Commit Graph

1952 Commits (124ff3b034135dab4289155ecdbc3a9885858853)

Author SHA1 Message Date
David Anderson 427bf2134f net/packet: rename from wgengine/packet.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson ebd96bf4a9 wgengine/router/dns: use OpenKeyWait to set DNS configuration.
Fixes tailscale/corp#839.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick 696e160cfc cmd/tailscale/cli: fix double tag: prefix in tailscale up
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 01ee638cca Change some os.IsNotExist to errors.Is(err, os.ErrNotExist) for non-os errors.
os.IsNotExist doesn't unwrap errors. errors.Is does.

The ioutil.ReadFile ones happened to be fine but I changed them so
we're consistent with the rule: if the error comes from os, you can
use os.IsNotExist, but from any other package, use errors.Is.
(errors.Is always would also work, but not worth updating all the code)

The motivation here was that we were logging about failure to migrate
legacy relay node prefs file on startup, even though the code tried
to avoid that.

See golang/go#41122
4 years ago
Brad Fitzpatrick 7e1a146e6c cmd/tailscaled: update depaware.txt 4 years ago
David Anderson 54e6c3a290 version: use OSS repo's version when building.
When building with redo, also include the git commit hash
from the proprietary repo, so that we have a precise commit
that identifies all build info (including Go toolchain version).

Add a top-level build script demonstrating to downstream distros
how to burn the right information into builds.

Adjust `tailscale version` to print commit hashes when available.

Fixes #841.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick cd07437ade cmd/tailscale/cli, tailcfg: allow tag without "tag:" prefix in 'tailscale up'
Fixes #861
4 years ago
Brad Fitzpatrick 7c8ca28c74 ipn: use cmd/cloner for Prefs.Clone
Also, make cmd/cloner's top-level "func Clone" generation opt-in.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 86c271caba types/logger: move RusagePrefixLog to logger package, disable by default
The RusagePrefixLog is rarely useful, hasn't been useful in a long
time, is rarely the measurement we need, and is pretty spammy (and
syscall-heavy). Disable it by default. We can enable it when we're
debugging memory.
4 years ago
Alex Brainman f2ce64f0c6 wgengine/router: unfork winipcfg-go package, use upstream
Use golang.zx2c4.com/wireguard/windows/tunnel/winipcfg
instead of github.com/tailscale/winipcfg-go package.

Updates #760

Signed-off-by: Alex Brainman <alex.brainman@gmail.com>
4 years ago
Brad Fitzpatrick 515866d7c6 ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.

This adds a new bool Pref, ForceDaemon, defined as:

// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.

Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.

The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.

The GUI can then enable/disable server mode at runtime, without using
the CLI.

But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.

Updates #275
4 years ago
Josh Bleecher Snyder a5103a4cae all: upgrade to latest version of depaware 4 years ago
Josh Bleecher Snyder 38dda1ea9e all: update depaware.txt
Broken by 8051ecff55.


Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 90b7293b3b ipn: add/move some constants, update a comment
And make the StateStore implementations be Stringers, for error messages.
4 years ago
Brad Fitzpatrick 8b94a769be cmd/tailscaled: use the standard flag page instead of getopt
Per discussion with @crawshaw. The CLI tool already used std flag anyway.
If either of them, it would've made more sense for the CLI to use getopt.
4 years ago
Josh Bleecher Snyder 6e8328cba5 wgengine/tsdns: replace connections when net link changes (macOS)
When the network link changes, existing UDP sockets fail immediately
and permanently on macOS.

The forwarder set up a single UDP conn and never changed it.
As a result, any time there was a network link change,
all forwarded DNS queries failed.

To fix this, create a new connection when send requests
fail because of network unreachability.

This change is darwin-only, although extended it to other platforms
should be straightforward.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 3528d28ed1 wgengine/router: move Tailscale's winipcfg additions into wgengine/router
Part of unforking our winipcfg-go and using upstream (#760), move our
additions into our repo. (We might upstream them later if upstream has
interest)

Originally these were:

@apenwarr: "Add ifc.SyncAddresses() and SyncRoutes()."
609dcf2df5

@bradfitz: "winipcfg: make Interface.AddRoutes do as much as possible, return combined error"
e9f93d53f3

@bradfitz: "prevent unnecessary Interface.SyncAddresses work; normalize IPNets in deltaNets"
decb9ee8e1
4 years ago
Brad Fitzpatrick 3bdcfa7193 ipn: remove DisableDERP pref
We depend on DERP for NAT traversal now[0] so disabling it entirely can't
work.

What we'll do instead in the future is let people specify
alternate/additional DERP servers. And perhaps in the future we could
also add a pref for nodes to say when they expect to never need/want
to use DERP for data (but allow it for NAT traversal communication).

