The easiest, most secure way to use WireGuard and 2FA http://git.waynecole.info/tailscale/atom?h=knyar%2Fnetmapdiff2 2024-10-03T16:07:39Z 2024-10-03T16:07:39Z Brad Fitzpatrick bradfitz@tailscale.com 2024-10-02T17:01:46Z urn:sha1:5f88b65764925c397761d306fd6b228578948ac7 Hacky temporary workaround until we do #13654 correctly. Updates #13654 Change-Id: I764eaedbb112fb3a34dddb89572fec1b2543fd4a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2024-05-16T18:57:57Z Andrea Gottardo andrea@tailscale.com 2024-05-16T18:57:57Z urn:sha1:e5f67f90a24d64593c12cff50b2c272dfde16f86 Fixes tailscale/tailscale#10393 Fixes tailscale/corp#15412 Fixes tailscale/corp#19808 On Apple platforms, exit nodes and subnet routers have been unable to relay pings from Tailscale devices to non-Tailscale devices due to sandbox restrictions imposed on our network extensions by Apple. The sandbox prevented the code in netstack.go from spawning the `ping` process which we were using. Replace that exec call with logic to send an ICMP echo request directly, which appears to work in userspace, and not trigger a sandbox violation in the syslog. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>