<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale/wgengine/netstack/netstack.go, branch knyar/netmapdiff2</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=knyar%2Fnetmapdiff2</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=knyar%2Fnetmapdiff2'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2025-07-07T19:36:16Z</updated>
<entry>
<title>wgengine/netstack: correctly proxy half-closed TCP connections</title>
<updated>2025-07-07T19:36:16Z</updated>
<author>
<name>Naman Sood</name>
<email>mail@nsood.in</email>
</author>
<published>2025-07-07T19:36:16Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=04d24cdbd4b551d95f85ca3b9b36ef147503d2b7'/>
<id>urn:sha1:04d24cdbd4b551d95f85ca3b9b36ef147503d2b7</id>
<content type='text'>
TCP connections are two unidirectional data streams, and if one of these
streams closes, we should not assume the other half is closed as well.
For example, if an HTTP client closes its write half of the connection
early, it may still be expecting to receive data on its read half, so we
should keep the server -&gt; client half of the connection open, while
terminating the client -&gt; server half.

Fixes tailscale/corp#29837.

Signed-off-by: Naman Sood &lt;mail@nsood.in&gt;</content>
</entry>
<entry>
<title>wgengine/netstack: revert cubic cc to reno cc (#15677)</title>
<updated>2025-04-14T17:09:56Z</updated>
<author>
<name>Jordan Whited</name>
<email>jordan@tailscale.com</email>
</author>
<published>2025-04-14T17:09:56Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=62182fc37d44c0a8185b7d96f30465710dd68b66'/>
<id>urn:sha1:62182fc37d44c0a8185b7d96f30465710dd68b66</id>
<content type='text'>
Updates google/gvisor#11632
Updates tailscale/corp#27717

Signed-off-by: Jordan Whited &lt;jordan@tailscale.com&gt;</content>
</entry>
<entry>
<title>net/{netx,memnet},all: add netx.DialFunc, move memnet Network impl</title>
<updated>2025-04-08T17:07:47Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-04-08T15:32:27Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=fb96137d79628db5493603ac2fc67d2a92f6bc01'/>
<id>urn:sha1:fb96137d79628db5493603ac2fc67d2a92f6bc01</id>
<content type='text'>
This adds netx.DialFunc, unifying a type we have a bazillion other
places, giving it now a nice short name that's clickable in
editors, etc.

That highlighted that my earlier move (03b47a55c7956) of stuff from
nettest into netx moved too much: it also dragged along the memnet
impl, meaning all users of netx.DialFunc who just wanted netx for the
type definition were instead also pulling in all of memnet.

So move the memnet implementation netx.Network into memnet, a package
we already had.

Then use netx.DialFunc in a bunch of places. I'm sure I missed some.
And plenty remain in other repos, to be updated later.

Updates tailscale/corp#27636

Change-Id: I7296cd4591218e8624e214f8c70dab05fb884e95
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>tsnet,wgengine: fix src to primary Tailscale IP for TCP dials</title>
<updated>2025-03-11T20:11:01Z</updated>
<author>
<name>Fran Bull</name>
<email>fran@tailscale.com</email>
</author>
<published>2025-03-05T18:25:30Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=5ebc135397acbc2a217986b95f693e6a2c211fd8'/>
<id>urn:sha1:5ebc135397acbc2a217986b95f693e6a2c211fd8</id>
<content type='text'>
Ensure that the src address for a connection is one of the primary
addresses assigned by Tailscale. Not, for example, a virtual IP address.

Updates #14667

Signed-off-by: Fran Bull &lt;fran@tailscale.com&gt;
</content>
</entry>
<entry>
<title>wgengine/netstack: respond to service IPs in Linux tun mode</title>
<updated>2025-02-07T01:14:11Z</updated>
<author>
<name>Adrian Dewhurst</name>
<email>adrian@tailscale.com</email>
</author>
<published>2025-02-06T22:21:00Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=7b3e5b5df36276567109f6a924d2866d0f85e503'/>
<id>urn:sha1:7b3e5b5df36276567109f6a924d2866d0f85e503</id>
<content type='text'>
When in tun mode on Linux, AllowedIPs are not automatically added to
netstack because the kernel is responsible for handling subnet routes.
This ensures that virtual IPs are always added to netstack.

When in tun mode, pings were also not being handled, so this adds
explicit support for ping as well.

