tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	8b81254992	ipn/ipnlocal: reject tailscale up --ssh if disabled on tailnet Updates #3802 Change-Id: I3f1e839391fe9b28270f506f4bb8d8e3d36716f5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	0ce67ccda6	wgengine/router: make supportsV6NAT check catch more cases Updates #4459 Change-Id: Ic27621569d2739298e652769d10e38608c6012be Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Xe Iaso	fc2f628d4c	cmd/nginx-auth: maintainer scripts and tailnet checking (#4460 ) * cmd/nginx-auth: add maintainer scripts Signed-off-by: Xe <xe@tailscale.com> * cmd/nginx-auth: add Expected-Tailnet header and documentation Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Blake Mizerany	33fa43252e	cmd/proxy-to-grafana: prevent premature termination This commit changes proxy-to-grafana to report errors while polling for tailscaled status instead of terminating at the first sign of an error. This allows tailscale some time to come up before the proxy decides to give up. Signed-off-by: Blake Mizerany <blake.mizerany@gmail.com>	2 years ago
Tom DNetto	c8f4dfc8c0	derp/derphttp,net/netcheck: improve netcheck behavior under MITM proxies In cases where tailscale is operating behind a MITM proxy, we need to consider that a lot more of the internals of our HTTP requests are visible and may be used as part of authorization checks. As such, we need to 'behave' as closely as possible to ideal. - Some proxies do authorization or consistency checks based the on Host header or HTTP URI, instead of just the IP/hostname/SNI. As such, we need to construct a `*http.Request` with a valid URI everytime HTTP is going to be used on the wire, even if its over TLS. Aside from the singular instance in net/netcheck, I couldn't find anywhere else a http.Request was constructed incorrectly. - Some proxies may deny requests, typically by returning a 403 status code. We should not consider these requests as a valid latency check, so netcheck semantics have been updated to consider >299 status codes as a failed probe. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	cc575fe4d6	net/dns: schedule DoH upgrade explicitly, fix Resolver.Addr confusion Two changes in one: * make DoH upgrades an explicitly scheduled send earlier, when we come up with the resolvers-and-delay send plan. Previously we were getting e.g. four Google DNS IPs and then spreading them out in time (for back when we only did UDP) but then later we added DoH upgrading at the UDP packet layer, which resulted in sometimes multiple DoH queries to the same provider running (each doing happy eyeballs dialing to 4x IPs themselves) for each of the 4 source IPs. Instead, take those 4 Google/Cloudflare IPs and schedule 5 things: first the DoH query (which can use all 4 IPs), and then each of the 4 IPs as UDP later. * clean up the dnstype.Resolver.Addr confusion; half the code was using it as an IP string (as documented) as half was using it as an IP:port (from some prior type we used), primarily for tests. Instead, document it was being primarily an IP string but also accepting an IP:port for tests, then add an accessor method on it to get the IPPort and use that consistently everywhere. Change-Id: Ifdd72b9e45433a5b9c029194d50db2b9f9217b53 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	e3a4952527	net/dns/resolver: count errors when racing DNS queries, fail earlier If all N queries failed, we waited until context timeout (in 5 seconds) to return. This makes (*forwarder).forward fail fast when the network's unavailable. Change-Id: Ibbb3efea7ed34acd3f3b29b5fee00ba8c7492569 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	d9efbd97cb	net/dns: remove an unused function Change-Id: I7c920c76223ffac37954ef2a18754afc52177598 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	c13be0c509	tailcfg: clarify how SSHPolicy.Rules are evaluated between auth phases Updates #3802 Change-Id: I321183a8a2b065a40dca8dd95ca90cd822a17ff8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	91a187bf87	ssh/tailssh: make checkStillValid also consider username changes Currently if the policy changes and the session is logged in with local user "u1" and the new policy says they can only login with "u2" now, the user doesn't get kicked out because they had requested `rando@<ssh-host>` and the defaulting had made that go to `u1`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	a04eebf59f	ipn/ipnlocal: also use SSHPolicies when updating filterHash Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Joe Tsai	d201d217df	go.toolchain.rev: update to go1.18.1 (#4438 ) Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Tom DNetto	24cd26534f	hostinfo, tailcfg: add desktop detection on Linux to hostinfo From the machines tab its hard to differenciate desktop Linux installs from server Linux installs. Transmitting this information should make this determination a lot easier. Due to the reality that tailscaled is likely a system process, the standard checks based on XDG_SESSION_TYPE or DISPLAY environment variables are not possible (those variables won't be set). Instead, we look for listening unix sockets that are typical of desktop installs. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	9f1dd716e8	tailcfg, logtail: provide Debug bit to disable logtail For people running self-hosted control planes who want a global opt-out knob instead of running their own logcatcher. Change-Id: I7f996c09f45850ff77b58bfd5a535e197971725a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	ecea6cb994	net/dns/resolver: make DoH dialer use existing dnscache happy eyeball dialer Simplify the ability to reason about the DoH dialing code by reusing the dnscache's dialer we already have. Also, reduce the scope of the "ip" variable we don't want to close over. This necessarily adds a new field to dnscache.Resolver: SingleHostStaticResult, for when the caller already knows the IPs to be returned. Change-Id: I9f2aef7926f649137a5a3e63eebad6a3fffa48c0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	e96dd00652	ipn/ipnlocal: add capability for debugging peers over peerapi The default is still users can debug their own nodes. But like `cd916b728b` did, this adds support for admins to grant additional capabilities with the new tailcfg.CapabilityDebugPeer cap. Updates #4217 Change-Id: Ifce3d9a1f8e8845797970a4f97b393194663d35f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	945879fa38	cmd/tailscale: [ssh] enable StrictHostKeyChecking mode Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	8f5e5bff1e	cmd/tailscale, etc: make "tailscale up --ssh" fail fast when unavailable Fail on unsupported platforms (must be Linux or macOS tailscaled with WIP env) or when disabled by admin (with TS_DISABLE_SSH_SERVER=1) Updates #3802 Change-Id: I5ba191ed0d8ba4ddabe9b8fc1c6a0ead8754b286 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	f0e2272e04	cmd/tailscale: unhide 'up --ssh' behind WIP env var Updates #3802 Change-Id: I99c550c2e4450640b0ee6ab060f178dde1360553 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	93221b4535	ssh/tailssh: cache public keys fetched from URLs Updates #3802 Change-Id: I96715bae02bce6ea19f16b1736d1bbcd7bcf3534 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	3ffd88a84a	wgengine/monitor: do not set timeJumped on iOS/Android In `(Mon).Start` we don't run a timer to update `(Mon).lastWall` on iOS and Android as their sleep patterns are bespoke. However, in the debounce goroutine we would notice that the the wall clock hadn't been updated since the last event would assume that a time jump had occurred. This would result in non-events being considered as major-change events. This commit makes it so that `(*Mon).timeJumped` is never set to `true` on iOS and Android. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	ade7bd8745	ssh/tailssh: close sessions on policy change if no longer allowed Updates #3802 Change-Id: I98503c2505b77ac9d0cc792614fcdb691761a70c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	4ec83fbad6	ipn/ipnlocal: only call updateFilter with mutex held And rename to updateFilterLocked to prevent future mistakes. Fixes #4427 Change-Id: I4d37b90027d5ff872a339ce8180f5723704848dc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	cd916b728b	ipn/ipnlocal: add start of inter-user Taildrop Controlled by server-sent capability policy. To be initially used for SSH servers to record sessions to other nodes. Not yet productized into something user-accessible. (Notably, the list of Taildrop targets from the sender side isn't augmented yet.) This purely permits expanding the set of expands a node will accept a drop from. Updates #3802 Updates #4217 Change-Id: Id7a5bccd686490f8ef2cdc7dae7c07c440dc0085 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	f4f76eb275	net/dnsfallback: update from 'go generate' Change-Id: I93e0e6d9a4a471953c1ffef07f32605c5724aed8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	16f3520089	all: add arbitrary capability support Updates #4217 RELNOTE=start of WhoIsResponse capability support Change-Id: I6522998a911fe49e2f003077dad6164c017eed9b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	c591c91653	tailcfg, control/controlclient: TSMP & disco pings tailcfg.PingResponse formalizes the TSMP & disco response message, and controlclient is wired to send POST responses containing tailcfg.PingResponse for TSMP and disco PingRequests. Updates