tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	e84751217a	gokrazy: add prototype Tailscale appliance, build tooling, docs Updates #1866 Change-Id: I546316cb833bf2919e0d6f55cdc9951f375f165b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Maisem Ali	0b1a8586eb	cmd/natc: initial implementation of a NAT based connector This adds a new prototype `cmd/natc` which can be used to expose a services/domains to the tailnet. It requires the user to specify a set of IPv4 prefixes from the CGNAT range. It advertises these as normal subnet routes. It listens for DNS on the first IP of the first range provided to it. When it gets a DNS query it allocates an IP for that domain from the v4 range. Subsequent connections to the assigned IP are then tcp proxied to the domain. It is marked as a WIP prototype and requires the use of the `TAILSCALE_USE_WIP_CODE` env var. Updates tailscale/corp#20503 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 weeks ago
Maisem Ali	7b193de6b9	tsnet: return net.Listener from s.listen A `*listener` implements net.Listener which breaks a test in another repo. Regressed in `42cfbf427c`. Updates #12182 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 weeks ago
Adrian Dewhurst	3bf2bddbb5	ipn/ipnlocal: improve testability of random node selection In order to test the sticky last suggestion code, a test was written for LocalBackend.SuggestExitNode but it contains a random number generator which makes writing comprehensive tests very difficult. This doesn't change how the last suggestion works, but it adds some infrastructure to make that easier in a later PR. This adds func parameters for the two randomized parts: breaking ties between DERP regions and breaking ties between nodes. This way tests can validate the entire list of tied options, rather than expecting a particular outcome given a particular random seed. As a result of this, the global random number generator can be used rather than seeding a local one each time. In order to see the tied nodes for the location based (i.e. Mullvad) case, pickWeighted needed to return a slice instead of a single arbitrary option, so there is a small change in how that works. Updates tailscale/corp#19681 Change-Id: I83c48a752abdec0f59c58ccfd8bfb3f3f17d0ea8 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	4 weeks ago
Jordan Whited	d21c00205d	cmd/stunstamp: implement service to measure DERP STUN RTT (#12241 ) stunstamp timestamping includes userspace and SO_TIMESTAMPING kernel timestamping where available. Measurements are written locally to a sqlite DB, exposed over an HTTP API, and written to prometheus via remote-write protocol. Updates tailscale/corp#20344 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 weeks ago
License Updater	1fad06429e	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	4 weeks ago
Fran Bull	e06862b8d8	appc: log how often routeInfo is stored So that we have some debugging info if users have trouble with storing the routeInfo. Updates #11008 Signed-off-by: Fran Bull <fran@tailscale.com>	4 weeks ago
Adrian Dewhurst	db6447ce63	ipn/ipnlocal: simplify suggest exit node tests This mostly removes a lot of repetition by predefining some nodes and other data structures, plus adds some helpers for creating Peer entries in the netmap. Several existing test cases were reworked to ensure better coverage of edge cases, and several new test cases were added to handle some additional responsibility that is in (or will be shortly moving in) suggestExitNode(). Updates tailscale/corp#19681 Change-Id: Ie14c2988d7fd482f7d6a877f78525f7788669b85 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	4 weeks ago
Andrew Dunham	ced9a0d413	net/dns: fix typo in OSConfig logging (#12330 ) Updates tailscale/corp#20530 Change-Id: I48834a0a5944ed35509c63bdd2830aa34e1bddeb Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	4 weeks ago
