tailscale

Commit Graph

Author	SHA1	Message	Date
Percy Wegmann	c42a4e407a	tailfs: listen for local clients only on 100.100.100.100 FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only avaialable on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Maisem Ali	370ecb4654	tailcfg: remove UserProfile.Groups Removing as per go/group-all-the-things. Updates tailscale/corp#17445 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Percy Wegmann	87154a2f88	tailfs: fix startup issues on windows Starts TailFS for Windows too, initializes shares on startup. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	ddcffaef7a	tailfs: disable TailFSForLocal via policy Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	abab0d4197	tailfs: clean up naming and package structure - Restyles tailfs -> tailFS - Defines interfaces for main TailFS types - Moves implemenatation of TailFS into tailfsimpl package Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	993acf4475	tailfs: initial implementation Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Joe Tsai	94a4f701c2	all: use reflect.TypeFor now available in Go 1.22 (#11078 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Andrea Gottardo	6c79f55d48	ipnlocal: force-regen new authURL when it is too old (#10971 ) Fixes tailscale/support-escalations#23. authURLs returned by control expire after 1 hour from creation. Customer reported that the Tailscale client on macOS would sending users to a stale authentication page when clicking on the `Login...` menu item. This can happen when clicking on Login after leaving the device unattended for several days. The device key expires, leading to the creation of a new authURL, however the client doesn't keep track of when the authURL was created. Meaning that `login-interactive` would send the user to an authURL that had expired server-side a long time before. This PR ensures that whenever `login-interactive` is called via LocalAPI, an authURL that is too old won't be used. We force control to give us a new authURL whenever it's been more than 30 minutes since the last authURL was sent down from control. Apply suggestions from code review Set interval to 6 days and 23 hours Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 months ago
Brad Fitzpatrick	2bd3c1474b	util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
kari-ts	5595b61b96	ipn/localapi: more http status cleanup (#10995 ) Use Http.StatusOk instead of 200 Updates #cleanup	4 months ago
James Tucker	ba70cbb930	ipn/ipnlocal: fix app connector route advertisements on exit nodes If an app connector is also configured as an exit node, it should still advertise discovered routes that are not covered by advertised routes, excluding the exit node routes. Updates tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
James Tucker	e1a4b89dbe	appc,ipn/ipnlocal: add app connector routes if any part of a CNAME chain is routed If any domain along a CNAME chain matches any of the routed domains, add routes for the discovered domains. Fixes tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
James Tucker	b4b2ec7801	ipn/ipnlocal: fix pretty printing of multi-record peer DNS results The API on the DNS record parser is slightly subtle and requires explicit handling of unhandled records. Failure to advance previously resulted in an infinite loop in the pretty responder for any reply that contains a record other than A/AAAA/TXT. Updates tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Percy Wegmann	fad6bae764	ipnlocal: log failure to get ssh host keys When reporting ssh host keys to control, log a warning if we're unable to get the SSH host keys. Updates tailscale/escalations#21 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Irbe Krumina	75f1d3e7d7	ipn/ipnlocal: fix failing test (#10937 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Irbe Krumina	6ee956333f	ipn/ipnlocal: fix proxy path that matches mount point (#10864 ) Don't append a trailing slash to a request path to the reverse proxy that matches the mount point exactly. Updates tailscale/tailscale#10730 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Jordan Whited	8b47322acc	wgengine/magicsock: implement probing of UDP path lifetime (#10844 ) This commit implements probing of UDP path lifetime on the tail end of an active direct connection. Probing configuration has two parts - Cliffs, which are various timeout cliffs of interest, and CycleCanStartEvery, which limits how often a probing cycle can start, per-endpoint. Initially a statically defined default configuration will be used. The default configuration has cliffs of 10s, 30s, and 60s, with a CycleCanStartEvery of 24h. Probing results are communicated via clientmetric counters. Probing is off by default, and can be enabled via control knob. Probing is purely informational and does not yet drive any magicsock behaviors. Updates #540 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Charlotte Brandhorst-Satzkorn	ce4553b988	appc,ipn/ipnlocal: optimize preference adjustments when routes update This change allows us to perform batch modification for new route advertisements and route removals. Additionally, we now handle the case where newly added routes are covered by existing ranges. This change also introduces a new appctest package that contains some shared functions used for testing. Updates tailscale/corp#16833 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	4 months ago
James Tucker	8250582fe6	ipn/ipnlocal: make app connector configuration concurrent If there are routes changes as a side effect of an app connector configuration update, the connector configuration may want to reenter a lock, so must be started asynchronously. Updates tailscale/corp#16833 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
