tailscale

Commit Graph

Author	SHA1	Message	Date
Sonia Appasamy	bd534b971a	{client/web},{ipn/ipnlocal}: replace localapi debug-web-client endpoint This change removes the existing debug-web-client localapi endpoint and replaces it with functions passed directly to the web.ServerOpts when constructing a web.ManageServerMode client. The debug-web-client endpoint previously handled making noise requests to the control server via the /machine/webclient/ endpoints. The noise requests must be made from tailscaled, which has the noise connection open. But, now that the full client is served from tailscaled, we no longer need to proxy this request over the localapi. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Brad Fitzpatrick	cca27ef96a	ipn/ipnlocal: add c2n method to check on TLS cert fetch status So the control plane can delete TXT records more aggressively after client's done with ACME fetch. Updates tailscale/corp#15848 Change-Id: I4f1140305bee11ee3eee93d4fec3aef2bd6c5a7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Tyler Smalley	90eb5379f4	ipn/ipnlocal: log and don't return full file serve error (#10174 ) Previously we would return the full error from Stat or Open, possibily exposing the full file path. This change will log the error and return the generic error message "an error occurred reading the file or directory". Updates tailscale/corp#15485 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Brad Fitzpatrick	3bd382f369	wgengine/magicsock: add DERP homeless debug mode for testing In DERP homeless mode, a DERP home connection is not sought or maintained and the local node is not reachable. Updates #3363 Updates tailscale/corp#396 Change-Id: Ibc30488ac2e3cfe4810733b96c2c9f10a51b8331 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Sonia Appasamy	055394f3be	ipn/ipnlocal: add mutex to webClient struct Adds a new sync.Mutex field to the webClient struct, rather than using the general LocalBackend mutex. Since webClientGetOrInit (previously WebClientInit) gets called on every connection, we want to avoid holding the lock on LocalBackend just to check if the server is initialized. Moves all web_client.go funcs over to using the webClient.mu field. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	6f7a1b51a8	ipn/ipnlocal: rename SetWebLocalClient to ConfigureWebClient For consistency with the "WebClient" naming of the other functions here. Also fixed a doc typo. A #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	9b537f7c97	ipn: remove the preview-webclient node capability Now that 1.54 has released, and the new web client will be included in 1.56, we can remove the need for the node capability. This means that all 1.55 unstable builds, and then eventually the 1.56 build, will work without setting the node capability. The web client still requires the "webclient" user pref, so this does NOT mean that the web client will be on by default for all devices. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	1cb8d2ffdd	ipn/ipnlocal: only call serve handler if non-nil return early if handler is nil. Go ahead and return the error from handler, though in this case the caller isn't doing anything with it (which has always been the case). Updates #10177 Updates #10251 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	b7918341f9	ipn/ipnlocal: call serve handler for local traffic Tailscale serve maintains a set of listeners so that serve traffic from the local device can be properly served when running in kernel networking mode. #10177 refactored that logic so that it could be reused by the internal web client as well. However, in my refactoring I missed actually calling the serve handler to handle the traffic. Updates #10177 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	79719f05a9	ipn/ipnlocal: remove web client listeners after close This prevents a panic in some cases where WebClientShutdown is called multiple times. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Andrew Lytvynov	955e2fcbfb	ipn/ipnlocal: run "tailscale update" via systemd-run on Linux (#10229 ) When we run tailscled under systemd, restarting the unit kills all child processes, including "tailscale update". And during update, the package manager will restart the tailscaled unit. Specifically on Debian-based distros, interrupting `apt-get install` can get the system into a wedged state which requires the user to manually run `dpkg --configure` to recover. To avoid all this, use `systemd-run` where available to run the `tailscale update` process. This launches it in a separate temporary unit and doesn't kill it when parent unit is restarted. Also, detect when `apt-get install` complains about aborted update and try to restore the system by running `dpkg --configure tailscale`. This could help if the system unexpectedly shuts down during our auto-update. Fixes https://github.com/tailscale/corp/issues/15771 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Brad Fitzpatrick	1825d2337b	ipn/ipnlocal: respect ExitNodeAllowLANAccess on iOS (#10230 ) Updates tailscale/corp#15783 Change-Id: I1082fbfff61a241ebd3b8275be0f45e329b67561 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	103c00a175	ipn/ipnlocal: clean up c2n handling's big switch, add a mux table Updates #cleanup Change-Id: I29ec03db91e7831a3a66a63dcf6ff8e3f72ab045 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Joe Tsai	975c5f7684	taildrop: lazily perform full deletion scan after first taildrop use (#10137 ) Simply reading the taildrop directory can pop up security dialogs on platforms like macOS. Avoid this by only performing garbage collection of partial and deleted files after the first received taildrop file, which would have prompted the security dialog window. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Jordan Whited	e848736927	control/controlknobs,wgengine/magicsock: implement SilentDisco toggle (#10195 ) This change exposes SilentDisco as a control knob, and plumbs it down to magicsock.endpoint. No changes are being made to magicsock.endpoint disco behavior, yet. Updates #540 Signed-off-by: Jordan Whited <jordan@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
James Tucker	c54d680682	ipn,tailconfig: clean up unreleased and removed app connector service This was never released, and is replaced by HostInfo.AppConnector. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	0b6636295e	tailcfg,ipn/ipnlocal: add hostinfo field to replace service entry Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Andrew Lytvynov	1f4a38ed49	clientupdate: add support for QNAP (#10179 ) Use the `qpkg_cli` to check for updates and install them. There are a couple special things about this compare to other updaters: * qpkg_cli can tell you when upgrade is available, but not what the version is * qpkg_cli --add Tailscale works for new installs, upgrades and reinstalling existing version; even reinstall of existing version takes a while Updates #10178 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
James Tucker	45be37cb01	ipn/ipnlocal: ensure that hostinfo is updated on app connector preference changes Some conditional paths may otherwise skip the hostinfo update, so kick it off asynchronously as other code paths do. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Naman Sood	e57fd9cda4	ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update (#10188 ) * ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * depaware Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * address review feedback Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	8 months ago
Jordan Whited	12d5c99b04	client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071 ) Updates tailscale/corp#9990 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Will Norris	09de240934	ipn/ipnlocal: allow connecting to local web client The local web client has the same characteristic as tailscale serve, in that it needs a local listener to allow for connections from the local machine itself when running in kernel networking mode. This change renames and adapts the existing serveListener to allow it to be used by the web client as well. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Andrew Lytvynov	bff786520e	clientupdate,ipn/ipnlocal: fix c2n update on freebsd (#10168 ) The c2n part was broken because we were not looking up the tailscale binary for that GOOS. The rest of the update was failing at the `pkg upgrade` confirmation prompt. We also need to manually restart tailscaled after update. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Tom DNetto	11a20f371a	ipn/ipnlocal: fix nil control client panic while updating TKA head As part of tailnet-lock netmap processing, the LocalBackend mutex is unlocked so we can potentially make a network call. Its possible (during shutdown or while the control client is being reset) for b.cc to become nil before the lock is picked up again. Fixes: #9554 Signed-off-by: Tom DNetto <tom@tailscale.com>	8 months ago
Tom DNetto	3496d62ed3	ipn/ipnlocal: add empty address to the app-connector localNets set App connectors handle DNS requests for app domains over PeerAPI, but a safety check verifies the requesting peer has at least permission to send traffic to 0.0.0.0:53 (or 2000:: for IPv6) before handling the DNS request. The correct filter rules are synthesized by the coordination server and sent down, but the address needs to be part of the 'local net' for the filter package to even bother checking the filter rules, so we set them here. See: https://github.com/tailscale/corp/issues/11961 for more information. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: ENG-2405	8 months ago
Charlotte Brandhorst-Satzkorn	f937cb6794	tailcfg,ipn,appc: add c2n endpoint for appc domain routes This change introduces a c2n endpoint that returns a map of domains to a slice of resolved IP addresses for the domain. Fixes tailscale/corp#15657 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	8 months ago
Will Norris	6b956b49e0	client/web: add some security checks for full client Require that requests to servers in manage mode are made to the Tailscale IP (either ipv4 or ipv6) or quad-100. Also set various security headers on those responses. These might be too restrictive, but we can relax them as needed. Allow requests to /ok (even in manage mode) with no checks. This will be used for the connectivity check from a login client to see if the management client is reachable. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	658971d7c0	ipn/ipnlocal: serve web client on quad100 if enabled if the user pref and nodecap for the new web client are enabled, serve the client over requests to 100.100.100.100. Today, that is just a static page that lists the local Tailcale IP addresses. For now, this will render the readonly full management client, with an "access" button that sends the user through check mode. After completing check mode, they will still be in the read-only view, since they are not accessing the client over Tailscale. Instead, quad100 should serve the lobby client that has a "manage" button that will open the management client on the Tailscale IP (and trigger check mode). That is something we'll fix in a subsequent PR in the web client code itself. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	0ecfc1d5c3	client/web: fill devMode from an env var Avoids the need to pipe a web client dev flag through the tailscaled command. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	191e2ce719	client/web: add ServerMode to web.Server Adds a new Mode to the web server, indicating the specific scenario the constructed server is intended to be run in. Also starts filling this from the cli/web and ipn/ipnlocal callers. From cli/web this gets filled conditionally based on whether the preview web client node cap is set. If not set, the existing "legacy" client is served. If set, both a login/lobby and full management client are started (in "login" and "manage" modes respectively). Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
