tailscale

Commit Graph

Author	SHA1	Message	Date
Flakes Updater	91c7dfe85c	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	5 months ago
Andrew Lytvynov	86e476c8d1	version/mkversion: allow version override with $TS_VERSION_OVERRIDE (#10799 ) This is useful to build local binaries with custom versions to test version-specific logic (like updates). Updates https://github.com/tailscale/corp/issues/16703 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Lytvynov	4ec6a78551	go.mod: update golang-x-crypto fork (#10786 ) Pick up a bunch of recent upstream commits. Updates #8593 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Will Norris	84ab040f02	safesocket: detect macsys from within tailscaled Use the helper method from the version package to detect that we are running the macsys network extension. This method does the same check for the HOME environment variable (which works fine in most cases) as well as the name of the executable (which is needed for the web client). Updates tailscale/corp#16393 Signed-off-by: Will Norris <will@tailscale.com>	5 months ago
OSS Updater	e7d52eb2f8	go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>	5 months ago
Irbe Krumina	35f49ac99e	cmd/k8s-operator: add Connector CRD to Helm chart and static manifests (#10775 ) cmd/k8s-operator: add CRD to chart and static manifest Add functionality to insert CRD to chart at package time. Insert CRD to static manifests as this is where they are currently consumed from. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Sonia Appasamy	ea9c7f991a	cli/set: add printout when web client started Prints a helpful message with the web UI's address when running tailscale set --webclient. Updates tailscale/corp#16345 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
Rhea Ghosh	4ce33c9758	taildrop: remove breaking abstraction layers for apple (#10728 ) Removes the avoidFinalRename logic and all associated code as it is no longer required by the Apple clients. Enables resume logic to be usable for Apple clients. Fixes tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	5 months ago
Andrew Lytvynov	7df9af2f5c	.github/workflows/govulncheck: migrate to a Github App (#10793 ) Send failures to a new channel using a github app token instead of webhook URL. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Dunham	20f3f706a4	net/netutil: allow 16-bit 4via6 site IDs The prefix has space for 32-bit site IDs, but the validateViaPrefix function would previously have disallowed site IDs greater than 255. Fixes tailscale/corp#16470 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4cdb0711dafb577fae72d86c4014cf623fa538ef	5 months ago
Irbe Krumina	05093ea7d9	cmd/k8s-operator,k8s-operator: allow the operator to deploy exit nodes via Connector custom resource (#10724 ) cmd/k8s-operator/deploy/crds,k8s-operator/apis/v1alpha1: allow to define an exit node via Connector CR. Make it possible to define an exit node to be deployed to a Kubernetes cluster via Connector Custom resource. Also changes to Connector API so that one Connector corresponds to one Tailnet node that can be either a subnet router or an exit node or both. The Kubernetes operator parses Connector custom resource and, if .spec.isExitNode is set, configures that Tailscale node deployed for that connector as an exit node. Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com>	5 months ago
James Tucker	953fa80c6f	cmd/{derper,stund},net/stunserver: add standalone stun server Add a standalone server for STUN that can be hosted independently of the derper, and factor that back into the derper. Fixes #8434 Closes #8435 Closes #10745 Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
Will Norris	569b91417f	client/web: ensure path prefix has a leading slash This is simply an extra check to prevent hypothetical issues if a prefix such as `--prefix="javascript:alert(1)"` was provided. This isn't really necessary since the prefix is a configuration flag provided by the device owner, not user input. But it does enforce that we are always interpreting the provided value as a path relative to the root. Fixes: tailscale/corp#16268 Signed-off-by: Will Norris <will@tailscale.com>	5 months ago
License Updater	e26ee6952f	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	5 months ago
License Updater	7b113a2d06	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	5 months ago
Andrew Lytvynov	d96e0a553f	tstest/integration: add tests for auto-update defaulting behavior (#10763 ) Updates #16244 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Sonia Appasamy	55d302b48e	client/web: rename Disconnect to Log out For consistency w/ the CLI command. And to be more accurate to what is actually happening on this action - node key is expired. Also updates the disconnected view shown after logout. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
Irbe Krumina	133699284e	cmd/containerboot: add EXPERIMENTAL_TS_CONFIGFILE_PATH env var to allow passing tailscaled config in a file (#10759 ) * cmd/containerboot: optionally configure tailscaled with a configfile. If EXPERIMENTAL_TS_CONFIGFILE_PATH env var is set, only run tailscaled with the provided config file. Do not run 'tailscale up' or 'tailscale set'. * cmd/containerboot: store containerboot accept_dns val in bool pointer So that we can distinguish between the value being set to false explicitly bs being unset. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Adrian Dewhurst	c05c4bdce4	ipn: apply ControlURL policy before login Unlike most prefs, the ControlURL policy needs to take effect before login. This resolves an issue where on first start, even when the ControlURL policy is set, it will generate a login URL to the Tailscale SaaS server. Updates tailscale/coral#118 Fixes #10736 Change-Id: I6da2a521f64028c15dbb6ac8175839fc3cc4e858 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	5 months ago
