tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	d413850bd7	cmd/tailscale: add "debug via" subcommand to do CIDR math for via ranges $ tailscale debug via 0xb 10.2.0.0/16 fd7a:115c:a1e0:b1a:0🅱️a02:0/112 $ tailscale debug via fd7a:115c:a1e0:b1a:0🅱️a02:0/112 site 11 (0xb), 10.2.0.0/16 Previously: `3ae701f0eb` This adds a little debug tool to do CIDR math to make converting between those ranges easier for now. Updates #3616 Change-Id: I98302e95d17765bfaced3ecbb71cbd43e84bff46 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Xe Iaso	fc2f628d4c	cmd/nginx-auth: maintainer scripts and tailnet checking (#4460 ) * cmd/nginx-auth: add maintainer scripts Signed-off-by: Xe <xe@tailscale.com> * cmd/nginx-auth: add Expected-Tailnet header and documentation Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Blake Mizerany	33fa43252e	cmd/proxy-to-grafana: prevent premature termination This commit changes proxy-to-grafana to report errors while polling for tailscaled status instead of terminating at the first sign of an error. This allows tailscale some time to come up before the proxy decides to give up. Signed-off-by: Blake Mizerany <blake.mizerany@gmail.com>	2 years ago
Maisem Ali	945879fa38	cmd/tailscale: [ssh] enable StrictHostKeyChecking mode Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	8f5e5bff1e	cmd/tailscale, etc: make "tailscale up --ssh" fail fast when unavailable Fail on unsupported platforms (must be Linux or macOS tailscaled with WIP env) or when disabled by admin (with TS_DISABLE_SSH_SERVER=1) Updates #3802 Change-Id: I5ba191ed0d8ba4ddabe9b8fc1c6a0ead8754b286 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	f0e2272e04	cmd/tailscale: unhide 'up --ssh' behind WIP env var Updates #3802 Change-Id: I99c550c2e4450640b0ee6ab060f178dde1360553 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	8ee044ea4a	ssh/tailssh: make the SSH server a singleton, register with LocalBackend Remove the weird netstack -> tailssh dependency and instead have tailssh register itself with ipnlocal when linked. This makes tailssh.server a singleton, so we can have a global map of all sessions. Updates #3802 Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
phirework	83c734a6e0	net/dns, util/publicdns: extract public DNS mapping into own package (#4405 ) This extracts DOH mapping of known public DNS providers in forwarder.go into its own package, to be consumed by other repos Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
James Tucker	8de7f9bff7	tailscaled: no longer tune gcpercent Usage of userspace-networking is increasing, and the aggressive GC tuning causes a significant reduction in performance in that mode. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Xe Iaso	4f1d6c53cb	cmd/nginx-auth: create new Tailscale NGINX auth service (#4400 ) This conforms to the NGINX subrequest result authentication protocol[1] using the NGINX module `ngx_http_auth_request_module`. This is based on the example that @peterkeen provided on Twitter[2], but with several changes to make things more tightly locked down: * This listens over a UNIX socket instead of a TCP socket to prevent leakage to the network * This uses systemd socket activation so that systemd owns the socket and can then lock down the service to the bare minimum required to do its job without having to worry about dropping permissions * This provides additional information in HTTP response headers that can be useful for integrating with various services * This has a script to automagically create debian and redhat packages for easier distribution This will be written about on the Tailscale blog. There is more information in README.md. [1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ [2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go Signed-off-by: Xe Iaso <xe@tailscale.com>	2 years ago
