tailscale

Commit Graph

Author	SHA1	Message	Date
Will Norris	236531c5fc	ipn/ipnserver: always allow Windows SYSTEM user to connect When establishing connections to the ipnserver, we validate that the local user is allowed to connect. If Tailscale is currently being managed by a different user (primarily for multi-user Windows installs), we don't allow the connection. With the new device web UI, the inbound connection is coming from tailscaled itself, which is often running as "NT AUTHORITY\SYSTEM". In this case, we still want to allow the connection, even though it doesn't match the user running the Tailscale GUI. The SYSTEM user has full access to everything on the system anyway, so this doesn't escalate privileges. Eventually, we want the device web UI to run outside of the tailscaled process, at which point this exception would probably not be needed. Updates tailscale/corp#16393 Signed-off-by: Will Norris <will@tailscale.com>	5 months ago
James Tucker	7100b6e721	derp: optimize another per client field alignment Updates #self Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
James Tucker	ee20327496	derp: remove unused per-client struct field Updates #self Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
OSS Updater	d841ddcb13	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	5 months ago
James Tucker	a7f65b40c5	derp: optimize field order to reduce GC cost See the field alignment lints for more information. Reductions are 64->24 and 64->32 respectively. Updates #self Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
Charlotte Brandhorst-Satzkorn	e6910974ca	cmd/tailscale/cli: add description to exit-node CLI command This change adds a description to the exit-node CLI command. This description will be displayed when using `tailscale -h` and `tailscale exit-node -h`. Fixes #10787 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	5 months ago
Irbe Krumina	169778e23b	cmd/k8s-operator: minor fix in name gen (#10830 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Will Norris	b89c113365	client/web: skip connectivity check on https The manage client always listens on http (non-secure) port 5252. If the login client is loaded over https, then the connectivity check to `/ok` will fail with a mixed-content error. Mixed-content enforcement is a browser setting that we have no control over, so there's no way around this. In this case of the login client being loaded over https, we skip the connectivity check entirely. We will always render the sign-in button, though we don't know for sure if the user has connectivity, so we provide some additional help text in case they have trouble signing in. Updates hassio-addons/addon-tailscale#314 Signed-off-by: Will Norris <will@tailscale.com>	5 months ago
James Tucker	ff9c1ebb4a	derp: reduce excess goroutines blocking on broadcasts Observed on one busy derp node, there were 600 goroutines blocked writing to this channel, which represents not only more blocked routines than we need, but also excess wake-ups downstream as the latent goroutines writes represent no new work. Updates #self Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
Irbe Krumina	5cc1bfe82d	cmd/k8s-operator: remove configuration knob for Connector (#10791 ) The configuration knob (that defaulted to Connector being disabled) was added largely because the Connector CRD had to be installed in a separate step. Now when the CRD has been added to both chart and static manifest, we can have it on by default. Updates tailscale/tailscale#10878 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Irbe Krumina	469af614b0	cmd/k8s-operator: fix base truncating for extra long Service names (#10825 ) cmd/k8s-operator: fix base truncating for extra long Service names StatefulSet names for ingress/egress proxies are calculated using Kubernetes name generator and the parent resource name as a base. The name generator also cuts the base, but has a higher max cap. This commit fixes a bug where, if we get a shortened base back from the generator, we cut off too little as the base that we have cut will be passed into the generator again, which will then itself cut less because the base is shorter- so we end up with a too long name again. Updates tailscale/tailscale#10807 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Irbe Krumina <irbekrm@gmail.com>	5 months ago
Sonia Appasamy	331a6d105f	client/web: add initial types for using peer capabilities Sets up peer capability types for future use within the web client views and APIs. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