But this isn't the right pref and it doesn't work, so delete it.

Fixes #318

[0] https://tailscale.com/blog/how-nat-traversal-works/
4 years ago
Christina Wen f0e9dcdc0a
wgengine/router: restore /etc/resolv.conf after tailscale down is called
This change is to restore /etc/resolv.conf after tailscale down is called. This is done by setting the dns.Manager before errors occur. Error collection is also added.

Fixes #723
4 years ago
Josh Bleecher Snyder 7f97cf654d cmd/microproxy: add -insecure flag
This makes it easier to run microproxy locally during development.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Josh Bleecher Snyder 3fa863e6d9 cmd/derper: add missing html.EscapeString calls in /debug page
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 931bcd44cb control/controlclient: report Synology "distro" + its version to control 4 years ago
David Anderson 8f5b52e571 net/netns: add windows support.
Also remove rebinding logic from the windows router. Magicsock will
instead rebind based on link change signals.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick 4f7751e025 Update depaware for previous ipnserver change. 4 years ago
Brad Fitzpatrick a084c44afc wgengine, wgengine/router, cmd/tailscale: force netfilter mode off on Synology
For now. Get it working again so it's not stuck on 0.98.

Subnet relay can come later.

Updates #451

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 8b60936913 depaware: update deps 4 years ago
Brad Fitzpatrick 22ed3c503e
Add depaware.txt files and GitHub checks. (#745)
See https://github.com/tailscale/depaware

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Josh Bleecher Snyder 7bd89359c9 cmd/cloner: generate a package-level Clone function
This Clone function knows how to clone any types
for which it has generated Clone methods.
This allows callers to efficiently clone
an inbound interface{} that might contain one of these types.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Josh Bleecher Snyder 99d223130c cmd/cloner: fix found type detection
This was causing any type to be reported as found,
as long as there were any type decls at all. Oops.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Josh Bleecher Snyder 2352690bde cmd/cloner: ensure cloner gets re-run when structs change
If you change a struct and don't re-run cloner,
your Cloner method might be inaccurate, leading to bad things.

To prevent this, write out the struct as it is at the moment that
cloner is caller, and attempt a conversion from that type.
If the struct gets changed in any way, this conversion will fail.

This will yield false positives: If you change a non-pointer field,
you will be forced to re-run cloner, even though the actual generated
code won't change. I think this is an acceptable cost: It is a minor
annoyance, which will prevent real bugs.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 468bb3afce cmd/tailscale/cli: add debug -derp mode 4 years ago
Brad Fitzpatrick 1e0be5a458 tshttp, derphttp: send Proxy-Authorization, not Authorization, to proxies
Whoops. But weirdly, sending Authorization sometimes worked?
4 years ago
halulu 3af2d671e6
cmd/tailscale/cli: add new flag --force-reauth to up subcommand (#717)
Signed-off-by: Halulu <lzjluzijie@gmail.com>
4 years ago
halulu bd37e40d2b
cmd/tailscale/cli: status exit when disconnected (#720)
cmd/tailscale/cli: make status report stopped status, exit non-zero

Fixes #714
4 years ago
Brad Fitzpatrick 483141094c cmd/tailscale/cli: add basic 'down' subcommand
RELNOTE=yes
4 years ago
halulu f27a57911b
cmd/tailscale: add derp and endpoints status (#703)
cmd/tailscale: add local node's information to status output (by default)

RELNOTE=yes

Updates #477

Signed-off-by: Halulu <lzjluzijie@gmail.com>
4 years ago
Brad Fitzpatrick f915ab6552 net/tshttpproxy: add start of Kerberos Negotiate auth to proxies on Windows
For now only used by a new cmd/tailscale debug --get-url
subcommand. Not yet wired up to the places making HTTP requests.

Updates tailscale/corp#583
4 years ago
Brad Fitzpatrick 5e0375808b cmd/tailscale/cli: fix vet warning
And add vet to the "make check" target, like the CI has.
4 years ago
Brad Fitzpatrick 1be6c6dd70 cmd/tailscale/cli: add hidden debug subcommand 4 years ago
Brad Fitzpatrick e415991256 derp, derp/derphttp: remove one RTT from DERP setup
* advertise server's DERP public key following its ServerHello
* have client look for that DEPR public key in the response
  PeerCertificates
* let client advertise it's going into a "fast start" mode
  if it finds it
* modify server to support that fast start mode, just not
  sending the HTTP response header

Cuts down another round trip, bringing the latency of being able to
write our first DERP frame from SF to Bangalore from ~725ms
(3 RTT) to ~481ms (2 RTT: TCP and TLS).

Fixes #693

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 771e9541c7 cmd/tailscale/cli: appease staticcheck 4 years ago
Brad Fitzpatrick adf4f3cce0 cmd/tailscale/cli: make netcheck sort regions, show full region names 4 years ago
David Anderson c2b63ba363 cmd/microproxy: add a quick hack for some malformed variables.
Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Brad Fitzpatrick 4e63a4fda3 cmd/tailscale/cli: remove already done TODO 4 years ago
Brad Fitzpatrick 84dc891843 cmd/tailscale/cli: add ping subcommand
For example:

$ tailscale ping -h
USAGE
  ping <hostname-or-IP>

FLAGS
  -c 10                   max number of pings to send
  -stop-once-direct true  stop once a direct path is established
  -verbose false          verbose output

$ tailscale ping mon.ts.tailscale.com
pong from monitoring (100.88.178.64) via DERP(sfo) in 65ms
pong from monitoring (100.88.178.64) via DERP(sfo) in 252ms
pong from monitoring (100.88.178.64) via [2604:a880:2:d1::36:d001]:41641 in 33ms

Fixes #661

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 87cbc067c2 cmd/tailscale/cli: validate advertised routes' IP address-vs-network bits
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Josh Bleecher Snyder b23f2263c1 derp: add server version to /debug, expvars
This will make it easier for a human to tell what
version is deployed, for (say) correlating line numbers
in profiles or panics to corresponding source code.

It'll also let us observe version changes in prometheus.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
4 years ago
Brad Fitzpatrick 6818bb843d Update README, remove old relaynode dredge 4 years ago
Mike Kramlich 08949d4ef1 --advertise-routes option enabled in Mac tailscale CLI; it checks for IP forwarding enabled
Signed-off-by: Mike Kramlich <groglogic@gmail.com>
4 years ago
David Anderson 9e26ffecf8 cmd/tailscaled: ignore SIGPIPE.
SIGPIPE can be generated when CLIs disconnect from tailscaled. This
should not terminate the process.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
David Anderson d64de1ddf7 Revert "cmd/tailscaled: exit gracefully on SIGPIPE"
tailscaled receives a SIGPIPE when CLIs disconnect from it. We shouldn't
shut down in that case.

This reverts commit 43b271cb26.

Signed-off-by: David Anderson <danderson@tailscale.com>
4 years ago
Dmytro Shynkevych 43b271cb26
cmd/tailscaled: exit gracefully on SIGPIPE
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
David Crawshaw 92e9a5ac15 tailscaled.service: use default restart limiting
It appears that systemd has sensible defaults for limiting
crash loops:

	DefaultStartLimitIntervalSec=10s
	DefaultStartLimitBurst=5

Remove our insta-restart configuration so that it works.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
4 years ago
Brad Fitzpatrick ff8c8db9d3 cmd/tailscaled: log on shutdown signal 4 years ago
Brad Fitzpatrick 4aba86cc03 ipn/ipnserver: make Engine argument a func that tries again for each connection
So a backend in server-an-error state (as used by Windows) can try to
create a new Engine again each time somebody re-connects, relaunching
the GUI app.

(The proper fix is actually fixing Windows issues, but this makes things better
in the short term)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick ec4feaf31c cmd/cloner, tailcfg: fix nil vs len 0 issues, add tests, use for Hostinfo
Also use go:generate and https://golang.org/s/generatedcode header style.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
David Crawshaw 961b9c8abf cmd/cloner: tool to generate Clone methods
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
4 years ago
Dmytro Shynkevych 318751c486 cmd/tailscaled: always flush logs properly
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych 4957360ecd
cmd/tailscale: rename use-dns to accept-dns
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych dd4e06f383 cmd/tailscale: add corpDNS flag
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Brad Fitzpatrick 2545575dd5 cmd/tailscale: default to not reporting daemon version
That's what I meant to do when I added "tailscale version" but
apparently I didn't.
4 years ago
Brad Fitzpatrick 6095a9b423 cmd/tailscale: add "version" subcommand
Fixes #448

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick f562c35c0d safesocket: support connecting to Mac TCP server from within App Sandbox 4 years ago
Brad Fitzpatrick 10ac066013 all: fix vet warnings 4 years ago
Dmytro Shynkevych 852136a03c cmd/tailscale: simplify hostname validation
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych 65d2537c05 cmd/tailscale: modify empty hostname case
Signed-Off-By: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Dmytro Shynkevych 8163521c33 cmd/tailscale: allow overriding hostname in tailscale up
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Brad Fitzpatrick 44baa3463f cmd/tailscale/cli: add initial predicate func ActLikeCLI 4 years ago
Dmytro Shynkevych 19d77ce6a3
cmd/tailscale: fix typo in license headers
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Brad Fitzpatrick 7ba148e54e cmd/tailscale: make tailscale status -active also filter in -json mode 4 years ago
Brad Fitzpatrick 60f4982f9b cmd/tailscale: move code into new reusable cmd/tailscale/cli package
cmd/tailscale's package main is now just a few lines.

This'll let us embed the CLI in the Mac and Windows clients.

Updates #541
4 years ago
Brad Fitzpatrick e589c76e98 cmd/tailscaled: don't require --socket path on windows 4 years ago
Brad Fitzpatrick c1d9e41bef cmd/tailscaled: use "Tailscale" as default TUN device name on Windows
That's what's used in the Windows GUI version and seems special. If we don't use
that, Windows tries to rename it and fails.
4 years ago
Brad Fitzpatrick f98706bdb3 paths, cmd/tailscaled: on Windows, don't try to migrate from legacy relay.conf
Avoids confusing logspam on Windows.
4 years ago
Dmytro Shynkevych 61abab999e
cmd/tailscaled: graceful shutdown (#534)
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
4 years ago
Brad Fitzpatrick 0551bec95b cmd/tailscale: add -active flag to 'tailscale status' to filter out inactive peers 4 years ago
Brad Fitzpatrick 5c6d8e3053 netcheck, tailcfg, interfaces, magicsock: survey UPnP, NAT-PMP, PCP
Don't do anything with UPnP, NAT-PMP, PCP yet, but see how common they
are in the wild.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 32156330a8 net/interfaces: add func LikelyHomeRouterIP
For discovering where we might direct NAT-PMP/PCP/UPnP queries at in
the future.
4 years ago
Brad Fitzpatrick 630379a1d0 cmd/tailscale: add tailscale status region name, last write, consistently star
There's a lot of confusion around what tailscale status shows, so make it better:
show region names, last write time, and put stars around DERP too if active.

Now stars are always present if activity, and always somewhere.
4 years ago
Brad Fitzpatrick 3553512a71 cmd/derper: fix embarassing bug introduced in earlier refactor
The remove hook implementation was copy/pasted from the line above and
I didn't change the body, resulting in packet forwarding routes never
being removed.

Fortunately we weren't using this path yet, but it led to stats being
off, and (very) slow memory growth.
4 years ago
Brian Chu 2a8e064705 cmd/tailscale: Allow advertising subnet routes on *BSD.
Use sysctl to check IP forwarding state for better OS compatiblity.

Signed-off-by: Brian Chu <cynix@cynix.org>
4 years ago
Brad Fitzpatrick b87396b5d9 cmd/derper, derp: add some more varz and consistency check handler
I'm trying to hunt down a slow drift in numbers not agreeing.
4 years ago
Brad Fitzpatrick c8cf3169ba cmd/derper, derp/derphttp: move bulk of derp mesh code into derphttp
To be reused in various other tools.
5 years ago
Brad Fitzpatrick 7cbf6ab771 cmd/derper: remove unused parameter in runMeshClient 5 years ago
Brad Fitzpatrick abd79ea368 derp: reduce DERP memory use; don't require callers to pass in memory to use
The magicsock derpReader was holding onto 65KB for each DERP
connection forever, just in case.

Make the derp{,http}.Client be in charge of memory instead. It can
reuse its bufio.Reader buffer space.
5 years ago
Brad Fitzpatrick 1cb7dab881 cmd/derper: support forwarding packets amongst set of peer DERP servers
Updates #388

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick b663ab4685 cmd/derper: treat self-connection connection watch as no-op
Updates #388
5 years ago
Brad Fitzpatrick 5798826990 cmd/derper: add /home/bradfitz/keys to default mesh key search list 5 years ago
Brad Fitzpatrick 484b7fc9a3 derp, cmd/derper: add frameWatchConns, framePeerPresent for inter-DERP routing
This lets a trusted DERP client that knows a pre-shared key subscribe
to the connection list. Upon subscribing, they get the current set
of connected public keys, and then all changes over time.

This lets a set of DERP server peers within a region all stay connected to
each other and know which clients are connected to which nodes.

Updates #388

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson c62b80e00b cmd/tailscale: fix inverted flag meanings.
The flags were --no-blah for a brief time, then we switched them to
--blah=true/false with a default of true, but didn't fix the boolean
inversions in the code. So up was down, true was false, etc.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 83b6b06cc4 cmd/tailscale: fix broken build, result of borked stash pop. 5 years ago
David Anderson 3c7791f6bf cmd/tailscale: remove double negation arguments.
--no-snat becomes --snat-subnet-routes
--no-single-routes becomes --host-routes

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 984a699219 cmd/tailscale: warn to stderr that netcheck -format=json isn't stable 5 years ago
Brad Fitzpatrick 0245bbe97b Make netcheck handle v6-only interfaces better, faster.
Also:

* add -verbose flag to cmd/tailscale netcheck
* remove some API from the interfaces package
* convert some of the interfaces package to netaddr.IP
* don't even send IPv4 probes on machines with no IPv4 (or only v4
  loopback)
* and once three regions have replied, stop waiting for other probes
  at 2x the slowest duration.

