Use common path in unix_socket default setting

distroless has proven a mantenance burden for us, and it has caused headaches for user when trying to debug issues in the container.

And in 2023, 20MB of extra disk space are neglectible.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -6,19 +6,24 @@ labels: ["bug"]
 assignees: ""
 ---
 
-<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the bug report in this language. -->
+<!--
+Before posting a bug report, discuss the behaviour you are expecting with the Discord community
+to make sure that it is truly a bug.
+The issue tracker is not the place to ask for support or how to set up Headscale.
 
-**Bug description**
+Bug reports without the sufficient information will be closed.
+
+Headscale is a multinational community across the globe. Our language is English.
+All bug reports needs to be in English.
+-->
+
+## Bug description
 
 <!-- A clear and concise description of what the bug is. Describe the expected bahavior
   and how it is currently different. If you are unsure if it is a bug, consider discussing
   it on our Discord server first. -->
 
-**To Reproduce**
-
-<!-- Steps to reproduce the behavior. -->
-
-**Context info**
+## Environment
 
 <!-- Please add relevant information about your system. For example:
 - Version of headscale used
@@ -28,3 +33,20 @@ assignees: ""
 - The relevant config parameters you used
 - Log output
 -->
+
+- OS:
+- Headscale version:
+- Tailscale version:
+
+<!--
+We do not support running Headscale in a container nor behind a (reverse) proxy.
+If either of these are true for your environment, ask the community in Discord
+instead of filing a bug report.
+-->
+
+- [ ] Headscale is behind a (reverse) proxy
+- [ ] Headscale runs in a container
+
+## To Reproduce
+
+<!-- Steps to reproduce the behavior. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -6,12 +6,21 @@ labels: ["enhancement"]
 assignees: ""
 ---
 
-<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the feature request in this language. -->
+<!--
+We typically have a clear roadmap for what we want to improve and reserve the right
+to close feature requests that does not fit in the roadmap, or fit with the scope
+of the project, or we actually want to implement ourselves.
 
-**Feature request**
+Headscale is a multinational community across the globe. Our language is English.
+All bug reports needs to be in English.
+-->
 
-<!-- A clear and precise description of what new or changed feature you want. -->
+## Why
 
-<!-- Please include the reason, why you would need the feature. E.g. what problem
+<!-- Include the reason, why you would need the feature. E.g. what problem
   does it solve? Or which workflow is currently frustrating and will be improved by
   this? -->
+
+## Description
+
+<!-- A clear and precise description of what new or changed feature you want. -->

.github/ISSUE_TEMPLATE/other_issue.md

@@ -1,30 +0,0 @@
----
-name: "Other issue"
-about: "Report a different issue"
-title: ""
-labels: ["bug"]
-assignees: ""
----
-
-<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the issue in this language. -->
-
-<!-- If you have a question, please consider using our Discord for asking questions -->
-
-**Issue description**
-
-<!-- Please add your issue description. -->
-
-**To Reproduce**
-
-<!-- Steps to reproduce the behavior. -->
-
-**Context info**
-
-<!-- Please add relevant information about your system. For example:
-- Version of headscale used
-- Version of tailscale client
-- OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version
-- Kernel version
-- The relevant config parameters you used
-- Log output
--->

.github/pull_request_template.md

@@ -1,3 +1,15 @@
+<!--
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+This model has been chosen to reduce the risk of burnout by limiting the
+maintenance overhead of reviewing and validating third-party code.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please submit a fix to the documentation.
+-->
+
 <!-- Please tick if the following things apply. You… -->
 
 - [ ] read the [CONTRIBUTING guidelines](README.md#contributing)

.github/renovate.json

@@ -6,31 +6,27 @@
   "onboarding": false,
   "extends": ["config:base", ":rebaseStalePrs"],
   "ignorePresets": [":prHourlyLimit2"],
-  "enabledManagers": ["dockerfile", "gomod", "github-actions","regex" ],
+  "enabledManagers": ["dockerfile", "gomod", "github-actions", "regex"],
   "includeForks": true,
   "repositories": ["juanfont/headscale"],
   "platform": "github",
   "packageRules": [
     {
-        "matchDatasources": ["go"],
-        "groupName": "Go modules",
-        "groupSlug": "gomod",
-        "separateMajorMinor": false
+      "matchDatasources": ["go"],
+      "groupName": "Go modules",
+      "groupSlug": "gomod",
+      "separateMajorMinor": false
     },
     {
-        "matchDatasources": ["docker"],
-        "groupName": "Dockerfiles",
-        "groupSlug": "dockerfiles"
-    } 
+      "matchDatasources": ["docker"],
+      "groupName": "Dockerfiles",
+      "groupSlug": "dockerfiles"
+    }
   ],
   "regexManagers": [
     {
-      "fileMatch": [
-          ".github/workflows/.*.yml$"
-      ],
-      "matchStrings": [
-        "\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"
-      ],
+      "fileMatch": [".github/workflows/.*.yml$"],
+      "matchStrings": ["\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"],
       "datasourceTemplate": "golang-version",
       "depNameTemplate": "actions/go-version"
     }

.github/workflows/test-integration-derp.yml

@@ -1,35 +0,0 @@
-name: Integration Test DERP
-
-on: [pull_request]
-
-jobs:
-  integration-test-derp:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run Embedded DERP server integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --command -- make test_integration_derp

.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestCreateTailscale.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestDERPServerScenario.yaml

@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestDERPServerScenario
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestDERPServerScenario$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestEnablingRoutes.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestEphemeral.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestExpireNode.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestHeadscale.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPingAllByHostname.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPingAllByIP.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestTaildrop.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestUserCommand.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.goreleaser.yml

@@ -71,7 +71,7 @@ nfpms:
         file_info:
           mode: 0644
       - src: ./docs/packaging/headscale.systemd.service
-        dst: /etc/systemd/system/headscale.service
+        dst: /usr/lib/systemd/system/headscale.service
       - dst: /var/lib/headscale
         type: dir
       - dst: /var/run/headscale

CHANGELOG.md

@@ -4,11 +4,23 @@
 
 ### Changes
 
+## 0.22.2 (2023-05-10)
+
+### Changes
+
+- Add environment flags to enable pprof (profiling) [#1382](https://github.com/juanfont/headscale/pull/1382)
+  - Profiles are continously generated in our integration tests.
+- Fix systemd service file location in `.deb` packages [#1391](https://github.com/juanfont/headscale/pull/1391)
+- Improvements on Noise implementation [#1379](https://github.com/juanfont/headscale/pull/1379)
+- Replace node filter logic, ensuring nodes with access can see eachother [#1381](https://github.com/juanfont/headscale/pull/1381)
+- Disable (or delete) both exit routes at the same time [#1428](https://github.com/juanfont/headscale/pull/1428)
+- Ditch distroless for Docker image, create default socket dir in `/var/run/headscale` [#1450](https://github.com/juanfont/headscale/pull/1450)
+
 ## 0.22.1 (2023-04-20)
 
 ### Changes
 
-- Fix issue where SystemD could not bind to port 80 [#1365](https://github.com/juanfont/headscale/pull/1365)
+- Fix issue where systemd could not bind to port 80 [#1365](https://github.com/juanfont/headscale/pull/1365)
 
 ## 0.22.0 (2023-04-20)
 

Dockerfile

@@ -14,10 +14,12 @@ RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale
 
 # Production image
-FROM gcr.io/distroless/base-debian11
+FROM docker.io/debian:bullseye-slim
 
 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC
 
+RUN mkdir -p /var/run/headscale
+
 EXPOSE 8080/tcp
 CMD ["headscale"]

Dockerfile.debug

@@ -18,6 +18,8 @@ FROM docker.io/golang:1.20.0-bullseye
 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC
 
+RUN mkdir -p /var/run/headscale
+
 # Need to reset the entrypoint or everything will run as a busybox script
 ENTRYPOINT []
 EXPOSE 8080/tcp

Dockerfile.tailscale

@@ -1,19 +1,16 @@
-FROM ubuntu:latest
+FROM ubuntu:22.04
 
 ARG TAILSCALE_VERSION=*
 ARG TAILSCALE_CHANNEL=stable
 
 RUN apt-get update \
-    && apt-get install -y gnupg curl ssh \
-    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
+    && apt-get install -y gnupg curl ssh dnsutils ca-certificates \
+    && adduser --shell=/bin/bash ssh-it-user
+
+# Tailscale is deliberately split into a second stage so we can cash utils as a seperate layer.
+RUN curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
     && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
     && apt-get update \
-    && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \
+    && apt-get install -y tailscale=${TAILSCALE_VERSION} \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
-
-RUN adduser --shell=/bin/bash ssh-it-user
-
-ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
-RUN chmod 644 /usr/local/share/ca-certificates/server.crt
-
-RUN update-ca-certificates

Dockerfile.tailscale-HEAD

@@ -1,7 +1,7 @@
 FROM golang:latest
 
 RUN apt-get update \
-    && apt-get install -y ca-certificates dnsutils git iptables ssh \
+    && apt-get install -y dnsutils git iptables ssh ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 RUN useradd --shell=/bin/bash --create-home ssh-it-user
@@ -10,15 +10,8 @@ RUN git clone https://github.com/tailscale/tailscale.git
 
 WORKDIR /go/tailscale
 
-RUN git checkout main
-
-RUN sh build_dist.sh tailscale.com/cmd/tailscale
-RUN sh build_dist.sh tailscale.com/cmd/tailscaled
-
-RUN cp tailscale /usr/local/bin/
-RUN cp tailscaled /usr/local/bin/
-
-ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
-RUN chmod 644 /usr/local/share/ca-certificates/server.crt
-
-RUN update-ca-certificates
+RUN git checkout main \
+    && sh build_dist.sh tailscale.com/cmd/tailscale \
+    && sh build_dist.sh tailscale.com/cmd/tailscaled \
+    && cp tailscale /usr/local/bin/ \
+    && cp tailscaled /usr/local/bin/

Makefile

@@ -38,16 +38,6 @@ test_integration_cli:
 		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
 		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
 
-test_integration_derp:
-	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
-	docker network create headscale-test || true
-	docker run -t --rm \
-		--network headscale-test \
-		-v ~/.cache/hs-integration-go:/go \
-		-v $$PWD:$$PWD -w $$PWD \
-		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
-
 test_integration_v2_general:
 	docker run \
 		-t --rm \

README.md

@@ -32,22 +32,18 @@ organisation.
 
 ## Design goal
 
-`headscale` aims to implement a self-hosted, open source alternative to the Tailscale
-control server. `headscale` has a narrower scope and an instance of `headscale`
-implements a _single_ Tailnet, which is typically what a single organisation, or
-home/personal setup would use.
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale
+control server.
+Headscale's goal is to provide self-hosters and hobbyists with an open-source
+server they can use for their projects and labs.
+It implements a narrow scope, a single Tailnet, suitable for a personal use, or a small
+open-source organisation.
 
-`headscale` uses terms that maps to Tailscale's control server, consult the
-[glossary](./docs/glossary.md) for explainations.
-
-## Support
+## Supporting Headscale
 
 If you like `headscale` and find it useful, there is a sponsorship and donation
 buttons available in the repo.
 
-If you would like to sponsor features, bugs or prioritisation, reach out to
-one of the maintainers.
-
 ## Features
 
 - Full "base" support of Tailscale's features
@@ -79,16 +75,10 @@ one of the maintainers.
 
 ## Running headscale
 
-Please have a look at the documentation under [`docs/`](docs/).
+**Please note that we do not support nor encourage the use of reverse proxies
+and container to run Headscale.**
 
-## Graphical Control Panels
-
-Headscale provides an API for complete management of your Tailnet.
-These are community projects not directly affiliated with the Headscale project.
-
-| Name            | Repository Link                                      | Description                                            | Status |
-| --------------- | ---------------------------------------------------- | ------------------------------------------------------ | ------ |
-| headscale-webui | [Github](https://github.com/ifargle/headscale-webui) | A simple Headscale web UI for small-scale deployments. | Alpha  |
+Please have a look at the [`documentation`](https://headscale.net/).
 
 ## Talks
 
@@ -97,11 +87,23 @@ These are community projects not directly affiliated with the Headscale project.
 
 ## Disclaimer
 
-1. We have nothing to do with Tailscale, or Tailscale Inc.
+1. This project is not associated with Tailscale Inc.
 2. The purpose of Headscale is maintaining a working, self-hosted Tailscale control panel.
 
 ## Contributing
 
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+This model has been chosen to reduce the risk of burnout by limiting the
+maintenance overhead of reviewing and validating third-party code.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please submit a fix to the documentation.
+
+### Requirements
+
 To contribute to headscale you would need the lastest version of [Go](https://golang.org)
 and [Buf](https://buf.build)(Protobuf generator).
 
@@ -109,8 +111,6 @@ We recommend using [Nix](https://nixos.org/) to setup a development environment.
 be done with `nix develop`, which will install the tools and give you a shell.
 This guarantees that you will have the same dev env as `headscale` maintainers.
 
