Commit Graph

626 Commits

Author SHA1 Message Date
Brad Fitzpatrick
e6fbc0cd54 cmd/tailscaled, ipn/ipnserver: refactor ipnserver
More work towards removing the massive ipnserver.Run and ipnserver.Options
and making composable pieces.

Work remains. (The getEngine retry loop on Windows complicates things.)
For now some duplicate code exists. Once the Windows side is fixed
to either not need the retry loop or to move the retry loop into a
custom wgengine.Engine wrapper, then we can unify tailscaled_windows.go
too.

Change-Id: If84d16e3cd15b54ead3c3bb301f27ae78d055f80
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-05 15:00:02 -07:00
Brad Fitzpatrick
2b082959db safesocket: add WindowsLocalPort const
Remove all the 41112 references.

Change-Id: I2d7ed330d457e3bb91b7e6416cfb2667611e50c4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-05 14:05:13 -07:00
Brad Fitzpatrick
649f7556e8 cmd/tailscaled, ipn: add tailscaled --statedir flag for var directory
Fixes #2932

Change-Id: I1aa2b323ad542386d140f8336bcc4dcbb8310bd0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-03 13:12:38 -07:00
Josh Bleecher Snyder
3fd5f4380f util/multierr: new package
github.com/go-multierror/multierror served us well.
But we need a few feature from it (implement Is),
and it's not worth maintaining a fork of such a small module.

Instead, I did a clean room implementation inspired by its API.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-11-02 17:50:15 -07:00
Brad Fitzpatrick
ff1954cfd9 wgengine/router: use netlink for ip rules on Linux
Using temporary netlink fork in github.com/tailscale/netlink until we
get the necessary changes upstream in either vishvananda/netlink
or jsimonetti/rtnetlink.

Updates #391

Change-Id: I6e1de96cf0750ccba53dabff670aca0c56dffb7c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-01 15:40:36 -07:00
Brad Fitzpatrick
5dc5bd8d20 cmd/tailscaled, wgengine/netstack: always wire up netstack
Even if not in use. We plan to use it for more stuff later.

(not for iOS or macOS-GUIs yet; only tailscaled)

Change-Id: Idaef719d2a009be6a39f158fd8f57f8cca68e0ee
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-11-01 14:11:30 -07:00
oocococo
3a2b0fc36c cmd/derper: support custom TLS port when in manual mode (#3231)
Fixes #3232

Change-Id: I8dae5c01f9dfdfd6d45e34e4ca3534b642ae5c8e
Signed-off-by: oocococo <mercurial.lx@gmail.com>
2021-10-31 18:31:49 -07:00
David Anderson
27e83402a8 cmd/tailscaled: fix depaware. 2021-10-29 15:07:13 -07:00
David Anderson
37c150aee1 derp: use new node key type.
Update #3206

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-10-28 16:02:11 -07:00
David Anderson
15376f975b types/wgkey: delete, no longer used.
Updates #3206

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-10-28 14:53:38 -07:00
David Anderson
c41fe182f0 cmd/tailscaled: update depaware.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-10-28 14:28:59 -07:00
Josh Bleecher Snyder
640de1921f depaware: update
To fix build broken by c9bf773312.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-10-28 12:35:14 -07:00
Brad Fitzpatrick
dc2fbf5877 wgengine/router: start using netlink instead of 'ip' on Linux
Converts up, down, add/del addresses, add/del routes.

Not yet done: rules.

Updates #391

Change-Id: I02554ca07046d18f838e04a626ba99bbd35266fb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-28 10:16:26 -07:00
Brad Fitzpatrick
31e4f60047 version: embed VERSION.txt in unstamped version
Temporary measure until we switch to Go 1.18.

    $ go run ./cmd/tailscale version
    1.17.0-date.20211022
      go version: go1.17

Updates #81

Change-Id: Ic82ebffa5f46789089e5fb9810b3f29e36a47f1a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-28 09:48:24 -07:00
David Anderson
a47158e14d cmd/derper: use new node key type.
Updates #3206

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-10-28 09:39:23 -07:00
Brad Fitzpatrick
675f9cd199 cmd/tailscale/cli: add, use log.Fatalf indirection for js/wasm
Updates #3157

Change-Id: I97a4962a44bd36313ff68388e3de0d852a8fa869
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-27 15:19:52 -07:00
Brad Fitzpatrick
5df7ac70d6 cmd/tailscale/cli: add Stdout, Stderr and output through them
So js/wasm can override where those go, without implementing
an *os.File pipe pair, etc.

Updates #3157

Change-Id: I14ba954d9f2349ff15b58796d95ecb1367e8ba3a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-27 14:53:46 -07:00
Brad Fitzpatrick
3b5ada1fd8 cmd/tailscale/cli: use errors.Is to check ff's wrapped flag errors
And also check from its Parse method.