Adrian Dewhurst	d50303bef7	docs: add Windows administrative template To make setting Windows policies easier, this adds ADMX policy descriptions. Fixes #6495 Updates ENG-2515 Change-Id: If4613c9d8ec734afec8bd781575e24b4aef9bb73 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	5 months ago
Andrew Dunham	35c303227a	net/dns/resolver: add ID to verbose logs in forwarder To make it easier to correlate the starting/ending log messages. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2802d53ad98e19bc8914bc58f8c04d4443227b26	5 months ago
Rhea Ghosh	dbe70962b1	taildrop: Allow category Z unicode characters (#10750 ) This will expand the unicode character categories that we allow for valid filenames to go from "L, M, N, P, S, and the ASCII space character" to "L, M, N, P, S, Zs" Fixes #10105 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	5 months ago
Andrew Dunham	d3574a350f	cmd/tailscale, ipn/ipnlocal: add 'debug dial-types' command This command allows observing whether a given dialer ("SystemDial", "UserDial", etc.) will successfully obtain a connection to a provided host, from inside tailscaled itself. This is intended to help debug a variety of issues from subnet routers to split DNS setups. Updates #9619 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie01ebb5469d3e287eac633ff656783960f697b84	5 months ago
Aaron Klotz	aed2cfec4e	util/winutil: add some missing docs to restartmgr errors Just a quick #cleanup. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Andrew Dunham	46bdbb3878	cmd/tailscaled, tsnet: don't return an interface containing a nil pointer This tripped me up when I was testing something and wrote: if conn != nil { conn.Close() } In netstack mode, when an error occurred we were getting a non-nil error and a non-nil interface that contained a nil pointer. Instead, just return a nil interface value. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id9ef3dd24529e0e8c53adc60ed914c31fbb10cc4	5 months ago
Andrew Lytvynov	29e98e18f8	ssh/tailssh: use a local error instead of gossh.ErrDenied (#10743 ) ErrDenied was added in [our fork of x/crypto/ssh](`acc6f8fe8d`) to short-circuit auth attempts once one fails. In the case of our callbacks, this error is returned when SSH policy check determines that a connection should not be allowed. Both `NoClientAuthCallback` and `PublicKeyHandler` check the policy and will fail anyway. The `fakePasswordHandler` returns true only if `NoClientAuthCallback` succeeds the policy check, so it checks it indirectly too. The difference here is that a client might attempt all 2-3 auth methods instead of just `none` but will fail to authenticate regardless. Updates #8593 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
James 'zofrex' Sanderson	124dc10261	controlclient,tailcfg,types: expose MaxKeyDuration via localapi (#10401 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	5 months ago
Andrea Gottardo	d9aeb30281	net/interfaces: handle iOS network transitions (#10680 ) Updates #8022 Updates #6075 On iOS, we currently rely on delegated interface information to figure out the default route interface. The NetworkExtension framework in iOS seems to set the delegate interface only once, upon the creation of the VPN tunnel. If a network transition (e.g. from Wi-Fi to Cellular) happens while the tunnel is connected, it will be ignored and we will still try to set Wi-Fi as the default route because the delegated interface is not getting updated as connectivity transitions. Here we work around this on the Swift side with a NWPathMonitor instance that observes the interface name of the first currently satisfied network path. Our Swift code will call into `UpdateLastKnownDefaultRouteInterface`, so we can rely on that when it is set. If for any reason the Swift machinery didn't work and we don't get any updates, here we also have some fallback logic: we try finding a hardcoded Wi-Fi interface called en0. If en0 is down, we fall back to cellular (pdp_ip0) as a last resort. This doesn't handle all edge cases like USB-Ethernet adapters or multiple Ethernet interfaces, but it is good enough to ensure connectivity isn't broken. I tested this on iPhones and iPads running iOS 17.1 and it appears to work. Switching between different cellular plans on a dual SIM configuration also works (the interface name remains pdp_ip0). Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	5 months ago
James 'zofrex' Sanderson	10c595d962	ipn/ipnlocal: refresh node key without blocking if cap enabled (#10529 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	5 months ago
Irbe Krumina	3a9450bc06	cmd/containerboot: don't parse empty subnet routes (#10738 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Irbe Krumina	5a2eb26db3	cmd/containerboot: ensure that subnet routes can be unset. (#10734 ) A Tailnet node can be told to stop advertise subnets by passing an empty string to --advertise-routes flag. Respect an explicitly passed empty value to TS_ROUTES env var so that users have a way to stop containerboot acting as a subnet router without recreating it. Distinguish between TS_ROUTES being unset and empty. Updates tailscale/tailscale#10708 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Aaron Klotz	e32a064659	cmd/tailscaled: don't create a network monitor in the parent tailscaled on Windows The service is only used as a watchdog and for piping logs from the child process. We shouldn't be creating a network monitor in that case. Fixes #10732 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Andrew Dunham	fa3639783c	net/portmapper: check returned epoch from PMP and PCP protocols If the epoch that we see during a Probe is less than the existing epoch, it means that the gateway has either restarted or reset its configuration, and an existing mapping is no longer valid. Reset any saved mapping(s) if we detect this case so that a future createOrGetMapping will not attempt to re-use it. Updates #10597 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie3cddaf625cb94a29885f7a1eeea25dbf6b97b47	5 months ago