-PRs and suggestions are welcome.
-
 ### Code style
 
 To ensure we have some consistency with a growing number of contributions,

acls.go

@@ -13,7 +13,6 @@ import (
 	"time"
 
 	"github.com/rs/zerolog/log"
-	"github.com/samber/lo"
 	"github.com/tailscale/hujson"
 	"go4.org/netipx"
 	"gopkg.in/yaml.v3"
@@ -128,21 +127,14 @@ func (h *Headscale) UpdateACLRules() error {
 		return errEmptyPolicy
 	}
 
-	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
+	rules, err := h.aclPolicy.generateFilterRules(machines, h.cfg.OIDC.StripEmaildomain)
 	if err != nil {
 		return err
 	}
+
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules
 
-	// Precompute a map of which sources can reach each destination, this is
-	// to provide quicker lookup when we calculate the peerlist for the map
-	// response to nodes.
-	aclPeerCacheMap := generateACLPeerCacheMap(rules)
-	h.aclPeerCacheMapRW.Lock()
-	h.aclPeerCacheMap = aclPeerCacheMap
-	h.aclPeerCacheMapRW.Unlock()
-
 	if featureEnableSSH() {
 		sshRules, err := h.generateSSHRules()
 		if err != nil {
@@ -160,91 +152,28 @@ func (h *Headscale) UpdateACLRules() error {
 	return nil
 }
 
-// generateACLPeerCacheMap takes a list of Tailscale filter rules and generates a map
-// of which Sources ("*" and IPs) can access destinations. This is to speed up the
-// process of generating MapResponses when deciding which Peers to inform nodes about.
-func generateACLPeerCacheMap(rules []tailcfg.FilterRule) map[string]map[string]struct{} {
-	aclCachePeerMap := make(map[string]map[string]struct{})
-	for _, rule := range rules {
-		for _, srcIP := range rule.SrcIPs {
-			for _, ip := range expandACLPeerAddr(srcIP) {
-				if data, ok := aclCachePeerMap[ip]; ok {
-					for _, dstPort := range rule.DstPorts {
-						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
-							data[dstIP] = struct{}{}
-						}
-					}
-				} else {
-					dstPortsMap := make(map[string]struct{}, len(rule.DstPorts))
-					for _, dstPort := range rule.DstPorts {
-						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
-							dstPortsMap[dstIP] = struct{}{}
-						}
-					}
-					aclCachePeerMap[ip] = dstPortsMap
-				}
-			}
-		}
-	}
-
-	log.Trace().Interface("ACL Cache Map", aclCachePeerMap).Msg("ACL Peer Cache Map generated")
-
-	return aclCachePeerMap
-}
-
-// expandACLPeerAddr takes a "tailcfg.FilterRule" "IP" and expands it into
-// something our cache logic can look up, which is "*" or single IP addresses.
-// This is probably quite inefficient, but it is a result of
-// "make it work, then make it fast", and a lot of the ACL stuff does not
-// work, but people have tried to make it fast.
-func expandACLPeerAddr(srcIP string) []string {
-	if ip, err := netip.ParseAddr(srcIP); err == nil {
-		return []string{ip.String()}
-	}
-
-	if cidr, err := netip.ParsePrefix(srcIP); err == nil {
-		addrs := []string{}
-
-		ipRange := netipx.RangeOfPrefix(cidr)
-
-		from := ipRange.From()
-		too := ipRange.To()
-
-		if from == too {
-			return []string{from.String()}
-		}
-
-		for from != too && from.Less(too) {
-			addrs = append(addrs, from.String())
-			from = from.Next()
-		}
-		addrs = append(addrs, too.String()) // Add the last IP address in the range
-
-		return addrs
-	}
-
-	// probably "*" or other string based "IP"
-	return []string{srcIP}
-}
-
-func generateACLRules(
+// generateFilterRules takes a set of machines and an ACLPolicy and generates a
+// set of Tailscale compatible FilterRules used to allow traffic on clients.
+func (pol *ACLPolicy) generateFilterRules(
 	machines []Machine,
-	aclPolicy ACLPolicy,
-	stripEmaildomain bool,
+	stripEmailDomain bool,
 ) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}
 
-	for index, acl := range aclPolicy.ACLs {
+	for index, acl := range pol.ACLs {
 		if acl.Action != "accept" {
 			return nil, errInvalidAction
 		}
 
 		srcIPs := []string{}
-		for innerIndex, src := range acl.Sources {
-			srcs, err := generateACLPolicySrc(machines, aclPolicy, src, stripEmaildomain)
+		for srcIndex, src := range acl.Sources {
+			srcs, err := pol.getIPsFromSource(src, machines, stripEmailDomain)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
+					Interface("src", src).
+					Int("ACL index", index).
+					Int("Src index", srcIndex).
+					Msgf("Error parsing ACL")
 
 				return nil, err
 			}
@@ -260,17 +189,19 @@ func generateACLRules(
 		}
 
 		destPorts := []tailcfg.NetPortRange{}
-		for innerIndex, dest := range acl.Destinations {
-			dests, err := generateACLPolicyDest(
-				machines,
-				aclPolicy,
+		for destIndex, dest := range acl.Destinations {
+			dests, err := pol.getNetPortRangeFromDestination(
 				dest,
+				machines,
 				needsWildcard,
-				stripEmaildomain,
+				stripEmailDomain,
 			)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)
+					Interface("dest", dest).
+					Int("ACL index", index).
+					Int("dest index", destIndex).
+					Msgf("Error parsing ACL")
 
 				return nil, err
 			}
@@ -341,22 +272,41 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 
 		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
 		for innerIndex, rawSrc := range sshACL.Sources {
-			expandedSrcs, err := expandAlias(
-				machines,
-				*h.aclPolicy,
-				rawSrc,
-				h.cfg.OIDC.StripEmaildomain,
-			)
-			if err != nil {
-				log.Error().
-					Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
-
-				return nil, err
-			}
-			for _, expandedSrc := range expandedSrcs {
+			if isWildcard(rawSrc) {
 				principals = append(principals, &tailcfg.SSHPrincipal{
-					NodeIP: expandedSrc,
+					Any: true,
 				})
+			} else if isGroup(rawSrc) {
+				users, err := h.aclPolicy.getUsersInGroup(rawSrc, h.cfg.OIDC.StripEmaildomain)
+				if err != nil {
+					log.Error().
+						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
+
+					return nil, err
+				}
+
+				for _, user := range users {
+					principals = append(principals, &tailcfg.SSHPrincipal{
+						UserLogin: user,
+					})
+				}
+			} else {
+				expandedSrcs, err := h.aclPolicy.expandAlias(
+					machines,
+					rawSrc,
+					h.cfg.OIDC.StripEmaildomain,
+				)
+				if err != nil {
+					log.Error().
+						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
+
+					return nil, err
+				}
+				for _, expandedSrc := range expandedSrcs.Prefixes() {
+					principals = append(principals, &tailcfg.SSHPrincipal{
+						NodeIP: expandedSrc.Addr().String(),
+					})
+				}
 			}
 		}
 
@@ -365,10 +315,9 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 			userMap[user] = "="
 		}
 		rules = append(rules, &tailcfg.SSHRule{
-			RuleExpires: nil,
-			Principals:  principals,
-			SSHUsers:    userMap,
-			Action:      &action,
+			Principals: principals,
+			SSHUsers:   userMap,
+			Action:     &action,
 		})
 	}
 
@@ -392,19 +341,32 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 	}, nil
 }
 
-func generateACLPolicySrc(
-	machines []Machine,
-	aclPolicy ACLPolicy,
+// getIPsFromSource returns a set of Source IPs that would be associated
+// with the given src alias.
+func (pol *ACLPolicy) getIPsFromSource(
 	src string,
+	machines []Machine,
 	stripEmaildomain bool,
 ) ([]string, error) {
-	return expandAlias(machines, aclPolicy, src, stripEmaildomain)
+	ipSet, err := pol.expandAlias(machines, src, stripEmaildomain)
+	if err != nil {
+		return []string{}, err
+	}
+
+	prefixes := []string{}
+
+	for _, prefix := range ipSet.Prefixes() {
+		prefixes = append(prefixes, prefix.String())
+	}
+
+	return prefixes, nil
 }
 
-func generateACLPolicyDest(
-	machines []Machine,
-	aclPolicy ACLPolicy,
+// getNetPortRangeFromDestination returns a set of tailcfg.NetPortRange
+// which are associated with the dest alias.
+func (pol *ACLPolicy) getNetPortRangeFromDestination(
 	dest string,
+	machines []Machine,
 	needsWildcard bool,
 	stripEmaildomain bool,
 ) ([]tailcfg.NetPortRange, error) {
@@ -451,9 +413,8 @@ func generateACLPolicyDest(
 		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
 	}
 
-	expanded, err := expandAlias(
+	expanded, err := pol.expandAlias(
 		machines,
-		aclPolicy,
 		alias,
 		stripEmaildomain,
 	)
@@ -466,11 +427,11 @@ func generateACLPolicyDest(
 	}
 
 	dests := []tailcfg.NetPortRange{}
-	for _, d := range expanded {
-		for _, p := range *ports {
+	for _, dest := range expanded.Prefixes() {
+		for _, port := range *ports {
 			pr := tailcfg.NetPortRange{
-				IP:    d,
-				Ports: p,
+				IP:    dest.String(),
+				Ports: port,
 			}
 			dests = append(dests, pr)
 		}
@@ -537,135 +498,64 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 // - an ip
 // - a cidr
 // and transform these in IPAddresses.
-func expandAlias(
+func (pol *ACLPolicy) expandAlias(
 	machines Machines,
-	aclPolicy ACLPolicy,
 	alias string,
 	stripEmailDomain bool,
-) ([]string, error) {
-	ips := []string{}
-	if alias == "*" {
-		return []string{"*"}, nil
+) (*netipx.IPSet, error) {
+	if isWildcard(alias) {
+		return parseIPSet("*", nil)
 	}
 
+	build := netipx.IPSetBuilder{}
+
 	log.Debug().
 		Str("alias", alias).
 		Msg("Expanding")
 
-	if strings.HasPrefix(alias, "group:") {
-		users, err := expandGroup(aclPolicy, alias, stripEmailDomain)
-		if err != nil {
-			return ips, err
-		}
-		for _, n := range users {
-			nodes := filterMachinesByUser(machines, n)
-			for _, node := range nodes {
-				ips = append(ips, node.IPAddresses.ToStringSlice()...)
-			}
-		}
-
-		return ips, nil
+	// if alias is a group
+	if isGroup(alias) {
+		return pol.getIPsFromGroup(alias, machines, stripEmailDomain)
 	}
 
-	if strings.HasPrefix(alias, "tag:") {
-		// check for forced tags
-		for _, machine := range machines {
-			if contains(machine.ForcedTags, alias) {
-				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-			}
-		}
-
-		// find tag owners
-		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
-		if err != nil {
-			if errors.Is(err, errInvalidTag) {
-				if len(ips) == 0 {
-					return ips, fmt.Errorf(
-						"%w. %v isn't owned by a TagOwner and no forced tags are defined",
-						errInvalidTag,
-						alias,
-					)
-				}
-
-				return ips, nil
-			} else {
-				return ips, err
-			}
-		}
-
-		// filter out machines per tag owner
-		for _, user := range owners {
-			machines := filterMachinesByUser(machines, user)
-			for _, machine := range machines {
-				hi := machine.GetHostInfo()
-				if contains(hi.RequestTags, alias) {
-					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-				}
-			}
-		}
-
-		return ips, nil
+	// if alias is a tag
+	if isTag(alias) {
+		return pol.getIPsFromTag(alias, machines, stripEmailDomain)
 	}
 
 	// if alias is a user
-	nodes := filterMachinesByUser(machines, alias)
-	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
-
-	for _, n := range nodes {
-		ips = append(ips, n.IPAddresses.ToStringSlice()...)
-	}
-	if len(ips) > 0 {
-		return ips, nil
+	if ips, err := pol.getIPsForUser(alias, machines, stripEmailDomain); ips != nil {
+		return ips, err
 	}
 
 	// if alias is an host
-	if h, ok := aclPolicy.Hosts[alias]; ok {
+	// Note, this is recursive.
+	if h, ok := pol.Hosts[alias]; ok {
 		log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
 
-		return expandAlias(machines, aclPolicy, h.String(), stripEmailDomain)
+		return pol.expandAlias(machines, h.String(), stripEmailDomain)
 	}
 
 	// if alias is an IP
 	if ip, err := netip.ParseAddr(alias); err == nil {
-		log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
-		ips := []string{ip.String()}
-		matches := machines.FilterByIP(ip)
-
-		for _, machine := range matches {
-			ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-		}
-
-		return lo.Uniq(ips), nil
+		return pol.getIPsFromSingleIP(ip, machines)
 	}
 
-	if cidr, err := netip.ParsePrefix(alias); err == nil {
-		log.Trace().Str("cidr", cidr.String()).Msg("expandAlias got cidr")
-		val := []string{cidr.String()}
-		// This is suboptimal and quite expensive, but if we only add the cidr, we will miss all the relevant IPv6
-		// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
-		for _, machine := range machines {
-			for _, ip := range machine.IPAddresses {
-				// log.Trace().
-				// 	Msgf("checking if machine ip (%s) is part of cidr (%s): %v, is single ip cidr (%v), addr: %s", ip.String(), cidr.String(), cidr.Contains(ip), cidr.IsSingleIP(), cidr.Addr().String())
-				if cidr.Contains(ip) {
-					val = append(val, machine.IPAddresses.ToStringSlice()...)
-				}
-			}
-		}
-
-		return lo.Uniq(val), nil
+	// if alias is an IP Prefix (CIDR)
+	if prefix, err := netip.ParsePrefix(alias); err == nil {
+		return pol.getIPsFromIPPrefix(prefix, machines)
 	}
 
 	log.Warn().Msgf("No IPs found with the alias %v", alias)
 
-	return ips, nil
+	return build.IPSet()
 }
 
 // excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
 // that are correctly tagged since they should not be listed as being in the user
 // we assume in this function that we only have nodes from 1 user.
 func excludeCorrectlyTaggedNodes(
-	aclPolicy ACLPolicy,
+	aclPolicy *ACLPolicy,
 	nodes []Machine,
 	user string,
 	stripEmailDomain bool,
@@ -673,7 +563,7 @@ func excludeCorrectlyTaggedNodes(
 	out := []Machine{}
 	tags := []string{}
 	for tag := range aclPolicy.TagOwners {
-		owners, _ := expandTagOwners(aclPolicy, user, stripEmailDomain)
+		owners, _ := getTagOwners(aclPolicy, user, stripEmailDomain)
 		ns := append(owners, user)
 		if contains(ns, user) {
 			tags = append(tags, tag)
@@ -703,7 +593,7 @@ func excludeCorrectlyTaggedNodes(
 }
 
 func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
-	if portsStr == "*" {
+	if isWildcard(portsStr) {
 		return &[]tailcfg.PortRange{
 			{First: portRangeBegin, Last: portRangeEnd},
 		}, nil
@@ -761,15 +651,15 @@ func filterMachinesByUser(machines []Machine, user string) []Machine {
 	return out
 }
 
-// expandTagOwners will return a list of user. An owner can be either a user or a group
+// getTagOwners will return a list of user. An owner can be either a user or a group
 // a group cannot be composed of groups.
-func expandTagOwners(
-	aclPolicy ACLPolicy,
+func getTagOwners(
+	pol *ACLPolicy,
 	tag string,
 	stripEmailDomain bool,
 ) ([]string, error) {
 	var owners []string
-	ows, ok := aclPolicy.TagOwners[tag]
+	ows, ok := pol.TagOwners[tag]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
@@ -778,8 +668,8 @@ func expandTagOwners(
 		)
 	}
 	for _, owner := range ows {
-		if strings.HasPrefix(owner, "group:") {
-			gs, err := expandGroup(aclPolicy, owner, stripEmailDomain)
+		if isGroup(owner) {
+			gs, err := pol.getUsersInGroup(owner, stripEmailDomain)
 			if err != nil {
 				return []string{}, err
 			}
@@ -792,15 +682,15 @@ func expandTagOwners(
 	return owners, nil
 }
 
-// expandGroup will return the list of user inside the group
+// getUsersInGroup will return the list of user inside the group
 // after some validation.
-func expandGroup(
-	aclPolicy ACLPolicy,
+func (pol *ACLPolicy) getUsersInGroup(
 	group string,
 	stripEmailDomain bool,
 ) ([]string, error) {
-	outGroups := []string{}
-	aclGroups, ok := aclPolicy.Groups[group]
+	users := []string{}
+	log.Trace().Caller().Interface("pol", pol).Msg("test")
+	aclGroups, ok := pol.Groups[group]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"group %v isn't registered. %w",
@@ -809,7 +699,7 @@ func expandGroup(
 		)
 	}
 	for _, group := range aclGroups {
-		if strings.HasPrefix(group, "group:") {
+		if isGroup(group) {
 			return []string{}, fmt.Errorf(
 				"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups",
 				errInvalidGroup,
@@ -823,8 +713,151 @@ func expandGroup(
 				errInvalidGroup,
 			)
 		}
-		outGroups = append(outGroups, grp)
+		users = append(users, grp)
 	}
 
-	return outGroups, nil
+	return users, nil
+}
+
+func (pol *ACLPolicy) getIPsFromGroup(
+	group string,
+	machines Machines,
+	stripEmailDomain bool,
+) (*netipx.IPSet, error) {
+	build := netipx.IPSetBuilder{}
+
+	users, err := pol.getUsersInGroup(group, stripEmailDomain)
+	if err != nil {
+		return &netipx.IPSet{}, err
+	}
+	for _, user := range users {
+		filteredMachines := filterMachinesByUser(machines, user)
+		for _, machine := range filteredMachines {
+			machine.IPAddresses.AppendToIPSet(&build)
+		}
+	}
+
+	return build.IPSet()
+}
+
+func (pol *ACLPolicy) getIPsFromTag(
+	alias string,
+	machines Machines,
+	stripEmailDomain bool,
+) (*netipx.IPSet, error) {
+	build := netipx.IPSetBuilder{}
+
+	// check for forced tags
+	for _, machine := range machines {
+		if contains(machine.ForcedTags, alias) {
+			machine.IPAddresses.AppendToIPSet(&build)
+		}
+	}
+
+	// find tag owners
+	owners, err := getTagOwners(pol, alias, stripEmailDomain)
+	if err != nil {
+		if errors.Is(err, errInvalidTag) {
+			ipSet, _ := build.IPSet()
+			if len(ipSet.Prefixes()) == 0 {
+				return ipSet, fmt.Errorf(
+					"%w. %v isn't owned by a TagOwner and no forced tags are defined",
+					errInvalidTag,
+					alias,
+				)
+			}
+
+			return build.IPSet()
+		} else {
+			return nil, err
+		}
+	}
+
+	// filter out machines per tag owner
+	for _, user := range owners {
+		machines := filterMachinesByUser(machines, user)
+		for _, machine := range machines {
+			hi := machine.GetHostInfo()
+			if contains(hi.RequestTags, alias) {
+				machine.IPAddresses.AppendToIPSet(&build)
+			}
+		}
+	}
+
+	return build.IPSet()
+}
+
+func (pol *ACLPolicy) getIPsForUser(
+	user string,
+	machines Machines,
+	stripEmailDomain bool,
+) (*netipx.IPSet, error) {
+	build := netipx.IPSetBuilder{}
+
+	filteredMachines := filterMachinesByUser(machines, user)
+	filteredMachines = excludeCorrectlyTaggedNodes(pol, filteredMachines, user, stripEmailDomain)
+
+	// shortcurcuit if we have no machines to get ips from.
+	if len(filteredMachines) == 0 {
+		return nil, nil //nolint
+	}
+
+	for _, machine := range filteredMachines {
+		machine.IPAddresses.AppendToIPSet(&build)
+	}
+
+	return build.IPSet()
+}
+
+func (pol *ACLPolicy) getIPsFromSingleIP(
+	ip netip.Addr,
+	machines Machines,
+) (*netipx.IPSet, error) {
+	log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
+
+	matches := machines.FilterByIP(ip)
+
+	build := netipx.IPSetBuilder{}
+	build.Add(ip)
+
+	for _, machine := range matches {
+		machine.IPAddresses.AppendToIPSet(&build)
+	}
+
+	return build.IPSet()
+}
+
+func (pol *ACLPolicy) getIPsFromIPPrefix(
+	prefix netip.Prefix,
+	machines Machines,
+) (*netipx.IPSet, error) {
+	log.Trace().Str("prefix", prefix.String()).Msg("expandAlias got prefix")
+	build := netipx.IPSetBuilder{}
+	build.AddPrefix(prefix)
+
+	// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
+	// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
+	for _, machine := range machines {
+		for _, ip := range machine.IPAddresses {
+			// log.Trace().
+			// 	Msgf("checking if machine ip (%s) is part of prefix (%s): %v, is single ip prefix (%v), addr: %s", ip.String(), prefix.String(), prefix.Contains(ip), prefix.IsSingleIP(), prefix.Addr().String())
+			if prefix.Contains(ip) {
+				machine.IPAddresses.AppendToIPSet(&build)
+			}
+		}
+	}
+
+	return build.IPSet()
+}
+
+func isWildcard(str string) bool {
+	return str == "*"
+}
+
+func isGroup(str string) bool {
+	return strings.HasPrefix(str, "group:")
+}
+
+func isTag(str string) bool {
+	return strings.HasPrefix(str, "tag:")
 }

acls_types.go

@@ -111,8 +111,8 @@ func (hosts *Hosts) UnmarshalYAML(data []byte) error {
 }
 
 // IsZero is perhaps a bit naive here.
-func (policy ACLPolicy) IsZero() bool {
-	if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 {
+func (pol ACLPolicy) IsZero() bool {
+	if len(pol.Groups) == 0 && len(pol.Hosts) == 0 && len(pol.ACLs) == 0 {
 		return true
 	}
 

app.go

@@ -84,11 +84,9 @@ type Headscale struct {
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *DERPServer
 
-	aclPolicy         *ACLPolicy
-	aclRules          []tailcfg.FilterRule
-	aclPeerCacheMapRW sync.RWMutex
-	aclPeerCacheMap   map[string]map[string]struct{}
-	sshPolicy         *tailcfg.SSHPolicy
+	aclPolicy *ACLPolicy
+	aclRules  []tailcfg.FilterRule
+	sshPolicy *tailcfg.SSHPolicy
 
 	lastStateChange *xsync.MapOf[string, time.Time]
 
@@ -820,7 +818,6 @@ func (h *Headscale) Serve() error {
 
 				// And we're done:
 				cancel()
-				os.Exit(0)
 			}
 		}
 	}

cmd/build-docker-img/main.go

@@ -0,0 +1,47 @@
+package main
+
+import (
+	"log"
+
+	"github.com/juanfont/headscale/integration"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/ory/dockertest/v3"
+)
+
+func main() {
+	log.Printf("creating docker pool")
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		log.Fatalf("could not connect to docker: %s", err)
+	}
+
+	log.Printf("creating docker network")
+	network, err := pool.CreateNetwork("docker-integration-net")
+	if err != nil {
+		log.Fatalf("failed to create or get network: %s", err)
+	}
+
+	for _, version := range integration.TailscaleVersions {
+		log.Printf("creating container image for Tailscale (%s)", version)
+
+		tsClient, err := tsic.New(
+			pool,
+			version,
+			network,
+		)
+		if err != nil {
+			log.Fatalf("failed to create tailscale node: %s", err)
+		}
+
+		err = tsClient.Shutdown()
+		if err != nil {
+			log.Fatalf("failed to shut down container: %s", err)
+		}
+	}
+
+	network.Close()
+	err = pool.RemoveNetwork(network)
+	if err != nil {
+		log.Fatalf("failed to remove network: %s", err)
+	}
+}

cmd/gh-action-integration-generator/main.go

@@ -76,6 +76,12 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
 `),
 	)
 )

cmd/headscale/headscale.go

@@ -6,11 +6,25 @@ import (
 
 	"github.com/efekarakus/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
+	"github.com/pkg/profile"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )
 
 func main() {
+	if _, enableProfile := os.LookupEnv("HEADSCALE_PROFILING_ENABLED"); enableProfile {
+		if profilePath, ok := os.LookupEnv("HEADSCALE_PROFILING_PATH"); ok {
+			err := os.MkdirAll(profilePath, os.ModePerm)
+			if err != nil {
+				log.Fatal().Err(err).Msg("failed to create profiling directory")
+			}
+
+			defer profile.Start(profile.ProfilePath(profilePath)).Stop()
+		} else {
+			defer profile.Start().Stop()
+		}
+	}
+
 	var colors bool
 	switch l := termcolor.SupportLevel(os.Stderr); l {
 	case termcolor.Level16M:

config-example.yaml

@@ -58,11 +58,12 @@ noise:
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
-# While this looks like it can take arbitrary values, it
-# needs to be within IP ranges supported by the Tailscale
-# client.
+# It must be within IP ranges supported by the Tailscale
+# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+# See below:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+# Any other range is NOT supported, and it will cause unexpected issues.
 ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10

config.go

@@ -16,6 +16,7 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
 	"go4.org/netipx"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 )
@@ -174,7 +175,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("derp.server.enabled", false)
 	viper.SetDefault("derp.server.stun.enabled", true)
 
-	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
+	viper.SetDefault("unix_socket", "/var/run/headscale/headscale.sock")
 	viper.SetDefault("unix_socket_permission", "0o770")
 
 	viper.SetDefault("grpc_listen_addr", ":50443")
@@ -515,6 +516,29 @@ func GetHeadscaleConfig() (*Config, error) {
 		if err != nil {
 			panic(fmt.Errorf("failed to parse ip_prefixes[%d]: %w", i, err))
 		}
+
+		if prefix.Addr().Is4() {
+			builder := netipx.IPSetBuilder{}
+			builder.AddPrefix(tsaddr.CGNATRange())
+			ipSet, _ := builder.IPSet()
+			if !ipSet.ContainsPrefix(prefix) {
+				log.Warn().
+					Msgf("Prefix %s is not in the %s range. This is an unsupported configuration.",
+						prefixInConfig, tsaddr.CGNATRange())
+			}
+		}
+
+		if prefix.Addr().Is6() {
+			builder := netipx.IPSetBuilder{}
+			builder.AddPrefix(tsaddr.TailscaleULARange())
+			ipSet, _ := builder.IPSet()
+			if !ipSet.ContainsPrefix(prefix) {
+				log.Warn().
+					Msgf("Prefix %s is not in the %s range. This is an unsupported configuration.",
+						prefixInConfig, tsaddr.TailscaleULARange())
+			}
+		}
+
 		parsedPrefixes = append(parsedPrefixes, prefix)
 	}
 

docs/exit-node.md

@@ -14,6 +14,8 @@ If the node is already registered, it can advertise exit capabilities like this:
 $ sudo tailscale set --advertise-exit-node
 ```
 
+To use a node as an exit node, IP forwarding must be enabled on the node. Check the official [Tailscale documentation](https://tailscale.com/kb/1019/subnets/?tab=linux#enable-ip-forwarding) for how to enable IP fowarding.
+
 ## On the control server
 
 ```console

docs/faq.md

@@ -0,0 +1,53 @@
+---
+hide:
+  - navigation
+---
+
+# Frequently Asked Questions
+
+## What is the design goal of headscale?
+
+`headscale` aims to implement a self-hosted, open source alternative to the [Tailscale](https://tailscale.com/)
+control server.
+`headscale`'s goal is to provide self-hosters and hobbyists with an open-source
+server they can use for their projects and labs.
+It implements a narrow scope, a _single_ Tailnet, suitable for a personal use, or a small
+open-source organisation.
+
+## How can I contribute?
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please also submit a fix to the documentation.
+
+## Why is 'acknowledged contribution' the chosen model?
+
+Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
+
+We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
+
+## When/Why is Feature X going to be implemented?
+
+We don't know. We might be working on it. If you want to help, please send us a PR.
+
+Please be aware that there are a number of reasons why we might not accept specific contributions:
+
+- It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
+- Given that we are reverse-engineering Tailscale to satify our own curiosity, we might be interested in implementing the feature ourselves.
+- You are not sending unit and integration tests with it.
+
+## Do you support Y method of deploying Headscale?
+
+We currently support deploying `headscale` using our binaries and the DEB packages. Both can be found in the
+[GitHub releases page](https://github.com/juanfont/headscale/releases).
+
+In addition to that, there are semi-official RPM packages by the Fedora infra team https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/
+
+For convenience, we also build Docker images with `headscale`. But **please be aware that we don't officially support deploying `headscale` using Docker**. We have a [Discord channel](https://discord.com/channels/896711691637780480/1070619770942148618) where you can ask for Docker-specific help to the community.
+
+## Why is my reverse proxy not working with Headscale?
+
+We don't know. We don't use reverse proxies with `headscale` ourselves, so we don't have any experience with them. We have [community documentation](https://headscale.net/reverse-proxy/) on how to configure various reverse proxies, and a dedicated [Discord channel](https://discord.com/channels/896711691637780480/1070619818346164324) where you can ask for help to the community.

docs/index.md

@@ -4,9 +4,40 @@ hide:
   - toc
 ---
 
-# headscale documentation
+# headscale
 
-This site contains the official and community contributed documentation for `headscale`.
+`headscale` is an open source, self-hosted implementation of the Tailscale control server.
 