Andrew Dunham	6540d1f018	wgengine/router: look up absolute path to netsh.exe on Windows This is in response to logs from a customer that show that we're unable to run netsh due to the following error: router: firewall: adding Tailscale-Process rule to allow UDP for "C:\\Program Files\\Tailscale\\tailscaled.exe" ... router: firewall: error adding Tailscale-Process rule: exec: "netsh": cannot run executable found relative to current directory: There's approximately no reason to ever dynamically look up the path of a system utility like netsh.exe, so instead let's first look for it in the System32 directory and only if that fails fall back to the previous behaviour. Updates #10804 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I68cfeb4cab091c79ccff3187d35f50359a690573	5 months ago
Irbe Krumina	ca48db0d60	Makefile,build_docker.sh: allow to configure target platform. (#10806 ) Build dev tailscale and k8s-operator images for linux/amd64 only by default, make it possible to configure target build platform via PLATFORM var. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Flakes Updater	91c7dfe85c	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	5 months ago
Andrew Lytvynov	86e476c8d1	version/mkversion: allow version override with $TS_VERSION_OVERRIDE (#10799 ) This is useful to build local binaries with custom versions to test version-specific logic (like updates). Updates https://github.com/tailscale/corp/issues/16703 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Lytvynov	4ec6a78551	go.mod: update golang-x-crypto fork (#10786 ) Pick up a bunch of recent upstream commits. Updates #8593 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Will Norris	84ab040f02	safesocket: detect macsys from within tailscaled Use the helper method from the version package to detect that we are running the macsys network extension. This method does the same check for the HOME environment variable (which works fine in most cases) as well as the name of the executable (which is needed for the web client). Updates tailscale/corp#16393 Signed-off-by: Will Norris <will@tailscale.com>	5 months ago
OSS Updater	e7d52eb2f8	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	5 months ago
Irbe Krumina	35f49ac99e	cmd/k8s-operator: add Connector CRD to Helm chart and static manifests (#10775 ) cmd/k8s-operator: add CRD to chart and static manifest Add functionality to insert CRD to chart at package time. Insert CRD to static manifests as this is where they are currently consumed from. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Sonia Appasamy	ea9c7f991a	cli/set: add printout when web client started Prints a helpful message with the web UI's address when running tailscale set --webclient. Updates tailscale/corp#16345 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
Rhea Ghosh	4ce33c9758	taildrop: remove breaking abstraction layers for apple (#10728 ) Removes the avoidFinalRename logic and all associated code as it is no longer required by the Apple clients. Enables resume logic to be usable for Apple clients. Fixes tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	5 months ago
Andrew Lytvynov	7df9af2f5c	.github/workflows/govulncheck: migrate to a Github App (#10793 ) Send failures to a new channel using a github app token instead of webhook URL. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Dunham	20f3f706a4	net/netutil: allow 16-bit 4via6 site IDs The prefix has space for 32-bit site IDs, but the validateViaPrefix function would previously have disallowed site IDs greater than 255. Fixes tailscale/corp#16470 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4cdb0711dafb577fae72d86c4014cf623fa538ef	5 months ago
Irbe Krumina	05093ea7d9	cmd/k8s-operator,k8s-operator: allow the operator to deploy exit nodes via Connector custom resource (#10724 ) cmd/k8s-operator/deploy/crds,k8s-operator/apis/v1alpha1: allow to define an exit node via Connector CR. Make it possible to define an exit node to be deployed to a Kubernetes cluster via Connector Custom resource. Also changes to Connector API so that one Connector corresponds to one Tailnet node that can be either a subnet router or an exit node or both. The Kubernetes operator parses Connector custom resource and, if .spec.isExitNode is set, configures that Tailscale node deployed for that connector as an exit node. Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com>	5 months ago
James Tucker	953fa80c6f	cmd/{derper,stund},net/stunserver: add standalone stun server Add a standalone server for STUN that can be hosted independently of the derper, and factor that back into the derper. Fixes #8434 Closes #8435 Closes #10745 Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