Maisem Ali	c87ed52ad4	cmd/tailscale: add id-token subcommand RELNOTE=Initial support for getting OIDC ID Tokens Updates tailscale/corp#4347 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	3ae701f0eb	net/tsaddr, wgengine/netstack: add IPv6 range that forwards to site-relative IPv4 This defines a new magic IPv6 prefix, fd7a:115c:a1e0:b1a::/64, a subset of our existing /48, where the final 32 bits are an IPv4 address, and the middle 32 bits are a user-chosen "site ID". (which must currently be 0000:00xx; the top 3 bytes must be zero for now) e.g., I can say my home LAN's "site ID" is "0000:00bb" and then advertise its 10.2.0.0/16 IPv4 range via IPv6, like: tailscale up --advertise-routes=fd7a:115c:a1e0:b1a::bb:10.2.0.0/112 (112 being /128 minuse the /96 v6 prefix length) Then people in my tailnet can: $ curl '[fd7a:115c:a1e0:b1a::bb:10.2.0.230]' <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" .... Updates #3616, etc RELNOTE=initial support for TS IPv6 addresses to route v4 "via" specific nodes Change-Id: I9b49b6ad10410a24b5866b9fbc69d3cae1f600ef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Eger	f992749b98	cmd/tailscale: Add file get --loop flag. To "automatically receive taildrop files to my Downloads directory," user currently has to run 'tailscale file get' in a loop. Make it easy to do this without shell. Updates: #2312 Signed-off-by: David Eger <david.eger@gmail.com>	2 years ago
Xiaochao Dong (@damnever)	7d97800d52	cmd/tailscale: make web mode preserve URL scheme in Synology redirect Signed-off-by: Xiaochao Dong (@damnever) <the.xcdong@gmail.com>	3 years ago
James Tucker	2550acfd9d	go.mod: bump netstack for clone reset fix (#4379 ) In tracking down issue #4144 and reading through the netstack code in detail, I discovered that the packet buf Clone path did not reset the packetbuf it was getting from the sync.Pool. The fix was sent upstream https://github.com/google/gvisor/pull/7385, and this bump pulls that in. At this time there is no known path that this fixes, however at the time of upstream submission this reset at least one field that could lead to incorrect packet routing if exercised, a situation that could therefore lead to an information leak. Signed-off-by: James Tucker <james@tailscale.com>	3 years ago
James Tucker	c6ac29bcc4	wgengine/netstack: disable refsvfs2 leak tracking (#4378 ) In addition an envknob (TS_DEBUG_NETSTACK_LEAK_MODE) now provides access to set leak tracking to more useful values. Fixes #4309 Signed-off-by: James Tucker <james@tailscale.com>	3 years ago
Xe Iaso	55161b3d92	cmd/mkpkg: use package flag (#4373 ) Also removes getopt Signed-off-by: Xe <xe@tailscale.com>	3 years ago
Xe Iaso	be861797b4	cmd/mkpkg: add name argument (#4372 ) * shell.nix: rename goimports to gotools Signed-off-by: Xe <xe@tailscale.com> * cmd/mkpkg: allow specifying description and name in flag args Signed-off-by: Xe <xe@tailscale.com>	3 years ago
oliverpool	0b273e1857	cmd/tailscale: drop special exit code 125 for gokrazy No needed since gokrazy doesn't restart successful processes anymore: https://github.com/gokrazy/gokrazy/pull/127 Signed-off-by: Olivier Charvin <git@olivier.pfad.fr>	3 years ago
Brad Fitzpatrick	5a44f9f5b5	tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh While we rearrange/upstream things. gliderlabs/ssh is forked into tempfork from our prior fork at `be8b7add40` x/crypto/ssh OTOH is forked at https://github.com/tailscale/golang-x-crypto because it was gnarlier to vendor with various internal packages, etc. Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d). Updates #3802 Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	753f1bfad4	cmd/tailscale: write fewer known_hosts, resolve ssh host to FQDN early Updates #3802 Change-Id: Ic44fa2e6661a9c046e725c04fa6b8213d3d4d2b2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	df93158aac	cmd/tailscale: generate known_hosts file for 'tailscale ssh' Updates #3802 Change-Id: I7a0052392f000ee44fc8e719f6666756aab91f3d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	8294915780	cmd/tailscale/cli: add start of 'ssh' subcommand Updates #3802 Change-Id: Iabc07c00c7e4f43944cfe7daec8d2b66ac002289 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	06fcf3b225	cmd/tailscale: make status --peers=false work earlier + in JSON mode And return an error if you use non-flag arguments. Change-Id: I0dd6c357eb5cabd0f17020f21ba86406aea21681 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	5df12b9059	client/tailscale, cmd/tailscale, localapi: add 'tailscale