feature/featuretags: add features for c2n, peerapi, advertise/use routes/exit nodes

Saves 262 KB so far. I'm sure I missed some places, but shotizam says these were the low hanging fruit. Updates #12614 Change-Id: Ia31c01b454f627e6d0470229aae4e19d615e45e3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-12-01 17:49:02 +00:00 · 2025-10-01 19:18:46 -07:00
parent 2cd518a8b6
commit a208cb9fd5
29 changed files with 469 additions and 79 deletions
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -1409,6 +1409,9 @@ func (c *Direct) answerPing(pr *tailcfg.PingRequest) {
 		answerHeadPing(c.logf, httpc, pr)
 		return
 	case "c2n":
 		if !buildfeatures.HasC2N {
 			return
 		}
 		if !useNoise && !envknob.Bool("TS_DEBUG_PERMIT_HTTP_C2N") {
 			c.logf("refusing to answer c2n ping without noise")
 			return
--- a/feature/buildfeatures/feature_advertiseexitnode_disabled.go
+++ b/feature/buildfeatures/feature_advertiseexitnode_disabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build ts_omit_advertiseexitnode
 package buildfeatures
 // HasAdvertiseExitNode is whether the binary was built with support for modular feature "Run an exit node".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_advertiseexitnode" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasAdvertiseExitNode = false
--- a/feature/buildfeatures/feature_advertiseexitnode_enabled.go
+++ b/feature/buildfeatures/feature_advertiseexitnode_enabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build !ts_omit_advertiseexitnode
 package buildfeatures
 // HasAdvertiseExitNode is whether the binary was built with support for modular feature "Run an exit node".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_advertiseexitnode" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasAdvertiseExitNode = true
--- a/feature/buildfeatures/feature_advertiseroutes_disabled.go
+++ b/feature/buildfeatures/feature_advertiseroutes_disabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build ts_omit_advertiseroutes
 package buildfeatures
 // HasAdvertiseRoutes is whether the binary was built with support for modular feature "Advertise routes for other nodes to use".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_advertiseroutes" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasAdvertiseRoutes = false
--- a/feature/buildfeatures/feature_advertiseroutes_enabled.go
+++ b/feature/buildfeatures/feature_advertiseroutes_enabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build !ts_omit_advertiseroutes
 package buildfeatures
 // HasAdvertiseRoutes is whether the binary was built with support for modular feature "Advertise routes for other nodes to use".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_advertiseroutes" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasAdvertiseRoutes = true
--- a/feature/buildfeatures/feature_c2n_disabled.go
+++ b/feature/buildfeatures/feature_c2n_disabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build ts_omit_c2n
 package buildfeatures
 // HasC2N is whether the binary was built with support for modular feature "Control-to-node (C2N) support".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_c2n" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasC2N = false
--- a/feature/buildfeatures/feature_c2n_enabled.go
+++ b/feature/buildfeatures/feature_c2n_enabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build !ts_omit_c2n
 package buildfeatures
 // HasC2N is whether the binary was built with support for modular feature "Control-to-node (C2N) support".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_c2n" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasC2N = true
--- a/feature/buildfeatures/feature_peerapiclient_disabled.go
+++ b/feature/buildfeatures/feature_peerapiclient_disabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build ts_omit_peerapiclient
 package buildfeatures
 // HasPeerAPIClient is whether the binary was built with support for modular feature "PeerAPI client support".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_peerapiclient" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasPeerAPIClient = false
--- a/feature/buildfeatures/feature_peerapiclient_enabled.go
+++ b/feature/buildfeatures/feature_peerapiclient_enabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build !ts_omit_peerapiclient
 package buildfeatures
 // HasPeerAPIClient is whether the binary was built with support for modular feature "PeerAPI client support".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_peerapiclient" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasPeerAPIClient = true
--- a/feature/buildfeatures/feature_peerapiserver_disabled.go
+++ b/feature/buildfeatures/feature_peerapiserver_disabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build ts_omit_peerapiserver
 package buildfeatures
 // HasPeerAPIServer is whether the binary was built with support for modular feature "PeerAPI server support".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_peerapiserver" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasPeerAPIServer = false
--- a/feature/buildfeatures/feature_peerapiserver_enabled.go
+++ b/feature/buildfeatures/feature_peerapiserver_enabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build !ts_omit_peerapiserver
 package buildfeatures
 // HasPeerAPIServer is whether the binary was built with support for modular feature "PeerAPI server support".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_peerapiserver" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasPeerAPIServer = true
--- a/feature/buildfeatures/feature_useexitnode_disabled.go
+++ b/feature/buildfeatures/feature_useexitnode_disabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build ts_omit_useexitnode
 package buildfeatures
 // HasUseExitNode is whether the binary was built with support for modular feature "Use exit nodes".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_useexitnode" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasUseExitNode = false
--- a/feature/buildfeatures/feature_useexitnode_enabled.go
+++ b/feature/buildfeatures/feature_useexitnode_enabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build !ts_omit_useexitnode
 package buildfeatures
 // HasUseExitNode is whether the binary was built with support for modular feature "Use exit nodes".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_useexitnode" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasUseExitNode = true
--- a/feature/buildfeatures/feature_useroutes_disabled.go
+++ b/feature/buildfeatures/feature_useroutes_disabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build ts_omit_useroutes
 package buildfeatures
 // HasUseRoutes is whether the binary was built with support for modular feature "Use routes advertised by other nodes".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_useroutes" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasUseRoutes = false
--- a/feature/buildfeatures/feature_useroutes_enabled.go
+++ b/feature/buildfeatures/feature_useroutes_enabled.go
@@ -0,0 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Code generated by gen.go; DO NOT EDIT.
 //go:build !ts_omit_useroutes
 package buildfeatures
 // HasUseRoutes is whether the binary was built with support for modular feature "Use routes advertised by other nodes".
