tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Dunham	38e4d303a2	net/tshttpproxy: don't proxy through ourselves When running a SOCKS or HTTP proxy, configure the tshttpproxy package to drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment variables. Fixes #7407 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6cd7cad7a609c639780484bad521c7514841764b	1 year ago
Maisem Ali	985535aebc	net/tstun,wgengine/*: add support for NAT to routes This adds support to make exit nodes and subnet routers work when in scenarios where NAT is required. It also updates the NATConfig to be generated from a `wgcfg.Config` as that handles merging prefs with the netmap, so it has the required information about whether an exit node is already configured and whether routes are accepted. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	c98652c333	doctor/permissions: add new check to print process permissions Since users can run tailscaled in a variety of ways (root, non-root, non-root with process capabilities on Linux), this check will print the current process permissions to the log to aid in debugging. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida93a206123f98271a0c664775d0baba98b330c7	1 year ago
James Tucker	a31e43f760	go.mod: bump gvisor to 20230320 for dispatcher locking Upstream improved code around an issue showing up in CI, where sometimes shutdown will race on endpoint.dispatcher being nil'd, causing a panic down stack of injectInbound. The upstream patch makes some usage more safe, but it does not itself fix the local issue. See panic in https://github.com/tailscale/tailscale/actions/runs/4548299564/jobs/8019187385#step:7:843 See fix in google/gvisor@13d7bf69d8 Updates #7715 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Anton Tolchanov	2a933c1903	cmd/tailscale: extend hostname validation (#7678 ) In addition to checking the total hostname length, validate characters used in each DNS label and label length. Updates https://github.com/tailscale/corp/issues/10012 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
shayne	43f7ec48ca	funnel: change references from alpha to beta (#7613 ) Updates CLI and docs to reference Funnel as beta Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
valscale	74eb99aed1	derp, derphttp, magicsock: send new unknown peer frame when destination is unknown (#7552 ) * wgengine/magicsock: add envknob to send CallMeMaybe to non-existent peer For testing older client version responses to the PeerGone packet format change. Updates #4326 Signed-off-by: Val <valerie@tailscale.com> * derp: remove dead sclient struct member replaceLimiter Leftover from an previous solution to the duplicate client problem. Updates #2751 Signed-off-by: Val <valerie@tailscale.com> * derp, derp/derphttp, wgengine/magicsock: add new PeerGone message type Not Here Extend the PeerGone message type by adding a reason byte. Send a PeerGone "Not Here" message when an endpoint sends a disco message to a peer that this server has no record of. Fixes #4326 Signed-off-by: Val <valerie@tailscale.com> --------- Signed-off-by: Val <valerie@tailscale.com>	1 year ago
Maisem Ali	8a11f76a0d	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	df89b7de10	cmd/k8s-operator: disable HTTP/2 for the auth proxy Kubernetes uses SPDY/3.1 which is incompatible with HTTP/2, disable it in the transport and server. Fixes #7645 Fixes #7646 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	57a008a1e1	all: pass log IDs as the proper type rather than strings This change focuses on the backend log ID, which is the mostly commonly used in the client. Tests which don't seem to make use of the log ID just use the zero value. Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Tom DNetto	60cd4ac08d	cmd/tailscale/cli: move tskey-wrap functionality under lock sign Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Mihai Parparita	e1fb687104	cmd/tailscale/cli: fix inconsistency between serve text and example command Use the same local port number in both, and be more precise about what is being forwarded Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Anton Tolchanov	50d211d1a4	cmd/derpprobe: allow running all probes at the same time This allows disabling spread mode, which is helpful if you are manually running derpprobe in `--once` mode against a small number of DERP machines. Updates https://github.com/tailscale/corp/issues/9916 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
James 'zofrex' Sanderson	9534783758	tailscale/cmd: Warn for up --force-reauth over SSH without accepting the risk (#7575 ) Fixes #6377 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	1 year ago
