar.NewInt("counter_bootstrap_dns_published_hits")
-	publishedDNSMisses   = expvar.NewInt("counter_bootstrap_dns_published_misses")
-	unpublishedDNSHits   = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
-	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
-)
+var bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")

 func refreshBootstrapDNSLoop() {
-	if *bootstrapDNS == "" && *unpublishedDNS == "" {
+	if *bootstrapDNS == "" {
 		return
 	}
 	for {
 		refreshBootstrapDNS()
-		refreshUnpublishedDNS()
 		time.Sleep(10 * time.Minute)
 	}
 }
@@ -50,34 +34,10 @@ func refreshBootstrapDNS() {
 	if *bootstrapDNS == "" {
 		return
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
+	dnsEntries := make(map[string][]net.IP)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
-	j, err := json.MarshalIndent(dnsEntries, "", "\t")
-	if err != nil {
-		// leave the old values in place
-		return
-	}
-
-	dnsCache.Store(dnsEntries)
-	dnsCacheBytes.Store(j)
-}
-
-func refreshUnpublishedDNS() {
-	if *unpublishedDNS == "" {
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
-	defer cancel()
-
-	dnsEntries := resolveList(ctx, strings.Split(*unpublishedDNS, ","))
-	unpublishedDNSCache.Store(dnsEntries)
-}
-
-func resolveList(ctx context.Context, names []string) dnsEntryMap {
-	dnsEntries := make(dnsEntryMap)
-
+	names := strings.Split(*bootstrapDNS, ",")
 	var r net.Resolver
 	for _, name := range names {
 		addrs, err := r.LookupIP(ctx, "ip", name)
@@ -87,47 +47,21 @@ func resolveList(ctx context.Context, names []string) dnsEntryMap {
 		}
 		dnsEntries[name] = addrs
 	}
-	return dnsEntries
+	j, err := json.MarshalIndent(dnsEntries, "", "\t")
+	if err != nil {
+		// leave the old values in place
+		return
+	}
+	dnsCache.Store(j)
 }

 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	bootstrapDNSRequests.Add(1)
-
 	w.Header().Set("Content-Type", "application/json")
-	// Bootstrap DNS requests occur cross-regions, and are randomized per
-	// request, so keeping a connection open is pointlessly expensive.
+	j, _ := dnsCache.Load().([]byte)
+	// Bootstrap DNS requests occur cross-regions,
+	// and are randomized per request,
+	// so keeping a connection open is pointlessly expensive.
 	w.Header().Set("Connection", "close")
-
-	// Try answering a query from our hidden map first
-	if q := r.URL.Query().Get("q"); q != "" {
-		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
-			unpublishedDNSHits.Add(1)
-
-			// Only return the specific query, not everything.
-			m := dnsEntryMap{q: ips}
-			j, err := json.MarshalIndent(m, "", "\t")
-			if err == nil {
-				w.Write(j)
-				return
-			}
-		}
-
-		// If we have a "q" query for a name in the published cache
-		// list, then track whether that's a hit/miss.
-		if m, ok := dnsCache.Load()[q]; ok {
-			if len(m) > 0 {
-				publishedDNSHits.Add(1)
-			} else {
-				publishedDNSMisses.Add(1)
-			}
-		} else {
-			// If it wasn't in either cache, treat this as a query
-			// for the unpublished cache, and thus a cache miss.
-			unpublishedDNSMisses.Add(1)
-		}
-	}
-
-	// Fall back to returning the public set of cached DNS names
-	j := dnsCacheBytes.Load()
 	w.Write(j)
 }
--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@@ -5,12 +5,7 @@
 package main

 import (
-	"encoding/json"
-	"net"
 	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"reflect"
 	"testing"
 )

@@ -22,12 +17,11 @@ func BenchmarkHandleBootstrapDNS(b *testing.B) {
 	}()
 	refreshBootstrapDNS()
 	w := new(bitbucketResponseWriter)
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)
 	b.ReportAllocs()
 	b.ResetTimer()
 	b.RunParallel(func(b *testing.PB) {
 		for b.Next() {
-			handleBootstrapDNS(w, req)
+			handleBootstrapDNS(w, nil)
 		}
 	})
 }
@@ -39,116 +33,3 @@ func (b *bitbucketResponseWriter) Header() http.Header { return make(http.Header
 func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p), nil }

 func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
-
-func getBootstrapDNS(t *testing.T, q string) dnsEntryMap {
-	t.Helper()
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape(q), nil)
-	w := httptest.NewRecorder()
-	handleBootstrapDNS(w, req)
-
-	res := w.Result()
-	if res.StatusCode != 200 {
-		t.Fatalf("got status=%d; want %d", res.StatusCode, 200)
-	}
-	var ips dnsEntryMap
-	if err := json.NewDecoder(res.Body).Decode(&ips); err != nil {
-		t.Fatalf("error decoding response body: %v", err)
-	}
-	return ips
-}
-
-func TestUnpublishedDNS(t *testing.T) {
-	const published = "login.tailscale.com"
-	const unpublished = "log.tailscale.io"
-
-	prev1, prev2 := *bootstrapDNS, *unpublishedDNS
-	*bootstrapDNS = published
-	*unpublishedDNS = unpublished
-	t.Cleanup(func() {
-		*bootstrapDNS = prev1
-		*unpublishedDNS = prev2
-	})
-
-	refreshBootstrapDNS()
-	refreshUnpublishedDNS()
-
-	hasResponse := func(q string) bool {
-		_, found := getBootstrapDNS(t, q)[q]
-		return found
-	}
-
-	if !hasResponse(published) {
-		t.Errorf("expected response for: %s", published)
-	}
-	if !hasResponse(unpublished) {
-		t.Errorf("expected response for: %s", unpublished)
-	}
-
-	// Verify that querying for a random query or a real query does not
-	// leak our unpublished domain
-	m1 := getBootstrapDNS(t, published)
-	if _, found := m1[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m1)
-	}
-	m2 := getBootstrapDNS(t, "random.example.com")
-	if _, found := m2[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m2)
-	}
-}
-
-func resetMetrics() {
-	publishedDNSHits.Set(0)
-	publishedDNSMisses.Set(0)
-	unpublishedDNSHits.Set(0)
-	unpublishedDNSMisses.Set(0)
-}
-
-// Verify that we don't count an empty list in the unpublishedDNSCache as a
-// cache hit in our metrics.
-func TestUnpublishedDNSEmptyList(t *testing.T) {
-	pub := dnsEntryMap{
-		"tailscale.com": {net.IPv4(10, 10, 10, 10)},
-	}
-	dnsCache.Store(pub)
-	dnsCacheBytes.Store([]byte(`{"tailscale.com":["10.10.10.10"]}`))
-
-	unpublishedDNSCache.Store(dnsEntryMap{
-		"log.tailscale.io":           {},
-		"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
-	})
-
-	t.Run("CacheMiss", func(t *testing.T) {
-		// One domain in map but empty, one not in map at all
-		for _, q := range []string{"log.tailscale.io", "login.tailscale.com"} {
-			resetMetrics()
-			ips := getBootstrapDNS(t, q)
-
-			// Expected our public map to be returned on a cache miss
-			if !reflect.DeepEqual(ips, pub) {
-				t.Errorf("got ips=%+v; want %+v", ips, pub)
-			}
-			if v := unpublishedDNSHits.Value(); v != 0 {
-				t.Errorf("got hits=%d; want 0", v)
-			}
-			if v := unpublishedDNSMisses.Value(); v != 1 {
-				t.Errorf("got misses=%d; want 1", v)
-			}
-		}
-	})
-
-	// Verify that we do get a valid response and metric.
-	t.Run("CacheHit", func(t *testing.T) {
-		resetMetrics()
-		ips := getBootstrapDNS(t, "controlplane.tailscale.com")
-		want := dnsEntryMap{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
-		if !reflect.DeepEqual(ips, want) {
-			t.Errorf("got ips=%+v; want %+v", ips, want)
-		}
-		if v := unpublishedDNSHits.Value(); v != 1 {
-			t.Errorf("got hits=%d; want 1", v)
-		}
-		if v := unpublishedDNSMisses.Value(); v != 0 {
-			t.Errorf("got misses=%d; want 0", v)
-		}
-	})
-}
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -20,11 +20,6 @@ var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)

 type certProvider interface {
 	// TLSConfig creates a new TLS config suitable for net/http.Server servers.
-	//
-	// The returned Config must have a GetCertificate function set and that
-	// function must return a unique *tls.Certificate for each call. The
-	// returned *tls.Certificate will be mutated by the caller to append to the
-	// (*tls.Certificate).Certificate field.
 	TLSConfig() *tls.Config
 	// HTTPHandler handle ACME related request, if any.
 	HTTPHandler(fallback http.Handler) http.Handler
@@ -92,13 +87,7 @@ func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certif
 	if hi.ServerName != m.hostname {
 		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
 	}
-
-	// Return a shallow copy of the cert so the caller can append to its
-	// Certificate field.
-	certCopy := new(tls.Certificate)
-	*certCopy = *m.cert
-	certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
-	return certCopy, nil
+	return m.cert, nil
 }

 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -1,197 +0,0 @@
-tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depaware)
-
-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
-   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
-        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
-   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
-   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter
-   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
-        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
-        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
-        tailscale.com                                                from tailscale.com/version
-        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
-        tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale
-        tailscale.com/derp                                           from tailscale.com/cmd/derper+
-        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
-        tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/envknob                                        from tailscale.com/derp+
-        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
-        tailscale.com/ipn                                            from tailscale.com/client/tailscale
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-     💣 tailscale.com/metrics                                        from tailscale.com/cmd/derper+
-        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
-        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
-     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
-        tailscale.com/net/netknob                                    from tailscale.com/net/netns
-        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
-        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
-        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
-        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
-        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-        tailscale.com/paths                                          from tailscale.com/client/tailscale
-        tailscale.com/safesocket                                     from tailscale.com/client/tailscale
-        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
-        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
-        tailscale.com/tka                                            from tailscale.com/client/tailscale
-   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
-        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
-        tailscale.com/types/empty                                    from tailscale.com/ipn
-        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
-        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
-        tailscale.com/types/netmap                                   from tailscale.com/ipn
-        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
-        tailscale.com/types/pad32                                    from tailscale.com/derp
-        tailscale.com/types/persist                                  from tailscale.com/ipn
-        tailscale.com/types/preftype                                 from tailscale.com/ipn
-        tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
-        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
-        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
-   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
-        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
-   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
-        tailscale.com/version                                        from tailscale.com/derp+
-        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
-        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
-        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
-        golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/blake2s                                  from tailscale.com/tka
-        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
-        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
-        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
-        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
-        golang.org/x/crypto/curve25519                               from crypto/tls+
-        golang.org/x/crypto/hkdf                                     from crypto/tls
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
-        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
-        golang.org/x/net/dns/dnsmessage                              from net+
-        golang.org/x/net/http/httpguts                               from net/http
-        golang.org/x/net/http/httpproxy                              from net/http
-        golang.org/x/net/http2/hpack                                 from net/http
-        golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
-        golang.org/x/net/proxy                                       from tailscale.com/net/netns
-   D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
-   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
-   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
-        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
-        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
-        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
-        golang.org/x/time/rate                                       from tailscale.com/cmd/derper+
-        bufio                                                        from compress/flate+
-        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from internal/profile+
-        container/list                                               from crypto/tls+
-        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdsa+
-        crypto/aes                                                   from crypto/ecdsa+
-        crypto/cipher                                                from crypto/aes+
-        crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509
-        crypto/ecdsa                                                 from crypto/tls+
-        crypto/ed25519                                               from crypto/tls+
-        crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls+
-        crypto/md5                                                   from crypto/tls+
-        crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls
-        crypto/rsa                                                   from crypto/tls+
-        crypto/sha1                                                  from crypto/tls+
-        crypto/sha256                                                from crypto/tls+
-        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from golang.org/x/crypto/acme+
-        crypto/x509                                                  from crypto/tls+
-        crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from crypto/internal/nistec+
-        encoding                                                     from encoding/json+
-        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
-        encoding/base64                                              from encoding/json+
-        encoding/binary                                              from compress/gzip+
-        encoding/hex                                                 from crypto/x509+
-        encoding/json                                                from expvar+
-        encoding/pem                                                 from crypto/tls+
-        errors                                                       from bufio+
-        expvar                                                       from tailscale.com/cmd/derper+
-        flag                                                         from tailscale.com/cmd/derper
-        fmt                                                          from compress/flate+
-        hash                                                         from crypto+
-        hash/crc32                                                   from compress/gzip+
-        hash/maphash                                                 from go4.org/mem
-        html                                                         from net/http/pprof+
-        io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from github.com/mitchellh/go-ps+
-        log                                                          from expvar+
-        math                                                         from compress/flate+
-        math/big                                                     from crypto/dsa+
-        math/bits                                                    from compress/flate+
-        math/rand                                                    from github.com/mdlayher/netlink+
-        mime                                                         from mime/multipart+
-        mime/multipart                                               from net/http
-        mime/quotedprintable                                         from mime/multipart
-        net                                                          from crypto/tls+
-        net/http                                                     from expvar+
-        net/http/httptrace                                           from net/http+
-        net/http/internal                                            from net/http
-        net/http/pprof                                               from tailscale.com/tsweb
-        net/netip                                                    from go4.org/netipx+
-        net/textproto                                                from golang.org/x/net/http/httpguts+
-        net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
-        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-        path                                                         from golang.org/x/crypto/acme/autocert+
-        path/filepath                                                from crypto/x509+
-        reflect                                                      from crypto/x509+
-        regexp                                                       from internal/profile+
-        regexp/syntax                                                from regexp
-        runtime/debug                                                from golang.org/x/crypto/acme+
-        runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof
-        sort                                                         from compress/flate+
-        strconv                                                      from compress/flate+
-        strings                                                      from bufio+
-        sync                                                         from compress/flate+
-        sync/atomic                                                  from context+
-        syscall                                                      from crypto/rand+
-        text/tabwriter                                               from runtime/pprof
-        time                                                         from compress/gzip+
-        unicode                                                      from bytes+
-        unicode/utf16                                                from crypto/x509+
-        unicode/utf8                                                 from bufio+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -14,22 +14,22 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"math"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"