Anton Tolchanov	01847e0123	ipn/ipnlocal: discard node keys that have been rotated out A non-signing node can be allowed to re-sign its new node keys following key renewal/rotation (e.g. via `tailscale up --force-reauth`). To be able to do this, node's TLK is written into WrappingPubkey field of the initial SigDirect signature, signed by a signing node. The intended use of this field implies that, for each WrappingPubkey, we typically expect to have at most one active node with a signature tracing back to that key. Multiple valid signatures referring to the same WrappingPubkey can occur if a client's state has been cloned, but it's something we explicitly discourage and don't support: https://tailscale.com/s/clone This change propagates rotation details (wrapping public key, a list of previous node keys that have been rotated out) to netmap processing, and adds tracking of obsolete node keys that, when found, will get filtered out. Updates tailscale/corp#19764 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	4 weeks ago
Maisem Ali	42cfbf427c	tsnet,wgengine/netstack: add ListenPacket and tests This adds a new ListenPacket function on tsnet.Server which acts mostly like `net.ListenPacket`. Unlike `Server.Listen`, this requires listening on a specific IP and does not automatically listen on both V4 and V6 addresses of the Server when the IP is unspecified. To test this, it also adds UDP support to tsdial.Dialer.UserDial and plumbs it through the localapi. Then an associated test to make sure the UDP functionality works from both sides. Updates #12182 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 month ago
Andrew Lytvynov	bcb55fdeb6	clientupdate: mention when Alpine system upgrade is needed (#12306 ) Alpine APK repos are versioned, and contain different package sets. Older APK releases and repos don't have the latest tailscale package. When we report "no update available", check whether pkgs.tailscale.com has a newer tarball release. If it does, it's possible that the system is on an older Alpine release. Print additional messages to suggest the user to upgrade their OS. Fixes #11309 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 month ago
Irbe Krumina	c2a4719e9e	cmd/tailscale/cli: allow 'tailscale up' to succeed if --stateful-filtering is not explicitly set on linux (#12312 ) This fixes an issue where, on containerized environments an upgrade 1.66.3 -> 1.66.4 failed with default containerboot configuration. This was because containerboot by default runs 'tailscale up' that requires all previously set flags to be explicitly provided on subsequent runs and we explicitly set --stateful-filtering to true on 1.66.3, removed that settingon 1.66.4. Updates tailscale/tailscale#12307 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Andrew Lytvynov <awly@tailscale.com>	1 month ago
Andrew Dunham	36d0ac6f8e	tailcfg: use strings.CutPrefix for CheckTag; add test Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I42eddc7547a6dd50c4d5b2a9fc88a19aac9767aa	1 month ago
ChandonPierre	0a5bd63d32	ipn/store/kubestore, cmd/containerboot: allow overriding client api server URL via ENV (#12115 ) Updates tailscale/tailscale#11397 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>	1 month ago
Irbe Krumina	1ec0273473	docs/k8s: fix subnet router manifests (#12305 ) In https://github.com/tailscale/tailscale/pull/11363 I changed the subnet router manifest to run in tun mode (for performance reasons), but did not change the security context to give it net_admin, which is required to for the tailscale socket. Updates tailscale/tailscale#12083 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
Brad Fitzpatrick	f227083539	derp: add some guardrails for derpReason metrics getting out of sync The derp metrics got out of sync in `74eb99aed1` (2023-03). They were fixed in `0380cbc90d` (2024-05). This adds some further guardrails (atop the previous fix) to make sure they don't get out of sync again. Updates #12288 Change-Id: I809061a81f8ff92f45054d0253bc13871fc71634 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Marwan Sulaiman	7e357e1636	tsweb: rename AccessLogRecord's When to Time This change makes our access log record more consistent with the new log/tslog package formatting of "time". Note that we can change slog itself to call "time" "when" but we're chosing to make this breaking change to be consistent with the std lib's defaults. Updates tailscale/corp#17071 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	1 month ago
Spike Curtis	0380cbc90d	derp: fix dropReason metrics labels (#12288 ) Updates #2745 Updates #7552 Signed-off-by: Spike Curtis <spike@coder.com>	1 month ago