Jordan Whited	b084888e4d	wgengine/magicsock: fix typos in docs (#10729 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Chris Palmer	1f1ab74250	tsweb: use object-src instead of plugin-types (#10719 ) plugin-types is deprecated, and setting object-src: 'none' is best practice. This should result in no functional change. Fixes #10718 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	5 months ago
Adrian Dewhurst	3d57c885bf	logpolicy: use syspolicy to override LogTarget Previously, for Windows clients only, a registry value named LogTarget could override the log server, but only if the environment variable was unset. To allow administrators to enforce using a particular log server, switch this to make the registry value take precedence over the environment variable, and switch to the newer syspolicy.GetString so that the log target can be specified by a GPO more easily. Updates ENG-2515 Change-Id: Ia618986b0e07715d7db4c6df170a24d511c904c9 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	5 months ago
Flakes Updater	1406a9d494	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	5 months ago
Irbe Krumina	e72f2b7791	go.{mod,sum}: bump mkctr (#10722 ) go get github.com/tailscale/mkctr@bf50773ba7349ced8de812c3d5437e8618bd4fa7 Updates tailscale/tailscale#9902 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Anton Tolchanov	1d22265f69	release: add shebang to the debian postinst script Seems like an omission, since we have it in postrm and prerm. Fixes #10705 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	5 months ago
Chris Palmer	5deeb56b95	cmd/tailscale/cli: document usage more clearly (#10681 ) The IP argument is required; only the port is optional. Updates #10605 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	5 months ago
Aaron Klotz	5812093d31	util/winutil: publicize existing functions for opening read-only connections to the Windows Service Control Manager We're going to need to access these from code outside winutil. Updates #10215 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Andrew Dunham	cae6edf485	ipn/ipnlocal: fix data race with capForcedNetfilter field Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1fdad454198d7ea4a898dbff3062818b0db35167	5 months ago
Andrew Lytvynov	2716250ee8	all: cleanup unused code, part 2 (#10670 ) And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Nick Khyl	c9836b454d	net/netmon: fix goroutine leak in winMon if the monitor is never started When the portable Monitor creates a winMon via newOSMon, we register address and route change callbacks with Windows. Once a callback is hit, it starts a goroutine that attempts to send the event into messagec and returns. The newly started goroutine then blocks until it can send to the channel. However, if the monitor is never started and winMon.Receive is never called, the goroutines remain indefinitely blocked, leading to goroutine leaks and significant memory consumption in the tailscaled service process on Windows. Unlike the tailscaled subprocess, the service process creates but never starts a Monitor. This PR adds a check within the callbacks to confirm the monitor's active status, and exits immediately if the monitor hasn't started. Updates #9864 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
Andrew Lytvynov	2e956713de	safesocket: remove ConnectionStrategy (#10662 ) This type seems to be a migration shim for TCP tailscaled sockets (instead of unix/windows pipes). The `port` field was never set, so it was effectively used as a string (`path` field). Remove the whole type and simplify call sites to pass the socket path directly to `safesocket.Connect`. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Lytvynov	1302bd1181	all: cleanup unused code, part 1 (#10661 ) Run `staticcheck` with `U1000` to find unused code. This cleans up about a half of it. I'll do the other half separately to keep PRs manageable. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Dunham	3c333f6341	net/portmapper: add logs about obtained mapping(s) This logs additional information about what mapping(s) are obtained during the creation process, including whether we return an existing cached mapping. Updates #10597 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I9ff25071f064c91691db9ab0b9365ccc5f948d6e	5 months ago
David Crawshaw	f815d66a88	api.md: add docs for setting an IP address Updates tailscale/corp#16453 Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	5 months ago
Andrew Dunham	01286af82b	net/interfaces: better handle multiple interfaces in LikelyHomeRouterIP Currently, we get the "likely home router" gateway IP and then iterate through all IPs for all interfaces trying to match IPs to determine the source IP. However, on many platforms we know what interface the gateway is through, and thus we don't need to iterate through all interfaces checking IPs. Instead, use the IP address of the associated interface. This better handles the case where we have multiple interfaces on a system all connected to the same gateway, and where the first interface that we visit (as iterated by ForeachInterfaceAddress) isn't also the default internet route. Updates #8992 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8632f577f1136930f4ec60c76376527a19a47d1f	5 months ago
Andrew Lytvynov	7a2eb22e94	ipn: remove use of reflect.MethodByName (#10652 ) Using reflect.MethodByName disables some linked deadcode optimizations and makes our binaries much bigger. Difference before/after this commit: ``` -rwxr-xr-x 1 awly awly 30M Dec 19 15:28 tailscaled.after* -rwxr-xr-x 1 awly awly 43M Dec 19 15:27 tailscaled.before* ``` Fixes #10627 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago

1 2 3 4 5 ...

7024 Commits (91c7dfe85c686e4ab55cb26c68935932d45bc476) All Branches Search

7024 Commits (91c7dfe85c686e4ab55cb26c68935932d45bc476)

All Branches