James Tucker	f27b2cf569	appc,cmd/sniproxy,ipn/ipnlocal: split sniproxy configuration code out of appc The design changed during integration and testing, resulting in the earlier implementation growing in the appc package to be intended now only for the sniproxy implementation. That code is moved to it's final location, and the current App Connector code is now renamed. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Sonia Appasamy	aa5af06165	ipn/ipnlocal: include web client port in setTCPPortsIntercepted Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	b370274b29	ipn/ipnlocal: pull CapabilityPreviewWebClient into webClientAtomicBool Now uses webClientAtomicBool as the source of truth for whether the web client should be running in tailscaled, with it updated when either the RunWebClient pref or CapabilityPreviewWebClient node capability changes. This avoids requiring holding the LocalBackend lock on each call to ShouldRunWebClient to check for the CapabilityPreviewWebClient value. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
James Tucker	228a82f178	ipn/ipnlocal,tailcfg: add AppConnector service to HostInfo when configured Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	6ad54fed00	appc,ipn/ipnlocal: add App Connector domain configuration from mapcap The AppConnector is now configured by the mapcap from the control plane. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	b48b7d82d0	appc,ipn/ipnlocal,net/dns/resolver: add App Connector wiring when enabled in prefs An EmbeddedAppConnector is added that when configured observes DNS responses from the PeerAPI. If a response is found matching a configured domain, routes are advertised when necessary. The wiring from a configuration in the netmap capmap is not yet done, so while the connector can be enabled, no domains can yet be added. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Will Norris	e7482f0df0	ipn/ipnlocal: prevent deadlock on WebClientShutdown WebClientShutdown tries to acquire the b.mu lock, so run it in a go routine so that it can finish shutdown after setPrefsLockedOnEntry is finished. This is the same reason b.sshServer.Shutdown is run in a go routine. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
James Tucker	0ee4573a41	ipn/ipnlocal: fix small typo Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Will Norris	66c7af3dd3	ipn: replace web client debug flag with node capability Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	44175653dc	ipn/ipnlocal: rename web fields/structs to webClient For consistency and clarity around what the LocalBackend.web field is used for. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	ea599b018c	ipn: serve web client requests from LocalBackend instead of starting a separate server listening on a particular port, use the TCPHandlerForDst method to intercept requests for the special web client port (currently 5252, probably configurable later). Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	28ad910840	ipn: add user pref for running web client This is not currently exposed as a user-settable preference through `tailscale up` or `tailscale set`. Instead, the preference is set when turning the web client on and off via localapi. In a subsequent commit, the pref will be used to automatically start the web client on startup when appropriate. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Rhea Ghosh	387a98fe28	ipn/ipnlocal: exclude tvOS devices from taildrop file targets (#10002 )	8 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Andrea Gottardo	741d7bcefe	Revert "ipn/ipnlocal: add new DNS and subnet router policies" (#9962 ) This reverts commit `32194cdc70`. Signed-off-by: Nick O'Neill <nick@tailscale.com>	8 months ago
Adrian Dewhurst	32194cdc70	ipn/ipnlocal: add new DNS and subnet router policies In addition to the new policy keys for the new options, some already-in-use but missing policy keys are also being added to util/syspolicy. Updates ENG-2133 Change-Id: Iad08ca47f839ea6a65f81b76b4f9ef21183ebdc6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Andrew Lytvynov	593c086866	clientupdate: distinguish when auto-updates are possible (#9896 ) clientupdate.Updater will have a non-nil Update func in a few cases where it doesn't actually perform an update: * on Arch-like distros, where it prints instructions on how to update * on macOS app store version, where it opens the app store page Add a new clientupdate.Arguments field to cause NewUpdater to fail when we hit one of these cases. This results in c2n updates being "not supported" and `tailscale set --auto-update` returning an error. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Maisem Ali	17b2072b72	ipn/ipnlocal: set the push device token correctly It would end up resetting whatever hostinfo we had constructed and leave the backend statemachine in a broken state. This fixes that by storing the PushDeviceToken on the LocalBackend and populating it on Hostinfo before passing it to controlclient. Updates tailscale/corp#8940 Updates tailscale/corp#15367 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	0e89245c0f	ipn/ipnlocal: drop hostinfo param from doSetHostinfoFilterServices The value being passed was the same as whats on b.hostinfo, so just use that directly. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago

1 2 3 4 5 ...

813 Commits (bd534b971a797c1fd7a876262d2a77de7b97db05)