-	"go4.org/mem"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/logpolicy"
 	"tailscale.com/metrics"
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
@@ -37,22 +37,21 @@ import (
 )

 var (
-	dev        = flag.Bool("dev", false, "run in localhost development mode")
-	addr       = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
-	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	configPath = flag.String("c", "", "config file path")
-	certMode   = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
-	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
-	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
-	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
-	runDERP    = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
+	dev           = flag.Bool("dev", false, "run in localhost development mode")
+	addr          = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
+	httpPort      = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	stunPort      = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	configPath    = flag.String("c", "", "config file path")
+	certMode      = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
+	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
+	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	runSTUN       = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")

-	meshPSKFile    = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith       = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS   = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	unpublishedDNS = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
-	verifyClients  = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
+	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+	bootstrapDNS  = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
+	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")

 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
@@ -98,7 +97,7 @@ func loadConfig() config {
 		}
 		log.Printf("no config path specified; using %s", *configPath)
 	}
-	b, err := os.ReadFile(*configPath)
+	b, err := ioutil.ReadFile(*configPath)
 	switch {
 	case errors.Is(err, os.ErrNotExist):
 		return writeNewConfig()
@@ -136,6 +135,7 @@ func main() {
 	flag.Parse()

 	if *dev {
+		*logCollection = ""
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
 		tsweb.DevMode = true
@@ -146,6 +146,12 @@ func main() {
 		log.Fatalf("invalid server address: %v", err)
 	}

+	var logPol *logpolicy.Policy
+	if *logCollection != "" {
+		logPol = logpolicy.New(*logCollection)
+		log.SetOutput(logPol.Logtail)
+	}
+
 	cfg := loadConfig()

 	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"
@@ -154,7 +160,7 @@ func main() {
 	s.SetVerifyClient(*verifyClients)

 	if *meshPSKFile != "" {
-		b, err := os.ReadFile(*meshPSKFile)
+		b, err := ioutil.ReadFile(*meshPSKFile)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -171,15 +177,9 @@ func main() {
 	expvar.Publish("derp", s.ExpVar())

 	mux := http.NewServeMux()
-	if *runDERP {
-		derpHandler := derphttp.Handler(s)
-		derpHandler = addWebSocketSupport(s, derpHandler)
-		mux.Handle("/derp", derpHandler)
-	} else {
-		mux.Handle("/derp", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			http.Error(w, "derp server disabled", http.StatusNotFound)
-		}))
-	}
+	derpHandler := derphttp.Handler(s)
+	derpHandler = addWebSocketSupport(s, derpHandler)
+	mux.Handle("/derp", derpHandler)
 	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
 	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
@@ -195,17 +195,10 @@ func main() {
  server.
 </p>
 `)
-		if !*runDERP {
-			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
-		}
 		if tsweb.AllowDebugAccess(r) {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
-	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		io.WriteString(w, "User-agent: *\nDisallow: /\n")
-	}))
-	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
 	debug := tsweb.Debugger(mux)
 	debug.KV("TLS hostname", *hostname)
 	debug.KV("Mesh key", s.HasMeshKey())
@@ -223,11 +216,9 @@ func main() {
 		go serveSTUN(listenHost, *stunPort)
 	}

-	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
-		Addr:     *addr,
-		Handler:  mux,
-		ErrorLog: quietLogger,
+		Addr:    *addr,
+		Handler: mux,

 		// Set read/write timeout. For derper, this basically
 		// only affects TLS setup, as read/write deadlines are
@@ -293,13 +284,9 @@ func main() {
 		})
 		if *httpPort > -1 {
 			go func() {
-				port80mux := http.NewServeMux()
-				port80mux.HandleFunc("/generate_204", serveNoContent)
-				port80mux.Handle("/", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 				port80srv := &http.Server{
 					Addr:        net.JoinHostPort(listenHost, fmt.Sprintf("%d", *httpPort)),
-					Handler:     port80mux,
-					ErrorLog:    quietLogger,
+					Handler:     certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}),
 					ReadTimeout: 30 * time.Second,
 					// Crank up WriteTimeout a bit more than usually
 					// necessary just so we can do long CPU profiles
@@ -325,11 +312,6 @@ func main() {
 	}
 }

-// For captive portal detection
-func serveNoContent(w http.ResponseWriter, r *http.Request) {
-	w.WriteHeader(http.StatusNoContent)
-}
-
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {
@@ -383,8 +365,7 @@ func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
 		} else {
 			stunIPv6.Add(1)
 		}
-		addr, _ := netip.AddrFromSlice(ua.IP)
-		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
+		res := stun.Response(txid, ua.IP, uint16(ua.Port))
 		_, err = pc.WriteTo(res, ua)
 		if err != nil {
 			stunWriteError.Add(1)
@@ -475,22 +456,3 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	l.numAccepts.Add(1)
 	return cn, nil
 }
-
-// logFilter is used to filter out useless error logs that are logged to
-// the net/http.Server.ErrorLog logger.
-type logFilter struct{}
-
-func (logFilter) Write(p []byte) (int, error) {
-	b := mem.B(p)
-	if mem.HasSuffix(b, mem.S(": EOF\n")) ||
-		mem.HasSuffix(b, mem.S(": i/o timeout\n")) ||
-		mem.HasSuffix(b, mem.S(": read: connection reset by peer\n")) ||
-		mem.HasSuffix(b, mem.S(": remote error: tls: bad certificate\n")) ||
-		mem.HasSuffix(b, mem.S(": tls: first record does not look like a TLS handshake\n")) {
-		// Skip this log message, but say that we processed it
-		return len(p), nil
-	}
-
-	log.Printf("%s", p)
-	return len(p), nil
-}
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -33,12 +33,6 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 			Subprotocols:   []string{"derp"},
 			OriginPatterns: []string{"*"},
-			// Disable compression because we transmit WireGuard messages that
-			// are not compressible.
-			// Additionally, Safari has a broken implementation of compression
-			// (see https://github.com/nhooyr/websocket/issues/218) that makes
-			// enabling it actively harmful.
-			CompressionMode: websocket.CompressionDisabled,
 		})
 		if err != nil {
 			log.Printf("websocket.Accept: %v", err)
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -360,7 +360,7 @@ func probeUDP(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (la
 				time.Sleep(100 * time.Millisecond)
 				continue
 			}
-			txBack, _, err := stun.ParseResponse(buf[:n])
+			txBack, _, _, err := stun.ParseResponse(buf[:n])
 			if err != nil {
 				return 0, fmt.Errorf("parsing STUN response from %v: %v", ip, err)
 			}
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -8,7 +8,6 @@
 package main

 import (
-	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/json"
@@ -31,14 +30,17 @@ var (
 	cacheFname   = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash")
 	timeout      = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
 	githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
+
+	modifiedExternallyFailure = make(chan struct{}, 1)
 )

 func modifiedExternallyError() {
 	if *githubSyntax {
-		fmt.Printf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname)
+		fmt.Printf("::error file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname)
 	} else {
 		fmt.Printf("The policy file was modified externally in the admin console.\n")
 	}
+	modifiedExternallyFailure <- struct{}{}
 }

 func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
@@ -205,6 +207,10 @@ func main() {
 		fmt.Println(err)
 		os.Exit(1)
 	}
+
+	if len(modifiedExternallyFailure) != 0 {
+		os.Exit(1)
+	}
 }

 func sumFile(fname string) (string, error) {
@@ -265,16 +271,13 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 }

 func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error {
-	data, err := os.ReadFile(policyFname)
-	if err != nil {
-		return err
-	}
-	data, err = hujson.Standardize(data)
+	fin, err := os.Open(policyFname)
 	if err != nil {
 		return err
 	}
+	defer fin.Close()

-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), fin)
 	if err != nil {
 		return err
 	}
@@ -288,6 +291,12 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error
 	}
 	defer resp.Body.Close()

+	got := resp.StatusCode
+	want := http.StatusOK
+	if got != want {
+		return fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
+	}
+
 	var ate ACLTestError
 	err = json.NewDecoder(resp.Body).Decode(&ate)
 	if err != nil {
@@ -298,12 +307,6 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error
 		return ate
 	}

-	got := resp.StatusCode
-	want := http.StatusOK
-	if got != want {
-		return fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
-	}
-
 	return nil
 }

--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -13,6 +13,7 @@ import (
 	"errors"
 	"flag"
 	"html/template"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -105,7 +106,7 @@ func devMode() bool { return *httpsAddr == "" && *httpAddr != "" }

 func getTmpl() (*template.Template, error) {
 	if devMode() {
-		tmplData, err := os.ReadFile("hello.tmpl.html")
+		tmplData, err := ioutil.ReadFile("hello.tmpl.html")
 		if os.IsNotExist(err) {
 			log.Printf("using baked-in template in dev mode; can't find hello.tmpl.html in current directory")
 			return tmpl, nil
@@ -134,13 +135,13 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 		return ""
 	}
 	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.Addr().Is4() && nodeIP.IsSingleIP() {
-			return nodeIP.Addr().String()
+		if nodeIP.IP().Is4() && nodeIP.IsSingleIP() {
+			return nodeIP.IP().String()
 		}
 	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.IsSingleIP() {
-			return nodeIP.Addr().String()
+			return nodeIP.IP().String()
 		}
 	}
 	return ""
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@@ -63,19 +63,17 @@ func main() {
 			return
 		}

-		// tailnet of connected node. When accessing shared nodes, this
-		// will be empty because the tailnet of the sharee is not exposed.
-		var tailnet string
-
-		if !info.Node.Hostinfo.ShareeNode() {
-			var ok bool
-			_, tailnet, ok = strings.Cut(info.Node.Name, info.Node.ComputedName+".")
-			if !ok {
-				w.WriteHeader(http.StatusUnauthorized)
-				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-				return
-			}
-			tailnet = strings.TrimSuffix(tailnet, ".beta.tailscale.net")
+		_, tailnet, ok := strings.Cut(info.Node.Name, info.Node.ComputedName+".")
+		if !ok {
+			w.WriteHeader(http.StatusUnauthorized)
+			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+			return
+		}
+		tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
+		if !ok {
+			w.WriteHeader(http.StatusUnauthorized)
+			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+			return
 		}

 		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
--- a/cmd/proxy-to-grafana/proxy-to-grafana.go
+++ b/cmd/proxy-to-grafana/proxy-to-grafana.go
@@ -14,14 +14,14 @@
 //
 // Use this Grafana configuration to enable the auth proxy:
 //
-//	[auth.proxy]
-//	enabled = true
-//	header_name = X-WEBAUTH-USER
-//	header_property = username
-//	auto_sign_up = true
-//	whitelist = 127.0.0.1
-//	headers = Name:X-WEBAUTH-NAME
-//	enable_login_token = true
+//     [auth.proxy]
+//     enabled = true
+//     header_name = X-WEBAUTH-USER
+//     header_property = username
+//     auto_sign_up = true
+//     whitelist = 127.0.0.1
+//     headers = Name:X-WEBAUTH-NAME
+//     enable_login_token = true
 package main

 import (
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -29,7 +29,7 @@ var certCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
+		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
 		return fs
 	})(),
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -29,6 +29,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
+	"tailscale.com/syncs"
 	"tailscale.com/version/distro"
 )

@@ -169,8 +170,6 @@ change in the future.
 			fileCmd,
 			bugReportCmd,
 			certCmd,
-			netlockCmd,
-			licensesCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
@@ -231,6 +230,8 @@ var rootArgs struct {
 	socket string
 }

+var gotSignal syncs.AtomicBool
+
 func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
 	s := safesocket.DefaultConnectionStrategy(rootArgs.socket)
 	c, err := safesocket.Connect(s)
@@ -256,6 +257,7 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 			signal.Reset(syscall.SIGINT, syscall.SIGTERM)
 			return
 		}
+		gotSignal.Set(true)
 		c.Close()
 		cancel()
 	}()
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -9,13 +9,13 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"net/netip"
 	"reflect"
 	"strings"
 	"testing"

 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tstest"
@@ -56,7 +56,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		flags    []string // argv to be parsed by FlagSet
 		curPrefs *ipn.Prefs

-		curExitNodeIP netip.Addr
+		curExitNodeIP netaddr.IP
 		curUser       string // os.Getenv("USER") on the client side
 		goos          string // empty means "linux"
 		distro        distro.Distro
@@ -152,10 +152,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-routes=10.0.42.0/24 --advertise-exit-node",
@@ -168,10 +168,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: "",
@@ -184,10 +184,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.42.0/24"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
 			want: "",
@@ -212,8 +212,8 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,

-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -226,10 +226,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -255,16 +255,16 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
-				ExitNodeIP:       netip.MustParseAddr("100.64.5.6"),
+				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
 				CorpDNS:          false,
 				ShieldsUp:        true,
 				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
 				Hostname:         "myhostname",
 				ForceDaemon:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.0.0/16"),
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterNoDivert,
 				OperatorUser:  "alice",
@@ -280,14 +280,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
-				ExitNodeIP:       netip.MustParseAddr("100.64.5.6"),
+				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
 				CorpDNS:          false,
 				ShieldsUp:        true,
 				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
 				Hostname:         "myhostname",
 				ForceDaemon:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("10.0.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
 				},
 				NetfilterMode: preftype.NetfilterNoDivert,
 				OperatorUser:  "alice",
@@ -344,10 +344,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --operator=expbits --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -360,10 +360,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
-					netip.MustParsePrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-routes=1.2.0.0/16 --operator=expbits --advertise-exit-node",
@@ -391,14 +391,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,

-				ExitNodeIP: netip.MustParseAddr("100.64.5.4"),
+				ExitNodeIP: netaddr.MustParseIP("100.64.5.4"),
 			},
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.4",
 		},
 		{
 			name:          "error_exit_node_omit_with_id_pref",
 			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netip.MustParseAddr("100.64.5.7"),
+			curExitNodeIP: netaddr.MustParseIP("100.64.5.7"),
 			curPrefs: &ipn.Prefs{
 				ControlURL:       ipn.DefaultControlURL,
 				AllowSingleHosts: true,
@@ -412,7 +412,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		{
 			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
 			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
+			curExitNodeIP: netaddr.MustParseIP("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
 				ControlURL:       ipn.DefaultControlURL,
 				AllowSingleHosts: true,
@@ -562,9 +562,9 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				WantRunning:      true,
 				AllowSingleHosts: true,
 				CorpDNS:          true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("0.0.0.0/0"),
-					netip.MustParsePrefix("::/0"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterOn,
 			},
@@ -631,7 +631,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				exitNodeIP: "100.105.106.107",
 			},
 			st: &ipnstate.Status{
-				TailscaleIPs: []netip.Addr{netip.MustParseAddr("100.105.106.107")},
+				TailscaleIPs: []netaddr.IP{netaddr.MustParseIP("100.105.106.107")},
 			},
 			wantErr: `cannot use 100.105.106.107 as an exit node as it is a local IP address to this machine; did you mean --advertise-exit-node?`,
 		},
@@ -671,8 +671,8 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			want: &ipn.Prefs{
 				WantRunning: true,
 				NoSNAT:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
 				},
 			},
 		},
@@ -762,9 +762,6 @@ func TestPrefFlagMapping(t *testing.T) {
 		case "NotepadURLs":
 			// TODO(bradfitz): https://github.com/tailscale/tailscale/issues/1830
 			continue
-		case "Egg":
-			// Not applicable.
-			continue
 		}
 		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
 	}
@@ -789,10 +786,6 @@ func TestUpdatePrefs(t *testing.T) {
 		curPrefs *ipn.Prefs
 		env      upCheckEnv // empty goos means "linux"