nc' (actually) Adds missing file from `fc12cbfcd3`. GitHub was having issues earlier and it was all green because the checks never actually ran, but the DCO non-Actions check at least did, so "green" and I merged, not realizing it hadn't really run anything. Updates #3802 Change-Id: I29f605eebe5336f1f3ca28ebb78b092dd99d9fd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	fc12cbfcd3	client/tailscale, cmd/tailscale, localapi: add 'tailscale nc' This adds a "tailscale nc" command that acts a bit like "nc", but dials out via tailscaled via localapi. This is a step towards a "tailscale ssh", as we'll use "tailscale nc" as a ProxyCommand for in some cases (notably in userspace mode). But this is also just useful for debugging & scripting. Updates #3802 RELNOTE=tailscale nc Change-Id: Ia5c37af2d51dd0259d5833d80264d3ad5f68446a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	77b4fe0afa	all: remove "no 1.18 support" failures We have worked around the issue in DERP, so the vanilla Go 1.18 toolchain now works. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	98984c1a9a	cmd/proxy-to-grafana: fix package doc code snippet Markdown isn't supported. Change-Id: I8d9bb92260c164dc277afbce624f64fc2faf5125 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Nick O'Neill	5fa502b5dc	cmd/proxy-to-grafana: use grafana's authproxy to log in tailnet users (#4208 ) Signed-off-by: Nick O'Neill <nick@tailscale.com>	3 years ago
Brad Fitzpatrick	f2041c9088	all: use strings.Cut even more Change-Id: I943ce72c6f339589235bddbe10d07799c4e37979 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Aaron Klotz	6e91f872af	net/tshttpproxy: ensure we pass the correct flags to WinHttpOpen on Win7 and Win8.0 The best flag to use on Win7 and Win8.0 is deprecated in Win8.1, so we resolve the flag depending on OS version info. Fixes https://github.com/tailscale/tailscale/issues/4201 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Brad Fitzpatrick	1db46919ab	cmd/tailscaled: make build fail nicely on older Go versions Due to a bug in Go (golang/go#51778), cmd/go doesn't warn about your Go version being older than the go.mod's declared Go version in that case that package loading fails before the build starts, such as when you use packages that are only in the current version of Go, like our use of net/netip. This change works around that Go bug by adding build tags and a pre-Go1.18-only file that will cause Go 1.17 and earlier to fail like: $ ~/sdk/go1.17/bin/go install ./cmd/tailscaled # tailscale.com/cmd/tailscaled ./required_version.go:11:2: undefined: you_need_Go_1_18_to_compile_Tailscale note: module requires Go 1.18 Change-Id: I39f5820de646703e19dde448dd86a7022252f75c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	0868329936	all: use any instead of interface{} My favorite part of generics. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	997b19545b	syncs: use TryLock and TryRLock instead of unsafe The docs say: Note that while correct uses of TryLock do exist, they are rare, and use of TryLock is often a sign of a deeper problem in a particular use of mutexes. Rare code! Or bad code! Who can tell! Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	ead16b24ec	cmd/tailscaled: fail early with nice error on macOS with go1.18 Due to golang/go#51759 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Denton Gentry	d8953bf2ba	cmd/derpprobe: don't alert for smaller failures. There is a Cosmic Background level of DERP Unreachability, with individual nodes or regions becoming unreachable briefly and returning a short time later. This is due to hosting provider outages or just the Internet sloshing about. Returning a 500 error pages a human. Being awoken at 3am for a transient error is annoying. For relatively small levels of badness don't page a human, just post to Slack. If the outage impacts a significant fraction of the DERP fleet, then page a human. Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