shayne	2b892ad6e7	cmd/tailscale/cli: [serve] rework commands based on feedback (#6521 ) ``` $ tailscale serve https:<port> <mount-point> <source> [off] $ tailscale serve tcp:<port> tcp://localhost:<local-port> [off] $ tailscale serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off] $ tailscale serve status [--json] $ tailscale funnel <serve-port> {on\|off} $ tailscale funnel status [--json] ``` Fixes: #6674 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Maisem Ali	c87782ba9d	cmd/k8s-operator: drop trailing dot in tagged node name Also update tailcfg docs. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	a1d9f65354	ipn,log: add logger for sockstat deltas Signed-off-by: Will Norris <will@tailscale.com> Co-authored-by: Melanie Warrick <warrick@tailscale.com>	1 year ago
Maisem Ali	5e8a80b845	all: replace /kb/ links with /s/ equivalents Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	558735bc63	cmd/k8s-operator: require HTTPS to be enabled for AuthProxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	489e27f085	cmd/k8s-operator: make auth proxy pass tags as Impersonate-Group We were not handling tags at all, pass them through as Impersonate-Group headers. And use the FQDN for tagged nodes as Impersonate-User. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	09aed46d44	cmd/tailscale/cli: update docs and unhide configure Also call out Alpha. Updates #7220 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	223713d4a1	tailcfg,all: add and use Node.IsTagged() Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	3ff44b2307	ipn: add Funnel port check from nodeAttr Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	ccdd534e81	tsnet: add ListenFunnel This lets a tsnet binary share a server out over Tailscale Funnel. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Tom DNetto	92fc243755	cmd/tailscale: annotate tailnet-lock keys which wrap pre-auth keys Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	3471fbf8dc	cmd/tailscale: surface node-key for locked out tailnet-lock peers Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Maisem Ali	be027a9899	control/controlclient: improve handling of concurrent lite map requests This reverts commit `6eca47b16c` and fixes forward. Previously the first ever streaming MapRequest that a client sent would also set ReadOnly to true as it didn't have any endpoints and expected/relied on the map poll to restart as soon as it got endpoints. However with `48f6c1eba4`, we would no longer restart MapRequests as frequently as we used to, so control would only ever get the first streaming MapRequest which had ReadOnly=true. Control would treat this as an uninteresting request and would not send it any further netmaps, while the client would happily stay in the map poll forever while litemap updates happened in parallel. This makes it so that we never set `ReadOnly=true` when we are doing a streaming MapRequest. This is no longer necessary either as most endpoint discovery happens over disco anyway. Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	ce99474317	all: implement preauth-key support with tailnet lock Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Andrew Dunham	be107f92d3	wgengine/magicsock: track per-endpoint changes in ringbuffer This change adds a ringbuffer to each magicsock endpoint that keeps a fixed set of "changes"–debug information about what updates have been made to that endpoint. Additionally, this adds a LocalAPI endpoint and associated "debug peer-status" CLI subcommand to fetch the set of changes for a given IP or hostname. Updates tailscale/corp#9364 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I34f726a71bddd0dfa36ec05ebafffb24f6e0516a	1 year ago
shayne	f7a7957a11	sniproxy: add promote-https (#7487 ) Adds support for an HTTP server that promotes all requests to HTTPS. The flag is `-promote-https` and defaults to true. Updates #1748	1 year ago
Denton Gentry	b46c5ae82a	cmd/sniproxy: draw the rest of the DNS owl. Add a DNS server which always responds as its own IP addresses. Additionally add a tsnet TailscaleIPs() function to return the IP addresses, both IPv4 and IPv6. Updates https://github.com/tailscale/tailscale/issues/1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Tom DNetto	2263d9c44b	cmd/tsconnect: pop CTA to make everything work with tailnet lock Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Brad Fitzpatrick	0f4359116e	tsnet: add UDP support to Server.Listen No ListenPacket support yet, but Listen with a udp network type fit easier into netstack's model to start. Then added an example of using it to cmd/sniproxy with a little udp :53 handler. No tests in tsnet yet because we don't have support for dialing over UDP in tsnet yet. When that's done, a new test can test both sides. Updates #5871 Updates #1748 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Maisem Ali	1a30b2d73f	all: use tstest.Replace more Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	b9ebf7cf14	tstest: add method to Replace values for tests We have many function pointers that we replace for the duration of test and restore it on test completion, add method to do that. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	73fa7dd7af	util/slicesx: add package for generic slice functions, use Now that we're using rand.Shuffle in a few locations, create a generic shuffle function and use it instead. While we're at it, move the interleaveSlices function to the same package for use. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I0b00920e5b3eea846b6cedc30bd34d978a049fd3	1 year ago