-		// sshOverTailscale specifies if the cmd being run over SSH over Tailscale.
-		// It is used to test the --accept-risks flag.
-		sshOverTailscale bool
-
 		// checkUpdatePrefsMutations, if non-nil, is run with the new prefs after
 		// updatePrefs might've mutated them (from applyImplicitPrefs).
 		checkUpdatePrefsMutations func(t *testing.T, newPrefs *ipn.Prefs)
@@ -920,159 +913,15 @@ func TestUpdatePrefs(t *testing.T) {
 				}
 			},
 		},
-		{
-			name:  "enable_ssh",
-			flags: []string{"--ssh"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			name:  "disable_ssh",
-			flags: []string{"--ssh=false"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RunSSH:           true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to false")
-				}
-			},
-			env: upCheckEnv{backendState: "Running", upArgs: upArgsT{
-				runSSH: true,
-			}},
-		},
-		{
-			name:             "disable_ssh_over_ssh_no_risk",
-			flags:            []string{"--ssh=false"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				RunSSH:           true,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "enable_ssh_over_ssh_no_risk",
-			flags:            []string{"--ssh=true"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "enable_ssh_over_ssh",
-			flags:            []string{"--ssh=true", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			name:             "disable_ssh_over_ssh",
-			flags:            []string{"--ssh=false", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RunSSH:           true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to false")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.sshOverTailscale {
-				old := getSSHClientEnvVar
-				getSSHClientEnvVar = func() string { return "100.100.100.100 1 1" }
-				t.Cleanup(func() { getSSHClientEnvVar = old })
-			}
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"
 			}
 			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs)
 			flags := CleanUpArgs(tt.flags)
-			if err := tt.env.flagSet.Parse(flags); err != nil {
-				t.Fatal(err)
-			}
+			tt.env.flagSet.Parse(flags)

 			newPrefs, err := prefsFromUpArgs(tt.env.upArgs, t.Logf, new(ipnstate.Status), tt.env.goos)
 			if err != nil {
@@ -1087,8 +936,6 @@ func TestUpdatePrefs(t *testing.T) {
 					return
 				}
 				t.Fatal(err)
-			} else if tt.wantErrSubtr != "" {
-				t.Fatalf("want error %q, got nil", tt.wantErrSubtr)
 			}
 			if tt.checkUpdatePrefsMutations != nil {
 				tt.checkUpdatePrefsMutations(t, newPrefs)
@@ -1102,19 +949,14 @@ func TestUpdatePrefs(t *testing.T) {
 				justEditMP.Prefs = ipn.Prefs{} // uninteresting
 			}
 			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", asJSON(oldEditPrefs))
+				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was %+v", oldEditPrefs)
 				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
 			}
 		})
 	}
 }

-func asJSON(v any) string {
-	b, _ := json.MarshalIndent(v, "", "\t")
-	return string(b)
-}
-
-var cmpIP = cmp.Comparer(func(a, b netip.Addr) bool {
+var cmpIP = cmp.Comparer(func(a, b netaddr.IP) bool {
 	return a == b
 })

--- a/cmd/tailscale/cli/configure-host.go
+++ b/cmd/tailscale/cli/configure-host.go
@@ -62,14 +62,11 @@ func runConfigureHost(ctx context.Context, args []string) error {
 			return fmt.Errorf("creating /dev/net/tun: %v, %s", err, out)
 		}
 	}
-	if err := os.Chmod("/dev/net", 0755); err != nil {
-		return err
-	}
 	if err := os.Chmod("/dev/net/tun", 0666); err != nil {
 		return err
 	}
 	if isDSM6 {
-		printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
+		fmt.Printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
 		return nil
 	}

@@ -83,6 +80,6 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if out, err := exec.Command("/bin/setcap", "cap_net_admin,cap_net_raw+eip", daemonBin).CombinedOutput(); err != nil {
 		return fmt.Errorf("setcap: %v, %s", err, out)
 	}
-	printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
+	fmt.Printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
 	return nil
 }
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -17,7 +17,6 @@ import (
 	"log"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
 	"runtime"
 	"strconv"
@@ -25,6 +24,7 @@ import (
 	"time"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
@@ -308,18 +308,18 @@ func runStat(ctx context.Context, args []string) error {
 	for _, a := range args {
 		fi, err := os.Lstat(a)
 		if err != nil {
-			printf("%s: %v\n", a, err)
+			fmt.Printf("%s: %v\n", a, err)
 			continue
 		}
-		printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
+		fmt.Printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
 		if fi.IsDir() {
 			ents, _ := os.ReadDir(a)
 			for i, ent := range ents {
 				if i == 25 {
-					printf("  ...\n")
+					fmt.Printf("  ...\n")
 					break
 				}
-				printf("  - %s\n", ent.Name())
+				fmt.Printf("  - %s\n", ent.Name())
 			}
 		}
 	}
@@ -404,23 +404,23 @@ func runVia(ctx context.Context, args []string) error {
 	default:
 		return errors.New("expect either <site-id> <v4-cidr> or <v6-route>")
 	case 1:
-		ipp, err := netip.ParsePrefix(args[0])
+		ipp, err := netaddr.ParseIPPrefix(args[0])
 		if err != nil {
 			return err
 		}
-		if !ipp.Addr().Is6() {
+		if !ipp.IP().Is6() {
 			return errors.New("with one argument, expect an IPv6 CIDR")
 		}
-		if !tsaddr.TailscaleViaRange().Contains(ipp.Addr()) {
+		if !tsaddr.TailscaleViaRange().Contains(ipp.IP()) {
 			return errors.New("not a via route")
 		}
 		if ipp.Bits() < 96 {
 			return errors.New("short length, want /96 or more")
 		}
-		v4 := tsaddr.UnmapVia(ipp.Addr())
-		a := ipp.Addr().As16()
+		v4 := tsaddr.UnmapVia(ipp.IP())
+		a := ipp.IP().As16()
 		siteID := binary.BigEndian.Uint32(a[8:12])
-		printf("site %v (0x%x), %v\n", siteID, siteID, netip.PrefixFrom(v4, ipp.Bits()-96))
+		fmt.Printf("site %v (0x%x), %v\n", siteID, siteID, netaddr.IPPrefixFrom(v4, ipp.Bits()-96))
 	case 2:
 		siteID, err := strconv.ParseUint(args[0], 0, 32)
 		if err != nil {
@@ -429,7 +429,7 @@ func runVia(ctx context.Context, args []string) error {
 		if siteID > 0xff {
 			return fmt.Errorf("site-id values over 255 are currently reserved")
 		}
-		ipp, err := netip.ParsePrefix(args[1])
+		ipp, err := netaddr.ParseIPPrefix(args[1])
 		if err != nil {
 			return err
 		}
@@ -437,7 +437,7 @@ func runVia(ctx context.Context, args []string) error {
 		if err != nil {
 			return err
 		}
-		outln(via)
+		fmt.Println(via)
 	}
 	return nil
 }
@@ -489,15 +489,7 @@ func runTS2021(ctx context.Context, args []string) error {
 		return c, err
 	}

-	conn, err := (&controlhttp.Dialer{
-		Hostname:        ts2021Args.host,
-		HTTPPort:        "80",
-		HTTPSPort:       "443",
-		MachineKey:      machinePrivate,
-		ControlKey:      keys.PublicKey,
-		ProtocolVersion: uint16(ts2021Args.version),
-		Dialer:          dialFunc,
-	}).Dial(ctx)
+	conn, err := controlhttp.Dial(ctx, net.JoinHostPort(ts2021Args.host, "80"), machinePrivate, keys.PublicKey, uint16(ts2021Args.version), dialFunc)
 	log.Printf("controlhttp.Dial = %p, %v", conn, err)
 	if err != nil {
 		return err
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -22,13 +22,9 @@ var downCmd = &ffcli.Command{
 	FlagSet: newDownFlagSet(),
 }

-var downArgs struct {
-	acceptedRisks string
-}
-
 func newDownFlagSet() *flag.FlagSet {
 	downf := newFlagSet("down")
-	registerAcceptRiskFlag(downf, &downArgs.acceptedRisks)
+	registerAcceptRiskFlag(downf)
 	return downf
 }

@@ -38,7 +34,7 @@ func runDown(ctx context.Context, args []string) error {
 	}

 	if isSSHOverTailscale() {
-		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`, downArgs.acceptedRisks); err != nil {
+		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`); err != nil {
 			return err
 		}
 	}
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -14,7 +14,6 @@ import (
 	"log"
 	"mime"
 	"net/http"
-	"net/netip"
 	"os"
 	"path"
 	"path/filepath"
@@ -24,6 +23,7 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
+	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -85,7 +85,7 @@ func runCp(ctx context.Context, args []string) error {
 		hadBrackets = true
 		target = strings.TrimSuffix(strings.TrimPrefix(target, "["), "]")
 	}
-	if ip, err := netip.ParseAddr(target); err == nil && ip.Is6() && !hadBrackets {
+	if ip, err := netaddr.ParseIP(target); err == nil && ip.Is6() && !hadBrackets {
 		return fmt.Errorf("an IPv6 literal must be written as [%s]", ip)
 	} else if hadBrackets && (err != nil || !ip.Is6()) {
 		return errors.New("unexpected brackets around target")
@@ -168,7 +168,7 @@ func runCp(ctx context.Context, args []string) error {
 }

 func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNodeID, isOffline bool, err error) {
-	ip, err := netip.ParseAddr(ipStr)
+	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
 		return "", false, err
 	}
@@ -179,7 +179,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 	for _, ft := range fts {
 		n := ft.Node
 		for _, a := range n.Addresses {
-			if a.Addr() != ip {
+			if a.IP() != ip {
 				continue
 			}
 			isOffline = n.Online != nil && !*n.Online
@@ -191,7 +191,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode

 // fileTargetErrorDetail returns a non-nil error saying why ip is an
 // invalid file sharing target.
-func fileTargetErrorDetail(ctx context.Context, ip netip.Addr) error {
+func fileTargetErrorDetail(ctx context.Context, ip netaddr.IP) error {
 	found := false
 	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
 		for _, peer := range st.Peer {
@@ -281,7 +281,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 		if detail != "" {
 			detail = "\t" + detail
 		}
-		printf("%s\t%s%s\n", n.Addresses[0].Addr(), n.ComputedName, detail)
+		printf("%s\t%s%s\n", n.Addresses[0].IP(), n.ComputedName, detail)
 	}
 	return nil
 }
--- a/cmd/tailscale/cli/id-token.go
+++ b/cmd/tailscale/cli/id-token.go
@@ -7,6 +7,7 @@ package cli
 import (
 	"context"
 	"errors"
+	"fmt"

 	"github.com/peterbourgon/ff/v3/ffcli"
 )
@@ -28,6 +29,6 @@ func runIDToken(ctx context.Context, args []string) error {
 		return err
 	}

-	outln(tr.IDToken)
+	fmt.Println(tr.IDToken)
 	return nil
 }
--- a/cmd/tailscale/cli/ip.go
+++ b/cmd/tailscale/cli/ip.go
@@ -9,9 +9,9 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"net/netip"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
 )

@@ -100,7 +100,7 @@ func runIP(ctx context.Context, args []string) error {
 }

 func peerMatchingIP(st *ipnstate.Status, ipStr string) (ps *ipnstate.PeerStatus, ok bool) {
-	ip, err := netip.ParseAddr(ipStr)
+	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
 		return
 	}
--- a/cmd/tailscale/cli/licenses.go
+++ b/cmd/tailscale/cli/licenses.go
@@ -1,45 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"runtime"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-)
-
-var licensesCmd = &ffcli.Command{
-	Name:       "licenses",
-	ShortUsage: "licenses",
-	ShortHelp:  "Get open source license information",
-	LongHelp:   "Get open source license information",
-	Exec:       runLicenses,
-}
-
-// licensesURL returns the absolute URL containing open source license information for the current platform.
-func licensesURL() string {
-	switch runtime.GOOS {
-	case "android":
-		return "https://tailscale.com/licenses/android"
-	case "darwin", "ios":
-		return "https://tailscale.com/licenses/apple"
-	case "windows":
-		return "https://tailscale.com/licenses/windows"
-	default:
-		return "https://tailscale.com/licenses/tailscale"
-	}
-}
-
-func runLicenses(ctx context.Context, args []string) error {
-	licenses := licensesURL()
-	outln(`
-Tailscale wouldn't be possible without the contributions of thousands of open
-source developers. To see the open source packages included in Tailscale and
-their respective license information, visit:
-
-    ` + licenses)
-	return nil
-}
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -10,6 +10,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"sort"
@@ -201,7 +202,7 @@ func prodDERPMap(ctx context.Context, httpc *http.Client) (*tailcfg.DERPMap, err
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -1,101 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strconv"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/tka"
-	"tailscale.com/types/key"
-)
-
-var netlockCmd = &ffcli.Command{
-	Name:        "lock",
-	ShortUsage:  "lock <sub-command> <arguments>",
-	ShortHelp:   "Manipulate the tailnet key authority",
-	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
-	Exec:        runNetworkLockStatus,
-}
-
-var nlInitCmd = &ffcli.Command{
-	Name:       "init",
-	ShortUsage: "init <public-key>...",
-	ShortHelp:  "Initialize the tailnet key authority",
-	Exec:       runNetworkLockInit,
-}
-
-func runNetworkLockInit(ctx context.Context, args []string) error {
-	st, err := localClient.NetworkLockStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	if st.Enabled {
-		return errors.New("network-lock is already enabled")
-	}
-
-	// Parse the set of initially-trusted keys.
-	// Keys are specified using their key.NLPublic.MarshalText representation,
-	// with an optional '?<votes>' suffix.
-	var keys []tka.Key
-	for i, a := range args {
-		var key key.NLPublic
-		spl := strings.SplitN(a, "?", 2)
-		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
-			return fmt.Errorf("parsing key %d: %v", i+1, err)
-		}
-
-		k := tka.Key{
-			Kind:   tka.Key25519,
-			Public: key.Verifier(),
-			Votes:  1,
-		}
-		if len(spl) > 1 {
-			votes, err := strconv.Atoi(spl[1])
-			if err != nil {
-				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
-			}
-			k.Votes = uint(votes)
-		}
-		keys = append(keys, k)
-	}
-
-	status, err := localClient.NetworkLockInit(ctx, keys)
-	if err != nil {
-		return err
-	}
-
-	fmt.Printf("Status: %+v\n\n", status)
-	return nil
-}
-
-var nlStatusCmd = &ffcli.Command{
-	Name:       "status",
-	ShortUsage: "status",
-	ShortHelp:  "Outputs the state of network lock",
-	Exec:       runNetworkLockStatus,
-}
-
-func runNetworkLockStatus(ctx context.Context, args []string) error {
-	st, err := localClient.NetworkLockStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	if st.Enabled {
-		fmt.Println("Network-lock is ENABLED.")
-	} else {
-		fmt.Println("Network-lock is NOT enabled.")
-	}
-	p, err := st.PublicKey.MarshalText()
-	if err != nil {
-		return err
-	}
-	fmt.Printf("our public-key: %s\n", p)
-	return nil
-}
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -11,12 +11,12 @@ import (
 	"fmt"
 	"log"
 	"net"
-	"net/netip"
 	"os"
 	"strings"
 	"time"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 )
@@ -116,7 +116,7 @@ func runPing(ctx context.Context, args []string) error {
 	for {
 		n++
 		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.Ping(ctx, netip.MustParseAddr(ip), pingType())
+		pr, err := localClient.Ping(ctx, netaddr.MustParseIP(ip), pingType())
 		cancel()
 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) {
--- a/cmd/tailscale/cli/risks.go
+++ b/cmd/tailscale/cli/risks.go
@@ -16,8 +16,9 @@ import (
 )