 // Specifically, it's whether the binary was NOT built with the "ts_omit_useroutes" build tag.
 // It's a const so it can be used for dead code elimination.
 const HasUseRoutes = true
--- a/feature/featuretags/featuretags.go
+++ b/feature/featuretags/featuretags.go
@@ -82,6 +82,12 @@ type FeatureMeta struct {
 	Sym  string       // exported Go symbol for boolean const
 	Desc string       // human-readable description
 	Deps []FeatureTag // other features this feature requires
 	// ImplementationDetail is whether the feature is an internal implementation
 	// detail. That is, it's not something a user wuold care about having or not
 	// having, but we'd like to able to omit from builds if no other
 	// user-visible features depend on it.
 	ImplementationDetail bool
 }
 // Features are the known Tailscale features that can be selectively included or
@@ -90,17 +96,45 @@ var Features = map[FeatureTag]FeatureMeta{
 	"acme":          {Sym: "ACME", Desc: "ACME TLS certificate management"},
 	"appconnectors": {Sym: "AppConnectors", Desc: "App Connectors support"},
 	"aws":           {Sym: "AWS", Desc: "AWS integration"},
-	"bakedroots":    {Sym: "BakedRoots", Desc: "Embed CA (LetsEncrypt) x509 roots to use as fallback"},
+	"advertiseexitnode": {
-	"bird":          {Sym: "Bird", Desc: "Bird BGP integration"},
+		Sym:  "AdvertiseExitNode",
 		Desc: "Run an exit node",
 		Deps: []FeatureTag{
 			"peerapiserver", // to run the ExitDNS server
 			"advertiseroutes",
 		},
 	},
 	"advertiseroutes": {
 		Sym:  "AdvertiseRoutes",
 		Desc: "Advertise routes for other nodes to use",
 		Deps: []FeatureTag{
 			"c2n", // for control plane to probe health for HA subnet router leader election
 		},
 	},
 	"bakedroots": {Sym: "BakedRoots", Desc: "Embed CA (LetsEncrypt) x509 roots to use as fallback"},
 	"bird":       {Sym: "Bird", Desc: "Bird BGP integration"},
 	"c2n": {
 		Sym:                  "C2N",
 		Desc:                 "Control-to-node (C2N) support",
 		ImplementationDetail: true,
 	},
 	"captiveportal": {Sym: "CaptivePortal", Desc: "Captive portal detection"},
 	"capture":       {Sym: "Capture", Desc: "Packet capture"},
 	"cloud":         {Sym: "Cloud", Desc: "detect cloud environment to learn instances IPs and DNS servers"},
 	"cli":           {Sym: "CLI", Desc: "embed the CLI into the tailscaled binary"},
 	"cliconndiag":   {Sym: "CLIConnDiag", Desc: "CLI connection error diagnostics"},
 	"clientmetrics": {Sym: "ClientMetrics", Desc: "Client metrics support"},
-	"clientupdate":  {Sym: "ClientUpdate", Desc: "Client auto-update support"},
+	"clientupdate": {
-	"completion":    {Sym: "Completion", Desc: "CLI shell completion"},
+		Sym:  "ClientUpdate",
-	"dbus":          {Sym: "DBus", Desc: "Linux DBus support"},
+		Desc: "Client auto-update support",
 		Deps: []FeatureTag{"c2n"},
 	},
 	"completion": {Sym: "Completion", Desc: "CLI shell completion"},
 	"cloud":      {Sym: "Cloud", Desc: "detect cloud environment to learn instances IPs and DNS servers"},
 	"dbus": {
 		Sym:                  "DBus",
 		Desc:                 "Linux DBus support",
 		ImplementationDetail: true,
 	},
 	"debug":         {Sym: "Debug", Desc: "various debug support, for things that don't have or need their own more specific feature"},
 	"debugeventbus": {Sym: "DebugEventBus", Desc: "eventbus debug support"},
 	"debugportmapper": {
@@ -144,6 +178,16 @@ var Features = map[FeatureTag]FeatureMeta{
 		// by some other feature are missing, then it's an error by default unless you accept
 		// that it's okay to proceed without that meta feature.
 	},
 	"peerapiclient": {
 		Sym:                  "PeerAPIClient",
 		Desc:                 "PeerAPI client support",
 		ImplementationDetail: true,
 	},
 	"peerapiserver": {
 		Sym:                  "PeerAPIServer",
 		Desc:                 "PeerAPI server support",
 		ImplementationDetail: true,
 	},
 	"portlist":   {Sym: "PortList", Desc: "Optionally advertise listening service ports"},
 	"portmapper": {Sym: "PortMapper", Desc: "NAT-PMP/PCP/UPnP port mapping support"},
 	"posture":    {Sym: "Posture", Desc: "Device posture checking support"},
@@ -180,7 +224,7 @@ var Features = map[FeatureTag]FeatureMeta{
 	"ssh": {
 		Sym:  "SSH",
 		Desc: "Tailscale SSH support",
-		Deps: []FeatureTag{"dbus", "netstack"},
+		Deps: []FeatureTag{"c2n", "dbus", "netstack"},
 	},
 	"synology": {
 		Sym:  "Synology",
@@ -192,7 +236,13 @@ var Features = map[FeatureTag]FeatureMeta{
 		Desc: "Linux system tray",
 		Deps: []FeatureTag{"dbus"},
 	},
-	"taildrop":    {Sym: "Taildrop", Desc: "Taildrop (file sending) support"},
+	"taildrop": {
 		Sym:  "Taildrop",
 		Desc: "Taildrop (file sending) support",
 		Deps: []FeatureTag{
 			"peerapiclient", "peerapiserver", // assume Taildrop is both sides for now
 		},
 	},
 	"tailnetlock": {Sym: "TailnetLock", Desc: "Tailnet Lock support"},
 	"tap":         {Sym: "Tap", Desc: "Experimental Layer 2 (ethernet) support"},
 	"tpm":         {Sym: "TPM", Desc: "TPM support"},
@@ -200,6 +250,15 @@ var Features = map[FeatureTag]FeatureMeta{
 		Sym:  "UnixSocketIdentity",
 		Desc: "differentiate between users accessing the LocalAPI over unix sockets (if omitted, all users have full access)",
 	},
 	"useroutes": {
 		Sym:  "UseRoutes",
 		Desc: "Use routes advertised by other nodes",
 	},
 	"useexitnode": {
 		Sym:  "UseExitNode",
 		Desc: "Use exit nodes",
 		Deps: []FeatureTag{"peerapiclient", "useroutes"},
 	},
 	"useproxy": {
 		Sym:  "UseProxy",
 		Desc: "Support using system proxies as specified by env vars or the system configuration to reach Tailscale servers.",
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -32,12 +32,17 @@ import (
 // c2nHandlers maps an HTTP method and URI path (without query parameters) to
 // its handler. The exact method+path match is preferred, but if no entry
 // exists for that, a map entry with an empty method is used as a fallback.
