tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	f3c0023add	wgengine/netstack: add an SSH server experiment Disabled by default. To use, run tailscaled with: TS_SSH_ALLOW_LOGIN=you@bar.com And enable with: $ TAILSCALE_USE_WIP_CODE=true tailscale up --ssh=true Then ssh [any-user]@[your-tailscale-ip] for a root bash shell. (both the "root" and "bash" part are temporary) Updates #3802 Change-Id: I268f8c3c95c8eed5f3231d712a5dc89615a406f0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	41fd4eab5c	envknob: add new package for all the strconv.ParseBool(os.Getenv(..)) A new package can also later record/report which knobs are checked and set. It also makes the code cleaner & easier to grep for env knobs. Change-Id: Id8a123ab7539f1fadbd27e0cbeac79c2e4f09751 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Anderson	ff3442d92d	cmd/derper: record TLS versions used for requests. Surveying the fleet prior to turning off old/unused/insecure TLS versions. Updates tailscale/corp#3615 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	92dfaf53bb	cmd/tailscaled: include Go runtime metrics in /debug/metrics Fixes #3772 Change-Id: I237ea23268664d99e83d27890146018b04474556 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Josh Bleecher Snyder	a076aaecc6	cmd/tailscale: use html/template for synoTokenRedirect The GitHub code scanner flagged this as a security vulnerability. I don't believe it was, but I couldn't convince myself of it 100%. Err on the safe side and use html/template to generate the HTML, with all necessary escaping. Fixes tailscale/corp#2698 Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Maisem Ali	9e8a432146	cmd/tailscale/cli/web: fix typo where the html template data was being replaced instead of being appended to. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	e6626366a2	cmd/tailscale: let 'tailscale up --reset' do a pref edit The --reset shouldn't imply that a Backend.Start is necessary. With this, it can do a Backend.EditPrefs instead, which then doesn't do all the heavy work that Start does. Also, Start on Windows behaves slightly differently than Linux etc in some cases because of tailscaled running in client mode on Windows (where the GUI supplies the prefs). Fixes #3702 Change-Id: I75c9f08d5e0052bf623074030a3a7fcaa677abf6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	b8ad90c2bf	cmd/derper: in manual cert mode, don't discard error from VerifyHostname Updates #3701 Change-Id: If8ca5104bd8221c99cc390ca49ee3401aff09b62 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	64c2657448	cmd/printdep: add flag to print out Go toolchain tarball URL Updates #3669 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	3690bfecb0	ipn/ipnlocal: fix cert fetching on macOS GUI platforms And clarify the directory they get written to when under the sandbox. Fixes #3667 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	c8b63a409e	cmd/hello: also redirect https://hello.ipn.dev to hello.ts.net I apparently only did HTTP before, not HTTPS. Updates tailscale/corp#1327 Change-Id: I7d5265a0a25fcab5b142c8c3f21a0920f6cae39f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	e2d9c99e5b	cmd/hello: migrate to hello.ts.net as the hostname But still support hello.ipn.dev for a bit. Updates tailscale/corp#1327 Change-Id: Iab59cca0b260d69858af16f4e42677e54f9fe54a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ebdd25920e	go.toolchain.rev: add Go toolchain rev, tool to print it out Updates tailscale/corp#3385 Change-Id: Ia0e285a0ae836744539c97ff6eff207588159688 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	7d9b1de3aa	netcheck,portmapper,magicsock: ignore some UDP write errors on Linux Treat UDP send EPERM errors as a lost UDP packet, not something super fatal. That's just the Linux firewall preventing it from going out. And add a leaf package net/neterror for that (and future) policy that all three packages can share, with tests. Updates #3619 Change-Id: Ibdb838c43ee9efe70f4f25f7fc7fdf4607ba9c1d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	96cab21383	cmd/tailscale: add debug restun, rebind subcommands In the hidden debug menu. Change-Id: I20213f1f4e2290d36f9ff561bac0cc767400d5fd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ae319b4636	wgengine/magicsock: add HTML debug handler to see magicsock state Change-Id: Ibc46f4e9651e1c86ec6f5d139f5e9bdc7a488415 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	3dedcd1640	logpolicy, ipn/ipnserver: connect to logtail via tailscaled when needed This is for use by the Windows