 var (
-	riskTypes   []string
-	riskLoseSSH = registerRiskType("lose-ssh")
+	riskTypes     []string
+	acceptedRisks string
+	riskLoseSSH   = registerRiskType("lose-ssh")
 )

 func registerRiskType(riskType string) string {
@@ -27,13 +28,12 @@ func registerRiskType(riskType string) string {

 // registerAcceptRiskFlag registers the --accept-risk flag. Accepted risks are accounted for
 // in presentRiskToUser.
-func registerAcceptRiskFlag(f *flag.FlagSet, acceptedRisks *string) {
-	f.StringVar(acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
+func registerAcceptRiskFlag(f *flag.FlagSet) {
+	f.StringVar(&acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
 }

-// isRiskAccepted reports whether riskType is in the comma-separated list of
-// risks in acceptedRisks.
-func isRiskAccepted(riskType, acceptedRisks string) bool {
+// riskAccepted reports whether riskType is in acceptedRisks.
+func riskAccepted(riskType string) bool {
 	for _, r := range strings.Split(acceptedRisks, ",") {
 		if r == riskType {
 			return true
@@ -49,18 +49,14 @@ var errAborted = errors.New("aborted, no changes made")
 // It is used by the presentRiskToUser function below.
 const riskAbortTimeSeconds = 5

-// presentRiskToUser displays the risk message and waits for the user to cancel.
-// It returns errorAborted if the user aborts. In tests it returns errAborted
-// immediately unless the risk has been explicitly accepted.
-func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
-	if isRiskAccepted(riskType, acceptedRisks) {
+// presentRiskToUser displays the risk message and waits for the user to
+// cancel. It returns errorAborted if the user aborts.
+func presentRiskToUser(riskType, riskMessage string) error {
+	if riskAccepted(riskType) {
 		return nil
 	}
-	if inTest() {
-		return errAborted
-	}
-	outln(riskMessage)
-	printf("To skip this warning, use --accept-risk=%s\n", riskType)
+	fmt.Println(riskMessage)
+	fmt.Printf("To skip this warning, use --accept-risk=%s\n", riskType)

 	interrupt := make(chan os.Signal, 1)
 	signal.Notify(interrupt, syscall.SIGINT)
@@ -68,15 +64,15 @@ func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
 	for left := riskAbortTimeSeconds; left > 0; left-- {
 		msg := fmt.Sprintf("\rContinuing in %d seconds...", left)
 		msgLen = len(msg)
-		printf(msg)
+		fmt.Print(msg)
 		select {
 		case <-interrupt:
-			printf("\r%s\r", strings.Repeat("x", msgLen+1))
+			fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen+1))
 			return errAborted
 		case <-time.After(time.Second):
 			continue
 		}
 	}
-	printf("\r%s\r", strings.Repeat(" ", msgLen))
+	fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen))
 	return errAborted
 }
--- a/cmd/tailscale/cli/ssh.go
+++ b/cmd/tailscale/cli/ssh.go
@@ -10,7 +10,6 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"net/netip"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -18,6 +17,7 @@ import (
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -163,10 +163,10 @@ func nodeDNSNameFromArg(st *ipnstate.Status, arg string) (dnsName string, ok boo
 	if arg == "" {
 		return
 	}
-	argIP, _ := netip.ParseAddr(arg)
+	argIP, _ := netaddr.ParseIP(arg)
 	for _, ps := range st.Peer {
 		dnsName = ps.DNSName
-		if argIP.IsValid() {
+		if !argIP.IsZero() {
 			for _, ip := range ps.TailscaleIPs {
 				if ip == argIP {
 					return dnsName, true
@@ -202,7 +202,7 @@ func isSSHOverTailscale() bool {
 	if !ok {
 		return false
 	}
-	ip, err := netip.ParseAddr(ipStr)
+	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
 		return false
 	}
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -13,12 +13,12 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/toqueteos/webbrowser"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
@@ -260,7 +260,7 @@ func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	return u.LoginName
 }

-func firstIPString(v []netip.Addr) string {
+func firstIPString(v []netaddr.IP) string {
 	if len(v) == 0 {
 		return ""
 	}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -13,7 +13,6 @@ import (
 	"flag"
 	"fmt"
 	"log"
-	"net/netip"
 	"os"
 	"reflect"
 	"runtime"
@@ -25,6 +24,7 @@ import (
 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -116,7 +116,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 		upf.BoolVar(&upArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
 	}
 	upf.DurationVar(&upArgs.timeout, "timeout", 0, "maximum amount of time to wait for tailscaled to enter a Running state; default (0s) blocks forever")
-	registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
+	registerAcceptRiskFlag(upf)
 	return upf
 }

@@ -150,7 +150,6 @@ type upArgsT struct {
 	opUser                 string
 	json                   bool
 	timeout                time.Duration
-	acceptedRisks          string
 }

 func (a upArgsT) getAuthKey() (string, error) {
@@ -179,16 +178,15 @@ var upArgs upArgsT
 // JSON block will be output. The AuthURL and QR fields will not be present, the
 // BackendState and Error fields will give the result of the authentication.
 // Ex:
+// {
+//    "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
+//    "QR": "data:image/png;base64,0123...cdef"
+//    "BackendState": "NeedsLogin"
+// }
+// {
+//    "BackendState": "Running"
+// }
 //
-//	{
-//	   "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
-//	   "QR": "data:image/png;base64,0123...cdef"
-//	   "BackendState": "NeedsLogin"
-//	}
-//
-//	{
-//	   "BackendState": "Running"
-//	}
 type upOutputJSON struct {
 	AuthURL      string `json:",omitempty"` // Authentication URL of the form https://login.tailscale.com/a/0123456789
 	QR           string `json:",omitempty"` // a DataURL (base64) PNG of a QR code AuthURL
@@ -201,18 +199,18 @@ func warnf(format string, args ...any) {
 }

 var (
-	ipv4default = netip.MustParsePrefix("0.0.0.0/0")
-	ipv6default = netip.MustParsePrefix("::/0")
+	ipv4default = netaddr.MustParseIPPrefix("0.0.0.0/0")
+	ipv6default = netaddr.MustParseIPPrefix("::/0")
 )

-func validateViaPrefix(ipp netip.Prefix) error {
+func validateViaPrefix(ipp netaddr.IPPrefix) error {
 	if !tsaddr.IsViaPrefix(ipp) {
 		return fmt.Errorf("%v is not a 4-in-6 prefix", ipp)
 	}
 	if ipp.Bits() < (128 - 32) {
 		return fmt.Errorf("%v 4-in-6 prefix must be at least a /%v", ipp, 128-32)
 	}
-	a := ipp.Addr().As16()
+	a := ipp.IP().As16()
 	// The first 64 bits of a are the via prefix.
 	// The next 32 bits are the "site ID".
 	// The last 32 bits are the IPv4.
@@ -225,13 +223,13 @@ func validateViaPrefix(ipp netip.Prefix) error {
 	return nil
 }

-func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netip.Prefix, error) {
-	routeMap := map[netip.Prefix]bool{}
+func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netaddr.IPPrefix, error) {
+	routeMap := map[netaddr.IPPrefix]bool{}
 	if advertiseRoutes != "" {
 		var default4, default6 bool
 		advroutes := strings.Split(advertiseRoutes, ",")
 		for _, s := range advroutes {
-			ipp, err := netip.ParsePrefix(s)
+			ipp, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
 				return nil, fmt.Errorf("%q is not a valid IP address or CIDR prefix", s)
 			}
@@ -253,14 +251,14 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		if default4 && !default6 {
 			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
 		} else if default6 && !default4 {
-			return nil, fmt.Errorf("%s advertised without its IPv4 counterpart, please also advertise %s", ipv6default, ipv4default)
+			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv6default, ipv4default)
 		}
 	}
 	if advertiseDefaultRoute {
-		routeMap[netip.MustParsePrefix("0.0.0.0/0")] = true
-		routeMap[netip.MustParsePrefix("::/0")] = true
+		routeMap[netaddr.MustParseIPPrefix("0.0.0.0/0")] = true
+		routeMap[netaddr.MustParseIPPrefix("::/0")] = true
 	}
-	routes := make([]netip.Prefix, 0, len(routeMap))
+	routes := make([]netaddr.IPPrefix, 0, len(routeMap))
 	for r := range routeMap {
 		routes = append(routes, r)
 	}
@@ -268,7 +266,7 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		if routes[i].Bits() != routes[j].Bits() {
 			return routes[i].Bits() < routes[j].Bits()
 		}
-		return routes[i].Addr().Less(routes[j].Addr())
+		return routes[i].IP().Less(routes[j].IP())
 	})
 	return routes, nil
 }
@@ -377,21 +375,6 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 		return false, nil, fmt.Errorf("can't change --login-server without --force-reauth")
 	}

-	// Do this after validations to avoid the 5s delay if we're going to error
-	// out anyway.
-	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
-	fmt.Println("wantSSH", wantSSH, "haveSSH", haveSSH)
-	if wantSSH != haveSSH && isSSHOverTailscale() {
-		if wantSSH {
-			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		} else {
-			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		}
-		if err != nil {
-			return false, nil, err
-		}
-	}
-
 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)

 	simpleUp = env.flagSet.NFlag() == 0 &&
@@ -422,12 +405,8 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 }

 func runUp(ctx context.Context, args []string) (retErr error) {
-	var egg bool
 	if len(args) > 0 {
-		egg = fmt.Sprint(args) == "[up down down left right left right b a]"
-		if !egg {
-			fatalf("too many non-flag arguments: %q", args)
-		}
+		fatalf("too many non-flag arguments: %q", args)
 	}

 	st, err := localClient.Status(ctx)
@@ -491,6 +470,17 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		curExitNodeIP: exitNodeIP(curPrefs, st),
 	}

+	if upArgs.runSSH != curPrefs.RunSSH && isSSHOverTailscale() {
+		if upArgs.runSSH {
+			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`)
+		} else {
+			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`)
+		}
+		if err != nil {
+			return err
+		}
+	}
+
 	defer func() {
 		if retErr == nil {
 			checkSSHUpWarnings(ctx)
@@ -502,7 +492,6 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		justEditMP.EggSet = true
 		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}
@@ -581,9 +570,9 @@ func runUp(ctx context.Context, args []string) (retErr error) {

 				data, err := json.MarshalIndent(js, "", "\t")
 				if err != nil {
-					printf("upOutputJSON marshalling error: %v", err)
+					log.Printf("upOutputJSON marshalling error: %v", err)
 				} else {
-					outln(string(data))
+					fmt.Println(string(data))
 				}
 			} else {
 				fmt.Fprintf(Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
@@ -721,7 +710,7 @@ func printUpDoneJSON(state ipn.State, errorString string) {
 	if err != nil {
 		log.Printf("printUpDoneJSON marshalling error: %v", err)
 	} else {
-		outln(string(data))
+		fmt.Println(string(data))
 	}
 }

@@ -801,7 +790,7 @@ type upCheckEnv struct {
 	flagSet       *flag.FlagSet
 	upArgs        upArgsT
 	backendState  string
-	curExitNodeIP netip.Addr
+	curExitNodeIP netaddr.IP
 	distro        distro.Distro
 }

@@ -924,10 +913,10 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]any) {
 	ret := make(map[string]any)

 	exitNodeIPStr := func() string {
-		if prefs.ExitNodeIP.IsValid() {
+		if !prefs.ExitNodeIP.IsZero() {
 			return prefs.ExitNodeIP.String()
 		}
-		if prefs.ExitNodeID.IsZero() || !env.curExitNodeIP.IsValid() {
+		if prefs.ExitNodeID.IsZero() || env.curExitNodeIP.IsZero() {
 			return ""
 		}
 		return env.curExitNodeIP.String()
@@ -1002,13 +991,13 @@ func fmtFlagValueArg(flagName string, val any) string {
 	return fmt.Sprintf("--%s=%v", flagName, shellquote.Join(fmt.Sprint(val)))
 }