Anton Tolchanov	32120932a5	cmd/tailscale/cli: print node signature in `tailscale lock status` - Add current node signature to `ipnstate.NetworkLockStatus`; - Print current node signature in a human-friendly format as part of `tailscale lock status`. Examples: ``` $ tailscale lock status Tailnet lock is ENABLED. This node is accessible under tailnet lock. Node signature: SigKind: direct Pubkey: [OTB3a] KeyID: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 WrappingPubkey: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 This node's tailnet-lock key: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 Trusted signing keys: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 1 (self) tlpub:6fa21d242a202b290de85926ba3893a6861888679a73bc3a43f49539d67c9764 1 (pre-auth key kq3NzejWoS11KTM59) ``` For a node created via a signed auth key: ``` This node is accessible under tailnet lock. Node signature: SigKind: rotation Pubkey: [e3nAO] Nested: SigKind: credential KeyID: tlpub:6fa21d242a202b290de85926ba3893a6861888679a73bc3a43f49539d67c9764 WrappingPubkey: tlpub:3623b0412cab0029cb1918806435709b5947ae03554050f20caf66629f21220a ``` For a node that rotated its key a few times: ``` This node is accessible under tailnet lock. Node signature: SigKind: rotation Pubkey: [DOzL4] Nested: SigKind: rotation Pubkey: [S/9yU] Nested: SigKind: rotation Pubkey: [9E9v4] Nested: SigKind: direct Pubkey: [3QHTJ] KeyID: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 WrappingPubkey: tlpub:2faa280025d3aba0884615f710d8c50590b052c01a004c2b4c2c9434702ae9d0 ``` Updates tailscale/corp#19764 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 month ago
Andrew Lytvynov	776a05223b	ipn/ipnlocal: support c2n updates with old systemd versions (#12296 ) The `--wait` flag for `systemd-run` was added in systemd 232. While it is quite old, it doesn't hurt to special-case them and skip the `--wait` flag. The consequence is that we lose the update command output in logs, but at least auto-updates will work. Fixes #12136 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 month ago
Brad Fitzpatrick	1ea100e2e5	cmd/tailscaled, ipn/conffile: support ec2 user-data config file Updates #1412 Updates #1866 Change-Id: I4d08fb233b80c2078b3b28ffc18559baabb4a081 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	2d2b62c400	wgengine/router: probe generally-unused "ip" command style lazily This busybox fwmaskWorks check was added before we moved away from using the "ip" command to using netlink directly. So it's now just wasted work (and log spam on Gokrazy) to check the "ip" command capabilities if we're never going to use it. Do it lazily instead. Updates #12277 Change-Id: I8ab9acf64f9c0d8240ce068cb9ec8c0f6b1ecee7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	909a292a8d	util/linuxfw: don't try cleaning iptables on gokrazy It just generates log spam. Updates #12277 Change-Id: I5f65c0859e86de0a5349f9d26c9805e7c26b9371 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Walter Poupore	0acb61fbf8	serve.go, tsnet.go: Fix "in in" typo (#12279 ) Fixes #cleanup Signed-off-by: Walter Poupore <walterp@tailscale.com>	1 month ago
Andrea Gottardo	dd77111462	xcode/iOS: set MatchDomains when no route requires a custom DNS resolver (#10576 ) Updates https://github.com/tailscale/corp/issues/15802. On iOS exclusively, this PR adds logic to use a split DNS configuration in more cases, with the goal of improving battery life. Acting as the global DNS resolver on iOS should be avoided, as it leads to frequent wakes of IPNExtension. We try to determine if we can have Tailscale only handle DNS queries for resources inside the tailnet, that is, all routes in the DNS configuration do not require a custom resolver (this is the case for app connectors, for instance). If so, we set all Routes as MatchDomains. This enables a split DNS configuration which will help preserve battery life. Effectively, for the average Tailscale user who only relies on MagicDNS to resolve *.ts.net domains, this means that Tailscale DNS will only be used for those domains. This PR doesn't affect users with Override Local DNS enabled. For these users, there should be no difference and Tailscale will continue acting as a global DNS resolver. Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	1 month ago
Percy Wegmann	08a9551a73	ssh/tailssh: fall back to using su when no TTY available on Linux This allows pam authentication to run for ssh sessions, triggering automation like pam_mkhomedir. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 month ago
