<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale/control/controlknobs, branch andrew/execqueue-metrics</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=andrew%2Fexecqueue-metrics</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=andrew%2Fexecqueue-metrics'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2024-07-26T18:25:55Z</updated>
<entry>
<title>health: introduce captive-portal-detected Warnable (#12707)</title>
<updated>2024-07-26T18:25:55Z</updated>
<author>
<name>Andrea Gottardo</name>
<email>andrea@tailscale.com</email>
</author>
<published>2024-07-26T18:25:55Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=90be06bd5b79798fb0fdaa996750acceb96f831c'/>
<id>urn:sha1:90be06bd5b79798fb0fdaa996750acceb96f831c</id>
<content type='text'>
Updates tailscale/tailscale#1634

This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting.



ipn/ipnlocal: fix captive portal loop shutdown


Change-Id: I7cafdbce68463a16260091bcec1741501a070c95

net/captivedetection: fix mutex misuse

ipn/ipnlocal: ensure that we don't fail to start the timer


Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465

Signed-off-by: Andrew Dunham &lt;andrew@du.nham.ca&gt;
Signed-off-by: Andrea Gottardo &lt;andrea@gottardo.me&gt;</content>
</entry>
<entry>
<title>wgengine/magicsock: use wireguard-go/conn.PeerAwareEndpoint</title>
<updated>2024-07-12T15:24:06Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2024-07-09T03:31:16Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=808b4139eec4f9ffcf8fc7a39b0519395efcc165'/>
<id>urn:sha1:808b4139eec4f9ffcf8fc7a39b0519395efcc165</id>
<content type='text'>
If we get a non-disco presumably-wireguard-encrypted UDP packet from
an IP:port we don't recognize, rather than drop the packet, give it to
WireGuard anyway and let WireGuard try to figure out who it's from and
tell us.

This uses the new hook added in https://github.com/tailscale/wireguard-go/pull/27

Updates tailscale/corp#20732

Change-Id: I5c61a40143810592f9efac6c12808a87f924ecf2
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlknobs,tailcfg,wgengine/magicsock: remove DRPO shutoff switch</title>
<updated>2024-07-07T02:50:53Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2024-07-07T02:29:58Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=d2fef01206cd7a96d684f9c69ba9e767de824ab4'/>
<id>urn:sha1:d2fef01206cd7a96d684f9c69ba9e767de824ab4</id>
<content type='text'>
The DERP Return Path Optimization (DRPO) is over four years old (and
on by default for over two) and we haven't had problems, so time to
remove the emergency shutoff code (controlknob) which we've never
used. The controlknobs are only meant for new features, to mitigate
risk. But we don't want to keep them forever, as they kinda pollute
the code.

Updates #150

Change-Id: If021bc8fd1b51006d8bddd1ffab639bb1abb0ad1
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>various: create a catch-all NRPT rule when "Override local DNS" is enabled on Windows</title>
<updated>2024-06-14T19:41:50Z</updated>
<author>
<name>Nick Khyl</name>
<email>nickk@tailscale.com</email>
</author>
<published>2024-06-11T03:05:15Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=c32efd9118bb8ba63ae5729653d1eaeeaad52149'/>
<id>urn:sha1:c32efd9118bb8ba63ae5729653d1eaeeaad52149</id>
<content type='text'>
Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers
associated with all network adapters, even when "Override local DNS" is enabled and/or
a Mullvad exit node is being used, resulting in DNS leaks.

This also adds "disable-local-dns-override-via-nrpt" nodeAttr that can be used to disable
the new behavior if needed.

Fixes tailscale/corp#20718

Signed-off-by: Nick Khyl &lt;nickk@tailscale.com&gt;
</content>
</entry>
<entry>
<title>tailcfg,net/dns: add controlknob to disable battery split DNS on iOS (#12346)</title>
<updated>2024-06-06T22:19:33Z</updated>
<author>
<name>Andrea Gottardo</name>
<email>andrea@tailscale.com</email>
</author>
<published>2024-06-06T22:19:33Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=b65221999ca2644e917efce394dc0c9603cfacb7'/>
<id>urn:sha1:b65221999ca2644e917efce394dc0c9603cfacb7</id>
<content type='text'>
Updates corp#15802.

Adds the ability for control to disable the recently added change that uses split DNS in more cases on iOS. This will allow us to disable the feature if it leads to regression in production. We plan to remove this knob once we've verified that the feature works properly.

