diff --git a/control/controlclient/direct.go b/control/controlclient/direct.go
index a8cd83f12..682a3e98f 100644
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -42,13 +42,13 @@ type Persist struct {
 func (p *Persist) Pretty() string {
 	var mk, ok, nk wgcfg.Key
 	if !p.PrivateMachineKey.IsZero() {
-		mk = *p.PrivateMachineKey.Public()
+		mk = p.PrivateMachineKey.Public()
 	}
 	if !p.OldPrivateNodeKey.IsZero() {
-		ok = *p.OldPrivateNodeKey.Public()
+		ok = p.OldPrivateNodeKey.Public()
 	}
 	if !p.PrivateNodeKey.IsZero() {
-		nk = *p.PrivateNodeKey.Public()
+		nk = p.PrivateNodeKey.Public()
 	}
 	return fmt.Sprintf("Persist{m=%v, o=%v, n=%v u=%#v}",
 		mk.ShortString(), ok.ShortString(), nk.ShortString(),
@@ -218,7 +218,7 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 		if err != nil {
 			log.Fatal(err)
 		}
-		persist.PrivateMachineKey = *mkey
+		persist.PrivateMachineKey = mkey
 	}
 
 	if expired {
@@ -253,13 +253,13 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 			c.logf("login keygen: %v", err)
 			return regen, url, err
 		}
-		tryingNewKey = *key
+		tryingNewKey = key
 	} else {
 		// Try refreshing the current key first
 		tryingNewKey = persist.PrivateNodeKey
 	}
 	if persist.OldPrivateNodeKey != (wgcfg.PrivateKey{}) {
-		oldNodeKey = *persist.OldPrivateNodeKey.Public()
+		oldNodeKey = persist.OldPrivateNodeKey.Public()
 	}
 
 	if tryingNewKey == (wgcfg.PrivateKey{}) {
@@ -272,7 +272,7 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	request := tailcfg.RegisterRequest{
 		Version:    1,
 		OldNodeKey: tailcfg.NodeKey(oldNodeKey),
-		NodeKey:    tailcfg.NodeKey(*tryingNewKey.Public()),
+		NodeKey:    tailcfg.NodeKey(tryingNewKey.Public()),
 		Hostinfo:   c.hostinfo,
 		Followup:   url,
 	}
@@ -412,7 +412,7 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	request := tailcfg.MapRequest{
 		Version:   4,
 		KeepAlive: c.keepAlive,
-		NodeKey:   tailcfg.NodeKey(*persist.PrivateNodeKey.Public()),
+		NodeKey:   tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
 		Endpoints: ep,
 		Stream:    allowStream,
 		Hostinfo:  hostinfo,
@@ -510,7 +510,7 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 		}
 