Josh Bleecher Snyder	8c2cb4b431	go.mod: update to latest certstore It includes a fix to allow us to use Go 1.18. We can now remove our Tailscale-only build tags. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	1f22507c06	version: use Go 1.18's git stamping as default implementation No more manual version bumps! Fixes #81 Change-Id: I3a9e544a7248f0b83bcbacbaabbc4dabc435e62d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	26021b07ec	control/controlclient: only build certstore-related code with the Tailscale Go toolchain The certstore code is impacted by golang/go#51726. The Tailscale Go toolchain fork contains a temporary workaround, so it can compile it. Once the upstream toolchain can compile certstore, presumably in Go 1.18.1, we can revert this change. Note that depaware runs with the upstream toolchain. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	1b57b0380d	wgengine/magicsock: remove final alloc from ReceiveFrom And now that we don't have to play escape analysis and inlining games, simplify the code. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	71b535fc94	go.mod: require Go 1.18 Also, update depaware for Go 1.18's dependency tree. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
David Eger	5be42c0af1	cmd/tailscale: add file get options for dealing with existing files A new flag --conflict=(skip\|overwrite\|rename) lets users specify what to do when receiving files that match a same-named file in the target directory. Updates #3548 Signed-off-by: David Eger <david.eger@gmail.com>	3 years ago
Maisem Ali	da6ce27416	go.mod: move from github.com/gliderlabs/ssh to github.com/tailscale/ssh Updates #4146 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	ba1adf6c24	ssh/tailssh: make pty termios options match OpenSSH Still not sure the exact rules of how/when/who's supposed to set these, but this works for now on making them match. Baby steps. Will research more and adjust later. Updates #4146 (but not enough to fix it, something's still wrong) Updates #3802 Change-Id: I496d8cd7e31d45fe9ede88fc8894f35dc096de67 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Aaron Klotz	f8a4df66de	cmd/tailscale/cli, ipn: move exit node IP parsing and validation from cli into prefs. We need to be able to provide the ability for the GUI clients to resolve and set the exit node IP from an untrusted string, thus enabling the ability to specify that information via enterprise policy. This patch moves the relevant code out of the handler for `tailscale up`, into a method on `Prefs` that may then be called by GUI clients. We also update tests accordingly. Updates https://github.com/tailscale/corp/issues/4239 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Joonas Kuorilehto	c1b3500a05	cmd/tailscale: allow use of flags in gokrazy Enable use of command line arguments with tailscale cli on gokrazy. Before this change using arguments like "up" would cause tailscale cli to be repeatedly restarted by gokrazy process supervisor. We never want to have gokrazy restart tailscale cli, even if user would manually start the process. Expected usage is that user creates files: flags/tailscale.com/cmd/tailscale/flags.txt: up flags/tailscale.com/cmd/tailscaled/flags.txt: --statedir=/perm/tailscaled/ --tun=userspace-networking Then tailscale prints URL for user to log in with browser. Alternatively it should be possible to use up with auth key to allow unattended gokrazy installs. Signed-off-by: Joonas Kuorilehto <joneskoo@derbian.fi>	3 years ago
Maisem Ali	06c147d848	ssh/tailssh: create login sessions for new connections Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	740e3c006c	cmd/derper: add --stun-port flag And flesh out docs on the --http-port flag. Change-Id: If9d42665f67409082081cb9a25ad74e98869337b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Maisem Ali	0f31a0fc76	control/controlclient: add Noise client Updates #3488 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	f18bb6397b	cmd/tailscale: tell gokrazy to not manage the CLI as a daemon In the future we'll probably want to run the "tailscale web" server instead, but for now stop the infinite restart loop. See https://gokrazy.org/userguide/process-interface/ for details. Updates #1866 Change-Id: I4133a5fdb859b848813972620495865727fe397a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago

1 2 3 4 5 ...

777 Commits (2b8b887d5518d08eee9a121bd70c33059c3b71c1)