Signed-off-by: Andrea Gottardo &lt;andrea@gottardo.me&gt;</content>
</entry>
<entry>
<title>net/dns/resolver, control/controlknobs, tailcfg: use UserDial instead of SystemDial to dial DNS servers</title>
<updated>2024-05-06T22:29:24Z</updated>
<author>
<name>Nick Khyl</name>
<email>nickk@tailscale.com</email>
</author>
<published>2024-05-02T23:33:13Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=f62e678df8e1d4a3fd3a41f8c847c6b0a3605ac8'/>
<id>urn:sha1:f62e678df8e1d4a3fd3a41f8c847c6b0a3605ac8</id>
<content type='text'>
Now that tsdial.Dialer.UserDial has been updated to honor the configured routes
and dial external network addresses without going through Tailscale, while also being
able to dial a node/subnet router on the tailnet, we can start using UserDial to forward
DNS requests. This is primarily needed for DNS over TCP when forwarding requests
to internal DNS servers, but we also update getKnownDoHClientForProvider to use it.

Updates tailscale/corp#18725

Signed-off-by: Nick Khyl &lt;nickk@tailscale.com&gt;
</content>
</entry>
<entry>
<title>appc: add flag shouldStoreRoutes and controlknob for it</title>
<updated>2024-04-29T18:40:04Z</updated>
<author>
<name>Fran Bull</name>
<email>fran@tailscale.com</email>
</author>
<published>2024-04-11T17:12:13Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=1bd1b387b298a09ae49d7084e644e0f4ff0cb4c2'/>
<id>urn:sha1:1bd1b387b298a09ae49d7084e644e0f4ff0cb4c2</id>
<content type='text'>
When an app connector is reconfigured and domains to route are removed,
we would like to no longer advertise routes that were discovered for
those domains. In order to do this we plan to store which routes were
discovered for which domains.

Add a controlknob so that we can enable/disable the new behavior.

Updates #11008
Signed-off-by: Fran Bull &lt;fran@tailscale.com&gt;
</content>
</entry>
<entry>
<title>all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89]</title>
<updated>2024-03-25T04:08:46Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2024-03-23T23:23:59Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=7b34154df221f5613b397226a0b2a9109d183ad7'/>
<id>urn:sha1:7b34154df221f5613b397226a0b2a9109d183ad7</id>
<content type='text'>
First we had Capabilities []string. Then
https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a
superset of Capabilities. Except we never really finished the
transition inside the codebase to go all-in on CapMap. This does so.

Notably, this converts Capabilities on the wire early to CapMap
internally so the code can only deal in CapMap, even against an old
control server.

In the process, this removes PeerChange.Capabilities support, which no
known control plane sent anyway. They can and should use
PeerChange.CapMap instead.

Updates #11508
Updates #4217

Change-Id: I872074e226b873f9a578d9603897b831d50b25d9
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>all: use reflect.TypeFor now available in Go 1.22 (#11078)</title>
<updated>2024-02-09T01:34:22Z</updated>
<author>
<name>Joe Tsai</name>
<email>joetsai@digital-static.net</email>
</author>
<published>2024-02-09T01:34:22Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=94a4f701c2fbaf914975c15c458f8b3a500e9d9e'/>
<id>urn:sha1:94a4f701c2fbaf914975c15c458f8b3a500e9d9e</id>
<content type='text'>
Updates #cleanup

Signed-off-by: Joe Tsai &lt;joetsai@digital-static.net&gt;</content>
</entry>
<entry>
<title>wgengine/magicsock: implement probing of UDP path lifetime (#10844)</title>
<updated>2024-01-23T17:37:32Z</updated>
<author>
<name>Jordan Whited</name>
<email>jordan@tailscale.com</email>
</author>
<published>2024-01-23T17:37:32Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=8b47322acc2f3dabff40cbc4dcee9576f4d19bc5'/>
<id>urn:sha1:8b47322acc2f3dabff40cbc4dcee9576f4d19bc5</id>
<content type='text'>
This commit implements probing of UDP path lifetime on the tail end of
an active direct connection. Probing configuration has two parts -
Cliffs, which are various timeout cliffs of interest, and
CycleCanStartEvery, which limits how often a probing cycle can start,
per-endpoint. Initially a statically defined default configuration will
be used. The default configuration has cliffs of 10s, 30s, and 60s,
with a CycleCanStartEvery of 24h. Probing results are communicated via
clientmetric counters. Probing is off by default, and can be enabled
via control knob. Probing is purely informational and does not yet
drive any magicsock behaviors.

Updates #540

Signed-off-by: Jordan Whited &lt;jordan@tailscale.com&gt;</content>
</entry>
</feed>