Claire Wang	f1d10c12ac	ipn/ipnlocal: allowed suggested exit nodes policy (#12240 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	1 month ago
signed-long	5ad0dad15e	go generate directives reorder for 'make kube-generate-all' (#12210 ) Fixes #11980 Signed-off-by: Michael Long <michaelongdev@gmail.com>	1 month ago
Irbe Krumina	d0d33f257f	cmd/k8s-operator: add a note pointing at ProxyClass (#12246 ) Updates tailscale/tailscale#12242 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
Andrew Dunham	8e4a29433f	util/pool: add package for storing and using a pool of items This can be used to implement a persistent pool (i.e. one that isn't cleared like sync.Pool is) of items–e.g. database connections. Some benchmarks vs. a naive implementation that uses a single map iteration show a pretty meaningful improvement: $ benchstat -col /impl ./bench.txt goos: darwin goarch: arm64 pkg: tailscale.com/util/pool │ Pool │ map │ │ sec/op │ sec/op vs base │ Pool_AddDelete-10 10.56n ± 2% 15.11n ± 1% +42.97% (p=0.000 n=10) Pool_TakeRandom-10 56.75n ± 4% 1899.50n ± 20% +3246.84% (p=0.000 n=10) geomean 24.49n 169.4n +591.74% Updates tailscale/corp#19900 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie509cb65573c4726cfc3da9a97093e61c216ca18	1 month ago
James Tucker	87ee559b6f	net/netcheck: apply some polish suggested from #12161 Apply some post-submit code review suggestions. Updates #12161 Updates tailscale/corp#19106 Signed-off-by: James Tucker <james@tailscale.com>	1 month ago
Maisem Ali	9a64c06a20	all: do not depend on the testing package Discovered while looking for something else. Updates tailscale/corp#18935 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 month ago
Jordan Whited	4214e5f71b	logtail/backoff: update Backoff.BackOff docs (#12229 ) Update #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
James Tucker	538c2e8f7c	tool/gocross: add debug data to CGO builds We don't build a lot of tools with CGO, but we do build some, and it's extremely valuable for production services in particular to have symbols included - for perf and so on. I tested various other builds that could be affected negatively, in particular macOS/iOS, but those use split-dwarf already as part of their build path, and Android which does not currently use gocross. One binary which is normally 120mb only grew to 123mb, so the trade-off is definitely worthwhile in context. Updates tailscale/corp#20296 Signed-off-by: James Tucker <james@tailscale.com>	1 month ago
Brad Fitzpatrick	3c9be07214	cmd/derper: support TXT-mediated unpublished bootstrap DNS rollouts Updates tailscale/coral#127 Change-Id: I2712c50630d0d1272c30305fa5a1899a19ffacef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Irbe Krumina	72f0f53ed0	cmd/k8s-operator: fix typo (#12217 ) Fixes#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
James Tucker	9351eec3e1	net/netcheck: remove hairpin probes Palo Alto reported interpreting hairpin probes as LAND attacks, and the firewalls may be responding to this by shutting down otherwise in use NAT sessions prematurely. We don't currently make use of the outcome of the hairpin probes, and they contribute to other user confusion with e.g. the AirPort Extreme hairpin session workaround. We decided in response to remove the whole probe feature as a result. Updates #188 Updates tailscale/corp#19106 Updates tailscale/corp#19116 Signed-off-by: James Tucker <james@tailscale.com>	1 month ago
Andrew Lytvynov	c9179bc261	various: disable stateful filtering by default (#12197 ) After some analysis, stateful filtering is only necessary in tailnets that use `autogroup:danger-all` in `src` in ACLs. And in those cases users explicitly specify that hosts outside of the tailnet should be able to reach their nodes. To fix local DNS breakage in containers, we disable stateful filtering by default. Updates #12108 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 month ago
License Updater	6db1219185	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 month ago
Charlotte Brandhorst-Satzkorn	4f4f317174	api.md: direct TOC links to new publicapi docs location This change updates the existing api.md TOC links to point at the new publicapi folder/files. It also removes the body of the docs from the file, to avoid the docs becoming out of sync. This change also renames overview.md to readme.md. Updates tailscale/corp#19526 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 month ago
