Commit Graph

3112 Commits (cc9cf97cbed5eb24be623f0233a6f3d3a47b9473)
 

Author SHA1 Message Date
David Crawshaw cc9cf97cbe cli: web advertise exit node button
A couple of gnarly assumptions in this code, as always with the async
message thing.

UI button is based on the DNS settings in the admin panel.

Co-authored-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
3 years ago
Brad Fitzpatrick 0410f1a35a util/groupmember: adjust build tags for osusergo
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 2a0d3f72c5 util/groupmember: fix typo of package's name in its package doc
And canonicalize a func comment while I'm here.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick cb4a2c00d1 ipn: remove unused Prefs.OSVersion and Prefs.DeviceModel
iOS and Android no longer use these. They both now (as of today)
use the hostinfo.SetFoo setters instead.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 67e5fabdbd hostinfo, ipn/ipnlocal: add SetPackage, remove ipnlocal hacks
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 81269fad28 hostinfo: add SetOSVersion like SetDeviceModel, deprecate ipn.Prefs way
Turns out the iOS client has been only sending the OS version it first
started at. This whole hostinfo-via-prefs mechanism was never a good idea.
Start removing it.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 98b3fa78aa cmd/tailscale: let certs/keys be written to stdout, warn about macOS sandbox
Fixes https://twitter.com/SeanHood/status/1443668378468720647

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 2d464cecd1 cmd/tailscale: make netcheck work when logged out
Fixes #2993

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 58e1475ec7 hostinfo: look up Synology hardware a more specific way
Fixes #2991

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick a71fb6428d version: new month, new date bump 3 years ago
Brad Fitzpatrick 22a1a5d7cf ipn/ipnlocal: for IPv6-only nodes, publish IPv6 MagicDNS records of peers
See https://github.com/tailscale/tailscale/issues/2970#issuecomment-931885268

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
David Crawshaw 45f51d4fa6 types/opt: implement Bool.Scan
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
3 years ago
Brad Fitzpatrick 6d43cbc325 ipn/ipnlocal: make sure mobile clients don't use the old control server URL
The new frontends are better for battery.

Updates #2442
Updates tailscale/corp#2750

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Nathan Dias babd163aac bencher: add config to suppress failures on benchmark regressions.
This config update will let tailscale use bencher without worrying about the bencher check appearing as failed due to a benchmark regressing.

Updates #2938

Signed-off-by: Nathan Dias <nathan@orijtech.com>
3 years ago
Brad Fitzpatrick 09c2462ae5 net/tlsdial: add forgotten test file for go mod tidy
I forgot to include this file in the earlier
7cf8ec8108 commit.

This exists purely to keep "go mod tidy" happy.

Updates #1609

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick f62e6d83a9 cmd/tailscale: make cert subcommand give hints on access denied
Lot of people have been hitting this.

Now it says:

    $ tailscale cert tsdev.corp.ts.net
    Access denied: cert access denied

    Use 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 7cf8ec8108 net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root
We still try the host's x509 roots first, but if that fails (like if
the host is old), we fall back to using LetsEncrypt's root and
retrying with that.

tlsdial was used in the three main places: logs, control, DERP. But it
was missing in dnsfallback. So added it there too, so we can run fine
now on a machine with no DNS config and no root CAs configured.

Also, move SSLKEYLOGFILE support out of DERP. tlsdial is the logical place
for that support.

Fixes #1609

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick b10a55e4ed cmd/tailscale/cli: fix typo in cert usage 3 years ago
Filippo Valsorda d7ce2be5f4 net/dns/resolver: add unsecured Quad9 resolvers
DNSSEC is an availability issue, as recently demonstrated by the
Slack issue, with limited security advantage. DoH on the other hand
is a critical security upgrade. This change adds DoH support for the
non-DNSSEC endpoints of Quad9.

https://www.quad9.net/service/service-addresses-and-features#unsec
Signed-off-by: Filippo Valsorda <hi@filippo.io>
3 years ago
Brad Fitzpatrick 891e7986cc cmd/tailscale: make cert give hints on usage failure
Like mentioning which cert domain(s) are valid.
3 years ago
Brad Fitzpatrick 080381c79f net/tstun: block looped disco traffic, take 17
It was in the wrong filter direction before, per CPU profiles
we now have.

Updates #1526 (maybe fixes? time will tell)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 3618e8d8ac cmd/tailscaled: rename outbound HTTP proxy flag
The old name invited confusion:

* is this the HTTP proxy to use ourselves? (no, that's
  via an environment variable, per proxy conventions)
* is this for LetsEncrypt https-to-localhost-http
  proxying? (no, that'll come later)

So rename to super verbose --outbound-http-proxy-listen
before the 1.16.0 release to make it clear what it is.
It listens (serves) and it's for outbound, not inbound.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick b822b5c798 cmd/tailscale: let up --authkey be of form file:/path/to/secret
Fixes #2958

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Aaron Klotz e016eaf410 cmd/tailscaled: conditionally flush Windows DNS cache on SessionChange
For the service, all we need to do is handle the `svc.SessionChange` command.
Upon receipt of a `windows.WTS_SESSION_UNLOCK` event, we fire off a goroutine to flush the DNS cache.
(Windows expects responses to service requests to be quick, so we don't want to do that synchronously.)

This is gated on an integral registry value named `FlushDNSOnSessionUnlock`,
whose value we obtain during service initialization.

(See [this link](https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nc-winsvc-lphandler_function_ex) for information re: handling `SERVICE_CONTROL_SESSIONCHANGE`.)

Fixes #2956

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
3 years ago
Aaron Klotz 3386a86fe5 util/winutil: add GetRegInteger
This helper allows us to retrieve `DWORD` and `QWORD` values from the Tailscale key in the Windows registry.