Updates #376
5 years ago
Brad Fitzpatrick a96165679c cmd/tailscale: add netcheck flags for incremental reports, JSON output 5 years ago
Avery Pennarun 9ff51909a3 router_linux: fix behaviour when switching --netfilter-mode.
On startup, and when switching into =off and =nodivert, we were
deleting netfilter rules even if we weren't the ones that added them.

In order to avoid interfering with rules added by the sysadmin, we have
to be sure to delete rules only in the case that we added them in the
first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 85d93fc4e3 cmd/tailscale: make ip_forward warnings more actionable.
Let's actually list the file we checked
(/proc/sys/net/ipv4/ip_forward). That gives the admin something
specific to look for when they get this message.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun 99aa33469e cmd/tailscale: be quiet when no interaction or errors are needed.
We would print a message about "nothing more to do", which some people
thought was an error or warning. Let's only print a message after
authenticating if we previously asked for interaction, and let's
shorten that message to just "Success," which is what it means.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Dmytro Shynkevych 7508b67c54 cmd/tailscale: expose --enable-derp
Signed-off-by: Dmytro Shynkevych <dm.shynk@gmail.com>
5 years ago
Brad Fitzpatrick b0c10fa610 stun, netcheck: move under net 5 years ago
Brad Fitzpatrick e6b84f2159 all: make client use server-provided DERP map, add DERP region support
Instead of hard-coding the DERP map (except for cmd/tailscale netcheck
for now), get it from the control server at runtime.

And make the DERP map support multiple nodes per region with clients
picking the first one that's available. (The server will balance the
order presented to clients for load balancing)

This deletes the stunner package, merging it into the netcheck package
instead, to minimize all the config hooks that would've been
required.

Also fix some test flakes & races.

Fixes #387 (Don't hard-code the DERP map)
Updates #388 (Add DERP region support)
Fixes #399 (wgengine: flaky tests)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Avery Pennarun af9328c1b7 log rate limiting: reformat limiter messages, and use nonempty burst size.
- Reformat the warning about a message being rate limited to print the
  format string, rather than the formatted message. This helps give a
  clue what "type" of message is being limited.

- Change the rate limit warning to be [RATE LIMITED] in all caps. This
  uses less space on each line, plus is more noticeable.

- In tailscaled, change the frequency to be less often (once every 5
  seconds per format string) but to allow bursts of up to 5 messages.
  This greatly reduces the number of messages that are rate limited
  during startup, but allows us to tighten the limit even further during
  normal runtime.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun f2db4ac277 cmd/tailscaled: SetGCPercent() if GOGC is not set.
This cuts RSS from ~30MB to ~20MB on my machine, after the previous fix
to get rid of unnecessary zstd buffers.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Avery Pennarun d074ec6571 cmd/tailscaled: eliminate unnecessary use of an init() function.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
Wendi Yu bb55694c95
wgengine: log node IDs when peers are added/removed (#381)
Also stop logging data sent/received from nodes we're not connected to (ie all those `x`s being logged in the `peers: ` line)
Signed-off-by: Wendi <wendi.yu@yahoo.ca>
5 years ago
David Anderson 0fe262f093 ipn: plumb NetfilterMode all the way out to the CLI.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 292606a975 wgengine/router: support multiple levels of netfilter involvement.
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson bfdc8175b1 wgengine/router: add a setting to disable SNAT for subnet routes.
Part of #320.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson 8b0be7475b cmd/tailscale: warn subnet route users if IP forwarding is off. #320
Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
David Anderson ad1cfe8bbe cmd/tailscale: support IPs or CIDRs in -advertise-routes.
Fixes #370.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Brad Fitzpatrick 529e2cb31a ipn: add AllowVersionSkew bool to Notify & Message
For "tailscale status" on macOS (from separately downloaded
cmd/tailscale binary against App Store IPNExtension).

(This isn't all of it, but I've had this sitting around uncommitted.)
5 years ago
Wendi Yu 0c69b4e00d
Implement rate limiting on log messages (#356)
Implement rate limiting on log messages

Addresses issue #317, where logs can get spammed with the same message
nonstop. Created a rate limiting closure on logging functions, which
limits the number of messages being logged per second based on format
string. To keep memory usage as constant as possible, the previous cache
purging at periodic time intervals has been replaced by an LRU that
discards the oldest string when the capacity of the cache is reached.


Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
5 years ago
Zijie Lu e3559d1c45 cmd/netcheck: better DERP latency checking output
Fixes #206

Signed-off-by: Zijie Lu <zijie@tailscale.com>
5 years ago
Dmytro Shynkevych 68a173bc24 cmd/mkpkg: support adding empty directories.
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
5 years ago
Avery Pennarun 9d1f48032a cmd/tailscale: add --advertise-tags option.
These will be used for dynamically changing the identity of a node, so
its ACL rights can be different from your own.