-var c2nHandlers = map[methodAndPath]c2nHandler{
+var c2nHandlers map[methodAndPath]c2nHandler
 	// Debug.
 	req("/echo"): handleC2NEcho,
 }
 func init() {
 	c2nHandlers = map[methodAndPath]c2nHandler{}
 	if buildfeatures.HasC2N {
 		// Echo is the basic "ping" handler as used by the control plane to probe
 		// whether a node is reachable. In particular, it's important for
 		// high-availability subnet routers for the control plane to probe which of
 		// several candidate nodes is reachable and actually alive.
 		RegisterC2N("/echo", handleC2NEcho)
 	}
 	if buildfeatures.HasSSH {
 		RegisterC2N("/ssh/usernames", handleC2NSSHUsernames)
 	}
@@ -69,6 +74,9 @@ func init() {
 // A pattern is like "GET /foo" (specific to an HTTP method) or "/foo" (all
 // methods). It panics if the pattern is already registered.
 func RegisterC2N(pattern string, h func(*LocalBackend, http.ResponseWriter, *http.Request)) {
 	if !buildfeatures.HasC2N {
 		return
 	}
 	k := req(pattern)
 	if _, ok := c2nHandlers[k]; ok {
 		panic(fmt.Sprintf("c2n: duplicate handler for %q", pattern))
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -550,10 +550,12 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 	// Following changes are triggered via the eventbus.
 	b.linkChange(&netmon.ChangeDelta{New: netMon.InterfaceState()})
-	if tunWrap, ok := b.sys.Tun.GetOK(); ok {
+	if buildfeatures.HasPeerAPIServer {
-		tunWrap.PeerAPIPort = b.GetPeerAPIPort
+		if tunWrap, ok := b.sys.Tun.GetOK(); ok {
-	} else {
+			tunWrap.PeerAPIPort = b.GetPeerAPIPort
-		b.logf("[unexpected] failed to wire up PeerAPI port for engine %T", e)
+		} else {
 			b.logf("[unexpected] failed to wire up PeerAPI port for engine %T", e)
 		}
 	}
 	if buildfeatures.HasDebug {
@@ -972,15 +974,17 @@ func (b *LocalBackend) linkChange(delta *netmon.ChangeDelta) {
 	b.updateFilterLocked(prefs)
 	updateExitNodeUsageWarning(prefs, delta.New, b.health)
-	cn := b.currentNode()
+	if buildfeatures.HasPeerAPIServer {
-	nm := cn.NetMap()
+		cn := b.currentNode()
-	if peerAPIListenAsync && nm != nil && b.state == ipn.Running {
+		nm := cn.NetMap()
-		want := nm.GetAddresses().Len()
+		if peerAPIListenAsync && nm != nil && b.state == ipn.Running {
-		have := len(b.peerAPIListeners)
+			want := nm.GetAddresses().Len()
-		b.logf("[v1] linkChange: have %d peerAPIListeners, want %d", have, want)
+			have := len(b.peerAPIListeners)
-		if have < want {
+			b.logf("[v1] linkChange: have %d peerAPIListeners, want %d", have, want)
-			b.logf("linkChange: peerAPIListeners too low; trying again")
+			if have < want {
-			b.goTracker.Go(b.initPeerAPIListener)
+				b.logf("linkChange: peerAPIListeners too low; trying again")
 				b.goTracker.Go(b.initPeerAPIListener)
 			}
 		}
 	}
 }
@@ -1368,7 +1372,7 @@ func peerStatusFromNode(ps *ipnstate.PeerStatus, n tailcfg.NodeView) {
 	ps.PublicKey = n.Key()
 	ps.ID = n.StableID()
 	ps.Created = n.Created()
-	ps.ExitNodeOption = tsaddr.ContainsExitRoutes(n.AllowedIPs())
+	ps.ExitNodeOption = buildfeatures.HasUseExitNode && tsaddr.ContainsExitRoutes(n.AllowedIPs())
 	if n.Tags().Len() != 0 {
 		v := n.Tags()
 		ps.Tags = &v
@@ -1897,6 +1901,9 @@ func (b *LocalBackend) applySysPolicyLocked(prefs *ipn.Prefs) (anyChange bool) {
 //
 // b.mu must be held.
 func (b *LocalBackend) applyExitNodeSysPolicyLocked(prefs *ipn.Prefs) (anyChange bool) {
 	if !buildfeatures.HasUseExitNode {
 		return false
 	}
 	if exitNodeIDStr, _ := b.polc.GetString(pkey.ExitNodeID, ""); exitNodeIDStr != "" {
 		exitNodeID := tailcfg.StableNodeID(exitNodeIDStr)
@@ -2002,7 +2009,7 @@ func (b *LocalBackend) sysPolicyChanged(policy policyclient.PolicyChange) {
 		b.mu.Unlock()
 	}
-	if policy.HasChanged(pkey.AllowedSuggestedExitNodes) {
+	if buildfeatures.HasUseExitNode && policy.HasChanged(pkey.AllowedSuggestedExitNodes) {
 		b.refreshAllowedSuggestions()
 		// Re-evaluate exit node suggestion now that the policy setting has changed.