James Tucker	24df1ef1ee	appc,ipn/ipnlocal,types/appctype: implement control provided routes Control can now send down a set of routes along with the domains, and the routes will be advertised, with any newly overlapped routes being removed to reduce the size of the routing table. Fixes tailscale/corp#16833 Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
Joe Tsai	c25968e1c5	all: make use of ctxkey everywhere (#10846 ) Also perform minor cleanups on the ctxkey package itself. Provide guidance on when to use ctxkey.Key[T] over ctxkey.New. Also, allow for interface kinds because the value wrapping trick also happens to fix edge cases with interfaces in Go. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	5 months ago
Will Norris	236531c5fc	ipn/ipnserver: always allow Windows SYSTEM user to connect When establishing connections to the ipnserver, we validate that the local user is allowed to connect. If Tailscale is currently being managed by a different user (primarily for multi-user Windows installs), we don't allow the connection. With the new device web UI, the inbound connection is coming from tailscaled itself, which is often running as "NT AUTHORITY\SYSTEM". In this case, we still want to allow the connection, even though it doesn't match the user running the Tailscale GUI. The SYSTEM user has full access to everything on the system anyway, so this doesn't escalate privileges. Eventually, we want the device web UI to run outside of the tailscaled process, at which point this exception would probably not be needed. Updates tailscale/corp#16393 Signed-off-by: Will Norris <will@tailscale.com>	5 months ago
Rhea Ghosh	4ce33c9758	taildrop: remove breaking abstraction layers for apple (#10728 ) Removes the avoidFinalRename logic and all associated code as it is no longer required by the Apple clients. Enables resume logic to be usable for Apple clients. Fixes tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	5 months ago
Adrian Dewhurst	c05c4bdce4	ipn: apply ControlURL policy before login Unlike most prefs, the ControlURL policy needs to take effect before login. This resolves an issue where on first start, even when the ControlURL policy is set, it will generate a login URL to the Tailscale SaaS server. Updates tailscale/coral#118 Fixes #10736 Change-Id: I6da2a521f64028c15dbb6ac8175839fc3cc4e858 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	5 months ago
Andrew Dunham	d3574a350f	cmd/tailscale, ipn/ipnlocal: add 'debug dial-types' command This command allows observing whether a given dialer ("SystemDial", "UserDial", etc.) will successfully obtain a connection to a provided host, from inside tailscaled itself. This is intended to help debug a variety of issues from subnet routers to split DNS setups. Updates #9619 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie01ebb5469d3e287eac633ff656783960f697b84	5 months ago
James 'zofrex' Sanderson	10c595d962	ipn/ipnlocal: refresh node key without blocking if cap enabled (#10529 ) Updates tailscale/corp#16016 Signed-off-by: James Sanderson <jsanderson@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	5 months ago
Andrew Dunham	cae6edf485	ipn/ipnlocal: fix data race with capForcedNetfilter field Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1fdad454198d7ea4a898dbff3062818b0db35167	5 months ago
Andrew Lytvynov	2716250ee8	all: cleanup unused code, part 2 (#10670 ) And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Lytvynov	7a2eb22e94	ipn: remove use of reflect.MethodByName (#10652 ) Using reflect.MethodByName disables some linked deadcode optimizations and makes our binaries much bigger. Difference before/after this commit: ``` -rwxr-xr-x 1 awly awly 30M Dec 19 15:28 tailscaled.after* -rwxr-xr-x 1 awly awly 43M Dec 19 15:27 tailscaled.before* ``` Fixes #10627 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
James Tucker	0957258f84	appc,ipn: prevent undesirable route advertisements Individual route advertisements that are covered by existing routes are no longer advertised. If an upstream returns 0.0.0.0, 127.x, and other common unwanted addresses those are also rejected. Updates #16425 Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
Andrew Dunham	a661287c4b	util/cmpx: remove code that's in the stdlib now The cmpx.Compare function (and associated interface) are now available in the standard library as cmp.Compare. Remove our version of it and use the version from the standard library. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4be3ac63d466c05eb7a0babb25cb0d41816fbd53	5 months ago
Andrew Lytvynov	945cf836ee	ipn: apply tailnet-wide default for auto-updates (#10508 ) When auto-update setting in local Prefs is unset, apply the tailnet default value from control. This only happens once, when we apply the default (or when the user manually overrides it), tailnet default no longer affects the node. Updates #16244 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Andrew Dunham	3ae562366b	ipn/ipnlocal: fix usage of slices.Compact Fixes #10595 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4e96e9c43b8dedb5f88b03368c01b0e46723e15b	6 months ago