Brad Fitzpatrick	964282d34f	ipn,wgengine: remove vestigial Prefs.AllowSingleHosts It was requested by the first customer 4-5 years ago and only used for a brief moment of time. We later added netmap visibility trimming which removes the need for this. It's been hidden by the CLI for quite some time and never documented anywhere else. This keeps the CLI flag, though, out of caution. It just returns an error if it's set to anything but true (its default). Fixes #12058 Change-Id: I7514ba572e7b82519b04ed603ff9f3bdbaecfda7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	1384c24e41	control/controlclient: delete unused Client.Login Oauth2Token field Updates #12172 (then need to update other repos) Change-Id: I439f65e0119b09e00da2ef5c7a4f002f93558578 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	47b3476eb7	util/lru: add Clear method Updates tailscale/corp#20109 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I751a669251a70f0134dd1540c19b274a97608a93	2 months ago
Charlotte Brandhorst-Satzkorn	c56e0c4934	publicapi: include device and user invites API documentation (#12168 ) This change includes the device and user invites API docs in the new publicapi documentation structure. Updates tailscale/corp#19526 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Jordan Whited	adb7a86559	cmd/stunc: support ipv6 address targets (#12166 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
James Tucker	8d1249550a	net/netcheck,wgengine/magicsock: add potential workaround for Palo Alto DIPP misbehavior Palo Alto firewalls have a typically hard NAT, but also have a mode called Persistent DIPP that is supposed to provide consistent port mapping suitable for STUN resolution of public ports. Persistent DIPP works initially on most Palo Alto firewalls, but some models/software versions have a bug which this works around. The bug symptom presents as follows: - STUN sessions resolve a consistent public IP:port to start with - Much later netchecks report the same IP:Port for a subset of sessions, most often the users active DERP, and/or the port related to sustained traffic. - The broader set of DERPs in a full netcheck will now consistently observe a new IP:Port. - After this point of observation, new inbound connections will only succeed to the new IP:Port observed, and existing/old sessions will only work to the old binding. In this patch we now advertise the lowest latency global endpoint discovered as we always have, but in addition any global endpoints that are observed more than once in a single netcheck report. This should provide viable endpoints for potential connection establishment across a NAT with this behavior. Updates tailscale/corp#19106 Signed-off-by: James Tucker <james@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	6831a29f8b	publicapi: create new home for API docs and split into catagory files (#12116 ) This change creates a new folder called publicapi that will become the future home to the Tailscale public API docs. This change also splits the existing API docs (still located in api.md) into separate files, for easier reading and contribution. Updates tailscale/corp#19526 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Andrea Gottardo	e5f67f90a2	xcode: allow ICMP ping relay on macOS + iOS platforms (#12048 ) Fixes tailscale/tailscale#10393 Fixes tailscale/corp#15412 Fixes tailscale/corp#19808 On Apple platforms, exit nodes and subnet routers have been unable to relay pings from Tailscale devices to non-Tailscale devices due to sandbox restrictions imposed on our network extensions by Apple. The sandbox prevented the code in netstack.go from spawning the `ping` process which we were using. Replace that exec call with logic to send an ICMP echo request directly, which appears to work in userspace, and not trigger a sandbox violation in the syslog. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Percy Wegmann	59848fe14b	drive: rewrite LOCK paths Fixes #12097 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago

1 2 3 4 5 ...

7704 Commits (ccdd2e6650e9ab3c877037957be205992d44221a) All Branches Search

7704 Commits (ccdd2e6650e9ab3c877037957be205992d44221a)

All Branches