-If you are having trouble with following the documentation or get unexpected results,
-please ask on [Discord](https://discord.gg/c84AZQhmpx) instead of opening an Issue.
+This page contains the documentation for the latest version of headscale. Please also check our [FAQ](/faq/).
+
+Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat and community support.
+
+## Design goal
+
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale
+control server.
+Headscale's goal is to provide self-hosters and hobbyists with an open-source
+server they can use for their projects and labs.
+It implements a narrower scope, a single Tailnet, suitable for a personal use, or a small
+open-source organisation.
+
+## Supporting headscale
+
+If you like `headscale` and find it useful, there is a sponsorship and donation
+buttons available in the repo.
+
+## Contributing
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+This model has been chosen to reduce the risk of burnout by limiting the
+maintenance overhead of reviewing and validating third-party code.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please submit a fix to the documentation.
+
+## About
+
+`headscale` is maintained by [Kristoffer Dalby](https://kradalby.no/) and [Juan Font](https://font.eu).

docs/running-headscale-linux.md

@@ -20,7 +20,7 @@ configuration (`/etc/headscale/config.yaml`).
 
 ## Installation
 
-1. Download the lastest Headscale package for your platform (`.deb` for Ubuntu and Debian) from [Headscale's releases page]():
+1. Download the lastest Headscale package for your platform (`.deb` for Ubuntu and Debian) from [Headscale's releases page](https://github.com/juanfont/headscale/releases):
 
 ```shell
 wget --output-document=headscale.deb \

docs/web-ui.md

@@ -0,0 +1,14 @@
+# Headscale web interface
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the Headscale authors and are written by community members.
+
+| Name            | Repository Link                                         | Description                                                               | Status |
+| --------------- | ------------------------------------------------------- | ------------------------------------------------------------------------- | ------ |
+| headscale-webui | [Github](https://github.com/ifargle/headscale-webui)    | A simple Headscale web UI for small-scale deployments.                    | Alpha  |
+| headscale-ui    | [Github](https://github.com/gurucomputing/headscale-ui) | A web frontend for the headscale Tailscale-compatible coordination server | Alpha  |
+| HeadscaleUi     | [GitHub](https://github.com/simcu/headscale-ui)         | A static headscale admin ui, no backend enviroment required               | Alpha  |
+
+You can ask for support on our dedicated [Discord channel](https://discord.com/channels/896711691637780480/1105842846386356294).

flake.nix

@@ -36,7 +36,7 @@
 
             # When updating go.mod or go.sum, a new sha will need to be calculated,
             # update this if you have a mismatch after doing a change to thos files.
-            vendorSha256 = "sha256-+JxS4Q6rTpdBwms2nkVDY/Kluv2qu2T0BaOIjfeX85M=";
+            vendorSha256 = "sha256-cmDNYWYTgQp6CPgpL4d3TbkpAe7rhNAF+o8njJsgL7E=";
 
             ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
           };
@@ -99,6 +99,11 @@
             goreleaser
             nfpm
             gotestsum
+            gotests
+
+            # 'dot' is needed for pprof graphs
+            # go tool pprof -http=: <source>
+            graphviz
 
             # Protobuf dependencies
             protobuf

go.mod

@@ -4,7 +4,6 @@ go 1.20
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.6
-	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/cenkalti/backoff/v4 v4.2.0
 	github.com/coreos/go-oidc/v3 v3.5.0
 	github.com/davecgh/go-spew v1.1.1
@@ -12,6 +11,7 @@ require (
 	github.com/efekarakus/termcolor v1.0.1
 	github.com/glebarez/sqlite v1.7.0
 	github.com/gofrs/uuid/v5 v5.0.0
+	github.com/google/go-cmp v0.5.9
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2
@@ -20,6 +20,7 @@ require (
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
+	github.com/pkg/profile v1.7.0
 	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/common v0.42.0
 	github.com/pterm/pterm v0.12.58
@@ -64,6 +65,7 @@ require (
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/glebarez/go-sqlite v1.20.3 // indirect
@@ -72,9 +74,9 @@ require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.3 // indirect
@@ -141,6 +143,7 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gotest.tools/v3 v3.4.0 // indirect
 	modernc.org/libc v1.22.2 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.5.0 // indirect

go.sum

@@ -74,8 +74,6 @@ github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkU
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 h1:POmUHfxXdeyM8Aomg4tKDcwATCFuW+cYLkj6pwsw9pc=
-github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029/go.mod h1:Rpr5n9cGHYdM3S3IK8ROSUUUYjQOu+MSUCZDcJbYWi8=
 github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
 github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -129,6 +127,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
+github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
@@ -238,7 +238,9 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
+github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -272,6 +274,7 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -384,6 +387,8 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
+github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -669,6 +674,7 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -894,7 +900,8 @@ gorm.io/driver/postgres v1.4.8/go.mod h1:O9MruWGNLUBUWVYfWuBClpf3HeGjOoybY0SNmCs
 gorm.io/gorm v1.24.2/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
 gorm.io/gorm v1.24.6 h1:wy98aq9oFEetsc4CAbKD2SoBCdMzsbSIvSUUFJuHi5s=
 gorm.io/gorm v1.24.6/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
-gotest.tools/v3 v3.2.0 h1:I0DwBVMGAx26dttAj1BtJLAkVGncrkkUXfJLC4Flt/I=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

integration/acl_test.go

@@ -12,6 +12,39 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+var veryLargeDestination = []string{
+	"0.0.0.0/5:*",
+	"8.0.0.0/7:*",
+	"11.0.0.0/8:*",
+	"12.0.0.0/6:*",
+	"16.0.0.0/4:*",
+	"32.0.0.0/3:*",
+	"64.0.0.0/2:*",
+	"128.0.0.0/3:*",
+	"160.0.0.0/5:*",
+	"168.0.0.0/6:*",
+	"172.0.0.0/12:*",
+	"172.32.0.0/11:*",
+	"172.64.0.0/10:*",
+	"172.128.0.0/9:*",
+	"173.0.0.0/8:*",
+	"174.0.0.0/7:*",
+	"176.0.0.0/4:*",
+	"192.0.0.0/9:*",
+	"192.128.0.0/11:*",
+	"192.160.0.0/13:*",
+	"192.169.0.0/16:*",
+	"192.170.0.0/15:*",
+	"192.172.0.0/14:*",
+	"192.176.0.0/12:*",
+	"192.192.0.0/10:*",
+	"193.0.0.0/8:*",
+	"194.0.0.0/7:*",
+	"196.0.0.0/6:*",
+	"200.0.0.0/5:*",
+	"208.0.0.0/4:*",
+}
+
 func aclScenario(t *testing.T, policy *headscale.ACLPolicy, clientsPerUser int) *Scenario {
 	t.Helper()
 	scenario, err := NewScenario()
@@ -176,6 +209,34 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user2": 3, // ns1 + ns2 (return path)
 			},
 		},
+		"very-large-destination-prefix-1372": {
+			users: map[string]int{
+				"user1": 2,
+				"user2": 2,
+			},
+			policy: headscale.ACLPolicy{
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"user1"},
+						Destinations: append([]string{"user1:*"}, veryLargeDestination...),
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"user2"},
+						Destinations: append([]string{"user2:*"}, veryLargeDestination...),
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"user1"},
+						Destinations: append([]string{"user2:*"}, veryLargeDestination...),
+					},
+				},
+			}, want: map[string]int{
+				"user1": 3, // ns1 + ns2
+				"user2": 3, // ns1 + ns2 (return path)
+			},
+		},
 	}
 
 	for name, testCase := range tests {
@@ -188,7 +249,6 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 			err = scenario.CreateHeadscaleEnv(spec,
 				[]tsic.Option{},
 				hsic.WithACLPolicy(&testCase.policy),
-				// hsic.WithTestName(fmt.Sprintf("aclinnetmap%s", name)),
 			)
 			assert.NoError(t, err)
 
@@ -198,9 +258,6 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 			err = scenario.WaitForTailscaleSync()
 			assert.NoError(t, err)
 
-			// allHostnames, err := scenario.ListTailscaleClientsFQDNs()
-			// assert.NoError(t, err)
-
 			for _, client := range allClients {
 				status, err := client.Status()
 				assert.NoError(t, err)

integration/control.go

@@ -2,12 +2,15 @@ package integration
 
 import (
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/ory/dockertest/v3"
 )
 
 type ControlServer interface {
 	Shutdown() error
 	SaveLog(string) error
+	SaveProfile(string) error
 	Execute(command []string) (string, error)
+	ConnectToNetwork(network *dockertest.Network) error
 	GetHealthEndpoint() string
 	GetEndpoint() string
 	WaitForReady() error

integration/embedded_derp_test.go

@@ -0,0 +1,236 @@
+package integration
+
+import (
+	"fmt"
+	"log"
+	"net/url"
+	"testing"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/ory/dockertest/v3"
+)
+
+type EmbeddedDERPServerScenario struct {
+	*Scenario
+
+	tsicNetworks map[string]*dockertest.Network
+}
+
+func TestDERPServerScenario(t *testing.T) {
+	IntegrationSkip(t)
+	// t.Parallel()
+
+	baseScenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario := EmbeddedDERPServerScenario{
+		Scenario:     baseScenario,
+		tsicNetworks: map[string]*dockertest.Network{},
+	}
+
+	spec := map[string]int{
+		"user1": len(TailscaleVersions),
+	}
+
+	headscaleConfig := map[string]string{}
+	headscaleConfig["HEADSCALE_DERP_URLS"] = ""
+	headscaleConfig["HEADSCALE_DERP_SERVER_ENABLED"] = "true"
+	headscaleConfig["HEADSCALE_DERP_SERVER_REGION_ID"] = "999"
+	headscaleConfig["HEADSCALE_DERP_SERVER_REGION_CODE"] = "headscale"
+	headscaleConfig["HEADSCALE_DERP_SERVER_REGION_NAME"] = "Headscale Embedded DERP"
+	headscaleConfig["HEADSCALE_DERP_SERVER_STUN_LISTEN_ADDR"] = "0.0.0.0:3478"
+
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		hsic.WithConfigEnv(headscaleConfig),
+		hsic.WithTestName("derpserver"),
+		hsic.WithExtraPorts([]string{"3478/udp"}),
+		hsic.WithTLS(),
+		hsic.WithHostnameAsServerURL(),
+	)
+
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	allHostnames, err := scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	success := pingDerpAllHelper(t, allClients, allHostnames)
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func (s *EmbeddedDERPServerScenario) CreateHeadscaleEnv(
+	users map[string]int,
+	opts ...hsic.Option,
+) error {
+	hsServer, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	headscaleEndpoint := hsServer.GetEndpoint()
+	headscaleURL, err := url.Parse(headscaleEndpoint)
+	if err != nil {
+		return err
+	}
+
+	headscaleURL.Host = fmt.Sprintf("%s:%s", hsServer.GetHostname(), headscaleURL.Port())
+
+	err = hsServer.WaitForReady()
+	if err != nil {
+		return err
+	}
+
+	hash, err := headscale.GenerateRandomStringDNSSafe(scenarioHashLength)
+	if err != nil {
+		return err
+	}
+
+	for userName, clientCount := range users {
+		err = s.CreateUser(userName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleIsolatedNodesInUser(
+			hash,
+			userName,
+			"all",
+			clientCount,
+		)
+		if err != nil {
+			return err
+		}
+
+		key, err := s.CreatePreAuthKey(userName, true, false)
+		if err != nil {
+			return err
+		}
+
+		err = s.RunTailscaleUp(userName, headscaleURL.String(), key.GetKey())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *EmbeddedDERPServerScenario) CreateTailscaleIsolatedNodesInUser(
+	hash string,
+	userStr string,
+	requestedVersion string,
+	count int,
+	opts ...tsic.Option,
+) error {
+	hsServer, err := s.Headscale()
+	if err != nil {
+		return err
+	}
+
+	if user, ok := s.users[userStr]; ok {
+		for clientN := 0; clientN < count; clientN++ {
+			networkName := fmt.Sprintf("tsnet-%s-%s-%d",
+				hash,
+				userStr,
+				clientN,
+			)
+			network, err := dockertestutil.GetFirstOrCreateNetwork(
+				s.pool,
+				networkName,
+			)
+			if err != nil {
+				return fmt.Errorf("failed to create or get %s network: %w", networkName, err)
+			}
+
+			s.tsicNetworks[networkName] = network
+
+			err = hsServer.ConnectToNetwork(network)
+			if err != nil {
+				return fmt.Errorf("failed to connect headscale to %s network: %w", networkName, err)
+			}
+
+			version := requestedVersion
+			if requestedVersion == "all" {
+				version = TailscaleVersions[clientN%len(TailscaleVersions)]
+			}
+
+			cert := hsServer.GetCert()
+
+			user.createWaitGroup.Add(1)
+
+			opts = append(opts,
+				tsic.WithHeadscaleTLS(cert),
+			)
+
+			go func() {
