tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Dunham	0cc397e96d	cmd/derper, net/netcheck: add challenge/response to generate_204 endpoint The Lufthansa in-flight wifi generates a synthetic 204 response to the DERP server's /generate_204 endpoint. This PR adds a basic challenge/response to the endpoint; something sufficiently complicated that it's unlikely to be implemented by a captive portal. We can then check for the expected response to verify whether we're being MITM'd. Follow-up to #5601 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I94a68c9a16a7be7290200eea6a549b64f02ff48f (cherry picked from commit `223126fe5b`)	2 years ago
Mihai Parparita	78dec82736	net/wsconn: add back custom wrapper for turning a websocket.Conn into a net.Conn We removed it in #4806 in favor of the built-in functionality from the nhooyr.io/websocket package. However, it has an issue with deadlines that has not been fixed yet (see nhooyr/websocket#350). Temporarily go back to using a custom wrapper (using the fix from our fork) so that derpers will stop closing connections too aggressively. Updates #5921 Change-Id: I1597644e8ba47b413e33f2201eab935145566c0e Signed-off-by: Mihai Parparita <mihai@tailscale.com> (cherry picked from commit `9d04ffc782`)	2 years ago
Brad Fitzpatrick	7c2fdcd028	ipn/ipnlocal: fix E.G.G. port number accounting Change-Id: Id35461fdde79448372271ba54f6e6af586f2304d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `9475801ebe`)	2 years ago
Denton Gentry	30afe38cb9	cmd/tailscale: correct --cpu-profile help text Signed-off-by: Denton Gentry <dgentry@tailscale.com> (cherry picked from commit `19dfdeb1bb`)	2 years ago
Andrew Dunham	2a6afafc76	cmd/tailscale, ipn: enable debug logs when --report flag is passed to bugreport (#5830 ) Change-Id: Id22e9f4a2dcf35cecb9cd19dd844389e38c922ec Signed-off-by: Andrew Dunham <andrew@tailscale.com> (cherry picked from commit `c32f9f5865`)	2 years ago
Brad Fitzpatrick	8a187159b2	cmd/ssh-auth-none-demo: add demo SSH server that acts like Tailscale SSH For SSH client authors to fix their clients without setting up Tailscale stuff. Change-Id: I8c7049398512de6cb91c13716d4dcebed4d47b9c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	92ad56ddcb	cmd/tsconnect: close the SSH session an unload event instead of beforeunload The window may not end up getting unloaded (if other beforeunload handlers prevent the event), thus we should only close the SSH session if it's truly getting unloaded. Updates tailscale/corp#7304 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Joe Tsai	24ebf161e8	net/tstun: instrument Wrapper with statistics gathering (#5847 ) If Wrapper.StatisticsEnable is enabled, then per-connection counters are maintained. If enabled, Wrapper.StatisticsExtract must be periodically called otherwise there is unbounded memory growth. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
David Anderson	fde20f3403	cmd/pgproxy: link to blog post at the top. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Mihai Parparita	7ffd2fe005	cmd/tsconnect: switch to non-beta versions of xterm and related packages xterm 5.0 was released a few weeks ago, and it picks up xtermjs/xterm.js#4069, which was the main reason why we were on a 5.0 beta. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
David Anderson	bdf3d2a63f	cmd/pgproxy: open-source our postgres TLS-enforcing proxy. From the original commit that implemented it: It accepts Postgres connections over Tailscale only, dials out to the configured upstream database with TLS (using strong settings, not the swiss cheese that postgres defaults to), and proxies the client through. It also keeps an audit log of the sessions it passed through, along with the Tailscale-provided machine and user identity of the connecting client. In our other repo, this was: commit 92e5edf98e8c2be362f564a408939a5fc3f8c539, Change-Id I742959faaa9c7c302bc312c7dc0d3327e677dc28. Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	1841d0bf98	wgengine/magicsock: make debug-level stuff not logged by default And add a CLI/localapi and c2n mechanism to enable it for a fixed amount of time. Updates #1548 Change-Id: I71674aaf959a9c6761ff33bbf4a417ffd42195a7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	5c69961a57	cmd/tailscale/cli: add --record flag to bugreport (#5826 ) Change-Id: I02bdc37a5c1a5a5d030c136ec5e84eb4c9ab1752 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	e5636997c5	wgengine: don't re-allocate trimmedNodes map (#5825 ) Change-Id: I512945b662ba952c47309d3bf8a1b243e05a4736 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Mihai Parparita	8343b243e7	all: consistently initialize Logf when creating tsdial.Dialers Most visible when using tsnet.Server, but could have resulted in dropped messages in a few other places too. Fixes #5743 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Adrian Dewhurst	c581ce7b00	cmd/tailscale, client, ipn, tailcfg: add network lock modify command Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2 years ago
Aaron Klotz	44f13d32d7	cmd/tailscaled, util/winutil: log Windows service diagnostics when the wintun device fails to install I added new functions to winutil to obtain the state of a service and all its depedencies, serialize them to JSON, and write them to a Logf. When tstun.New returns a wrapped ERROR_DEVICE_NOT_AVAILABLE, we know that wintun installation failed. We then log the service graph rooted at "NetSetupSvc". We are interested in that specific service because network devices will not install if that service is not running. Updates https://github.com/tailscale/tailscale/issues/5531 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Emmanuel T Odeke	f981b1d9da	all: fix resource leaks with missing .Close() calls Fixes #5706 Signed-off-by: Emmanuel T Odeke <emmanuel@orijtech.com>	2 years ago