Note: Not all implemented yet on the server side, but we need this so
we can request the tagged rights in the first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
David Anderson 1ac570def7 wgengine/router: split out from wgengine.
The router implementations are logically separate, with their own API.

Signed-off-by: David Anderson <danderson@tailscale.com>
5 years ago
Avery Pennarun d7429b9a8d Add prefs.ShieldsUp and --shields-up option.
This sets a default packet filter that blocks all incoming requests,
giving end users more control over who can get into their machine, even
if the admin hasn't set any central ACLs.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
5 years ago
wardn d052586da7 cmd/taillogin: delete it
Signed-off-by: wardn <wardn@users.noreply.github.com>
5 years ago
Brad Fitzpatrick 45f2b53aca all: remove unnecessary trailing newlines in format patterns for consistency
And document on logger.Logf that it's unnecessary.
5 years ago
Brad Fitzpatrick 73249f8032 netcheck: aggregate spammy logging onto one concise line 5 years ago
David Crawshaw f8b72d2b5b cmd/tailscale: add up --authkey flag
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Sylvain Rabot a279032998 cmd/mkpkg: fix missing default value for --depends
Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>
5 years ago
Brad Fitzpatrick 64334143a1 tsweb: rename Handler to ReturnHandler
The name's been bugging me for a long time.

I liked neither the overlap between tsweb.Handler and http.Handler,
nor the name "ServeHTTPErr" which sounds like it's an error being
returned, like it's an error handler and not sometimes a happy path.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson ba2774ea27 cmd/mkpkg: support depending on stuff.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 362d6af4e2 cmd/tailscaled: set CacheDirectory in service.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 48d7ee1c6a cmd/microproxy: adjust to export node stats and a Go expvar server's stats.
This is a temporary specialization to what tailscale prod needs right now,
it'll go back to something more generic later.
5 years ago
David Anderson c14bc028ac cmd/microproxy: tiny TLS proxy that borrows autocert x509 certs. 5 years ago
Brad Fitzpatrick a4ef345737 cmd/tailscale: add status subcommand
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 8ebee05fbd cmd/tailscale: remove unnecessary logpolicy/logtail logging 5 years ago
Brad Fitzpatrick 322499473e cmd/tailscaled, wgengine, ipn: add /debug/ipn handler with world state
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Avery Pennarun a56e853b72 cmd/relaynode: delete it!
tailscale+tailscaled now completely obsoletes relaynode, so let's let
it finally go away.
5 years ago
David Anderson 1e031001db derp: move write timeout to package constant.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson dbfc916273 derp: add short queues between reader and writer, drop on overload.
This avoids the server blocking on misbehaving or heavily contended
clients. We attempt to drop from the head of the queue to keep
overall queueing time lower.

Also:
 - fixes server->client keepalives, which weren't happening.
 - removes read rate-limiter, deferring instead to kernel-level
   global limiter/fair queuer.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick e085aec8ef all: update to wireguard-go API changes
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 8de67844bd cmd/tailscale: make failure message when tailscaled down less technical 5 years ago
Brad Fitzpatrick 5aafe0ee96 cmd/tailscale: don't crash on too many non-flag args 5 years ago
David Anderson ea0836dce9 cmd/tailscaled: remove default user/group from systemd. 5 years ago
Brad Fitzpatrick 6c3820e8c4 cmd/tailscaled: rename relaynode reference in defaults file comment 5 years ago
Avery Pennarun b4897e7de8 controlclient/netmap: write our own b.ConciseDiffFrom(a) function.
This removes the need for go-cmp, which is extremely bloaty so we had
to leave it out of iOS. As a result, we had also left it out of macOS,
and so we didn't print netmap diffs at all on darwin-based platforms.
Oops.

As a bonus, the output format of the new function is way better.

Minor oddity: because I used the dumbest possible diff algorithm, the
sort order is a bit dumb. We print all "removed" lines and then print
all "added" lines, rather than doing the usual diff-like thing of
interspersing them. This probably doesn't matter (maybe it's an
improvement).
5 years ago
Brad Fitzpatrick b9c6d3ceb8 netcheck: work behind UDP-blocked networks again, add tests
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Crawshaw 5ad947c761 cmd/derper: set a write timeout
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
5 years ago
Avery Pennarun 509247bf42 tailscale, tailscaled: update safesocket port number.
This makes them able to connect to each other on Windows.
5 years ago
Brad Fitzpatrick 5c1e443d34 wgengine/monitor: don't call LinkChange when interfaces look unchanged
Basically, don't trust the OS-level link monitor to only tell you
interesting things. Sanity check it.