-func hasExitNodeRoutes(rr []netip.Prefix) bool {
+func hasExitNodeRoutes(rr []netaddr.IPPrefix) bool {
 	var v4, v6 bool
 	for _, r := range rr {
 		if r.Bits() == 0 {
-			if r.Addr().Is4() {
+			if r.IP().Is4() {
 				v4 = true
-			} else if r.Addr().Is6() {
+			} else if r.IP().Is6() {
 				v6 = true
 			}
 		}
@@ -1019,11 +1008,11 @@ func hasExitNodeRoutes(rr []netip.Prefix) bool {
 // withoutExitNodes returns rr unchanged if it has only 1 or 0 /0
 // routes. If it has both IPv4 and IPv6 /0 routes, then it returns
 // a copy with all /0 routes removed.
-func withoutExitNodes(rr []netip.Prefix) []netip.Prefix {
+func withoutExitNodes(rr []netaddr.IPPrefix) []netaddr.IPPrefix {
 	if !hasExitNodeRoutes(rr) {
 		return rr
 	}
-	var out []netip.Prefix
+	var out []netaddr.IPPrefix
 	for _, r := range rr {
 		if r.Bits() > 0 {
 			out = append(out, r)
@@ -1034,11 +1023,11 @@ func withoutExitNodes(rr []netip.Prefix) []netip.Prefix {

 // exitNodeIP returns the exit node IP from p, using st to map
 // it from its ID form to an IP address if needed.
-func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netip.Addr) {
+func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netaddr.IP) {
 	if p == nil {
 		return
 	}
-	if p.ExitNodeIP.IsValid() {
+	if !p.ExitNodeIP.IsZero() {
 		return p.ExitNodeIP
 	}
 	id := p.ExitNodeID
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -15,11 +15,11 @@ import (
 	"fmt"
 	"html/template"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"net/http/cgi"
-	"net/netip"
 	"net/url"
 	"os"
 	"os/exec"
@@ -27,6 +27,7 @@ import (
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
@@ -58,7 +59,6 @@ type tmplData struct {
 	IP                string
 	AdvertiseExitNode bool
 	AdvertiseRoutes   string
-	LicensesURL       string
 }

 var webCmd = &ffcli.Command{
@@ -253,7 +253,7 @@ func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
 		return "", nil, err
 	}
 	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
+	out, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", nil, err
 	}
@@ -392,10 +392,9 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		Profile:      profile,
 		Status:       st.BackendState,
 		DeviceName:   deviceName,
-		LicensesURL:  licensesURL(),
 	}
-	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
-	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
+	exitNodeRouteV4 := netaddr.MustParseIPPrefix("0.0.0.0/0")
+	exitNodeRouteV6 := netaddr.MustParseIPPrefix("::/0")
 	for _, r := range prefs.AdvertiseRoutes {
 		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
 			data.AdvertiseExitNode = true
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -11,7 +11,7 @@
 </head>

 <body class="py-14">
-<main class="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
+<main class="container max-w-lg mx-auto py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
 	<header class="flex justify-between items-center min-width-0 py-2 mb-8">
 		<svg width="26" height="26" viewBox="0 0 23 23" title="Tailscale" fill="none" xmlns="http://www.w3.org/2000/svg"
 			class="flex-shrink-0 mr-4">
@@ -100,9 +100,6 @@
 	</div>
 	{{ end }}
 </main>
-<footer class="container max-w-lg mx-auto text-center">
-	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
-</footer>
 <script>(function () {
 const advertiseExitNode = {{.AdvertiseExitNode}};
 let fetchingUrl = false;
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -1,13 +1,9 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)

-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
@@ -30,10 +26,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
+     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/derp+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter
+        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
@@ -57,14 +54,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
-        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
@@ -72,9 +67,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
+        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
@@ -84,13 +78,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/key                                      from tailscale.com/derp+
        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
-        tailscale.com/types/nettype                                  from tailscale.com/net/netcheck+
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
        tailscale.com/types/views                                    from tailscale.com/tailcfg+
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
@@ -99,16 +91,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
-        tailscale.com/util/mak                                       from tailscale.com/net/netcheck
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/blake2s                                  from tailscale.com/control/controlbase+
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/blake2s                                  from tailscale.com/control/controlbase
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
@@ -118,15 +107,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http+
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
-        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.org/x/net/icmp+
-        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
@@ -169,7 +155,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        embed                                                        from tailscale.com/cmd/tailscale/cli+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
@@ -190,7 +175,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
        io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
+        io/fs                                                        from crypto/rand+
        io/ioutil                                                    from golang.org/x/sys/cpu+
        log                                                          from expvar+
        math                                                         from compress/flate+
@@ -205,7 +190,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        net/http/cgi                                                 from tailscale.com/cmd/tailscale/cli
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
        net/http/internal                                            from net/http
-        net/netip                                                    from net+
+        net/netip                                                    from net
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package main

@@ -15,16 +15,17 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
-	"net/netip"
 	"net/url"
 	"os"
 	"strings"
 	"time"

+	"inet.af/netaddr"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -172,7 +173,7 @@ func checkDerp(ctx context.Context, derpRegion string) error {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
@@ -265,11 +266,11 @@ func debugPortmap(ctx context.Context) error {
 		return err
 	}

-	gatewayAndSelfIP := func() (gw, self netip.Addr, ok bool) {
+	gatewayAndSelfIP := func() (gw, self netaddr.IP, ok bool) {
 		if v := os.Getenv("TS_DEBUG_GW_SELF"); strings.Contains(v, "/") {
 			i := strings.Index(v, "/")
-			gw = netip.MustParseAddr(v[:i])
-			self = netip.MustParseAddr(v[i+1:])
+			gw = netaddr.MustParseIP(v[:i])
+			self = netaddr.MustParseIP(v[i+1:])
 			return gw, self, true
 		}
 		return linkMon.GatewayAndSelfIP()
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -1,7 +1,5 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)

-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
@@ -64,13 +62,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
  LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
@@ -117,9 +113,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
+     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
-        go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
+        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
   W 💣 golang.zx2c4.com/wintun                                      from golang.zx2c4.com/wireguard/tun
     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
@@ -172,6 +168,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from tailscale.com/net/tstun+
        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
+        inet.af/netaddr                                              from tailscale.com/control/controlclient+
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
   W 💣 inet.af/wf                                                   from tailscale.com/wf
        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
@@ -212,14 +209,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
     💣 tailscale.com/metrics                                        from tailscale.com/derp+
        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
+        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver
        tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
        tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/control/controlclient+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
        tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns+
@@ -227,7 +223,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
        tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/packet                                     from tailscale.com/net/tstun+
-        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
        tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
        tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
@@ -242,10 +237,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
-        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
+        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
-        tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
@@ -258,13 +252,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/key                                      from tailscale.com/control/controlbase+
        tailscale.com/types/logger                                   from tailscale.com/control/controlclient+
        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
-        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock+
+        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/types/tkatype                                  from tailscale.com/tka+
        tailscale.com/types/views                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
@@ -273,15 +266,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
-     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
+        tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
-        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
     💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
@@ -290,18 +282,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
-     💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
  LD    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
@@ -316,8 +306,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -325,9 +313,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
        golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
-        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device+
+        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
@@ -375,7 +362,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        embed                                                        from tailscale.com+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
@@ -392,7 +378,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        hash/maphash                                                 from go4.org/mem
        html                                                         from tailscale.com/ipn/ipnlocal+
        io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
+        io/fs                                                        from crypto/rand+
        io/ioutil                                                    from github.com/godbus/dbus/v5+
        log                                                          from expvar+
  LD    log/syslog                                                   from tailscale.com/ssh/tailssh
@@ -405,7 +391,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
-        net/http/httptest                                            from tailscale.com/control/controlclient
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
--- a/cmd/tailscaled/install_darwin.go
+++ b/cmd/tailscaled/install_darwin.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package main

@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -141,7 +142,7 @@ func installSystemDaemonDarwin(args []string) (err error) {
 		return err
 	}

-	if err := os.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
+	if err := ioutil.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}

--- a/cmd/tailscaled/install_windows.go
+++ b/cmd/tailscaled/install_windows.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package main

--- a/cmd/tailscaled/proxy.go
+++ b/cmd/tailscaled/proxy.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 // HTTP proxy code

--- a/cmd/tailscaled/required_version.go
+++ b/cmd/tailscaled/required_version.go
@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !go1.19
-// +build !go1.19
+//go:build !go1.18
+// +build !go1.18

 package main

 func init() {
-	you_need_Go_1_19_to_compile_Tailscale()
+	you_need_Go_1_18_to_compile_Tailscale()
 }
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 // The tailscaled program is the Tailscale client daemon. It's configured
 // and controlled via the tailscale CLI program.
@@ -21,16 +21,15 @@ import (
 	"net"
 	"net/http"
 	"net/http/pprof"
-	"net/netip"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"

+	"inet.af/netaddr"
 	"tailscale.com/cmd/tailscaled/childproc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
@@ -98,20 +97,6 @@ func defaultTunName() string {
 	return "tailscale0"
 }

-// defaultPort returns the default UDP port to listen on for disco+wireguard.
-// By default it returns 0, to pick one randomly from the kernel.
-// If the environment variable PORT is set, that's used instead.
-// The PORT environment variable is chosen to match what the Linux systemd
-// unit uses, to make documentation more consistent.
-func defaultPort() uint16 {
-	if s := envknob.String("PORT"); s != "" {
-		if p, err := strconv.ParseUint(s, 10, 16); err == nil {
-			return uint16(p)
-		}
-	}
-	return 0
-}
-
 var args struct {
 	// tunname is a /dev/net/tun tunnel name ("tailscale0"), the
 	// string "userspace-networking", "tap:TAPNAME[:BRIDGENAME]"
@@ -128,7 +113,6 @@ var args struct {
 	verbose        int
 	socksAddr      string // listen address for SOCKS5 server
 	httpProxyAddr  string // listen address for HTTP proxy server
-	disableLogs    bool
 }

 var (
@@ -144,12 +128,7 @@ var subCommands = map[string]*func([]string) error{
 	"be-child":                &beChildFunc,
 }

-var beCLI func() // non-nil if CLI is linked in
-
 func main() {
-	envknob.PanicIfAnyEnvCheckedInInit()
-	envknob.ApplyDiskConfig()
-
 	printVersion := false
 	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
@@ -157,18 +136,12 @@ func main() {
 	flag.StringVar(&args.socksAddr, "socks5-server", "", `optional [ip]:port to run a SOCK5 server (e.g. "localhost:1080")`)
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
-	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
 	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
 	flag.BoolVar(&printVersion, "version", false, "print version information and exit")
-	flag.BoolVar(&args.disableLogs, "no-logs-no-support", false, "disable log uploads; this also disables any technical support")
-
-	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == "tailscale" && beCLI != nil {
-		beCLI()
-		return
-	}

 	if len(os.Args) > 1 {
 		sub := os.Args[1]
@@ -219,10 +192,6 @@ func main() {
 		args.statepath = paths.DefaultTailscaledStateFile()
 	}

-	if args.disableLogs {
-		envknob.SetNoLogsNoSupport()
-	}
-
 	if beWindowsSubprocess() {
 		return
 	}
@@ -326,10 +295,6 @@ func run() error {
 		pol.Shutdown(ctx)
 	}()

-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		log.Printf("Error reading environment config: %v", err)
-	}
-
 	if isWindowsService() {
 		// Run the IPN server from the Windows service manager.
 		log.Printf("Running service...")
@@ -398,14 +363,14 @@ func run() error {
 		return fmt.Errorf("newNetstack: %w", err)
 	}
 	ns.ProcessLocalIPs = useNetstack
-	ns.ProcessSubnets = useNetstack || shouldWrapNetstack()
+	ns.ProcessSubnets = useNetstack || wrapNetstack

 	if useNetstack {
-		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
+		dialer.UseNetstackForIP = func(ip netaddr.IP) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
 		}
-		dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
+		dialer.NetstackDialTCP = func(ctx context.Context, dst netaddr.IPPort) (net.Conn, error) {
 			return ns.DialContextTCP(ctx, dst)
 		}
 	}
@@ -499,6 +464,8 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer)
 	return nil, false, multierr.New(errs...)
 }

+var wrapNetstack = shouldWrapNetstack()
+
 func shouldWrapNetstack() bool {
 	if v, ok := envknob.LookupBool("TS_DEBUG_WRAP_NETSTACK"); ok {
 		return v
@@ -507,7 +474,7 @@ func shouldWrapNetstack() bool {
 		return true
 	}
 	switch runtime.GOOS {
-	case "windows", "darwin", "freebsd", "openbsd":
+	case "windows", "darwin", "freebsd":
 		// Enable on Windows and tailscaled-on-macOS (this doesn't
 		// affect the GUI clients), and on FreeBSD.
 		return true
@@ -569,7 +536,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 		}
 		conf.DNS = d
 		conf.Router = r
-		if shouldWrapNetstack() {
+		if wrapNetstack {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
 		}
 	}
--- a/cmd/tailscaled/tailscaled_bird.go
+++ b/cmd/tailscaled/tailscaled_bird.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19 && (linux || darwin || freebsd || openbsd)
-// +build go1.19
+//go:build go1.18 && (linux || darwin || freebsd || openbsd)
+// +build go1.18
 // +build linux darwin freebsd openbsd

 package main
--- a/cmd/tailscaled/tailscaled_notwindows.go
+++ b/cmd/tailscaled/tailscaled_notwindows.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows && go1.19
-// +build !windows,go1.19
+//go:build !windows && go1.18
+// +build !windows,go1.18

 package main // import "tailscale.com/cmd/tailscaled"

--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build go1.19
-// +build go1.19
+//go:build go1.18
+// +build go1.18

 package main // import "tailscale.com/cmd/tailscaled"

@@ -25,7 +25,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
-	"net/netip"
 	"os"
 	"time"

@@ -33,6 +32,7 @@ import (
 	"golang.org/x/sys/windows/svc"
 	"golang.org/x/sys/windows/svc/eventlog"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/ipn/store"
@@ -197,9 +197,6 @@ func beWindowsSubprocess() bool {