Change-Id: I18754920575254cb6858a16b7954e74aa16483a1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-27 14:06:22 -07:00
Brad Fitzpatrick
75de4e9cc2 cmd/tailscale/cli: don't ExitOnError on js/wasm
An os.Exit brings down the whole wasm module.

Updates #3157

Change-Id: I3daa97fd854715b901f3dbb04b57d841576b60b1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-27 13:59:12 -07:00
Brad Fitzpatrick
b0b0a80318 net/netcheck: implement netcheck for js/wasm clients
And the derper change to add a CORS endpoint for latency measurement.

And a little magicsock change to cut down some log spam on js/wasm.

Updates #3157

Change-Id: I5fd9e6f5098c815116ddc8ac90cbcd0602098a48
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-27 09:59:31 -07:00
Brad Fitzpatrick
505f844a43 cmd/derper, derp/derphttp: add websocket support
Updates #3157

Change-Id: I337a919a3b350bc7bd9af567b49c4d5d6616abdd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-22 12:51:30 -07:00
Maisem Ali
0bf515e780 cmd/tailscale: changes to --advertise-tags should wait for possible
reauth.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-10-20 10:31:40 -04:00
Aaron Klotz
c6ea282b3f utils/winutil utils/winutil/vss: add utility function for extracting data from Windows System Restore Point backups.
utils/winutil/vss contains just enough COM wrapping to query the Volume Shadow Copy service for snapshots.
WalkSnapshotsForLegacyStateDir is the friendlier interface that adds awareness of our actual use case,
mapping the snapshots and locating our legacy state directory.

Updates #3011

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-10-18 15:48:42 -06:00
Joe Tsai
9af27ba829 cmd/cloner: mangle "go:generate" in cloner.go
The "go generate" command blindly looks for "//go:generate" anywhere
in the file regardless of whether it is truly a comment.
Prevent this false positive in cloner.go by mangling the string
to look less like "//go:generate".

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2021-10-16 17:53:43 -07:00
Joe Tsai
2fa004a2a0
cmd/cloner: emit go:generate pragmas (#3082)
Emit a go:generate pragma with the full set of flags passed to cloner.
This allows the user to simply run "go generate" at the location
of the generate file to reproduce the file.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2021-10-14 12:25:55 -07:00
Aaron Klotz
1991a1ac6a net/tstun: update tun_windows for wintun 0.14 API revisions, update wireguard-go dependency to 82d2aa87aa623cb5143a41c3345da4fb875ad85d
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-10-12 16:07:46 -06:00
Maxime VISONNEAU
4528f448d6 ipn/store/aws, cmd/tailscaled: add AWS SSM ipn.StateStore implementation
From https://github.com/tailscale/tailscale/pull/1919 with
edits by bradfitz@.

This change introduces a new storage provider for the state file. It
allows users to leverage AWS SSM parameter store natively within
tailscaled, like:

    $ tailscaled --state=arn:aws:ssm:eu-west-1:123456789:parameter/foo

Known limitations:
- it is not currently possible to specific a custom KMS key ID

RELNOTE=tailscaled on Linux supports using AWS SSM for state

Edits-By: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>
2021-10-12 13:51:13 -07:00
Brad Fitzpatrick
92215065eb cmd/derpprobe: fix fmt bug
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-11 20:27:31 -07:00
Brad Fitzpatrick
13ef8e3c06 cmd/derpprobe: also do UDP STUN probing
Updates #3049

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-11 20:25:14 -07:00
Brad Fitzpatrick
2d11503cff cmd/tailscale: add up --qr to show QR code
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-06 11:13:31 -07:00
Aaron Klotz
df7899759d cmd/tailscaled: set the correct flag for receiving Windows session change events
This feature wasn't working until I realized that we also need to opt into
the events. MSDN wasn't so generous as to make this easy to deduce.

Updates #2956

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-10-06 10:23:55 -06:00
David Crawshaw
cc9cf97cbe cli: web advertise exit node button
A couple of gnarly assumptions in this code, as always with the async
message thing.

UI button is based on the DNS settings in the admin panel.

Co-authored-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-10-06 07:35:43 -07:00
Brad Fitzpatrick
98b3fa78aa cmd/tailscale: let certs/keys be written to stdout, warn about macOS sandbox
Fixes https://twitter.com/SeanHood/status/1443668378468720647

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 12:12:09 -07:00
Brad Fitzpatrick
2d464cecd1 cmd/tailscale: make netcheck work when logged out
Fixes #2993

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 11:42:51 -07:00
Brad Fitzpatrick
f62e6d83a9 cmd/tailscale: make cert subcommand give hints on access denied
Lot of people have been hitting this.