Also, move the interfaces package into the net directory now that we
have it.
5 years ago
Brad Fitzpatrick 39c0ae1dba derp/derpmap: new DERP config package, merge netcheck into magicsock more
Fixes #153
Updates #162
Updates #163

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Martin Baillie 8ae3ba0cf5 wgengine: define default tunname for each platform
The device name "tailscale0" will be used for all platforms except for
OpenBSD where "tun" is enforced by the kernel. `CreateTUN()` in
`wireguard-go` will select the next available "tunX" device name on the
OpenBSD system.

Signed-off-by: Martin Baillie <martin@baillie.email>
5 years ago
Brad Fitzpatrick 8abdbbdd1f cmd/derper: also link to /debug/varz 5 years ago
Brad Fitzpatrick ff6b3c2c38 netcheck: include two more DERP nodes, show more in CLI report 5 years ago
David Anderson f192c05413 metrics: add a LabelMap type for variables with 1 label dimension.
This lets us publish sets of vars that are breakdowns along one
dimension in a format that Prometheus and Grafana natively know
how to do useful things with.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 20da44eae3 cmd/mkpkg: support scripts for rpm as well. 5 years ago
Brad Fitzpatrick e371520cc5 tsweb, derp: add expvar http.Handler for Prometheus's format
And add some opinions.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson 21fc5ec371 cmd/mkpkg: support specifying that a package replaces another.
Both RPM and Deb require us to specify both Replaces and Conflicts:
Conflicts tells them that the packages cannot coexist on the system,
Replaces tells them which one to keep.
5 years ago
Brad Fitzpatrick dd68debd64 cmd/derper: set autocert Email
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 65e7c58aa4 cmd/tailscale, cmd/tailscaled, paths: add paths package for default paths
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick a399ef3dc7 cmd/derper: appease staticcheck 5 years ago
Brad Fitzpatrick 051b6ef141 cmd/derper: accept more LetsEncrypt hostnames without explicit config 5 years ago
Brad Fitzpatrick bcf3719b9e netcheck: add hairpinning detection
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick f3c0ea23d9 netcheck, stunner: reduce log spam
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson 78654ee1bd cmd/tailscale: switch to an ffcli based CLI.
Two commands for now, `up` and `netcheck`. The commands and the flags they take
will change a bunch in the future, but this is good enough to launch on parity
with relaynode.

Signed-Off-By: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick 14559340ee Start of netcheck package & including network state in Hostinfo.
* adds new packet "netcheck" to do the checking of UDP, IPv6, and
  nearest DERP server, and the Report type for all that (and more
  in the future, probably pulling in danderson's natprobe)
* new tailcfg.NetInfo type
* cmd/tailscale netcheck subcommand (tentative name, likely to
  change/move) to print out the netcheck.Report.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 00ad93ec25 cmd/derper: add a STUN server
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick d8de11a01b control: make Hostinfo accessed by pointer
Fix potential races in copying aliased slices by value.

Also few little doc updates.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 824f825552 tsweb, cmd/derper: move common web/debug stuff from derper to new tsweb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson accf868130 cmd/mkpkg: add flags for debian scripts. 5 years ago
Brad Fitzpatrick c763901b1a cmd/derper: provide debug access over port 80 to trusted (tailscale) IPs
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson cc44e8a443 cmd/mkpkg: add small wrapper around nfpm to build deb/rpm packages.
Signed-Off-By: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick 2612e54ad1 derp, cmd/derper: add debug handlers, stats
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 433b917977 interfaces, cmd/tsshd: move interface lookup from tsshd to its own package
For reuse by derper, etc.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 37e115834e cmd/derper: support logging to logtail
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
Brad Fitzpatrick 88f1cc0c98 derp, cmd/derper: add rate limiting support, add default 5Mbps limit
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson c47f907a27 ipn: use *Prefs rather than Prefs throughout.
Prefs has become a heavy object with non-memcpy copy
semantics. We should not pass such a thing by value.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 0c55777fed ipn: temporary support for loading legacy relaynode configs.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 5868dd1a77 Lint: remove unused function.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Avery Pennarun 57bbafde84 cmd/relaynode: drop local --acl-file in favour of central packet filter.
relaynode itself is not long for this world, deprecated in favour of
tailscale/tailscaled. But now that the control server supports central
distribution of packet filters, let's actually take advantage of it in
a final, backward compatible release of relaynode.
5 years ago
David Anderson 15b4d26d92 logpolicy: automatically figure out paths and filenames.
The autoselection should pick sensible paths for all of:
 - Windows (LocalAppData)
 - Mac (Library/Caches)
 - Unix user (XDG_CACHE_DIR)
 - Linux systemd service (CACHE_DIRECTORY)

As a last resort, if cache dir lookup fails, plops sufficiently
uniquely named files into the current working directory.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson cf1e386cbd ipn: move Options.ServerURL into Prefs.
We can't rely on a frontend to provide a control
server URL, so this naturally belongs in server-persisted
state.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson c4f6f622f0 tailscaled: remove comment from systemd unit.
No need to ship TODOs to end user systems.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 20e6fc1d78 tailscaled: fix systemd unit definition.
Port number has to be by itself for substitution to work.