 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
 	log.Printf("subproc mode: logid=%v", logid)
-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		log.Printf("Error reading environment config: %v", err)
-	}

 	go func() {
 		b := make([]byte, 16)
@@ -248,7 +245,7 @@ func beFirewallKillswitch() bool {
 	// is passed in via stdin encoded in json.
 	dcd := json.NewDecoder(os.Stdin)
 	for {
-		var routes []netip.Prefix
+		var routes []netaddr.IPPrefix
 		if err := dcd.Decode(&routes); err != nil {
 			log.Fatalf("parent process died or requested exit, exiting (%v)", err)
 		}
@@ -277,7 +274,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			dev.Close()
 			return nil, nil, fmt.Errorf("router: %w", err)
 		}
-		if shouldWrapNetstack() {
+		if wrapNetstack {
 			r = netstack.NewSubnetRouterWrapper(r)
 		}
 		d, err := dns.NewOSConfigurator(logf, devName)
@@ -304,7 +301,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			return nil, nil, fmt.Errorf("newNetstack: %w", err)
 		}
 		ns.ProcessLocalIPs = false
-		ns.ProcessSubnets = shouldWrapNetstack()
+		ns.ProcessSubnets = wrapNetstack
 		if err := ns.Start(); err != nil {
 			return nil, nil, fmt.Errorf("failed to start netstack: %w", err)
 		}
--- a/cmd/tailscaled/with_cli.go
+++ b/cmd/tailscaled/with_cli.go
@@ -1,25 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build ts_include_cli
-// +build ts_include_cli
-
-package main
-
-import (
-	"fmt"
-	"os"
-
-	"tailscale.com/cmd/tailscale/cli"
-)
-
-func init() {
-	beCLI = func() {
-		args := os.Args[1:]
-		if err := cli.Run(args); err != nil {
-			fmt.Fprintln(os.Stderr, err)
-			os.Exit(1)
-		}
-	}
-}
--- a/cmd/tsconnect/.gitignore
+++ b/cmd/tsconnect/.gitignore
@@ -1,3 +1,4 @@
+src/wasm_exec.js
+src/main.wasm
 node_modules/
-/dist
-/pkg
+dist/
--- a/cmd/tsconnect/README.md
+++ b/cmd/tsconnect/README.md
@@ -1,49 +0,0 @@
-# tsconnect
-
-The tsconnect command builds and serves the static site that is generated for
-the Tailscale Connect JS/WASM client.
-
-## Development
-
-To start the development server:
-
-```
-./tool/go run ./cmd/tsconnect dev
-```
-
-The site is served at http://localhost:9090/. JavaScript and CSS changes can be picked up with a browser reload. Go changes (including to the `wasm` package) require the server to be stopped and restarted. In development mode the state the Tailscale client is stored in `sessionStorage` and will thus survive page reloads (but not the tab being closed).
-
-## Deployment
-
-To build the static assets necessary for serving, run:
-
-```
-./tool/go run ./cmd/tsconnect build
-```
-
-To serve them, run:
-
-```
-./tool/go run ./cmd/tsconnect serve
-```
-
-By default the build output is placed in the `dist/` directory and embedded in the binary, but this can be controlled by the `-distdir` flag. The `-addr` flag controls the interface and port that the serve listens on.
-
-# Library / NPM Package
-
-The client is also available as an NPM package. To build it, run:
-
-```
-./tool/go run ./cmd/tsconnect build-pkg
-```
-
-That places the output in the `pkg/` directory, which may then be uploaded to a package registry (or installed from the file path directly).
-
-To do two-sided development (on both the NPM package and code that uses it), run:
-
-```
-./tool/go run ./cmd/tsconnect dev-pkg
-
-```
-
-This serves the module at http://localhost:9090/pkg/pkg.js and the generated wasm file at http://localhost:9090/pkg/main.wasm. The two files can be used as drop-in replacements for normal imports of the NPM module.
--- a/cmd/tsconnect/build-pkg.go
+++ b/cmd/tsconnect/build-pkg.go
@@ -1,74 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"log"
-	"os"
-	"path"
-
-	"github.com/tailscale/hujson"
-	"tailscale.com/version"
-)
-
-func runBuildPkg() {
-	buildOptions, err := commonPkgSetup(prodMode)
-	if err != nil {
-		log.Fatalf("Cannot setup: %v", err)
-	}
-
-	log.Printf("Linting...\n")
-	if err := runYarn("lint"); err != nil {
-		log.Fatalf("Linting failed: %v", err)
-	}
-
-	if err := cleanDir(*pkgDir, "package.json"); err != nil {
-		log.Fatalf("Cannot clean %s: %v", *pkgDir, err)
-	}
-
-	buildOptions.Write = true
-	buildOptions.MinifyWhitespace = true
-	buildOptions.MinifyIdentifiers = true
-	buildOptions.MinifySyntax = true
-
-	runEsbuild(*buildOptions)
-
-	log.Printf("Generating types...\n")
-	if err := runYarn("pkg-types"); err != nil {
-		log.Fatalf("Type generation failed: %v", err)
-	}
-
-	if err := updateVersion(); err != nil {
-		log.Fatalf("Cannot update version: %v", err)
-	}
-
-	log.Printf("Built package version %s", version.Long)
-}
-
-func updateVersion() error {
-	packageJSONBytes, err := os.ReadFile("package.json.tmpl")
-	if err != nil {
-		return fmt.Errorf("Could not read package.json: %w", err)
-	}
-
-	var packageJSON map[string]any
-	packageJSONBytes, err = hujson.Standardize(packageJSONBytes)
-	if err != nil {
-		return fmt.Errorf("Could not standardize template package.json: %w", err)
-	}
-	if err := json.Unmarshal(packageJSONBytes, &packageJSON); err != nil {
-		return fmt.Errorf("Could not unmarshal package.json: %w", err)
-	}
-	packageJSON["version"] = version.Long
-
-	packageJSONBytes, err = json.MarshalIndent(packageJSON, "", "  ")
-	if err != nil {
-		return fmt.Errorf("Could not marshal package.json: %w", err)
-	}
-
-	return os.WriteFile(path.Join(*pkgDir, "package.json"), packageJSONBytes, 0644)
-}
--- a/cmd/tsconnect/build.go
+++ b/cmd/tsconnect/build.go
@@ -5,14 +5,21 @@
 package main

 import (
+	"bytes"
+	"compress/gzip"
 	"encoding/json"
 	"fmt"
+	"io"
+	"io/fs"
+	"io/ioutil"
 	"log"
 	"os"
 	"path"
 	"path/filepath"

-	"tailscale.com/util/precompress"
+	"github.com/andybalholm/brotli"
+	esbuild "github.com/evanw/esbuild/pkg/api"
+	"golang.org/x/sync/errgroup"
 )

 func runBuild() {
@@ -21,12 +28,7 @@ func runBuild() {
 		log.Fatalf("Cannot setup: %v", err)
 	}

-	log.Printf("Linting...\n")
-	if err := runYarn("lint"); err != nil {
-		log.Fatalf("Linting failed: %v", err)
-	}
-
-	if err := cleanDir(*distDir, "placeholder"); err != nil {
+	if err := cleanDist(); err != nil {
 		log.Fatalf("Cannot clean %s: %v", *distDir, err)
 	}

@@ -39,18 +41,32 @@ func runBuild() {
 	buildOptions.AssetNames = "[name]-[hash]"
 	buildOptions.Metafile = true

-	result := runEsbuild(*buildOptions)
+	log.Printf("Running esbuild...\n")
+	result := esbuild.Build(*buildOptions)
+	if len(result.Errors) > 0 {
+		log.Printf("ESBuild Error:\n")
+		for _, e := range result.Errors {
+			log.Printf("%v", e)
+		}
+		log.Fatal("Build failed")
+	}
+	if len(result.Warnings) > 0 {
+		log.Printf("ESBuild Warnings:\n")
+		for _, w := range result.Warnings {
+			log.Printf("%v", w)
+		}
+	}

 	// Preserve build metadata so we can extract hashed file names for serving.
 	metadataBytes, err := fixEsbuildMetadataPaths(result.Metafile)
 	if err != nil {
 		log.Fatalf("Cannot fix esbuild metadata paths: %v", err)
 	}
-	if err := os.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
+	if err := ioutil.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
 		log.Fatalf("Cannot write metadata: %v", err)
 	}

-	if er := precompressDist(*fastCompression); err != nil {
+	if er := precompressDist(); err != nil {
 		log.Fatalf("Cannot precompress resources: %v", er)
 	}
 }
@@ -82,6 +98,8 @@ func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	return json.Marshal(metadata)
 }

+// cleanDist removes files from the dist build directory, except the placeholder
+// one that we keep to make sure Git still creates the directory.
 func cleanDist() error {
 	log.Printf("Cleaning %s...\n", *distDir)
 	files, err := os.ReadDir(*distDir)
@@ -102,12 +120,71 @@ func cleanDist() error {
 	return nil
 }

-func precompressDist(fastCompression bool) error {
+func precompressDist() error {
 	log.Printf("Pre-compressing files in %s/...\n", *distDir)
-	return precompress.PrecompressDir(*distDir, precompress.Options{
-		FastCompression: fastCompression,
-		ProgressFn: func(path string) {
-			log.Printf("Pre-compressing %v\n", path)
-		},
+	var eg errgroup.Group
+	err := fs.WalkDir(os.DirFS(*distDir), ".", func(p string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if d.IsDir() {
+			return nil
+		}
+		if !compressibleExtensions[filepath.Ext(p)] {
+			return nil
+		}
+		p = path.Join(*distDir, p)
+		log.Printf("Pre-compressing %v\n", p)
+
+		eg.Go(func() error {
+			return precompress(p)
+		})
+		return nil
 	})
+	if err != nil {
+		return err
+	}
+	return eg.Wait()
+}
+
+var compressibleExtensions = map[string]bool{
+	".js":   true,
+	".css":  true,
+	".wasm": true,
+}
+
+func precompress(path string) error {
+	contents, err := os.ReadFile(path)
+	if err != nil {
+		return err
+	}
+	fi, err := os.Lstat(path)
+	if err != nil {
+		return err
+	}
+
+	err = writeCompressed(contents, func(w io.Writer) (io.WriteCloser, error) {
+		return gzip.NewWriterLevel(w, gzip.BestCompression)
+	}, path+".gz", fi.Mode())
+	if err != nil {
+		return err
+	}
+	return writeCompressed(contents, func(w io.Writer) (io.WriteCloser, error) {
+		return brotli.NewWriterLevel(w, brotli.BestCompression), nil
+	}, path+".br", fi.Mode())
+}
+
+func writeCompressed(contents []byte, compressedWriterCreator func(io.Writer) (io.WriteCloser, error), outputPath string, outputMode fs.FileMode) error {
+	var buf bytes.Buffer
+	compressedWriter, err := compressedWriterCreator(&buf)
+	if err != nil {
+		return err
+	}
+	if _, err := compressedWriter.Write(contents); err != nil {
+		return err
+	}
+	if err := compressedWriter.Close(); err != nil {
+		return err
+	}
+	return os.WriteFile(outputPath, buf.Bytes(), outputMode)
 }
--- a/cmd/tsconnect/common.go
+++ b/cmd/tsconnect/common.go
@@ -7,17 +7,14 @@ package main
 import (
 	"fmt"
 	"log"
-	"net"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strconv"
-	"time"

 	esbuild "github.com/evanw/esbuild/pkg/api"
-	"golang.org/x/exp/slices"
 )

 const (
@@ -34,198 +31,77 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 			return nil, fmt.Errorf("Cannot change cwd: %w", err)
 		}
 	}
-	if err := installJSDeps(); err != nil {
-		return nil, fmt.Errorf("Cannot install JS deps: %w", err)
+	if err := buildDeps(dev); err != nil {
+		return nil, fmt.Errorf("Cannot build deps: %w", err)
 	}

 	return &esbuild.BuildOptions{
-		EntryPoints: []string{"src/app/index.ts", "src/app/index.css"},
+		EntryPoints: []string{"src/index.js", "src/index.css"},
+		Loader:      map[string]esbuild.Loader{".wasm": esbuild.LoaderFile},
 		Outdir:      *distDir,
 		Bundle:      true,
 		Sourcemap:   esbuild.SourceMapLinked,
 		LogLevel:    esbuild.LogLevelInfo,
 		Define:      map[string]string{"DEBUG": strconv.FormatBool(dev)},
 		Target:      esbuild.ES2017,
-		Plugins: []esbuild.Plugin{
-			{
-				Name: "tailscale-tailwind",
-				Setup: func(build esbuild.PluginBuild) {
-					setupEsbuildTailwind(build, dev)
-				},
-			},
-			{
-				Name:  "tailscale-go-wasm-exec-js",
-				Setup: setupEsbuildWasmExecJS,
-			},
-			{
-				Name: "tailscale-wasm",
-				Setup: func(build esbuild.PluginBuild) {
-					setupEsbuildWasm(build, dev)
-				},
-			},
-		},
-		JSXMode: esbuild.JSXModeAutomatic,
 	}, nil
 }

-func commonPkgSetup(dev bool) (*esbuild.BuildOptions, error) {
-	buildOptions, err := commonSetup(dev)
-	if err != nil {
-		return nil, err
+// buildDeps builds the static assets that are needed for the server (except for
+// JS/CSS bundling, which is  handled by esbuild).
+func buildDeps(dev bool) error {
+	if err := copyWasmExec(); err != nil {
+		return fmt.Errorf("Cannot copy wasm_exec.js: %w", err)
 	}
-	buildOptions.EntryPoints = []string{"src/pkg/pkg.ts", "src/pkg/pkg.css"}
-	buildOptions.Outdir = *pkgDir
-	buildOptions.Format = esbuild.FormatESModule
-	buildOptions.AssetNames = "[name]"
-	return buildOptions, nil
-}
-
-// cleanDir removes files from dirPath, except the ones specified by
-// preserveFiles.
-func cleanDir(dirPath string, preserveFiles ...string) error {
-	log.Printf("Cleaning %s...\n", dirPath)
-	files, err := os.ReadDir(dirPath)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return os.MkdirAll(dirPath, 0755)
-		}
-		return err
+	if err := buildWasm(dev); err != nil {
+		return fmt.Errorf("Cannot build main.wasm: %w", err)
 	}
-
-	for _, file := range files {
-		if !slices.Contains(preserveFiles, file.Name()) {
-			if err := os.Remove(filepath.Join(dirPath, file.Name())); err != nil {
-				return err
-			}
-		}
+	if err := installJSDeps(); err != nil {
+		return fmt.Errorf("Cannot install JS deps: %w", err)
 	}
 	return nil
 }