GUI client to log via when an exit node is in use, so the logs don't go out via the exit node and instead go directly, like tailscaled's. The dialer tried to do that in the unprivileged GUI by binding to a specific interface, but the "Internet Kill Switch" installed by tailscaled for exit nodes precludes that from working and instead the GUI fails to dial out. So, go through tailscaled (with a CONNECT request) instead. Fixes tailscale/corp#3169 Change-Id: I17a8efdc1d4b8fed53a29d1c19995592b651b215 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	40e2b312b6	ipn/ipnserver, logpolicy: move Windows disk logging up earlier This moves the Windows-only initialization of the filelogger into logpolicy. Previously we only did it when babysitting the tailscaled subprocess, but this meant that log messages from the service itself never made it to disk. Examples that weren't logged to disk: * logtail unable to dial out, * DNS flush messages from the service * svc.ChangeRequest messages (#3581) This is basically the same fix as #3571 but staying in the Logf type, and avoiding build-tagged file (which wasn't quite a goal, but happened and seemed nice) Fixes #3570 Co-authored-by: Aaron Klotz <aaron@tailscale.com> Change-Id: Iacd80c4720b7218365ec80ae143339d030842702	3 years ago
Brad Fitzpatrick	689426d6bc	cmd/tailscaled: log Windows service change requests And add a little comment. Change-Id: If0bedf8aefd8d528149548fba829e7a9a8b2e114 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	4512e213d5	cmd/tailscale: improve ping error message when logged out Refactor out the pretty status printing code from status, use it in ping. Fixes #3549 Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	59f4f33f60	cmd/tailscaled: fix windows logtail integration I broke it in 1.17.x sometime while rewiring some logs stuff, mostly in `0653efb092` (but with a handful of logs-related changes around that time) Fixes tailscale/corp#3265 Change-Id: Icb5c07412dc6d55f1d9244c5d0b51dceca6a7e34 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	adc97e9c4d	cmd/tailscale: make --accept-routes default true on Windows, macOS GUI One of the most annoying parts of using the Tailscale CLI on Windows and the macOS GUI is that Tailscale's GUIs default to running with "Route All" (accept all non-exitnode subnet routes) but the CLI--being originally for Linux--uses the Linux default, which is to not accept subnets. Which means if a Windows user does, e.g.: tailscale up --advertise-exit-node Or: tailscale up --shields-up ... then it'd warn about reverting the --accept-routes option, which the user never explicitly used. Instead, make the CLI's default match the platform/GUI's default. Change-Id: I15c804b3d9b0266e9ca8651e0c09da0f96c9ef8d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	63cd581c3f	safesocket: add ConnectionStrategy, provide control over fallbacks `fee2d9fad` added support for cmd/tailscale to connect to IPNExtension. It came in two parts: If no socket was provided, dial IPNExtension first, and also, if dialing the socket failed, fall back to IPNExtension. The second half of that support caused the integration tests to fail when run on a machine that was also running IPNExtension. The integration tests want to wait until the tailscaled instances that they spun up are listening. They do that by dialing the new instance. But when that dial failed, it was falling back to IPNExtension, so it appeared (incorrectly) that tailscaled was running. Hilarity predictably ensued. If a user (or a test) explicitly provides a socket to dial, it is a reasonable assumption that they have a specific tailscaled in mind and don't want to fall back to IPNExtension. It is certainly true of the integration tests. Instead of adding a bool to Connect, split out the notion of a connection strategy. For now, the implementation remains the same, but with the details hidden a bit. Later, we can improve that. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	39ffa16853	net/dnscache, net/tsdial: add DNS caching to tsdial UserDial This is enough to handle the DNS queries as generated by Go's net package (which our HTTP/SOCKS client uses), and the responses generated by the ExitDNS DoH server. This isn't yet suitable for putting on 100.100.100.100 where a number of different DNS clients would hit it, as this doesn't yet do EDNS0. It might work, but it's untested and likely incomplete. Likewise, this doesn't handle anything about truncation, as the exchanges are entirely in memory between Go or DoH. That would also need to be handled later, if/when it's hooked up to 100.100.100.100. Updates #3507 Change-Id: I1736b0ad31eea85ea853b310c52c5e6bf65c6e2a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	a28d280b95	cmd/tailscaled: move start-up failure logging to one place The caller of func run said: // No need to log; the func already did But that wasn't true. Some return paths didn't log. So instead, return rich errors and have func main do the logging, so we can't miss anything in the future. Prior to this, safesocket.Listen for instance was causing tailscaled to os.Exit(1) on failure without any clue as to why. Change-Id: I9d71cc4d73d0fed4aa1b1902cae199f584f25793 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	c0701b130d	ipn/ipnstate, cmd/tailscale: add Online bool to tailscale status & --json Fixes #3533 Change-Id: I2f6f0d712cf3f987fba1c15be74cdb5c8d565f04 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Arnaud Dezandee	656809e4ee	cmd/derper: allow http port configuration Signed-off-by: Arnaud Dezandee <dezandee.arnaud@gmail.com>	3 years ago
Denton Gentry	ffb16cdffb	cmd/tailscale: add --json for up Print JSON to stdout containing everything needed for authentication. { "AuthURL": "https://login.tailscale.com/a/0123456789", "QR": "data:image/png;base64,iV...QmCC", "BackendState": "NeedsLogin" } { "BackendState": "Running" } Signed-off-by: Denton Gentry <dgentry@tailscale.com>	3 years ago
Brad Fitzpatrick	d3d503d997	ipn/ipnlocal: add HTTP/2 h2c server support to peerapi on non-mobile platforms To make ExitDNS cheaper. Might not finish client-side support in December before 1.20, but at least server support can start rolling out ahead of clients being ready for it. Tested with curl against peerapi. Updates #1713 Change-Id: I676fed5fb1aef67e78c542a3bc93bddd04dd11fe Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	9c5c9d0a50	ipn/ipnlocal, net/tsdial: make SOCKS/HTTP dials use ExitDNS And simplify, unexport some tsdial/netstack stuff in the the process. Fixes #3475 Change-Id: I186a5a5cbd8958e25c075b4676f7f6e70f3ff76e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	de635ac0a8	cmd/tailscale: print more detail in connection failure error message Before: failed to connect to local tailscaled (which appears to be running). Got error: Get "http://local-tailscaled.sock/localapi/v0/status": EOF After: failed to connect to local tailscaled (which appears to be running as IPNExtension, pid 2118). Got error: Get "http://local-tailscaled.sock/localapi/v0/status": EOF This was useful just now, as it made it clear that tailscaled I thought I was connecting to might not in fact be running; there was a second tailscaled running that made the error message slightly misleading. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	003089820d	cmd/tailscale: fix setting revert checker's finding an exit node It was using the wrong prefs (intended vs current) to map the current exit node ID to an IP. Fixes #3480 Change-Id: I9f117d99a84edddb4cd1cb0df44a2f486abde6c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	03a323de4e	cmd/tailscale: don't allow setting exit node to known invalid value Fixes #3081 Change-Id: I34c378dfd51ee013c21962dbe79c49b1ba06c0c5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	a8f60cf6e8	cmd/tailscale: clarify which prefless flags don't need revert protection Fixes #3482 Change-Id: Icb51476b0d78d3758cb04df3b565e372b8289a46 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	f91481075d	cmd/tailscale: let --exit-node= take a machine name in addition to IP If you're online, let tailscale up --exit-node=NAME map NAME to its IP. We don't store the exit node name server-side in prefs, avoiding the concern raised earlier. Fixes #3062 Change-Id: Ieea5ceec1a30befc67e9d6b8a530b3cb047b6b40 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	adc5997592	net/tsdial: give netstack a Dialer, start refactoring name resolution This starts to refactor tsdial.Dialer's name resolution to have different stages: in-memory MagicDNS vs system resolution. A future change will plug in ExitDNS resolution. This also plumbs a Dialer into netstack and unexports the dnsMap internals. And it removes some of the async AddNetworkMapCallback usage and replaces it with synchronous updates of the Dialer's netmap from LocalBackend, since the LocalBackend has the Dialer too. Updates #3475 Change-Id: Idcb7b1169878c74f0522f5151031ccbc49fe4cb4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ad3d6e31f0	net/tsdial: move macOS/iOS peerapi sockopt logic from LocalBackend