Disabling the restart rate-limiting has to be in [Unit] not
[Service].

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 5d4b96b8f2 tailscaled: add a systemd unit.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 85ac82c386 tailscaled: default to a sock in current dir, for development.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 76819e7432 tailscaled: call the network interface tailscale0, not ts0.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 4460bd638b safesocket: simplify API.
On unix, we want to provide a full path to the desired unix socket.

On windows, currently we want to provide a TCP port, but someday
we'll also provide a "path-ish" object for a named pipe.

For now, simplify the API down to exactly a path and a TCP port.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick b72e6446e2 cmd/derper: add a basic DERP server
Mostly Crawshaw's earlier code, refactored a bit.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson 47da432991 ipn: handle advertised routes provided by frontend.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 62fb652eef cmd/tailscaled: run off internal state autonomously.
With this change, tailscaled can be restarted and reconnect
without interaction from `tailscale`, and `tailscale` is merely
there to provide login assistance and adjust preferences.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick 79295b1138 wgengine: simplify, change some signatures
* make RouterGen return an error, not take both tunname and tundev
* also remove RouteGen taking a wireguard/device.Device; currently unused
* remove derp parameter (it'll work differently)
* unexport NewUserspaceRouter in per-OS impls, add documented wrapper

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson dec5d64593 ipn/ipnserver: remove Options.AllowQuit.
It was previously used by the MacOS client, but it now does
something different. ipnserver should never obey a client's
request to exit.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 4796f6fd67 cmd/tailscale: document pump().
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 47820db381 cmd/tailscale{,d}: rename main file.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson b0f5751a76 cmd/tailscale: remove statekey for now.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
David Anderson 5bc632271b Introduce a state store to LocalBackend.
The store is passed-in by callers of NewLocalBackend and
ipnserver.Run, but currently all callers are hardcoded to
an in-memory store. The store is unused.

Signed-Off-By: David Anderson <dave@natulte.net>
5 years ago
David Anderson 21280ca2d1 Make ipn.Options.Prefs a pointer.
This is a prelude to making it truly optional, once state
management has moved into the backend. For now though, it's
still required. This change is just isolating the bubbling-up
of the pointerification into other layers.

Signed-Off-By: David Anderson <dave@natulte.net>
5 years ago
David Anderson f6f154193f Remove LoginFlags from Backend options.
- It was only used in one currently-unused client.
- It's an imperative command, not a configuration setting.
- The LoginFlags stuff in controlclient feels like it needs
  a refactor anyway.

I'll put this logic back once ipnd owns its state and Backend
commands reflect that.

Signed-Off-By: David Anderson <dave@natulte.net>
5 years ago
David Crawshaw a631466587 cmd/tsshd: empty file for windows build
Signed-off-by: David Crawshaw <david@zentus.com>
5 years ago
Brad Fitzpatrick 745c8c92b1 wgengine: fix windows build for winipcfg-go
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson 67c1b2c6ef cmd/tsshd: fix lint.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Martin Baillie 3d5ef74f26 tailscaled: add tunnel name and port flags
OpenBSD tunnel names are prefixed with `tun`.

Controlling the port allows for deterministic configuration of firewall
rules (using `pf` in this case).

Signed-off-by: Martin Baillie <martin@baillie.email>
5 years ago
Brad Fitzpatrick 13dc12814e cmd/tsshd: fix log text 5 years ago
Brad Fitzpatrick d404f1caed cmd/tsshd: add basic SSH server 5 years ago
David Anderson ea11d58e96 debian: fix changelog generation.
It seems changelog generation got broken by moving the code between
corp and OSS repos, because one of the commit SHAs doesn't have an
associated tag.

In the interest of fixing the build, and because we're not yet trying
to upstream the debian package, I fixed this by allowing hash-based
versions to show up in the changelog. This maybe wrong from a
debian standards perspective, but for our current point in life
it'll work until we learn to do it better.

Signed-Off-By: David Anderson <dave@natulte.net>
5 years ago
David Anderson 14af0c4eb3 taillogin: check err in controlclient.New.
Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Brad Fitzpatrick 516a15ee58 cmd: add import comments
See https://golang.org/cmd/go/#hdr-Import_path_checking
5 years ago
Earl Lee a8d8b8719a Move Linux client & common packages into a public repo. 5 years ago