Adrian Dewhurst	86aa0485a6	ipn/ipnlocal, util/syspolicy: make run exit node a preference option Previously, the "RunExitNode" policy merely controlled the visibility of the "run as exit node" menu item, not the setting itself. This migrates that setting to a preference option named "AdvertiseExitNode". Updates ENG-2138 Change-Id: Ia6a125beb6b4563d380c6162637ce4088f1117a0 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Andrew Lytvynov	e25f114916	ipn,cmd/tailscale/cli: support hierarchical MaskedPrefs (#10507 ) Some fields if `ipn.Prefs` are structs. `ipn.MaskedPrefs` has a single level of boolean `*Set` flags, which doesn't map well to nested structs within `ipn.Prefs`. Change `MaskedPrefs` and `ApplyEdits` to support `FooSet` struct fields that map to a nested struct of `ipn.Prefs` like `AutoUpdates`. Each struct field in `MaskedPrefs` is just a bundle of more `Set` bool fields or other structs. This allows you to have a `Set` flag for any arbitrarily-nested field of `ipn.Prefs`. Also, make `ApplyEdits` match fields between `Prefs` and `MaskedPrefs` by name instead of order, to make it a bit less finicky. It's probably slower but `ipn.ApplyEdits` should not be in any hot path. As a result, `AutoUpdate.Check` and `AutoUpdate.Apply` fields don't clobber each other when set individually. Updates #16247 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Adrian Dewhurst	f706a3abd0	ipn/ipnlocal, util/syspolicy: add auto update policy Due to the Sparkle preference naming convention, macsys already has a policy key named "ApplyUpdates" that merely shows or hides the menu item that controls if auto updates are installed, rather than directly controlling the setting. For other platforms, we are going to use "InstallUpdates" instead because it seemed better than the other options that were considered. Updates ENG-2127 Updates tailscale/corp#16247 Change-Id: Ia6a125beb6b4563d380c6162637ce4088f1117a0 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Adrian Dewhurst	1a4d423328	ipn/ipnlocal: add additional syspolicy enforcement This adds support for enforcing exit node LAN access, DNS and subnet routes. Adding new preference policies was getting repetitive, so this turns some of the boilerplate into a table. Updates tailscale/corp#15585 Updates ENG-2240 Change-Id: Iabd3c42b0ae120b3145fac066c5caa7fc4d67824 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Adrian Dewhurst	af32d1c120	ipn/ipnlocal: better enforce system policies Previously, policies affected the default prefs for a new profile, but that does not affect existing profiles. This change ensures that policies are applied whenever preferences are loaded or changed, so a CLI or GUI client that does not respect the policies will still be overridden. Exit node IP is dropped from this PR as it was implemented elsewhere in #10172. Fixes tailscale/corp#15585 Change-Id: Ide4c3a4b00a64e43f506fa1fab70ef591407663f Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Sonia Appasamy	ac6f671c54	ipn/localapi: use clientupdate.CanAutoUpdate from serveUpdateCheck Fixes #10486 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Naman Sood	0a59754eda	linuxfw,wgengine/route,ipn: add c2n and nodeattrs to control linux netfilter Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>	6 months ago
Matt Layher	a217f1fccf	all: fix nilness issues Signed-off-by: Matt Layher <mdlayher@gmail.com>	6 months ago
Sonia Appasamy	7a4ba609d9	client/web: show features based on platform support Hiding/disabling UI features when not available on the running client. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Sonia Appasamy	bcc9b44cb1	client/web: hide admin panel links for non-tailscale control servers Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Claire Wang	8af503b0c5	syspolicy: add exit node related policies (#10172 ) Adds policy keys ExitNodeID and ExitNodeIP. Uses the policy keys to determine the exit node in preferences. Fixes tailscale/corp#15683 Signed-off-by: Claire Wang <claire@tailscale.com>	6 months ago
Sonia Appasamy	bc4e303846	ipn/ipnstate: add AllowedIPs to PeerStatus Adds AllowedIPs to PeerStatus, allowing for easier lookup of the routes allowed to be routed to a node. Will be using the AllowedIPs of the self node from the web client interface to display approval status of advertised routes. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Andrew Lytvynov	ac4b416c5b	cmd/tailscale,ipn/ipnlocal: pass available update as health message (#10420 ) To be consistent with the formatting of other warnings, pass available update health message instead of handling ClientVersion in he CLI. Fixes #10312 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Tom DNetto	8a660a6513	ipn/ipnlocal: update hostinfo when app connector state is toggled Updates: https://github.com/tailscale/corp/issues/16041 Signed-off-by: Tom DNetto <tom@tailscale.com>	6 months ago
Andrew Lytvynov	5a9e935597	clientupdate: implement update for Unraid (#10344 ) Use the [`plugin` CLI](https://forums.unraid.net/topic/72240-solved-is-there-a-way-to-installuninstall-plugins-from-script/#comment-676870) to fetch and apply the update. Updates https://github.com/tailscale/tailscale/issues/10184 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Tom DNetto	611e0a5bcc	appc,ipn/local: support wildcard when matching app-connectors Updates: ENG-2453 Signed-off-by: Tom DNetto <tom@tailscale.com>	6 months ago
Marwan Sulaiman	2dc0645368	ipn/ipnlocal,cmd/tailscale: persist tailnet name in user profile This PR starts to persist the NetMap tailnet name in SetPrefs so that tailscaled clients can use this value to disambiguate fast user switching from one tailnet to another that are under the same exact login. We will also try to backfill this information during backend starts and profile switches so that users don't have to re-authenticate their profile. The first client to use this new information is the CLI in 'tailscale switch -list' which now uses text/tabwriter to display the ID, Tailnet, and Account. Since account names are ambiguous, we allow the user to pass 'tailscale switch ID' to specify the exact tailnet they want to switch to. Updates #9286 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	7 months ago

1 2 3 4 5 ...

1311 Commits (f4e3ee53ea4605d400df2ef6b6005b026661f96b)