tailscale

Commit Graph

Author	SHA1	Message	Date
Nathan Dias	babd163aac	bencher: add config to suppress failures on benchmark regressions. This config update will let tailscale use bencher without worrying about the bencher check appearing as failed due to a benchmark regressing. Updates #2938 Signed-off-by: Nathan Dias <nathan@orijtech.com>	3 years ago
Brad Fitzpatrick	09c2462ae5	net/tlsdial: add forgotten test file for go mod tidy I forgot to include this file in the earlier `7cf8ec8108` commit. This exists purely to keep "go mod tidy" happy. Updates #1609 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	f62e6d83a9	cmd/tailscale: make cert subcommand give hints on access denied Lot of people have been hitting this. Now it says: $ tailscale cert tsdev.corp.ts.net Access denied: cert access denied Use 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	7cf8ec8108	net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root We still try the host's x509 roots first, but if that fails (like if the host is old), we fall back to using LetsEncrypt's root and retrying with that. tlsdial was used in the three main places: logs, control, DERP. But it was missing in dnsfallback. So added it there too, so we can run fine now on a machine with no DNS config and no root CAs configured. Also, move SSLKEYLOGFILE support out of DERP. tlsdial is the logical place for that support. Fixes #1609 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	b10a55e4ed	cmd/tailscale/cli: fix typo in cert usage	3 years ago
Filippo Valsorda	d7ce2be5f4	net/dns/resolver: add unsecured Quad9 resolvers DNSSEC is an availability issue, as recently demonstrated by the Slack issue, with limited security advantage. DoH on the other hand is a critical security upgrade. This change adds DoH support for the non-DNSSEC endpoints of Quad9. https://www.quad9.net/service/service-addresses-and-features#unsec Signed-off-by: Filippo Valsorda <hi@filippo.io>	3 years ago
Brad Fitzpatrick	891e7986cc	cmd/tailscale: make cert give hints on usage failure Like mentioning which cert domain(s) are valid.	3 years ago
Brad Fitzpatrick	080381c79f	net/tstun: block looped disco traffic, take 17 It was in the wrong filter direction before, per CPU profiles we now have. Updates #1526 (maybe fixes? time will tell) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	3618e8d8ac	cmd/tailscaled: rename outbound HTTP proxy flag The old name invited confusion: * is this the HTTP proxy to use ourselves? (no, that's via an environment variable, per proxy conventions) * is this for LetsEncrypt https-to-localhost-http proxying? (no, that'll come later) So rename to super verbose --outbound-http-proxy-listen before the 1.16.0 release to make it clear what it is. It listens (serves) and it's for outbound, not inbound. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	b822b5c798	cmd/tailscale: let up --authkey be of form file:/path/to/secret Fixes #2958 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Aaron Klotz	e016eaf410	cmd/tailscaled: conditionally flush Windows DNS cache on SessionChange For the service, all we need to do is handle the `svc.SessionChange` command. Upon receipt of a `windows.WTS_SESSION_UNLOCK` event, we fire off a goroutine to flush the DNS cache. (Windows expects responses to service requests to be quick, so we don't want to do that synchronously.) This is gated on an integral registry value named `FlushDNSOnSessionUnlock`, whose value we obtain during service initialization. (See [this link](https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nc-winsvc-lphandler_function_ex) for information re: handling `SERVICE_CONTROL_SESSIONCHANGE`.) Fixes #2956 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Aaron Klotz	3386a86fe5	util/winutil: add GetRegInteger This helper allows us to retrieve `DWORD` and `QWORD` values from the Tailscale key in the Windows registry. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
dependabot[bot]	5809386525	go.mod: bump golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10 Bumps golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10. --- updated-dependencies: - dependency-name: golang.zx2c4.com/wireguard/windows dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	0fa1da2d1b	go.mod: bump golang.org/x/tools from 0.1.6 to 0.1.7 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.6 to 0.1.7. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.1.6...v0.1.7) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Brad Fitzpatrick	173bbaa1a1	all: disable TCP keep-alives on iOS/Android Updates #2442 Updates tailscale/corp#2750 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	a7cb241db1	cmd/tailscaled: add support for running an HTTP proxy This adds support for tailscaled to be an HTTP proxy server. It shares the same backend dialing code as the SOCK5 server, but the client protocol is HTTP (including CONNECT), rather than SOCKS. Fixes #2289 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	29a8fb45d3	wgengine/netstack: include DNS.ExtraRecords in DNSMap So SOCKS5 dialer can dial HTTPS cert names, for instance. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	56d8c2da34	cmd/tailscaled: set StateDirectoryMode=0700 in tailscaled.service Updates #2934 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