 		nm := &NetworkMap{
-			NodeKey:      tailcfg.NodeKey(*persist.PrivateNodeKey.Public()),
+			NodeKey:      tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
 			PrivateKey:   persist.PrivateNodeKey,
 			Expiry:       resp.Node.KeyExpiry,
 			Addresses:    resp.Node.Addresses,
@@ -652,5 +652,5 @@ func loadServerKey(ctx context.Context, httpc *http.Client, serverURL string) (w
 	if err != nil {
 		return wgcfg.Key{}, fmt.Errorf("fetch control key: %v", err)
 	}
-	return *key, nil
+	return key, nil
 }
diff --git a/go.mod b/go.mod
index 716262722..5d0453de2 100644
--- a/go.mod
+++ b/go.mod
@@ -11,8 +11,8 @@ require (
 	github.com/mdlayher/netlink v1.1.0
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/tailscale/hujson v0.0.0-20190930033718-5098e564d9b3
-	github.com/tailscale/wireguard-go v0.0.0-20200208214841-2981baf46731
-	golang.org/x/crypto v0.0.0-20200208060501-ecb85df21340
+	github.com/tailscale/wireguard-go v0.0.0-20200211020303-f39bc8eeee1b
+	golang.org/x/crypto v0.0.0-20200210222208-86ce3cb69678
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5
 	gortc.io/stun v1.22.1
diff --git a/go.sum b/go.sum
index 50c838299..56a83e9d5 100644
--- a/go.sum
+++ b/go.sum
@@ -33,12 +33,16 @@ github.com/tailscale/wireguard-go v0.0.0-20200208161837-3cd0a483944a h1:vIyObUBv
 github.com/tailscale/wireguard-go v0.0.0-20200208161837-3cd0a483944a/go.mod h1:JPm5cTfu1K+qDFRbiHy0sOlHUylYQbpl356sdYFD8V4=
 github.com/tailscale/wireguard-go v0.0.0-20200208214841-2981baf46731 h1:sNmny/5pHqHdm081Fx8rcNFnwt0zTGuee/0+Jz+tXCA=
 github.com/tailscale/wireguard-go v0.0.0-20200208214841-2981baf46731/go.mod h1:JPm5cTfu1K+qDFRbiHy0sOlHUylYQbpl356sdYFD8V4=
+github.com/tailscale/wireguard-go v0.0.0-20200211020303-f39bc8eeee1b h1:99LOgoPy0PcmT+yg1HiPJXk/aV/KWeGGh4WtSVB7noM=
+github.com/tailscale/wireguard-go v0.0.0-20200211020303-f39bc8eeee1b/go.mod h1:JPm5cTfu1K+qDFRbiHy0sOlHUylYQbpl356sdYFD8V4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200206161412-a0c6ece9d31a h1:aczoJ0HPNE92XKa7DrIzkNN6esOKO2TBwiiYoKcINhA=
 golang.org/x/crypto v0.0.0-20200206161412-a0c6ece9d31a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200208060501-ecb85df21340 h1:KOcEaR10tFr7gdJV2GCKw8Os5yED1u1aOqHjOAb6d2Y=
 golang.org/x/crypto v0.0.0-20200208060501-ecb85df21340/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200210222208-86ce3cb69678 h1:wCWoJcFExDgyYx2m2hpHgwz8W3+FPdfldvIgzqDIhyg=
+golang.org/x/crypto v0.0.0-20200210222208-86ce3cb69678/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
diff --git a/wgengine/magicsock/magicsock.go b/wgengine/magicsock/magicsock.go
index 661fc2427..d9d03a03d 100644
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -667,6 +667,26 @@ func (a *AddrSet) String() string {
 	return buf.String()
 }
 
+func (a *AddrSet) Addrs() []wgcfg.Endpoint {
+	var eps []wgcfg.Endpoint
+	for _, addr := range a.addrs {
+		eps = append(eps, wgcfg.Endpoint{
+			Host: addr.IP.String(),
+			Port: uint16(addr.Port),
+		})
+	}
+
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	if a.roamAddr != nil {
+		eps = append(eps, wgcfg.Endpoint{
+			Host: a.roamAddr.IP.String(),
+			Port: uint16(a.roamAddr.Port),
+		})
+	}
+	return eps
+}
+
 func (c *Conn) CreateEndpoint(key [32]byte, s string) (device.Endpoint, error) {
 	pk := wgcfg.Key(key)
 	log.Printf("magicsock: CreateEndpoint: key=%s: %s", pk.ShortString(), s)
@@ -723,6 +743,12 @@ func (e *singleEndpoint) DstToBytes() []byte {
 func (e *singleEndpoint) UpdateDst(dst *net.UDPAddr) error {
 	return fmt.Errorf("magicsock.singleEndpoint(%s).UpdateDst(%s): should never be called", (*net.UDPAddr)(e), dst)
 }
+func (e *singleEndpoint) Addrs() []wgcfg.Endpoint {
+	return []wgcfg.Endpoint{{
+		Host: e.IP.String(),
+		Port: uint16(e.Port),
+	}}
+}
 
 // RebindingUDPConn is a UDP socket that can be re-bound.
 // Unix has no notion of re-binding a socket, so we swap it out for a new one.
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index 3057d3f0a..2593bab3d 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -356,9 +356,9 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 				log.Fatalf("IpcGetOperation: invalid key %#v\n", v)
 			}
 			p = &PeerStatus{}
-			pp[*pk] = p
+			pp[pk] = p
 
-			key := tailcfg.NodeKey(*pk)
+			key := tailcfg.NodeKey(pk)
 			p.NodeKey = key
 		case "rx_bytes":
 			n, err = strconv.ParseInt(v, 10, 64)