+				defer user.createWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				tsClient, err := tsic.New(
+					s.pool,
+					version,
+					network,
+					opts...,
+				)
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to create tailscale node: %s", err)
+				}
+
+				err = tsClient.WaitForReady()
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to wait for tailscaled: %s", err)
+				}
+
+				user.Clients[tsClient.Hostname()] = tsClient
+			}()
+		}
+		user.createWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to add tailscale node: %w", errNoUserAvailable)
+}
+
+func (s *EmbeddedDERPServerScenario) Shutdown() error {
+	for _, network := range s.tsicNetworks {
+		err := s.pool.RemoveNetwork(network)
+		if err != nil {
+			return err
+		}
+	}
+
+	return s.Scenario.Shutdown()
+}

integration/hsic/hsic.go

@@ -15,6 +15,10 @@ import (
 	"math/big"
 	"net"
 	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"strings"
 	"time"
 
 	"github.com/davecgh/go-spew/spew"
@@ -23,6 +27,7 @@ import (
 	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
 )
 
 const (
@@ -52,6 +57,8 @@ type HeadscaleInContainer struct {
 
 	// optional config
 	port             int
+	extraPorts       []string
+	hostPortBindings map[string][]string
 	aclPolicy        *headscale.ACLPolicy
 	env              map[string]string
 	tlsCert          []byte
@@ -77,7 +84,7 @@ func WithACLPolicy(acl *headscale.ACLPolicy) Option {
 // WithTLS creates certificates and enables HTTPS.
 func WithTLS() Option {
 	return func(hsic *HeadscaleInContainer) {
-		cert, key, err := createCertificate()
+		cert, key, err := createCertificate(hsic.hostname)
 		if err != nil {
 			log.Fatalf("failed to create certificates for headscale test: %s", err)
 		}
@@ -108,6 +115,19 @@ func WithPort(port int) Option {
 	}
 }
 
+// WithExtraPorts exposes additional ports on the container (e.g. 3478/udp for STUN).
+func WithExtraPorts(ports []string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.extraPorts = ports
+	}
+}
+
+func WithHostPortBindings(bindings map[string][]string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.hostPortBindings = bindings
+	}
+}
+
 // WithTestName sets a name for the test, this will be reflected
 // in the Docker container name.
 func WithTestName(testName string) Option {
@@ -173,12 +193,25 @@ func New(
 
 	portProto := fmt.Sprintf("%d/tcp", hsic.port)
 
+	serverURL, err := url.Parse(hsic.env["HEADSCALE_SERVER_URL"])
+	if err != nil {
+		return nil, err
+	}
+
+	if len(hsic.tlsCert) != 0 && len(hsic.tlsKey) != 0 {
+		serverURL.Scheme = "https"
+		hsic.env["HEADSCALE_SERVER_URL"] = serverURL.String()
+	}
+
 	headscaleBuildOptions := &dockertest.BuildOptions{
 		Dockerfile: "Dockerfile.debug",
 		ContextDir: dockerContextPath,
 	}
 
-	env := []string{}
+	env := []string{
+		"HEADSCALE_PROFILING_ENABLED=1",
+		"HEADSCALE_PROFILING_PATH=/tmp/profile",
+	}
 	for key, value := range hsic.env {
 		env = append(env, fmt.Sprintf("%s=%s", key, value))
 	}
@@ -187,15 +220,27 @@ func New(
 
 	runOptions := &dockertest.RunOptions{
 		Name:         hsic.hostname,
-		ExposedPorts: []string{portProto},
+		ExposedPorts: append([]string{portProto}, hsic.extraPorts...),
 		Networks:     []*dockertest.Network{network},
 		// Cmd:          []string{"headscale", "serve"},
 		// TODO(kradalby): Get rid of this hack, we currently need to give us some
 		// to inject the headscale configuration further down.
-		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; headscale serve"},
+		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; headscale serve ; /bin/sleep 30"},
 		Env:        env,
 	}
 
+	if len(hsic.hostPortBindings) > 0 {
+		runOptions.PortBindings = map[docker.Port][]docker.PortBinding{}
+		for port, hostPorts := range hsic.hostPortBindings {
+			runOptions.PortBindings[docker.Port(port)] = []docker.PortBinding{}
+			for _, hostPort := range hostPorts {
+				runOptions.PortBindings[docker.Port(port)] = append(
+					runOptions.PortBindings[docker.Port(port)],
+					docker.PortBinding{HostPort: hostPort})
+			}
+		}
+	}
+
 	// dockertest isnt very good at handling containers that has already
 	// been created, this is an attempt to make sure this container isnt
 	// present.
@@ -256,12 +301,43 @@ func New(
 	return hsic, nil
 }
 
+func (t *HeadscaleInContainer) ConnectToNetwork(network *dockertest.Network) error {
+	return t.container.ConnectToNetwork(network)
+}
+
 func (t *HeadscaleInContainer) hasTLS() bool {
 	return len(t.tlsCert) != 0 && len(t.tlsKey) != 0
 }
 
 // Shutdown stops and cleans up the Headscale container.
 func (t *HeadscaleInContainer) Shutdown() error {
+	err := t.SaveLog("/tmp/control")
+	if err != nil {
+		log.Printf(
+			"Failed to save log from control: %s",
+			fmt.Errorf("failed to save log from control: %w", err),
+		)
+	}
+
+	// Send a interrupt signal to the "headscale" process inside the container
+	// allowing it to shut down gracefully and flush the profile to disk.
+	// The container will live for a bit longer due to the sleep at the end.
+	err = t.SendInterrupt()
+	if err != nil {
+		log.Printf(
+			"Failed to send graceful interrupt to control: %s",
+			fmt.Errorf("failed to send graceful interrupt to control: %w", err),
+		)
+	}
+
+	err = t.SaveProfile("/tmp/control")
+	if err != nil {
+		log.Printf(
+			"Failed to save profile from control: %s",
+			fmt.Errorf("failed to save profile from control: %w", err),
+		)
+	}
+
 	return t.pool.Purge(t.container)
 }
 
@@ -271,6 +347,24 @@ func (t *HeadscaleInContainer) SaveLog(path string) error {
 	return dockertestutil.SaveLog(t.pool, t.container, path)
 }
 
+func (t *HeadscaleInContainer) SaveProfile(savePath string) error {
+	tarFile, err := t.FetchPath("/tmp/profile")
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(
+		path.Join(savePath, t.hostname+".pprof.tar"),
+		tarFile,
+		os.ModePerm,
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // Execute runs a command inside the Headscale container and returns the
 // result of stdout as a string.
 func (t *HeadscaleInContainer) Execute(
@@ -455,8 +549,28 @@ func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
 	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
 }
 
+// FetchPath gets a path from inside the Headscale container and returns a tar
+// file as byte array.
+func (t *HeadscaleInContainer) FetchPath(path string) ([]byte, error) {
+	return integrationutil.FetchPathFromContainer(t.pool, t.container, path)
+}
+
+func (t *HeadscaleInContainer) SendInterrupt() error {
+	pid, err := t.Execute([]string{"pidof", "headscale"})
+	if err != nil {
+		return err
+	}
+
+	_, err = t.Execute([]string{"kill", "-2", strings.Trim(pid, "'\n")})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // nolint
-func createCertificate() ([]byte, []byte, error) {
+func createCertificate(hostname string) ([]byte, []byte, error) {
 	// From:
 	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
 
@@ -468,7 +582,7 @@ func createCertificate() ([]byte, []byte, error) {
 			Locality:     []string{"Leiden"},
 		},
 		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(30 * time.Minute),
+		NotAfter:  time.Now().Add(60 * time.Minute),
 		IsCA:      true,
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageClientAuth,
@@ -486,16 +600,17 @@ func createCertificate() ([]byte, []byte, error) {
 	cert := &x509.Certificate{
 		SerialNumber: big.NewInt(1658),
 		Subject: pkix.Name{
+			CommonName:   hostname,
 			Organization: []string{"Headscale testing INC"},
 			Country:      []string{"NL"},
 			Locality:     []string{"Leiden"},
 		},
-		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
 		NotBefore:    time.Now(),
-		NotAfter:     time.Now().Add(30 * time.Minute),
+		NotAfter:     time.Now().Add(60 * time.Minute),
 		SubjectKeyId: []byte{1, 2, 3, 4, 6},
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:     x509.KeyUsageDigitalSignature,
+		DNSNames:     []string{hostname},
 	}
 
 	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)

integration/integrationutil/util.go

@@ -72,3 +72,24 @@ func WriteFileToContainer(
 
 	return nil
 }
+
+func FetchPathFromContainer(
+	pool *dockertest.Pool,
+	container *dockertest.Resource,
+	path string,
+) ([]byte, error) {
+	buf := bytes.NewBuffer([]byte{})
+
+	err := pool.Client.DownloadFromContainer(
+		container.Container.ID,
+		docker.DownloadFromContainerOptions{
+			OutputStream: buf,
+			Path:         path,
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return buf.Bytes(), nil
+}

integration/scenario.go

@@ -33,6 +33,7 @@ var (
 	tailscaleVersions2021 = []string{
 		"head",
 		"unstable",
+		"1.40.0",
 		"1.38.4",
 		"1.36.2",
 		"1.34.2",
@@ -149,15 +150,7 @@ func NewScenario() (*Scenario, error) {
 // environment running the tests.
 func (s *Scenario) Shutdown() error {
 	s.controlServers.Range(func(_ string, control ControlServer) bool {
-		err := control.SaveLog("/tmp/control")
-		if err != nil {
-			log.Printf(
-				"Failed to save log from control: %s",
-				fmt.Errorf("failed to save log from control: %w", err),
-			)
-		}
-
-		err = control.Shutdown()
+		err := control.Shutdown()
 		if err != nil {
 			log.Printf(
 				"Failed to shut down control: %s",
@@ -287,7 +280,7 @@ func (s *Scenario) CreateTailscaleNodesInUser(
 
 			headscale, err := s.Headscale()
 			if err != nil {
-				return fmt.Errorf("failed to create tailscale node: %w", err)
+				return fmt.Errorf("failed to create tailscale node (version: %s): %w", version, err)
 			}
 
 			cert := headscale.GetCert()

integration/ssh_test.go

@@ -424,7 +424,7 @@ func TestSSUserOnlyIsolation(t *testing.T) {
 	// TODO(kradalby,evenh): ACLs do currently not cover reject
 	// cases properly, and currently will accept all incomming connections
 	// as long as a rule is present.
-	//
+
 	// for _, client := range ssh1Clients {
 	// 	for _, peer := range ssh2Clients {
 	// 		if client.Hostname() == peer.Hostname() {

integration/tailscale.go

@@ -4,6 +4,7 @@ import (
 	"net/netip"
 	"net/url"
 
+	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/juanfont/headscale/integration/tsic"
 	"tailscale.com/ipn/ipnstate"
 )
@@ -13,7 +14,7 @@ type TailscaleClient interface {
 	Hostname() string
 	Shutdown() error
 	Version() string
-	Execute(command []string) (string, string, error)
+	Execute(command []string, options ...dockertestutil.ExecuteCommandOption) (string, string, error)
 	Up(loginServer, authKey string) error
 	UpWithLoginURL(loginServer string) (*url.URL, error)
 	Logout() error

integration/tsic/tsic.go

@@ -29,6 +29,7 @@ const (
 
 var (
 	errTailscalePingFailed             = errors.New("ping failed")
+	errTailscalePingNotDERP            = errors.New("ping not via DERP")
 	errTailscaleNotLoggedIn            = errors.New("tailscale not logged in")
 	errTailscaleWrongPeerCount         = errors.New("wrong peer count")
 	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
@@ -56,6 +57,7 @@ type TailscaleInContainer struct {
 	withSSH           bool
 	withTags          []string
 	withEntrypoint    []string
+	withExtraHosts    []string
 	workdir           string
 }
 
@@ -124,6 +126,12 @@ func WithDockerWorkdir(dir string) Option {
 	}
 }
 
+func WithExtraHosts(hosts []string) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.withExtraHosts = hosts
+	}
+}
+
 // WithDockerEntrypoint allows the docker entrypoint of the container
 // to be overridden. This is a dangerous option which can make
 // the container not work as intended as a typo might prevent
@@ -169,11 +177,12 @@ func New(
 
 	tailscaleOptions := &dockertest.RunOptions{
 		Name:     hostname,
-		Networks: []*dockertest.Network{network},
+		Networks: []*dockertest.Network{tsic.network},
 		// Cmd: []string{
 		// 	"tailscaled", "--tun=tsdev",
 		// },
 		Entrypoint: tsic.withEntrypoint,
+		ExtraHosts: tsic.withExtraHosts,
 	}
 
 	if tsic.headscaleHostname != "" {
@@ -203,7 +212,11 @@ func New(
 		dockertestutil.DockerAllowNetworkAdministration,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("could not start tailscale container: %w", err)
+		return nil, fmt.Errorf(
+			"could not start tailscale container (version: %s): %w",
+			version,
+			err,
+		)
 	}
 	log.Printf("Created %s container\n", hostname)
 
@@ -248,11 +261,13 @@ func (t *TailscaleInContainer) ID() string {
 // result of stdout as a string.
 func (t *TailscaleInContainer) Execute(
 	command []string,
+	options ...dockertestutil.ExecuteCommandOption,
 ) (string, string, error) {
 	stdout, stderr, err := dockertestutil.ExecuteCommand(
 		t.container,
 		command,
 		[]string{},
+		options...,
 	)
 	if err != nil {
 		log.Printf("command stderr: %s\n", stderr)
@@ -477,7 +492,7 @@ func (t *TailscaleInContainer) WaitForPeers(expected int) error {