Tom DNetto	e2d652ec4d	ipn,cmd/tailscale: implement resigning nodes on tka key removal Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Andrew Dunham	3f8e8b04fd	cmd/tailscale, cmd/tailscaled: move portmapper debugging into tailscale CLI The debug flag on tailscaled isn't available in the macOS App Store build, since we don't have a tailscaled binary; move it to the 'tailscale debug' CLI that is available on all platforms instead, accessed over LocalAPI. Updates #7377 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I47bffe4461e036fab577c2e51e173f4003592ff7	1 year ago
Mihai Parparita	3e71e0ef68	net/sockstats: remove explicit dependency on wgengine/monitor Followup to #7177 to avoid adding extra dependencies to the CLI. We instead declare an interface for the link monitor. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
shayne	d92ef4c215	cmd/derper: randomize IPs on refreshBootstrapDNS (#7440 ) This is to address a possible DNS failure on startup. Before this change IPv6 addresses would be listed first, and the client dialer would fail for hosts without IPv6 connectivity.	1 year ago
Brad Fitzpatrick	1410682fb6	cmd/sniproxy: add start of a tsnet-based SNI proxy $ curl https://canhazip.com/ 170.173.0.21 $ curl --resolve canhazip.com:443:100.85.165.81 https://canhazip.com/ 34.223.127.151 Updates #1748 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Maisem Ali	e1530cdfcc	cmd/containerboot,kube: consolidate the two kube clients We had two implemenetations of the kube client, merge them. containerboot was also using a raw http.Transport, this also has the side effect of making it use a http.Client Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Denton Gentry	51288221ce	cmd/tailscale: use request Schema+Host for QNAP authLogin.cgi QNAP allows users to set the port number for the management WebUI, which includes authLogin.cgi. If they do, then connecting to localhost:8080 fails. https://github.com/tailscale/tailscale-qpkg/issues/74#issuecomment-1407486911 Fixes https://github.com/tailscale/tailscale/issues/7108 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Aaron Klotz	f18beaa1e4	cmd/mkmanifest, cmd/tailscale, cmd/tailscaled: remove Windows arm32 resources from OSS Given recent changes in corp, I originally thought we could remove all of the syso files, but then I realized that we still need them so that binaries built purely from OSS (without going through corp) will still receive a manifest. We can remove the arm32 one though, since we don't support 32-bit ARM on Windows. Updates https://github.com/tailscale/corp/issues/9576 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Sonia Appasamy	7985f5243a	cmd/k8s-operator: update device authorization copy "Device Authorization" was recently renamed to "Device Approval" on the control side. This change updates the k8s operator to match. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Sonia Appasamy	bb7033174c	cmd/tsconnect: update device authorization copy "Device Authorization" was recently renamed to "Device Approval" on the control side. This change updates tsconnect to match. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Mihai Parparita	9cb332f0e2	sockstats: instrument networking code paths Uses the hooks added by tailscale/go#45 to instrument the reads and writes on the major code paths that do network I/O in the client. The convention is to use "<package>.<type>:<label>" as the annotation for the responsible code path. Enabled on iOS, macOS and Android only, since mobile platforms are the ones we're most interested in, and we are less sensitive to any throughput degradation due to the per-I/O callback overhead (macOS is also enabled for ease of testing during development). For now just exposed as counters on a /v0/sockstats PeerAPI endpoint. We also keep track of the current interface so that we can break out the stats by interface. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Sonia Appasamy	0c1510739c	cmd/tailscale/cli: update device authorization copy "Device Authorization" was recently renamed to "Device Approval" on the control side. This change updates the linux cli to match. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Joe Tsai	0d19f5d421	all: replace logtail.{Public,Private}ID with logid.{Public,Private}ID (#7404 ) The log ID types were moved to a separate package so that code that only depend on log ID types do not need to link in the logic for the logtail client itself. Not all code need the logtail client. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Vladimir Pouzanov	e3211ff88b	Add support for OAuth tokens #7394 (#7393 ) Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com>	1 year ago

1 2 3 4 5 ...

1253 Commits (e0d291ab8a622f39d6fe8492abcb3224ed6730dd)