 		if _, err := b.SuggestExitNode(); err != nil && !errors.Is(err, ErrNoPreferredDERP) {
@@ -2073,6 +2080,9 @@ func (b *LocalBackend) UpdateNetmapDelta(muts []netmap.NodeMutation) (handled bo
 // mustationsAreWorthyOfRecalculatingSuggestedExitNode reports whether any mutation type in muts is
 // worthy of recalculating the suggested exit node.
 func mutationsAreWorthyOfRecalculatingSuggestedExitNode(muts []netmap.NodeMutation, cn *nodeBackend, sid tailcfg.StableNodeID) bool {
 	if !buildfeatures.HasUseExitNode {
 		return false
 	}
 	for _, m := range muts {
 		n, ok := cn.NodeByID(m.NodeIDBeingMutated())
 		if !ok {
@@ -2126,6 +2136,9 @@ func mutationsAreWorthyOfTellingIPNBus(muts []netmap.NodeMutation) bool {
 //
 // b.mu must be held.
 func (b *LocalBackend) resolveAutoExitNodeLocked(prefs *ipn.Prefs) (prefsChanged bool) {
 	if !buildfeatures.HasUseExitNode {
 		return false
 	}
 	// As of 2025-07-08, the only supported auto exit node expression is [ipn.AnyExitNode].
 	//
 	// However, to maintain forward compatibility with future auto exit node expressions,
@@ -2170,6 +2183,9 @@ func (b *LocalBackend) resolveAutoExitNodeLocked(prefs *ipn.Prefs) (prefsChanged
 //
 // b.mu must be held.
 func (b *LocalBackend) resolveExitNodeIPLocked(prefs *ipn.Prefs) (prefsChanged bool) {
 	if !buildfeatures.HasUseExitNode {
 		return false
 	}
 	// If we have a desired IP on file, try to find the corresponding node.
 	if !prefs.ExitNodeIP.IsValid() {
 		return false
@@ -2455,6 +2471,11 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		}
 	}
 	var c2nHandler http.Handler
 	if buildfeatures.HasC2N {
 		c2nHandler = http.HandlerFunc(b.handleC2N)
 	}
 	// TODO(apenwarr): The only way to change the ServerURL is to
 	// re-run b.Start, because this is the only place we create a
 	// new controlclient. EditPrefs allows you to overwrite ServerURL,
@@ -2475,7 +2496,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		PopBrowserURL:        b.tellClientToBrowseToURL,
 		Dialer:               b.Dialer(),
 		Observer:             b,
-		C2NHandler:           http.HandlerFunc(b.handleC2N),
+		C2NHandler:           c2nHandler,
 		DialPlan:             &b.dialPlan, // pointer because it can't be copied
 		ControlKnobs:         b.sys.ControlKnobs(),
 		Shutdown:             ccShutdown,
@@ -2623,31 +2644,33 @@ func (b *LocalBackend) updateFilterLocked(prefs ipn.PrefsView) {
 		}
 	}
 	if prefs.Valid() {
-		for _, r := range prefs.AdvertiseRoutes().All() {
+		if buildfeatures.HasAdvertiseRoutes {
-			if r.Bits() == 0 {
+			for _, r := range prefs.AdvertiseRoutes().All() {
-				// When offering a default route to the world, we
+				if r.Bits() == 0 {
-				// filter out locally reachable LANs, so that the
+					// When offering a default route to the world, we
-				// default route effectively appears to be a "guest
+					// filter out locally reachable LANs, so that the
-				// wifi": you get internet access, but to additionally
+					// default route effectively appears to be a "guest
-				// get LAN access the LAN(s) need to be offered
+					// wifi": you get internet access, but to additionally
-				// explicitly as well.
+					// get LAN access the LAN(s) need to be offered
-				localInterfaceRoutes, hostIPs, err := interfaceRoutes()
+					// explicitly as well.
-				if err != nil {
+					localInterfaceRoutes, hostIPs, err := interfaceRoutes()
-					b.logf("getting local interface routes: %v", err)
+					if err != nil {
-					continue
+						b.logf("getting local interface routes: %v", err)
 						continue
 					}
 					s, err := shrinkDefaultRoute(r, localInterfaceRoutes, hostIPs)
 					if err != nil {
 						b.logf("computing default route filter: %v", err)
 						continue
 					}
 					localNetsB.AddSet(s)
 				} else {
 					localNetsB.AddPrefix(r)
 					// When advertising a non-default route, we assume
 					// this is a corporate subnet that should be present
 					// in the audit logs.
 					logNetsB.AddPrefix(r)
 				}
 				s, err := shrinkDefaultRoute(r, localInterfaceRoutes, hostIPs)
 				if err != nil {
 					b.logf("computing default route filter: %v", err)
 					continue
 				}
 				localNetsB.AddSet(s)
 			} else {
 				localNetsB.AddPrefix(r)
 				// When advertising a non-default route, we assume
 				// this is a corporate subnet that should be present
 				// in the audit logs.
 				logNetsB.AddPrefix(r)
 			}
 		}
@@ -2658,7 +2681,7 @@ func (b *LocalBackend) updateFilterLocked(prefs ipn.PrefsView) {
 		// The correct filter rules are synthesized by the coordination server
 		// and sent down, but the address needs to be part of the 'local net' for the
 		// filter package to even bother checking the filter rules, so we set them here.