tailscale/corp#754 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	67192a2323	go.mod: bump u-root We only use the termios subpackage, so we're unaffected by CVE-2020-7665, but the bump will let dependabot return to slumber. Fixes https://github.com/tailscale/tailscale/security/dependabot/2 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	8ee044ea4a	ssh/tailssh: make the SSH server a singleton, register with LocalBackend Remove the weird netstack -> tailssh dependency and instead have tailssh register itself with ipnlocal when linked. This makes tailssh.server a singleton, so we can have a global map of all sessions. Updates #3802 Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	da14e024a8	tailcfg, ssh/tailssh: optionally support SSH public keys in wire policy And clean up logging. Updates #3802 Change-Id: I756dc2d579a16757537142283d791f1d0319f4f0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	df9ce972c7	tailcfg, ipn/ipnlocal: add debug flag to enable one-big-CGNAT/10 route To experiment with avoiding Chrome ERR_NETWORK_CHANGED errors on route changes. Updates #3102 Change-Id: I339da14c684fdac45ac261566aa21bf2198672ff Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
phirework	52d32c94d8	net/dns/publicdns: add missing call to sync.Once.Do (#4410 ) Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
phirework	83c734a6e0	net/dns, util/publicdns: extract public DNS mapping into own package (#4405 ) This extracts DOH mapping of known public DNS providers in forwarder.go into its own package, to be consumed by other repos Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
James Tucker	8de7f9bff7	tailscaled: no longer tune gcpercent Usage of userspace-networking is increasing, and the aggressive GC tuning causes a significant reduction in performance in that mode. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Xe Iaso	4f1d6c53cb	cmd/nginx-auth: create new Tailscale NGINX auth service (#4400 ) This conforms to the NGINX subrequest result authentication protocol[1] using the NGINX module `ngx_http_auth_request_module`. This is based on the example that @peterkeen provided on Twitter[2], but with several changes to make things more tightly locked down: * This listens over a UNIX socket instead of a TCP socket to prevent leakage to the network * This uses systemd socket activation so that systemd owns the socket and can then lock down the service to the bare minimum required to do its job without having to worry about dropping permissions * This provides additional information in HTTP response headers that can be useful for integrating with various services * This has a script to automagically create debian and redhat packages for easier distribution This will be written about on the Tailscale blog. There is more information in README.md. [1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ [2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go Signed-off-by: Xe Iaso <xe@tailscale.com>	2 years ago
Maisem Ali	50b4b8b2c6	ipn/ipnlocal: make peerIPs return a sorted slice Currently peerIPs doesn't do any sorting of the routes it returns. This is typically fine, however imagine the case of an HA subnet router failover. When a route R moves from peer A to peer B, the output of peerIPs changes. This in turn causes all the deephash check inside wgengine to fail as the hashed value of [R1, R2] is different than the hashed value of [R2, R1]. When the hash check failes, it causes wgengine to reconfigure all routes in the OS. This is especially problematic for macOS and iOS where we use the NetworkExtension. This commit makes it that the peerIPs are always sorted when returned, thus making the hash be consistent as long as the list of routes remains static. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	a49d8d5200	Revert ".github/workflows: work around golang/go#51629" This reverts commit `2a412ac9ee`. Updates #4194 Change-Id: I0098b66b71d20bea301ca79058c1cdd201237dd0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	09c5c9eb83	go.mod: bump x/tools for go/packages generics fix Updates #4194 Change-Id: Ia992ffb14210d5ad53f8f98d12b80d64080998e6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	dec68166e4	tstest/integration/vms: smoke test derphttp through mitm proxies Updates #4377 Very smoky/high-level test to ensure that derphttp internals play well with an agressive (stare + bump) meddler-in-the-middle proxy. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Ilya Mateyko	2748750aa2	ipn/ipnstate: make status page more mobile-friendly Signed-off-by: Ilya Mateyko <me@astrophena.name>	2 years ago