Now it says:

    $ tailscale cert tsdev.corp.ts.net
    Access denied: cert access denied

    Use 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01 10:27:48 -07:00
Brad Fitzpatrick
b10a55e4ed cmd/tailscale/cli: fix typo in cert usage 2021-09-30 21:23:18 -07:00
Brad Fitzpatrick
891e7986cc cmd/tailscale: make cert give hints on usage failure
Like mentioning which cert domain(s) are valid.
2021-09-29 14:35:00 -07:00
Brad Fitzpatrick
3618e8d8ac cmd/tailscaled: rename outbound HTTP proxy flag
The old name invited confusion:

* is this the HTTP proxy to use ourselves? (no, that's
  via an environment variable, per proxy conventions)
* is this for LetsEncrypt https-to-localhost-http
  proxying? (no, that'll come later)

So rename to super verbose --outbound-http-proxy-listen
before the 1.16.0 release to make it clear what it is.
It listens (serves) and it's for outbound, not inbound.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29 11:25:09 -07:00
Brad Fitzpatrick
b822b5c798 cmd/tailscale: let up --authkey be of form file:/path/to/secret
Fixes #2958

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29 09:27:17 -07:00
Aaron Klotz
e016eaf410 cmd/tailscaled: conditionally flush Windows DNS cache on SessionChange
For the service, all we need to do is handle the `svc.SessionChange` command.
Upon receipt of a `windows.WTS_SESSION_UNLOCK` event, we fire off a goroutine to flush the DNS cache.
(Windows expects responses to service requests to be quick, so we don't want to do that synchronously.)

This is gated on an integral registry value named `FlushDNSOnSessionUnlock`,
whose value we obtain during service initialization.

(See [this link](https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nc-winsvc-lphandler_function_ex) for information re: handling `SERVICE_CONTROL_SESSIONCHANGE`.)

Fixes #2956

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-09-29 09:43:22 -06:00
Brad Fitzpatrick
173bbaa1a1 all: disable TCP keep-alives on iOS/Android
Updates #2442
Updates tailscale/corp#2750

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28 12:03:18 -07:00
Brad Fitzpatrick
a7cb241db1 cmd/tailscaled: add support for running an HTTP proxy
This adds support for tailscaled to be an HTTP proxy server.
It shares the same backend dialing code as the SOCK5 server, but the
client protocol is HTTP (including CONNECT), rather than SOCKS.

Fixes #2289

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28 10:57:46 -07:00
Brad Fitzpatrick
56d8c2da34 cmd/tailscaled: set StateDirectoryMode=0700 in tailscaled.service
Updates #2934

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28 09:09:24 -07:00
Brad Fitzpatrick
ec2249b6f2 cmd/tailscale: add debug -env
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-24 13:57:45 -07:00
Brad Fitzpatrick
ace2faf7ec cmd/tailscale: make debug profiling output - mean stdout
Because the macOS CLI runs in the sandbox, including the filesystem,
so users would be confused that -cpu-profile=prof.cpu succeeds but doesn't
write to their current directory, but rather in some random Library/Containers
directory somewhere on the machine (which varies depending on the Mac build
type: App Store vs System Extension)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-23 15:06:53 -07:00
Brad Fitzpatrick
efb84ca60d ipn/localapi, cmd/tailscale: add CPU & memory profile support, debug command
This was already possible on Linux if you ran tailscaled with --debug
(which runs net/http/pprof), but it requires the user have the Go
toolchain around.

Also, it wasn't possible on macOS, as there's no way to run the IPNExtension
with a debug server (it doesn't run tailscaled).

And on Windows it's super tedious: beyond what users want to do or
what we want to explain.

Instead, put it in "tailscale debug" so it works and works the same on
all platforms. Then we can ask users to run it when we're debugging something
and they can email us the output files.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-23 10:01:14 -07:00
Denton Gentry
27bc4e744c cmd/tailscale/web: support TLS from env vars.
pfSense stores its SSL certificate and key in the PHP config.
We wrote PHP code to pull the two out of the PHP config and
into environment variables before running "tailscale web".

The pfSense web UI is served over https, we need "tailscale web"
to also support https in order to put it in an <iframe>.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-09-23 08:15:33 -07:00
Brad Fitzpatrick
9ca334a560 cmd/tailscaled: appease a security scanner
There are two reasons this can't ever go to actual logs,
but rewrite it to make it happy.

Fixes tailscale/corp#2695

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-22 23:23:47 -07:00
David Anderson
18086c4cb7 go.mod: bump github.com/klauspost/compress to 1.13.6
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-09-22 15:11:25 -07:00
Aaron Klotz
9ebb5d4205 ipn, paths: ensure that the state directory for Windows has the correct perms
ProgramData has a permissive ACL. For us to safely store machine-wide
state information, we must set a more restrictive ACL on our state directory.
We set the ACL so that only talescaled's user (ie, LocalSystem) and the
Administrators group may access our directory.

We must include Administrators to ensure that logs continue to be easily
accessible; omitting that group would force users to use special tools to
log in interactively as LocalSystem, which is not ideal.

(Note that the ACL we apply matches the ACL that was used for LocalSystem's
AppData\Local).

There are two cases where we need to reset perms: One is during migration
from the old location to the new. The second case is for clean installations
where we are creating the file store for the first time.

Updates #2856

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-09-22 14:50:00 -06:00