tailscale

Commit Graph

Author	SHA1	Message	Date
Mihai Parparita	cfe68d0a86	safesocket: log warning when running sandboxed Mac binary as root It won't work, provide a clue in the error output. Fixes #3063 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Brad Fitzpatrick	6f5b91c94c	go.mod: tidy Change-Id: If3b5fe42e7dd7858dcce02a3a24a5e59736815a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	2336c73d4d	go.mod: tidy Change-Id: If3b5fe42e7dd7858dcce02a3a24a5e59736815a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	96fec4b969	net/tshttpproxy: synology: pick proxy by scheme This updates the fix from #4562 to pick the proxy based on the request scheme. Updates #4395, #2605, #4562 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Maisem Ali	eff6a404a6	net/tshttpproxy: use http as the scheme for proxies Currently we try to use `https://` when we see `https_host`, however that doesn't work and results in errors like `Received error: fetch control key: Get "https://controlplane.tailscale.com/key?v=32": proxyconnect tcp: tls: first record does not look like a TLS handshake` This indiciates that we are trying to do a HTTPS request to a HTTP server. Googling suggests that the standard is to use `http` regardless of `https` or `http` proxy Updates #4395, #2605 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Walter Poupore	71d401cc4e	api.md: remove descriptions from TOC (#4561 )	2 years ago
Brad Fitzpatrick	1237000efe	control/controlhttp: don't assume port 80 upgrade response will work Just because we get an HTTP upgrade response over port 80, don't assume we'll be able to do bi-di Noise over it. There might be a MITM corp proxy or anti-virus/firewall interfering. Do a bit more work to validate the connection before proceeding to give up on the TLS port 443 dial. Updates #4557 (probably fixes) Change-Id: I0e1bcc195af21ad3d360ffe79daead730dfd86f1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	488e63979e	api.md: document new ACL validate mode Updates tailscale/corp#4932 Change-Id: Ie176ee79595c3b56d3376f1d81a441f9272e6ed4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	5a1ef1bbb9	net/tsdial: add SystemDial as a wrapper on netns.Dial The connections returned from SystemDial are automatically closed when there is a major link change. Also plumb through the dialer to the noise client so that connections are auto-reset when moving from cellular to WiFi etc. Updates #3363 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	e38d3dfc76	control/controlhttp: start port 443 fallback sooner if 80's stuck Fixes #4544 Change-Id: I39877e71915ad48c6668351c45cd8e33e2f5dbae Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	637cc1b5fc	ipn/ipnlocal/peerapi: add endpoint to list local interfaces Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
James Tucker	1aa75b1c9e	wgengine/netstack: always set TCP keepalive Setting keepalive ensures that idle connections will eventually be closed. In userspace mode, any application configured TCP keepalive is effectively swallowed by the host kernel, and is not easy to detect. Failure to close connections when a peer tailscaled goes offline or restarts may result in an otherwise indefinite connection for any protocol endpoint that does not initiate new traffic. This patch does not take any new opinion on a sensible default for the keepalive timers, though as noted in the TODO, doing so likely deserves further consideration. Update #4522 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	adcb7e59d2	control/controlclient: fix log print with always-empty key In debugging #4541, I noticed this log print was always empty. The value printed was always zero at this point. Updates #4541 Change-Id: I0eef60c32717c293c1c853879446be65d9b2cef6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	c88506caa6	ipn/ipnlocal: add Wake-on-LAN function to peerapi No CLI support yet. Just the curl'able version if you know the peerapi port. (like via a TSMP ping) Updates #306 Change-Id: I0662ba6530f7ab58d0ddb24e3664167fcd1c4bcf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	3f7cc3563f	ipn: always treat login.tailscale.com as controlplane.tailscale.com Like `888e50e1`, but more aggressive. Updates #4538 (likely fixes) Updates #3488 Change-Id: I3924eee9110e47bdba926ce12954253bf2413040 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	c6c752cf64	net/tshttpproxy: fix typo Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	50eb8c5add	cmd/tailscale: mostly fix 'tailscale ssh' on macOS (sandbox) Still a little wonky, though. See the tcsetattr error and inability to hit Ctrl-D, for instance: bradfitz@laptop ~ % tailscale.app ssh foo@bar tcsetattr: Operation not permitted # Authentication checked with Tailscale SSH. # Time since last authentication: 1h13m22s foo@bar:~$ ^D ^D ^D Updates #4518 Updates #4529 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	48e5f4ff88	cmd/tailscale/cli: add 'debug stat' subcommand For debugging what's visible inside the macOS sandbox. But could also be useful for giving users portable commands during debugging without worrying about which OS they're on. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	21413392cf	safesocket: fix CLI on standalone mac GUI build Tested three macOS Tailscale daemons: - App Store (Network Extension) - Standalone (macsys) - tailscaled And two types of local IPC each: - IPN - HTTP And two CLI modes: - sandboxed (running the GUI binary as the CLI; normal way) - open source CLI hitting GUI (with #4525) Bonus: simplifies the code. Fixes tailscale/corp#4559 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	3601b43530	ipn: add IPCVersion override func I've done this a handful of times in the past and again today. Time to make it a supported thing for the future. Used while debugging tailscale/corp#4559 (macsys CLI issues) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	928d1fddd2	cmd/tailscale: s/-authkey/-auth-key/ in help text Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Tom DNetto	5fb8e01a8b	net/dns/resolver: add metric for number of truncated dns packets Updates #2067 This should help us determine if more robust control of edns parameters + implementing answer truncation is warranted, given its likely complexity. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Maisem Ali	80ba161c40	wgengine/monitor: do not ignore changes to pdp_ip* One current theory (among other things) on battery consumption is that magicsock is resorting to using the IPv6 over LTE even on WiFi. One thing that could explain this is that we do not get link change updates for the LTE modem as we ignore them in this list. This commit makes us not ignore changes to `pdp_ip` as a test. Updates #3363 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	1a19aed410	ipn/ipnlocal: do not initialize peer api listeners when shutting down Updates tailscale/corp#4824 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	e97209c6bf	net/dns: add tailscaled-on-macOS DNS OSConfigurator This populates DNS suffixes ("ts.net", etc) in /etc/resolver/* files to point to 100.100.100.100 so MagicDNS works. It also sets search domains. Updates #4276 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	bbca2c78cb	tsnet: fix mem.Store check for normal nodes There was a typo in the check it was doing `!ok` instead of `ok`, this restructures it a bit to read better. Fixes #4506 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Denton Gentry	d819bb3bb0	VERSION.txt: This is 1.25.0 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Maisem Ali	2265587d38	wgengine/{,magicsock}: add metrics for rebinds and restuns Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Tom DNetto	78fededaa5	net/dns/resolver: support magic resolution of via-<siteid>.<ip4> domains Updates #3616 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	910ae68e0b	util/mak: move tailssh's mapSet into a new package for reuse elsewhere Change-Id: Idfe95db82275fd2be6ca88f245830731a0d5aecf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	c2eff20008	ssh/tailssh: avoid user ssh configuration in tests Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	700bd37730	tshttpproxy: support synology proxy configuration Fixes #4395 Fixes #2605 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Maisem Ali	90b5f6286c	cmd/tailscale: use double quotes in the ssh subcommands Single-quote escaping is insufficient apparently. Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	db70774685	cmd/tailscale/cli: do not use syscall.Exec from macOS sandbox Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Tom DNetto	37c94c07cd	shell.nix: update go toolchain Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