-		if prefs.AppConnector().Advertise {
+		if buildfeatures.HasAppConnectors && prefs.AppConnector().Advertise {
 			localNetsB.Add(netip.MustParseAddr("0.0.0.0"))
 			localNetsB.Add(netip.MustParseAddr("::0"))
 		}
@@ -3712,6 +3735,9 @@ func (b *LocalBackend) Ping(ctx context.Context, ip netip.Addr, pingType tailcfg
 }
 func (b *LocalBackend) pingPeerAPI(ctx context.Context, ip netip.Addr) (peer tailcfg.NodeView, peerBase string, err error) {
 	if !buildfeatures.HasPeerAPIClient {
 		return peer, peerBase, feature.ErrUnavailable
 	}
 	var zero tailcfg.NodeView
 	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
@@ -4051,6 +4077,9 @@ var exitNodeMisconfigurationWarnable = health.Register(&health.Warnable{
 // updateExitNodeUsageWarning updates a warnable meant to notify users of
 // configuration issues that could break exit node usage.
 func updateExitNodeUsageWarning(p ipn.PrefsView, state *netmon.State, healthTracker *health.Tracker) {
 	if !buildfeatures.HasUseExitNode {
 		return
 	}
 	var msg string
 	if p.ExitNodeIP().IsValid() || p.ExitNodeID() != "" {
 		warn, _ := netutil.CheckReversePathFiltering(state)
@@ -4070,6 +4099,9 @@ func (b *LocalBackend) checkExitNodePrefsLocked(p *ipn.Prefs) error {
 	if !tryingToUseExitNode {
 		return nil
 	}
 	if !buildfeatures.HasUseExitNode {
 		return feature.ErrUnavailable
 	}
 	if err := featureknob.CanUseExitNode(); err != nil {
 		return err
@@ -4110,6 +4142,9 @@ func (b *LocalBackend) SetUseExitNodeEnabled(actor ipnauth.Actor, v bool) (ipn.P
 	defer unlock()
 	p0 := b.pm.CurrentPrefs()
 	if !buildfeatures.HasUseExitNode {
 		return p0, nil
 	}
 	if v && p0.ExitNodeID() != "" {
 		// Already on.
 		return p0, nil
@@ -4240,6 +4275,9 @@ func (b *LocalBackend) checkEditPrefsAccessLocked(actor ipnauth.Actor, prefs ipn
 //
 // b.mu must be held.
 func (b *LocalBackend) changeDisablesExitNodeLocked(prefs ipn.PrefsView, change *ipn.MaskedPrefs) bool {
 	if !buildfeatures.HasUseExitNode {
 		return false
 	}
 	if !change.AutoExitNodeSet && !change.ExitNodeIDSet && !change.ExitNodeIPSet {
 		// The change does not affect exit node usage.
 		return false
@@ -4577,6 +4615,9 @@ func (b *LocalBackend) setPrefsLockedOnEntry(newp *ipn.Prefs, unlock unlockOnce)
 // GetPeerAPIPort returns the port number for the peerapi server
 // running on the provided IP.
 func (b *LocalBackend) GetPeerAPIPort(ip netip.Addr) (port uint16, ok bool) {
 	if !buildfeatures.HasPeerAPIServer {
 		return 0, false
 	}
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	for _, pln := range b.peerAPIListeners {
@@ -4936,10 +4977,12 @@ func (b *LocalBackend) authReconfig() {
 	// Keep the dialer updated about whether we're supposed to use
 	// an exit node's DNS server (so SOCKS5/HTTP outgoing dials
 	// can use it for name resolution)
-	if dohURLOK {
+	if buildfeatures.HasUseExitNode {
-		b.dialer.SetExitDNSDoH(dohURL)
+		if dohURLOK {
-	} else {
+			b.dialer.SetExitDNSDoH(dohURL)
-		b.dialer.SetExitDNSDoH("")
+		} else {
 			b.dialer.SetExitDNSDoH("")
 		}
 	}
 	cfg, err := nmcfg.WGCfg(nm, b.logf, flags, prefs.ExitNodeID())
@@ -5064,6 +5107,9 @@ func (b *LocalBackend) TailscaleVarRoot() string {
 //
 // b.mu must be held.
 func (b *LocalBackend) closePeerAPIListenersLocked() {
 	if !buildfeatures.HasPeerAPIServer {
 		return
 	}
 	b.peerAPIServer = nil
 	for _, pln := range b.peerAPIListeners {
 		pln.Close()
@@ -5079,6 +5125,9 @@ func (b *LocalBackend) closePeerAPIListenersLocked() {
 const peerAPIListenAsync = runtime.GOOS == "windows" || runtime.GOOS == "android"
 func (b *LocalBackend) initPeerAPIListener() {
 	if !buildfeatures.HasPeerAPIServer {
 		return
 	}
 	b.logf("[v1] initPeerAPIListener: entered")
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -5903,6 +5952,9 @@ func (b *LocalBackend) setNetInfo(ni *tailcfg.NetInfo) {
 // RefreshExitNode determines which exit node to use based on the current
 // prefs and netmap and switches to it if needed.
 func (b *LocalBackend) RefreshExitNode() {
 	if !buildfeatures.HasUseExitNode {
 		return
 	}
 	if b.resolveExitNode() {
 		b.authReconfig()
 	}
@@ -5918,6 +5970,9 @@ func (b *LocalBackend) RefreshExitNode() {
 //
 // b.mu must not be held.
 func (b *LocalBackend) resolveExitNode() (changed bool) {
 	if !buildfeatures.HasUseExitNode {
 		return false
 	}
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -6468,6 +6523,9 @@ func (b *LocalBackend) SetDeviceAttrs(ctx context.Context, attrs tailcfg.AttrUpd
 //
 // If exitNodeID is the zero valid, it returns "", false.