Brad Fitzpatrick	9bdf0cd8cd	ipn/ipnlocal: add c2n /debug/{goroutines,prefs,metrics} * and move goroutine scrubbing code to its own package for reuse * bump capver to 45 Change-Id: I9b4dfa5af44d2ecada6cc044cd1b5674ee427575 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	b1867457a6	doctor: add package for running in-depth healthchecks; use in bugreport (#5413 ) Change-Id: Iaa4e5b021a545447f319cfe8b3da2bd3e5e5782b Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
James Tucker	f7cb535693	net/speedtest: retune to meet iperf on localhost in a VM - removed some in-flow time calls - increase buffer size to 2MB to overcome syscall cost - move relative time computation from record to report time Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Andrew Dunham	e1bdbfe710	tailcfg, control/controlhttp, control/controlclient: add ControlDialPlan field (#5648 ) * tailcfg, control/controlhttp, control/controlclient: add ControlDialPlan field This field allows the control server to provide explicit information about how to connect to it; useful if the client's link status can change after the initial connection, or if the DNS settings pushed by the control server break future connections. Change-Id: I720afe6289ec27d40a41b3dcb310ec45bd7e5f3e Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Brad Fitzpatrick	2c447de6cc	cmd/tailscaled: use explicit equal sign in --port=$PORT in tailscaled.service Personal preference (so it's obvious it's not a bool flag), but it also matches the --state= before it. Bonus: stop allowing PORT to sneak in extra flags to be passed as their own arguments, as $FOO and ${FOO} expand differently. (${FOO} is required to concat to strings) Change-Id: I994626a5663fe0948116b46a971e5eb2c4023216 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	a7a0baf6b9	cmd/tsconnect: add error callback for SSH sessions We were just logging them to the console, which is useful for debugging, but we may want to show them in the UI too. Updates tailscale/corp#6939 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Tom DNetto	e9b98dd2e1	control/controlclient,ipn/ipnlocal: wire tka enable/disable Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Andrew Dunham	c6162c2a94	net/netcheck: add check for captive portal (#5593 ) This doesn't change any behaviour for now, other than maybe running a full netcheck more often. The intent is to start gathering data on captive portals, and additionally, seeing this in the 'tailscale netcheck' command should provide a bit of additional information to users. Updates #1634 Change-Id: I6ba08f9c584dc0200619fa97f9fde1a319f25c76 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Berk D. Demir	ff13c66f55	cmd/tailscale: fix configure-host command for Synology `d5e7e309` changed the `hostinfo.GetVersion` from distro and distro version to UTS Name Release and moved distribution information under `hostinfo.Distro*`. `tailscale configure-host` command implementation for Synology DSM environments relies on the old semantics of this string for matching DSM Major version so it's been broken for a few days. Pull in `hostinfo` and prefix match `hostinfo.DistroVersion` to match DSM major version. Signed-off-by: Berk D. Demir <bdd@mindcast.org>	2 years ago
Brad Fitzpatrick	ed248b04a7	cmd/tailscale: remove leftover debug prints from earlier commit From `6632504f45` Change-Id: If21789232b3ecc14c1639cf87814af6fa73f535f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	8158dd2edc	cmd/tsconnect: allow SSH connection timeout to be overridden 5 seconds may not be enough if we're still loading the derp map and connecting to a slow machine. Updates #5693 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Maisem Ali	6632504f45	cmd/tailscale/cli: [up] move lose-ssh check after other validations The check was happening too early and in the case of error would wait 5 s and then error out. This makes it so that it does validations before the SSH check. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	41bb47de0e	cmd/tailscaled: respect $PORT on all platforms, not just Linux Updates #5114 Change-Id: I6c6e28c493d6a026a03088157d08f9fd182ef373 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	3562b5bdfa	envknob, health: support Synology, show parse errors in status Updates #5114 Change-Id: I8ac7a22a511f5a7d0dcb8cac470d4a403aa8c817 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	65c24b6334	envknob: generalize Windows tailscaled-env.txt support ipnserver previously had support for a Windows-only environment variable mechanism that further only worked when Windows was running as a service, not from a console. But we want it to work from tailscaed too, and we want it to work on macOS and Synology. So move it to envknob, now that envknob can change values at runtime post-init. A future change will wire this up for more platforms, and do something more for CLI flags like --port, which the bug was originally about. Updates #5114 Change-Id: I9fd69a9a91bb0f308fc264d4a6c33e0cbe352d71 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	9b71008ef2	control/controlhttp: move Dial options into options struct (#5661 ) This turns 'dialParams' into something more like net.Dialer, where configuration fields are public on the struct. Split out of #5648 Change-Id: I0c56fd151dc5489c3c94fb40d18fd639e06473bc Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Eng Zer Jun	f0347e841f	refactor: move from io/ioutil to io and os packages The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Reference: https://golang.org/doc/go1.16#ioutil Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2 years ago