-func runEsbuildServe(buildOptions esbuild.BuildOptions) {
-	host, portStr, err := net.SplitHostPort(*addr)
-	if err != nil {
-		log.Fatalf("Cannot parse addr: %v", err)
-	}
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		log.Fatalf("Cannot parse port: %v", err)
-	}
-	result, err := esbuild.Serve(esbuild.ServeOptions{
-		Port:     uint16(port),
-		Host:     host,
-		Servedir: "./",
-	}, buildOptions)
-	if err != nil {
-		log.Fatalf("Cannot start esbuild server: %v", err)
-	}
-	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
-	result.Wait()
-}
-
-func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
-	log.Printf("Running esbuild...\n")
-	result := esbuild.Build(buildOptions)
-	if len(result.Errors) > 0 {
-		log.Printf("ESBuild Error:\n")
-		for _, e := range result.Errors {
-			log.Printf("%v", e)
-		}
-		log.Fatal("Build failed")
-	}
-	if len(result.Warnings) > 0 {
-		log.Printf("ESBuild Warnings:\n")
-		for _, w := range result.Warnings {
-			log.Printf("%v", w)
-		}
-	}
-	return result
-}
-
-// setupEsbuildWasmExecJS generates an esbuild plugin that serves the current
-// wasm_exec.js runtime helper library from the Go toolchain.
-func setupEsbuildWasmExecJS(build esbuild.PluginBuild) {
+// copyWasmExec grabs the current wasm_exec.js runtime helper library from the
+// Go toolchain.
+func copyWasmExec() error {
+	log.Printf("Copying wasm_exec.js...\n")
 	wasmExecSrcPath := filepath.Join(runtime.GOROOT(), "misc", "wasm", "wasm_exec.js")
-	build.OnResolve(esbuild.OnResolveOptions{
-		Filter: "./wasm_exec$",
-	}, func(args esbuild.OnResolveArgs) (esbuild.OnResolveResult, error) {
-		return esbuild.OnResolveResult{Path: wasmExecSrcPath}, nil
-	})
-}
-
-// setupEsbuildWasm generates an esbuild plugin that builds the Tailscale wasm
-// binary and serves it as a file that the JS can load.
-func setupEsbuildWasm(build esbuild.PluginBuild, dev bool) {
-	// Add a resolve hook to convince esbuild that the path exists.
-	build.OnResolve(esbuild.OnResolveOptions{
-		Filter: "./main.wasm$",
-	}, func(args esbuild.OnResolveArgs) (esbuild.OnResolveResult, error) {
-		return esbuild.OnResolveResult{
-			Path:      "./src/main.wasm",
-			Namespace: "generated",
-		}, nil
-	})
-	build.OnLoad(esbuild.OnLoadOptions{
-		Filter: "./src/main.wasm$",
-	}, func(args esbuild.OnLoadArgs) (esbuild.OnLoadResult, error) {
-		contents, err := buildWasm(dev)
-		if err != nil {
-			return esbuild.OnLoadResult{}, fmt.Errorf("Cannot build main.wasm: %w", err)
-		}
-		contentsStr := string(contents)
-		return esbuild.OnLoadResult{
-			Contents: &contentsStr,
-			Loader:   esbuild.LoaderFile,
-		}, nil
-	})
-}
-
-func buildWasm(dev bool) ([]byte, error) {
-	start := time.Now()
-	outputFile, err := os.CreateTemp("", "main.*.wasm")
+	wasmExecDstPath := filepath.Join("src", "wasm_exec.js")
+	contents, err := os.ReadFile(wasmExecSrcPath)
 	if err != nil {
-		return nil, fmt.Errorf("Cannot create main.wasm output file: %w", err)
+		return err
 	}
-	outputPath := outputFile.Name()
-	defer os.Remove(outputPath)
+	return os.WriteFile(wasmExecDstPath, contents, 0600)
+}

+// buildWasm builds the Tailscale wasm binary and places it where the JS can
+// load it.
+func buildWasm(dev bool) error {
+	log.Printf("Building wasm...\n")
 	args := []string{"build", "-tags", "tailscale_go,osusergo,netgo,nethttpomithttp2,omitidna,omitpemdecrypt"}
 	if !dev {
-		if *devControl != "" {
-			return nil, fmt.Errorf("Development control URL can only be used in dev mode.")
-		}
 		// Omit long paths and debug symbols in release builds, to reduce the
 		// generated WASM binary size.
 		args = append(args, "-trimpath", "-ldflags", "-s -w")
-	} else if *devControl != "" {
-		args = append(args, "-ldflags", fmt.Sprintf("-X 'main.ControlURL=%v'", *devControl))
 	}
-
-	args = append(args, "-o", outputPath, "./wasm")
+	args = append(args, "-o", "src/main.wasm", "./wasm")
 	cmd := exec.Command(filepath.Join(runtime.GOROOT(), "bin", "go"), args...)
 	cmd.Env = append(os.Environ(), "GOOS=js", "GOARCH=wasm")
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
-	err = cmd.Run()
-	if err != nil {
-		return nil, fmt.Errorf("Cannot build main.wasm: %w", err)
-	}
-	log.Printf("Built wasm in %v\n", time.Since(start))
-	return os.ReadFile(outputPath)
+	return cmd.Run()
 }

 // installJSDeps installs the JavaScript dependencies specified by package.json
 func installJSDeps() error {
 	log.Printf("Installing JS deps...\n")
-	return runYarn()
-}
-
-func runYarn(args ...string) error {
-	cmd := exec.Command(*yarnPath, args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	return cmd.Run()
+	stdoutStderr, err := exec.Command("yarn").CombinedOutput()
+	if err != nil {
+		log.Printf("yarn failed: %s", stdoutStderr)
+	}
+	return err
 }

 // EsbuildMetadata is the subset of metadata struct (described by
@@ -233,36 +109,6 @@ func runYarn(args ...string) error {
 // from entry points to hashed file names.
 type EsbuildMetadata struct {
 	Outputs map[string]struct {
-		Inputs map[string]struct {
-			BytesInOutput int64 `json:"bytesInOutput"`
-		} `json:"inputs,omitempty"`
 		EntryPoint string `json:"entryPoint,omitempty"`
 	} `json:"outputs,omitempty"`
 }
-
-func setupEsbuildTailwind(build esbuild.PluginBuild, dev bool) {
-	build.OnLoad(esbuild.OnLoadOptions{
-		Filter: "./src/.*\\.css$",
-	}, func(args esbuild.OnLoadArgs) (esbuild.OnLoadResult, error) {
-		start := time.Now()
-		yarnArgs := []string{"--silent", "tailwind", "-i", args.Path}
-		if !dev {
-			yarnArgs = append(yarnArgs, "--minify")
-		}
-		cmd := exec.Command(*yarnPath, yarnArgs...)
-		tailwindOutput, err := cmd.Output()
-		log.Printf("Ran tailwind in %v\n", time.Since(start))
-		if err != nil {
-			if exitErr, ok := err.(*exec.ExitError); ok {
-				log.Printf("Tailwind stderr: %s", exitErr.Stderr)
-			}
-			return esbuild.OnLoadResult{}, fmt.Errorf("Cannot run tailwind: %w", err)
-		}
-		tailwindOutputStr := string(tailwindOutput)
-		return esbuild.OnLoadResult{
-			Contents: &tailwindOutputStr,
-			Loader:   esbuild.LoaderCSS,
-		}, nil
-
-	})
-}
--- a/cmd/tsconnect/dev-pkg.go
+++ b/cmd/tsconnect/dev-pkg.go
@@ -1,17 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"log"
-)
-
-func runDevPkg() {
-	buildOptions, err := commonPkgSetup(devMode)
-	if err != nil {
-		log.Fatalf("Cannot setup: %v", err)
-	}
-	runEsbuildServe(*buildOptions)
-}
--- a/cmd/tsconnect/dev.go
+++ b/cmd/tsconnect/dev.go
@@ -6,6 +6,10 @@ package main

 import (
 	"log"
+	"net"
+	"strconv"
+
+	esbuild "github.com/evanw/esbuild/pkg/api"
 )

 func runDev() {
@@ -13,5 +17,22 @@ func runDev() {
 	if err != nil {
 		log.Fatalf("Cannot setup: %v", err)
 	}
-	runEsbuildServe(*buildOptions)
+	host, portStr, err := net.SplitHostPort(*addr)
+	if err != nil {
+		log.Fatalf("Cannot parse addr: %v", err)
+	}
+	port, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		log.Fatalf("Cannot parse port: %v", err)
+	}
+	result, err := esbuild.Serve(esbuild.ServeOptions{
+		Port:     uint16(port),
+		Host:     host,
+		Servedir: "./",
+	}, *buildOptions)
+	if err != nil {
+		log.Fatalf("Cannot start esbuild server: %v", err)
+	}
+	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
+	result.Wait()
 }
--- a/cmd/tsconnect/index.html
+++ b/cmd/tsconnect/index.html
@@ -3,18 +3,14 @@
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Tailscale Connect</title>
    <link rel="stylesheet" type="text/css" href="dist/index.css" />
-    <script src="dist/index.js" defer></script>
  </head>
-  <body class="flex flex-col h-screen overflow-hidden">
-    <!-- Placeholder so that we don't have an empty page while the JS loads.
-      It should match the markup generated by Header component. -->
-    <div class="bg-gray-100 border-b border-gray-200 pt-4 pb-2">
-      <header class="container mx-auto px-4 flex flex-row items-center">
-        <h1 class="text-3xl font-bold grow">Tailscale Connect</h1>
-        <div class="text-gray-600">Loading…</div>
-      </header>
+  <body>
+    <div id="header">
+      <h1>Tailscale Connect</h1>
+      <div id="state">Loading…</div>
    </div>
+    <div id="peers"></div>
+    <script src="dist/index.js"></script>
  </body>
 </html>
--- a/cmd/tsconnect/package.json
+++ b/cmd/tsconnect/package.json
@@ -1,22 +1,9 @@
 {
-  "name": "tsconnect",
+  "name": "@tailscale/ssh",
  "version": "0.0.1",
-  "license": "BSD-3-Clause",
  "devDependencies": {
-    "@types/golang-wasm-exec": "^1.15.0",
-    "@types/qrcode": "^1.4.2",
-    "dts-bundle-generator": "^6.12.0",
-    "preact": "^10.10.0",
    "qrcode": "^1.5.0",
-    "tailwindcss": "^3.1.6",
-    "typescript": "^4.7.4",
-    "xterm": "5.0.0-beta.58",
-    "xterm-addon-fit": "^0.5.0",
-    "xterm-addon-web-links": "0.7.0-beta.6"
-  },
-  "scripts": {
-    "lint": "tsc --noEmit",
-    "pkg-types": "dts-bundle-generator --inline-declare-global=true --no-banner -o pkg/pkg.d.ts src/pkg/pkg.ts"
+    "xterm": "^4.18.0"
  },
  "prettier": {
    "semi": false,
--- a/cmd/tsconnect/package.json.tmpl
+++ b/cmd/tsconnect/package.json.tmpl
@@ -1,17 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Template for the package.json that is generated by the build-pkg command.
-// The version number will be replaced by the current Tailscale client version
-// number.
-{
-  "author": "Tailscale Inc.",
-  "description": "Tailscale Connect SDK",
-  "license": "BSD-3-Clause",
-  "name": "tailscale-connect",
-  "type": "module",
-  "main": "./pkg.js",
-  "types": "./pkg.d.ts",
-  "version": "AUTO_GENERATED"
-}
--- a/cmd/tsconnect/serve.go
+++ b/cmd/tsconnect/serve.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -18,7 +19,6 @@ import (
 	"time"

 	"tailscale.com/tsweb"
-	"tailscale.com/util/precompress"
 )

 //go:embed index.html
@@ -74,7 +74,7 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 		return nil, fmt.Errorf("Could not open esbuild-metadata.json: %w", err)
 	}
 	defer esbuildMetadataFile.Close()
-	esbuildMetadataBytes, err := io.ReadAll(esbuildMetadataFile)
+	esbuildMetadataBytes, err := ioutil.ReadAll(esbuildMetadataFile)
 	if err != nil {
 		return nil, fmt.Errorf("Could not read esbuild-metadata.json: %w", err)
 	}
@@ -83,19 +83,10 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 		return nil, fmt.Errorf("Could not parse esbuild-metadata.json: %w", err)
 	}
 	entryPointsToHashedDistPaths := make(map[string]string)
-	mainWasmPath := ""
 	for outputPath, output := range esbuildMetadata.Outputs {
 		if output.EntryPoint != "" {
 			entryPointsToHashedDistPaths[output.EntryPoint] = path.Join("dist", outputPath)
 		}
-		if path.Ext(outputPath) == ".wasm" {
-			for input := range output.Inputs {
-				if input == "src/main.wasm" {
-					mainWasmPath = path.Join("dist", outputPath)
-					break
-				}
-			}
-		}
 	}

 	indexBytes := rawIndexBytes
@@ -105,25 +96,39 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 			indexBytes = bytes.ReplaceAll(indexBytes, []byte(defaultDistPath), []byte(hashedDistPath))
 		}
 	}
-	if mainWasmPath != "" {
-		mainWasmPrefetch := fmt.Sprintf("</title>\n<link rel='preload' as='fetch' crossorigin='anonymous' href='%s'>", mainWasmPath)
-		indexBytes = bytes.ReplaceAll(indexBytes, []byte("</title>"), []byte(mainWasmPrefetch))
-	}

 	return indexBytes, nil
 }

 var entryPointsToDefaultDistPaths = map[string]string{
-	"src/app/index.css": "dist/index.css",
-	"src/app/index.ts":  "dist/index.js",
+	"src/index.css": "dist/index.css",
+	"src/index.js":  "dist/index.js",
 }

 func handleServeDist(w http.ResponseWriter, r *http.Request, distFS fs.FS) {
 	path := r.URL.Path
-	f, err := precompress.OpenPrecompressedFile(w, r, path, distFS)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusNotFound)
-		return
+	var f fs.File
+	// Prefer pre-compressed versions generated during the build step.
+	if tsweb.AcceptsEncoding(r, "br") {
+		if brotliFile, err := distFS.Open(path + ".br"); err == nil {
+			f = brotliFile
+			w.Header().Set("Content-Encoding", "br")
+		}
+	}
+	if f == nil && tsweb.AcceptsEncoding(r, "gzip") {
+		if gzipFile, err := distFS.Open(path + ".gz"); err == nil {
+			f = gzipFile
+			w.Header().Set("Content-Encoding", "gzip")
+		}
+	}
+
+	if f == nil {
+		if rawFile, err := distFS.Open(path); err == nil {
+			f = rawFile
+		} else {
+			http.Error(w, err.Error(), http.StatusNotFound)
+			return
+		}
 	}
 	defer f.Close()