 }
 
 type (
-	// PingOption repreent optional settings that can be given
+	// PingOption represent optional settings that can be given
 	// to ping another host.
 	PingOption = func(args *pingArgs)
 
@@ -535,7 +550,12 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string, opts ...PingOption) err
 	command = append(command, hostnameOrIP)
 
 	return t.pool.Retry(func() error {
-		result, _, err := t.Execute(command)
+		result, _, err := t.Execute(
+			command,
+			dockertestutil.ExecuteCommandTimeout(
+				time.Duration(int64(args.timeout)*int64(args.count)),
+			),
+		)
 		if err != nil {
 			log.Printf(
 				"failed to run ping command from %s to %s, err: %s",
@@ -547,10 +567,22 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string, opts ...PingOption) err
 			return err
 		}
 
-		if !strings.Contains(result, "pong") && !strings.Contains(result, "is local") {
+		if strings.Contains(result, "is local") {
+			return nil
+		}
+
+		if !strings.Contains(result, "pong") {
 			return backoff.Permanent(errTailscalePingFailed)
 		}
 
+		if !args.direct {
+			if strings.Contains(result, "via DERP") {
+				return nil
+			} else {
+				return backoff.Permanent(errTailscalePingNotDERP)
+			}
+		}
+
 		return nil
 	})
 }

integration/utils.go

@@ -2,6 +2,14 @@ package integration
 
 import (
 	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/integration/tsic"
+)
+
+const (
+	derpPingTimeout = 2 * time.Second
+	derpPingCount   = 10
 )
 
 func pingAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {
@@ -22,6 +30,52 @@ func pingAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int
 	return success
 }
 
+func pingDerpAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {
+	t.Helper()
+	success := 0
+
+	for _, client := range clients {
+		for _, addr := range addrs {
+			if isSelfClient(client, addr) {
+				continue
+			}
+
+			err := client.Ping(
+				addr,
+				tsic.WithPingTimeout(derpPingTimeout),
+				tsic.WithPingCount(derpPingCount),
+				tsic.WithPingUntilDirect(false),
+			)
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", addr, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	return success
+}
+
+func isSelfClient(client TailscaleClient, addr string) bool {
+	if addr == client.Hostname() {
+		return true
+	}
+
+	ips, err := client.IPs()
+	if err != nil {
+		return false
+	}
+
+	for _, ip := range ips {
+		if ip.String() == addr {
+			return true
+		}
+	}
+
+	return false
+}
+
 // pingAllNegativeHelper is intended to have 1 or more nodes timeing out from the ping,
 // it counts failures instead of successes.
 // func pingAllNegativeHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {

integration_embedded_derp_test.go

@@ -1,453 +0,0 @@
-// nolint
-package headscale
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"path"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/ccding/go-stun/stun"
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/suite"
-)
-
-const (
-	headscaleDerpHostname = "headscale-derp"
-	userName              = "derpuser"
-	totalContainers       = 3
-)
-
-type IntegrationDERPTestSuite struct {
-	suite.Suite
-	stats *suite.SuiteInformation
-
-	pool              dockertest.Pool
-	network           dockertest.Network
-	containerNetworks map[int]dockertest.Network // so we keep the containers isolated
-	headscale         dockertest.Resource
-	saveLogs          bool
-
-	tailscales    map[string]dockertest.Resource
-	joinWaitGroup sync.WaitGroup
-}
-
-func TestIntegrationDERPTestSuite(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping integration tests due to short flag")
-	}
-
-	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
-	if err != nil {
-		saveLogs = false
-	}
-
-	s := new(IntegrationDERPTestSuite)
-
-	s.tailscales = make(map[string]dockertest.Resource)
-	s.containerNetworks = make(map[int]dockertest.Network)
-	s.saveLogs = saveLogs
-
-	suite.Run(t, s)
-
-	// HandleStats, which allows us to check if we passed and save logs
-	// is called after TearDown, so we cannot tear down containers before
-	// we have potentially saved the logs.
-	if s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if !s.stats.Passed() {
-			err := s.saveLog(&s.headscale, "test_output")
-			if err != nil {
-				log.Printf("Could not save log: %s\n", err)
-			}
-		}
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		for _, network := range s.containerNetworks {
-			if err := network.Close(); err != nil {
-				log.Printf("Could not close network: %s\n", err)
-			}
-		}
-	}
-}
-
-func (s *IntegrationDERPTestSuite) SetupSuite() {
-	if ppool, err := dockertest.NewPool(""); err == nil {
-		s.pool = *ppool
-	} else {
-		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
-	}
-
-	network, err := GetFirstOrCreateNetwork(&s.pool, headscaleNetwork)
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Failed to create or get network: %s", err), "")
-	}
-	s.network = network
-
-	for i := 0; i < totalContainers; i++ {
-		if pnetwork, err := s.pool.CreateNetwork(fmt.Sprintf("headscale-derp-%d", i)); err == nil {
-			s.containerNetworks[i] = *pnetwork
-		} else {
-			s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
-		}
-	}
-
-	headscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile",
-		ContextDir: ".",
-	}
-
-	currentPath, err := os.Getwd()
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
-	}
-
-	headscaleOptions := &dockertest.RunOptions{
-		Name: headscaleDerpHostname,
-		Mounts: []string{
-			fmt.Sprintf(
-				"%s/integration_test/etc_embedded_derp:/etc/headscale",
-				currentPath,
-			),
-		},
-		Cmd:          []string{"headscale", "serve"},
-		Networks:     []*dockertest.Network{&s.network},
-		ExposedPorts: []string{"8443/tcp", "3478/udp"},
-		PortBindings: map[docker.Port][]docker.PortBinding{
-			"8443/tcp": {{HostPort: "8443"}},
-			"3478/udp": {{HostPort: "3478"}},
-		},
-	}
-
-	err = s.pool.RemoveContainerByName(headscaleDerpHostname)
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	log.Println("Creating headscale container for DERP integration tests")
-	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
-		s.headscale = *pheadscale
-	} else {
-		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
-	}
-	log.Println("Created headscale container for embedded DERP tests")
-
-	log.Println("Creating tailscale containers for embedded DERP tests")
-
-	for i := 0; i < totalContainers; i++ {
-		version := tailscaleVersions[i%len(tailscaleVersions)]
-		hostname, container := s.tailscaleContainer(
-			fmt.Sprint(i),
-			version,
-			s.containerNetworks[i],
-		)
-		s.tailscales[hostname] = *container
-	}
-
-	log.Println("Waiting for headscale to be ready for embedded DERP tests")
-	hostEndpoint := fmt.Sprintf("%s:%s",
-		s.headscale.GetIPInNetwork(&s.network),
-		s.headscale.GetPort("8443/tcp"))
-
-	if err := s.pool.Retry(func() error {
-		url := fmt.Sprintf("https://%s/health", hostEndpoint)
-		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
-		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-		client := &http.Client{Transport: insecureTransport}
-		resp, err := client.Get(url)
-		if err != nil {
-			fmt.Printf("headscale for embedded DERP tests is not ready: %s\n", err)
-			return err
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			return fmt.Errorf("status code not OK")
-		}
-
-		return nil
-	}); err != nil {
-		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
-		// test setup, we need to abort and tear down. However, testify does not seem to
-		// support that at the moment:
-		// https://github.com/stretchr/testify/issues/849
-		return // fmt.Errorf("Could not connect to headscale: %s", err)
-	}
-	log.Println("headscale container is ready for embedded DERP tests")
-
-	log.Printf("Creating headscale user: %s\n", userName)
-	result, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{"headscale", "users", "create", userName},
-		[]string{},
-	)
-	log.Println("headscale create user result: ", result)
-	assert.Nil(s.T(), err)
-
-	log.Printf("Creating pre auth key for %s\n", userName)
-	preAuthResult, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"--user",
-			userName,
-			"preauthkeys",
-			"create",
-			"--reusable",
-			"--expiration",
-			"24h",
-			"--output",
-			"json",
-		},
-		[]string{"LOG_LEVEL=error"},
-	)
-	assert.Nil(s.T(), err)
-
-	var preAuthKey v1.PreAuthKey
-	err = json.Unmarshal([]byte(preAuthResult), &preAuthKey)
-	assert.Nil(s.T(), err)
-	assert.True(s.T(), preAuthKey.Reusable)
-
-	headscaleEndpoint := fmt.Sprintf(
-		"https://headscale:%s",
-		s.headscale.GetPort("8443/tcp"),
-	)
-
-	log.Printf(
-		"Joining tailscale containers to headscale at %s\n",
-		headscaleEndpoint,
-	)
-	for hostname, tailscale := range s.tailscales {
-		s.joinWaitGroup.Add(1)
-		go s.Join(headscaleEndpoint, preAuthKey.Key, hostname, tailscale)
-	}
-
-	s.joinWaitGroup.Wait()
-
-	// The nodes need a bit of time to get their updated maps from headscale
-	// TODO: See if we can have a more deterministic wait here.
-	time.Sleep(60 * time.Second)
-}
-
-func (s *IntegrationDERPTestSuite) Join(
-	endpoint, key, hostname string,
-	tailscale dockertest.Resource,
-) {
-	defer s.joinWaitGroup.Done()
-
-	command := []string{
-		"tailscale",
-		"up",
-		"-login-server",
-		endpoint,
-		"--authkey",
-		key,
-		"--hostname",
-		hostname,
-	}
-
-	log.Println("Join command:", command)
-	log.Printf("Running join command for %s\n", hostname)
-	_, _, err := ExecuteCommand(
-		&tailscale,
-		command,
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-	log.Printf("%s joined\n", hostname)
-}
-
-func (s *IntegrationDERPTestSuite) tailscaleContainer(
-	identifier, version string,
-	network dockertest.Network,
-) (string, *dockertest.Resource) {
-	tailscaleBuildOptions := getDockerBuildOptions(version)
-
-	hostname := fmt.Sprintf(
-		"tailscale-%s-%s",
-		strings.Replace(version, ".", "-", -1),
-		identifier,
-	)
-	tailscaleOptions := &dockertest.RunOptions{
-		Name:     hostname,
-		Networks: []*dockertest.Network{&network},
-		Cmd: []string{
-			"tailscaled", "--tun=tsdev",
-		},
-
-		// expose the host IP address, so we can access it from inside the container
-		ExtraHosts: []string{
-			"host.docker.internal:host-gateway",
-			"headscale:host-gateway",
-		},
-	}
-
-	pts, err := s.pool.BuildAndRunWithBuildOptions(
-		tailscaleBuildOptions,
-		tailscaleOptions,
-		DockerRestartPolicy,
-		DockerAllowLocalIPv6,
-		DockerAllowNetworkAdministration,
-	)
-	if err != nil {
-		log.Fatalf("Could not start tailscale container version %s: %s", version, err)
-	}
-	log.Printf("Created %s container\n", hostname)
-
-	return hostname, pts
-}
-
-func (s *IntegrationDERPTestSuite) TearDownSuite() {
-	if !s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		for _, network := range s.containerNetworks {
-			if err := network.Close(); err != nil {
-				log.Printf("Could not close network: %s\n", err)
-			}
-		}
-	}
-}
-
-func (s *IntegrationDERPTestSuite) HandleStats(
-	suiteName string,
-	stats *suite.SuiteInformation,
-) {
-	s.stats = stats
-}
-
-func (s *IntegrationDERPTestSuite) saveLog(
-	resource *dockertest.Resource,
-	basePath string,
-) error {
-	err := os.MkdirAll(basePath, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	var stdout bytes.Buffer
-	var stderr bytes.Buffer
-
-	err = s.pool.Client.Logs(
-		docker.LogsOptions{
-			Context:      context.TODO(),
-			Container:    resource.Container.ID,
-			OutputStream: &stdout,
-			ErrorStream:  &stderr,
-			Tail:         "all",
-			RawTerminal:  false,
-			Stdout:       true,
-			Stderr:       true,
-			Follow:       false,
-			Timestamps:   false,
-		},
-	)
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stdout.log"),
-		stderr.Bytes(),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stderr.log"),
-		stderr.Bytes(),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (s *IntegrationDERPTestSuite) TestPingAllPeersByHostname() {
-	hostnames, err := getDNSNames(&s.headscale)
-	assert.Nil(s.T(), err)
-
-	log.Printf("Hostnames: %#v\n", hostnames)
-
-	for hostname, tailscale := range s.tailscales {
-		for _, peername := range hostnames {
-			if strings.Contains(peername, hostname) {
-				continue
-			}
-			s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-				command := []string{
-					"tailscale", "ping",
-					"--timeout=10s",
-					"--c=5",
-					"--until-direct=false",
-					peername,
-				}
-
-				log.Printf(
-					"Pinging using hostname from %s to %s\n",
-					hostname,
-					peername,
-				)
-				log.Println(command)
-				result, _, err := ExecuteCommand(
-					&tailscale,
-					command,
-					[]string{},
-				)
-				assert.Nil(t, err)
-				log.Printf("Result for %s: %s\n", hostname, result)