Maisem Ali	c87ed52ad4	cmd/tailscale: add id-token subcommand RELNOTE=Initial support for getting OIDC ID Tokens Updates tailscale/corp#4347 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	3ae701f0eb	net/tsaddr, wgengine/netstack: add IPv6 range that forwards to site-relative IPv4 This defines a new magic IPv6 prefix, fd7a:115c:a1e0:b1a::/64, a subset of our existing /48, where the final 32 bits are an IPv4 address, and the middle 32 bits are a user-chosen "site ID". (which must currently be 0000:00xx; the top 3 bytes must be zero for now) e.g., I can say my home LAN's "site ID" is "0000:00bb" and then advertise its 10.2.0.0/16 IPv4 range via IPv6, like: tailscale up --advertise-routes=fd7a:115c:a1e0:b1a::bb:10.2.0.0/112 (112 being /128 minuse the /96 v6 prefix length) Then people in my tailnet can: $ curl '[fd7a:115c:a1e0:b1a::bb:10.2.0.230]' <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" .... Updates #3616, etc RELNOTE=initial support for TS IPv6 addresses to route v4 "via" specific nodes Change-Id: I9b49b6ad10410a24b5866b9fbc69d3cae1f600ef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Eger	f992749b98	cmd/tailscale: Add file get --loop flag. To "automatically receive taildrop files to my Downloads directory," user currently has to run 'tailscale file get' in a loop. Make it easy to do this without shell. Updates: #2312 Signed-off-by: David Eger <david.eger@gmail.com>	2 years ago
James Tucker	f4aad61e67	wgengine/monitor: ignore duplicate RTM_NEWADDRs Ignoring the events at this layer is the simpler path for right now, a broader change should follow to suppress irrelevant change events in a higher layer so as to avoid related problems with other monitoring paths on other platforms. This approach may also carry a small risk that it applies an at-most-once invariant low in the chain that could be assumed otherwise higher in the code. I adjusted the newAddrMessage type to include interface index rather than a label, as labels are not always supplied, and in particular on my test hosts they were consistently missing for ipv6 address messages. I adjusted the newAddrMessage.Addr field to be populated from Attributes.Address rather than Attributes.Local, as again for ipv6 .Local was always empty, and with ipv4 the .Address and .Local contained the same contents in each of my test environments. Update #4282 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	2f69c383a5	wgengine/monitor: add envknob TS_DEBUG_NETLINK While I trust the test behavior, I also want to assert the behavior in a reproduction environment, this envknob gives me the log information I need to do so. Update #4282 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Tom DNetto	8f6d8cf979	tstest/integration/vms: test on stable nixos (21.11) I would like to do some more customized integration tests in the future, (specifically, bringing up a mitm proxy and testing tailscaled through that) so hoping to bring back the nixos wiring to support that. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
James Tucker	8226f1482c	go.mod: bump rtnetlink for address label encoding (#4386 ) This will enable me to land tests for the upcoming monitor change in PR #4385. Update #4385 Update #4282 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Tom DNetto	f923ce6f87	shell.nix: use tailscale-go for compilation This change builds a derivation for tailscale-go and makes it available in the users development environment. This is consistent with the shell.nix in corp/. Once go1.18 is in a stable Nixpkgs release we can avoid relying on derivations from nixpkgs head. For now, this works well, and the fetched derivations are cached in the Nix store according to the usual rules. Fixes #4231 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom	24bdcbe5c7	net/dns, net/dns/resolver, wgengine: refactor DNS request path (#4364 ) * net/dns, net/dns/resolver, wgengine: refactor DNS request path Previously, method calls into the DNS manager/resolver types handled DNS requests rather than DNS packets. This is fine for UDP as one packet corresponds to one request or response, however will not suit an implementation that supports DNS over TCP. To support PRs implementing this in the future, wgengine delegates all handling/construction of packets to the magic DNS endpoint, to the DNS types themselves. Handling IP packets at this level enables future support for both UDP and TCP. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	3b3d1b9350	tstest/integration/vms: consistently use two dashes for command-line switches Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago

1 2 3 4 5 ...

3921 Commits (8b8125499228a5608d7cf099e71d804bc58c7b0a) All Branches Search

3921 Commits (8b8125499228a5608d7cf099e71d804bc58c7b0a)

All Branches