 func exitNodeCanProxyDNS(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.NodeView, exitNodeID tailcfg.StableNodeID) (dohURL string, ok bool) {
 	if !buildfeatures.HasUseExitNode {
 		return "", false
 	}
 	if exitNodeID.IsZero() {
 		return "", false
 	}
@@ -7084,6 +7142,9 @@ var ErrNoPreferredDERP = errors.New("no preferred DERP, try again later")
 //
 // b.mu.lock() must be held.
 func (b *LocalBackend) suggestExitNodeLocked() (response apitype.ExitNodeSuggestionResponse, err error) {
 	if !buildfeatures.HasUseExitNode {
 		return response, feature.ErrUnavailable
 	}
 	lastReport := b.MagicConn().GetLastNetcheckReport(b.ctx)
 	prevSuggestion := b.lastSuggestedExitNode
@@ -7101,6 +7162,9 @@ func (b *LocalBackend) suggestExitNodeLocked() (response apitype.ExitNodeSuggest
 }
 func (b *LocalBackend) SuggestExitNode() (response apitype.ExitNodeSuggestionResponse, err error) {
 	if !buildfeatures.HasUseExitNode {
 		return response, feature.ErrUnavailable
 	}
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	return b.suggestExitNodeLocked()
@@ -7117,6 +7181,9 @@ func (b *LocalBackend) getAllowedSuggestions() set.Set[tailcfg.StableNodeID] {
 // refreshAllowedSuggestions rebuilds the set of permitted exit nodes
 // from the current [pkey.AllowedSuggestedExitNodes] value.
 func (b *LocalBackend) refreshAllowedSuggestions() {
 	if !buildfeatures.HasUseExitNode {
 		return
 	}
 	b.allowedSuggestedExitNodesMu.Lock()
 	defer b.allowedSuggestedExitNodesMu.Unlock()
 	b.allowedSuggestedExitNodes = fillAllowedSuggestions(b.polc)
--- a/ipn/ipnlocal/node_backend.go
+++ b/ipn/ipnlocal/node_backend.go
@@ -530,6 +530,9 @@ func (nb *nodeBackend) dnsConfigForNetmap(prefs ipn.PrefsView, selfExpired bool,
 }
 func (nb *nodeBackend) exitNodeCanProxyDNS(exitNodeID tailcfg.StableNodeID) (dohURL string, ok bool) {
 	if !buildfeatures.HasUseExitNode {
 		return "", false
 	}
 	nb.mu.Lock()
 	defer nb.mu.Unlock()
 	return exitNodeCanProxyDNS(nb.netMap, nb.peers, exitNodeID)
@@ -769,18 +772,20 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
 	// If we're using an exit node and that exit node is new enough (1.19.x+)
 	// to run a DoH DNS proxy, then send all our DNS traffic through it,
 	// unless we find resolvers with UseWithExitNode set, in which case we use that.
-	if dohURL, ok := exitNodeCanProxyDNS(nm, peers, prefs.ExitNodeID()); ok {
+	if buildfeatures.HasUseExitNode {
-		filtered := useWithExitNodeResolvers(nm.DNS.Resolvers)
+		if dohURL, ok := exitNodeCanProxyDNS(nm, peers, prefs.ExitNodeID()); ok {
-		if len(filtered) > 0 {
+			filtered := useWithExitNodeResolvers(nm.DNS.Resolvers)
-			addDefault(filtered)
+			if len(filtered) > 0 {
-		} else {
+				addDefault(filtered)
-			// If no default global resolvers with the override
+			} else {
-			// are configured, configure the exit node's resolver.
+				// If no default global resolvers with the override
-			addDefault([]*dnstype.Resolver{{Addr: dohURL}})
+				// are configured, configure the exit node's resolver.
-		}
+				addDefault([]*dnstype.Resolver{{Addr: dohURL}})
 			}
-		addSplitDNSRoutes(useWithExitNodeRoutes(nm.DNS.Routes))
+			addSplitDNSRoutes(useWithExitNodeRoutes(nm.DNS.Routes))
-		return dcfg
+			return dcfg
 		}
 	}
 	// If the user has set default resolvers ("override local DNS"), prefer to
@@ -788,7 +793,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
 	// node resolvers, use those as the default.
 	if len(nm.DNS.Resolvers) > 0 {
 		addDefault(nm.DNS.Resolvers)
-	} else {
+	} else if buildfeatures.HasUseExitNode {
 		if resolvers, ok := wireguardExitNodeDNSResolvers(nm, peers, prefs.ExitNodeID()); ok {
 			addDefault(resolvers)
 		}
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -26,6 +26,7 @@ import (
 	"golang.org/x/net/dns/dnsmessage"
 	"golang.org/x/net/http/httpguts"
 	"tailscale.com/envknob"
 	"tailscale.com/feature"
 	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
@@ -131,6 +132,9 @@ type peerAPIListener struct {
 }
 func (pln *peerAPIListener) Close() error {
 	if !buildfeatures.HasPeerAPIServer {
 		return nil
 	}
 	if pln.ln != nil {
 		return pln.ln.Close()
 	}
@@ -138,6 +142,9 @@ func (pln *peerAPIListener) Close() error {
 }
 func (pln *peerAPIListener) serve() {
 	if !buildfeatures.HasPeerAPIServer {
 		return
 	}
 	if pln.ln == nil {
 		return
 	}
@@ -319,6 +326,9 @@ func peerAPIRequestShouldGetSecurityHeaders(r *http.Request) bool {
 //
 // It panics if the path is already registered.