-				assert.Contains(t, result, "via DERP(headscale)")
-			})
-		}
-	}
-}
-
-func (s *IntegrationDERPTestSuite) TestDERPSTUN() {
-	headscaleSTUNAddr := fmt.Sprintf("%s:%s",
-		s.headscale.GetIPInNetwork(&s.network),
-		s.headscale.GetPort("3478/udp"))
-	client := stun.NewClient()
-	client.SetVerbose(true)
-	client.SetVVerbose(true)
-	client.SetServerAddr(headscaleSTUNAddr)
-	_, _, err := client.Discover()
-	assert.Nil(s.T(), err)
-}

machine.go

@@ -8,12 +8,12 @@ import (
 	"sort"
 	"strconv"
 	"strings"
-	"sync"
 	"time"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
 	"github.com/samber/lo"
+	"go4.org/netipx"
 	"google.golang.org/protobuf/types/known/timestamppb"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
@@ -98,6 +98,14 @@ func (ma MachineAddresses) ToStringSlice() []string {
 	return strSlice
 }
 
+// AppendToIPSet adds the individual ips in MachineAddresses to a
+// given netipx.IPSetBuilder.
+func (ma MachineAddresses) AppendToIPSet(build *netipx.IPSetBuilder) {
+	for _, ip := range ma {
+		build.Add(ip)
+	}
+}
+
 func (ma *MachineAddresses) Scan(destination interface{}) error {
 	switch value := destination.(type) {
 	case string:
@@ -161,125 +169,48 @@ func (machine *Machine) isEphemeral() bool {
 	return machine.AuthKey != nil && machine.AuthKey.Ephemeral
 }
 
+func (machine *Machine) canAccess(filter []tailcfg.FilterRule, machine2 *Machine) bool {
+	for _, rule := range filter {
+		// TODO(kradalby): Cache or pregen this
+		matcher := MatchFromFilterRule(rule)
+
+		if !matcher.SrcsContainsIPs([]netip.Addr(machine.IPAddresses)) {
+			continue
+		}
+
+		if matcher.DestsContainsIP([]netip.Addr(machine2.IPAddresses)) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // filterMachinesByACL wrapper function to not have devs pass around locks and maps
 // related to the application outside of tests.
 func (h *Headscale) filterMachinesByACL(currentMachine *Machine, peers Machines) Machines {
-	return filterMachinesByACL(currentMachine, peers, &h.aclPeerCacheMapRW, h.aclPeerCacheMap)
+	return filterMachinesByACL(currentMachine, peers, h.aclRules)
 }
 
 // filterMachinesByACL returns the list of peers authorized to be accessed from a given machine.
 func filterMachinesByACL(
 	machine *Machine,
 	machines Machines,
-	lock *sync.RWMutex,
-	aclPeerCacheMap map[string]map[string]struct{},
+	filter []tailcfg.FilterRule,
 ) Machines {
-	log.Trace().
-		Caller().
-		Str("self", machine.Hostname).
-		Str("input", machines.String()).
-		Msg("Finding peers filtered by ACLs")
+	result := Machines{}
 
-	peers := make(map[uint64]Machine)
-	// Aclfilter peers here. We are itering through machines in all users and search through the computed aclRules
-	// for match between rule SrcIPs and DstPorts. If the rule is a match we allow the machine to be viewable.
-	machineIPs := machine.IPAddresses.ToStringSlice()
-
-	// TODO(kradalby): Remove this lock, I suspect its not a good idea, and might not be necessary,
-	// we only set this at startup atm (reading ACLs) and it might become a bottleneck.
-	lock.RLock()
-
-	for _, peer := range machines {
+	for index, peer := range machines {
 		if peer.ID == machine.ID {
 			continue
 		}
-		peerIPs := peer.IPAddresses.ToStringSlice()
 
-		if dstMap, ok := aclPeerCacheMap["*"]; ok {
-			// match source and all destination
-			if _, dstOk := dstMap["*"]; dstOk {
-				peers[peer.ID] = peer
-
-				continue
-			}
-
-			// match source and all destination
-			for _, peerIP := range peerIPs {
-				if _, dstOk := dstMap[peerIP]; dstOk {
-					peers[peer.ID] = peer
-
-					continue
-				}
-			}
-
-			// match all sources and source
-			for _, machineIP := range machineIPs {
-				if _, dstOk := dstMap[machineIP]; dstOk {
-					peers[peer.ID] = peer
-
-					continue
-				}
-			}
-		}
-
-		for _, machineIP := range machineIPs {
-			if dstMap, ok := aclPeerCacheMap[machineIP]; ok {
-				// match source and all destination
-				if _, dstOk := dstMap["*"]; dstOk {
-					peers[peer.ID] = peer
-
-					continue
-				}
-
-				// match source and destination
-				for _, peerIP := range peerIPs {
-					if _, dstOk := dstMap[peerIP]; dstOk {
-						peers[peer.ID] = peer
-
-						continue
-					}
-				}
-			}
-		}
-
-		for _, peerIP := range peerIPs {
-			if dstMap, ok := aclPeerCacheMap[peerIP]; ok {
-				// match source and all destination
-				if _, dstOk := dstMap["*"]; dstOk {
-					peers[peer.ID] = peer
-
-					continue
-				}
-				// match return path
-				for _, machineIP := range machineIPs {
-					if _, dstOk := dstMap[machineIP]; dstOk {
-						peers[peer.ID] = peer
-
-						continue
-					}
-				}
-			}
+		if machine.canAccess(filter, &machines[index]) || peer.canAccess(filter, machine) {
+			result = append(result, peer)
 		}
 	}
 
-	lock.RUnlock()
-
-	authorizedPeers := make(Machines, 0, len(peers))
-	for _, m := range peers {
-		authorizedPeers = append(authorizedPeers, m)
-	}
-	sort.Slice(
-		authorizedPeers,
-		func(i, j int) bool { return authorizedPeers[i].ID < authorizedPeers[j].ID },
-	)
-
-	log.Trace().
-		Caller().
-		Str("self", machine.Hostname).
-		Str("peers", authorizedPeers.String()).
-		Msg("Authorized peers")
-
-	return authorizedPeers
+	return result
 }
 
 func (h *Headscale) ListPeers(machine *Machine) (Machines, error) {
@@ -868,7 +799,7 @@ func getTags(
 	validTagMap := make(map[string]bool)
 	invalidTagMap := make(map[string]bool)
 	for _, tag := range machine.HostInfo.RequestTags {
-		owners, err := expandTagOwners(*aclPolicy, tag, stripEmailDomain)
+		owners, err := getTagOwners(aclPolicy, tag, stripEmailDomain)
 		if errors.Is(err, errInvalidTag) {
 			invalidTagMap[tag] = true
 
@@ -1182,7 +1113,7 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
 			if approvedAlias == machine.User.Name {
 				approvedRoutes = append(approvedRoutes, advertisedRoute)
 			} else {
-				approvedIps, err := expandAlias([]Machine{*machine}, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
+				approvedIps, err := h.aclPolicy.expandAlias([]Machine{*machine}, approvedAlias, h.cfg.OIDC.StripEmaildomain)
 				if err != nil {
 					log.Err(err).
 						Str("alias", approvedAlias).
@@ -1192,7 +1123,7 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
 				}
 
 				// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
-				if contains(approvedIps, machine.IPAddresses[0].String()) {
+				if approvedIps.Contains(machine.IPAddresses[0]) {
 					approvedRoutes = append(approvedRoutes, advertisedRoute)
 				}
 			}

machine_test.go

@@ -6,7 +6,6 @@ import (
 	"reflect"
 	"regexp"
 	"strconv"
-	"sync"
 	"testing"
 	"time"
 
@@ -1041,16 +1040,12 @@ func Test_getFilteredByACLPeers(t *testing.T) {
 			},
 		},
 	}
-	var lock sync.RWMutex
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			aclRulesMap := generateACLPeerCacheMap(tt.args.rules)
-
 			got := filterMachinesByACL(
 				tt.args.machine,
 				tt.args.machines,
-				&lock,
-				aclRulesMap,
+				tt.args.rules,
 			)
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("filterMachinesByACL() = %v, want %v", got, tt.want)
@@ -1264,3 +1259,131 @@ func (s *Suite) TestAutoApproveRoutes(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(enabledRoutes, check.HasLen, 3)
 }
+
+func TestMachine_canAccess(t *testing.T) {
+	type args struct {
+		filter   []tailcfg.FilterRule
+		machine2 *Machine
+	}
+	tests := []struct {
+		name    string
+		machine Machine
+		args    args
+		want    bool
+	}{
+		{
+			name: "no-rules",
+			machine: Machine{
+				IPAddresses: MachineAddresses{
+					netip.MustParseAddr("10.0.0.1"),
+				},
+			},
+			args: args{
+				filter: []tailcfg.FilterRule{},
+				machine2: &Machine{
+					IPAddresses: MachineAddresses{
+						netip.MustParseAddr("10.0.0.2"),
+					},
+				},
+			},
+			want: false,
+		},
+		{
+			name: "wildcard",
+			machine: Machine{
+				IPAddresses: MachineAddresses{
+					netip.MustParseAddr("10.0.0.1"),
+				},
+			},
+			args: args{
+				filter: []tailcfg.FilterRule{
+					{
+						SrcIPs: []string{"*"},
+						DstPorts: []tailcfg.NetPortRange{
+							{
+								IP: "*",
+								Ports: tailcfg.PortRange{
+									First: 0,
+									Last:  65535,
+								},
+							},
+						},
+					},
+				},
+				machine2: &Machine{
+					IPAddresses: MachineAddresses{
+						netip.MustParseAddr("10.0.0.2"),
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "explicit-m1-to-m2",
+			machine: Machine{
+				IPAddresses: MachineAddresses{
+					netip.MustParseAddr("10.0.0.1"),
+				},
+			},
+			args: args{
+				filter: []tailcfg.FilterRule{
+					{
+						SrcIPs: []string{"10.0.0.1"},
+						DstPorts: []tailcfg.NetPortRange{
+							{
+								IP: "10.0.0.2",
+								Ports: tailcfg.PortRange{
+									First: 0,
+									Last:  65535,
+								},
+							},
+						},
+					},
+				},
+				machine2: &Machine{
+					IPAddresses: MachineAddresses{
+						netip.MustParseAddr("10.0.0.2"),
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "explicit-m2-to-m1",
+			machine: Machine{
+				IPAddresses: MachineAddresses{
+					netip.MustParseAddr("10.0.0.1"),
+				},
+			},
+			args: args{
+				filter: []tailcfg.FilterRule{
+					{
+						SrcIPs: []string{"10.0.0.2"},
+						DstPorts: []tailcfg.NetPortRange{
+							{
+								IP: "10.0.0.1",
+								Ports: tailcfg.PortRange{
+									First: 0,
+									Last:  65535,
+								},
+							},
+						},
+					},
+				},
+				machine2: &Machine{
+					IPAddresses: MachineAddresses{
+						netip.MustParseAddr("10.0.0.2"),
+					},
+				},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.machine.canAccess(tt.args.filter, tt.args.machine2); got != tt.want {
+				t.Errorf("Machine.canAccess() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

matcher.go

@@ -0,0 +1,142 @@
+package headscale
+
+import (
+	"fmt"
+	"net/netip"
+	"strings"
+
+	"go4.org/netipx"
+	"tailscale.com/tailcfg"
+)
+
+// This is borrowed from, and updated to use IPSet
+// https://github.com/tailscale/tailscale/blob/71029cea2ddf82007b80f465b256d027eab0f02d/wgengine/filter/tailcfg.go#L97-L162
+// TODO(kradalby): contribute upstream and make public.
+var (
+	zeroIP4 = netip.AddrFrom4([4]byte{})
+	zeroIP6 = netip.AddrFrom16([16]byte{})
+)
+
+// parseIPSet parses arg as one:
+//
+//   - an IP address (IPv4 or IPv6)
+//   - the string "*" to match everything (both IPv4 & IPv6)
+//   - a CIDR (e.g. "192.168.0.0/16")
+//   - a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")
+//
+// bits, if non-nil, is the legacy SrcBits CIDR length to make a IP
+// address (without a slash) treated as a CIDR of *bits length.
+// nolint
+func parseIPSet(arg string, bits *int) (*netipx.IPSet, error) {
+	var ipSet netipx.IPSetBuilder
+	if arg == "*" {
+		ipSet.AddPrefix(netip.PrefixFrom(zeroIP4, 0))
+		ipSet.AddPrefix(netip.PrefixFrom(zeroIP6, 0))
+
+		return ipSet.IPSet()
+	}
+	if strings.Contains(arg, "/") {
+		pfx, err := netip.ParsePrefix(arg)
+		if err != nil {
+			return nil, err
+		}
+		if pfx != pfx.Masked() {
+			return nil, fmt.Errorf("%v contains non-network bits set", pfx)
+		}
+
+		ipSet.AddPrefix(pfx)
+
+		return ipSet.IPSet()
+	}
+	if strings.Count(arg, "-") == 1 {
+		ip1s, ip2s, _ := strings.Cut(arg, "-")
+
+		ip1, err := netip.ParseAddr(ip1s)
+		if err != nil {
+			return nil, err
+		}
+
+		ip2, err := netip.ParseAddr(ip2s)
+		if err != nil {
+			return nil, err
+		}
+
+		r := netipx.IPRangeFrom(ip1, ip2)
+		if !r.IsValid() {
+			return nil, fmt.Errorf("invalid IP range %q", arg)
+		}
+
+		for _, prefix := range r.Prefixes() {
+			ipSet.AddPrefix(prefix)
+		}
+
+		return ipSet.IPSet()
+	}
+	ip, err := netip.ParseAddr(arg)
+	if err != nil {
+		return nil, fmt.Errorf("invalid IP address %q", arg)
+	}
+	bits8 := uint8(ip.BitLen())
+	if bits != nil {
+		if *bits < 0 || *bits > int(bits8) {
+			return nil, fmt.Errorf("invalid CIDR size %d for IP %q", *bits, arg)
+		}
+		bits8 = uint8(*bits)
+	}
+
+	ipSet.AddPrefix(netip.PrefixFrom(ip, int(bits8)))
+
+	return ipSet.IPSet()
+}
+
+type Match struct {
+	Srcs  *netipx.IPSet
+	Dests *netipx.IPSet
+}
+
+func MatchFromFilterRule(rule tailcfg.FilterRule) Match {
+	srcs := new(netipx.IPSetBuilder)
+	dests := new(netipx.IPSetBuilder)
+
+	for _, srcIP := range rule.SrcIPs {
+		set, _ := parseIPSet(srcIP, nil)
+
+		srcs.AddSet(set)
+	}
+
+	for _, dest := range rule.DstPorts {
+		set, _ := parseIPSet(dest.IP, nil)
+
+		dests.AddSet(set)
+	}
+
+	srcsSet, _ := srcs.IPSet()
+	destsSet, _ := dests.IPSet()
+
+	match := Match{
+		Srcs:  srcsSet,
+		Dests: destsSet,
+	}
+
+	return match
+}
+
+func (m *Match) SrcsContainsIPs(ips []netip.Addr) bool {
+	for _, ip := range ips {
+		if m.Srcs.Contains(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (m *Match) DestsContainsIP(ips []netip.Addr) bool {