Will Norris	569b91417f	client/web: ensure path prefix has a leading slash This is simply an extra check to prevent hypothetical issues if a prefix such as `--prefix="javascript:alert(1)"` was provided. This isn't really necessary since the prefix is a configuration flag provided by the device owner, not user input. But it does enforce that we are always interpreting the provided value as a path relative to the root. Fixes: tailscale/corp#16268 Signed-off-by: Will Norris <will@tailscale.com>	5 months ago
License Updater	e26ee6952f	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	5 months ago
License Updater	7b113a2d06	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	5 months ago
Andrew Lytvynov	d96e0a553f	tstest/integration: add tests for auto-update defaulting behavior (#10763 ) Updates #16244 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Sonia Appasamy	55d302b48e	client/web: rename Disconnect to Log out For consistency w/ the CLI command. And to be more accurate to what is actually happening on this action - node key is expired. Also updates the disconnected view shown after logout. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
Irbe Krumina	133699284e	cmd/containerboot: add EXPERIMENTAL_TS_CONFIGFILE_PATH env var to allow passing tailscaled config in a file (#10759 ) * cmd/containerboot: optionally configure tailscaled with a configfile. If EXPERIMENTAL_TS_CONFIGFILE_PATH env var is set, only run tailscaled with the provided config file. Do not run 'tailscale up' or 'tailscale set'. * cmd/containerboot: store containerboot accept_dns val in bool pointer So that we can distinguish between the value being set to false explicitly bs being unset. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Adrian Dewhurst	c05c4bdce4	ipn: apply ControlURL policy before login Unlike most prefs, the ControlURL policy needs to take effect before login. This resolves an issue where on first start, even when the ControlURL policy is set, it will generate a login URL to the Tailscale SaaS server. Updates tailscale/coral#118 Fixes #10736 Change-Id: I6da2a521f64028c15dbb6ac8175839fc3cc4e858 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	5 months ago
Adrian Dewhurst	d50303bef7	docs: add Windows administrative template To make setting Windows policies easier, this adds ADMX policy descriptions. Fixes #6495 Updates ENG-2515 Change-Id: If4613c9d8ec734afec8bd781575e24b4aef9bb73 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	5 months ago
Andrew Dunham	35c303227a	net/dns/resolver: add ID to verbose logs in forwarder To make it easier to correlate the starting/ending log messages. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2802d53ad98e19bc8914bc58f8c04d4443227b26	5 months ago
Rhea Ghosh	dbe70962b1	taildrop: Allow category Z unicode characters (#10750 ) This will expand the unicode character categories that we allow for valid filenames to go from "L, M, N, P, S, and the ASCII space character" to "L, M, N, P, S, Zs" Fixes #10105 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	5 months ago
Andrew Dunham	d3574a350f	cmd/tailscale, ipn/ipnlocal: add 'debug dial-types' command This command allows observing whether a given dialer ("SystemDial", "UserDial", etc.) will successfully obtain a connection to a provided host, from inside tailscaled itself. This is intended to help debug a variety of issues from subnet routers to split DNS setups. Updates #9619 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie01ebb5469d3e287eac633ff656783960f697b84	5 months ago
Aaron Klotz	aed2cfec4e	util/winutil: add some missing docs to restartmgr errors Just a quick #cleanup. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Andrew Dunham	46bdbb3878	cmd/tailscaled, tsnet: don't return an interface containing a nil pointer This tripped me up when I was testing something and wrote: if conn != nil { conn.Close() } In netstack mode, when an error occurred we were getting a non-nil error and a non-nil interface that contained a nil pointer. Instead, just return a nil interface value. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id9ef3dd24529e0e8c53adc60ed914c31fbb10cc4	5 months ago
Andrew Lytvynov	29e98e18f8	ssh/tailssh: use a local error instead of gossh.ErrDenied (#10743 ) ErrDenied was added in [our fork of x/crypto/ssh](`acc6f8fe8d`) to short-circuit auth attempts once one fails. In the case of our callbacks, this error is returned when SSH policy check determines that a connection should not be allowed. Both `NoClientAuthCallback` and `PublicKeyHandler` check the policy and will fail anyway. The `fakePasswordHandler` returns true only if `NoClientAuthCallback` succeeds the policy check, so it checks it indirectly too. The difference here is that a client might attempt all 2-3 auth methods instead of just `none` but will fail to authenticate regardless. Updates #8593 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
