
tailscale's Introduction

Tailscale

https://tailscale.com

Private WireGuard® networks made easy

Overview

This repository contains the majority of Tailscale's open source code. Notably, it includes the tailscaled daemon and the tailscale CLI tool. The tailscaled daemon runs on Linux, Windows, macOS, and to varying degrees on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's code, but this repo doesn't contain the mobile GUI code.

Other Tailscale repos of note:

For background on which parts of Tailscale are open source and why, see https://tailscale.com/opensource/.

Using

We serve packages for a variety of distros and platforms at https://pkgs.tailscale.com.

Other clients

The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers. The GUI wrappers on non-open source platforms are themselves not open source.

Building

We always require the latest Go release, currently Go 1.22. (While we build releases with our Go fork, its use is not required.)

go install tailscale.com/cmd/tailscale{,d}

If you're packaging Tailscale for distribution, use build_dist.sh instead, to burn commit IDs and version info into the binaries:

./build_dist.sh tailscale.com/cmd/tailscale
./build_dist.sh tailscale.com/cmd/tailscaled

If your distro has conventions that preclude the use of build_dist.sh, please do the equivalent of what it does in your distro's way, so that bug reports contain useful version information.

Bugs

Please file any issues about this code or the hosted service on the issue tracker.

Contributing

PRs welcome! But please file bugs. Commit messages should reference bugs.

We require Developer Certificate of Origin Signed-off-by lines in commits.

See git log for our commit message style. It's basically the same as Go's style.

About Us

Tailscale is primarily developed by the people at https://github.com/orgs/tailscale/people. For other contributors, see:

Legal

WireGuard is a registered trademark of Jason A. Donenfeld.

tailscale's People

Contributors

agottardo, andrew-d, apenwarr, awly, bradfitz, catzkorn, clairew, crawshaw, danderson, dblohm7, dentongentry, dependabot[bot], dsnet, irbekrm, josharian, julianknodt, jwhited, knyar, maisem, marwan-at-work, mihaip, oxtoacart, raggi, sailorfrag, shayne, soniaappasamy, tendstofortytwo, twitchyliquid64, valscale, willnorris


tailscale's Issues

Option to force a static UDP source port number

Some firewalls only allow UDP to pass if it is from a known port. We should have a way for clients to be configured to use a predictable port.

It's not clear yet whether this is a network-wide setting, or a client setting.

Improve support for running as a non-root user

Original title: Re-attempt lock down systemd unit configuration more

The tailscaled systemd service configuration is something I whipped up quickly, based on relaynode's config. It runs as root and unconfined on the system. This is too much privilege.

We should run tailscaled as a tailscale system user, with pinhole CAP_* granted to it. Then we can also start screwing down other sandboxing options like ProtectSystem et al.

One prerequisite for this is that we need to use netlink to directly configure the network stack, instead of shelling out to ip and iptables. That way we can do everything with CAP_NET_ADMIN in-process (although possibly ambient capabilities would let us shell out with appropriate privs as well? I can never remember the capability semantics)

--

In the time since this bug, we have added a good number of features that further extend the capabilities that we use, which are often granted by default to root, but not to non-root users.

We can track additional known challenges relating to root dependencies here, with an eye to eventually offering fuller feature support with reduced privileges.
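One way to check that a daemon really runs with the "pinhole" capability set this issue asks for, shown as an added example that is not part of the issue or of Tailscale's code: it parses the Uid, CapPrm and CapEff lines of a /proc/<pid>/status file and reports anything beyond an allow-list. The allow-list of CAP_NET_ADMIN alone follows the issue text; the status excerpts, uid 998 and all function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Capability names indexed by bit number, as defined in linux/capability.h.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
	"CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
	"CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

const capNetAdmin = 12 // bit number of CAP_NET_ADMIN

// Constructed /proc/<pid>/status excerpts; uid 998 stands in for a "tailscale" system user.
const (
	statusRootUnconfined = "Name:\ttailscaled\nUid:\t0\t0\t0\t0\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
	statusPinhole        = "Name:\ttailscaled\nUid:\t998\t998\t998\t998\nCapPrm:\t0000000000001000\nCapEff:\t0000000000001000\n"
	statusTooBroad       = "Name:\ttailscaled\nUid:\t998\t998\t998\t998\nCapPrm:\t0000000000201000\nCapEff:\t0000000000201000\n"
)

type procCaps struct {
	EUID     int
	Prm, Eff uint64
}

// parseStatus extracts the effective uid and the permitted/effective capability masks.
func parseStatus(status string) (procCaps, error) {
	var pc procCaps
	seen := 0
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		key, val, _ := strings.Cut(sc.Text(), ":")
		f := strings.Fields(val)
		var err error
		switch {
		case key == "Uid" && len(f) >= 2:
			pc.EUID, err = strconv.Atoi(f[1]) // fields: real, effective, saved, fs
		case key == "CapPrm" && len(f) == 1:
			pc.Prm, err = strconv.ParseUint(f[0], 16, 64)
		case key == "CapEff" && len(f) == 1:
			pc.Eff, err = strconv.ParseUint(f[0], 16, 64)
		default:
			continue
		}
		if err != nil {
			return pc, fmt.Errorf("%s: %w", key, err)
		}
		seen++
	}
	if seen != 3 {
		return pc, fmt.Errorf("want Uid, CapPrm and CapEff, parsed %d of them", seen)
	}
	return pc, nil
}

// capList names the known capabilities set in mask.
func capList(mask uint64) string {
	var out []string
	for bit, name := range capNames {
		if mask>>uint(bit)&1 == 1 {
			out = append(out, name)
		}
	}
	return strings.Join(out, ",")
}

// audit returns one finding per deviation from "non-root, allow-listed capabilities only".
func audit(pc procCaps, allowed uint64) []string {
	var findings []string
	if pc.EUID == 0 {
		findings = append(findings, "runs with effective uid 0")
	}
	if excess := (pc.Prm | pc.Eff) &^ allowed; excess != 0 {
		findings = append(findings, fmt.Sprintf("capabilities beyond the allow-list (mask %#x): %s", excess, capList(excess)))
	}
	return findings
}

func main() {
	allowed := uint64(1) << capNetAdmin // assumption: only CAP_NET_ADMIN is needed
	for _, s := range []string{statusRootUnconfined, statusPinhole, statusTooBroad} {
		pc, err := parseStatus(s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("euid=%d eff=%#x findings=%q\n", pc.EUID, pc.Eff, audit(pc, allowed))
	}
}
```

On a live host the same functions can be fed the contents of /proc/<pid>/status for the running daemon.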

tailscale.deb does not print a note about how to start the service

I ran:

sudo dpkg -i ./out/x86_64-linux/packages/tailscale.deb

...on Ubuntu. It installed everything, but did not print the systemd magic commands to install and start the service, as many other packages do. (You probably don't forget them as much as I do, the pointers are really helpful for me.)

Can't log in with a plain email address, need GSuite or Office365

Installed the linux client on the latest linux mint but it won't get past waiting for URL visit:

AuthURL is https://login2.tails...
sendStatus: authRoutine3: state:url-visit-required
To authenticate, visit:

        https://login2.tailscale.io/a/...

authRoutine: state:url-visit-required
direct.WaitLoginURL
doLogin(regen=false, hasUrl=true)
RegisterReq: onode=[empty] node=[wJVU…+tjE] fup=true

Tried in both Firefox and Chromium but same result.

meta: run Windows tests on actual Windows VMs

We don't currently run the GitHub actions on Windows VMs. We currently just cross-compile things.

But GitHub doesn't charge extra for Windows (like they do for macOS), so just use Windows and then actually run the tests.

panic when starting the relay node

I compiled the relaynode from source and when I try to start it I get a panic:

sudo /usr/sbin/relaynode --config=/var/lib/tailscale/relay.conf --tun=wg0 --port=41641 --acl-file=/etc/tailscale/acl.json                                                                                                                                                          :(
logtail started
Program starting: vLONGVER-TODO: []string{"/usr/sbin/relaynode", "--config=/var/lib/tailscale/relay.conf", "--tun=wg0", "--port=41641", "--acl-file=/etc/tailscale/acl.json"}
LogID: 560f0c00b49bd7c56b4018db6d3cb0d1760aaf3f0de6e3a3adede46b3701f4a3
7.0M/9.9M Starting userspace wireguard engine.
15.1M/10.2M external packet routing via --tun=wg0 enabled
15.5M/11.7M CreateTUN ok.
15.6M/11.9M Routine: event worker - started
15.6M/11.9M Interface set up
15.7M/11.9M UDP bind has been updated
15.8M/11.9M external route MTU: 1420 (<nil>)
15.8M/11.9M external route MTU: 1420 (<nil>)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x89581f]

goroutine 1 [running]:
tailscale.com/wgengine.(*linuxRouter).SetRoutes(0xc0007c03c0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /home/rkaufmann/go/src/tailscale.com/wgengine/router_linux.go:114 +0x9f
tailscale.com/wgengine.NewUserspaceEngineAdvanced(0xc00018e040, 0xa6f640, 0xc0007a2120, 0x9cc650, 0xa2a9, 0x0, 0x0, 0x10, 0x92d460)
        /home/rkaufmann/go/src/tailscale.com/wgengine/userspace.go:186 +0x68e
tailscale.com/wgengine.NewUserspaceEngine(0xc00018e040, 0x7ffdd13f075e, 0x3, 0xa2a9, 0xc000182180, 0x0, 0xc00021fcb0, 0x1)
        /home/rkaufmann/go/src/tailscale.com/wgengine/userspace.go:75 +0x288
main.main()
        /home/rkaufmann/go/src/tailscale.com/cmd/relaynode/relaynode.go:80 +0x1897

DERP test sometimes deadlocks

About 1 in 3 runs of go test -count=1000 -timeout=30s deadlocks and times out. Other runs complete the 1000 passes in ~3s.

panic: test timed out after 30s

goroutine 782 [running]:
testing.(*M).startAlarm.func1()
	/usr/lib/go/src/testing/testing.go:1377 +0xdf
created by time.goFunc
	/usr/lib/go/src/time/sleep.go:168 +0x44

goroutine 1 [chan receive]:
testing.(*T).Run(0xc0001aa700, 0x5f7c9a, 0xc, 0x602468, 0x47df06)
	/usr/lib/go/src/testing/testing.go:961 +0x377
testing.runTests.func1(0xc0001aa600)
	/usr/lib/go/src/testing/testing.go:1202 +0x78
testing.tRunner(0xc0001aa600, 0xc000058dc0)
	/usr/lib/go/src/testing/testing.go:909 +0xc9
testing.runTests(0xc0000b00a0, 0x750f70, 0x1, 0x1, 0x0)
	/usr/lib/go/src/testing/testing.go:1200 +0x2a7
testing.(*M).Run(0xc0000cc000, 0x0)
	/usr/lib/go/src/testing/testing.go:1117 +0x176
main.main()
	_testmain.go:44 +0x135

goroutine 753 [IO wait]:
internal/poll.runtime_pollWait(0x7f08f459f438, 0x72, 0xffffffffffffffff)
	/usr/lib/go/src/runtime/netpoll.go:184 +0x55
internal/poll.(*pollDesc).wait(0xc0004ccf18, 0x72, 0x1000, 0x1000, 0xffffffffffffffff)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:87 +0x45
internal/poll.(*pollDesc).waitRead(...)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:92
internal/poll.(*FD).Read(0xc0004ccf00, 0xc00039c000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/internal/poll/fd_unix.go:169 +0x1cf
net.(*netFD).Read(0xc0004ccf00, 0xc00039c000, 0x1000, 0x1000, 0x77314b86295c5, 0x31de88a8f7a83, 0x825decee2a01)
	/usr/lib/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc000306088, 0xc00039c000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/net/net.go:184 +0x68
bufio.(*Reader).Read(0xc000354e40, 0xc00001e870, 0x4, 0x4, 0xc0000ed998, 0x445d8c, 0x10)
	/usr/lib/go/src/bufio/bufio.go:226 +0x26a
io.ReadAtLeast(0x62ef20, 0xc000354e40, 0xc00001e870, 0x4, 0x4, 0x4, 0xa0, 0x98, 0x5e0b40)
	/usr/lib/go/src/io/io.go:310 +0x87
io.ReadFull(...)
	/usr/lib/go/src/io/io.go:329
tailscale.com/derp.readUint32(0x62ef20, 0xc000354e40, 0xffffffff, 0x44261b530dd35, 0xc0000eda90, 0x582dfa)
	/home/dave/tail/corp/oss/derp/derp.go:92 +0x8b
tailscale.com/derp.(*Client).recvServerKey(0xc0000ca460, 0xc0000ca460, 0x47cd4edbb5cfdde4)
	/home/dave/tail/corp/oss/derp/derp_client.go:57 +0x47
tailscale.com/derp.NewClient(0xf351173c4620dba1, 0xb6fd75af9c2a49e4, 0x47cd4edbb5cfdde4, 0xc79436433359349, 0x6329a0, 0xc000306088, 0xc0000ede50, 0xc0000604a0, 0xc0002225a0, 0x0, ...)
	/home/dave/tail/corp/oss/derp/derp_client.go:42 +0x112
tailscale.com/derp.TestSendRecv(0xc0001aa700)
	/home/dave/tail/corp/oss/derp/derp_test.go:67 +0xef5
testing.tRunner(0xc0001aa700, 0x602468)
	/usr/lib/go/src/testing/testing.go:909 +0xc9
created by testing.(*T).Run
	/usr/lib/go/src/testing/testing.go:960 +0x350

goroutine 778 [IO wait]:
internal/poll.runtime_pollWait(0x7f08f459f5d8, 0x72, 0xffffffffffffffff)
	/usr/lib/go/src/runtime/netpoll.go:184 +0x55
internal/poll.(*pollDesc).wait(0xc0004cd098, 0x72, 0x1000, 0x1000, 0xffffffffffffffff)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:87 +0x45
internal/poll.(*pollDesc).waitRead(...)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:92
internal/poll.(*FD).Read(0xc0004cd080, 0xc000360000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/internal/poll/fd_unix.go:169 +0x1cf
net.(*netFD).Read(0xc0004cd080, 0xc000360000, 0x1000, 0x1000, 0x8, 0xc00034e188, 0xc000029750)
	/usr/lib/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc0003060a0, 0xc000360000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/net/net.go:184 +0x68
bufio.(*Reader).fill(0xc000029500)
	/usr/lib/go/src/bufio/bufio.go:100 +0x103
bufio.(*Reader).ReadByte(0xc000029500, 0x10, 0xc00012a850, 0xc000029428)
	/usr/lib/go/src/bufio/bufio.go:252 +0x39
tailscale.com/derp.readType(0xc000029500, 0xc0000ff403, 0x5c19a0, 0x1c6834c46b8cb701)
	/home/dave/tail/corp/oss/derp/derp.go:73 +0x2f
tailscale.com/derp.(*Server).recvPacket(0xc0000293e0, 0xc000029500, 0xc0000293e0, 0x631700, 0xc000012a40, 0xc000029740, 0x0, 0x0, 0x0, 0x76, ...)
	/home/dave/tail/corp/oss/derp/derp_server.go:285 +0x4e
tailscale.com/derp.(*Server).accept(0xc0000293e0, 0x6329a0, 0xc0003060a0, 0xc00012a7d0, 0x0, 0x0)
	/home/dave/tail/corp/oss/derp/derp_server.go:161 +0x564
tailscale.com/derp.(*Server).Accept(0xc0000293e0, 0x6329a0, 0xc0003060a0, 0xc00012a7d0)
	/home/dave/tail/corp/oss/derp/derp_server.go:90 +0x18b
created by tailscale.com/derp.TestSendRecv
	/home/dave/tail/corp/oss/derp/derp_test.go:57 +0x7c9

goroutine 776 [IO wait]:
internal/poll.runtime_pollWait(0x7f08f459fab8, 0x72, 0xffffffffffffffff)
	/usr/lib/go/src/runtime/netpoll.go:184 +0x55
internal/poll.(*pollDesc).wait(0xc0004ccf98, 0x72, 0x1000, 0x1000, 0xffffffffffffffff)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:87 +0x45
internal/poll.(*pollDesc).waitRead(...)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:92
internal/poll.(*FD).Read(0xc0004ccf80, 0xc00035c000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/internal/poll/fd_unix.go:169 +0x1cf
net.(*netFD).Read(0xc0004ccf80, 0xc00035c000, 0x1000, 0x1000, 0x8, 0xc00034e168, 0xc000029630)
	/usr/lib/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc000306090, 0xc00035c000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/net/net.go:184 +0x68
bufio.(*Reader).fill(0xc000029440)
	/usr/lib/go/src/bufio/bufio.go:100 +0x103
bufio.(*Reader).ReadByte(0xc000029440, 0x10, 0xc00012a810, 0xc000029428)
	/usr/lib/go/src/bufio/bufio.go:252 +0x39
tailscale.com/derp.readType(0xc000029440, 0xc0000ff203, 0x5c19a0, 0x1c6834c46b8cb701)
	/home/dave/tail/corp/oss/derp/derp.go:73 +0x2f
tailscale.com/derp.(*Server).recvPacket(0xc0000293e0, 0xc000029440, 0xc0000293e0, 0x631700, 0xc0000129c0, 0xc000029620, 0x0, 0x0, 0x0, 0x0, ...)
	/home/dave/tail/corp/oss/derp/derp_server.go:285 +0x4e
tailscale.com/derp.(*Server).accept(0xc0000293e0, 0x6329a0, 0xc000306090, 0xc00012a7b0, 0x0, 0x0)
	/home/dave/tail/corp/oss/derp/derp_server.go:161 +0x564
tailscale.com/derp.(*Server).Accept(0xc0000293e0, 0x6329a0, 0xc000306090, 0xc00012a7b0)
	/home/dave/tail/corp/oss/derp/derp_server.go:90 +0x18b
created by tailscale.com/derp.TestSendRecv
	/home/dave/tail/corp/oss/derp/derp_test.go:57 +0x7c9

goroutine 780 [IO wait]:
internal/poll.runtime_pollWait(0x7f08f4623a88, 0x72, 0xffffffffffffffff)
	/usr/lib/go/src/runtime/netpoll.go:184 +0x55
internal/poll.(*pollDesc).wait(0xc0004ccd18, 0x72, 0x1000, 0x1000, 0xffffffffffffffff)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:87 +0x45
internal/poll.(*pollDesc).waitRead(...)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:92
internal/poll.(*FD).Read(0xc0004ccd00, 0xc000362000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/internal/poll/fd_unix.go:169 +0x1cf
net.(*netFD).Read(0xc0004ccd00, 0xc000362000, 0x1000, 0x1000, 0x18, 0xc00016b5c0, 0x483ea7)
	/usr/lib/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc000306078, 0xc000362000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/net/net.go:184 +0x68
bufio.(*Reader).fill(0xc0000295c0)
	/usr/lib/go/src/bufio/bufio.go:100 +0x103
bufio.(*Reader).ReadByte(0xc0000295c0, 0xbf8bd7412899df3f, 0x1c0685c47d, 0x759860)
	/usr/lib/go/src/bufio/bufio.go:252 +0x39
tailscale.com/derp.(*Client).Recv(0xc000222500, 0xc0003f0000, 0x10000, 0x10000, 0x0, 0x0, 0x0)
	/home/dave/tail/corp/oss/derp/derp_client.go:166 +0x10d
tailscale.com/derp.TestSendRecv.func1(0xc000222500, 0xc000029560, 0xc0000b0c80, 0x0)
	/home/dave/tail/corp/oss/derp/derp_test.go:77 +0x93
created by tailscale.com/derp.TestSendRecv
	/home/dave/tail/corp/oss/derp/derp_test.go:74 +0xc83

goroutine 758 [IO wait]:
internal/poll.runtime_pollWait(0x7f08f4623268, 0x72, 0xffffffffffffffff)
	/usr/lib/go/src/runtime/netpoll.go:184 +0x55
internal/poll.(*pollDesc).wait(0xc0004cce18, 0x72, 0x1000, 0x1000, 0xffffffffffffffff)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:87 +0x45
internal/poll.(*pollDesc).waitRead(...)
	/usr/lib/go/src/internal/poll/fd_poll_runtime.go:92
internal/poll.(*FD).Read(0xc0004cce00, 0xc00039a000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/internal/poll/fd_unix.go:169 +0x1cf
net.(*netFD).Read(0xc0004cce00, 0xc00039a000, 0x1000, 0x1000, 0x18, 0xc0001685c0, 0x483ea7)
	/usr/lib/go/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc000306080, 0xc00039a000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
	/usr/lib/go/src/net/net.go:184 +0x68
bufio.(*Reader).fill(0xc0000296e0)
	/usr/lib/go/src/bufio/bufio.go:100 +0x103
bufio.(*Reader).ReadByte(0xc0000296e0, 0xbf8bd74128b4162b, 0x1c069ffbd7, 0x759860)
	/usr/lib/go/src/bufio/bufio.go:252 +0x39
tailscale.com/derp.(*Client).Recv(0xc0002225a0, 0xc000400000, 0x10000, 0x10000, 0x0, 0x0, 0x0)
	/home/dave/tail/corp/oss/derp/derp_client.go:166 +0x10d
tailscale.com/derp.TestSendRecv.func1(0xc0002225a0, 0xc000029560, 0xc0000b0c80, 0x1)
	/home/dave/tail/corp/oss/derp/derp_test.go:77 +0x93
created by tailscale.com/derp.TestSendRecv
	/home/dave/tail/corp/oss/derp/derp_test.go:74 +0xc83

goroutine 779 [select]:
tailscale.com/derp.(*sclient).keepAliveLoop(0xc000029620, 0x631700, 0xc0000129c0, 0x0, 0x0)
	/home/dave/tail/corp/oss/derp/derp_server.go:328 +0x208
tailscale.com/derp.(*Server).sendClientKeepAlives(0xc0000293e0, 0x631700, 0xc0000129c0, 0xc000029620)
	/home/dave/tail/corp/oss/derp/derp_server.go:194 +0x46
created by tailscale.com/derp.(*Server).accept
	/home/dave/tail/corp/oss/derp/derp_server.go:158 +0x52c

goroutine 781 [select]:
tailscale.com/derp.(*sclient).keepAliveLoop(0xc000029740, 0x631700, 0xc000012a40, 0x0, 0x0)
	/home/dave/tail/corp/oss/derp/derp_server.go:328 +0x208
tailscale.com/derp.(*Server).sendClientKeepAlives(0xc0000293e0, 0x631700, 0xc000012a40, 0xc000029740)
	/home/dave/tail/corp/oss/derp/derp_server.go:194 +0x46
created by tailscale.com/derp.(*Server).accept
	/home/dave/tail/corp/oss/derp/derp_server.go:158 +0x52c
FAIL	tailscale.com/derp	30.006s
FAIL

`relaynode` failing to start on FreeBSD (FreeNAS)

Describe the bug
Following @danderson's instructions on getting tailscale working on FreeNAS, I built relaynode and taillogin with e.g. GOOS=freebsd go build ./cmd/relaynode. I then copied it over to my FreeNAS machine. I then ran:

> ./taillogin -f ./relay.conf
2020/02/16 00:41:07 logpolicy.Read ./relay.conf.log.conf: open ./relay.conf.log.
conf: no such file or directory                                  
logtail started                                                    
Program starting: vLONGVER-TODO: []string{"./taillogin", "-f", "./relay.conf"}
...
AuthURL is https://login2.tails...                                      
To authenticate, visit:                                            
                                                             
        https://login2.tailscale.io/a/8d4bd10b056                               
                                                                       
direct.WaitLoginURL                                                    
doLogin(regen=false, hasUrl=true)                                      
RegisterReq: onode=[empty] node=[pub:…skWv] fup=true              
RegisterReq: returned.                                       
No AuthURL                                                   
PollNetMap: stream=-1 :0 []                                   
Success.                                                               
flushing log.                                                             
logger closing down                    

To Reproduce
Steps to reproduce the behavior:

  1. Run sudo ./relaynode --config=./relay.conf:
logtail started                                 
Program starting: vLONGVER-TODO: []string{"./relaynode", "--config=./relay.conf"}                          
LogID: f256ef7e33aa2d5fea1fd91146fef184d5541ce13249eee32e0038294f0d37a8
20.2M/10.1M Starting userspace wireguard engine.
20.3M/10.1M external packet routing via --tun=wg0 enabled
20.6M/10.1M CreateTUN ok.       
magicsock: bind: trying :0            
21.1M/10.1M Routine: event worker - started            
21.5M/10.1M UDP bind has been updated
21.3M/10.1M Interface set up
21.3M/10.1M wgengine: nil filter provided; no access restrictions.
Hostinfo: {LONGVER-TODO f256ef7e33aa2d5fea1fd91146fef184d5541ce13249eee32e003829
4f0d37a8 f256ef7e33aa2d5fea1fd91146fef184d5541ce13249eee32e0038294f0d37a8 freebs
d frednas.local [] []}             
direct.TryLogin(false, 0)                              
doLogin(regen=false, hasUrl=false)
STUN server stun.l.google.com:19302 reports public endpoint 73.222.29.208:17361
magicsock: found local 73.222.29.208:17361 (stun)
STUN server stun3.l.google.com:19302 reports public endpoint 73.222.29.208:17361
magicsock: found local 73.222.29.208:17361 (stun)
stunner: slow STUN response from stun3.l.google.com:19302: 1 retries
magicsock: found local 10.0.0.3:17361 (localAddresses)
27.5M/20.1M vLONGVER-TODO peers:
client.newEndpoints(0, [73.222.29.208:17361 10.0.0.3:17361])
RegisterReq: onode=[empty] node=[pub:…skWv] fup=false
RegisterReq: returned.
No AuthURL
PollNetMap: stream=-1 :0 [73.222.29.208:17361 10.0.0.3:17361]
51.9M/23.8M Reconfig(): configuring userspace wireguard engine.
52.0M/23.8M [tz/c…5Ugk] - Starting...
...
52.3M/23.8M Reconfiguring router. la=100.122.239.32/10 dns=[] dom=[]
52.3M/23.8M New routes: 100.122.239.32/10 [] [] [[100.121.82.10/32] [100.77.135.
88/32] [100.99.30.120/32] [100.78.184.30/32]]    
52.3M/23.8M addr add failed: [ifconfig wg0 inet 100.122.239.32/10 alias]: exit s
tatus 1                                               
ifconfig: ioctl (SIOCAIFADDR): Destination address required
52.3M/23.8M route add failed: [route -q -n add -inet 100.122.239.32/10 -iface 10
0.122.239.32]: exit status 65                        
route: interface '100.122.239.32' does not exist
52.3M/23.8M addr add failed: [route -q -n add -inet 100.77.135.88/32 -iface 100.
122.239.32]: exit status 65                                  
route: interface '100.122.239.32' does not exist               
52.3M/23.9M addr add failed: [route -q -n add -inet 100.99.30.120/32 -iface 100.
122.239.32]: exit status 65                                                    
route: interface '100.122.239.32' does not exist
52.3M/23.9M addr add failed: [route -q -n add -inet 100.78.184.30/32 -iface 100.
122.239.32]: exit status 65          
route: interface '100.122.239.32' does not exist                                
52.3M/23.9M addr add failed: [route -q -n add -inet 100.121.82.10/32 -iface 100.
122.239.32]: exit status 65          
route: interface '100.122.239.32' does not exist                                
52.3M/23.9M Reconfig() done.
Error reconfiguring engine: exit status 1      

Expected behavior
relaynode sets up the routes on wg0 successfully.

Version information:

> uname -a
FreeBSD frednas.local 11.2-STABLE FreeBSD 11.2-STABLE #0 r325575+c9231c7d6bd(HEAD): Mon Nov 18 22:46:47 UTC 2019     root@nemesis:/freenas-releng/freenas/_BE/objs/freenas-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64

Cross-compiled from Linux at 9dbc52bb5bd4284706a86f13e3774efdd6af56a1

panic: Tried to generate emptyPrivateKey.Public()

Describe the bug
After running for a short-ish while (overnight), tailscaled crashed with a panic this morning:

panic: Tried to generate emptyPrivateKey.Public()

I don't think there was significant traffic - if any just background traffic as I was asleep.

I'm not really sure what other information you need to debug. Happy to answer questions.

To Reproduce
Don't know yet at this point.

Expected behavior
Not to panic :-)

Screenshots
If applicable, add screenshots to help explain your problem.

Version information:

  • Device: Server, amd64
  • OS: FreeBSD
  • OS version: 12.1-RELEASE-p2
  • Tailscale version: git c47f907

[simon@fsrv0:tailscale] git rev-parse HEAD
c47f907

(Not experienced git user, so I hope this identifies the version. I cloned repo last evening 2020-02-20)

Additional context
Had been started with:
~simon/go/bin/tailscaled --state /var/db/tailscaled.state

Terminal output:

91.1M/59.6M netmap packet filter: [=>:*]
91.1M/59.6M Configuring wireguard connection.
91.1M/59.6M reconfig: ra=false dns=true 0x01
91.1M/59.6M Reconfig(): configuring userspace wireguard engine.
91.1M/59.6M ...unchanged config, skipping.
91.1M/59.6M SetPrefs: Prefs{ra=false mesh=true dns=true want=true notepad=false pf=true routes=[] Persist{m=[pub:_/iWz], o=[empty], n=[pub:_0koN] u="REDACTED"}}
91.1M/59.6M Switching ipn state Running -> NeedsLogin (WantRunning=true)
91.1M/59.6M blockEngineUpdates(true)
91.1M/59.6M Reconfig(): configuring userspace wireguard engine.
91.1M/59.6M [nCr2_ciUA] - Stopping...
91.1M/59.6M [EDlz_xXjU] - Stopping...
91.1M/59.6M [I2nU_mekE] - Stopping...
panic: Tried to generate emptyPrivateKey.Public()

goroutine 1306 [running]:
github.com/tailscale/wireguard-go/wgcfg.(*PrivateKey).Public(0xc0019e54f8, 0x0, 0x0, 0x0, 0x0)
/home/simon/go/pkg/mod/github.com/tailscale/[email protected]/wgcfg/key.go:158 +0x12b
github.com/tailscale/wireguard-go/device.(*Device).SetPrivateKey(0xc0000ce580, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/home/simon/go/pkg/mod/github.com/tailscale/[email protected]/device/device.go:269 +0x3c3
github.com/tailscale/wireguard-go/device.(*Device).Reconfig(0xc0000ce580, 0xc00010eb00, 0x0, 0x0)
/home/simon/go/pkg/mod/github.com/tailscale/[email protected]/device/config.go:82 +0xd14
tailscale.com/wgengine.(*userspaceEngine).Reconfig(0xc000172000, 0xc00010eb00, 0x0, 0x0, 0x0, 0x0, 0x0)
/home/simon/src/tailscale/wgengine/userspace.go:234 +0x2f5
tailscale.com/wgengine.(*watchdogEngine).Reconfig.func1(0x80420a768, 0xc00019fe00)
/home/simon/src/tailscale/wgengine/watchdog.go:64 +0x56
tailscale.com/wgengine.(*watchdogEngine).watchdogErr.func1(0xc00016c1e0, 0xc0005bcba0)
/home/simon/src/tailscale/wgengine/watchdog.go:40 +0x27
created by tailscale.com/wgengine.(*watchdogEngine).watchdogErr
/home/simon/src/tailscale/wgengine/watchdog.go:39 +0x77

do STUN lookup periodically

Copying bug from @apenwarr elsewhere:

STUN should re-run sometimes, not just at startup time, in case local IP address or NAT changes.

This matters on Linux especially because the local network might not be up at boot time.

We just had a bug report from a user whose ISP gives them a new IP pretty regularly and they had to manually restart the tailscale service for it to unbreak after those ISP changes.

/cc @danderson

wireguard-go/wgcfg: write good implementation of CIDR.Contains

(Using tailscale/tailscale's bug tracker instead of wireguard-go's)

I saw this code in https://github.com/tailscale/wireguard-go/blob/master/wgcfg/ip.go#L109 ....

func (r *CIDR) Contains(ip *IP) bool {
	if r == nil || ip == nil {
		return false
	}
	// TODO: this isn't hard, write a more efficient implementation.
	return r.IPNet().Contains(ip.IP())
}

This bug is for that TODO. The current version allocates and does a lot of work.

Then again, I don't see anything calling it, so low priority.
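A sketch of what the TODO above asks for, added here as an example and not taken from wireguard-go: a prefix match that compares bytes in place instead of building a net.IPNet. The IP and CIDR types are stand-ins assumed for the example (16-byte address with IPv4 in IPv4-mapped form, prefix length counted over all 128 bits), and mustIP/mustCIDR are hypothetical helpers used only to build test data.

```go
package main

import (
	"fmt"
	"net"
)

// IP and CIDR are assumed shapes for this example, not copied from wgcfg.
type IP struct{ Addr [16]byte }

type CIDR struct {
	IP   IP
	Mask uint8 // prefix length in bits over the 16-byte form, 0..128
}

// Contains reports whether ip lies inside r. It compares whole bytes first and
// then the remaining high bits of the next byte, and never allocates.
// Host bits set in r.IP are ignored, so an unnormalised prefix still matches.
func (r *CIDR) Contains(ip *IP) bool {
	if r == nil || ip == nil || r.Mask > 128 {
		return false
	}
	full := int(r.Mask / 8)
	for i := 0; i < full; i++ {
		if r.IP.Addr[i] != ip.Addr[i] {
			return false
		}
	}
	if rem := r.Mask % 8; rem != 0 {
		m := byte(0xff) << (8 - rem) // keep only the top rem bits
		return (r.IP.Addr[full]^ip.Addr[full])&m == 0
	}
	return true
}

// mustIP parses a textual address into the 16-byte form (setup only, may allocate).
func mustIP(s string) IP {
	var ip IP
	p := net.ParseIP(s)
	if p == nil {
		panic("bad IP: " + s)
	}
	copy(ip.Addr[:], p.To16())
	return ip
}

// mustCIDR parses a textual prefix. An IPv4 /n becomes /(96+n) over the
// IPv4-mapped range, so an IPv4 prefix never matches a native IPv6 address.
func mustCIDR(s string) CIDR {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	ones, bits := n.Mask.Size()
	c := CIDR{Mask: uint8(ones + 128 - bits)}
	copy(c.IP.Addr[:], n.IP.To16())
	return c
}

func main() {
	// Addresses as they appear in the FreeBSD issue log on this page.
	tailnet := mustCIDR("100.122.239.32/10")
	for _, s := range []string{"100.77.135.88", "100.128.0.1", "2001:db8::1"} {
		ip := mustIP(s)
		fmt.Printf("%-15s in 100.64.0.0/10: %v\n", s, tailnet.Contains(&ip))
	}
}
```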

cmd/tailscaled: data races

I built & ran tailscaled with the race detector:

2020/02/28 07:51:13 7.0M/78.3M external packet routing via --tun=tailscale0 enabled
2020/02/28 07:51:13 15.2M/78.8M CreateTUN ok.
2020/02/28 07:51:13 magicsock: bind: trying :0
2020/02/28 07:51:13 16.1M/82.2M Routine: event worker - started
==================
WARNING: DATA RACE
Write at 0x00c00007e3d0 by main goroutine:
  github.com/tailscale/wireguard-go/tun.(*NativeTun).Name()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/tun/tun_linux.go:302 +0x48a
  tailscale.com/wgengine.newUserspaceRouter()
      /home/bradfitz/src/tailscale.com/wgengine/router_linux.go:32 +0x45
  tailscale.com/wgengine.newUserspaceEngineAdvanced()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:190 +0xbf6
  tailscale.com/wgengine.NewUserspaceEngine()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:96 +0x2f0
  main.main()
      /home/bradfitz/src/tailscale.com/cmd/tailscaled/tailscaled.go:72 +0xbfd

Previous read at 0x00c00007e3d0 by goroutine 49:
  github.com/tailscale/wireguard-go/tun.(*NativeTun).MTU()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/tun/tun_linux.go:262 +0xfb
  github.com/tailscale/wireguard-go/device.(*Device).RoutineTUNEventReader()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/tun.go:27 +0x353

Goroutine 49 (running) created at:
  github.com/tailscale/wireguard-go/device.NewDevice()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/device.go:410 +0x62d
  tailscale.com/wgengine.newUserspaceEngineAdvanced()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:183 +0xaea
  tailscale.com/wgengine.NewUserspaceEngine()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:96 +0x2f0
  main.main()
      /home/bradfitz/src/tailscale.com/cmd/tailscaled/tailscaled.go:72 +0xbfd
==================
2020/02/28 07:51:13 16.3M/82.4M UDP bind has been updated
2020/02/28 07:51:13 16.4M/82.4M Interface set up
2020/02/28 07:51:13 16.4M/82.4M external route MTU: 1420 (<nil>)
2020/02/28 07:51:13 16.4M/82.4M Listening on tailscaled.sock



2020/02/28 07:51:13 21.7M/95.8M control: authRoutine: state:new
2020/02/28 07:51:13 21.7M/95.8M control: mapRoutine: state:new
==================
WARNING: DATA RACE
Write at 0x00c000140148 by goroutine 99:
  tailscale.com/wgengine.(*userspaceEngine).SetStatusCallback()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:419 +0x43
  tailscale.com/wgengine.(*watchdogEngine).SetStatusCallback.func1()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:70 +0x71
  tailscale.com/wgengine.(*watchdogEngine).watchdog.func1()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:58 +0x3d
  tailscale.com/wgengine.(*watchdogEngine).watchdogErr.func1()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:40 +0x34

Previous read at 0x00c000140148 by goroutine 26:
  tailscale.com/wgengine.(*userspaceEngine).RequestStatus()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:546 +0xf5
  tailscale.com/wgengine.newUserspaceEngineAdvanced.func2()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:119 +0x13a
  tailscale.com/wgengine/magicsock.(*Conn).epUpdate.func1()
      /home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:208 +0x2ea

Goroutine 99 (running) created at:
  tailscale.com/wgengine.(*watchdogEngine).watchdogErr()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:39 +0x87
  tailscale.com/wgengine.(*watchdogEngine).watchdog()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:57 +0xb0
  tailscale.com/wgengine.(*watchdogEngine).SetStatusCallback()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:70 +0xde
  tailscale.com/ipn.(*LocalBackend).Start()
      /home/bradfitz/src/tailscale.com/ipn/local.go:253 +0xa86
  tailscale.com/ipn.(*BackendServer).GotCommand()
      /home/bradfitz/src/tailscale.com/ipn/message.go:105 +0x575
  tailscale.com/ipn/ipnserver.Run()
      /home/bradfitz/src/tailscale.com/ipn/ipnserver/server.go:127 +0xe1a
  main.main()
      /home/bradfitz/src/tailscale.com/cmd/tailscaled/tailscaled.go:86 +0x985

Goroutine 26 (finished) created at:
  tailscale.com/wgengine/magicsock.(*Conn).epUpdate()
      /home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:195 +0x110
==================
2020/02/28 07:51:13 21.7M/95.9M Backend: logs: be:d8110230555bdb199b48ca6ca71c3802b758e9373cd104d785b8e5c2d1eb8d27 fe:
2020/02/28 07:51:13 21.8M/96.1M control: client.Login(false, 0)
2020/02/28 07:51:13 21.8M/96.1M control: authRoutine: context done.


2020/02/28 07:51:14 48.3M/120.9M [z6DZ…Mo3g] - Starting...
2020/02/28 07:51:14 magicsock: CreateEndpoint: key=[pub:…ZXWj]: 127.3.3.40:1,64.137.139.195:61988,192.0.0.1:61988,10.88.111.5:61988
2020/02/28 07:51:14 [0xc00011e150] derphttp.Client.Send: connecting
==================
WARNING: DATA RACE
Write at 0x00c0001940db by goroutine 25:
  tailscale.com/wgengine.(*userspaceEngine).Reconfig()
      /home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:743 +0x768
  tailscale.com/wgengine.(*watchdogEngine).Reconfig.func1()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:64 +0x95
  tailscale.com/wgengine.(*watchdogEngine).watchdogErr.func1()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:40 +0x34

Previous read at 0x00c0001940db by goroutine 161:
  tailscale.com/wgengine/magicsock.(*Conn).derpWriteChanOfAddr()
      /home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:535 +0x2ad
  tailscale.com/wgengine/magicsock.(*Conn).sendAddr()
      /home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:491 +0x60
  tailscale.com/wgengine/magicsock.(*Conn).Send()
      /home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:467 +0x388
  github.com/tailscale/wireguard-go/device.(*Peer).SendBuffer()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/peer.go:179 +0x29a
  github.com/tailscale/wireguard-go/device.(*Peer).SendHandshakeInitiation()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:169 +0x552
  github.com/tailscale/wireguard-go/device.(*Peer).RoutineNonce()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:475 +0x296

Goroutine 25 (running) created at:
  tailscale.com/wgengine.(*watchdogEngine).watchdogErr()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:39 +0x87
  tailscale.com/wgengine.(*watchdogEngine).Reconfig()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:64 +0x126
  tailscale.com/ipn.(*LocalBackend).authReconfig()
      /home/bradfitz/src/tailscale.com/ipn/local.go:622 +0x56b
  tailscale.com/ipn.(*LocalBackend).SetPrefs()
      /home/bradfitz/src/tailscale.com/ipn/local.go:551 +0x4f3
  tailscale.com/ipn.(*LocalBackend).Start.func1()
      /home/bradfitz/src/tailscale.com/ipn/local.go:248 +0x16f
  tailscale.com/control/controlclient.(*Client).sendStatus()
      /home/bradfitz/src/tailscale.com/control/controlclient/auto.go:538 +0x471
  tailscale.com/control/controlclient.(*Client).mapRoutine.func2()
      /home/bradfitz/src/tailscale.com/control/controlclient/auto.go:457 +0x338
  tailscale.com/control/controlclient.(*Direct).PollNetMap()
      /home/bradfitz/src/tailscale.com/control/controlclient/direct.go:572 +0x1b1a
  tailscale.com/control/controlclient.(*Client).mapRoutine()
      /home/bradfitz/src/tailscale.com/control/controlclient/auto.go:428 +0x3a6

Goroutine 161 (running) created at:
  github.com/tailscale/wireguard-go/device.(*Peer).Start()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/peer.go:239 +0x4cf
  github.com/tailscale/wireguard-go/device.(*Device).NewPeer()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/peer.go:139 +0x834
  github.com/tailscale/wireguard-go/device.(*Device).Reconfig()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/config.go:102 +0xeb8
  tailscale.com/wgengine.(*userspaceEngine).Reconfig()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:328 +0x598
  tailscale.com/wgengine.(*watchdogEngine).Reconfig.func1()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:64 +0x95
  tailscale.com/wgengine.(*watchdogEngine).watchdogErr.func1()
      /home/bradfitz/src/tailscale.com/wgengine/watchdog.go:40 +0x34
==================
2020/02/28 07:51:14 49.9M/121.1M Reconfiguring router. la=100.120.74.110/10 dns=[8.8.8.8 8.8.4.4] dom=[in.tailscale.com]
2020/02/28 07:51:14 magicsock: Conn.Send(127.3.3.40:1): too many DERP packets queued; dropping
2020/02/28 07:51:14 49.9M/121.1M New routes: 100.120.74.110/10 [8.8.8.8 8.8.4.4] [in.tailscale.com] [[100.125.152.110/32] [100.106.144.123/32] [100.96.181.91/32] [100.88.232.119/32] [100.67.55.67/32] [100.97.182.82/32] [100.81.251.94/32] [100.109.156.26/32] [100.99.142.13/32] [100.68.74.102/32] [100.91.57.75/32] [100.71.176.115/32] [100.123.101.40/32] [100.96.237.84/32] [100.85.197.98/32] [100.75.157.1/32] [100.101.102.103/32] [100.76.113.46/32] [100.89.143.94/32] [100.100.32.69/32] [100.112.88.8/32] [100.81.195.72/32] [100.114.136.105/32] [100.116.73.104/32]]


2020/02/28 07:51:14 52.7M/123.5M vLONGVER-TODO peers: 92/180 x x x x 92/180 x x x x x x 211/251 x x x 92/180 x x x x x x x
2020/02/28 07:51:14 52.8M/123.6M netmap diff:

==================
WARNING: DATA RACE
Write at 0x00c000330880 by goroutine 98:
  tailscale.com/ipn.(*LocalBackend).Start.func1()
      /home/bradfitz/src/tailscale.com/ipn/local.go:223 +0x48d
  tailscale.com/control/controlclient.(*Client).sendStatus()
      /home/bradfitz/src/tailscale.com/control/controlclient/auto.go:538 +0x471
  tailscale.com/control/controlclient.(*Client).mapRoutine.func2()
      /home/bradfitz/src/tailscale.com/control/controlclient/auto.go:457 +0x338
  tailscale.com/control/controlclient.(*Direct).PollNetMap()
      /home/bradfitz/src/tailscale.com/control/controlclient/direct.go:572 +0x1b1a
  tailscale.com/control/controlclient.(*Client).mapRoutine()
      /home/bradfitz/src/tailscale.com/control/controlclient/auto.go:428 +0x3a6

Previous read at 0x00c000330880 by goroutine 173:
  tailscale.com/ipn.(*LocalBackend).nextState()
      /home/bradfitz/src/tailscale.com/ipn/local.go:671 +0x94
  tailscale.com/ipn.(*LocalBackend).stateMachine()
      /home/bradfitz/src/tailscale.com/ipn/local.go:710 +0x38
  tailscale.com/ipn.(*LocalBackend).Start.func2()
      /home/bradfitz/src/tailscale.com/ipn/local.go:273 +0x422
  tailscale.com/wgengine.(*userspaceEngine).RequestStatus()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:547 +0x13a

Goroutine 98 (running) created at:
  tailscale.com/control/controlclient.(*Client).Start()
      /home/bradfitz/src/tailscale.com/control/controlclient/auto.go:169 +0x6e
  tailscale.com/control/controlclient.New()
      /home/bradfitz/src/tailscale.com/control/controlclient/auto.go:136 +0xe5
  tailscale.com/ipn.(*LocalBackend).Start()
      /home/bradfitz/src/tailscale.com/ipn/local.go:180 +0x8ad
  tailscale.com/ipn.(*BackendServer).GotCommand()
      /home/bradfitz/src/tailscale.com/ipn/message.go:105 +0x575
  tailscale.com/ipn/ipnserver.Run()
      /home/bradfitz/src/tailscale.com/ipn/ipnserver/server.go:127 +0xe1a
  main.main()
      /home/bradfitz/src/tailscale.com/cmd/tailscaled/tailscaled.go:86 +0x985

Goroutine 173 (finished) created at:
  tailscale.com/wgengine.newUserspaceEngineAdvanced.func4()
      /home/bradfitz/src/tailscale.com/wgengine/userspace.go:158 +0x84
  github.com/tailscale/wireguard-go/device.(*Peer).handshakeDoneCallback()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:399 +0x1c5
  github.com/tailscale/wireguard-go/device.(*Peer).RoutineNonce()
      /home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:484 +0x1f0
==================
2020/02/28 07:51:14 magicsock: rx [pub:…00sP] from 160.39.145.122:51774 (1/2), set as new priority
2020/02/28 07:51:14 52.9M/124.1M [k2e0…9PQ0] - Received handshake response from 160.39.145.122:51774
2020/02/28 07:51:14 52.9M/124.1M [k2e0…9PQ0] - Obtained awaited keypair
2020/02/28 07:51:14 52.9M/124.1M generating initial ping traffic to [pub:…00sP] (100.89.143.94)

So, yeah.

Improve NAT traversal

Meta-bug for getting traffic through more types of NATs.

Our current traversal logic works fairly well with NATs that use endpoint-independent mapping (aka "full cone NAT" to use the old terminology) and endpoint-dependent firewalling. This covers most Linux-based routers and basic enterprise NATs.

We don't yet work when both nodes are behind endpoint-dependent mapping (aka "Restricted Cone" or "Port-restricted").

We don't yet work reliably when both nodes are behind the same NAT, but have to hairpin through the NAT device to get connectivity.

Installing for Go noobs

enrai ~ $ go install tailscale.com/cmd/tailscale
can't load package: package tailscale.com/cmd/tailscale: cannot find package "tailscale.com/cmd/tailscale" in any of:
	/usr/lib/go/src/tailscale.com/cmd/tailscale (from $GOROOT)
	/home/djc/go/src/tailscale.com/cmd/tailscale (from $GOPATH)
enrai ~ $ go install tailscale.com/cmd/tailscaled
can't load package: package tailscale.com/cmd/tailscaled: cannot find package "tailscale.com/cmd/tailscaled" in any of:
	/usr/lib/go/src/tailscale.com/cmd/tailscaled (from $GOROOT)
	/home/djc/go/src/tailscale.com/cmd/tailscaled (from $GOPATH)

What are the magic incantations required to make this work (this is a Gentoo Linux box)?

stun: index out of range

Packet from [2604:a880:2:d1::c5:7001]:3478: "\x01\x01\x00H!\x12\xa4B\x06\xf5f\x85Ҋ\xf3\xe6\x9c\xe3A\xe2\x00\x01\x00\x14\x00\x02\x90\xce&\x02\x00Ѵ\xcf\xc1\x008\xb21\xff\xfe\xef\x96\xf6\x80+\x00\x14\x00\x02\r\x96&\x04\xa8\x80\x00\x02\x00\xd1\x00\x00\x00\x00\x00\xc5p\x01\x00 \x00\x14\x00\x02\xb1\xdc\a\x10\xa4\x93\xb2:\xa7\x85\xea8\xc2\x19b\f\xd7\x14"
panic: runtime error: index out of range [4] with length 4 
 
goroutine 12 [running]: 
tailscale.com/stun.xorMappedAddress(0xe6f38ad28566f506, 0xe241e39c, 0xc0001dc048, 0x14, 0xffb8, 0x4d46d1, 0xba7740, 0x85afc0, 0xc0002a2000, 0xc00004fd50, ...) 
        /home/bradfitz/src/tailscale.com/stun/stun.go:165 +0x27e 
tailscale.com/stun.ParseResponse(0xc0001dc000, 0x14, 0xffbc, 0xe6f38ad28566f506, 0xc0e241e39c, 0x3, 0xc00004fdd8, 0x4d46d1, 0x8, 0xc00004fd60, ...) 
        /home/bradfitz/src/tailscale.com/stun/stun.go:107 +0x462 
tailscale.com/stunner.(*Stunner).Receive(0xc000012780, 0xc0001dc000, 0x5c, 0x10000, 0xc00029e450) 
        /home/bradfitz/src/tailscale.com/stunner/stunner.go:54 +0x71 
tailscale.com/ipn.(*LocalBackend).populateNetworkConditions.func3(0xc000012780, 0x907160, 0xc0000100a0) 
        /home/bradfitz/src/tailscale.com/ipn/local.go:833 +0x1e9 
created by tailscale.com/ipn.(*LocalBackend).populateNetworkConditions 
        /home/bradfitz/src/tailscale.com/ipn/local.go:857 +0x9c3 
FAIL    tailscale.com/ipn       0.068s 
FAIL 

/cc @crawshaw but I can also figure this out if you're busy. I should learn STUN anyway.
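
An added example (not code from the Tailscale repository): a bounds-checked Go parser for the STUN XOR-MAPPED-ADDRESS attribute (RFC 5389), run on the packet quoted in this issue, re-typed as bytes, and on a constructed response whose attribute claims IPv6 but carries only four address bytes. The names ParseXorMapped, decodeXorAddr, issuePacket and shortV6 are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

const (
	headerLen      = 20         // type(2) + length(2) + magic cookie(4) + transaction ID(12)
	magicCookie    = 0x2112A442 // fixed value from RFC 5389
	bindingSuccess = 0x0101     // Binding success response
	attrXorMapped  = 0x0020     // XOR-MAPPED-ADDRESS
)

var errMalformed = errors.New("stun: malformed response")
var errNoAddr = errors.New("stun: no XOR-MAPPED-ADDRESS attribute")

// issuePacket is the response quoted in the issue, re-typed as bytes.
var issuePacket = []byte{
	0x01, 0x01, 0x00, 0x48, 0x21, 0x12, 0xa4, 0x42, // type, length 72, magic cookie
	0x06, 0xf5, 0x66, 0x85, 0xd2, 0x8a, 0xf3, 0xe6, 0x9c, 0xe3, 0x41, 0xe2, // transaction ID
	0x00, 0x01, 0x00, 0x14, 0x00, 0x02, 0x90, 0xce, // MAPPED-ADDRESS, family IPv6
	0x26, 0x02, 0x00, 0xd1, 0xb4, 0xcf, 0xc1, 0x00, 0x38, 0xb2, 0x31, 0xff, 0xfe, 0xef, 0x96, 0xf6,
	0x80, 0x2b, 0x00, 0x14, 0x00, 0x02, 0x0d, 0x96, // attribute 0x802b, family IPv6
	0x26, 0x04, 0xa8, 0x80, 0x00, 0x02, 0x00, 0xd1, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0x70, 0x01,
	0x00, 0x20, 0x00, 0x14, 0x00, 0x02, 0xb1, 0xdc, // XOR-MAPPED-ADDRESS, family IPv6
	0x07, 0x10, 0xa4, 0x93, 0xb2, 0x3a, 0xa7, 0x85, 0xea, 0x38, 0xc2, 0x19, 0x62, 0x0c, 0xd7, 0x14,
}

// shortV6 is a constructed response: family says IPv6, but only 4 address bytes follow.
var shortV6 = []byte{
	0x01, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42, // type, length 12, magic cookie
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // transaction ID
	0x00, 0x20, 0x00, 0x08, 0x00, 0x02, 0xb1, 0xdc, // attribute length 8, family IPv6
	0x07, 0x10, 0xa4, 0x93, // truncated address
}

// ParseXorMapped returns the address a STUN server reported, or an error.
// Every length field is checked against the bytes actually present before indexing.
func ParseXorMapped(pkt []byte) (netip.AddrPort, error) {
	var none netip.AddrPort
	if len(pkt) < headerLen ||
		binary.BigEndian.Uint16(pkt[0:2]) != bindingSuccess ||
		binary.BigEndian.Uint32(pkt[4:8]) != magicCookie {
		return none, errMalformed
	}
	bodyLen := int(binary.BigEndian.Uint16(pkt[2:4]))
	if bodyLen%4 != 0 || bodyLen > len(pkt)-headerLen {
		return none, errMalformed
	}
	key := pkt[4:headerLen] // 16-byte XOR key: magic cookie followed by transaction ID
	attrs := pkt[headerLen : headerLen+bodyLen]
	for len(attrs) >= 4 {
		typ := binary.BigEndian.Uint16(attrs[0:2])
		alen := int(binary.BigEndian.Uint16(attrs[2:4]))
		padded := (alen + 3) &^ 3 // attribute values are padded to 4 bytes
		if padded > len(attrs)-4 {
			return none, errMalformed
		}
		val := attrs[4 : 4+alen]
		attrs = attrs[4+padded:]
		if typ == attrXorMapped {
			return decodeXorAddr(val, key)
		}
	}
	return none, errNoAddr
}

// decodeXorAddr decodes reserved(1) family(1) port(2) address(4 or 16).
// The address length must match the declared family exactly.
func decodeXorAddr(val, key []byte) (netip.AddrPort, error) {
	addrLen := len(val) - 4
	v4 := addrLen == 4 && val[1] == 0x01
	v6 := addrLen == 16 && val[1] == 0x02
	if !v4 && !v6 {
		return netip.AddrPort{}, errMalformed
	}
	port := binary.BigEndian.Uint16(val[2:4]) ^ uint16(magicCookie>>16)
	var buf [16]byte
	for i := 0; i < addrLen; i++ {
		buf[i] = val[4+i] ^ key[i] // IPv4 uses only the cookie; IPv6 also uses the transaction ID
	}
	addr, _ := netip.AddrFromSlice(buf[:addrLen])
	return netip.AddrPortFrom(addr, port), nil
}

func main() {
	for _, p := range [][]byte{issuePacket, shortV6} {
		ap, err := ParseXorMapped(p)
		fmt.Println(ap, err)
	}
}
```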

Support IPv6 inside the tunnel

We don't support IPv6 on the virtual network. We should.

(This bug is unrelated to supporting IPv6 addresses for the peer-to-peer connections - see #18 for that.)

OpenBSD cannot use non-tunX names for tun interfaces

On a Debian stretch box, Tailscale failed to start after installing following the .deb instructions.

Specifically, it failed after running the systemctl start step (which silently succeeds), when relaynode doesn't appear in the process list per ps.

Looking at log output, saw:

CreateTUN: invalid argument
Error starting wireguard engine: invalid argument 

On this machine, there is already a wg0 interface from a previous Wireguard non-Tailscale installation.

Upon manually running relaynode (i.e., not through systemctl) with --tun=wg1 (picked arbitrary unused name), Tailscale starts up successfully.

It appears that the systemd service file hard-codes wg0 in the invocation; I edited the file but am conscious that a future update will clobber it.

Opt-in default routes: send all Internet traffic through a given node

A clear and concise description of what the problem is. Ex.

There are specific times when traveling that I need all my traffic on the client to be routed over the gateway node, even though most of the time I'd rather split routing.

Describe the solution you'd like
I'd love to be able to have the option, much like other VPNs' settings, to check the "route all" and have all traffic go over the gateway node that allows 0.0.0.0 traffic.

Describe alternatives you've considered

Looking at possibly writing a script to update the client config for WireGuard (although I'm not sure where it's located on the client side, might need to also "add" the config somehow on the gateway side, but it would be nice if it was a built-in feature).

Unused closure of code in logtail

In investigating #22, staticcheck reported a fairly large closure of code that's unused in logtail.

It's all unexported symbols, and I can't find any reference in either the OSS or corp repo, so I'm fairly sure it's right... Unless this was preparation for some radical new thing, and I'll cheese someone off by deleting it.

@apenwarr you'd know! Can I remove these bits and bobs?

logtail/logtail.go:235:5: var clientSentinelPrefix is unused (U1000)
logtail/logtail.go:238:2: const noSentinel is unused (U1000)
logtail/logtail.go:239:2: const stopSentinel is unused (U1000)
logtail/logtail.go:246:6: func newSentinel is unused (U1000)
logtail/logtail.go:260:6: func readSentinel is unused (U1000)
logtail/logtail.go:346:5: var errHasLogtail is unused (U1000)

`go mod download` returns unknown revision for wireguard-go

After cloning the repo in a non-GOPATH location, running go mod download returns an error:

go: finding github.com/tailscale/wireguard-go v0.0.0-20200211020303-f39bc8eeee1b
go: github.com/tailscale/[email protected]: unknown revision f39bc8eeee1b
go: error loading module requirements

I tried both Go 1.13.5 and 1.13.8, giving the same error. Commit f39bc8eeee1b seems to have appeared in the wireguard-go repo.

Not sure if I'm doing anything wrong here.

version: come up with good default implementation

When we do tailscale binary releases, we stamp version info into the binaries with the Go linker.

But for people just using "go get" the default way, we don't have that info.

Since Go modules, we at least see the summary of all our deps (and Go's version itself; I'm running a devel build) automatically stamped into the binaries:

$ go version -m ~/bin/tailscaled
/home/bradfitz/bin/tailscaled: devel +e7f9e17b79 Tue Jan 28 22:08:43 2020 +0000
        path    tailscale.com/cmd/tailscaled
        mod     tailscale.com   (devel)
        dep     github.com/apenwarr/fixconsole  v0.0.0-20191012055117-5a9f6489cc29      h1:muXWUcay7DDy1/hEQWrYlBy+g0EuwT70sBHg65SeUc4=            
        dep     github.com/golang/groupcache    v0.0.0-20200121045136-8c9f03a8e57e      h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=    
        dep     github.com/google/go-cmp        v0.4.0  h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
        dep     github.com/klauspost/compress   v1.9.8  h1:VMAMUUOh+gaxKTMk+zqbjsSjsIcUcL/LF4o63i82QyA=
        dep     github.com/mdlayher/netlink     v1.1.0  h1:mpdLgm+brq10nI9zM1BpX1kpDbh3NLl3RSnVq6ZSkfg=
        dep     github.com/pborman/getopt       v0.0.0-20190409184431-ee0cd42419d3      h1:YtFkrqsMEj7YqpIhRteVxJxCeC3jJBieuLr0d4C4rSA=
        dep     github.com/tailscale/wireguard-go       v0.0.0-20200213180345-a7c4b7719b1d      h1:LVJovgZxbmPxtY6kJm4vwMtk0HpcNeI+vU2jB3T8M40=
        dep     golang.org/x/crypto     v0.0.0-20200210222208-86ce3cb69678      h1:wCWoJcFExDgyYx2m2hpHgwz8W3+FPdfldvIgzqDIhyg=
        dep     golang.org/x/net        v0.0.0-20200202094626-16171245cfb2      h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
        dep     golang.org/x/oauth2     v0.0.0-20200107190931-bf48bf16ab8d      h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
        dep     golang.org/x/sys        v0.0.0-20200217220822-9197077df867      h1:JoRuNIf+rpHl+VhScRQQvzbHed86tKkqwPMV34T8myw=
        dep     rsc.io/goversion        v1.2.0  h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=

We can get that at runtime (using https://godoc.org/rsc.io/goversion/version) but for better or worse, that doesn't include the Git hash of the top-level module, only the deps.

So one thing we could do is add a fake dep to another module (like github.com/tailscale/version-horizon) that we have a bot auto-advance every $INTERVAL, so at least we have a rough date range of what binary people are running when they're running unofficial binaries. Or, if we're already having a bot do this, avoid that indirection and just have the bot auto-commit the latest date to version/version.go every $INTERVAL instead.

Low priority, but we'll probably want better data in the future.

/cc @apenwarr @crawshaw @danderson

Document how to run (or package) Tailscale for LXC under Proxmox

Describe the bug
Tailscale won't start and logs:

CreateTUN: no such file or directory
Error starting wireguard engine: no such file or directory

Because in LXC, the wireguard module is loaded on the host machine (like a Proxmox) and not in the container. I think that's why the bug occurs, because I've done the same install 3 times and this is the only one that failed.

To Reproduce
Steps to reproduce the behavior:

  1. Setup a Debian LXC Container in Proxmox
  2. Install wireguard for Proxmox CT
  3. Install Tailscale for Debian
  4. See error

Expected behavior
Tailscale has to start and work normally

Version information:

  • Device: LXC Container
  • OS: Debian
  • OS version: 9
  • Tailscale version: 0.94-236

Additional context
I've added the default (41641) port as UDP forward on my Proxmox NAT but still won't start

freebsd: "interface wg0 already exists"

Is your feature request related to a problem? Please describe.

NewUserspaceEngine in wgengine/userspace.go issues a call to CreateTUN, which creates the wg0 interface on first run, but results in an "interface wg0 already exists" on subsequent runs.

Describe the solution you'd like

Mostly just looking for some context on whether this scenario exists on other platforms and how you'd like it to be handled. Perhaps a way to handle CreateTUN in which if it already exists, it gets reused.

Describe alternatives you've considered

Looking at the wireguard-go implementation, it looks like they're setting an environment variable after creating the tun, and referencing the file descriptor in the environment variable on subsequent runs. I can issue an "ifconfig wg0 destroy" to clean up the interface on close but that seems a little brute-forcish, and handling it higher up will likely impact all the platforms. I've checked the linux/darwin/windows implementations for an example of how this is handled but it's not immediately apparent from the code.

Additional context

logtail...
Starting userspace wireguard engine.
external packet routing via --tun=wg0 enabled
CreateTUN: interface wg0 already exists
Error starting wireguard engine: interface wg0 already exists

On ubuntu linux /var/lib/tailscale does not exist, tailscale-login fails

I tried following instructions to install on Ubuntu linux from here https://tailscale.com/kb/1026/install-deb

It seemed to fail for two reasons:

  • /var/lib/tailscale didn't exist
  • /var/lib/tailscale permissions (after I created manually with sudo, had to chown)

Appears things are under heavy flux, so sorry if this is a premature or unneeded ticket.

$ sudo dpkg -i tailscale-relay_0.94-236_amd64.deb 
[sudo] password for aaron: 
Selecting previously unselected package tailscale-relay.
(Reading database ... 285724 files and directories currently installed.)
Preparing to unpack tailscale-relay_0.94-236_amd64.deb ...
Unpacking tailscale-relay (0.94-236) ...
Setting up tailscale-relay (0.94-236) ...
Created symlink /etc/systemd/system/multi-user.target.wants/tailscale-relay.service → /lib/systemd/system/tailscale-relay.service.

Note: Run tailscale-login to configure /var/lib/tailscale/relay.conf.

$ tailscale-login
2020/02/12 13:54:23 logpolicy.Read /var/lib/tailscale/relay.conf.log.conf: open /var/lib/tailscale/relay.conf.log.conf: no such file or directory
2020/02/12 13:54:23 logpolicy.Config write: "/var/lib/tailscale/relay.conf.log.conf.new.tmp": open /var/lib/tailscale/relay.conf.log.conf.new.tmp: no such file or directory
logtail started
Program starting: v0.94-236-gb2bf51d7: []string{"/usr/sbin/taillogin", "--config=/var/lib/tailscale/relay.conf"}
LogID: df6cea2d056c046bdfb5129c6eb0fe1e4abd086f4f6f7e9942d1821475d37fb6
filch failed: <nil>
config /var/lib/tailscale/relay.conf does not exist
Hostinfo: {<snip>}
client.Login(false, 0)
authRoutine: state:new
mapRoutine: state:new
authRoutine: context done.
authRoutine: state:new
direct.TryLogin(false, 0)
Generating a new machinekey.
doLogin(regen=false, hasUrl=false)
Generating a new nodekey.
RegisterReq: onode=[empty] node=[CSDQ…mdx4] fup=false
RegisterReq: returned.
AuthURL is https://login2.tails...
sendStatus: authRoutine3: state:url-visit-required
To authenticate, visit:

	https://login2.tailscale.io/a/<snip>

authRoutine: state:url-visit-required
direct.WaitLoginURL
doLogin(regen=false, hasUrl=true)
RegisterReq: onode=[empty] node=[CSDQ…mdx4] fup=true
RegisterReq: returned.
No AuthURL
sendStatus: authRoutine4: state:authenticated
cancelMapSafely: synced=false
cancelMapSafely: wrote to channel
authRoutine: state:authenticated
mapRoutine: new map needed while idle.
mapRoutine: state:authenticated
PollNetMap: stream=-1 :0 []
new network map[0]:
NetworkMap: self: [CSDQ…mdx4] auth=machine-authorized :<snip>
mapRoutine: netmap received: state:synchronized
sendStatus: mapRoutine2: state:synchronized
save config: "/var/lib/tailscale/relay.conf.new.tmp": open /var/lib/tailscale/relay.conf.new.tmp: no such file or directory
Success.
flushing log.
logger closing down

Adapt to changing network environments better

Overall tracking bug for network change reactivity.

When the network environment changes (e.g. switch from LTE to wifi, NAT gateway reboots and loses all its mappings), nodes should reestablish connectivity gracefully.

We currently adapt in some cases, but not others. We should always notice changes to connectivity, and adapt gracefully to them.

Clean up usage of winipcfg

Running go mod tidy or GOOS=windows go install ./... reports:

go: finding module for package tailscale.io/control
tailscale.com/wgengine imports
        golang.zx2c4.com/winipcfg: cannot find module providing package golang.zx2c4.com/winipcfg: unrecognized import path "golang.zx2c4.com/winipcfg": reading https://golang.zx2c4.com/winipcfg?go-get=1: 404 Not Found
tailscale.com/control/controlclient tested by
        tailscale.com/control/controlclient.test imports
        tailscale.io/control: cannot find module providing package tailscale.io/control: unrecognized import path "tailscale.io/control": parse https://tailscale.io/control?go-get=1: no go-import meta tags (meta tag tailscale.com did not match import path tailscale.io/control)

Clean that up.

macOS & iOS doesn't use DNS set in the admin panel

Describe the bug
On macOS, DNS resolution order doesn't get prioritized with the DNS in the admin panel, which means it's essentially ignored.

To Reproduce
Steps to reproduce the behavior:

  1. Set the DNS in the admin panel
  2. scutil --dns should show the config in the scoped queries
  3. ping or resolve a host where the DNS would have a different IP, i.e. using an internal VPC DNS in AWS to get the internal IP vs the external IP.
  4. You'll see the public IP returned, not the internal IP. nslookup with the admin DNS resolves to the internal IP correctly

Expected behavior
I'd expect the DNS set in the admin to take priority when the VPN is connected, or at least an option per client to decide

Version information:
 - Device: macbook pro
 - OS: macOS
 - OS version: 10.14.6
 - Tailscale version: App version: 0.95.208

Additional context
I currently have a very specific hardcoded example that works as a workaround at
https://github.com/pelotech/tailscale-tools/tree/master/resolver
it listens to the up/down of the interfaces and adds resolvers for specific domains to be used.

wgengine: watchdog timeout on Reconfig

I noticed my tailscaled built at HEAD fail to start up. It hung:

51.3M/35.8M Switching ipn state Starting -> Running (WantRunning=true)
51.3M/35.8M [CvZr…DN0I] - Stopping...
51.3M/35.8M [qD6N…bOUo] - Stopping...
51.3M/35.8M [a2yv…HsHM] - Stopping...
51.3M/35.8M [l59f…kOjA] - Stopping...
51.3M/35.8M [k2e0…9PQ0] - Stopping...
51.3M/35.8M [Qp2x…wWAc] - Stopping...
51.3M/35.8M [o9h+…yiGg] - Stopping...
51.3M/35.8M [dFWb…htlE] - Stopping...
51.3M/35.8M [F9u+…AgxU] - Stopping...
51.3M/35.8M [tfYF…ESmU] - Stopping...
51.3M/35.8M [5v1Z…HKUc] - Stopping...
51.3M/35.8M [hBJ7…g7VM] - Stopping...
51.3M/35.8M [LA56…RMjc] - Stopping...
STUN server stun.l.google.com:19302 reports public endpoint 209.180.207.193:57417 after 9.014619ms
magicsock: found local 209.180.207.193:57417 (stun)
STUN server stun3.l.google.com:19302 reports public endpoint 209.180.207.193:57417 after 74.395489ms
magicsock: found local 209.180.207.193:57417 (stun)
magicsock: found local 10.0.0.29:57417 (localAddresses)
52.7M/36.5M control: Hostinfo: &{LONGVER-TODO  d8110230555bdb199b48ca6ca71c3802b758e9373cd104d785b8e5c2d1eb8d27 linux taildoc [] [{tcp 22 sshd} {tcp 25 exim4} {tcp 80 godoc} {udp 57417 tailscaled}] 0xc000066cc0}
52.6M/36.5M control: cancelMapSafely: synced=true
52.7M/36.5M external route: up
[wgengine watchdog stacks:
goroutine profile: total 73
8 @ 0x432a40 0x44259b 0x88d692 0x460801
#	0x88d691	github.com/tailscale/wireguard-go/device.(*Peer).RoutineSequentialReceiver+0x1f1	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/receive.go:555

8 @ 0x432a40 0x44259b 0x890e33 0x460801
#	0x890e32	github.com/tailscale/wireguard-go/device.(*Peer).RoutineSequentialSender+0x152	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:659

7 @ 0x432a40 0x44259b 0x890474 0x460801
#	0x890473	github.com/tailscale/wireguard-go/device.(*Peer).RoutineNonce+0x2a3	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:481

6 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x892077 0x891fa3 0x892a0a 0x88e823 0x892252 0x8984b0 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46								/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x892076	sync.(*RWMutex).RLock+0x126									/home/bradfitz/sdk/go1.13.8/src/sync/rwmutex.go:50
#	0x891fa2	github.com/tailscale/wireguard-go/device.(*Peer).timersActive+0x52				/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/timers.go:78
#	0x892a09	github.com/tailscale/wireguard-go/device.(*Peer).timersAnyAuthenticatedPacketTraversal+0x69	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/timers.go:223
#	0x88e822	github.com/tailscale/wireguard-go/device.(*Peer).SendHandshakeInitiation+0x372			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:166
#	0x892251	github.com/tailscale/wireguard-go/device.expiredRetransmitHandshake+0x1b1			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/timers.go:120
#	0x8984af	github.com/tailscale/wireguard-go/device.(*Peer).NewTimer.func1+0x9f				/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/timers.go:42

4 @ 0x432a40 0x44259b 0x88c05d 0x460801
#	0x88c05c	github.com/tailscale/wireguard-go/device.(*Device).RoutineDecryption+0x15c	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/receive.go:248

4 @ 0x432a40 0x44259b 0x890a1d 0x460801
#	0x890a1c	github.com/tailscale/wireguard-go/device.(*Device).RoutineEncryption+0x15c	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:560

2 @ 0x432a40 0x42d7da 0x42cda5 0x4c9885 0x4ca7ff 0x4ca7e1 0x5a715f 0x5bb408 0x615b20 0x4ed024 0x615d6c 0x6142c4 0x618531 0x61853c 0x55f86a 0x4c7657 0x69a977 0x69a92a 0x69b1e1 0x6bb67e 0x6bade3 0x460801
#	0x42cda4	internal/poll.runtime_pollWait+0x54		/home/bradfitz/sdk/go1.13.8/src/runtime/netpoll.go:184
#	0x4c9884	internal/poll.(*pollDesc).wait+0x44		/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:87
#	0x4ca7fe	internal/poll.(*pollDesc).waitRead+0x1ce	/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:92
#	0x4ca7e0	internal/poll.(*FD).Read+0x1b0			/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_unix.go:169
#	0x5a715e	net.(*netFD).Read+0x4e				/home/bradfitz/sdk/go1.13.8/src/net/fd_unix.go:202
#	0x5bb407	net.(*conn).Read+0x67				/home/bradfitz/sdk/go1.13.8/src/net/net.go:184
#	0x615b1f	crypto/tls.(*atLeastReader).Read+0x5f		/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:780
#	0x4ed023	bytes.(*Buffer).ReadFrom+0xb3			/home/bradfitz/sdk/go1.13.8/src/bytes/buffer.go:204
#	0x615d6b	crypto/tls.(*Conn).readFromUntil+0xeb		/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:802
#	0x6142c3	crypto/tls.(*Conn).readRecordOrCCS+0x123	/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:609
#	0x618530	crypto/tls.(*Conn).readRecord+0x160		/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:577
#	0x61853b	crypto/tls.(*Conn).Read+0x16b			/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:1255
#	0x55f869	bufio.(*Reader).Read+0x269			/home/bradfitz/sdk/go1.13.8/src/bufio/bufio.go:226
#	0x4c7656	io.ReadAtLeast+0x86				/home/bradfitz/sdk/go1.13.8/src/io/io.go:310
#	0x69a976	io.ReadFull+0x86				/home/bradfitz/sdk/go1.13.8/src/io/io.go:329
#	0x69a929	net/http.http2readFrameHeader+0x39		/home/bradfitz/sdk/go1.13.8/src/net/http/h2_bundle.go:1477
#	0x69b1e0	net/http.(*http2Framer).ReadFrame+0xa0		/home/bradfitz/sdk/go1.13.8/src/net/http/h2_bundle.go:1735
#	0x6bb67d	net/http.(*http2clientConnReadLoop).run+0x8d	/home/bradfitz/sdk/go1.13.8/src/net/http/h2_bundle.go:8175
#	0x6bade2	net/http.(*http2ClientConn).readLoop+0xa2	/home/bradfitz/sdk/go1.13.8/src/net/http/h2_bundle.go:8103

2 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x46eacc 0x8bb75d 0x8bb3b1 0x8bf638 0x89016c 0x890351 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46						/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x46eacb	sync.(*Mutex).lockSlow+0xfb							/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:138
#	0x8bb75c	sync.(*Mutex).Lock+0x55c							/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:81
#	0x8bb3b0	tailscale.com/wgengine.(*userspaceEngine).startPinger+0x1b0			/home/bradfitz/src/tailscale.com/wgengine/userspace.go:237
#	0x8bf637	tailscale.com/wgengine.newUserspaceEngineAdvanced.func4+0x2b7			/home/bradfitz/src/tailscale.com/wgengine/userspace.go:170
#	0x89016b	github.com/tailscale/wireguard-go/device.(*Peer).handshakeDoneCallback+0xdb	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:399
#	0x890350	github.com/tailscale/wireguard-go/device.(*Peer).RoutineNonce+0x180		/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:484

2 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x46eacc 0x8bd897 0x8bc691 0x8bd942 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46				/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x46eacb	sync.(*Mutex).lockSlow+0xfb					/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:138
#	0x8bd896	sync.(*Mutex).Lock+0x1266					/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:81
#	0x8bc690	tailscale.com/wgengine.(*userspaceEngine).getStatus+0x60	/home/bradfitz/src/tailscale.com/wgengine/userspace.go:425
#	0x8bd941	tailscale.com/wgengine.(*userspaceEngine).RequestStatus+0x81	/home/bradfitz/src/tailscale.com/wgengine/userspace.go:543

2 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x884df4 0x884d41 0x887e19 0x88d06c 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46							/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x884df3	sync.(*RWMutex).RLock+0x113								/home/bradfitz/sdk/go1.13.8/src/sync/rwmutex.go:50
#	0x884d40	github.com/tailscale/wireguard-go/device.(*Device).LookupPeer+0x60			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/device.go:421
#	0x887e18	github.com/tailscale/wireguard-go/device.(*Device).ConsumeMessageInitiation+0x2c8	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/noise-protocol.go:274
#	0x88d06b	github.com/tailscale/wireguard-go/device.(*Device).RoutineHandshake+0xb2b		/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/receive.go:441

1 @ 0x40c994 0x44713c 0x7816d2 0x460801
#	0x44713b	os/signal.signal_recv+0x9b	/home/bradfitz/sdk/go1.13.8/src/runtime/sigqueue.go:147
#	0x7816d1	os/signal.loop+0x21		/home/bradfitz/sdk/go1.13.8/src/os/signal/signal_unix.go:23

1 @ 0x432a40 0x407578 0x40754e 0x40723b 0x8b31a6 0x8b1ad0 0x8b2651 0x8b0650 0x8adeb4 0x8adc10 0x8adb36 0x8b779e 0x8b7178 0x460801
#	0x8b31a5	github.com/mdlayher/netlink.(*lockedNetNSGoroutine).run+0xb5	/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn_linux.go:771
#	0x8b1acf	github.com/mdlayher/netlink.(*sysSocket).read+0xef		/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn_linux.go:377
#	0x8b2650	github.com/mdlayher/netlink.(*sysSocket).Recvmsg+0x170		/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn_linux.go:543
#	0x8b064f	github.com/mdlayher/netlink.(*conn).Receive+0xef		/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn_linux.go:147
#	0x8adeb3	github.com/mdlayher/netlink.(*Conn).receive+0x73		/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn.go:288
#	0x8adc0f	github.com/mdlayher/netlink.(*Conn).lockedReceive+0x3f		/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn.go:247
#	0x8adb35	github.com/mdlayher/netlink.(*Conn).Receive+0x95		/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn.go:240
#	0x8b779d	tailscale.com/wgengine/monitor.(*nlConn).Receive+0x2d		/home/bradfitz/src/tailscale.com/wgengine/monitor/monitor_linux.go:46
#	0x8b7177	tailscale.com/wgengine/monitor.(*Mon).pump+0x77			/home/bradfitz/src/tailscale.com/wgengine/monitor/monitor.go:103

1 @ 0x432a40 0x407578 0x40754e 0x40723b 0x8c6465 0x460801
#	0x8c6464	tailscale.com/ipn.(*LocalBackend).runPoller+0x1e4	/home/bradfitz/src/tailscale.com/ipn/local.go:305

1 @ 0x432a40 0x407578 0x40754e 0x40727b 0x892d82 0x460801
#	0x892d81	github.com/tailscale/wireguard-go/device.(*Device).RoutineTUNEventReader+0x101	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/tun.go:25

1 @ 0x432a40 0x42d7da 0x42cda5 0x4c9885 0x4ca7ff 0x4ca7e1 0x4d1f31 0x4d1f04 0x874b1c 0x88fa93 0x460801
#	0x42cda4	internal/poll.runtime_pollWait+0x54						/home/bradfitz/sdk/go1.13.8/src/runtime/netpoll.go:184
#	0x4c9884	internal/poll.(*pollDesc).wait+0x44						/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:87
#	0x4ca7fe	internal/poll.(*pollDesc).waitRead+0x1ce					/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:92
#	0x4ca7e0	internal/poll.(*FD).Read+0x1b0							/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_unix.go:169
#	0x4d1f30	os.(*File).read+0x70								/home/bradfitz/sdk/go1.13.8/src/os/file_unix.go:259
#	0x4d1f03	os.(*File).Read+0x43								/home/bradfitz/sdk/go1.13.8/src/os/file.go:116
#	0x874b1b	github.com/tailscale/wireguard-go/tun.(*NativeTun).Read+0x12b			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/tun/tun_linux.go:348
#	0x88fa92	github.com/tailscale/wireguard-go/device.(*Device).RoutineReadFromTUN+0x102	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:317

1 @ 0x432a40 0x42d7da 0x42cda5 0x4c9885 0x4ca7ff 0x4ca7e1 0x5a715f 0x5bb408 0x615b20 0x4ed024 0x615d6c 0x6142c4 0x618531 0x61853c 0x55f1a3 0x55fa59 0x89c9bf 0x89caa2 0x89e2a2 0x89faf1 0x8a69b4 0x460801
#	0x42cda4	internal/poll.runtime_pollWait+0x54				/home/bradfitz/sdk/go1.13.8/src/runtime/netpoll.go:184
#	0x4c9884	internal/poll.(*pollDesc).wait+0x44				/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:87
#	0x4ca7fe	internal/poll.(*pollDesc).waitRead+0x1ce			/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:92
#	0x4ca7e0	internal/poll.(*FD).Read+0x1b0					/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_unix.go:169
#	0x5a715e	net.(*netFD).Read+0x4e						/home/bradfitz/sdk/go1.13.8/src/net/fd_unix.go:202
#	0x5bb407	net.(*conn).Read+0x67						/home/bradfitz/sdk/go1.13.8/src/net/net.go:184
#	0x615b1f	crypto/tls.(*atLeastReader).Read+0x5f				/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:780
#	0x4ed023	bytes.(*Buffer).ReadFrom+0xb3					/home/bradfitz/sdk/go1.13.8/src/bytes/buffer.go:204
#	0x615d6b	crypto/tls.(*Conn).readFromUntil+0xeb				/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:802
#	0x6142c3	crypto/tls.(*Conn).readRecordOrCCS+0x123			/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:609
#	0x618530	crypto/tls.(*Conn).readRecord+0x160				/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:577
#	0x61853b	crypto/tls.(*Conn).Read+0x16b					/home/bradfitz/sdk/go1.13.8/src/crypto/tls/conn.go:1255
#	0x55f1a2	bufio.(*Reader).fill+0x102					/home/bradfitz/sdk/go1.13.8/src/bufio/bufio.go:100
#	0x55fa58	bufio.(*Reader).ReadByte+0x38					/home/bradfitz/sdk/go1.13.8/src/bufio/bufio.go:252
#	0x89c9be	tailscale.com/derp.readFrameHeader+0x2e				/home/bradfitz/src/tailscale.com/derp/derp.go:95
#	0x89caa1	tailscale.com/derp.readFrame+0x31				/home/bradfitz/src/tailscale.com/derp/derp.go:117
#	0x89e2a1	tailscale.com/derp.(*Client).Recv+0x131				/home/bradfitz/src/tailscale.com/derp/derp_client.go:180
#	0x89faf0	tailscale.com/derp/derphttp.(*Client).Recv+0xa0			/home/bradfitz/src/tailscale.com/derp/derphttp/derphttp_client.go:175
#	0x8a69b3	tailscale.com/wgengine/magicsock.(*Conn).runDerpReader+0x103	/home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:583

1 @ 0x432a40 0x42d7da 0x42cda5 0x4c9885 0x4cacf3 0x4cacd2 0x5a72bb 0x5c837a 0x5c696d 0x8aabaa 0x8abc1a 0x460801
#	0x42cda4	internal/poll.runtime_pollWait+0x54					/home/bradfitz/sdk/go1.13.8/src/runtime/netpoll.go:184
#	0x4c9884	internal/poll.(*pollDesc).wait+0x44					/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:87
#	0x4cacf2	internal/poll.(*pollDesc).waitRead+0x1c2				/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:92
#	0x4cacd1	internal/poll.(*FD).ReadFrom+0x1a1					/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_unix.go:219
#	0x5a72ba	net.(*netFD).readFrom+0x5a						/home/bradfitz/sdk/go1.13.8/src/net/fd_unix.go:208
#	0x5c8379	net.(*UDPConn).readFrom+0x69						/home/bradfitz/sdk/go1.13.8/src/net/udpsock_posix.go:47
#	0x5c696c	net.(*UDPConn).ReadFrom+0x5c						/home/bradfitz/sdk/go1.13.8/src/net/udpsock.go:121
#	0x8aaba9	tailscale.com/wgengine/magicsock.(*RebindingUDPConn).ReadFrom+0x99	/home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:1068
#	0x8abc19	tailscale.com/wgengine/magicsock.(*Conn).ReceiveIPv4.func1+0x99		/home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:675

1 @ 0x432a40 0x42d7da 0x42cda5 0x4c9885 0x4cc208 0x4cc1e7 0x5a7ad2 0x5cc312 0x5ca817 0x8ce2be 0x8d7544 0x43266e 0x460801
#	0x42cda4	internal/poll.runtime_pollWait+0x54		/home/bradfitz/sdk/go1.13.8/src/runtime/netpoll.go:184
#	0x4c9884	internal/poll.(*pollDesc).wait+0x44		/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:87
#	0x4cc207	internal/poll.(*pollDesc).waitRead+0x1f7	/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:92
#	0x4cc1e6	internal/poll.(*FD).Accept+0x1d6		/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_unix.go:384
#	0x5a7ad1	net.(*netFD).accept+0x41			/home/bradfitz/sdk/go1.13.8/src/net/fd_unix.go:238
#	0x5cc311	net.(*UnixListener).accept+0x31			/home/bradfitz/sdk/go1.13.8/src/net/unixsock_posix.go:162
#	0x5ca816	net.(*UnixListener).Accept+0x46			/home/bradfitz/sdk/go1.13.8/src/net/unixsock.go:260
#	0x8ce2bd	tailscale.com/ipn/ipnserver.Run+0x5ed		/home/bradfitz/src/tailscale.com/ipn/ipnserver/server.go:159
#	0x8d7543	main.main+0x6f3					/home/bradfitz/src/tailscale.com/cmd/tailscaled/tailscaled.go:86
#	0x43266d	runtime.main+0x21d				/home/bradfitz/sdk/go1.13.8/src/runtime/proc.go:203

1 @ 0x432a40 0x42d7da 0x42cda5 0x4c9885 0x4cd21d 0x4cd1fa 0x4d6265 0x8b396d 0x8b5270 0x8b5f2f 0x8b5c71 0x460801
#	0x42cda4	internal/poll.runtime_pollWait+0x54					/home/bradfitz/sdk/go1.13.8/src/runtime/netpoll.go:184
#	0x4c9884	internal/poll.(*pollDesc).wait+0x44					/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:87
#	0x4cd21c	internal/poll.(*pollDesc).waitRead+0x10c				/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_poll_runtime.go:92
#	0x4cd1f9	internal/poll.(*FD).RawRead+0xe9					/home/bradfitz/sdk/go1.13.8/src/internal/poll/fd_unix.go:534
#	0x4d6264	os.(*rawConn).Read+0x64							/home/bradfitz/sdk/go1.13.8/src/os/rawconn.go:31
#	0x8b396c	github.com/mdlayher/netlink.fdread+0x9c					/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/fdcall_gteq_1.12.go:21
#	0x8b526f	github.com/mdlayher/netlink.(*sysSocket).read.func1+0x3f		/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn_linux.go:378
#	0x8b5f2e	github.com/mdlayher/netlink.(*lockedNetNSGoroutine).run.func1+0x5e	/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn_linux.go:769
#	0x8b5c70	github.com/mdlayher/netlink.newLockedNetNSGoroutine.func1+0x180		/home/bradfitz/pkg/mod/github.com/mdlayher/[email protected]/conn_linux.go:742

1 @ 0x432a40 0x44259b 0x857396 0x460801
#	0x857395	tailscale.com/control/controlclient.(*Client).authRoutine+0xad5	/home/bradfitz/src/tailscale.com/control/controlclient/auto.go:282

1 @ 0x432a40 0x44259b 0x862a65 0x460801
#	0x862a64	tailscale.com/control/controlclient.(*Direct).PollNetMap.func1+0xc4	/home/bradfitz/src/tailscale.com/control/controlclient/direct.go:481

1 @ 0x432a40 0x44259b 0x873467 0x460801
#	0x873466	github.com/tailscale/wireguard-go/tun.(*NativeTun).routineHackListener+0x236	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/tun/tun_linux.go:77

1 @ 0x432a40 0x44259b 0x87dbbc 0x460801
#	0x87dbbb	github.com/tailscale/wireguard-go/ratelimiter.(*Ratelimiter).Init.func1+0xbb	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/ratelimiter/ratelimiter.go:67

1 @ 0x432a40 0x44259b 0x8a443e 0x460801
#	0x8a443d	tailscale.com/wgengine/magicsock.(*Conn).epUpdate+0x14d	/home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:178

1 @ 0x432a40 0x44259b 0x8a6e57 0x460801
#	0x8a6e56	tailscale.com/wgengine/magicsock.(*Conn).runDerpWriter+0xf6	/home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:628

1 @ 0x432a40 0x44259b 0x8a7521 0x88be25 0x460801
#	0x8a7520	tailscale.com/wgengine/magicsock.(*Conn).ReceiveIPv4+0x1c0			/home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:698
#	0x88be24	github.com/tailscale/wireguard-go/device.(*Device).RoutineReceiveIncoming+0x714	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/receive.go:126

1 @ 0x432a40 0x44259b 0x8c26ce 0x460801
#	0x8c26cd	tailscale.com/portlist.(*Poller).Run+0x17d	/home/bradfitz/src/tailscale.com/portlist/poller.go:44

1 @ 0x432a40 0x44259b 0x8ceac7 0x460801
#	0x8ceac6	tailscale.com/ipn/ipnserver.Run.func2+0xb6	/home/bradfitz/src/tailscale.com/ipn/ipnserver/server.go:90

1 @ 0x432a40 0x44259b 0x8d107c 0x8d14fa 0x460801
#	0x8d107b	tailscale.com/logtail.(*logger).drainPending+0x49b	/home/bradfitz/src/tailscale.com/logtail/logtail.go:184
#	0x8d14f9	tailscale.com/logtail.(*logger).uploading+0x249		/home/bradfitz/src/tailscale.com/logtail/logtail.go:236

1 @ 0x432a40 0x443100 0x4430eb 0x442d52 0x470574 0x88ad8e 0x883230 0x885086 0x894ed1 0x8be071 0x8bf15f 0x8b73d2 0x460801
#	0x442d51	sync.runtime_Semacquire+0x41							/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:56
#	0x470573	sync.(*WaitGroup).Wait+0x63							/home/bradfitz/sdk/go1.13.8/src/sync/waitgroup.go:130
#	0x88ad8d	github.com/tailscale/wireguard-go/device.(*Peer).Stop+0x15d			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/peer.go:312
#	0x88322f	github.com/tailscale/wireguard-go/device.unsafeRemovePeer+0x4f			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/device.go:130
#	0x885085	github.com/tailscale/wireguard-go/device.(*Device).RemoveAllPeers+0x125		/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/device.go:443
#	0x894ed0	github.com/tailscale/wireguard-go/device.(*Device).IpcSetOperation+0x1b00	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/uapi.go:212
#	0x8be070	tailscale.com/wgengine.(*userspaceEngine).LinkChange+0x2e0			/home/bradfitz/src/tailscale.com/wgengine/userspace.go:591
#	0x8bf15e	tailscale.com/wgengine.newUserspaceEngineAdvanced.func1+0x2e			/home/bradfitz/src/tailscale.com/wgengine/userspace.go:108
#	0x8b73d1	tailscale.com/wgengine/monitor.(*Mon).debounce+0x111				/home/bradfitz/src/tailscale.com/wgengine/monitor/monitor.go:134

1 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x46eacc 0x8bc312 0x8bb837 0x8c01a6 0x8c00c7 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46				/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x46eacb	sync.(*Mutex).lockSlow+0xfb					/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:138
#	0x8bc311	sync.(*Mutex).Lock+0xb61					/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:81
#	0x8bb836	tailscale.com/wgengine.(*userspaceEngine).Reconfig+0x86		/home/bradfitz/src/tailscale.com/wgengine/userspace.go:306
#	0x8c01a5	tailscale.com/wgengine.(*watchdogEngine).Reconfig.func1+0x55	/home/bradfitz/src/tailscale.com/wgengine/watchdog.go:64
#	0x8c00c6	tailscale.com/wgengine.(*watchdogEngine).watchdogErr.func1+0x26	/home/bradfitz/src/tailscale.com/wgengine/watchdog.go:40

1 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x46eacc 0x8bd897 0x8bc691 0x8bd942 0x8bf270 0x8ab6aa 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46				/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x46eacb	sync.(*Mutex).lockSlow+0xfb					/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:138
#	0x8bd896	sync.(*Mutex).Lock+0x1266					/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:81
#	0x8bc690	tailscale.com/wgengine.(*userspaceEngine).getStatus+0x60	/home/bradfitz/src/tailscale.com/wgengine/userspace.go:425
#	0x8bd941	tailscale.com/wgengine.(*userspaceEngine).RequestStatus+0x81	/home/bradfitz/src/tailscale.com/wgengine/userspace.go:543
#	0x8bf26f	tailscale.com/wgengine.newUserspaceEngineAdvanced.func2+0xff	/home/bradfitz/src/tailscale.com/wgengine/userspace.go:119
#	0x8ab6a9	tailscale.com/wgengine/magicsock.(*Conn).epUpdate.func1+0x209	/home/bradfitz/src/tailscale.com/wgengine/magicsock/magicsock.go:208

1 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x46eacc 0x8bd897 0x8bc691 0x8bd942 0x8bf8ce 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46				/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x46eacb	sync.(*Mutex).lockSlow+0xfb					/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:138
#	0x8bd896	sync.(*Mutex).Lock+0x1266					/home/bradfitz/sdk/go1.13.8/src/sync/mutex.go:81
#	0x8bc690	tailscale.com/wgengine.(*userspaceEngine).getStatus+0x60	/home/bradfitz/src/tailscale.com/wgengine/userspace.go:425
#	0x8bd941	tailscale.com/wgengine.(*userspaceEngine).RequestStatus+0x81	/home/bradfitz/src/tailscale.com/wgengine/userspace.go:543
#	0x8bf8cd	tailscale.com/wgengine.newUserspaceEngineAdvanced.func7+0x12d	/home/bradfitz/src/tailscale.com/wgengine/userspace.go:204

1 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x892077 0x891fa3 0x89295b 0x88ef88 0x88d1c0 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46						/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x892076	sync.(*RWMutex).RLock+0x126							/home/bradfitz/sdk/go1.13.8/src/sync/rwmutex.go:50
#	0x891fa2	github.com/tailscale/wireguard-go/device.(*Peer).timersActive+0x52		/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/timers.go:78
#	0x89295a	github.com/tailscale/wireguard-go/device.(*Peer).timersSessionDerived+0x2a	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/timers.go:216
#	0x88ef87	github.com/tailscale/wireguard-go/device.(*Peer).SendHandshakeResponse+0x477	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/send.go:203
#	0x88d1bf	github.com/tailscale/wireguard-go/device.(*Device).RoutineHandshake+0xc7f	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/receive.go:464

1 @ 0x432a40 0x443100 0x4430eb 0x442e67 0x892077 0x891fa3 0x892a0a 0x88cd44 0x460801
#	0x442e66	sync.runtime_SemacquireMutex+0x46								/home/bradfitz/sdk/go1.13.8/src/runtime/sema.go:71
#	0x892076	sync.(*RWMutex).RLock+0x126									/home/bradfitz/sdk/go1.13.8/src/sync/rwmutex.go:50
#	0x891fa2	github.com/tailscale/wireguard-go/device.(*Peer).timersActive+0x52				/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/timers.go:78
#	0x892a09	github.com/tailscale/wireguard-go/device.(*Peer).timersAnyAuthenticatedPacketTraversal+0x69	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/timers.go:223
#	0x88cd43	github.com/tailscale/wireguard-go/device.(*Device).RoutineHandshake+0x803			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/receive.go:498

1 @ 0x47b345 0x86595c 0x864c44 0x872963 0x872923 0x87388a 0x460801
#	0x47b344	syscall.Syscall6+0x4								/home/bradfitz/sdk/go1.13.8/src/syscall/asm_linux_amd64.s:44
#	0x86595b	golang.org/x/sys/unix.Pselect+0xbb						/home/bradfitz/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_linux_amd64.go:1221
#	0x864c43	golang.org/x/sys/unix.Select+0x93						/home/bradfitz/pkg/mod/golang.org/x/[email protected]/unix/syscall_linux_amd64.go:54
#	0x872962	github.com/tailscale/wireguard-go/rwcancel.unixSelect+0x162			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/rwcancel/select_linux.go:11
#	0x872922	github.com/tailscale/wireguard-go/rwcancel.(*RWCancel).ReadyRead+0x122		/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/rwcancel/rwcancel.go:67
#	0x873889	github.com/tailscale/wireguard-go/tun.(*NativeTun).routineNetlinkListener+0x199	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/tun/tun_linux.go:118

1 @ 0x47b345 0x86595c 0x864c44 0x872963 0x872923 0x8913e0 0x460801
#	0x47b344	syscall.Syscall6+0x4								/home/bradfitz/sdk/go1.13.8/src/syscall/asm_linux_amd64.s:44
#	0x86595b	golang.org/x/sys/unix.Pselect+0xbb						/home/bradfitz/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_linux_amd64.go:1221
#	0x864c43	golang.org/x/sys/unix.Select+0x93						/home/bradfitz/pkg/mod/golang.org/x/[email protected]/unix/syscall_linux_amd64.go:54
#	0x872962	github.com/tailscale/wireguard-go/rwcancel.unixSelect+0x162			/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/rwcancel/select_linux.go:11
#	0x872922	github.com/tailscale/wireguard-go/rwcancel.(*RWCancel).ReadyRead+0x122		/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/rwcancel/rwcancel.go:67
#	0x8913df	github.com/tailscale/wireguard-go/device.(*Device).routineRouteListener+0x19f	/home/bradfitz/pkg/mod/github.com/tailscale/[email protected]/device/sticky_linux.go:60

1 @ 0x765305 0x765120 0x761d4a 0x8be3da 0x8be6d6 0x8c8cb7 0x8c90fe 0x8c96d9 0x8cc7a6 0x8584ac 0x86289f 0x85cf77 0x857ae3 0x460801
#	0x765304	runtime/pprof.writeRuntimeProfile+0x94					/home/bradfitz/sdk/go1.13.8/src/runtime/pprof/pprof.go:708
#	0x76511f	runtime/pprof.writeGoroutine+0x9f					/home/bradfitz/sdk/go1.13.8/src/runtime/pprof/pprof.go:670
#	0x761d49	runtime/pprof.(*Profile).WriteTo+0x3d9					/home/bradfitz/sdk/go1.13.8/src/runtime/pprof/pprof.go:329
#	0x8be3d9	tailscale.com/wgengine.(*watchdogEngine).watchdogErr+0x1e9		/home/bradfitz/src/tailscale.com/wgengine/watchdog.go:49
#	0x8be6d5	tailscale.com/wgengine.(*watchdogEngine).Reconfig+0xa5			/home/bradfitz/src/tailscale.com/wgengine/watchdog.go:64
#	0x8c8cb6	tailscale.com/ipn.(*LocalBackend).authReconfig+0x316			/home/bradfitz/src/tailscale.com/ipn/local.go:622
#	0x8c90fd	tailscale.com/ipn.(*LocalBackend).enterState+0x20d			/home/bradfitz/src/tailscale.com/ipn/local.go:656
#	0x8c96d8	tailscale.com/ipn.(*LocalBackend).stateMachine+0x38			/home/bradfitz/src/tailscale.com/ipn/local.go:710
#	0x8cc7a5	tailscale.com/ipn.(*LocalBackend).Start.func1+0x195			/home/bradfitz/src/tailscale.com/ipn/local.go:250
#	0x8584ab	tailscale.com/control/controlclient.(*Client).sendStatus+0x35b		/home/bradfitz/src/tailscale.com/control/controlclient/auto.go:538
#	0x86289e	tailscale.com/control/controlclient.(*Client).mapRoutine.func2+0x1be	/home/bradfitz/src/tailscale.com/control/controlclient/auto.go:457
#	0x85cf76	tailscale.com/control/controlclient.(*Direct).PollNetMap+0x1026		/home/bradfitz/src/tailscale.com/control/controlclient/direct.go:572
#	0x857ae2	tailscale.com/control/controlclient.(*Client).mapRoutine+0x2a2		/home/bradfitz/src/tailscale.com/control/controlclient/auto.go:428

wgengine: watchdog timeout on Reconfig

cmd/tailscaled: set default value of --state flag

I always forget to specify the tailscaled --state flag, then forget what value I used previously.

Let's just make it user-friendly and pick a reasonable, opinionated default.

If it absolutely must be opt-in (can't think of why?), then the error should say why and suggest a reasonable default value. Currently it just says:

# ./tailscaled 
logtail started
Program starting: vLONGVER-TODO: []string{"./tailscaled"}
LogID: d8110230555bdb199b48ca6ca71c3802b758e9373cd104d785b8e5c2d1eb8d27
--state is required

I can't seem to access my mesh via mobile

Hello,

I created a mesh with tailscale and it works perfectly fine. However, when I'm trying to access the IPs via my mobile phone, it doesn't seem to work.

Accessing the IP from my home computer works fine though.

What could be wrong?

Regards,
Dimitris

Add builds for other GOOSes to CI

CI currently builds GOOS=linux. We should build other platforms, just to make sure we don't let syntax errors and other obvious compile failures rot in the repo.

GOOS=darwin and GOOS=windows don't produce useful binaries, but we can at least check that the packages compile.

We're likely to have GOOS=openbsd and GOOS=freebsd soonish.

Finish, deploy DERP

Tracking bug for deploying DERP, the "Detour Encrypted Routing Protocol".

Tailscale tries to send traffic directly between peers, traversing NATs as needed, but sometimes no path is possible or it takes some time to find a path, so DERP is the ultimate fallback that routes encrypted packets through the cloud.

DERP is somewhat implemented & tested, but not enough, and it's not yet deployed + used.

Question: Key difference between nebula and tailscale

Hello,

In recent months I've seen similar projects (mesh VPNs in particular) coming up and, as you guys probably know, around November, Nebula from Slack was open sourced, which solves a similar problem domain.

So my main question is, What makes tailscale stand out?

Cheers,

Make connectivity always work

Tailscale end-to-end connectivity between peers needs to always work, even if the peers have challenging/changing network configurations.

Some high level dependent bugs are:

/cc @danderson @apenwarr @crawshaw

derp: lots of connecting / EOF messages

Built at HEAD with NetInfo:

morty:~> journalctl -fu tailscaled
-- Logs begin at Thu 2018-02-22 12:57:10 EST. --
Feb 27 22:28:49 morty tailscaled[36344]: 2020/02/27 22:28:49 derphttp.Client.Recv: connecting
Feb 27 22:28:49 morty tailscaled[36344]: 2020/02/27 22:28:49 derp.Recv: derp.Recv: EOF
Feb 27 22:28:49 morty tailscaled[36344]: 2020/02/27 22:28:49 derphttp.Client.Recv: connecting
Feb 27 22:28:49 morty tailscaled[36344]: 2020/02/27 22:28:49 derp.Recv: derp.Recv: EOF
Feb 27 22:28:50 morty tailscaled[36344]: 2020/02/27 22:28:50 derphttp.Client.Recv: connecting
Feb 27 22:28:50 morty tailscaled[36344]: 2020/02/27 22:28:50 derp.Recv: derp.Recv: EOF
Feb 27 22:28:50 morty tailscaled[36344]: 2020/02/27 22:28:50 derphttp.Client.Recv: connecting
Feb 27 22:28:50 morty tailscaled[36344]: 2020/02/27 22:28:50 derp.Recv: derp.Recv: EOF
Feb 27 22:28:51 morty tailscaled[36344]: 2020/02/27 22:28:51 derphttp.Client.Recv: connecting
Feb 27 22:28:51 morty tailscaled[36344]: 2020/02/27 22:28:51 derp.Recv: derp.Recv: EOF
Feb 27 22:28:51 morty tailscaled[36344]: 2020/02/27 22:28:51 derphttp.Client.Recv: connecting
Feb 27 22:28:51 morty tailscaled[36344]: 2020/02/27 22:28:51 derp.Recv: derp.Recv: EOF
Feb 27 22:28:52 morty tailscaled[36344]: 2020/02/27 22:28:52 derphttp.Client.Recv: connecting
Feb 27 22:28:52 morty tailscaled[36344]: 2020/02/27 22:28:52 derp.Recv: derp.Recv: EOF
Feb 27 22:28:52 morty tailscaled[36344]: 2020/02/27 22:28:52 derphttp.Client.Recv: connecting
Feb 27 22:28:52 morty tailscaled[36344]: 2020/02/27 22:28:52 derp.Recv: derp.Recv: EOF

cc @bradfitz

Figure out tailscale{,d} file paths for non-linux unixes

tailscale{,d} is shaping up, and as part of that I'm moving a bunch of paths around:

  • tailscaled state is in /var/lib/tailscale/*
  • tailscaled's unix socket is in /run/tailscale/tailscaled.sock
  • tailscaled's logs buffer (buffering crash dumps for future upload) will be in /var/log/tailscale
  • tailscale CLI's logs config is in ~/.config/tailscale
  • tailscale CLI's logs buffers are in ~/.cache/tailscale

The tailscaled paths are managed by systemd, so they're guaranteed to always exist on daemon startup, and /run/tailscale is guaranteed to be cleaned up on daemon exit.

What's the right place to put these files on *BSD? I'm guessing most of them are already correct, with the possible exception of /run/tailscale -> /var/run/tailscale ?

cc @wardn @martinbaillie as our resident BSD knowers.

Magicsock refuses to downgrade from LAN to DERP

Steps to reproduce

  1. Be on bradfitz's LAN.
  2. Block all UDP traffic to/from bradfitz's dev box.
  3. Run tailscaled.
  4. Tailscaled peers with bradfitz's dev box over DERP, because LAN doesn't work.
  5. Remove UDP blocks. Direct LAN connectivity now available.
  6. Tailscaled notices this on the next handshake cycle, upgrades from DERP to LAN \o/
  7. Put UDP blocks back. Direct LAN connectivity is broken.
  8. Notice that tailscaled never downgrades from LAN back to DERP. Connectivity remains broken until you restart tailscaled.

During the outage, tailscaled periodically logs:

Feb 21 15:02:12 vega tailscaled[2996756]: 2020/02/21 15:02:12 magicsock: rx [pub:…xg0R] from low-pri 127.3.3.40:1 (0), keeping current 10.0.128.103:41641 (2)

So it's receiving nothing from LAN, and receiving handshakes from DERP, but refusing to downgrade.
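The failure mode reported above, as an added example that is not part of the original issue and is not Tailscale's code: a small Go model of priority-based address selection, replayed over a constructed timeline of the reproduction steps, once with a sticky high-priority address and once with an address that expires after going silent. The type and function names, the 15-second trust window and the timeline are assumptions; only the two addresses and their priorities (0 and 2) come from the log line.

```go
package main

import (
	"fmt"
	"time"
)

// addr is a hypothetical stand-in for a peer endpoint; it is not a magicsock type.
// pri mirrors the numbers in the page's log line: 0 = DERP, 2 = LAN.
type addr struct {
	name string
	pri  int
}

var (
	derp = addr{"127.3.3.40:1", 0}       // DERP pseudo-address from the log line
	lan  = addr{"10.0.128.103:41641", 2} // direct LAN address from the log line
)

// selector picks the address used to send to one peer.
type selector struct {
	cur      addr
	lastRx   time.Time     // last packet received from cur
	trustFor time.Duration // 0 models the reported behaviour: cur never expires
}

// onRecv records one received packet and returns the address to send to next.
// Feed it only packets that passed WireGuard authentication, so that
// unauthenticated traffic cannot move or pin the path.
func (s *selector) onRecv(from addr, now time.Time) addr {
	switch {
	case from == s.cur:
		s.lastRx = now // current path is still alive
	case from.pri >= s.cur.pri:
		s.cur, s.lastRx = from, now // upgrade, e.g. DERP -> LAN
	case s.trustFor > 0 && now.Sub(s.lastRx) > s.trustFor:
		s.cur, s.lastRx = from, now // current path went silent: downgrade
	default:
		// "rx from low-pri ..., keeping current ..." in the page's log
	}
	return s.cur
}

// event is one received packet in the constructed timeline below.
type event struct {
	at   time.Duration
	from addr
}

// timeline is constructed sample input following the reproduction steps:
// UDP blocked, unblocked, blocked again, unblocked again.
var timeline = []event{
	{0 * time.Second, derp}, // UDP blocked: only DERP delivers
	{5 * time.Second, lan},  // blocks removed: LAN works
	{10 * time.Second, lan},
	{15 * time.Second, derp}, // blocks back: LAN silent, DERP still delivers
	{30 * time.Second, derp},
	{35 * time.Second, derp},
	{40 * time.Second, lan}, // blocks removed again
}

// replay runs the timeline and returns the chosen address after each packet.
func replay(trustFor time.Duration) []string {
	start := time.Date(2020, 2, 21, 15, 0, 0, 0, time.UTC)
	s := &selector{trustFor: trustFor}
	var out []string
	for _, ev := range timeline {
		out = append(out, s.onRecv(ev.from, start.Add(ev.at)).name)
	}
	return out
}

func main() {
	fmt.Println("sticky:  ", replay(0))
	fmt.Println("expiring:", replay(15*time.Second))
}
```

With the sticky selector the send address stays on the LAN endpoint for every packet after the first upgrade; with the trust window it returns to DERP once the LAN endpoint has been silent for longer than the window and upgrades again when LAN packets reappear.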

Windows Connection Problems

Hello guys,

I'm trying to deploy Tailscale on Windows, but at this moment I have three machines (machine 1 with Linux, machines 2 and 3 with Windows), and I can't get a connection from/to machine 3.

I'm debugging with ping; machines 2 and 3 have the same ICMP firewall rule:

Rule Name:                            Allow ICMP
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             ICMPv4
                                      Type    Code
                                      Any     Any
Edge traversal:                       No
Action:                               Allow
Ok.

but machine 3 is not working.

How can I debug it? No ping output, no traceroute, no tcpdump output....

In machine 3 I can only ping 100.101.102.103.
This is my route table on machine 3:

administrator@machine3 C:\Users\administrator> route print -4
...
machine2ip           255.255.255.255   machine3ip   machine3ip      5
100.101.102.103  255.255.255.255   machine3ip   machine3ip      5
machine1ip           255.255.255.255   machine3ip   machine3ip      5
...

There is only one difference between them: the local network is different. Machines 1 and 2 are in the same local network, and machine 3 is in another, but I think that's not the problem...

Any suggestion?