David Anderson	a364bf2b62	ssh/tailssh: various typo fixes, clarifications. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	c994eba763	ssh/tailssh: simplify matchRule with Reject rules Updates #3802 Change-Id: I59fe111eef5ac8abbcbcec922e293712a65a4830 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	31094d557b	ssh/tailssh: chmod the auth socket to be only user accessible Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	337c77964b	ssh/tailssh: set groups and gid in the incubated process Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	8ac4d52b59	ssh/tailssh: filter accepted environment variables Noted by @danderson Updates #3802 Change-Id: Iac70717ed57f11726209ac1ea93ddc6696605f94 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	89832c1a95	tailcfg: fix typo in SessionDuration field name Noted by @danderson. Updates #3802 Change-Id: Ide15f3f28e30f6abb5c94d7dcd218bd9482752a0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	695f8a1d7e	ssh/tailssh: add support for sftp Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	53588f632d	Revert "wgengine/router,util/kmod: load & log xt_mark" This reverts commit `8d6793fd70`. Reason: breaks Android build (cgo/pthreads addition) We can try again next cycle. Change-Id: I5e7e1730a8bf399a8acfce546a6d22e11fb835d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	df26c63793	net/dns/resolver, net/tsaddr: fix reverse lookups in 4to6 IP range Fixes #4439 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
James Tucker	8d6793fd70	wgengine/router,util/kmod: load & log xt_mark Attempt to load the xt_mark kernel module when it is not present. If the load fails, log error information. It may be tempting to promote this failure to an error once it has been in use for some time, so as to avoid reaching an error with the iptables invocation, however, there are conditions under which the two stages may disagree - this change adds more useful breadcrumbs. Example new output from tailscaled running under my WSL2: ``` router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2 ``` Background: There are two places to lookup modules, one is `/proc/modules` "old", the other is `/sys/module/` "new". There was query_modules(2) in linux <2.6, alas, it is gone. In a docker container in the default configuration, you would get /proc/modules and /sys/module/ both populated. lsmod may work file, modprobe will fail with EPERM at `finit_module()` for an unpriviliged container. In a priviliged container the load may succeed, if some conditions are met. This condition should be avoided, but the code landing in this change does not attempt to avoid this scenario as it is both difficult to detect, and has a very uncertain impact. In an nspawn container `/proc/modules` is populated, but `/sys/module` does not exist. Modern `lsmod` versions will fail to gather most module information, without sysfs being populated with module information. In WSL2 modules are likely missing, as the in-use kernel typically is not provided by the distribution filesystem, and WSL does not mount in a module filesystem of its own. Notably the WSL2 kernel supports iptables marks without listing the xt_mark module in /sys/module, and /proc/modules is empty. On a recent kernel, we can ask the capabilities system about SYS_MODULE, that will help to disambiguate between the non-privileged container case and just being root. On older kernels these calls may fail. Update #4329 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Brad Fitzpatrick	f7cb6630e7	tailcfg: document SSHPrincipal.PubKeys URL expansions From `f74ee80abe` which lacked docs. Updates #3802 Change-Id: Ia7df05a486ae383cc6d9aca9dfe487b04e243ad5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	5b4154342e	ssh/tailssh: fix double SSH-2.0- prefix in greeting banner gliderlabs/ssh was already adding the "SSH-2.0-" prefix. Updates #3802 Change-Id: I19a1cd9308371a2898e7883cf26e94c9b54bab29 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7a097ccc83	ipn/ipnlocal: close peerapi listeners on LocalBackend.Shutdown For tests. Now that we can always listen (whereas we used to fail prior to `a2c330c496`), some goroutine leak checks were failing in tests in another repo after that change. Change-Id: Id95a4b71167eca61962a48616d79741b9991e0bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	2b8b887d55	ssh/tailssh: send banner messages during auth, move more to conn (VSCode Live Share between Brad & Maisem!) Updates #3802 Change-Id: Id8edca4481b0811debfdf56d4ccb1a46f71dd6d3 Co-Authored-By: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Denton Gentry	13f75b9667	scripts/install: add Alma Linux. Tested using an Alma Linux 8.5 VM. Updates https://github.com/tailscale/tailscale/issues/2915 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago

1 2 3 4 5 ...

3982 Commits (cfe68d0a8678261989eb7202e7b3681e82fb1481) All Branches Search

3982 Commits (cfe68d0a8678261989eb7202e7b3681e82fb1481)

All Branches