<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale/control/controlhttp, branch containerboot-exit-code</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=containerboot-exit-code</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=containerboot-exit-code'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2025-10-04T02:37:42Z</updated>
<entry>
<title>feature/ace: make ACE modular</title>
<updated>2025-10-04T02:37:42Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-10-04T00:32:17Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=223ced84b571df1e2045d3977459374bc43f5515'/>
<id>urn:sha1:223ced84b571df1e2045d3977459374bc43f5515</id>
<content type='text'>
Updates #12614

Change-Id: Iaee75d8831c4ba5c9705d7877bb78044424c6da1
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: remove x/net/http2, use net/http</title>
<updated>2025-10-02T15:25:14Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-10-01T15:53:48Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=1d93bdce20ddd2887651e4c2324dd4e113cd864a'/>
<id>urn:sha1:1d93bdce20ddd2887651e4c2324dd4e113cd864a</id>
<content type='text'>
Saves 352 KB, removing one of our two HTTP/2 implementations linked
into the binary.

Fixes #17305
Updates #15015

Change-Id: I53a04b1f2687dca73c8541949465038b69aa6ade
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>net/netmon: remove usage of direct callbacks from netmon (#17292)</title>
<updated>2025-10-01T18:59:38Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2025-10-01T18:59:38Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=ce752b8a88214a2d45477aa8b77384175ebbdf18'/>
<id>urn:sha1:ce752b8a88214a2d45477aa8b77384175ebbdf18</id>
<content type='text'>
The callback itself is not removed as it is used in other repos, making
it simpler for those to slowly transition to the eventbus.

Updates #15160

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>feature, net/tshttpproxy: pull out support for using proxies as a feature</title>
<updated>2025-09-30T17:25:56Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-09-30T16:12:42Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=442a3a779d29f78ba03cbd61509824f21c90cc59'/>
<id>urn:sha1:442a3a779d29f78ba03cbd61509824f21c90cc59</id>
<content type='text'>
Saves 139 KB.

Also Synology support, which I saw had its own large-ish proxy parsing
support on Linux, but support for proxies without Synology proxy
support is reasonable, so I pulled that out as its own thing.

Updates #12614

Change-Id: I22de285a3def7be77fdcf23e2bec7c83c9655593
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlhttp: simplify, fix race dialing, remove priority concept</title>
<updated>2025-09-21T03:37:14Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-09-20T23:48:18Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=db048e905d6636006d06c93da06fad3ff075e97b'/>
<id>urn:sha1:db048e905d6636006d06c93da06fad3ff075e97b</id>
<content type='text'>
controlhttp has the responsibility of dialing a set of candidate control
endpoints in a way that minimizes user-facing latency. If one control
endpoint is unavailable we promptly dial another, racing across the
dimensions of: IPv6, IPv4, port 80, and port 443, over multiple server
endpoints.

In the case that the top priority endpoint was not available, the prior
implementation would hang waiting for other results, so as to try to
return the highest priority successful connection to the rest of the
client code. This hang would take too long with a large dialplan and
sufficient client to endpoint latency as to cause the server to time out
the connection due to inactivity in the intermediate state.

Instead of trying to prioritize non-ideal candidate connections, the
first successful connection is now used unconditionally, improving
user-facing latency and avoiding any delays that would encroach on the
server-side timeout.

The tests are converted to memnet and synctest, running on all
platforms.

Fixes #8442
Fixes tailscale/corp#32534

Co-authored-by: James Tucker &lt;james@tailscale.com&gt;
Change-Id: I4eb57f046d8b40403220e40eb67a31c41adb3a38
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
Signed-off-by: James Tucker &lt;james@tailscale.com&gt;
</content>
</entry>
<entry>
<title>net/ace, control/controlhttp: start adding ACE dialing support</title>
<updated>2025-09-19T16:52:29Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-09-17T16:44:50Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=ecfdd86fc9956631759277d1ddbd78f0456dc365'/>
<id>urn:sha1:ecfdd86fc9956631759277d1ddbd78f0456dc365</id>
<content type='text'>
Updates tailscale/corp#32227

Change-Id: I38afc668f99eb1d6f7632e82554b82922f3ebb9f
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>health,ipn/ipnlocal: introduce eventbus in health.Tracker (#17085)</title>
<updated>2025-09-16T15:25:29Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2025-09-16T15:25:29Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=2015ce40814dd175f7d441c83d7517a2128b37e4'/>
<id>urn:sha1:2015ce40814dd175f7d441c83d7517a2128b37e4</id>
<content type='text'>
The Tracker was using direct callbacks to ipnlocal. This PR moves those
to be triggered via the eventbus.

Additionally, the eventbus is now closed on exit from tailscaled
explicitly, and health is now a SubSystem in tsd.

Updates #15160

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>net/tlsdial: fix TLS cert validation of HTTPS proxies</title>
<updated>2025-06-18T21:20:39Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-06-09T01:51:41Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=e92eb6b17bb59cd66cd78c90db3b285015ed5e11'/>
<id>urn:sha1:e92eb6b17bb59cd66cd78c90db3b285015ed5e11</id>
<content type='text'>
If you had HTTPS_PROXY=https://some-valid-cert.example.com running a
CONNECT proxy, we should've been able to do a TLS CONNECT request to
e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure
it used to work, but refactorings and lack of integration tests made
it regress.

It probably regressed when we added the baked-in LetsEncrypt root cert
validation fallback code, which was testing against the wrong hostname
(the ultimate one, not the one which we were being asked to validate)

Fixes #16222

Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>derp/derphttp: remove ban on websockets dependency</title>
<updated>2025-04-16T17:10:45Z</updated>
<author>
<name>David Anderson</name>
<email>dave@tailscale.com</email>
</author>
<published>2025-03-20T16:19:47Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=6d6f69e7358f52b56ad8365f465aefaa95a7de0c'/>
<id>urn:sha1:6d6f69e7358f52b56ad8365f465aefaa95a7de0c</id>
<content type='text'>
The event bus's debug page uses websockets.

Updates #15160

Signed-off-by: David Anderson &lt;dave@tailscale.com&gt;
</content>
</entry>
<entry>
<title>net/{netx,memnet},all: add netx.DialFunc, move memnet Network impl</title>
<updated>2025-04-08T17:07:47Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-04-08T15:32:27Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=fb96137d79628db5493603ac2fc67d2a92f6bc01'/>
<id>urn:sha1:fb96137d79628db5493603ac2fc67d2a92f6bc01</id>
<content type='text'>
This adds netx.DialFunc, unifying a type we have a bazillion other
places, giving it now a nice short name that's clickable in
editors, etc.

That highlighted that my earlier move (03b47a55c7956) of stuff from
nettest into netx moved too much: it also dragged along the memnet
impl, meaning all users of netx.DialFunc who just wanted netx for the
type definition were instead also pulling in all of memnet.

So move the memnet implementation netx.Network into memnet, a package
we already had.

Then use netx.DialFunc in a bunch of places. I'm sure I missed some.
And plenty remain in other repos, to be updated later.

Updates tailscale/corp#27636

Change-Id: I7296cd4591218e8624e214f8c70dab05fb884e95
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
</feed>