James 'zofrex' Sanderson	124dc10261	controlclient,tailcfg,types: expose MaxKeyDuration via localapi (#10401 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	5 months ago
Andrea Gottardo	d9aeb30281	net/interfaces: handle iOS network transitions (#10680 ) Updates #8022 Updates #6075 On iOS, we currently rely on delegated interface information to figure out the default route interface. The NetworkExtension framework in iOS seems to set the delegate interface only once, upon the creation of the VPN tunnel. If a network transition (e.g. from Wi-Fi to Cellular) happens while the tunnel is connected, it will be ignored and we will still try to set Wi-Fi as the default route because the delegated interface is not getting updated as connectivity transitions. Here we work around this on the Swift side with a NWPathMonitor instance that observes the interface name of the first currently satisfied network path. Our Swift code will call into `UpdateLastKnownDefaultRouteInterface`, so we can rely on that when it is set. If for any reason the Swift machinery didn't work and we don't get any updates, here we also have some fallback logic: we try finding a hardcoded Wi-Fi interface called en0. If en0 is down, we fall back to cellular (pdp_ip0) as a last resort. This doesn't handle all edge cases like USB-Ethernet adapters or multiple Ethernet interfaces, but it is good enough to ensure connectivity isn't broken. I tested this on iPhones and iPads running iOS 17.1 and it appears to work. Switching between different cellular plans on a dual SIM configuration also works (the interface name remains pdp_ip0). Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	5 months ago
James 'zofrex' Sanderson	10c595d962	ipn/ipnlocal: refresh node key without blocking if cap enabled (#10529 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	5 months ago
Irbe Krumina	3a9450bc06	cmd/containerboot: don't parse empty subnet routes (#10738 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Irbe Krumina	5a2eb26db3	cmd/containerboot: ensure that subnet routes can be unset. (#10734 ) A Tailnet node can be told to stop advertise subnets by passing an empty string to --advertise-routes flag. Respect an explicitly passed empty value to TS_ROUTES env var so that users have a way to stop containerboot acting as a subnet router without recreating it. Distinguish between TS_ROUTES being unset and empty. Updates tailscale/tailscale#10708 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Aaron Klotz	e32a064659	cmd/tailscaled: don't create a network monitor in the parent tailscaled on Windows The service is only used as a watchdog and for piping logs from the child process. We shouldn't be creating a network monitor in that case. Fixes #10732 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Andrew Dunham	fa3639783c	net/portmapper: check returned epoch from PMP and PCP protocols If the epoch that we see during a Probe is less than the existing epoch, it means that the gateway has either restarted or reset its configuration, and an existing mapping is no longer valid. Reset any saved mapping(s) if we detect this case so that a future createOrGetMapping will not attempt to re-use it. Updates #10597 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie3cddaf625cb94a29885f7a1eeea25dbf6b97b47	5 months ago
Jordan Whited	b084888e4d	wgengine/magicsock: fix typos in docs (#10729 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Chris Palmer	1f1ab74250	tsweb: use object-src instead of plugin-types (#10719 ) plugin-types is deprecated, and setting object-src: 'none' is best practice. This should result in no functional change. Fixes #10718 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	5 months ago
Adrian Dewhurst	3d57c885bf	logpolicy: use syspolicy to override LogTarget Previously, for Windows clients only, a registry value named LogTarget could override the log server, but only if the environment variable was unset. To allow administrators to enforce using a particular log server, switch this to make the registry value take precedence over the environment variable, and switch to the newer syspolicy.GetString so that the log target can be specified by a GPO more easily. Updates ENG-2515 Change-Id: Ia618986b0e07715d7db4c6df170a24d511c904c9 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	5 months ago

1 2 3 4 5 ...

7038 Commits (236531c5fc6d7295f8832f47a569e49fceca76eb) All Branches Search

7038 Commits (236531c5fc6d7295f8832f47a569e49fceca76eb)

All Branches