Mihai Parparita	1ce0e558a7	cmd/derper, control/controlhttp: disable WebSocket compression The data that we send over WebSockets is encrypted and thus not compressible. Additionally, Safari has a broken implementation of compression (see nhooyr/websocket#218) that makes enabling it actively harmful. Fixes tailscale/corp#6943 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Brad Fitzpatrick	74674b110d	envknob: support changing envknobs post-init Updates #5114 Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	9c6bdae556	cmd/tsconnect: use the parent window for `beforeunload` event listener The SSH session may be rendered in a different window that the one that is executing the script. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Brad Fitzpatrick	45a3de14a6	cmd/tailscaled, tailcfg, hostinfo: add flag to disable logging + support As noted in #5617, our documented method of blocking log.tailscale.io DNS no longer works due to bootstrap DNS. Instead, provide an explicit flag (--no-logs-no-support) and/or env variable (TS_NO_LOGS_NO_SUPPORT=true) to explicitly disable logcatcher uploads. It also sets a bit on Hostinfo to say that the node is in that mode so we can end any support tickets from such nodes more quickly. This does not yet provide an easy mechanism for users on some platforms (such as Windows, macOS, Synology) to set flags/env. On Linux you'd used /etc/default/tailscaled typically. Making it easier to set flags for other platforms is tracked in #5114. Fixes #5617 Fixes tailscale/corp#1475 Change-Id: I72404e1789f9e56ec47f9b7021b44c025f7a373a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	b22b565947	cmd/tsconnect: allow xterm.js terminal options to be passed in Allows clients to use a custom theme and other xterm.js customization options. Fixes #5610 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Mihai Parparita	c312e0d264	cmd/tsconnect: allow hostname to be specified The auto-generated hostname is nice as a default, but there are cases where the client has a more specific name that it can generate. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Mihai Parparita	11fcc3a7b0	cmd/tsconnect: fix xterm.js link opening not working when rendered into another window The default WebLinksAddon handler uses window.open(), but that gets blocked by the popup blocker when the event being handled is another window. We instead need to invoke open() on the window that the event was triggered in. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Will Norris	f03a63910d	cmd/tailscale: add licenses link to web UI The `tailscale web` UI is the primary interface for Synology and Home Assistant users (and perhaps others), so is the logical place to put our open source license notices. I don't love adding things to what is currently a very minimal UI, but I'm not sure of a better option. Updates tailscale/corp#5780 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Andrew Dunham	eb5939289c	cmd/derper: add /generate_204 endpoint (#5601 ) For captive portal detection. Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Mihai Parparita	b302742137	cmd/tsconnect: enable web links addon in the terminal More user friendly, and as a side-effect we handle SSH check mode better, since the URL that's output is now clickable. Fixes #5247 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Mihai Parparita	62035d6485	cmd/tsconnect: switch back to public version of xterm npm package xtermjs/xterm.js#4069 was merged and published (in 5.0.0-beta.58), no need for the fork added by `01e6565e8a`. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Brad Fitzpatrick	89fee056d3	cmd/derper: add robots.txt to disallow all Fixes #5565 Change-Id: I5626ec2116d9be451caef651dc301b7a82e35550 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	58abae1f83	net/dns/{publicdns,resolver}: add NextDNS DoH support NextDNS is unique in that users create accounts and then get user-specific DNS IPs & DoH URLs. For DoH, the customer ID is in the URL path. For IPv6, the IP address includes the customer ID in the lower bits. For IPv4, there's a fragile "IP linking" mechanism to associate your public IPv4 with an assigned NextDNS IPv4 and that tuple maps to your customer ID. We don't use the IP linking mechanism. Instead, NextDNS is DoH-only. Which means using NextDNS necessarily shunts all DNS traffic through 100.100.100.100 (programming the OS to use 100.100.100.100 as the global resolver) because operating systems can't usually do DoH themselves. Once it's in Tailscale's DoH client, we then connect out to the known NextDNS IPv4/IPv6 anycast addresses. If the control plane sends the client a NextDNS IPv6 address, we then map it to the corresponding NextDNS DoH with the same client ID, and we dial that DoH server using the combination of v4/v6 anycast IPs. Updates #2452 Change-Id: I3439d798d21d5fc9df5a2701839910f5bef85463 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	01e6565e8a	cmd/tsconnect: temporarily switch to xterm.js fork that handles popup windows Allows other work to be unblocked while xtermjs/xterm.js#4069 is worked through. To enable testing the popup window handling, the standalone app allows opening of SSH sessions in new windows by holding down the alt key while pressing the SSH button. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago

1 2 3 4 5 ...

969 Commits (54e8fa172b725b354598daaa7007d261fd932d10)