 func RegisterPeerAPIHandler(path string, f func(PeerAPIHandler, http.ResponseWriter, *http.Request)) {
 	if !buildfeatures.HasPeerAPIServer {
 		return
 	}
 	if _, ok := peerAPIHandlers[path]; ok {
 		panic(fmt.Sprintf("duplicate PeerAPI handler %q", path))
 	}
@@ -337,6 +347,10 @@ var (
 )
 func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if !buildfeatures.HasPeerAPIServer {
 		http.Error(w, feature.ErrUnavailable.Error(), http.StatusNotImplemented)
 		return
 	}
 	if err := h.validatePeerAPIRequest(r); err != nil {
 		metricInvalidRequests.Add(1)
 		h.logf("invalid request from %v: %v", h.remoteAddr, err)
--- a/ipn/ipnlocal/prefs_metrics.go
+++ b/ipn/ipnlocal/prefs_metrics.go
@@ -6,6 +6,7 @@ package ipnlocal
 import (
 	"errors"
 	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
@@ -85,6 +86,9 @@ func (e *prefsMetricsEditEvent) record() error {
 // false otherwise.  The caller is responsible for ensuring that the id belongs to
 // an exit node.
 func (e *prefsMetricsEditEvent) exitNodeType(id tailcfg.StableNodeID) (props []exitNodeProperty, isNode bool) {
 	if !buildfeatures.HasUseExitNode {
 		return nil, false
 	}
 	var peer tailcfg.NodeView
 	if peer, isNode = e.node.PeerByStableID(id); isNode {
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -72,7 +72,6 @@ var handler = map[string]LocalAPIHandler{
 	// The other /localapi/v0/NAME handlers are exact matches and contain only NAME
 	// without a trailing slash:
 	"alpha-set-device-attrs":       (*Handler).serveSetDeviceAttrs, // see tailscale/corp#24690
 	"bugreport":                    (*Handler).serveBugReport,
 	"check-ip-forwarding":          (*Handler).serveCheckIPForwarding,
 	"check-prefs":                  (*Handler).serveCheckPrefs,
 	"check-reverse-path-filtering": (*Handler).serveCheckReversePathFiltering,
@@ -90,21 +89,17 @@ var handler = map[string]LocalAPIHandler{
 	"logtap":                       (*Handler).serveLogTap,
 	"metrics":                      (*Handler).serveMetrics,
 	"ping":                         (*Handler).servePing,
 	"pprof":                        (*Handler).servePprof,
 	"prefs":                        (*Handler).servePrefs,
 	"query-feature":                (*Handler).serveQueryFeature,
 	"reload-config":                (*Handler).reloadConfig,
 	"reset-auth":                   (*Handler).serveResetAuth,
 	"set-dns":                      (*Handler).serveSetDNS,
 	"set-expiry-sooner":            (*Handler).serveSetExpirySooner,
 	"set-gui-visible":              (*Handler).serveSetGUIVisible,
 	"set-push-device-token":        (*Handler).serveSetPushDeviceToken,
 	"set-udp-gro-forwarding":       (*Handler).serveSetUDPGROForwarding,
 	"set-use-exit-node-enabled":    (*Handler).serveSetUseExitNodeEnabled,
 	"shutdown":                     (*Handler).serveShutdown,
 	"start":                        (*Handler).serveStart,
 	"status":                       (*Handler).serveStatus,
 	"suggest-exit-node":            (*Handler).serveSuggestExitNode,
 	"update/check":                 (*Handler).serveUpdateCheck,
 	"upload-client-metrics":        (*Handler).serveUploadClientMetrics,
 	"usermetrics":                  (*Handler).serveUserMetrics,
@@ -116,6 +111,17 @@ func init() {
 	if buildfeatures.HasAppConnectors {
 		Register("appc-route-info", (*Handler).serveGetAppcRouteInfo)
 	}
 	if buildfeatures.HasUseExitNode {
 		Register("suggest-exit-node", (*Handler).serveSuggestExitNode)
 		Register("set-use-exit-node-enabled", (*Handler).serveSetUseExitNodeEnabled)
 	}
 	if buildfeatures.HasACME {
 		Register("set-dns", (*Handler).serveSetDNS)
 	}
 	if buildfeatures.HasDebug {
 		Register("bugreport", (*Handler).serveBugReport)
 		Register("pprof", (*Handler).servePprof)
 	}
 }
 // Register registers a new LocalAPI handler for the given name.
@@ -1291,6 +1297,10 @@ func (h *Handler) serveSetGUIVisible(w http.ResponseWriter, r *http.Request) {
 }
 func (h *Handler) serveSetUseExitNodeEnabled(w http.ResponseWriter, r *http.Request) {
 	if !buildfeatures.HasUseExitNode {
 		http.Error(w, feature.ErrUnavailable.Error(), http.StatusNotImplemented)
 		return
 	}
 	if r.Method != httpm.POST {
 		http.Error(w, "use POST", http.StatusMethodNotAllowed)
 		return
@@ -1629,6 +1639,10 @@ func dnsMessageTypeForString(s string) (t dnsmessage.Type, err error) {
 // serveSuggestExitNode serves a POST endpoint for returning a suggested exit node.
 func (h *Handler) serveSuggestExitNode(w http.ResponseWriter, r *http.Request) {
 	if !buildfeatures.HasUseExitNode {
 		http.Error(w, feature.ErrUnavailable.Error(), http.StatusNotImplemented)
 		return
 	}
 	if r.Method != httpm.GET {
 		http.Error(w, "only GET allowed", http.StatusMethodNotAllowed)
 		return
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -20,6 +20,7 @@ import (
 	"tailscale.com/atomicfile"
 	"tailscale.com/drive"
 	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/tsaddr"
@@ -787,6 +788,9 @@ func (p *Prefs) AdvertisesExitNode() bool {
 // SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two
 // /0 exit node routes.