Fixes tailscale/corp#26387

Change-Id: I6af02848bf2572701288125f247d1eaa6f661107
Signed-off-by: Adrian Dewhurst &lt;adrian@tailscale.com&gt;
</content>
</entry>
<entry>
<title>go.mod,wgengine/netstack: use cubic congestion control, bump gvisor</title>
<updated>2025-02-07T00:17:34Z</updated>
<author>
<name>James Tucker</name>
<email>james@tailscale.com</email>
</author>
<published>2025-02-06T18:45:45Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=e113b106a69080aace45e3d3d160ee87835ea75e'/>
<id>urn:sha1:e113b106a69080aace45e3d3d160ee87835ea75e</id>
<content type='text'>
Cubic performs better than Reno in higher BDP scenarios, and enables the
use of the hystart++ implementation contributed by Coder. This improves
throughput on higher BDP links with a much faster ramp.

gVisor is bumped as well for some fixes related to send queue processing
and RTT tracking.

Updates #9707
Updates #10408
Updates #12393
Updates tailscale/corp#24483
Updates tailscale/corp#25169

Signed-off-by: James Tucker &lt;james@tailscale.com&gt;
</content>
</entry>
<entry>
<title>wgengine/netstack: disable RACK on all platforms</title>
<updated>2025-02-06T18:10:44Z</updated>
<author>
<name>James Tucker</name>
<email>james@tailscale.com</email>
</author>
<published>2025-02-04T00:18:07Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=83808029d8c6f54d11f9be7482634bd76fcdac15'/>
<id>urn:sha1:83808029d8c6f54d11f9be7482634bd76fcdac15</id>
<content type='text'>
The gVisor RACK implementation appears to perform badly, particularly in
scenarios with higher BDP. This may have gone poorly noticed as a result
of it being gated on SACK, which is not enabled by default in upstream
gVisor, but itself has a higher positive impact on performance. Both the
RACK and DACK implementations (which are now one) have overlapping
non-completion of tasks in their work streams on the public tracker.

Updates #9707

Signed-off-by: James Tucker &lt;james@tailscale.com&gt;
</content>
</entry>
<entry>
<title>cmd/natc,wgengine/netstack: tune buffer size and segment lifetime in natc</title>
<updated>2025-01-25T00:19:55Z</updated>
<author>
<name>James Tucker</name>
<email>james@tailscale.com</email>
</author>
<published>2025-01-24T00:23:41Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=ca39c4e150366b0cdcb766a62c9c8bc3fb116083'/>
<id>urn:sha1:ca39c4e150366b0cdcb766a62c9c8bc3fb116083</id>
<content type='text'>
Some natc instances have been observed with excessive memory growth,
dominant in gvisor buffers. It is likely that the connection buffers are
sticking around for too long due to the default long segment time, and
uptuned buffer size applied by default in wgengine/netstack. Apply
configurations in natc specifically which are a better match for the
natc use case, most notably a 5s maximum segment lifetime.

Updates tailscale/corp#25169

Signed-off-by: James Tucker &lt;james@tailscale.com&gt;
</content>
</entry>
<entry>
<title>ipn/ipnlocal: Support TCP and Web VIP services</title>
<updated>2025-01-22T16:02:26Z</updated>
<author>
<name>KevinLiang10</name>
<email>37811973+KevinLiang10@users.noreply.github.com</email>
</author>
<published>2025-01-20T17:02:53Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=8c8750f1b3e69aa3ca5ac0ebd15f3b406818c5d2'/>
<id>urn:sha1:8c8750f1b3e69aa3ca5ac0ebd15f3b406818c5d2</id>
<content type='text'>
This commit intends to provide support for TCP and Web VIP services and also allow users to use Tun
for VIP services if they want to.
The commit includes:
1. Setting TCP intercept function for VIP Services.
2. Update netstack to send packet written from WG to netStack handler for VIP service.
3. Return correct TCP handler for VIP services when netstack acceptTCP.

This commit also includes unit tests for if the local backend setServeConfig would set correct TCP intercept
function and test if a handler gets returned when getting TCPHandlerForDst. The shouldProcessInbound
check is not unit tested since the test result just depends on mocked functions. There should be an integration
test to cover shouldProcessInbound and if the returned TCP handler actually does what the serveConfig says.

Updates tailscale/corp#24604

Signed-off-by: KevinLiang10 &lt;37811973+KevinLiang10@users.noreply.github.com&gt;
</content>
</entry>
<entry>
<title>all: use iterators over slice views more</title>
<updated>2024-11-11T21:22:34Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2024-11-11T21:08:47Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=4e0fc037e67a86a0734f025e041ba7f04f4cc3d4'/>
<id>urn:sha1:4e0fc037e67a86a0734f025e041ba7f04f4cc3d4</id>
<content type='text'>
This gets close to all of the remaining ones.

Updates #12912

Change-Id: I9c672bbed2654a6c5cab31e0cbece6c107d8c6fa
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
</feed>