dependabot[bot]	8949305820	go.mod: bump github.com/creack/pty from 1.1.15 to 1.1.16 Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.15 to 1.1.16. - [Release notes](https://github.com/creack/pty/releases) - [Commits](https://github.com/creack/pty/compare/v1.1.15...v1.1.16) --- updated-dependencies: - dependency-name: github.com/creack/pty dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Brad Fitzpatrick	52737c14ac	wgengine/monitor: ignore ipsec link monitor events on iOS/macOS Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	5263c8d0b5	paths: skip unix chmod if state directory is already 0700 Updates #2934 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	3b3994f0db	ipn{,/localapi,ipnlocal}: infer cert dir from state file location This fixes "tailscale cert" on Synology where the var directory is typically like /volume2/@appdata/Tailscale, or any other tailscaled user who specifies a non-standard state file location. This is a interim fix on the way to #2932. Fixes #2927 Updates #2932 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Crawshaw	29fa8c17d2	.github: revert dependabot change for vm builder In `a56520c3c7` dependabot attempted to bump the setup-go action version. It appears to work for most builders, but not the self-hosted VM builder. Revert for now. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	3 years ago
dependabot[bot]	7f0fcf8571	go.mod: bump github.com/pkg/sftp from 1.13.3 to 1.13.4 Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.3 to 1.13.4. - [Release notes](https://github.com/pkg/sftp/releases) - [Commits](https://github.com/pkg/sftp/compare/v1.13.3...v1.13.4) --- updated-dependencies: - dependency-name: github.com/pkg/sftp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Brad Fitzpatrick	3a72ebb109	ipn: test TestFileStore in a fresh subdirectory Fixes #2923 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Aaron Klotz	21e9f98fc1	ipn, paths: unconditionally attempt to set state dir perms, but only if the state dir is ours We unconditionally set appropriate perms on the statefile dir. We look at the basename of the statefile dir, and if it is "tailscale", then we set perms as appropriate. Fixes #2925 Updates #2856 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Brad Fitzpatrick	82117f7a63	safesocket: actually fix CLI on macsys build Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ec2249b6f2	cmd/tailscale: add debug -env Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	5bc6d17f87	safesocket: fix CLI for macsys GUI variant Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ace2faf7ec	cmd/tailscale: make debug profiling output - mean stdout Because the macOS CLI runs in the sandbox, including the filesystem, so users would be confused that -cpu-profile=prof.cpu succeeds but doesn't write to their current directory, but rather in some random Library/Containers directory somewhere on the machine (which varies depending on the Mac build type: App Store vs System Extension) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	efb84ca60d	ipn/localapi, cmd/tailscale: add CPU & memory profile support, debug command This was already possible on Linux if you ran tailscaled with --debug (which runs net/http/pprof), but it requires the user have the Go toolchain around. Also, it wasn't possible on macOS, as there's no way to run the IPNExtension with a debug server (it doesn't run tailscaled). And on Windows it's super tedious: beyond what users want to do or what we want to explain. Instead, put it in "tailscale debug" so it works and works the same on all platforms. Then we can ask users to run it when we're debugging something and they can email us the output files. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Denton Gentry	27bc4e744c	cmd/tailscale/web: support TLS from env vars. pfSense stores its SSL certificate and key in the PHP config. We wrote PHP code to pull the two out of the PHP config and into environment variables before running "tailscale web". The pfSense web UI is served over https, we need "tailscale web" to also support https in order to put it in an <iframe>. Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
dependabot[bot]	b7b7d21514	go.mod: bump github.com/frankban/quicktest from 1.13.0 to 1.13.1 Bumps [github.com/frankban/quicktest](https://github.com/frankban/quicktest) from 1.13.0 to 1.13.1. - [Release notes](https://github.com/frankban/quicktest/releases) - [Commits](https://github.com/frankban/quicktest/compare/v1.13.0...v1.13.1) --- updated-dependencies: - dependency-name: github.com/frankban/quicktest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	46b59e8c48	go.mod: bump github.com/google/uuid from 1.1.2 to 1.3.0 Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.2 to 1.3.0. - [Release notes](https://github.com/google/uuid/releases) - [Commits](https://github.com/google/uuid/compare/v1.1.2...v1.3.0) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Brad Fitzpatrick	b0481ba37a	go.mod: bump x/tools Fixes #2912 (which had rebase issues) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