 func (p *Prefs) SetAdvertiseExitNode(runExit bool) {
 	if !buildfeatures.HasAdvertiseExitNode {
 		return
 	}
 	if p == nil {
 		return
 	}
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -27,6 +27,7 @@ import (
 	dns "golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/control/controlknobs"
 	"tailscale.com/envknob"
 	"tailscale.com/feature"
 	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/health"
 	"tailscale.com/net/dns/publicdns"
@@ -530,6 +531,9 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		}()
 	}
 	if strings.HasPrefix(rr.name.Addr, "http://") {
 		if !buildfeatures.HasPeerAPIClient {
 			return nil, feature.ErrUnavailable
 		}
 		return f.sendDoH(ctx, rr.name.Addr, f.dialer.PeerAPIHTTPClient(), fq.packet)
 	}
 	if strings.HasPrefix(rr.name.Addr, "https://") {
--- a/net/netmon/interfaces_linux.go
+++ b/net/netmon/interfaces_linux.go
@@ -22,6 +22,7 @@ import (
 	"github.com/mdlayher/netlink"
 	"go4.org/mem"
 	"golang.org/x/sys/unix"
 	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/util/lineiter"
 )
@@ -41,6 +42,9 @@ ens18   00000000        0100000A        0003    0       0       0       00000000
 ens18   0000000A        00000000        0001    0       0       0       0000FFFF        0       0       0
 */
 func likelyHomeRouterIPLinux() (ret netip.Addr, myIP netip.Addr, ok bool) {
 	if !buildfeatures.HasPortMapper {
 		return
 	}
 	if procNetRouteErr.Load() {
 		// If we failed to read /proc/net/route previously, don't keep trying.
 		return ret, myIP, false
--- a/net/netmon/netmon.go
+++ b/net/netmon/netmon.go
@@ -14,6 +14,7 @@ import (
 	"sync"
 	"time"
 	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/eventbus"
@@ -181,6 +182,9 @@ func (m *Monitor) SetTailscaleInterfaceName(ifName string) {
 // It's the same as interfaces.LikelyHomeRouterIP, but it caches the
 // result until the monitor detects a network change.
 func (m *Monitor) GatewayAndSelfIP() (gw, myIP netip.Addr, ok bool) {
 	if !buildfeatures.HasPortMapper {
 		return
 	}
 	if m.static {
 		return
 	}
--- a/net/netmon/state.go
+++ b/net/netmon/state.go
@@ -573,6 +573,9 @@ var disableLikelyHomeRouterIPSelf = envknob.RegisterBool("TS_DEBUG_DISABLE_LIKEL
 // the LAN using that gateway.
 // This is used as the destination for UPnP, NAT-PMP, PCP, etc queries.
 func LikelyHomeRouterIP() (gateway, myIP netip.Addr, ok bool) {
 	if !buildfeatures.HasPortMapper {
 		return
 	}
 	// If we don't have a way to get the home router IP, then we can't do
 	// anything; just return.
 	if likelyHomeRouterIP == nil {
--- a/net/portmapper/portmapper.go
+++ b/net/portmapper/portmapper.go
@@ -20,6 +20,7 @@ import (
 	"go4.org/mem"
 	"tailscale.com/envknob"
 	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/neterror"
 	"tailscale.com/net/netmon"
@@ -262,10 +263,13 @@ func NewClient(c Config) *Client {
 		panic("nil EventBus")
 	}
 	ret := &Client{
-		logf:         c.Logf,
+		logf:     c.Logf,
-		netMon:       c.NetMon,
+		netMon:   c.NetMon,
-		ipAndGateway: netmon.LikelyHomeRouterIP, // TODO(bradfitz): move this to method on netMon
+		onChange: c.OnChange,
-		onChange:     c.OnChange,
+	}
 	if buildfeatures.HasPortMapper {
 		// TODO(bradfitz): move this to method on netMon
 		ret.ipAndGateway = netmon.LikelyHomeRouterIP
 	}
 	ret.pubClient = c.EventBus.Client("portmapper")
 	ret.updates = eventbus.Publish[portmappertype.Mapping](ret.pubClient)
--- a/net/tsdial/tsdial.go
+++ b/net/tsdial/tsdial.go
@@ -19,6 +19,8 @@ import (
 	"time"
 	"github.com/gaissmai/bart"
 	"tailscale.com/feature"
 	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netknob"
 	"tailscale.com/net/netmon"
@@ -135,6 +137,9 @@ func (d *Dialer) TUNName() string {
 //
 // For example, "http://100.68.82.120:47830/dns-query".
 func (d *Dialer) SetExitDNSDoH(doh string) {
 	if !buildfeatures.HasUseExitNode {
 		return
 	}
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	if d.exitDNSDoHBase == doh {
@@ -372,7 +377,7 @@ func (d *Dialer) userDialResolve(ctx context.Context, network, addr string) (net
 	}
 	var r net.Resolver
-	if exitDNSDoH != "" {
+	if buildfeatures.HasUseExitNode && buildfeatures.HasPeerAPIClient && exitDNSDoH != "" {
 		r.PreferGo = true
 		r.Dial = func(ctx context.Context, network, address string) (net.Conn, error) {
 			return &dohConn{
@@ -509,6 +514,9 @@ func (d *Dialer) UserDial(ctx context.Context, network, addr string) (net.Conn,
 // network must a "tcp" type, and addr must be an ip:port. Name resolution
 // is not supported.
 func (d *Dialer) dialPeerAPI(ctx context.Context, network, addr string) (net.Conn, error) {
 	if !buildfeatures.HasPeerAPIClient {
 		return nil, feature.ErrUnavailable
 	}
 	switch network {
 	case "tcp", "tcp6", "tcp4":
 	default:
@@ -551,6 +559,9 @@ func (d *Dialer) getPeerDialer() *net.Dialer {
 // The returned Client must not be mutated; it's owned by the Dialer
 // and shared by callers.
 func (d *Dialer) PeerAPIHTTPClient() *http.Client {
 	if !buildfeatures.HasPeerAPIClient {
 		panic("unreachable")
 	}
 	d.peerClientOnce.Do(func() {
 		t := http.DefaultTransport.(*http.Transport).Clone()
 		t.Dial = nil