+	for _, ip := range ips {
+		if m.Dests.Contains(ip) {
+			return true
+		}
+	}
+
+	return false
+}

matcher_test.go

@@ -0,0 +1,119 @@
+package headscale
+
+import (
+	"net/netip"
+	"reflect"
+	"testing"
+
+	"go4.org/netipx"
+)
+
+func Test_parseIPSet(t *testing.T) {
+	set := func(ips []string, prefixes []string) *netipx.IPSet {
+		var builder netipx.IPSetBuilder
+
+		for _, ip := range ips {
+			builder.Add(netip.MustParseAddr(ip))
+		}
+
+		for _, pre := range prefixes {
+			builder.AddPrefix(netip.MustParsePrefix(pre))
+		}
+
+		s, _ := builder.IPSet()
+
+		return s
+	}
+
+	type args struct {
+		arg  string
+		bits *int
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *netipx.IPSet
+		wantErr bool
+	}{
+		{
+			name: "simple ip4",
+			args: args{
+				arg:  "10.0.0.1",
+				bits: nil,
+			},
+			want: set([]string{
+				"10.0.0.1",
+			}, []string{}),
+			wantErr: false,
+		},
+		{
+			name: "simple ip6",
+			args: args{
+				arg:  "2001:db8:abcd:1234::2",
+				bits: nil,
+			},
+			want: set([]string{
+				"2001:db8:abcd:1234::2",
+			}, []string{}),
+			wantErr: false,
+		},
+		{
+			name: "wildcard",
+			args: args{
+				arg:  "*",
+				bits: nil,
+			},
+			want: set([]string{}, []string{
+				"0.0.0.0/0",
+				"::/0",
+			}),
+			wantErr: false,
+		},
+		{
+			name: "prefix4",
+			args: args{
+				arg:  "192.168.0.0/16",
+				bits: nil,
+			},
+			want: set([]string{}, []string{
+				"192.168.0.0/16",
+			}),
+			wantErr: false,
+		},
+		{
+			name: "prefix6",
+			args: args{
+				arg:  "2001:db8:abcd:1234::/64",
+				bits: nil,
+			},
+			want: set([]string{}, []string{
+				"2001:db8:abcd:1234::/64",
+			}),
+			wantErr: false,
+		},
+		{
+			name: "range4",
+			args: args{
+				arg:  "192.168.0.0-192.168.255.255",
+				bits: nil,
+			},
+			want: set([]string{}, []string{
+				"192.168.0.0/16",
+			}),
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := parseIPSet(tt.args.arg, tt.args.bits)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("parseIPSet() error = %v, wantErr %v", err, tt.wantErr)
+
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("parseIPSet() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

mkdocs.yml

@@ -1,5 +1,6 @@
 site_name: Headscale
 site_url: https://juanfont.github.io/headscale
+edit_uri: blob/main/docs/ # Change the master branch to main as we are using main as a main branch
 site_author: Headscale authors
 site_description: >-
   An open source, self-hosted implementation of the Tailscale control server.
@@ -121,12 +122,14 @@ markdown_extensions:
 # Page tree
 nav:
   - Home: index.md
+  - FAQ: faq.md
   - Getting started:
       - Installation:
           - Linux: running-headscale-linux.md
           - OpenBSD: running-headscale-openbsd.md
           - Container: running-headscale-container.md
       - Configuration:
+          - Web UI: web-ui.md
           - OIDC authentication: oidc.md
           - Exit node: exit-node.md
           - Reverse proxy: reverse-proxy.md

noise.go

@@ -1,6 +1,9 @@
 package headscale
 
 import (
+	"encoding/binary"
+	"encoding/json"
+	"io"
 	"net/http"
 
 	"github.com/gorilla/mux"
@@ -9,18 +12,37 @@ import (
 	"golang.org/x/net/http2/h2c"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/control/controlhttp"
-	"tailscale.com/net/netutil"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 )
 
 const (
 	// ts2021UpgradePath is the path that the server listens on for the WebSockets upgrade.
 	ts2021UpgradePath = "/ts2021"
+
+	// The first 9 bytes from the server to client over Noise are either an HTTP/2
+	// settings frame (a normal HTTP/2 setup) or, as Tailscale added later, an "early payload"
+	// header that's also 9 bytes long: 5 bytes (earlyPayloadMagic) followed by 4 bytes
+	// of length. Then that many bytes of JSON-encoded tailcfg.EarlyNoise.
+	// The early payload is optional. Some servers may not send it... But we do!
+	earlyPayloadMagic = "\xff\xff\xffTS"
+
+	// EarlyNoise was added in protocol version 49.
+	earlyNoiseCapabilityVersion = 49
 )
 
-type ts2021App struct {
+type noiseServer struct {
 	headscale *Headscale
 
-	conn *controlbase.Conn
+	httpBaseConfig *http.Server
+	http2Server    *http2.Server
+	conn           *controlbase.Conn
+	machineKey     key.MachinePublic
+	nodeKey        key.NodePublic
+
+	// EarlyNoise-related stuff
+	challenge       key.ChallengePrivate
+	protocolVersion int
 }
 
 // NoiseUpgradeHandler is to upgrade the connection and hijack the net.Conn
@@ -44,7 +66,18 @@ func (h *Headscale) NoiseUpgradeHandler(
 		return
 	}
 
-	noiseConn, err := controlhttp.AcceptHTTP(req.Context(), writer, req, *h.noisePrivateKey, nil)
+	noiseServer := noiseServer{
+		headscale: h,
+		challenge: key.NewChallenge(),
+	}
+
+	noiseConn, err := controlhttp.AcceptHTTP(
+		req.Context(),
+		writer,
+		req,
+		*h.noisePrivateKey,
+		noiseServer.earlyNoise,
+	)
 	if err != nil {
 		log.Error().Err(err).Msg("noise upgrade failed")
 		http.Error(writer, err.Error(), http.StatusInternalServerError)
@@ -52,10 +85,9 @@ func (h *Headscale) NoiseUpgradeHandler(
 		return
 	}
 
-	ts2021App := ts2021App{
-		headscale: h,
-		conn:      noiseConn,
-	}
+	noiseServer.conn = noiseConn
+	noiseServer.machineKey = noiseServer.conn.Peer()
+	noiseServer.protocolVersion = noiseServer.conn.ProtocolVersion()
 
 	// This router is served only over the Noise connection, and exposes only the new API.
 	//
@@ -63,16 +95,70 @@ func (h *Headscale) NoiseUpgradeHandler(
 	// a single hijacked connection from /ts2021, using netutil.NewOneConnListener
 	router := mux.NewRouter()
 
-	router.HandleFunc("/machine/register", ts2021App.NoiseRegistrationHandler).
+	router.HandleFunc("/machine/register", noiseServer.NoiseRegistrationHandler).
 		Methods(http.MethodPost)
-	router.HandleFunc("/machine/map", ts2021App.NoisePollNetMapHandler)
+	router.HandleFunc("/machine/map", noiseServer.NoisePollNetMapHandler)
 
 	server := http.Server{
 		ReadTimeout: HTTPReadTimeout,
 	}
-	server.Handler = h2c.NewHandler(router, &http2.Server{})
-	err = server.Serve(netutil.NewOneConnListener(noiseConn, nil))
-	if err != nil {
-		log.Info().Err(err).Msg("The HTTP2 server was closed")
+
+	noiseServer.httpBaseConfig = &http.Server{
+		Handler:           router,
+		ReadHeaderTimeout: HTTPReadTimeout,
 	}
+	noiseServer.http2Server = &http2.Server{}
+
+	server.Handler = h2c.NewHandler(router, noiseServer.http2Server)
+
+	noiseServer.http2Server.ServeConn(
+		noiseConn,
+		&http2.ServeConnOpts{
+			BaseConfig: noiseServer.httpBaseConfig,
+		},
+	)
+}
+
+func (ns *noiseServer) earlyNoise(protocolVersion int, writer io.Writer) error {
+	log.Trace().
+		Caller().
+		Int("protocol_version", protocolVersion).
+		Str("challenge", ns.challenge.Public().String()).
+		Msg("earlyNoise called")
+
+	if protocolVersion < earlyNoiseCapabilityVersion {
+		log.Trace().
+			Caller().
+			Msgf("protocol version %d does not support early noise", protocolVersion)
+
+		return nil
+	}
+
+	earlyJSON, err := json.Marshal(&tailcfg.EarlyNoise{
+		NodeKeyChallenge: ns.challenge.Public(),
+	})
+	if err != nil {
+		return err
+	}
+
+	// 5 bytes that won't be mistaken for an HTTP/2 frame:
+	// https://httpwg.org/specs/rfc7540.html#rfc.section.4.1 (Especially not
+	// an HTTP/2 settings frame, which isn't of type 'T')
+	var notH2Frame [5]byte
+	copy(notH2Frame[:], earlyPayloadMagic)
+	var lenBuf [4]byte
+	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(earlyJSON)))
+	// These writes are all buffered by caller, so fine to do them
+	// separately:
+	if _, err := writer.Write(notH2Frame[:]); err != nil {
+		return err
+	}
+	if _, err := writer.Write(lenBuf[:]); err != nil {
+		return err
+	}
+	if _, err := writer.Write(earlyJSON); err != nil {
+		return err
+	}
+
+	return nil
 }

protocol_noise.go

@@ -10,7 +10,7 @@ import (
 )
 
 // // NoiseRegistrationHandler handles the actual registration process of a machine.
-func (t *ts2021App) NoiseRegistrationHandler(
+func (ns *noiseServer) NoiseRegistrationHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
@@ -20,6 +20,11 @@ func (t *ts2021App) NoiseRegistrationHandler(
 
 		return
 	}
+
+	log.Trace().
+		Any("headers", req.Header).
+		Msg("Headers")
+
 	body, _ := io.ReadAll(req.Body)
 	registerRequest := tailcfg.RegisterRequest{}
 	if err := json.Unmarshal(body, &registerRequest); err != nil {
@@ -33,5 +38,7 @@ func (t *ts2021App) NoiseRegistrationHandler(
 		return
 	}
 
-	t.headscale.handleRegisterCommon(writer, req, registerRequest, t.conn.Peer(), true)
+	ns.nodeKey = registerRequest.NodeKey
+
+	ns.headscale.handleRegisterCommon(writer, req, registerRequest, ns.conn.Peer(), true)
 }

protocol_noise_poll.go

@@ -21,13 +21,18 @@ import (
 // only after their first request (marked with the ReadOnly field).
 //
 // At this moment the updates are sent in a quite horrendous way, but they kinda work.
-func (t *ts2021App) NoisePollNetMapHandler(
+func (ns *noiseServer) NoisePollNetMapHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
 	log.Trace().
 		Str("handler", "NoisePollNetMap").
 		Msg("PollNetMapHandler called")
+
+	log.Trace().
+		Any("headers", req.Header).
+		Msg("Headers")
+
 	body, _ := io.ReadAll(req.Body)
 
 	mapRequest := tailcfg.MapRequest{}
@@ -41,7 +46,9 @@ func (t *ts2021App) NoisePollNetMapHandler(
 		return
 	}
 
-	machine, err := t.headscale.GetMachineByAnyKey(t.conn.Peer(), mapRequest.NodeKey, key.NodePublic{})
+	ns.nodeKey = mapRequest.NodeKey
+
+	machine, err := ns.headscale.GetMachineByAnyKey(ns.conn.Peer(), mapRequest.NodeKey, key.NodePublic{})
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			log.Warn().
@@ -63,5 +70,5 @@ func (t *ts2021App) NoisePollNetMapHandler(
 		Str("machine", machine.Hostname).
 		Msg("A machine is entering polling via the Noise protocol")
 
-	t.headscale.handlePollCommon(writer, req.Context(), machine, mapRequest, true)
+	ns.headscale.handlePollCommon(writer, req.Context(), machine, mapRequest, true)
 }

routes.go

@@ -106,13 +106,36 @@ func (h *Headscale) DisableRoute(id uint64) error {
 		return err
 	}
 
-	route.Enabled = false
-	route.IsPrimary = false
-	err = h.db.Save(route).Error
+	// Tailscale requires both IPv4 and IPv6 exit routes to
+	// be enabled at the same time, as per
+	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	if !route.isExitRoute() {
+		route.Enabled = false
+		route.IsPrimary = false
+		err = h.db.Save(route).Error
+		if err != nil {
+			return err
+		}
+
+		return h.handlePrimarySubnetFailover()
+	}
+
+	routes, err := h.GetMachineRoutes(&route.Machine)
 	if err != nil {
 		return err
 	}
 
+	for i := range routes {
+		if routes[i].isExitRoute() {
+			routes[i].Enabled = false
+			routes[i].IsPrimary = false
+			err = h.db.Save(&routes[i]).Error
+			if err != nil {
+				return err
+			}
+		}
+	}
+
 	return h.handlePrimarySubnetFailover()
 }
 
@@ -122,7 +145,30 @@ func (h *Headscale) DeleteRoute(id uint64) error {
 		return err
 	}
 
-	if err := h.db.Unscoped().Delete(&route).Error; err != nil {
+	// Tailscale requires both IPv4 and IPv6 exit routes to
+	// be enabled at the same time, as per
+	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	if !route.isExitRoute() {
+		if err := h.db.Unscoped().Delete(&route).Error; err != nil {
+			return err
+		}
+
+		return h.handlePrimarySubnetFailover()
+	}
+
+	routes, err := h.GetMachineRoutes(&route.Machine)
+	if err != nil {
+		return err
+	}
+
+	routesToDelete := []Route{}
+	for _, r := range routes {
+		if r.isExitRoute() {
+			routesToDelete = append(routesToDelete, r)
+		}
+	}
+
+	if err := h.db.Unscoped().Delete(&routesToDelete).Error; err != nil {
 		return err
 	}
 

routes_test.go

@@ -457,6 +457,37 @@ func (s *Suite) TestAllowedIPRoutes(c *check.C) {
 
 	c.Assert(foundExitNodeV4, check.Equals, true)
 	c.Assert(foundExitNodeV6, check.Equals, true)
+
+	// Now we disable only one of the exit routes
+	// and we see if both are disabled
+	var exitRouteV4 Route
+	for _, route := range routes {
+		if route.isExitRoute() && netip.Prefix(route.Prefix) == prefixExitNodeV4 {
+			exitRouteV4 = route
+
+			break
+		}
+	}
+
+	err = app.DisableRoute(uint64(exitRouteV4.ID))
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes1, err = app.GetEnabledRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes1), check.Equals, 1)
+
+	// and now we delete only one of the exit routes
+	// and we check if both are deleted
+	routes, err = app.GetMachineRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 4)
+
+	err = app.DeleteRoute(uint64(exitRouteV4.ID))
+	c.Assert(err, check.IsNil)
+
+	routes, err = app.GetMachineRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 2)
 }
 
 func (s *Suite) TestDeleteRoutes(c *check.C) {