dependabot[bot]	9219ca49f5	go.mod: bump golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9 Bumps golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9. --- updated-dependencies: - dependency-name: golang.zx2c4.com/wireguard/windows dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
Brad Fitzpatrick	9ca334a560	cmd/tailscaled: appease a security scanner There are two reasons this can't ever go to actual logs, but rewrite it to make it happy. Fixes tailscale/corp#2695 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Anderson	1eabb5b2d9	ipn: don't log IPN messages that may contain an authkey. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
dependabot[bot]	c350321eec	go.mod: bump github.com/gliderlabs/ssh from 0.3.2 to 0.3.3 Bumps [github.com/gliderlabs/ssh](https://github.com/gliderlabs/ssh) from 0.3.2 to 0.3.3. - [Release notes](https://github.com/gliderlabs/ssh/releases) - [Commits](https://github.com/gliderlabs/ssh/compare/v0.3.2...v0.3.3) --- updated-dependencies: - dependency-name: github.com/gliderlabs/ssh dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	2bb915dd0a	go.mod: bump github.com/creack/pty from 1.1.9 to 1.1.15 Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.9 to 1.1.15. - [Release notes](https://github.com/creack/pty/releases) - [Commits](https://github.com/creack/pty/compare/v1.1.9...v1.1.15) --- updated-dependencies: - dependency-name: github.com/creack/pty dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	aaea175dd0	go.mod: bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5 Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.4 to 5.0.5. - [Release notes](https://github.com/godbus/dbus/releases) - [Commits](https://github.com/godbus/dbus/compare/v5.0.4...v5.0.5) --- updated-dependencies: - dependency-name: github.com/godbus/dbus/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	eeee713c69	go.mod: bump github.com/miekg/dns from 1.1.42 to 1.1.43 Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.42 to 1.1.43. - [Release notes](https://github.com/miekg/dns/releases) - [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release) - [Commits](https://github.com/miekg/dns/compare/v1.1.42...v1.1.43) --- updated-dependencies: - dependency-name: github.com/miekg/dns dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	dbce536316	go.mod: bump github.com/pkg/sftp from 1.13.0 to 1.13.3 Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.0 to 1.13.3. - [Release notes](https://github.com/pkg/sftp/releases) - [Commits](https://github.com/pkg/sftp/compare/v1.13.0...v1.13.3) --- updated-dependencies: - dependency-name: github.com/pkg/sftp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
dependabot[bot]	a56520c3c7	.github: Bump actions/setup-go from 1 to 2.1.4 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 1 to 2.1.4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v1...v2.1.4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	3 years ago
David Anderson	562622a32c	.github: add dependabot config to update go.mod and github actions. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	4cf63b8df0	net/dnsfallback: update static map for new derp11. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	18086c4cb7	go.mod: bump github.com/klauspost/compress to 1.13.6 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Aaron Klotz	f0aa7f70a4	Merge pull request #2893 from tailscale/aaron/programdata-perms-2 ipn, paths: ensure that the state directory for Windows has the corre…	3 years ago
Aaron Klotz	9ebb5d4205	ipn, paths: ensure that the state directory for Windows has the correct perms ProgramData has a permissive ACL. For us to safely store machine-wide state information, we must set a more restrictive ACL on our state directory. We set the ACL so that only talescaled's user (ie, LocalSystem) and the Administrators group may access our directory. We must include Administrators to ensure that logs continue to be easily accessible; omitting that group would force users to use special tools to log in interactively as LocalSystem, which is not ideal. (Note that the ACL we apply matches the ACL that was used for LocalSystem's AppData\Local). There are two cases where we need to reset perms: One is during migration from the old location to the new. The second case is for clean installations where we are creating the file store for the first time. Updates #2856 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Brad Fitzpatrick	b1a2abf41b	client/tailscale/example/servetls: add demo program for docs Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago

1 2 3 4 5 ...

3099 Commits (babd163aacf410bba2e3763f5b035fbf6272154d) All Branches Search

3099 Commits (babd163aacf410bba2e3763f5b035fbf6272154d)

All Branches