tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	f62e6d83a9	cmd/tailscale: make cert subcommand give hints on access denied Lot of people have been hitting this. Now it says: $ tailscale cert tsdev.corp.ts.net Access denied: cert access denied Use 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	b10a55e4ed	cmd/tailscale/cli: fix typo in cert usage	3 years ago
Brad Fitzpatrick	891e7986cc	cmd/tailscale: make cert give hints on usage failure Like mentioning which cert domain(s) are valid.	3 years ago
Brad Fitzpatrick	3618e8d8ac	cmd/tailscaled: rename outbound HTTP proxy flag The old name invited confusion: * is this the HTTP proxy to use ourselves? (no, that's via an environment variable, per proxy conventions) * is this for LetsEncrypt https-to-localhost-http proxying? (no, that'll come later) So rename to super verbose --outbound-http-proxy-listen before the 1.16.0 release to make it clear what it is. It listens (serves) and it's for outbound, not inbound. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	b822b5c798	cmd/tailscale: let up --authkey be of form file:/path/to/secret Fixes #2958 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Aaron Klotz	e016eaf410	cmd/tailscaled: conditionally flush Windows DNS cache on SessionChange For the service, all we need to do is handle the `svc.SessionChange` command. Upon receipt of a `windows.WTS_SESSION_UNLOCK` event, we fire off a goroutine to flush the DNS cache. (Windows expects responses to service requests to be quick, so we don't want to do that synchronously.) This is gated on an integral registry value named `FlushDNSOnSessionUnlock`, whose value we obtain during service initialization. (See [this link](https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nc-winsvc-lphandler_function_ex) for information re: handling `SERVICE_CONTROL_SESSIONCHANGE`.) Fixes #2956 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Brad Fitzpatrick	173bbaa1a1	all: disable TCP keep-alives on iOS/Android Updates #2442 Updates tailscale/corp#2750 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	a7cb241db1	cmd/tailscaled: add support for running an HTTP proxy This adds support for tailscaled to be an HTTP proxy server. It shares the same backend dialing code as the SOCK5 server, but the client protocol is HTTP (including CONNECT), rather than SOCKS. Fixes #2289 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	56d8c2da34	cmd/tailscaled: set StateDirectoryMode=0700 in tailscaled.service Updates #2934 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ec2249b6f2	cmd/tailscale: add debug -env Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ace2faf7ec	cmd/tailscale: make debug profiling output - mean stdout Because the macOS CLI runs in the sandbox, including the filesystem, so users would be confused that -cpu-profile=prof.cpu succeeds but doesn't write to their current directory, but rather in some random Library/Containers directory somewhere on the machine (which varies depending on the Mac build type: App Store vs System Extension) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	efb84ca60d	ipn/localapi, cmd/tailscale: add CPU & memory profile support, debug command This was already possible on Linux if you ran tailscaled with --debug (which runs net/http/pprof), but it requires the user have the Go toolchain around. Also, it wasn't possible on macOS, as there's no way to run the IPNExtension with a debug server (it doesn't run tailscaled). And on Windows it's super tedious: beyond what users want to do or what we want to explain. Instead, put it in "tailscale debug" so it works and works the same on all platforms. Then we can ask users to run it when we're debugging something and they can email us the output files. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Denton Gentry	27bc4e744c	cmd/tailscale/web: support TLS from env vars. pfSense stores its SSL certificate and key in the PHP config. We wrote PHP code to pull the two out of the PHP config and into environment variables before running "tailscale web". The pfSense web UI is served over https, we need "tailscale web" to also support https in order to put it in an <iframe>. Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
Brad Fitzpatrick	9ca334a560	cmd/tailscaled: appease a security scanner There are two reasons this can't ever go to actual logs, but rewrite it to make it happy. Fixes tailscale/corp#2695 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Anderson	18086c4cb7	go.mod: bump github.com/klauspost/compress to 1.13.6 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Aaron Klotz	9ebb5d4205	ipn, paths: ensure that the state directory for Windows has the correct perms ProgramData has a permissive ACL. For us to safely store machine-wide state information, we must set a more restrictive ACL on our state directory. We set the ACL so that only talescaled's user (ie, LocalSystem) and the Administrators group may access our directory. We must include Administrators to ensure that logs continue to be easily accessible; omitting that group would force users to use special tools to log in interactively as LocalSystem, which is not ideal. (Note that the ACL we apply matches the ACL that was used for LocalSystem's AppData\Local). There are two cases where we need to reset perms: One is during migration from the old location to the new. The second case is for clean installations where we are creating the file store for the first time. Updates #2856 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 years ago
Josh Bleecher Snyder	b14db5d943	util/codegen: reorder AssertStructUnchanged args The fully qualified name of the type is thisPkg.tname, so write the args like that too. Suggested-by: Joe Tsai <joetsai@digital-static.net> Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	3cd85c0ca6	util/codegen: add ContainsPointers And use it in cmd/cloner. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	d5a0a4297e	cmd/cloner: unify switch cases And in the process, fix a bug: The fmt formatting was being applied by writef, not fmt.Sprintf, thus emitting a MISSING string. And there's no guarantee that fmt will be imported in the generated code. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	d8a8f70000	util/codegen: add NamedTypes And use it in cmd/cloner. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	367a973dc2	cmd/cloner: delete some debug code Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	081be3e96b	cmd/cloner: simplify code Change from a single-case type switch to a type assertion with an early return. That exposes that the name arg to gen is unneeded. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	d5ab18b2e6	cmd/cloner: add Clone context to regen struct assignments Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	618376dbc0	util/codegen: add AssertStructUnchanged Refactored out from cmd/cloner. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	fb66ff7c78	util/codegen: add package This is a package for shared utilities used in doing codegen programs. The inaugural API is for writing gofmt'd code to a file. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	4549d3151c	cmd/tailscale: make status show health check problems Fixes #2775 RELNOTE=tailscale status now shows health check problems Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	4bbf5a8636	cmd/cloner: reduce diff noise when changing command Spelling out the command to run for every type means that changing the command makes for a large, repetitive diff. Stop doing that. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	865d8c0d23	cmd: upgrade to ffcli v3 None of the breaking changes from v2 to v3 are relevant to us. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	0be26599ca	cmd/derper: refactor STUN path for testing, add serverSTUN benchmark Real goal is to eliminate some allocs in the STUN path, but that requires work in the standard library. See comments in #2783. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	4f648e6fcc	cmd/tailscaled: disable netns earlier in userspace-networking mode The earlier `382b349c54` was too late, as engine creation itself needed to listen on things. Fixes #2827 Updates #2822 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	382b349c54	cmd/tailscaled: disable netns in userspace-networking mode Updates #2827 Updates #2822 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	d5851d2e06	cmd/derper: fix real staticcheck failure from prior commit Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Silver Bullet	d8c5d00ecb	cmd/derper: support manual TLS certificate mode (#2793 ) Add a mode control for derp server, and add a "manual" mode to get derp server certificate. Under manual mode, certificate is searched in the directory given by "--cert-dir". Certificate should in PEM format, and use "hostname.{key,crt}" as filename. If no hostname is used, search by the hostname given for listen. Fixes #2794 Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>	3 years ago
Brad Fitzpatrick	640134421e	all: update tests to use tstest.MemLogger And give MemLogger a mutex, as one caller had, which does match the logf contract better. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	7bfd4f521d	cmd/tailscale: fix "tailscale ip $self-host-hostname" And in the process, fix the related confusing error messages from pinging your own IP or hostname. Fixes #2803 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	4917a96aec	cmd/tailscale: fix typo/pasteo in error message text Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Dave Anderson	980acc38ba	types/key: add a special key with custom serialization for control private keys (#2792 ) * Revert "Revert "types/key: add MachinePrivate and MachinePublic."" This reverts commit `61c3b98a24`. Signed-off-by: David Anderson <danderson@tailscale.com> * types/key: add ControlPrivate, with custom serialization. ControlPrivate is just a MachinePrivate that serializes differently in JSON, to be compatible with how the Tailscale control plane historically serialized its private key. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Anderson	61c3b98a24	Revert "types/key: add MachinePrivate and MachinePublic." Broke the tailscale control plane due to surprise different serialization. This reverts commit `4fdb88efe1`.	3 years ago
David Anderson	4fdb88efe1	types/key: add MachinePrivate and MachinePublic. Plumb throughout the codebase as a replacement for the mixed use of tailcfg.MachineKey and wgkey.Private/Public. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Brad Fitzpatrick	99a1c74a6a	metrics: optimize CurrentFDs to not allocate on Linux It was 50% of our allocs on one of our servers. (!!) Updates #2784 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	5d800152d9	cmd/derper: increase port 80's WriteTimeout to permit longer CPU profiles Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Chuangbo Li	e4e4d336d9	cmd/derper: listen on host of flag server addr for port 80 and 3478 (#2768 ) cmd/derper: listen on host of flag server addr for port 80 and 3478 When using custom derp on the server with multiple IP addresses, we would like to bind derp 80, 443 and stun 3478 to a certain IP. derp command provides flag `-a` to customize which address to bind for port 443. But port :80 and :3478 were hard-coded. Fixes #2767 Signed-off-by: Li Chuangbo <im@chuangbo.li>	3 years ago
Maisem Ali	0842e2f45b	ipn/store: add ability to store data as k8s secrets. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Brad Fitzpatrick	7f29dcaac1	cmd/tailscale/cli: make up block until state Running, not just Starting At "Starting", the DERP connection isn't yet up. After the first netmap and DERP connect, then it transitions into "Running". Fixes #2708 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	7a7aa8f2b0	cmd/derper: also add port 80 timeouts Didn't notice this one in earlier `00b3c1c042` Updates tailscale/corp#2486 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	3c8ca4b357	client/tailscale, cmd/tailscale/cli: move version mismatch check to CLI So people can use the package for whois checks etc without version skew errors. The earlier change `faa891c1f2` for #1905 was a bit too aggressive. Fixes #2757 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	21cb0b361f	safesocket: add connect retry loop to wait for tailscaled Updates #2708 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	00b3c1c042	cmd/derper: add missing read/write timeouts Updates tailscale/corp#2486 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Anderson	97693f2e42	wgengine/magicsock: delete legacy AddrSet endpoints. Instead of using the legacy codepath, teach discoEndpoint to handle peers that have a home DERP, but no disco key. We can still communicate with them, but only over DERP. Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Maisem Ali	fd4838dc57	wgengine/userspace: add support to automatically enable/disable the tailscale protocol in BIRD, when the node is a primary subnet router as determined by control. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago

1 2 3 4 5 ...

592 Commits (babd163aacf410bba2e3763f5b035fbf6272154d)