Change-Id: I812cae027c40c70cdc701427b1a1850cd9bcd60c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	c7fb26acdb	net/tsdial: also plumb TUN name and monitor into tsdial.Dialer In prep for moving stuff out of LocalBackend. Change-Id: I9725aa9c3ebc7275f8c40e040b326483c0340127 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	c37af58ea4	net/tsdial: move more weirdo dialing into new tsdial package, plumb Not done yet, but this move more of the outbound dial special casing from random packages into tsdial, which aspires to be the one unified place for all outbound dialing shenanigans. Then this plumbs it all around, so everybody is ultimately holding on to the same dialer. As of this commit, macOS/iOS using an exit node should be able to reach to the exit node's DoH DNS proxy over peerapi, doing the sockopt to stay within the Network Extension. A number of steps remain, including but limited to: * move a bunch more random dialing stuff * make netstack-mode tailscaled be able to use exit node's DNS proxy, teaching tsdial's resolver to use it when an exit node is in use. Updates #1713 Change-Id: I1e8ee378f125421c2b816f47bc2c6d913ddcd2f5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	d5405c66b7	net/tsdial: start of new package to unify all outbound dialing complexity For now this just deletes the net/socks5/tssocks implementation (and the DNSMap stuff from wgengine/netstack) and moves it into net/tsdial. Then initialize a Dialer early in tailscaled, currently only use for the outbound and SOCKS5 proxies. It will be plumbed more later. Notably, it needs to get down into the DNS forwarder for exit node DNS forwading in netstack mode. But it will also absorb all the peerapi setsockopt and netns Dial and tlsdial complexity too. Updates #1713 Change-Id: Ibc6d56ae21a22655b2fa1002d8fc3f2b2ae8b6df Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	2a95ee4680	cmd/tailscale, ipn/ipnstate: note which nodes are exit nodes in status Fixes #3446 Change-Id: Ib41d588e7fa434c02d134fa449f85b0e15083683 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Josh Bleecher Snyder	38d90fa330	net/portmapper: add clientmetrics for PCP/PMP responses Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Brad Fitzpatrick	3181bbb8e4	cmd/tailscale: make file cp send files via tailscaled localapi So Taildrop sends work even if the local tailscaled is running in netstack mode, as it often is on Synology, etc. Updates #2179 (which is primarily about receiving, but both important) Change-Id: I9bd1afdc8d25717e0ab6802c7cf2f5e0bd89a3b2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
David Anderson	6e584ffa33	cmd/tailscaled: allow running the SOCKS5 and HTTP proxies on the same port. Fixes #3248 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
David Crawshaw	1e8b4e770a	update github.com/aws/aws-sdk-go-v2 Replaces #3464, #3365, #3366 with a PR that includes the depaware fix. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	3 years ago
Brad Fitzpatrick	105c545366	cmd/tailscale/cli: don't complain about --accept-routes true->false on Synology Fixes #3176 Change-Id: I844883e741dccfa5e7771c853180e9f65fb7f7a4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Thomas Weiß	6dc6ea9b37	cmd/tailscaled: log error on state store init failure Signed-off-by: Thomas Weiß <panos@unbunt.org>	3 years ago
David Anderson	db800ddeac	cmd/derper: set Content-Security-Policy on DERPs. It's a basic "deny everything" policy, since DERP's HTTP server is very uninteresting from a browser POV. But it stops every security scanner under the sun from reporting "dangerously configured" HTTP servers. Updates tailscale/corp#3119 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Josh Bleecher Snyder	73beaaf360	net/tstun: rate limit "self disco out packet" logging When this happens, it is incredibly noisy in the logs. It accounts for about a third of all remaining "unexpected" log lines from a recent investigation. It's not clear that we know how to fix this, we have a functioning workaround, and we now have a (cheap and efficient) metric for this that we can use for measurements. So reduce the logging to approximately once per minute. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
Josh Bleecher Snyder	b0d543f7a1	cmd/tailscale: add ip -1 flag This limits the output to a single IP address. RELNOTE=tailscale ip now has a -1 flag (TODO: update docs to use it) Fixes #1921 Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago

1 2 3 4 5 ...

693 Commits (f3c0023addc13ea4212db9daf04fd317585d28c3)