--- a/cmd/tsconnect/src/app/app.tsx
+++ b/cmd/tsconnect/src/app/app.tsx
@@ -1,129 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import { render, Component } from "preact"
-import { URLDisplay } from "./url-display"
-import { Header } from "./header"
-import { GoPanicDisplay } from "./go-panic-display"
-import { SSH } from "./ssh"
-
-type AppState = {
-  ipn?: IPN
-  ipnState: IPNState
-  netMap?: IPNNetMap
-  browseToURL?: string
-  goPanicError?: string
-}
-
-class App extends Component<{}, AppState> {
-  state: AppState = { ipnState: "NoState" }
-  #goPanicTimeout?: number
-
-  render() {
-    const { ipn, ipnState, goPanicError, netMap, browseToURL } = this.state
-
-    let goPanicDisplay
-    if (goPanicError) {
-      goPanicDisplay = (
-        <GoPanicDisplay error={goPanicError} dismiss={this.clearGoPanic} />
-      )
-    }
-
-    let urlDisplay
-    if (browseToURL) {
-      urlDisplay = <URLDisplay url={browseToURL} />
-    }
-
-    let machineAuthInstructions
-    if (ipnState === "NeedsMachineAuth") {
-      machineAuthInstructions = (
-        <div class="container mx-auto px-4 text-center">
-          An administrator needs to authorize this device.
-        </div>
-      )
-    }
-
-    let ssh
-    if (ipn && ipnState === "Running" && netMap) {
-      ssh = <SSH netMap={netMap} ipn={ipn} />
-    }
-
-    return (
-      <>
-        <Header state={ipnState} ipn={ipn} />
-        {goPanicDisplay}
-        <div class="flex-grow flex flex-col justify-center overflow-hidden">
-          {urlDisplay}
-          {machineAuthInstructions}
-          {ssh}
-        </div>
-      </>
-    )
-  }
-
-  runWithIPN(ipn: IPN) {
-    this.setState({ ipn }, () => {
-      ipn.run({
-        notifyState: this.handleIPNState,
-        notifyNetMap: this.handleNetMap,
-        notifyBrowseToURL: this.handleBrowseToURL,
-        notifyPanicRecover: this.handleGoPanic,
-      })
-    })
-  }
-
-  handleIPNState = (state: IPNState) => {
-    const { ipn } = this.state
-    this.setState({ ipnState: state })
-    if (state === "NeedsLogin") {
-      ipn?.login()
-    } else if (["Running", "NeedsMachineAuth"].includes(state)) {
-      this.setState({ browseToURL: undefined })
-    }
-  }
-
-  handleNetMap = (netMapStr: string) => {
-    const netMap = JSON.parse(netMapStr) as IPNNetMap
-    if (DEBUG) {
-      console.log("Received net map: " + JSON.stringify(netMap, null, 2))
-    }
-    this.setState({ netMap })
-  }
-
-  handleBrowseToURL = (url: string) => {
-    if (this.state.ipnState === "Running") {
-      // Ignore URL requests if we're already running -- it's most likely an
-      // SSH check mode trigger and we already linkify the displayed URL
-      // in the terminal.
-      return
-    }
-    this.setState({ browseToURL: url })
-  }
-
-  handleGoPanic = (error: string) => {
-    if (DEBUG) {
-      console.error("Go panic", error)
-    }
-    this.setState({ goPanicError: error })
-    if (this.#goPanicTimeout) {
-      window.clearTimeout(this.#goPanicTimeout)
-    }
-    this.#goPanicTimeout = window.setTimeout(this.clearGoPanic, 10000)
-  }
-
-  clearGoPanic = () => {
-    window.clearTimeout(this.#goPanicTimeout)
-    this.#goPanicTimeout = undefined
-    this.setState({ goPanicError: undefined })
-  }
-}
-
-export function renderApp(): Promise<App> {
-  return new Promise((resolve) => {
-    render(
-      <App ref={(app) => (app ? resolve(app) : undefined)} />,
-      document.body
-    )
-  })
-}
--- a/cmd/tsconnect/src/app/go-panic-display.tsx
+++ b/cmd/tsconnect/src/app/go-panic-display.tsx
@@ -1,21 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-export function GoPanicDisplay({
-  error,
-  dismiss,
-}: {
-  error: string
-  dismiss: () => void
-}) {
-  return (
-    <div
-      class="rounded bg-red-500 p-2 absolute top-2 right-2 text-white font-bold text-right cursor-pointer"
-      onClick={dismiss}
-    >
-      Tailscale has encountered an error.
-      <div class="text-sm font-normal">Click to reload</div>
-    </div>
-  )
-}
--- a/cmd/tsconnect/src/app/header.tsx
+++ b/cmd/tsconnect/src/app/header.tsx
@@ -1,38 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-export function Header({ state, ipn }: { state: IPNState; ipn?: IPN }) {
-  const stateText = STATE_LABELS[state]
-
-  let logoutButton
-  if (state === "Running") {
-    logoutButton = (
-      <button
-        class="button bg-gray-500 border-gray-500 text-white hover:bg-gray-600 hover:border-gray-600 ml-2 font-bold"
-        onClick={() => ipn?.logout()}
-      >
-        Logout
-      </button>
-    )
-  }
-  return (
-    <div class="bg-gray-100 border-b border-gray-200 pt-4 pb-2">
-      <header class="container mx-auto px-4 flex flex-row items-center">
-        <h1 class="text-3xl font-bold grow">Tailscale Connect</h1>
-        <div class="text-gray-600">{stateText}</div>
-        {logoutButton}
-      </header>
-    </div>
-  )
-}
-
-const STATE_LABELS = {
-  NoState: "Initializing…",
-  InUseOtherUser: "In-use by another user",
-  NeedsLogin: "Needs login",
-  NeedsMachineAuth: "Needs authorization",
-  Stopped: "Stopped",
-  Starting: "Starting…",
-  Running: "Running",
-} as const
--- a/cmd/tsconnect/src/app/index.css
+++ b/cmd/tsconnect/src/app/index.css
@@ -1,75 +0,0 @@
-/* Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved. */
-/* Use of this source code is governed by a BSD-style */
-/* license that can be found in the LICENSE file. */
-
-@import "xterm/css/xterm.css";
-
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
-
-.link {
-  @apply text-blue-600;
-}
-
-.link:hover {
-  @apply underline;
-}
-
-.button {
-  @apply font-medium py-1 px-2 rounded-md border border-transparent text-center cursor-pointer;
-  transition-property: background-color, border-color, color, box-shadow;
-  transition-duration: 120ms;
-  box-shadow: 0 1px 1px rgba(0, 0, 0, 0.04);
-  min-width: 80px;
-}
-.button:focus {
-  @apply outline-none ring;
-}
-.button:disabled {
-  @apply pointer-events-none select-none;
-}
-
-.input {
-  @apply appearance-none leading-tight rounded-md bg-white border border-gray-300 hover:border-gray-400 transition-colors px-3;
-  height: 2.375rem;
-}
-
-.input::placeholder {
-  @apply text-gray-400;
-}
-
-.input:disabled {
-  @apply border-gray-200;
-  @apply bg-gray-50;
-  @apply cursor-not-allowed;
-}
-
-.input:focus {
-  @apply outline-none ring border-transparent;
-}
-
-.select {
-  @apply appearance-none py-2 px-3 leading-tight rounded-md bg-white border border-gray-300;
-}
-
-.select-with-arrow {
-  @apply relative;
-}
-
-.select-with-arrow .select {
-  width: 100%;
-}
-
-.select-with-arrow::after {
-  @apply absolute;
-  content: "";
-  top: 50%;
-  right: 0.5rem;
-  transform: translate(-0.3em, -0.15em);
-  width: 0.6em;
-  height: 0.4em;
-  opacity: 0.6;
-  background-color: currentColor;
-  clip-path: polygon(100% 0%, 0 0%, 50% 100%);
-}
--- a/cmd/tsconnect/src/app/index.ts
+++ b/cmd/tsconnect/src/app/index.ts
@@ -1,37 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import "../wasm_exec"
-import wasmUrl from "./main.wasm"
-import { sessionStateStorage } from "../lib/js-state-store"
-import { renderApp } from "./app"
-
-async function main() {
-  const app = await renderApp()
-  const go = new Go()
-  const wasmInstance = await WebAssembly.instantiateStreaming(
-    fetch(`./dist/${wasmUrl}`),
-    go.importObject
-  )
-  // The Go process should never exit, if it does then it's an unhandled panic.
-  go.run(wasmInstance.instance).then(() =>
-    app.handleGoPanic("Unexpected shutdown")
-  )
-
-  const params = new URLSearchParams(window.location.search)
-  const authKey = params.get("authkey") ?? undefined
-
-  const ipn = newIPN({
-    // Persist IPN state in sessionStorage in development, so that we don't need
-    // to re-authorize every time we reload the page.
-    stateStorage: DEBUG ? sessionStateStorage : undefined,
-    // authKey allows for an auth key to be
-    // specified as a url param which automatically
-    // authorizes the client for use.
-    authKey: DEBUG ? authKey : undefined,
-  })
-  app.runWithIPN(ipn)
-}
-
-main()
--- a/cmd/tsconnect/src/app/ssh.tsx
+++ b/cmd/tsconnect/src/app/ssh.tsx
@@ -1,153 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import { useState, useCallback, useMemo, useEffect, useRef } from "preact/hooks"
-import { createPortal } from "preact/compat"
-import type { VNode } from "preact"
-import { runSSHSession, SSHSessionDef } from "../lib/ssh"
-
-export function SSH({ netMap, ipn }: { netMap: IPNNetMap; ipn: IPN }) {
-  const [sshSessionDef, setSSHSessionDef] = useState<SSHFormSessionDef | null>(
-    null
-  )
-  const clearSSHSessionDef = useCallback(() => setSSHSessionDef(null), [])
-  if (sshSessionDef) {
-    const sshSession = (
-      <SSHSession def={sshSessionDef} ipn={ipn} onDone={clearSSHSessionDef} />
-    )
-    if (sshSessionDef.newWindow) {
-      return <NewWindow close={clearSSHSessionDef}>{sshSession}</NewWindow>
-    }
-    return sshSession
-  }
-  const sshPeers = netMap.peers.filter(
-    (p) => p.tailscaleSSHEnabled && p.online !== false
-  )
-
-  if (sshPeers.length == 0) {
-    return <NoSSHPeers />
-  }
-
-  return <SSHForm sshPeers={sshPeers} onSubmit={setSSHSessionDef} />
-}
-
-type SSHFormSessionDef = SSHSessionDef & { newWindow?: boolean }
-
-function SSHSession({
-  def,
-  ipn,
-  onDone,
-}: {
-  def: SSHSessionDef
-  ipn: IPN
-  onDone: () => void
-}) {
-  const ref = useRef<HTMLDivElement>(null)
-  useEffect(() => {
-    if (ref.current) {
-      runSSHSession(ref.current, def, ipn, onDone)
-    }
-  }, [ref])
-
-  return <div class="flex-grow bg-black p-2 overflow-hidden" ref={ref} />
-}
-
-function NoSSHPeers() {
-  return (
-    <div class="container mx-auto px-4 text-center">
-      None of your machines have
-      <a href="https://tailscale.com/kb/1193/tailscale-ssh/" class="link">
-        Tailscale SSH
-      </a>
-      enabled. Give it a try!
-    </div>
-  )
-}
-
-function SSHForm({
-  sshPeers,
-  onSubmit,
-}: {
-  sshPeers: IPNNetMapPeerNode[]
-  onSubmit: (def: SSHFormSessionDef) => void
-}) {
-  sshPeers = sshPeers.slice().sort((a, b) => a.name.localeCompare(b.name))
-  const [username, setUsername] = useState("")
-  const [hostname, setHostname] = useState(sshPeers[0].name)
-  return (
-    <form
-      class="container mx-auto px-4 flex justify-center"
-      onSubmit={(e) => {
-        e.preventDefault()
-        onSubmit({ username, hostname })
-      }}
-    >
-      <input
-        type="text"
-        class="input username"
-        placeholder="Username"
-        onChange={(e) => setUsername(e.currentTarget.value)}
-      />
-      <div class="select-with-arrow mx-2">
-        <select
-          class="select"
-          onChange={(e) => setHostname(e.currentTarget.value)}
-        >
-          {sshPeers.map((p) => (
-            <option key={p.nodeKey}>{p.name.split(".")[0]}</option>
-          ))}
-        </select>
-      </div>
-      <input
-        type="submit"
-        class="button bg-green-500 border-green-500 text-white hover:bg-green-600 hover:border-green-600"
-        value="SSH"
-        onClick={(e) => {
-          if (e.altKey) {
-            e.preventDefault()
-            e.stopPropagation()
-            onSubmit({ username, hostname, newWindow: true })
-          }
-        }}
-      />
-    </form>
-  )
-}
-
-const NewWindow = ({
-  children,
-  close,
-}: {
-  children: VNode
-  close: () => void
-}) => {
-  const newWindow = useMemo(() => {
-    const newWindow = window.open(undefined, undefined, "width=600,height=400")
-    if (newWindow) {
-      const containerNode = newWindow.document.createElement("div")
-      containerNode.className = "h-screen flex flex-col overflow-hidden"
-      newWindow.document.body.appendChild(containerNode)
-
-      for (const linkNode of document.querySelectorAll(
-        "head link[rel=stylesheet]"
-      )) {
-        const newLink = document.createElement("link")
-        newLink.rel = "stylesheet"
-        newLink.href = (linkNode as HTMLLinkElement).href
-        newWindow.document.head.appendChild(newLink)
-      }
-    }
-    return newWindow
-  }, [])
-  if (!newWindow) {
-    console.error("Could not open window")
-    return null
-  }
-  newWindow.onbeforeunload = () => {
-    close()
-  }
-
-  useEffect(() => () => newWindow.close(), [])
-  return createPortal(children, newWindow.document.body.lastChild as Element)
-}
--- a/cmd/tsconnect/src/app/url-display.tsx
+++ b/cmd/tsconnect/src/app/url-display.tsx
@@ -1,32 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import { useState } from "preact/hooks"
-import * as qrcode from "qrcode"
-
-export function URLDisplay({ url }: { url: string }) {
-  const [dataURL, setDataURL] = useState("")
-  qrcode.toDataURL(url, { width: 512 }, (err, dataURL) => {
-    if (err) {
-      console.error("Error generating QR code", err)
-    } else {
-      setDataURL(dataURL)
-    }
-  })
-
-  return (
-    <div class="flex flex-col items-center justify-items-center">
-      <a href={url} class="link" target="_blank">
-        <img
-          src={dataURL}
-          class="mx-auto"
-          width="256"
-          height="256"
-          alt="QR Code of URL"
-        />
-        {url}
-      </a>
-    </div>
-  )
-}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .31.0
 .29.0