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
3 years ago
dependabot[bot] 5809386525 go.mod: bump golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10
Bumps golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10.

---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
3 years ago
dependabot[bot] 0fa1da2d1b go.mod: bump golang.org/x/tools from 0.1.6 to 0.1.7
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.6 to 0.1.7.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.1.6...v0.1.7)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
3 years ago
Brad Fitzpatrick 173bbaa1a1 all: disable TCP keep-alives on iOS/Android
Updates #2442
Updates tailscale/corp#2750

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick a7cb241db1 cmd/tailscaled: add support for running an HTTP proxy
This adds support for tailscaled to be an HTTP proxy server.
It shares the same backend dialing code as the SOCK5 server, but the
client protocol is HTTP (including CONNECT), rather than SOCKS.

Fixes #2289

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 29a8fb45d3 wgengine/netstack: include DNS.ExtraRecords in DNSMap
So SOCKS5 dialer can dial HTTPS cert names, for instance.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 56d8c2da34 cmd/tailscaled: set StateDirectoryMode=0700 in tailscaled.service
Updates #2934

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
dependabot[bot] 8949305820 go.mod: bump github.com/creack/pty from 1.1.15 to 1.1.16
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.15 to 1.1.16.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.15...v1.1.16)

---
updated-dependencies:
- dependency-name: github.com/creack/pty
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
3 years ago
Brad Fitzpatrick 52737c14ac wgengine/monitor: ignore ipsec link monitor events on iOS/macOS
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 5263c8d0b5 paths: skip unix chmod if state directory is already 0700
Updates #2934

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 3b3994f0db ipn{,/localapi,ipnlocal}: infer cert dir from state file location
This fixes "tailscale cert" on Synology where the var directory is
typically like /volume2/@appdata/Tailscale, or any other tailscaled
user who specifies a non-standard state file location.

This is a interim fix on the way to #2932.

Fixes #2927
Updates #2932

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
David Crawshaw 29fa8c17d2 .github: revert dependabot change for vm builder
In a56520c3c7 dependabot attempted to bump
the setup-go action version. It appears to work for most builders, but
not the self-hosted VM builder. Revert for now.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
3 years ago
dependabot[bot] 7f0fcf8571 go.mod: bump github.com/pkg/sftp from 1.13.3 to 1.13.4
Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.3 to 1.13.4.
- [Release notes](https://github.com/pkg/sftp/releases)
- [Commits](https://github.com/pkg/sftp/compare/v1.13.3...v1.13.4)

---
updated-dependencies:
- dependency-name: github.com/pkg/sftp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
3 years ago
Brad Fitzpatrick 3a72ebb109 ipn: test TestFileStore in a fresh subdirectory
Fixes #2923

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Aaron Klotz 21e9f98fc1 ipn, paths: unconditionally attempt to set state dir perms, but only if the state dir is ours
We unconditionally set appropriate perms on the statefile dir.

We look at the basename of the statefile dir, and if it is "tailscale", then
we set perms as appropriate.

Fixes #2925
Updates #2856

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
3 years ago
Brad Fitzpatrick 82117f7a63 safesocket: actually fix CLI on macsys build
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick ec2249b6f2 cmd/tailscale: add debug -env
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 5bc6d17f87 safesocket: fix CLI for macsys GUI variant
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick ace2faf7ec cmd/tailscale: make debug profiling output - mean stdout
Because the macOS CLI runs in the sandbox, including the filesystem,
so users would be confused that -cpu-profile=prof.cpu succeeds but doesn't
write to their current directory, but rather in some random Library/Containers
directory somewhere on the machine (which varies depending on the Mac build
type: App Store vs System Extension)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick efb84ca60d ipn/localapi, cmd/tailscale: add CPU & memory profile support, debug command
This was already possible on Linux if you ran tailscaled with --debug
(which runs net/http/pprof), but it requires the user have the Go
toolchain around.

Also, it wasn't possible on macOS, as there's no way to run the IPNExtension
with a debug server (it doesn't run tailscaled).

And on Windows it's super tedious: beyond what users want to do or
what we want to explain.

Instead, put it in "tailscale debug" so it works and works the same on
all platforms. Then we can ask users to run it when we're debugging something
and they can email us the output files.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Denton Gentry 27bc4e744c cmd/tailscale/web: support TLS from env vars.
pfSense stores its SSL certificate and key in the PHP config.
We wrote PHP code to pull the two out of the PHP config and
into environment variables before running "tailscale web".

The pfSense web UI is served over https, we need "tailscale web"
to also support https in order to put it in an <iframe>.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
3 years ago
dependabot[bot] b7b7d21514 go.mod: bump github.com/frankban/quicktest from 1.13.0 to 1.13.1
Bumps [github.com/frankban/quicktest](https://github.com/frankban/quicktest) from 1.13.0 to 1.13.1.
- [Release notes](https://github.com/frankban/quicktest/releases)
- [Commits](https://github.com/frankban/quicktest/compare/v1.13.0...v1.13.1)

---
updated-dependencies:
- dependency-name: github.com/frankban/quicktest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
3 years ago
dependabot[bot] 46b59e8c48 go.mod: bump github.com/google/uuid from 1.1.2 to 1.3.0
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.2 to 1.3.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Commits](https://github.com/google/uuid/compare/v1.1.2...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
3 years ago
Brad Fitzpatrick b0481ba37a go.mod: bump x/tools
Fixes #2912 (which had rebase issues)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
dependabot[bot] 9219ca49f5 go.mod: bump golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9
Bumps golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9.

---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
3 years ago
Brad Fitzpatrick 9ca334a560 cmd/tailscaled: appease a security scanner
There are two reasons this can't ever go to actual logs,
but rewrite it to make it happy.

Fixes tailscale/corp#2695

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago